FortiADC 7.0.3
Handbook
Chapter 23: Security Fabric
This section includes the following topics:
Automation
Fabric connectors
External connectors