Embed Size (px)
Citation preview
IndexAAccess point, 107Active Directory, 126AddressFQDN firewall address, 135Admin profilecustom, 83super_admin, 34administratorcreating, 34, 83administrator profilecustom, 83alert email, 280alert notification email for SSL VPN login failures, 280antiviruschanging the maximum file size, 185flow-based, 187software, 225application control, 202, 264adding a sensor to a policy, 202blocking access to social media, 204blocking instant messaging, 203blocking peer to peer file sharing, 205troubleshooting, 202application monitor, 202drill down, 202applicationsbandwidth use, 189, 202, 204, 205, 228, 231, 237, 242,246, 249, 270, 272, 275, 278blocking, 264debugging, 104visualizing, 202ARPpacket sniffer, 95assigning IP addresses, 86authenticateweb filtering, 190authenticationdebugging, 102two-factor, 266, 268authoritative dns, 85
Bbackupconfiguration, 28, 74backup Internet connection, 38, 44backup log solution, 275bandwidthapplication use, 189, 202, 204, 205, 228, 231, 237, 242,246, 249, 270, 272, 275, 278bandwidth consumingweb filtering, 189Bingsafe search, 191bridge table, 26
CCA Authority, 126captive portalWiFi, 117capturepacket, 89central NAT table, 166certification, 10Cisco UNITY client, 237cluster, 69connecting an HA cluster, 70configurationbackup, 28, 74connecting a FortiGate HA cluster, 70count, 144
policy, 144security policy, 202customer service, 10
DData Leak Prevention, 209DCHP server, 123debugapplication, 104authentication, 102diagnose command, 101flow, 104, 139, 140, 146info, 104IPsec VPN, 103packet flow, 103SSL VPN, 101URL filtering, 103debug flow, 139, 140debugging FortiGate configurations, 101default route failover, 41, 47demilitarized zonenetwork, 50denial of serviceprotection, 207deny policycount column, 149verifying, 147destination NAT, 169, 171, 173, 176, 179DHCP, 15IP reservation, 86DHCP relayWiFi, 123diag debug flow, 139, 140, 146Index286 FortiGate Cookbookhttp://docs.fortinet.com/diag log test, 277diagnosequick reference, 104diagnose debug, 101diagnose debug flow, 139, 140DLP, 209flow-based, 188DMZ network, 50DNAT, 169, 171, 173, 176, 179web server, 51DNScreating a local DNS server, 85verifying the configuration, 20, 25dnsauthoritative, 85database, 85documentation, 10Fortinet, 10domain name service, 85DoSpolicy, 207protection, 207sensor, 207driftFortiToken, 104dual internet connections, 48dynamic SNAT, 162dynamic source address translation, 162central NAT table, 166
EECMProute priority, 42routing, 42, 48spillover, 48usage-based, 48email filtering, 208FortiGuard, 32enterprise security
wireless, 114equal cost multipathrouting, 42, 48ESPpacket sniffer, 95event log, 280extendedvirus database, 184extremevirus database, 184
Ffailoverdefault route, 41, 47FAQ, 10file sizeantivirus maximum, 185filterpacket capture, 98packet sniffer, 94firewallordering policies, 148restricting all DNS queries to a selected DNS server, 151restricting employees’ Internet access, 135restricting Internet access per IP address, 141schedule, 135using geographic addresses, 158verifying that traffic is hitting a security policy, 144firewall addressFQDN, 135firewall statisticsdiag, 104firmwaredownload from Fortinet support, 27TFTP upgrade, 28upgrading, 27, 73version, 27, 73flowdebug, 104diag debug, 139, 140, 146diagnose debug flow, 139, 140flow-basedantivirus, 187DLP, 187UTM, 187web filtering, 187FortiAnalyzer, 275FortiAnalyzer unit, 275testing sending logs, 277FortiAP, 107, 110, 123FortiAP, troubleshooting, 112FortiASIC, 213FortiClientSSL VPN, 221FortiClient SSL VPN, 218FortiGuardAntivirus, 9email filtering lookups, 32overriding web filtering, 190ports used, 32server list, 32services, 9setup, 30transparent mode, 26troubleshooting, 30web filtering category, 192web filtering lookups, 32FortiGuard Centre, 192FortiGuard web filtering, 189check IP addresses, 199images, 200Fortinetcustomer service, 10Knowledge Base, 10
Knowledge Center, 10MIB, 87SSL VPN clients, 213Technical Documentation, 10Technical Support, 10Technical Support, registering with, 9Technical Support, web site, 9Training Services, 10Fortinet documentation, 10Fortitokendrift, 104IndexFortiOS 4.0 MR3 287http://docs.fortinet.com/FortiToken deviceSMS message as alternative, 268using with FortiOS, 266FortiWiFi, 107, 108, 114, 117, 126FQDNfirewall address, 135
Ggeographic addresses, firewall, 158get system status, 27, 73glossary, 10Googlesafe search, 191GREpacket sniffer, 95greyware, 183guest network, 107
HHA, 69firmware upgrade, 73hardware configuration, 69split brain, 70hardware certificatediagnose, 104hardware deviceinfo diskdiagnose, 105hardware deviceinfo nic eth0diagnose, 105high availability, 69host checking, 225how-to, 10
Iimagesweb filtering, 200infodebug, 104instant messagingblocking, 203introductionFortinetdocumentation, 10IP addressprivate network, 7IP addressesassigning, 86web filtering, 199IP masquerading, 160IP Phonetraffic shaping, 154IP reservation, 86IPSfail closed, 206failover, 206ips urlfilter statusdiagnose, 105IPsec VPNdebugging, 103
KKnowledge Center, 10
Llegacy virusesprotecting your network from, 184license informationdashboard widget, 30local disk, 275local DNS server, 85local server, 85local-inpolicy, 88log messages, 125, 272DCHCPREQUEST, 125DHCPACK, 125DHCPDISCOVER, 125DHCPOFFER, 125log to disk, 275loggingalert notification email for SSL VPN login failures, 280backup log solution, 275FortiAnalyzer unit, 275log message body, 273log message header, 273Log Message Reference, 274multiple Syslog servers, 278testing log configuration, 284testing sending logs to a FortiAnalyzer unit, 277testing sending logs to Syslog servers, 279understanding log messages, 272
Mmac address IP reservation, 86Managed FortiAP, 112managementlocal-in policy, 88many-to-one NAT, 160MIBFortinet, 87mobile devices, 107mode-cfg, 240modem interface, 44, 46MS-CHAP-v2, 127
NNAPT, 160NATdestination NAT, 169, 171, 173, 176, 179dynamic SNAT, 162IP masquerading, 160many-to-one, 160NAPT, 160one-to-one, 164PAT, 160SNAT, 160NAT overload, 160netlink brctl listdiagnose, 105networkvisualizing applications on, 202network address and port translation, 160Network Policy Server., 126networkingWiFi, 108, 110, 114, 123Index288 FortiGate Cookbookhttp://docs.fortinet.com/
Oone-to-one NAT, 164overrideweb filtering, 190override internal DNSDHCP, 17oversized email, 186oversized file, 186
P
packetsniffer, 89packet capture, 94, 98filters, 98packet flowdebugging, 103packet snifferfilters, 94protocols, 95packet sniffing, 89, 98PAT, 160pcappacket capture file, 98PEAP, 128PEAP authentication, 126peer-to-peer file sharingblocking, 205ping server, 41policyadding an application control sensor, 202count, 144DoS, 207local-in, 88policy monitor, 144port address translation, 160port forwarding, 169, 171, 173, 176, 179web server, 51port mapping, 169, 171, 173, 176, 179port pairingtransparent mode, 63portalWiFi, 117preshared key, 121, 124Primary Internet connection, 44primary Internet connection, 38priorityroute, 42product registration, 9protocol options, 186proxy avoidanceweb filtering, 189
RRADIUS (NPS), 126rating error, 21, 26web filtering, 21, 26recursiveDNS server mode, 85recursive dns, 85redundant Internet connections, 38registeringwith Fortinet Technical Support, 9release notes, 27remote Internet access, 218replacement messagevirus message, 62reportingFortiOS UTM report, 282modifying default report, 282RFC1918, 7routepriority, 42route failover, 41, 47route mode, 66security policy, 52routingECMP, 42, 48equal cost multipath, 42, 48
Ssafe searchweb filtering, 191schedulefirewall, 135
security policiesordering, 148restricting all DNS queries to a selected DNS server, 151restricting employee’s Internet access, 135using geographic addresses, 158security policy, 144adding an application control sensor, 202count column, 202limit Internet access, 135restricting Internet access per IP address, 141verifying traffic, 144security riskweb filtering, 189sensitive informationblocking, 209sensorDoS, 207servicemultiple, 52shared shapers, 154SMS used in two-factor authentication, 268SNAT, 160, 162, 166sniffer packetdiagnose, 105sniffingpacket, 89social mediablocking, 204software switchWiFi, 120source address translation, 160spamfiltering, 208spilloverECMP, 48split tunnel, 220split tunnelingSSL VPN, 221split-brainHA, 70SSID, 120, 123IndexFortiOS 4.0 MR3 289http://docs.fortinet.com/SSL VPN, 214access email server, 214debugging, 101endpoint security, 213FortiClient, 221portal, 214remote user, 225split tunneling, 221Subsession, 220tunnel mode, 213virtual desktop, 213ssl.root, 219, 222ssl.root interface, 220static SNAT, 160storage location, 275streaming mediablocking, 195suggest a URL categoryweb filtering, 192super_adminadministrator profile, 34sys session full-statdiagnose, 105Syslog server, 275Syslog servers, log device, 278
Ttechnicaldocumentation, 10notes, 10
support, 10technical support, 10test logdiagnose, 105test update infodiagnose, 105TFTP, 28thin AP, 107thresholdoversized file/email, 186traceroute, 31traffic shapingshared shapers, 154VoIP, 154Training Services, 10Transparent mode, 26transparent modeport pairing, 63protecting a server, 57troubleshooting, 25transport-mode, 236troubleshootingDHCP, 16FortiGuard, 30ISP connection, 16NAT configuration, 16packet sniffing, 89, 94transparent mode, 25verifying that traffic is hitting a security policy, 144VPNs, 249Tunnel Mode, 218
Uunity-support, 240upgradefirmware, 27HA cluster firmware, 73uploading logs, 276URLFortiGuard web filtering category, 192URL filteringdebugging, 103usage-basedECMP, 48USB modem, 46usersidentifying, 260monitoring, 260
VVDOM, 78VIPweb serverfirewall VIP, 51virtual domain, 78virtual FortiOS instances, 78virtual interface, 120virtual LANs, 75viruslegacy, 184virus databaseextended, 184extreme, 184visualapplications, 202VLANs, 75configuring, 75VoIPtraffic shaping, 154VPNCisco UNITY client, 237Dialup, 231L2TP, 236SSL, 214vpn tunnel list
diagnose, 105VPN, IPsecfrom Android device, 242from FortiClient PC, 231from iPhone, 237, 242overview, 227vulnerability scanner, 210
Wweb browsingblocking web sites by category, 262web filterblocking streaming media, 195record websites, 193safe search, 191whitelist, 197Web filteringcorrect a URL category, 192Index290 FortiGate Cookbookhttp://docs.fortinet.com/web filtering, 21, 26, 189authenticate, 190errors, 21flow-based, 187FortiGuard, 32, 189, 262suggest a URL category, 192web monitoring, 262web portal, 214web serverport forwarding, 51web sites users have visited, 193websitesblocking, 262whitelistweb filter, 197WiFicaptive portal, 117DHCP relay, 123software switch, 120WiFi access, 108, 110, 114, 123WiFi access point, 107WiFi Controller, 109WiFi controller feature, 107Windows AD, 126Windows Security Health Validator, 128Windows Server 2008, 126wirelessWPA/WPA2 enterprise security, 114WPA2 security, 108WPA/WPA2 enterprise securitywireless security, 114WPA2wireless security, 108WPA2-Personal, 110, 123WPA-Enterprise, 126
YYahoosafe search, 191
Index
A
access point, 107
Active Directory, 126
address
FQDN firewall address, 135
admin profile
custom, 83
super_admin, 34
administrator
creating, 34, 83
administrator profile
custom, 83
alert email, 280
alert notification email for SSL VPN login failures, 280
antivirus
changing the maximum file size, 185
flow-based, 187
software, 225
application control, 202, 264
adding a sensor to a policy, 202
blocking access to social media, 204
blocking instant messaging, 203
blocking peer to peer file sharing, 205
troubleshooting, 202
application monitor, 202
drill down, 202
applications
bandwidth use, 189, 202, 204, 205, 228, 231, 237, 242,
246, 249, 270, 272, 275, 278
blocking, 264
debugging, 104
visualizing, 202
ARP
packet sniffer, 95
assigning IP addresses, 86
authenticate
web filtering, 190
authentication
debugging, 102
two-factor, 266, 268
authoritative dns, 85
B
backup
configuration, 28, 74
backup Internet connection, 38, 44
backup log solution, 275
bandwidth
application use, 189, 202, 204, 205, 228, 231, 237, 242,
246, 249, 270, 272, 275, 278
bandwidth consuming
web filtering, 189
Bing
safe search, 191
bridge table, 26
C
CA Authority, 126
captive portal
WiFi, 117
capture
packet, 89
central NAT table, 166
certification, 10
Cisco UNITY client, 237
cluster, 69
connecting an HA cluster, 70
configuration
backup, 28, 74
connecting a FortiGate HA cluster, 70
count, 144
policy, 144
security policy, 202
customer service, 10
D
Data Leak Prevention, 209
DCHP server, 123
debug
application, 104
authentication, 102
diagnose command, 101
flow, 104, 139, 140, 146
info, 104
IPsec VPN, 103
packet flow, 103
SSL VPN, 101
URL filtering, 103
debug flow, 139, 140
debugging FortiGate configurations, 101
default route failover, 41, 47
demilitarized zone
network, 50
denial of service
protection, 207
deny policy
count column, 149
verifying, 147
destination NAT, 169, 171, 173, 176, 179
DHCP, 15
IP reservation, 86
DHCP relay
WiFi, 123
diag debug flow, 139, 140, 146
Index
286 FortiGate Cookbook
http://docs.fortinet.com/
diag log test, 277
diagnose
quick reference, 104
diagnose debug, 101
diagnose debug flow, 139, 140
DLP, 209
flow-based, 188
DMZ network, 50
DNAT, 169, 171, 173, 176, 179
web server, 51
DNS
creating a local DNS server, 85
verifying the configuration, 20, 25
dns
authoritative, 85
database, 85
documentation, 10
Fortinet, 10
domain name service, 85
DoS
policy, 207
protection, 207
sensor, 207
drift
FortiToken, 104
dual internet connections, 48
dynamic SNAT, 162
dynamic source address translation, 162
central NAT table, 166
E
ECMP
route priority, 42
routing, 42, 48
spillover, 48
usage-based, 48
email filtering, 208
FortiGuard, 32
enterprise security
wireless, 114
equal cost multipath
routing, 42, 48
ESP
packet sniffer, 95
event log, 280
extended
virus database, 184
extreme
virus database, 184
F
failover
default route, 41, 47
FAQ, 10
file size
antivirus maximum, 185
filter
packet capture, 98
packet sniffer, 94
firewall
ordering policies, 148
restricting all DNS queries to a selected DNS server, 151
restricting employees’ Internet access, 135
restricting Internet access per IP address, 141
schedule, 135
using geographic addresses, 158
verifying that traffic is hitting a security policy, 144
firewall address
FQDN, 135
firewall statistics
diag, 104
firmware
download from Fortinet support, 27
TFTP upgrade, 28
upgrading, 27, 73
version, 27, 73
flow
debug, 104
diag debug, 139, 140, 146
diagnose debug flow, 139, 140
flow-based
antivirus, 187
DLP, 187
UTM, 187
web filtering, 187
FortiAnalyzer, 275
FortiAnalyzer unit, 275
testing sending logs, 277
FortiAP, 107, 110, 123
FortiAP, troubleshooting, 112
FortiASIC, 213
FortiClient
SSL VPN, 221
FortiClient SSL VPN, 218
FortiGuard
Antivirus, 9
email filtering lookups, 32
overriding web filtering, 190
ports used, 32
server list, 32
services, 9
setup, 30
transparent mode, 26
troubleshooting, 30
web filtering category, 192
web filtering lookups, 32
FortiGuard Centre, 192
FortiGuard web filtering, 189
check IP addresses, 199
images, 200
Fortinet
customer service, 10
Knowledge Base, 10
Knowledge Center, 10
MIB, 87
SSL VPN clients, 213
Technical Documentation, 10
Technical Support, 10
Technical Support, registering with, 9
Technical Support, web site, 9
Training Services, 10
Fortinet documentation, 10
Fortitoken
drift, 104
Index
FortiOS 4.0 MR3 287
http://docs.fortinet.com/
FortiToken device
SMS message as alternative, 268
using with FortiOS, 266
FortiWiFi, 107, 108, 114, 117, 126
FQDN
firewall address, 135
G
geographic addresses, firewall, 158
get system status, 27, 73
glossary, 10
safe search, 191
GRE
packet sniffer, 95
greyware, 183
guest network, 107
H
HA, 69
firmware upgrade, 73
hardware configuration, 69
split brain, 70
hardware certificate
diagnose, 104
hardware deviceinfo disk
diagnose, 105
hardware deviceinfo nic eth0
diagnose, 105
high availability, 69
host checking, 225
how-to, 10
I
images
web filtering, 200
info
debug, 104
instant messaging
blocking, 203
introduction
Fortinet
documentation, 10
IP address
private network, 7
IP addresses
assigning, 86
web filtering, 199
IP masquerading, 160
IP Phone
traffic shaping, 154
IP reservation, 86
IPS
fail closed, 206
failover, 206
ips urlfilter status
diagnose, 105
IPsec VPN
debugging, 103
K
Knowledge Center, 10
L
legacy viruses
protecting your network from, 184
license information
dashboard widget, 30
local disk, 275
local DNS server, 85
local server, 85
local-in
policy, 88
log messages, 125, 272
DCHCPREQUEST, 125
DHCPACK, 125
DHCPDISCOVER, 125
DHCPOFFER, 125
log to disk, 275
logging
alert notification email for SSL VPN login failures, 280
backup log solution, 275
FortiAnalyzer unit, 275
log message body, 273
log message header, 273
Log Message Reference, 274
multiple Syslog servers, 278
testing log configuration, 284
testing sending logs to a FortiAnalyzer unit, 277
testing sending logs to Syslog servers, 279
understanding log messages, 272
M
mac address IP reservation, 86
Managed FortiAP, 112
management
local-in policy, 88
many-to-one NAT, 160
MIB
Fortinet, 87
mobile devices, 107
mode-cfg, 240
modem interface, 44, 46
MS-CHAP-v2, 127
N
NAPT, 160
NAT
destination NAT, 169, 171, 173, 176, 179
dynamic SNAT, 162
IP masquerading, 160
many-to-one, 160
NAPT, 160
one-to-one, 164
PAT, 160
SNAT, 160
NAT overload, 160
netlink brctl list
diagnose, 105
network
visualizing applications on, 202
network address and port translation, 160
Network Policy Server., 126
networking
WiFi, 108, 110, 114, 123
Index
288 FortiGate Cookbook
http://docs.fortinet.com/
O
one-to-one NAT, 164
override
web filtering, 190
override internal DNS
DHCP, 17
oversized email, 186
oversized file, 186
P
packet
sniffer, 89
packet capture, 94, 98
filters, 98
packet flow
debugging, 103
packet sniffer
filters, 94
protocols, 95
packet sniffing, 89, 98
PAT, 160
pcap
packet capture file, 98
PEAP, 128
PEAP authentication, 126
peer-to-peer file sharing
blocking, 205
ping server, 41
policy
adding an application control sensor, 202
count, 144
DoS, 207
local-in, 88
policy monitor, 144
port address translation, 160
port forwarding, 169, 171, 173, 176, 179
web server, 51
port mapping, 169, 171, 173, 176, 179
port pairing
transparent mode, 63
portal
WiFi, 117
preshared key, 121, 124
Primary Internet connection, 44
primary Internet connection, 38
priority
route, 42
product registration, 9
protocol options, 186
proxy avoidance
web filtering, 189
R
RADIUS (NPS), 126
rating error, 21, 26
web filtering, 21, 26
recursive
DNS server mode, 85
recursive dns, 85
redundant Internet connections, 38
registering
with Fortinet Technical Support, 9
release notes, 27
remote Internet access, 218
replacement message
virus message, 62
reporting
FortiOS UTM report, 282
modifying default report, 282
RFC
1918, 7
route
priority, 42
route failover, 41, 47
route mode, 66
security policy, 52
routing
ECMP, 42, 48
equal cost multipath, 42, 48
S
safe search
web filtering, 191
schedule
firewall, 135
security policies
ordering, 148
restricting all DNS queries to a selected DNS server, 151
restricting employee’s Internet access, 135
using geographic addresses, 158
security policy, 144
adding an application control sensor, 202
count column, 202
limit Internet access, 135
restricting Internet access per IP address, 141
verifying traffic, 144
security risk
web filtering, 189
sensitive information
blocking, 209
sensor
DoS, 207
service
multiple, 52
shared shapers, 154
SMS used in two-factor authentication, 268
SNAT, 160, 162, 166
sniffer packet
diagnose, 105
sniffing
packet, 89
social media
blocking, 204
software switch
WiFi, 120
source address translation, 160
spam
filtering, 208
spillover
ECMP, 48
split tunnel, 220
split tunneling
SSL VPN, 221
split-brain
HA, 70
SSID, 120, 123
Index
FortiOS 4.0 MR3 289
http://docs.fortinet.com/
SSL VPN, 214
access email server, 214
debugging, 101
endpoint security, 213
FortiClient, 221
portal, 214
remote user, 225
split tunneling, 221
Subsession, 220
tunnel mode, 213
virtual desktop, 213
ssl.root, 219, 222
ssl.root interface, 220
static SNAT, 160
storage location, 275
streaming media
blocking, 195
suggest a URL category
web filtering, 192
super_admin
administrator profile, 34
sys session full-stat
diagnose, 105
Syslog server, 275
Syslog servers, log device, 278
T
technical
documentation, 10
notes, 10
support, 10
technical support, 10
test log
diagnose, 105
test update info
diagnose, 105
TFTP, 28
thin AP, 107
threshold
oversized file/email, 186
traceroute, 31
traffic shaping
shared shapers, 154
VoIP, 154
Training Services, 10
Transparent mode, 26
transparent mode
port pairing, 63
protecting a server, 57
troubleshooting, 25
transport-mode, 236
troubleshooting
DHCP, 16
FortiGuard, 30
ISP connection, 16
NAT configuration, 16
packet sniffing, 89, 94
transparent mode, 25
verifying that traffic is hitting a security policy, 144
VPNs, 249
Tunnel Mode, 218
U
unity-support, 240
upgrade
firmware, 27
HA cluster firmware, 73
uploading logs, 276
URL
FortiGuard web filtering category, 192
URL filtering
debugging, 103
usage-based
ECMP, 48
USB modem, 46
users
identifying, 260
monitoring, 260
V
VDOM, 78
VIP
web server
firewall VIP, 51
virtual domain, 78
virtual FortiOS instances, 78
virtual interface, 120
virtual LANs, 75
virus
legacy, 184
virus database
extended, 184
extreme, 184
visual
applications, 202
VLANs, 75
configuring, 75
VoIP
traffic shaping, 154
VPN
Cisco UNITY client, 237
Dialup, 231
L2TP, 236
SSL, 214
vpn tunnel list
diagnose, 105
VPN, IPsec
from Android device, 242
from FortiClient PC, 231
from iPhone, 237, 242
overview, 227
vulnerability scanner, 210
W
web browsing
blocking web sites by category, 262
web filter
blocking streaming media, 195
record websites, 193
safe search, 191
whitelist, 197
Web filtering
correct a URL category, 192
Index
290 FortiGate Cookbook
http://docs.fortinet.com/
web filtering, 21, 26, 189
authenticate, 190
errors, 21
flow-based, 187
FortiGuard, 32, 189, 262
suggest a URL category, 192
web monitoring, 262
web portal, 214
web server
port forwarding, 51
web sites users have visited, 193
websites
blocking, 262
whitelist
web filter, 197
WiFi
captive portal, 117
DHCP relay, 123
software switch, 120
WiFi access, 108, 110, 114, 123
WiFi access point, 107
WiFi Controller, 109
WiFi controller feature, 107
Windows AD, 126
Windows Security Health Validator, 128
Windows Server 2008, 126
Wireless
WPA/WPA2 enterprise security, 114
WPA2 security, 108
WPA/WPA2 enterprise security
Wireless security, 114
WPA2
Wireless security, 108
WPA2-Personal, 110, 123
WPA-Enterprise, 126
Y
Yahoo
Safe search, 191
