DOCUMENT LIBRARY
DOCUMENT LIBRARY
Products
Best Practices
Hardware Guides
Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
Hybrid Mesh Firewall
FortiGate/ FortiOS
FortiGate-5000
/
6000
/
7000
NOC Management
FortiManager
/
FortiManager Cloud
Managed Fortigate Service
LAN
FortiSwitch
FortiAP / FortiWiFi
FortiEdge Cloud
FortiNAC-F
WAN
Secure SD-WAN
FortiExtender
More >>
Unified SASE
Single Vendor SASE
FortiSASE
Secure SD-WAN
Zero Trust Network Access (ZTNA)
FortiProxy
FortiMonitor
Cloud Network Security
FortiGate Public Cloud
FortiGate Private Cloud
FortiGate CNF
FortiFlex
Lacework FortiCNAPP
Secure Endpoint Connectivity
FortiClient
/
FortiClient Cloud
Web Application / API Protection
FortiWeb
FortiADC
FortiDAST
More >>
Security Operations
Security Operations Automation
FortiAnalyzer
/
FortiAnalyzer Cloud
FortiSIEM
/
FortiSIEM Cloud
FortiSOAR
SOC-as-a-Service (SOCaaS)
Identity
FortiAuthenticator
FortiTrust Identity
FortiPAM
Early Detection & Prevention
FortiSandbox
/
FortiSandbox Cloud
FortiNDR
FortiDeceptor
FortiRecon
More >>
Secure Networking
Hybrid Mesh Firewall
FortiGate/ FortiOS
FortiGate-5000
/
6000
/
7000
NOC Management
FortiManager
/
FortiManager Cloud
Managed Fortigate Service
FortiAIOps
LAN
FortiSwitch
FortiAP / FortiWiFi
FortiAP-U Series
FortiEdge Cloud
FortiNAC-F
WAN
Secure SD-WAN
FortiExtender
Communication & Surveillance
FortiVoice
/
FortiVoice Cloud
FortiFone
FortiCamera
FortiRecorder
FortiCentral
Unified SASE
Single Vendor SASE
FortiSASE
Secure SD-WAN
Zero Trust Network Access (ZTNA)
FortiProxy
FortiMonitor
Secure Endpoint Connectivity
FortiClient
/
FortiClient Cloud
Cloud Network Security
FortiGate Public Cloud
FortiGate Private Cloud
FortiGate CNF
FortiFlex
Cloud-Native Security
Lacework FortiCNAPP
FortiDevSec
Web Application / API Protection
FortiWeb
FortiADC
FortiDAST
Security Operations
Security Operations Automation
FortiAnalyzer
/
FortiAnalyzer Cloud
FortiSIEM
/
FortiSIEM Cloud
FortiSOAR
Endpoint
FortiClient
/
FortiClient Cloud
FortiEDR/XDR
Data Protection
FortiDLP
FortiDLP Agent
FortiDLP Policies
Identity
FortiAuthenticator
FortiTrust Identity
FortiToken
/
FortiToken Cloud
FortiPAM
Email
FortiMail
FortiPhish
Early Detection & Prevention
FortiSandbox
/
FortiSandbox Cloud
FortiNDR
FortiDeceptor
FortiRecon
Expert Services
SOC-as-a-Service (SOCaaS)
Edge Firewall
FortiGate/FortiOS
FortiGate-5000
/
6000
/
7000
FortiGate Public Cloud
FortiGate Private Cloud
Orchestration & management
FortiManager
/
FortiManager Cloud
FortiAnalyzer
/
FortiAnalyzer Cloud
Overlay-as-a-Service
SD Branch
FortiSwitch
FortiAP / FortiWiFi
FortiExtender
/
FortiExtender Cloud
Application Delivery
FortiADC
/
FortiGSLB
Single Vendor SASE
FortiSASE
Secure Endpoint Connectivity
FortiClient
/
FortiClient Cloud
Secure Private Access
Secure SD-WAN
Zero Trust Network Access (ZTNA)
Thin Edge
FortiGate/ FortiOS
FortiAP / FortiWiFi
FortiExtender
/
FortiExtender Cloud
Identity
FortiAuthenticator
FortiTrust Identity
FortiToken Cloud
FortiToken
Application Gateway
FortiGate/ FortiOS
FortiProxy
FortiADC
/
FortiGSLB
Enterprise Asset Management
FortiClient EMS
Endpoint Agent
FortiClient
/
FortiClient Cloud
Agentless Security Posture
FortiNAC-F
FortiSIEM
/
FortiSIEM Cloud
Identity
FortiAuthenticator
FortiTrust Identity
FortiToken Cloud
FortiToken
Wireless
FortiAP / FortiWiFi
FortiAP-U Series
FortiGate Cloud
Switching
FortiSwitch
FortiEdge Cloud
FortiNAC-F
Identity
FortiAuthenticator
FortiTrust Identity
FortiToken Cloud
FortiToken
Privilege Acccess Management
FortiPAM
Next Generation Firewall
FortiGate / FortiOS
FortiGate-5000
/
6000
/
7000
FortiGate Public Cloud
FortiGate Private Cloud
Orchestration & management
FortiManager
/
FortiManager Cloud
FortiAnalyzer
/
FortiAnalyzer Cloud
Expert Services
SOC-as-a-Service (SOCaaS)
Managed Fortigate Service
All
FortiADC Public Cloud
FortiAnalyzer Public Cloud
FortiAuthenticator Public Cloud
FortiDeceptor Public Cloud
FortiGate Public Cloud
FortiIsolator Public Cloud
FortiManager Public Cloud
FortiNDR Public Cloud
FortiPAM Public Cloud
FortiPortal Public Cloud
FortiProxy Public Cloud
FortiSandbox Public Cloud
FortiTester Public Cloud
FortiVoice Public Cloud
FortiWeb Manager Public Cloud
FortiWeb Public Cloud
All
FortiADC Private Cloud
FortiAnalyzer BigData Private Cloud
FortiAnalyzer Private Cloud
FortiAuthenticator Private Cloud
FortiDeceptor Private Cloud
FortiGate Private Cloud
FortiManager Private Cloud
FortiNDR Private Cloud
FortiPAM Private Cloud
FortiProxy Private Cloud
FortiSandbox Private Cloud
FortiTester Private Cloud
FortiVoice Private Cloud
FortiWeb Manager Private Cloud
FortiWeb Private Cloud
Account Management
FortiCloud Services
SAAS Management
FortiGate Cloud
FortiEdge Cloud
FortiEdge Cloud
FortiExtender Cloud
FortiPresence Cloud
FortiToken Cloud
FortiTrust Identity
FortiZTP
FortiCamera Cloud
SAAS Application Security
FortiWeb Cloud
FortiGSLB
FortiCASB
FortiCNP
FortiInsight
FortiPhish
FortiGate CNF
Managed Services
SOC-as-a-Service (SOCaaS)
Managed Fortigate Service
Platform as a service (PAAS)
FortiSASE
FortiAnalyzer Cloud
FortiManager Cloud
FortiClient Cloud
FortiSandbox Cloud
FortiMail Cloud
FortiSOAR Cloud
Other SAAS Services
Overlay-as-a-Service
FortiRecon
FortiConverter
ForiIPAM
FortiFlex
FortiCare Elite
4D Resources
Solution Hubs
Define, design, deploy, demo
4D Pillars
Secure SD-WAN
Zero Trust Network Access
Wireless
Switching
Secure Access Service Edge
Identity and Access Management
Next Generation Firewall
Curated Links by Solution
Cloud
FortiCloud
Public & Private Cloud
Popular Solutions
Secure SD-WAN
Zero Trust Network Access
Secure Access
Security Fabric
Tele-Working
Multi-Factor Authentication
FortiASIC
Operational Technology
MSSP
Next Generation Firewall
FortiAnalyzer
FortiAnalyzer Big-Data
FortiADC
FortiAP / FortiWiFi
FortiAP U-Series
FortiAuthenticator
FortiCache
FortiCarrier
FortiController
FortiDDoS
FortiDDoS-F
FortiDeceptor
FortiExtender
FortiGate-5000
FortiGate-6000
FortiGate-7000
FortiHypervisor
FortiIsolator
FortiMail
FortiManager
FortiNAC
FortiNDR
FortiProxy
FortiRecorder
FortiGate
FortiRPS
FortiSandbox
FortiSIEM
FortiSwitch
FortiTester
FortiToken
FortiVoice
FortiWAN
FortiWeb
FortiWLC
FortiWLM
AscenLink
AV Engine
AWS Firewall Rules
Container FortiOS
FortiADC
FortiADC E Series
FortiADC Manager
FortiADC Private Cloud
FortiADC Public Cloud
FortiAIOps
FortiAnalyzer
FortiAnalyzer BigData
FortiAnalyzer BigData Private Cloud
FortiAnalyzer Cloud
FortiAnalyzer Private Cloud
FortiAnalyzer Public Cloud
FortiAP / FortiWiFi
FortiAP-U Series
FortiAuthenticator
FortiAuthenticator Private Cloud
FortiAuthenticator Public Cloud
FortiAuthProxy
FortiBalancer
FortiBranchSASE
FortiBridge
FortiCache
FortiCamera
FortiCamera Cloud
FortiCare Elite
FortiCarrier
FortiCASB
FortiCentral
FortiClient
FortiClient Cloud
FortiCloud Services
FortiCNP
FortiConnect
FortiController
FortiConverter Service
FortiConverter Tool
FortiCore
FortiCSPM
FortiCWP
FortiDAST
FortiDB
FortiDDoS
FortiDDoS-F
FortiDeceptor
FortiDeceptor DaaS
FortiDeceptor Private Cloud
FortiDeceptor Public Cloud
FortiDevSec
FortiDLP
FortiDLP Agent
FortiDLP Policies
FortiDNS
FortiEdge Cloud
FortiEDR/XDR
FortiEndpoint
FortiExplorer
FortiExplorer Go
FortiExtender
FortiFlex
FortiFone
FortiGate / FortiOS
FortiGate Cloud
FortiGate CNF
FortiGate Private Cloud
FortiGate Public Cloud
FortiGate-5000
FortiGate-6000
FortiGate-7000
FortiGate-as-a-Service
FortiGSLB
FortiGuard Advanced Bot Protection
FortiGuest
FortiHypervisor
FortiInsight
FortiInsight Cloud
FortiIPAM
FortiIsolator
FortiIsolator Public Cloud
FortiLAN Cloud
FortiMail
FortiMail Cloud
FortiManager
FortiManager Cloud
FortiManager Private Cloud
FortiManager Public Cloud
FortiMonitor
FortiNAC
FortiNAC-F
FortiNDR
FortiNDR (on-premise) Private Cloud
FortiNDR (on-premise) Public Cloud
FortiNDR Cloud
FortiNDR Cloud Sensors
FortiPAM
FortiPAM Private Cloud
FortiPAM Public Cloud
FortiPhish
FortiPlanner
FortiPolicy
FortiPortal
FortiPortal Public Cloud
FortiPresence
FortiPresence VM
FortiProxy
FortiProxy Private Cloud
FortiProxy Public Cloud
FortiRecon
FortiRecorder
FortiRPS
FortiSandbox
FortiSandbox Cloud
FortiSandbox Private Cloud
FortiSandbox Public Cloud
FortiSASE
FortiScanner
FortiSIEM
FortiSIEM Cloud
FortiSOAR
FortiSOAR Cloud
FortiSRA
FortiSwitch
FortiSwitch Manager
FortiTap
FortiTester
FortiTester Private Cloud
FortiTester Public Cloud
FortiToken
FortiToken Cloud
FortiTrust Identity
FortiVoice
FortiVoice Cloud
FortiVoice Private Cloud
FortiVoice Public Cloud
FortiWAN
FortiWAN Controller
FortiWeb
FortiWeb Cloud
FortiWeb Manager Private Cloud
FortiWeb Manager Public Cloud
FortiWeb Private Cloud
FortiWeb Public Cloud
FortiWLM
FortiZTP
IPS Engine
Lacework FortiCNAPP
Managed FortiGate Service
Overlay-as-a-Service
Security Awareness and Training
SOCaaS
Wireless Controller
Search documents and hardware ...
Handbook
What's new
Fortinet Security Fabric
Manageability
Networking
Security
SSH MITM deep inspection
Getting started
Installation
Quick installation using DHCP
NAT mode installation
Virtual wire pair
Using the GUI
Connecting using a web browser
Menus
Dashboard
Feature Visibility
Tables
Text strings
Using the CLI
Connecting to the CLI
CLI-only features
Command syntax
Sub-commands
Permissions
Tips
FortiExplorer for iOS
LED specifications
Inspection mode
Basic administration
Registration
System settings
Passwords
Configuration backups
Firmware
Downloading
Testing
Upgrading
Reverting
Installation from system reboot
Restoring from a USB key
Controlled upgrade
FortiGuard
FortiCloud
Troubleshooting your installation
Resources
Fortinet Security Fabric
Overview
Benefits
Components
Configuration
FortiGate, FortSwitch, and FortiAP
FortiAnalyzer
FortiSandbox
FortiManager
FortiClient EMS
Using the Fortinet Security Fabric
Dashboard widgets
Topology
Security Rating
Automation stitches
Triggers
Actions
Creating automation stitches
Chaining and delaying actions
Diagnose commands
Fabric Connectors
Available services
Configuration
Verifying status
SD-WAN
Configuring SD-WAN
SD-WAN requirements
Configuring a basic SD-WAN deployment
Removing existing configuration references to interfaces
Creating SD-WAN interfaces
Configuring SD-WAN load balancing
Creating a static route for the SD-WAN interface
Configuring security policies for SD-WAN
Configuring link health monitoring
Configuring SD-WAN rules
Using the best quality strategy
Using the minimum quality SLA strategy
Monitoring SD-WAN
Applying traffic shaping to SD-WAN traffic
Viewing SD-WAN information in the Fortinet Security Fabric
High availability
HA solutions
FortiGate Cluster Protocol (FGCP)
FortiGate Session Life Support Protocol (FGSP)
VRRP
Session-Aware Load Balancing Clustering (SLBC)
Enhanced Load Balancing Clustering (ELBC)
Content clustering
FGCP HA
Synchronizing the configuration
Preparing to setup HA
Basic configuration steps
Active-passive and active-active HA
Identifying the cluster
Device, link, and session failover
Primary unit selection with override disabled (default)
Primary unit selection with override enabled
DHCP and PPPoE compatability
Distributed clustering
Clusters of three or four FortiGates
Disk storage
FGCP best practices
FGCP HA glossary
FGCP support for OCVPN
GUI options
FGCP HA examples
How to set up FGCP HA
HA with three FortiGates
Active-active HA in transparent mode
FortiGate-5000 active-active HA cluster with FortiClient licenses
Replacing a failed cluster unit
HA with 802.3ad aggregate interfaces
HA with redundant interfaces
Troubleshooting
Virtual clustering
Configuration
Virtual clustering examples
Inter-VDOM links and virtual clustering
Troubleshooting virtual clustering
Full mesh HA
Full mesh HA example
Troubleshooting full mesh HA
Operating a cluster
Operating a virtual cluster
Out-of-band management
In-band management
Managing FortiGate in a virtual cluster
Shutdown/reboot the primary unit
Backup FortiGate management
RADIUS and LDAP servers
FortiGuard services
Logging
SNMP
FortiClient licenses
Cluster members list
Virtual cluster members list
HA statistics
HA configuration change
HA configuration change - virtual cluster
Backup FortiGate host name and device priority
Firmware upgrade
Firmware downgrade
Configuration backup and restore
Failover monitoring
CLI HA status
Managing individual cluster units
Disconnecting a FortiGate
Restoring a disconnected FortiGate
diagnose sys ha dump-by
Failover protection
A-P failover
A-A failover
Device failover
HA heartbeat
Unicast HA heartbeat
Cluster virtual MAC addresses
Synchronizing the configuration
Synchronizing kernel routing tables
Routing graceful restart
Link failover
Monitoring VLAN interfaces
Remote link failover
Failover affects the network
Failover monitoring
NAT mode A-P packet flow
Transparent mode A-P packet flow
Failover performance
Session failover
TCP, UDP, ICMP, and multicast sessions
If session pickup is disabled
Improving session sync performance
Pass-through sessions
Terminated sessions
IPsec VPN SA sync
WAN optimization
HA and load balancing
Load balancing schedules
TCP and UDP load balancing
NP6 and load balancing
Weighted load balancing
Dynamic optimization
Weighted load balancing example
NAT mode A-A packet flow
Transparent mode A-A packet flow
FortiGate-VM and third-party HA
VMware HA
Hyper-V HA
Layer-2 switches
Layer-3 switches
Connected equipment
Ethertype conflicts
LACPand 802.3ad aggregation
VRRP
Configuration
Adding IPv4 virtual router to an interface
Adding IPv6 virtual routers to an interface
VRRP failover
VRRP groups
VRRP virtual MACs
Single-domain VRRP example
Multi-domain VRRP example
Optional settings
FortiController-5000 VRRP support
FGSP
Between FGCP clusters
Configuration
TCP and SCTP sessions
Firmware upgrades
Configuration backup and restore
IPsec tunnels
Connectionless (UDP and ICMP) sessions
NAT sessions
Asymmetric sessions
Expectation sessions
GTP sessions
Flow-based inspection sessions
Notes and limitations
Session synchronization links
FGSP example
Verifying FGSP operation
Standalone configuration sync
Firewall
Firewall concepts
What is a firewall?
NAT mode and transparent mode
How FortiOS handles packets
Interfaces and zones
Access control lists
Firewall policies
Hair-pinning
Blocking traffic by a service or protocol
Learning mode
NGFW policy mode
DNS traffic in NGFW mode
Security profiles
Proxy option components
SSL/SSH inspection
Mirroring SSL inspected traffic
Encryption strength for proxied SSH sessions
RPC over HTTP
Security profile groups
Making security profile groups visible
NAT
The origins of NAT
Dynamic NAT
Static NAT
Benefits of NAT
NAT in transparent mode
Central NAT table
NAT64 and NAT46
NAT64 CLAT
NAT66
Session differentiation
IP pools
Services and TCP ports
Protocol types
TCP/UDP/SCTP
Protocol port values
ICMP
ICMP types and codes
log-invalid-packet
ICMPv6
ICMPv6 types and codes
IP
Protocol number
VPN policies
DSRI
Interface policies
DoS protection
Local-In policies
Security policy 0
Deny policies
Accept policies
Fixed port
Fixed port range IP pools algorithm
Endpoint security
Traffic logging
IPv6
Benefits
Addressing
Packet structure
Policies
NAT66, NAT64, NAT46 and DNS64
IPv6 tunneling
Tunneling IPv6 through IPsec VPN
IPv6 support for GRE tunnels
SIP
IPv6 MIB fields
Per-IP traffic shaper
DHCPv6
IPv6 forwarding
Authentication
FSSO
Neighbor discovery proxy
Address groups
Address ranges
Firewall addresses
SSH
ICMPv6
IPsec VPN
TCP MSS values
BGP
RIPng
RSSO
IPS
Blocking IPv6 packets by extension headers
DoS policies
Configure hosts in an SNMP community
PIM sparse mode multicast routing
Neighbor discovery proxy
Network defense
Inside FortiOS: Denial of Service (DoS) protection
Monitoring
Blocking external probes
Defending against DoS attacks
Policies
UUID support
Viewing firewall policies
Policy names
IPv4 policy
ISDB and IRDB in firewall policies
IPv6 policy
NAT64 policy
NAT46 policy
Central SNAT
IPv4 access control list
IPv6 access control list
IPv4 DoS policy
IPv6 DoS policy
Multicast policy
SSL mirroring for policies
Addresses
Interfaces
IPv4 addresses
FQDN addresses
Changing the TTL of a FQDN address
Geography based addresses
IP range addresses
IP / netmask addresses
Wildcard addressing
Wildcard FQDN
Wildcard FQDNs for SSL deep inspection exemptions
IPv6 addresses
Subnet addresses
IPv6 FQDN firewall addresses
Firewall IPv6 address templates
Multicast addresses
Multicast IP range
Broadcast subnet
Multicast IP addresses
Proxy addresses
Internet services
Address groups
Virtual IPs
IPv4 VIPs
IPv6 VIPs
NAT46 VIPs
NAT64 VIPs
FQDNs in VIPs
Dynamic VIP DNS translation
VIP groups
IP pools
IPv4 pools
IPv6 pools
NAT46 IP pools and secondary NAT64 prefixes
Services
Categories
Creating services
Specific addresses in TCP/UDP/SCTP
Service groups
Schedules
One-time schedules
Recurring schedules
Schedule groups
Schedule expiration
WAN optimization, proxies, web caching, and WCCP
Before you begin
FortiGate models that support WAN optimization
Distributing WAN optimization processing
Disk usage
Example topologies
Basic WAN optimization topology
Out-of-path WAN optimization topology
Topology for multiple networks
WAN optimization with web caching
Explicit web proxy topologies
Explicit FTP proxy topologies
Web caching topologies
WCCP topologies
WAN optimization
Client/server architecture
Peers and authentication groups
Peer requirements
Tunnel requests for peer authentication
Peers
Authentication groups
Secure tunneling
Peer performance
WAN optimization peers
Protocol optimization
Protocol optimization and MAPI
Byte caching
Transparent mode
Operating modes and VDOMs
Tunnels
Identity policies, load balancing, and traffic shaping
HA
Memory usage
Manual (peer-to-peer) and active-passive
Profiles
Monitoring performance
configuration summary
Storage
Cache service
Video caching
Best practices
Manual (peer-to-peer) WAN optimization configuration
Active-passive WAN optimization
Secure tunneling
Transparent and explicit proxies
Proxy policy
Transparent proxy concepts
Transparent proxy configuration
Proxy authentication
Proxy addresses
Web proxy configuration
Logging options in web proxy profiles
Policy matching based on referrer headers and query strings
Multiple web proxy PAC files in one VDOM
Web proxy firewall services and service groups
Learn client IP
Explicit web proxy
Options
Proxy chaining
Security profiles, threat weight, and device identification
Session and user limits
External IP addressses
Incoming IP
Outgoing source IP
Address types
Proxy auto-config (PAC)
Unknown HTTP version
Authentication realm
Botnet scanning
Adding disclaimers
HTTP headers
Transparent mode
Kerberos
Explicit FTP proxy
Protecting an FTP server
Security profiles, threat weight, and device identification
Proxy sessions and user limits
Configuration
Incoming IP
Outgoing source IP
Example
Web caching
Configuration
HA
Memory usage
Caching options
Forwarding URLs and exempting
Monitoring performance
Forward proxy configuration
Reverse proxy configuration
Using a FortiCache
WCCP
Configuration
L2-forwarding tunneling
Services
Caching HTTP sessions on port 80
Caching HTTP sessions on port 80 and HTTPS sessions on port 443
Packet flow
Authentication
Messages
Troubleshooting
WAN optimization diagnose commands
get test {wad | wccpd}
diagnose wad
diagnose wad worker
diagnose wad csvc
diagnose wacs
diagnose wadbd
diagnose debug application {wad | wccpd} [
]
diagnose test application wad 2200
Security Profiles
Overview
Inside FortiOS
AntiVirus
Application control
Intrusion prevention system (IPS)
Web filtering
Inspection modes
Proxy-based inspection
Flow-based inspection
Comparison
Security profiles and different modes
Changing modes
AntiVirus
Concepts
Malware
Scanning order
Databases
Techniques
FortiSandbox
Client comforting
Oversized files and emails
Archive scan depth
Scan buffer size
Windows file sharing (CIFS)
Enabling scanning
Testing your configuration
Examples
Web filtering
Concepts
Inspection modes
FortiGuard Web Filtering
Configuring profiles
Overriding FortiGuard website categorization
Web Profile Overrides
SafeSearch
YouTube Education Filter
Static URL filter
Web content filter
Example
Advanced configurations
DNS filter
FortiGuard botnet protection
Application control
Concepts
Configuring profiles
Actions
Considerations
Monitoring
Examples
Blocking instant messaging
Allowing software updates
Blocking Windows XP
Intrusion prevention
Concepts
Configuring profiles
High availability
Options
Packet logging
Examples
Anti-spam filter
Concepts
Techniques
Configuring profiles
Filtering order
Actions
Examples
Data leak prevention
Concepts
Configuring profiles
Configuring sensors
Archiving
Examples
ICAP support
Overview
Offloading
Configuring profiles
Example sequence
Example scenario
FortiClient Compliance Profiles
Overview
Configuring profiles
Registration over a VPN
Microsoft AD users
Replacement messages
Monitoring
Proxy options
SSL/SSH inspection
Why use SSL inspection
Configuring profiles
FortiGate allowlist
SSH MITM deep inspection
Server table for SSL offloading
Other considerations
Virtual domains
Conserve mode
Wildcards and Perl regular expressions
Session distribution
CPU affinity
Excluding industrial IP signatures
Other considerations
Authentication
Introduction to authentication
Authentication servers
Users and user groups
FortiToken Mobile user instructions
Managing guest access
Configuring authenticated access
Captive portals
Certificate-based authentication
Single sign-on using a FortiAuthenticator unit
Single sign-on to Windows AD
Agent-based FSSO
SSO using RADIUS accounting records
Monitoring authenticated users
Examples and troubleshooting
IPsec VPN
IPsec VPN concepts
VPN tunnels
VPN gateways
Clients, servers, and peers
Encryption
Authentication
Phase 1 and Phase 2 settings
Security Association
IKE and IPsec packet processing
IPsec VPN overview
Types of VPNs
Planning your VPN
General preparation steps
How to use this guide to configure an IPsec VPN
IPsec VPN from the GUI
Phase 1 configuration
Concentrator
IPsec Monitor
Phase 1 parameters
Overview
Defining the tunnel ends
Choosing Main mode or Aggressive mode
Authenticating the FortiGate unit
Authenticating remote peers and clients
Defining IKE negotiation parameters
Using XAuth authentication
Dynamic IPsec route control
Phase 2 parameters
Phase 2 settings
Configuring Phase 2 parameters
Defining VPN security policies
Defining policy addresses
Defining security policies
Gateway-to-gateway configuration
Gateway-to-gateway configuration
Testing
Hub-and-spoke configuration
Configuration overview
Configure the hub
Configure the spokes
Dynamic spokes configuration example
One-Click VPN (OCVPN)
General configuration
Key exchange
Device polling and controller information
System states
Debugging and logging
Dynamic DNS configuration
Configuration overview
FortiClient dialup-client configuration
Configuration overview
FortiGate dialup-client configuration
Configuration overview
Supporting IKE Mode Config clients
Automatic configuration overview
Internet-browsing configuration
Configuration overview
Redundant VPN configuration
Configuration overview
Transparent-mode VPN configuration
Configuration overview
IPv6 IPsec VPNs
Configuration examples
L2TP and IPsec (Microsoft VPN)
Configuration overview
GRE over IPsec (Cisco VPN)
Configuration overview
Protecting OSPF with IPsec
Configuration overview
Redundant OSPF routing over IPsec
Configuration
BGP over dynamic IPsec
IPsec Auto-Discovery VPN (ADVPN)
Example ADVPN configuration
Logging and monitoring
Monitoring VPN connections
VPN event logs
Troubleshooting
General troubleshooting tips
Troubleshooting L2TP and IPsec
Troubleshooting GRE over IPsec
SSL VPN
Overview
SSL VPN modes of operation
Port forwarding mode
SSL VPN conserve mode
Traveling and security
SSL VPN and IPv6
SSL VPN best practices
Basic configuration
User accounts and groups
Configuring SSL VPN web portals
Configuring security policies
Configuring encryption key algorithms
Additional configuration options
SSL VPN with FortiToken two-factor authentication
SSL VPN client
FortiClient
Tunnel mode client configuration
SSL VPN web portal
Connecting to the FortiGate unit
Web portal overview
Portal configuration
Using the Bookmarks widget
Using the Quick Connection Tool
Using FortiClient
Setup examples
Secure Internet browsing
Split tunnel
SSL VPN with LDAP user authentication
Multiple user groups with different access permissions
Troubleshooting
Networking
Interfaces
Configuring administrative access to interfaces
Using server probes on interfaces
Aggregate interfaces
DHCP addressing mode on an interface
DHCP servers and relays
Interface MTU packet size
Interface settings
Loopback interfaces
One-armed sniffer
Physical ports
PPPoE addressing mode on an interface
Redundant interfaces
Dual Internet connections
Secondary IP addresses to an interface
Software switch
Soft switch example
Virtual switch
Zones
Virtual domains
VXLANs
Wireless
VLANs
VLANs in NAT mode
VLANs in transparent mode
VLANs over VXLANs
VLAN switching and routing
Layer-2 and ARP traffic
STP forwarding
ARP traffic
Multiple VDOMs solution
Vlanforward solution
Forward-domain solution
Asymmetric routing
NetBIOS
Too many VLAN interfaces
Troubleshooting VLAN issues
Enhanced MAC VLANs
Virtual wire pairs
Botnet and command-and-control protection
DNS
Advanced static routing
Routing concepts
Static routing tips
Policy routing
Static routing in transparent mode
Static routing example
Dynamic routing
Comparison of dynamic routing protocols
Choosing a routing protocol
Dynamic routing terminology
Controlling how routing changes affect active sessions
IPv6 in dynamic routing
RIP
Troubleshooting RIP
Simple RIP example
RIPng: RIP and IPv6
OSPF
Troubleshooting OSPF
Basic OSPF example
Advanced inter-area OSPF example
Controlling redundant links by cost
BGP
Troubleshooting BGP
Dual-homed BGP example
Redistributing and blocking routes in BGP
IS-IS
Troubleshooting IS-IS
Simple IS-IS example
Multicast forwarding
Sparse mode
Dense mode
PIM support
Multicast forwarding and FortiGate devices
Multicast forwarding and RIPv2
Configuring FortiGate multicast forwarding
Adding multicast security policies
Enabling multicast forwarding
Multicast routing examples
Example FortiGate PIM-SM configuration using a static RP
FortiGate PIM-SM debugging examples
Example multicast DNAT configuration
Example PIM configuration that uses BSR to find the RP
Modems
Enabling modem support
Determining if your modem is supported
Setting up your supported LTE modem
Setting up your supported PPP modem
Configuring an unsupported modem
Troubleshooting
Netflow support
Netflow templates
Configuring sFlow
Packet capture
Transparent mode
Overview
What is transparent mode?
Transparent mode features
Installation
Installing the FortiGate
Virtual wire pair
Management IP configuration
Networking in transparent mode
Static routing
Overview
Source prefixes
Packet forwarding
MAC learning and L2 forwarding table
Broadcast, multicast, and unicast forwarding
Multicast processing
Source MAC addresses
ARP table
Verifying the forwarding database
STP forwarding
Non-IPv4 Ethernet frames forwarding
Network address translation (NAT)
Configuring SNAT
Configuring DNAT
VLANs and forwarding domains
VLANs in transparent mode
Forwarding domains in transparent mode
VLANs vs forwarding domains
VLAN forwarding
Unknown VLANs and VLAN forwarding
VLAN trunking and MAC address learning
VLAN translation
Inter-VDOM links between NAT and transparent VDOMs
Replay traffic scenario
Packet forwarding using Cisco protocols
Configuration example
Firewalls and security in transparent mode
Firewall policy look up
Firewall session list
Security scanning
IPsec VPN in transparent mode
Using IPsec VPNs in transparent mode
Example 1: Remote sites with different subnets
Example 2: Remote sites on the same subnet
Using FortiManager and FortiAnalyzer
High availability in transparent mode
Virtual clustering
MAC address assignment
Best practices
VoIP Solutions: SIP
Inside FortiOS: Voice over IP (VoIP) protection
Common SIP VoIP configurations
Peer to peer configuration
SIP proxy server configuration
SIP redirect server configuration
SIP registrar configuration
SIP with a FortiGate
SIP messages and media protocols
Hardware accelerated RTP processing
SIP request messages
SIP response messages
SIP message start line
SIP headers
The SIP message body and SDP session profiles
Example SIP messages
The SIP session helper
SIP session helper configuration overview
Viewing, removing, and adding the SIP session helper configuration
Changing the port numbers that the SIP session helper listens on
Configuration example: SIP session helper in transparent mode
SIP session helper diagnose commands
The SIP ALG
Enabling VoIP support from the GUI
SIP ALG configuration overview
VoIP profiles
Changing the port numbers that the SIP ALG listens on
Disabling the SIP ALG in a VoIP profile
SIP ALG diagnose commands
Conflicts between the SIP ALG and the session helper
Stateful SIP tracking, call termination, and session inactivity timeout
Adding a media stream timeout for SIP calls
Adding an idle dialog setting for SIP calls
Changing how long to wait for call setup to complete
SIP and RTP/RTCP
How the SIP ALG creates RTP pinholes
Configuration example: SIP in transparent mode
RTP enable/disable (RTP bypass)
Opening and closing SIP register, contact, via and record-route pinholes
Accepting SIP register responses
How the SIP ALG performs NAT
SIP ALG source address translation
SIP ALG destination address translation
SIP call re-invite messages
How the SIP ALG translates IP addresses in SIP headers
How the SIP ALG translates IP addresses in the SIP body
SIP NAT scenario: source address translation (source NAT)
SIP NAT scenario: destination address translation (destination NAT)
SIP NAT configuration example: source address translation (source NAT)
SIP NAT configuration example: destination address translation (destination NAT)
SIP and RTP source NAT
SIP and RTP destination NAT
Source NAT with an IP pool
Different source and destination NAT for SIP and RTP
NAT with IP address conservation
Controlling how the SIP ALG NATs SIP contact header line addresses
Controlling NAT for addresses in SDP lines
Translating SIP session destination ports
Translating SIP sessions to multiple destination ports
Adding the original IP address and port to the SIP message header after NAT
Enhancing SIP pinhole security
Hosted NAT traversal
Configuration example: Hosted NAT traversal for calls between SIP Phone A and SIP Phone B
Hosted NAT traversal for calls between SIP Phone A and SIP Phone C
Restricting the RTP source IP
SIP over IPv6
Deep SIP message inspection
Actions taken when a malformed message line is found
Logging and statistics
Deep SIP message inspection best practices
Configuring deep SIP message inspection
Blocking SIP request messages
SIP rate limiting
Limiting the number of SIP dialogs accepted by a security policy
SIP logging
Inspecting SIP over SSL/TLS (secure SIP)
Adding the SIP server and client certificates
Adding SIP over SSL/TLS support to a VoIP profile
SIP and HA–session failover and geographic redundancy
SIP geographic redundancy
Supporting geographic redundancy when blocking OPTIONS messages
Support for RFC 2543-compliant branch parameters
SIP and IPS
SIP debugging
SIP debug log format
SIP-proxy filter per VDOM
SIP-proxy filter command
SIP debug setting
Display SIP rate-limit data
Best practices
General considerations
Customer service and technical support
Fortinet Knowledge Base
System and performance
Performance
Shutting down
Migration
Information gathering
Object and policy migration
Testing and validation
Going live and obtaining feedback
Adding new services
Environmental specifications
Grounding
Rack mounting
Firmware
Firmware change management
Performing a firmware upgrade
Performing a firmware downgrade
Performing a configuration backup
Security Profiles (AV, Web Filtering etc.)
Firewall
Security
Authentication
Antivirus
Antispam
Intrusion Prevention System (IPS)
Email filter
URL filtering
Web filtering
Patch management
Policy configuration
Networking
Routing configuration
Advanced routing
Network Address Translation (NAT)
Transparent Mode
Using virtual IPs (VIPs)
FGCP high availability
Heartbeat interfaces
Interface monitoring (port monitoring)
WAN Optimization
Virtual Domains (VDOMs)
Per-VDOM resource settings
Virtual domains in NAT mode
Virtual clustering
Explicit proxy
Wireless
Encryption and authentication
Geographic location
Network planning
Lowering the power level to reduce RF interference
Wireless client load balancing
Local bridging
Advertising SSIDs
Using static IPs in a CAPWAP configuration
Logging and reporting
Log management
System memory and hard disks
Managing devices
Managing “bring your own device”
Device monitoring
Device groups
Controlling access with a MAC ACL
Security policies for devices
Managing Fortinet devices
Server load balancing
Inside FortiOS: server load balancing
Basic load balancing configuration example
Configuring load balancing
Load balancing and other FortiOS features
Configuring load balancing from the GUI
Configuring load balancing from the CLI
Load balancing methods
Session persistence
Real servers
Health check monitoring
Load balancing limitations
Monitoring load balancing
Load balancing diagnose commands
Configuring load balancing
Server load balancing configuration
HTTP and HTTPS load balancing, multiplexing, and persistence
HTTP and HTTPS multiplexing
HTTP and HTTPS persistence
HTTP host-based load balancing
SSL/TLS load balancing
SSL/TLS offloading
Separate virtual-server client and server TLS version and cipher configuration
Setting the SSL/TLS versions to use for server and client connections
Setting the SSL/TLS cipher choices for server and client connections
Protection from TLS protocol downgrade attacks
Setting 3072- and 4096-bit Diffie-Hellman values
Additional SSL load balancing and SSL offloading options
SSL offloading support for Internet Explorer 6
Selecting the cipher suites available for SSL load balancing
Disabling SSL/TLS re-negotiation
IP, TCP, and UDP load balancing
Example HTTP load balancing to three real web servers
Example Basic IP load balancing configuration
Example Adding a server load balance port forwarding virtual IP
Example Weighted load balancing configuration
Example HTTP and HTTPS persistence configuration
System administration
Administrators
Monitoring
Dashboard
Monitor menus
Logging
Alert email
SNMP
SNMP get command syntax
Replacement messages
Administration for schools
PPTP and L2TP
Configuring L2TP VPNs
L2TP configuration overview
Session helpers
Viewing the session helper configuration
Changing the session helper configuration
Changing the protocol or port that a session helper listens on
Disabling a session helper
DCE-RPC session helper (dcerpc)
DNS session helpers (dns-tcp and dns-udp)
File transfer protocol (FTP) session helper (ftp)
H.323 and RAS session helpers (h323 and ras)
Media Gateway Controller Protocol (MGCP) session helper (mgcp)
ONC-RPC portmapper session helper (pmap)
PPTP session helper for PPTP traffic (pptp)
Remote shell session helper (rsh)
Real-Time Streaming Protocol (RTSP) session helper (rtsp)
Session Initiation Protocol (SIP) session helper (sip)
Trivial File Transfer Protocol (TFTP) session helper (tftp)
Oracle TNS listener session helper (tns)
Advanced concepts
Single firewall vs. multiple virtual domains
Assigning IP address by MAC address
IP addresses for self-originated traffic
Disk
CLI scripts
Rejecting PING requests
Opening TCP 113
Obfuscate HTTP responses from SSL VPN
Blocking land attacks in transparent mode
Multi-dimension tagging
Traffic shaping
Overview
Configuring traffic shaping
Enabling traffic shaping
Configuring shared policy traffic shaping
Configuring per-IP traffic shaping
Configuring traffic shaping policies
Configuring application control traffic shaping
Configuring interface-based traffic shaping
Changing bandwidth measurement units for traffic shapers
Configuring ToS priority
Configuring differentiated services
Configuring traffic mapping
Monitoring traffic shaping
Traffic shaping examples
Traffic shaping priority queueing (PRIQ)
Troubleshooting traffic shaping
Virtual Domains
VDOMs overview
Benefits
Configurations
Configuring VDOMs
Enabling VDOMs
Configuring additional VDOMs
Inter-VDOM routing
Example configurations
Example 1: NAT mode
Example 2: NAT and transparent mode
Troubleshooting VDOMs
FortiWifi and FortiAP Configuration
Introduction to wireless networking
Wireless networking concepts
Security
Authentication
Wireless networking equipment
Automatic Radio Resource Provisioning
Captive portals
WiFi LAN configuration
Overview
Setting your geographic location
Creating a FortiAP profile
Defining a wireless network interface (SSID)
Defining SSID groups
Configuring dynamic user VLAN assignment
Configuring user authentication
Configuring firewall policies for the SSID
Configuring the built-in access point on a FortiWiFi unit
Enforcing UTM policies on a local bridge SSID
Access point deployment
Network topology for managed APs
Discovering and authorizing APs
Advanced WiFi controller discovery
Wireless client load balancing for high-density deployments
FortiAP groups
LAN port options
Preventing IP fragmentation of packets in CAPWAP tunnels
LED options
CAPWAP bandwidth formula
Remote AP setup
Configuring FortiGate before deploying remote APs
Configuring FortiAPs to connect to FortiGate
Final FortiGate configuration tasks
Wireless mesh
Configuring a meshed WiFi network
Configuring a point-to-point bridge
Hotspot 2.0
Combining WiFi and wired networks with a software switch
FortiAP local bridging (private cloud-managed AP)
Using bridged FortiAPs to increase scalability
Using remote WLAN FortiAPs
Features for high-density deployments
Wireless network protection
Wireless Intrusion Detection System
WiFi data channel encryption
Protected Management Frames and Opportunistic Key Caching support
Bluetooth Low Energy scan
Preventing local bridge traffic from reaching the LAN
FortiAP-S bridge mode security profiles
DHCP Snooping Option-82 Data Insertion
Wireless network monitoring
Monitoring wireless clients
Monitoring rogue APs
Suppressing rogue APs
Monitoring wireless network health
Wireless network client configuration
Configuring a wireless network connection using a Windows XP client
Configuring a wireless network connection using a Windows 7 client
Configuring a wireless network connection using a Mac OS client
Configuring a wireless network connection using a Linux client
Troubleshooting
Wireless network examples
Basic wireless network example
Complex wireless network example
Managing a FortiAP with FortiCloud
FortiCloud-managed FortiAP WiFi
FortiCloud-managed FortiAP WiFi without a key
Using a FortiWiFi unit as a client
Using a FortiWiFi unit in the client mode
Configuring a FortiAP unit as a WiFi Client in client mode
Support for location-based services
Configuring location tracking
Viewing device location data on the FortiGate unit
Troubleshooting
Reference
Wireless radio channels
WiFi event types
FortiAP CLI
FortiSwitch devices managed by FortiOS
Connecting FortiLink ports
Using the FortiGate GUI
Using the FortiGate CLI
Network topologies
Optional setup tasks
FortiSwitch port features
FortiSwitch port security policy
Additional capabilities
Troubleshooting
FortiOS Carrier
Overview of FortiOS Carrier features
MMS
GTP
MMS Concepts
MMS background
How FortiOS Carrier processes MMS messages
MMS protection profiles
Bypassing MMS protection profile filtering based on carrier endpoints
Applying MMS protection profiles to MMS traffic
MMS Configuration
MMS profiles
MMS scanning options
MMS Bulk Anti-Spam Detection options
MMS Address Translation options
MMS Notifications
DLP Archive options
Logging
MMS Content Checksum
Notification List
Message Flood
Duplicate Message
Carrier Endpoint Filter Lists
Message flood protection
Duplicate message protection
Employing MMS Security features
GTP basic concepts
PDP Context
GPRS security
Parts of a GTPv2 network
Parts of a GTPv1 network
Radio access
Transport
Billing and records
GPRS network common interfaces
GTP Configuration
Introduction to GTP
GTP Profile
GTP profile configuration settings
General settings options
Message type filtering options
APN filtering options
Basic filtering options
Advanced filtering options
Information Element (IE) removal policy options
Encapsulated IP traffic filtering options
Encapsulated non-IP end user traffic filtering options
Protocol Anomaly prevention options
Anti-Overbilling options
Log options
Specifying logging types
GTP performance
Configuring GTP on FortiOS Carrier
GTP support on the Carrier-enabled FortiGate unit
Packet sanity checking
GTP stateful inspection
Protocol anomaly detection and prevention
GTP Shared Tunnel Limit
HA
Virtual domain support
Configuring General Settings on the Carrier-enabled FortiGate unit
GTP Monitor Mode
GTP Stats via SNMP
Configuring Encapsulated Filtering in FortiOS Carrier
Configuring the Protocol Anomaly feature in FortiOS Carrier
Configuring Anti-overbilling in FortiOS Carrier
Logging events on the Carrier-enabled FortiGate unit
GTP message type filtering
GTP identity filtering
SCTP Concepts
SCTP Firewall
Troubleshooting
FortiOS Carrier diagnose commands
Applying IPS signatures to IP packets within GTP-U tunnels
GTP packets are not moving along your network
Sandbox inspection
Using FortiSandbox with a FortiGate
Connecting a FortiGate to FortiSandbox
FortiSandbox console
Sandbox integration
Overview
Example configuration
Sandbox inspection FAQ
FortiView
Overview
Enabling FortiView
FortiView interface
FortiView consoles
Sources
Destinations
Applications
Cloud Applications
Web Sites
Threats
WiFi Clients
Traffic Shaping
System Events
VPN
Endpoint Vulnerability
Threat Map
Policies
Interfaces
FortiSandbox
All Sessions
Reference
Filtering options
Drill-Down Options
Columns displayed
Risk level indicators
Troubleshooting
Logging and reporting
Logging and reporting overview
Logging and reporting for small networks
Logging and reporting for large networks
Advanced logging
Troubleshooting and logging
Troubleshooting
Troubleshooting methodologies
Troubleshooting tools
FortiOS diagnostics
FortiOS ports
FortiAnalyzer and FortiManager ports
FortiGuard troubleshooting
Troubleshooting tips
Troubleshooting resources
Home
FortiGate / FortiOS 6.0.0
Handbook
6.0.0
6.0.0
Advanced static routing
Advanced static routing
Advanced static routing includes features and concepts that are used in more complex networks.
Previous
Next
Advanced static routing
Advanced static routing
Advanced static routing includes features and concepts that are used in more complex networks.
Previous
Next
Home
Product Pillars
Network Security
Network Security
FortiGate / FortiOS
FortiGate 5000
FortiGate 6000
FortiGate 7000
FortiProxy
NOC & SOC Management
FortiManager
FortiManager Cloud
FortiAnalyzer
FortiAnalyzer Cloud
FortiMonitor
FortiGate Cloud
Enterprise Networking
Secure SD-WAN
FortiLAN Cloud
FortiSwitch
FortiAP / FortiWiFi
FortiAP-U Series
FortiNAC-F
FortiExtender
FortiExtender Cloud
FortiAIOps
Business Communications
FortiFone
FortiVoice
FortiVoice Cloud
FortiRecorder
FortiCamera
Zero Trust Access
ZTNA
Zero Trust Network Access
FortiClient EMS
SASE
FortiSASE
Identity
FortiAuthenticator
FortiTrust Identity
FortiToken Cloud
FortiToken
Cloud Security
Hybrid Cloud Security
FortiGate Public Cloud
FortiGate Private Cloud
FortiFlex
Cloud Native Protection
FortiCNP
FortiDevSec
Web Application / API Protection
FortiWeb
FortiWeb Cloud
FortiADC
FortiGSLB
FortiGuard ABP
SAAS Security
FortiMail
FortiMail Cloud
FortiCASB
Security Operations
SOC Platform
FortiAnalyzer
FortiAnalyzer Cloud
FortiSIEM
/
FortiSIEM Cloud
FortiSOAR
FortiPhish
Advanced Threat Protection
FortiSandbox
FortiSandbox Cloud
FortiNDR
FortiNDR Cloud
FortiDeceptor
FortiInsight
FortiInsight Cloud
FortiIsolator
Endpoint Security
FortiClient
FortiClient Cloud
FortiEDR
Best Practices
Solution Hubs
Cloud
FortiCloud
Public & Private Cloud
Popular Solutions
Secure SD-WAN
Zero Trust Network Access
Secure Access
Next Generation Firewall
Security Fabric
Tele-Working
Multi-Factor Authentication
FortiASIC
Operational Technology
MSSP
4-D Resources
Secure SD-WAN
Zero Trust Network Access
Wireless
Switching
Secure Access Service Edge
Identity and Access Management
Next Generation Firewall
Hardware Guides
FortiAnalyzer
FortiAnalyzer Big-Data
FortiADC
FortiAP / FortiWiFi
FortiAP U-Series
FortiAuthenticator
FortiCache
FortiCarrier
FortiController
FortiDDoS
FortiDDoS-F
FortiDeceptor
FortiExtender
FortiGate
FortiGate-5000
FortiGate-6000
FortiGate-7000
FortiHypervisor
FortiIsolator
FortiMail
FortiManager
FortiNAC
FortiNDR
FortiProxy
FortiRecorder
FortiRPS
FortiSandbox
FortiSIEM
FortiSwitch
FortiTester
FortiToken
FortiVoice
FortiWAN
FortiWeb
FortiWLC
FortiWLM
Product A-Z
AscenLink
AV Engine
AWS Firewall Rules
Container FortiOS
FortiADC
FortiADC E Series
FortiADC Manager
FortiADC Private Cloud
FortiADC Public Cloud
FortiAIOps
FortiAnalyzer
FortiAnalyzer BigData
FortiAnalyzer BigData Private Cloud
FortiAnalyzer Cloud
FortiAnalyzer Private Cloud
FortiAnalyzer Public Cloud
FortiAP / FortiWiFi
FortiAP-U Series
FortiAuthenticator
FortiAuthenticator Private Cloud
FortiAuthenticator Public Cloud
FortiAuthProxy
FortiBalancer
FortiBranchSASE
FortiBridge
FortiCache
FortiCamera
FortiCamera Cloud
FortiCare Elite
FortiCarrier
FortiCASB
FortiCentral
FortiClient
FortiClient Cloud
FortiCloud Services
FortiCNP
FortiConnect
FortiController
FortiConverter Service
FortiConverter Tool
FortiCore
FortiCSPM
FortiCWP
FortiDAST
FortiDB
FortiDDoS
FortiDDoS-F
FortiDeceptor
FortiDeceptor DaaS
FortiDeceptor Private Cloud
FortiDeceptor Public Cloud
FortiDevSec
FortiDLP
FortiDLP Agent
FortiDLP Policies
FortiDNS
FortiEdge Cloud
FortiEDR/XDR
FortiEndpoint
FortiExplorer
FortiExplorer Go
FortiExtender
FortiFlex
FortiFone
FortiGate / FortiOS
FortiGate Cloud
FortiGate CNF
FortiGate Private Cloud
FortiGate Public Cloud
FortiGate-5000
FortiGate-6000
FortiGate-7000
FortiGate-as-a-Service
FortiGSLB
FortiGuard Advanced Bot Protection
FortiGuest
FortiHypervisor
FortiInsight
FortiInsight Cloud
FortiIPAM
FortiIsolator
FortiIsolator Public Cloud
FortiLAN Cloud
FortiMail
FortiMail Cloud
FortiManager
FortiManager Cloud
FortiManager Private Cloud
FortiManager Public Cloud
FortiMonitor
FortiNAC
FortiNAC-F
FortiNDR
FortiNDR (on-premise) Private Cloud
FortiNDR (on-premise) Public Cloud
FortiNDR Cloud
FortiNDR Cloud Sensors
FortiPAM
FortiPAM Private Cloud
FortiPAM Public Cloud
FortiPhish
FortiPlanner
FortiPolicy
FortiPortal
FortiPortal Public Cloud
FortiPresence
FortiPresence VM
FortiProxy
FortiProxy Private Cloud
FortiProxy Public Cloud
FortiRecon
FortiRecorder
FortiRPS
FortiSandbox
FortiSandbox Cloud
FortiSandbox Private Cloud
FortiSandbox Public Cloud
FortiSASE
FortiScanner
FortiSIEM
FortiSIEM Cloud
FortiSOAR
FortiSOAR Cloud
FortiSRA
FortiSwitch
FortiSwitch Manager
FortiTap
FortiTester
FortiTester Private Cloud
FortiTester Public Cloud
FortiToken
FortiToken Cloud
FortiTrust Identity
FortiVoice
FortiVoice Cloud
FortiVoice Private Cloud
FortiVoice Public Cloud
FortiWAN
FortiWAN Controller
FortiWeb
FortiWeb Cloud
FortiWeb Manager Private Cloud
FortiWeb Manager Public Cloud
FortiWeb Private Cloud
FortiWeb Public Cloud
FortiWLM
FortiZTP
IPS Engine
Lacework FortiCNAPP
Managed FortiGate Service
Overlay-as-a-Service
Security Awareness and Training
SOCaaS
Wireless Controller
Ordering Guides
Download PDF
Table of Contents
What's new
Fortinet Security Fabric
Manageability
Networking
Security
SSH MITM deep inspection
Getting started
Installation
Quick installation using DHCP
NAT mode installation
Virtual wire pair
Using the GUI
Connecting using a web browser
Menus
Dashboard
Feature Visibility
Tables
Text strings
Using the CLI
Connecting to the CLI
CLI-only features
Command syntax
Sub-commands
Permissions
Tips
FortiExplorer for iOS
LED specifications
Inspection mode
Basic administration
Registration
System settings
Passwords
Configuration backups
Firmware
Downloading
Testing
Upgrading
Reverting
Installation from system reboot
Restoring from a USB key
Controlled upgrade
FortiGuard
FortiCloud
Troubleshooting your installation
Resources
Fortinet Security Fabric
Overview
Benefits
Components
Configuration
FortiGate, FortSwitch, and FortiAP
FortiAnalyzer
FortiSandbox
FortiManager
FortiClient EMS
Using the Fortinet Security Fabric
Dashboard widgets
Topology
Security Rating
Automation stitches
Triggers
Actions
Creating automation stitches
Chaining and delaying actions
Diagnose commands
Fabric Connectors
Available services
Configuration
Verifying status
SD-WAN
Configuring SD-WAN
SD-WAN requirements
Configuring a basic SD-WAN deployment
Removing existing configuration references to interfaces
Creating SD-WAN interfaces
Configuring SD-WAN load balancing
Creating a static route for the SD-WAN interface
Configuring security policies for SD-WAN
Configuring link health monitoring
Configuring SD-WAN rules
Using the best quality strategy
Using the minimum quality SLA strategy
Monitoring SD-WAN
Applying traffic shaping to SD-WAN traffic
Viewing SD-WAN information in the Fortinet Security Fabric
High availability
HA solutions
FortiGate Cluster Protocol (FGCP)
FortiGate Session Life Support Protocol (FGSP)
VRRP
Session-Aware Load Balancing Clustering (SLBC)
Enhanced Load Balancing Clustering (ELBC)
Content clustering
FGCP HA
Synchronizing the configuration
Preparing to setup HA
Basic configuration steps
Active-passive and active-active HA
Identifying the cluster
Device, link, and session failover
Primary unit selection with override disabled (default)
Primary unit selection with override enabled
DHCP and PPPoE compatability
Distributed clustering
Clusters of three or four FortiGates
Disk storage
FGCP best practices
FGCP HA glossary
FGCP support for OCVPN
GUI options
FGCP HA examples
How to set up FGCP HA
HA with three FortiGates
Active-active HA in transparent mode
FortiGate-5000 active-active HA cluster with FortiClient licenses
Replacing a failed cluster unit
HA with 802.3ad aggregate interfaces
HA with redundant interfaces
Troubleshooting
Virtual clustering
Configuration
Virtual clustering examples
Inter-VDOM links and virtual clustering
Troubleshooting virtual clustering
Full mesh HA
Full mesh HA example
Troubleshooting full mesh HA
Operating a cluster
Operating a virtual cluster
Out-of-band management
In-band management
Managing FortiGate in a virtual cluster
Shutdown/reboot the primary unit
Backup FortiGate management
RADIUS and LDAP servers
FortiGuard services
Logging
SNMP
FortiClient licenses
Cluster members list
Virtual cluster members list
HA statistics
HA configuration change
HA configuration change - virtual cluster
Backup FortiGate host name and device priority
Firmware upgrade
Firmware downgrade
Configuration backup and restore
Failover monitoring
CLI HA status
Managing individual cluster units
Disconnecting a FortiGate
Restoring a disconnected FortiGate
diagnose sys ha dump-by
Failover protection
A-P failover
A-A failover
Device failover
HA heartbeat
Unicast HA heartbeat
Cluster virtual MAC addresses
Synchronizing the configuration
Synchronizing kernel routing tables
Routing graceful restart
Link failover
Monitoring VLAN interfaces
Remote link failover
Failover affects the network
Failover monitoring
NAT mode A-P packet flow
Transparent mode A-P packet flow
Failover performance
Session failover
TCP, UDP, ICMP, and multicast sessions
If session pickup is disabled
Improving session sync performance
Pass-through sessions
Terminated sessions
IPsec VPN SA sync
WAN optimization
HA and load balancing
Load balancing schedules
TCP and UDP load balancing
NP6 and load balancing
Weighted load balancing
Dynamic optimization
Weighted load balancing example
NAT mode A-A packet flow
Transparent mode A-A packet flow
FortiGate-VM and third-party HA
VMware HA
Hyper-V HA
Layer-2 switches
Layer-3 switches
Connected equipment
Ethertype conflicts
LACPand 802.3ad aggregation
VRRP
Configuration
Adding IPv4 virtual router to an interface
Adding IPv6 virtual routers to an interface
VRRP failover
VRRP groups
VRRP virtual MACs
Single-domain VRRP example
Multi-domain VRRP example
Optional settings
FortiController-5000 VRRP support
FGSP
Between FGCP clusters
Configuration
TCP and SCTP sessions
Firmware upgrades
Configuration backup and restore
IPsec tunnels
Connectionless (UDP and ICMP) sessions
NAT sessions
Asymmetric sessions
Expectation sessions
GTP sessions
Flow-based inspection sessions
Notes and limitations
Session synchronization links
FGSP example
Verifying FGSP operation
Standalone configuration sync
Firewall
Firewall concepts
What is a firewall?
NAT mode and transparent mode
How FortiOS handles packets
Interfaces and zones
Access control lists
Firewall policies
Hair-pinning
Blocking traffic by a service or protocol
Learning mode
NGFW policy mode
DNS traffic in NGFW mode
Security profiles
Proxy option components
SSL/SSH inspection
Mirroring SSL inspected traffic
Encryption strength for proxied SSH sessions
RPC over HTTP
Security profile groups
Making security profile groups visible
NAT
The origins of NAT
Dynamic NAT
Static NAT
Benefits of NAT
NAT in transparent mode
Central NAT table
NAT64 and NAT46
NAT64 CLAT
NAT66
Session differentiation
IP pools
Services and TCP ports
Protocol types
TCP/UDP/SCTP
Protocol port values
ICMP
ICMP types and codes
log-invalid-packet
ICMPv6
ICMPv6 types and codes
IP
Protocol number
VPN policies
DSRI
Interface policies
DoS protection
Local-In policies
Security policy 0
Deny policies
Accept policies
Fixed port
Fixed port range IP pools algorithm
Endpoint security
Traffic logging
IPv6
Benefits
Addressing
Packet structure
Policies
NAT66, NAT64, NAT46 and DNS64
IPv6 tunneling
Tunneling IPv6 through IPsec VPN
IPv6 support for GRE tunnels
SIP
IPv6 MIB fields
Per-IP traffic shaper
DHCPv6
IPv6 forwarding
Authentication
FSSO
Neighbor discovery proxy
Address groups
Address ranges
Firewall addresses
SSH
ICMPv6
IPsec VPN
TCP MSS values
BGP
RIPng
RSSO
IPS
Blocking IPv6 packets by extension headers
DoS policies
Configure hosts in an SNMP community
PIM sparse mode multicast routing
Neighbor discovery proxy
Network defense
Inside FortiOS: Denial of Service (DoS) protection
Monitoring
Blocking external probes
Defending against DoS attacks
Policies
UUID support
Viewing firewall policies
Policy names
IPv4 policy
ISDB and IRDB in firewall policies
IPv6 policy
NAT64 policy
NAT46 policy
Central SNAT
IPv4 access control list
IPv6 access control list
IPv4 DoS policy
IPv6 DoS policy
Multicast policy
SSL mirroring for policies
Addresses
Interfaces
IPv4 addresses
FQDN addresses
Changing the TTL of a FQDN address
Geography based addresses
IP range addresses
IP / netmask addresses
Wildcard addressing
Wildcard FQDN
Wildcard FQDNs for SSL deep inspection exemptions
IPv6 addresses
Subnet addresses
IPv6 FQDN firewall addresses
Firewall IPv6 address templates
Multicast addresses
Multicast IP range
Broadcast subnet
Multicast IP addresses
Proxy addresses
Internet services
Address groups
Virtual IPs
IPv4 VIPs
IPv6 VIPs
NAT46 VIPs
NAT64 VIPs
FQDNs in VIPs
Dynamic VIP DNS translation
VIP groups
IP pools
IPv4 pools
IPv6 pools
NAT46 IP pools and secondary NAT64 prefixes
Services
Categories
Creating services
Specific addresses in TCP/UDP/SCTP
Service groups
Schedules
One-time schedules
Recurring schedules
Schedule groups
Schedule expiration
WAN optimization, proxies, web caching, and WCCP
Before you begin
FortiGate models that support WAN optimization
Distributing WAN optimization processing
Disk usage
Example topologies
Basic WAN optimization topology
Out-of-path WAN optimization topology
Topology for multiple networks
WAN optimization with web caching
Explicit web proxy topologies
Explicit FTP proxy topologies
Web caching topologies
WCCP topologies
WAN optimization
Client/server architecture
Peers and authentication groups
Peer requirements
Tunnel requests for peer authentication
Peers
Authentication groups
Secure tunneling
Peer performance
WAN optimization peers
Protocol optimization
Protocol optimization and MAPI
Byte caching
Transparent mode
Operating modes and VDOMs
Tunnels
Identity policies, load balancing, and traffic shaping
HA
Memory usage
Manual (peer-to-peer) and active-passive
Profiles
Monitoring performance
configuration summary
Storage
Cache service
Video caching
Best practices
Manual (peer-to-peer) WAN optimization configuration
Active-passive WAN optimization
Secure tunneling
Transparent and explicit proxies
Proxy policy
Transparent proxy concepts
Transparent proxy configuration
Proxy authentication
Proxy addresses
Web proxy configuration
Logging options in web proxy profiles
Policy matching based on referrer headers and query strings
Multiple web proxy PAC files in one VDOM
Web proxy firewall services and service groups
Learn client IP
Explicit web proxy
Options
Proxy chaining
Security profiles, threat weight, and device identification
Session and user limits
External IP addressses
Incoming IP
Outgoing source IP
Address types
Proxy auto-config (PAC)
Unknown HTTP version
Authentication realm
Botnet scanning
Adding disclaimers
HTTP headers
Transparent mode
Kerberos
Explicit FTP proxy
Protecting an FTP server
Security profiles, threat weight, and device identification
Proxy sessions and user limits
Configuration
Incoming IP
Outgoing source IP
Example
Web caching
Configuration
HA
Memory usage
Caching options
Forwarding URLs and exempting
Monitoring performance
Forward proxy configuration
Reverse proxy configuration
Using a FortiCache
WCCP
Configuration
L2-forwarding tunneling
Services
Caching HTTP sessions on port 80
Caching HTTP sessions on port 80 and HTTPS sessions on port 443
Packet flow
Authentication
Messages
Troubleshooting
WAN optimization diagnose commands
get test {wad | wccpd}
diagnose wad
diagnose wad worker
diagnose wad csvc
diagnose wacs
diagnose wadbd
diagnose debug application {wad | wccpd} [
]
diagnose test application wad 2200
Security Profiles
Overview
Inside FortiOS
AntiVirus
Application control
Intrusion prevention system (IPS)
Web filtering
Inspection modes
Proxy-based inspection
Flow-based inspection
Comparison
Security profiles and different modes
Changing modes
AntiVirus
Concepts
Malware
Scanning order
Databases
Techniques
FortiSandbox
Client comforting
Oversized files and emails
Archive scan depth
Scan buffer size
Windows file sharing (CIFS)
Enabling scanning
Testing your configuration
Examples
Web filtering
Concepts
Inspection modes
FortiGuard Web Filtering
Configuring profiles
Overriding FortiGuard website categorization
Web Profile Overrides
SafeSearch
YouTube Education Filter
Static URL filter
Web content filter
Example
Advanced configurations
DNS filter
FortiGuard botnet protection
Application control
Concepts
Configuring profiles
Actions
Considerations
Monitoring
Examples
Blocking instant messaging
Allowing software updates
Blocking Windows XP
Intrusion prevention
Concepts
Configuring profiles
High availability
Options
Packet logging
Examples
Anti-spam filter
Concepts
Techniques
Configuring profiles
Filtering order
Actions
Examples
Data leak prevention
Concepts
Configuring profiles
Configuring sensors
Archiving
Examples
ICAP support
Overview
Offloading
Configuring profiles
Example sequence
Example scenario
FortiClient Compliance Profiles
Overview
Configuring profiles
Registration over a VPN
Microsoft AD users
Replacement messages
Monitoring
Proxy options
SSL/SSH inspection
Why use SSL inspection
Configuring profiles
FortiGate allowlist
SSH MITM deep inspection
Server table for SSL offloading
Other considerations
Virtual domains
Conserve mode
Wildcards and Perl regular expressions
Session distribution
CPU affinity
Excluding industrial IP signatures
Other considerations
Authentication
Introduction to authentication
Authentication servers
Users and user groups
FortiToken Mobile user instructions
Managing guest access
Configuring authenticated access
Captive portals
Certificate-based authentication
Single sign-on using a FortiAuthenticator unit
Single sign-on to Windows AD
Agent-based FSSO
SSO using RADIUS accounting records
Monitoring authenticated users
Examples and troubleshooting
IPsec VPN
IPsec VPN concepts
VPN tunnels
VPN gateways
Clients, servers, and peers
Encryption
Authentication
Phase 1 and Phase 2 settings
Security Association
IKE and IPsec packet processing
IPsec VPN overview
Types of VPNs
Planning your VPN
General preparation steps
How to use this guide to configure an IPsec VPN
IPsec VPN from the GUI
Phase 1 configuration
Concentrator
IPsec Monitor
Phase 1 parameters
Overview
Defining the tunnel ends
Choosing Main mode or Aggressive mode
Authenticating the FortiGate unit
Authenticating remote peers and clients
Defining IKE negotiation parameters
Using XAuth authentication
Dynamic IPsec route control
Phase 2 parameters
Phase 2 settings
Configuring Phase 2 parameters
Defining VPN security policies
Defining policy addresses
Defining security policies
Gateway-to-gateway configuration
Gateway-to-gateway configuration
Testing
Hub-and-spoke configuration
Configuration overview
Configure the hub
Configure the spokes
Dynamic spokes configuration example
One-Click VPN (OCVPN)
General configuration
Key exchange
Device polling and controller information
System states
Debugging and logging
Dynamic DNS configuration
Configuration overview
FortiClient dialup-client configuration
Configuration overview
FortiGate dialup-client configuration
Configuration overview
Supporting IKE Mode Config clients
Automatic configuration overview
Internet-browsing configuration
Configuration overview
Redundant VPN configuration
Configuration overview
Transparent-mode VPN configuration
Configuration overview
IPv6 IPsec VPNs
Configuration examples
L2TP and IPsec (Microsoft VPN)
Configuration overview
GRE over IPsec (Cisco VPN)
Configuration overview
Protecting OSPF with IPsec
Configuration overview
Redundant OSPF routing over IPsec
Configuration
BGP over dynamic IPsec
IPsec Auto-Discovery VPN (ADVPN)
Example ADVPN configuration
Logging and monitoring
Monitoring VPN connections
VPN event logs
Troubleshooting
General troubleshooting tips
Troubleshooting L2TP and IPsec
Troubleshooting GRE over IPsec
SSL VPN
Overview
SSL VPN modes of operation
Port forwarding mode
SSL VPN conserve mode
Traveling and security
SSL VPN and IPv6
SSL VPN best practices
Basic configuration
User accounts and groups
Configuring SSL VPN web portals
Configuring security policies
Configuring encryption key algorithms
Additional configuration options
SSL VPN with FortiToken two-factor authentication
SSL VPN client
FortiClient
Tunnel mode client configuration
SSL VPN web portal
Connecting to the FortiGate unit
Web portal overview
Portal configuration
Using the Bookmarks widget
Using the Quick Connection Tool
Using FortiClient
Setup examples
Secure Internet browsing
Split tunnel
SSL VPN with LDAP user authentication
Multiple user groups with different access permissions
Troubleshooting
Networking
Interfaces
Configuring administrative access to interfaces
Using server probes on interfaces
Aggregate interfaces
DHCP addressing mode on an interface
DHCP servers and relays
Interface MTU packet size
Interface settings
Loopback interfaces
One-armed sniffer
Physical ports
PPPoE addressing mode on an interface
Redundant interfaces
Dual Internet connections
Secondary IP addresses to an interface
Software switch
Soft switch example
Virtual switch
Zones
Virtual domains
VXLANs
Wireless
VLANs
VLANs in NAT mode
VLANs in transparent mode
VLANs over VXLANs
VLAN switching and routing
Layer-2 and ARP traffic
STP forwarding
ARP traffic
Multiple VDOMs solution
Vlanforward solution
Forward-domain solution
Asymmetric routing
NetBIOS
Too many VLAN interfaces
Troubleshooting VLAN issues
Enhanced MAC VLANs
Virtual wire pairs
Botnet and command-and-control protection
DNS
Advanced static routing
Routing concepts
Static routing tips
Policy routing
Static routing in transparent mode
Static routing example
Dynamic routing
Comparison of dynamic routing protocols
Choosing a routing protocol
Dynamic routing terminology
Controlling how routing changes affect active sessions
IPv6 in dynamic routing
RIP
Troubleshooting RIP
Simple RIP example
RIPng: RIP and IPv6
OSPF
Troubleshooting OSPF
Basic OSPF example
Advanced inter-area OSPF example
Controlling redundant links by cost
BGP
Troubleshooting BGP
Dual-homed BGP example
Redistributing and blocking routes in BGP
IS-IS
Troubleshooting IS-IS
Simple IS-IS example
Multicast forwarding
Sparse mode
Dense mode
PIM support
Multicast forwarding and FortiGate devices
Multicast forwarding and RIPv2
Configuring FortiGate multicast forwarding
Adding multicast security policies
Enabling multicast forwarding
Multicast routing examples
Example FortiGate PIM-SM configuration using a static RP
FortiGate PIM-SM debugging examples
Example multicast DNAT configuration
Example PIM configuration that uses BSR to find the RP
Modems
Enabling modem support
Determining if your modem is supported
Setting up your supported LTE modem
Setting up your supported PPP modem
Configuring an unsupported modem
Troubleshooting
Netflow support
Netflow templates
Configuring sFlow
Packet capture
Transparent mode
Overview
What is transparent mode?
Transparent mode features
Installation
Installing the FortiGate
Virtual wire pair
Management IP configuration
Networking in transparent mode
Static routing
Overview
Source prefixes
Packet forwarding
MAC learning and L2 forwarding table
Broadcast, multicast, and unicast forwarding
Multicast processing
Source MAC addresses
ARP table
Verifying the forwarding database
STP forwarding
Non-IPv4 Ethernet frames forwarding
Network address translation (NAT)
Configuring SNAT
Configuring DNAT
VLANs and forwarding domains
VLANs in transparent mode
Forwarding domains in transparent mode
VLANs vs forwarding domains
VLAN forwarding
Unknown VLANs and VLAN forwarding
VLAN trunking and MAC address learning
VLAN translation
Inter-VDOM links between NAT and transparent VDOMs
Replay traffic scenario
Packet forwarding using Cisco protocols
Configuration example
Firewalls and security in transparent mode
Firewall policy look up
Firewall session list
Security scanning
IPsec VPN in transparent mode
Using IPsec VPNs in transparent mode
Example 1: Remote sites with different subnets
Example 2: Remote sites on the same subnet
Using FortiManager and FortiAnalyzer
High availability in transparent mode
Virtual clustering
MAC address assignment
Best practices
VoIP Solutions: SIP
Inside FortiOS: Voice over IP (VoIP) protection
Common SIP VoIP configurations
Peer to peer configuration
SIP proxy server configuration
SIP redirect server configuration
SIP registrar configuration
SIP with a FortiGate
SIP messages and media protocols
Hardware accelerated RTP processing
SIP request messages
SIP response messages
SIP message start line
SIP headers
The SIP message body and SDP session profiles
Example SIP messages
The SIP session helper
SIP session helper configuration overview
Viewing, removing, and adding the SIP session helper configuration
Changing the port numbers that the SIP session helper listens on
Configuration example: SIP session helper in transparent mode
SIP session helper diagnose commands
The SIP ALG
Enabling VoIP support from the GUI
SIP ALG configuration overview
VoIP profiles
Changing the port numbers that the SIP ALG listens on
Disabling the SIP ALG in a VoIP profile
SIP ALG diagnose commands
Conflicts between the SIP ALG and the session helper
Stateful SIP tracking, call termination, and session inactivity timeout
Adding a media stream timeout for SIP calls
Adding an idle dialog setting for SIP calls
Changing how long to wait for call setup to complete
SIP and RTP/RTCP
How the SIP ALG creates RTP pinholes
Configuration example: SIP in transparent mode
RTP enable/disable (RTP bypass)
Opening and closing SIP register, contact, via and record-route pinholes
Accepting SIP register responses
How the SIP ALG performs NAT
SIP ALG source address translation
SIP ALG destination address translation
SIP call re-invite messages
How the SIP ALG translates IP addresses in SIP headers
How the SIP ALG translates IP addresses in the SIP body
SIP NAT scenario: source address translation (source NAT)
SIP NAT scenario: destination address translation (destination NAT)
SIP NAT configuration example: source address translation (source NAT)
SIP NAT configuration example: destination address translation (destination NAT)
SIP and RTP source NAT
SIP and RTP destination NAT
Source NAT with an IP pool
Different source and destination NAT for SIP and RTP
NAT with IP address conservation
Controlling how the SIP ALG NATs SIP contact header line addresses
Controlling NAT for addresses in SDP lines
Translating SIP session destination ports
Translating SIP sessions to multiple destination ports
Adding the original IP address and port to the SIP message header after NAT
Enhancing SIP pinhole security
Hosted NAT traversal
Configuration example: Hosted NAT traversal for calls between SIP Phone A and SIP Phone B
Hosted NAT traversal for calls between SIP Phone A and SIP Phone C
Restricting the RTP source IP
SIP over IPv6
Deep SIP message inspection
Actions taken when a malformed message line is found
Logging and statistics
Deep SIP message inspection best practices
Configuring deep SIP message inspection
Blocking SIP request messages
SIP rate limiting
Limiting the number of SIP dialogs accepted by a security policy
SIP logging
Inspecting SIP over SSL/TLS (secure SIP)
Adding the SIP server and client certificates
Adding SIP over SSL/TLS support to a VoIP profile
SIP and HA–session failover and geographic redundancy
SIP geographic redundancy
Supporting geographic redundancy when blocking OPTIONS messages
Support for RFC 2543-compliant branch parameters
SIP and IPS
SIP debugging
SIP debug log format
SIP-proxy filter per VDOM
SIP-proxy filter command
SIP debug setting
Display SIP rate-limit data
Best practices
General considerations
Customer service and technical support
Fortinet Knowledge Base
System and performance
Performance
Shutting down
Migration
Information gathering
Object and policy migration
Testing and validation
Going live and obtaining feedback
Adding new services
Environmental specifications
Grounding
Rack mounting
Firmware
Firmware change management
Performing a firmware upgrade
Performing a firmware downgrade
Performing a configuration backup
Security Profiles (AV, Web Filtering etc.)
Firewall
Security
Authentication
Antivirus
Antispam
Intrusion Prevention System (IPS)
Email filter
URL filtering
Web filtering
Patch management
Policy configuration
Networking
Routing configuration
Advanced routing
Network Address Translation (NAT)
Transparent Mode
Using virtual IPs (VIPs)
FGCP high availability
Heartbeat interfaces
Interface monitoring (port monitoring)
WAN Optimization
Virtual Domains (VDOMs)
Per-VDOM resource settings
Virtual domains in NAT mode
Virtual clustering
Explicit proxy
Wireless
Encryption and authentication
Geographic location
Network planning
Lowering the power level to reduce RF interference
Wireless client load balancing
Local bridging
Advertising SSIDs
Using static IPs in a CAPWAP configuration
Logging and reporting
Log management
System memory and hard disks
Managing devices
Managing “bring your own device”
Device monitoring
Device groups
Controlling access with a MAC ACL
Security policies for devices
Managing Fortinet devices
Server load balancing
Inside FortiOS: server load balancing
Basic load balancing configuration example
Configuring load balancing
Load balancing and other FortiOS features
Configuring load balancing from the GUI
Configuring load balancing from the CLI
Load balancing methods
Session persistence
Real servers
Health check monitoring
Load balancing limitations
Monitoring load balancing
Load balancing diagnose commands
Configuring load balancing
Server load balancing configuration
HTTP and HTTPS load balancing, multiplexing, and persistence
HTTP and HTTPS multiplexing
HTTP and HTTPS persistence
HTTP host-based load balancing
SSL/TLS load balancing
SSL/TLS offloading
Separate virtual-server client and server TLS version and cipher configuration
Setting the SSL/TLS versions to use for server and client connections
Setting the SSL/TLS cipher choices for server and client connections
Protection from TLS protocol downgrade attacks
Setting 3072- and 4096-bit Diffie-Hellman values
Additional SSL load balancing and SSL offloading options
SSL offloading support for Internet Explorer 6
Selecting the cipher suites available for SSL load balancing
Disabling SSL/TLS re-negotiation
IP, TCP, and UDP load balancing
Example HTTP load balancing to three real web servers
Example Basic IP load balancing configuration
Example Adding a server load balance port forwarding virtual IP
Example Weighted load balancing configuration
Example HTTP and HTTPS persistence configuration
System administration
Administrators
Monitoring
Dashboard
Monitor menus
Logging
Alert email
SNMP
SNMP get command syntax
Replacement messages
Administration for schools
PPTP and L2TP
Configuring L2TP VPNs
L2TP configuration overview
Session helpers
Viewing the session helper configuration
Changing the session helper configuration
Changing the protocol or port that a session helper listens on
Disabling a session helper
DCE-RPC session helper (dcerpc)
DNS session helpers (dns-tcp and dns-udp)
File transfer protocol (FTP) session helper (ftp)
H.323 and RAS session helpers (h323 and ras)
Media Gateway Controller Protocol (MGCP) session helper (mgcp)
ONC-RPC portmapper session helper (pmap)
PPTP session helper for PPTP traffic (pptp)
Remote shell session helper (rsh)
Real-Time Streaming Protocol (RTSP) session helper (rtsp)
Session Initiation Protocol (SIP) session helper (sip)
Trivial File Transfer Protocol (TFTP) session helper (tftp)
Oracle TNS listener session helper (tns)
Advanced concepts
Single firewall vs. multiple virtual domains
Assigning IP address by MAC address
IP addresses for self-originated traffic
Disk
CLI scripts
Rejecting PING requests
Opening TCP 113
Obfuscate HTTP responses from SSL VPN
Blocking land attacks in transparent mode
Multi-dimension tagging
Traffic shaping
Overview
Configuring traffic shaping
Enabling traffic shaping
Configuring shared policy traffic shaping
Configuring per-IP traffic shaping
Configuring traffic shaping policies
Configuring application control traffic shaping
Configuring interface-based traffic shaping
Changing bandwidth measurement units for traffic shapers
Configuring ToS priority
Configuring differentiated services
Configuring traffic mapping
Monitoring traffic shaping
Traffic shaping examples
Traffic shaping priority queueing (PRIQ)
Troubleshooting traffic shaping
Virtual Domains
VDOMs overview
Benefits
Configurations
Configuring VDOMs
Enabling VDOMs
Configuring additional VDOMs
Inter-VDOM routing
Example configurations
Example 1: NAT mode
Example 2: NAT and transparent mode
Troubleshooting VDOMs
FortiWifi and FortiAP Configuration
Introduction to wireless networking
Wireless networking concepts
Security
Authentication
Wireless networking equipment
Automatic Radio Resource Provisioning
Captive portals
WiFi LAN configuration
Overview
Setting your geographic location
Creating a FortiAP profile
Defining a wireless network interface (SSID)
Defining SSID groups
Configuring dynamic user VLAN assignment
Configuring user authentication
Configuring firewall policies for the SSID
Configuring the built-in access point on a FortiWiFi unit
Enforcing UTM policies on a local bridge SSID
Access point deployment
Network topology for managed APs
Discovering and authorizing APs
Advanced WiFi controller discovery
Wireless client load balancing for high-density deployments
FortiAP groups
LAN port options
Preventing IP fragmentation of packets in CAPWAP tunnels
LED options
CAPWAP bandwidth formula
Remote AP setup
Configuring FortiGate before deploying remote APs
Configuring FortiAPs to connect to FortiGate
Final FortiGate configuration tasks
Wireless mesh
Configuring a meshed WiFi network
Configuring a point-to-point bridge
Hotspot 2.0
Combining WiFi and wired networks with a software switch
FortiAP local bridging (private cloud-managed AP)
Using bridged FortiAPs to increase scalability
Using remote WLAN FortiAPs
Features for high-density deployments
Wireless network protection
Wireless Intrusion Detection System
WiFi data channel encryption
Protected Management Frames and Opportunistic Key Caching support
Bluetooth Low Energy scan
Preventing local bridge traffic from reaching the LAN
FortiAP-S bridge mode security profiles
DHCP Snooping Option-82 Data Insertion
Wireless network monitoring
Monitoring wireless clients
Monitoring rogue APs
Suppressing rogue APs
Monitoring wireless network health
Wireless network client configuration
Configuring a wireless network connection using a Windows XP client
Configuring a wireless network connection using a Windows 7 client
Configuring a wireless network connection using a Mac OS client
Configuring a wireless network connection using a Linux client
Troubleshooting
Wireless network examples
Basic wireless network example
Complex wireless network example
Managing a FortiAP with FortiCloud
FortiCloud-managed FortiAP WiFi
FortiCloud-managed FortiAP WiFi without a key
Using a FortiWiFi unit as a client
Using a FortiWiFi unit in the client mode
Configuring a FortiAP unit as a WiFi Client in client mode
Support for location-based services
Configuring location tracking
Viewing device location data on the FortiGate unit
Troubleshooting
Reference
Wireless radio channels
WiFi event types
FortiAP CLI
FortiSwitch devices managed by FortiOS
Connecting FortiLink ports
Using the FortiGate GUI
Using the FortiGate CLI
Network topologies
Optional setup tasks
FortiSwitch port features
FortiSwitch port security policy
Additional capabilities
Troubleshooting
FortiOS Carrier
Overview of FortiOS Carrier features
MMS
GTP
MMS Concepts
MMS background
How FortiOS Carrier processes MMS messages
MMS protection profiles
Bypassing MMS protection profile filtering based on carrier endpoints
Applying MMS protection profiles to MMS traffic
MMS Configuration
MMS profiles
MMS scanning options
MMS Bulk Anti-Spam Detection options
MMS Address Translation options
MMS Notifications
DLP Archive options
Logging
MMS Content Checksum
Notification List
Message Flood
Duplicate Message
Carrier Endpoint Filter Lists
Message flood protection
Duplicate message protection
Employing MMS Security features
GTP basic concepts
PDP Context
GPRS security
Parts of a GTPv2 network
Parts of a GTPv1 network
Radio access
Transport
Billing and records
GPRS network common interfaces
GTP Configuration
Introduction to GTP
GTP Profile
GTP profile configuration settings
General settings options
Message type filtering options
APN filtering options
Basic filtering options
Advanced filtering options
Information Element (IE) removal policy options
Encapsulated IP traffic filtering options
Encapsulated non-IP end user traffic filtering options
Protocol Anomaly prevention options
Anti-Overbilling options
Log options
Specifying logging types
GTP performance
Configuring GTP on FortiOS Carrier
GTP support on the Carrier-enabled FortiGate unit
Packet sanity checking
GTP stateful inspection
Protocol anomaly detection and prevention
GTP Shared Tunnel Limit
HA
Virtual domain support
Configuring General Settings on the Carrier-enabled FortiGate unit
GTP Monitor Mode
GTP Stats via SNMP
Configuring Encapsulated Filtering in FortiOS Carrier
Configuring the Protocol Anomaly feature in FortiOS Carrier
Configuring Anti-overbilling in FortiOS Carrier
Logging events on the Carrier-enabled FortiGate unit
GTP message type filtering
GTP identity filtering
SCTP Concepts
SCTP Firewall
Troubleshooting
FortiOS Carrier diagnose commands
Applying IPS signatures to IP packets within GTP-U tunnels
GTP packets are not moving along your network
Sandbox inspection
Using FortiSandbox with a FortiGate
Connecting a FortiGate to FortiSandbox
FortiSandbox console
Sandbox integration
Overview
Example configuration
Sandbox inspection FAQ
FortiView
Overview
Enabling FortiView
FortiView interface
FortiView consoles
Sources
Destinations
Applications
Cloud Applications
Web Sites
Threats
WiFi Clients
Traffic Shaping
System Events
VPN
Endpoint Vulnerability
Threat Map
Policies
Interfaces
FortiSandbox
All Sessions
Reference
Filtering options
Drill-Down Options
Columns displayed
Risk level indicators
Troubleshooting
Logging and reporting
Logging and reporting overview
Logging and reporting for small networks
Logging and reporting for large networks
Advanced logging
Troubleshooting and logging
Troubleshooting
Troubleshooting methodologies
Troubleshooting tools
FortiOS diagnostics
FortiOS ports
FortiAnalyzer and FortiManager ports
FortiGuard troubleshooting
Troubleshooting tips
Troubleshooting resources