Handbook

What's new
- Fortinet Security Fabric
- Manageability
- Networking
- Security
  - SSH MITM deep inspection
Getting started
- Installation
- Using the GUI
- Using the CLI
- FortiExplorer for iOS
- LED specifications
- Inspection mode
- Basic administration
- Firmware
- FortiGuard
- FortiCloud
- Troubleshooting your installation
- Resources
Fortinet Security Fabric
- Overview
  - Benefits
  - Components
- Configuration
- Using the Fortinet Security Fabric
- Automation stitches
- Fabric Connectors
SD-WAN
- Configuring SD-WAN
  - SD-WAN requirements
  - Configuring a basic SD-WAN deployment
- Monitoring SD-WAN
- Applying traffic shaping to SD-WAN traffic
- Viewing SD-WAN information in the Fortinet Security Fabric
High availability
- HA solutions
- FGCP HA
- FGCP HA examples
- Virtual clustering
- Full mesh HA
  - Full mesh HA example
  - Troubleshooting full mesh HA
- Operating a cluster
- Failover protection
- Session failover
- HA and load balancing
- FortiGate-VM and third-party HA
- VRRP
- FGSP
- Standalone configuration sync
Firewall
- Firewall concepts
- IPv6
- Network defense
- Policies
- Addresses
- Virtual IPs
- IP pools
- Services
- Schedules
- WAN optimization, proxies, web caching, and WCCP
- Example topologies
- WAN optimization
- Transparent and explicit proxies
- Explicit web proxy
- Explicit FTP proxy
- Web caching
- WCCP
- WAN optimization diagnose commands
Security Profiles
- Overview
- Inside FortiOS
- Inspection modes
- AntiVirus
- Web filtering
- DNS filter
  - FortiGuard botnet protection
- Application control
- Intrusion prevention
- Anti-spam filter
- Data leak prevention
- ICAP support
- FortiClient Compliance Profiles
- Proxy options
- SSL/SSH inspection
- Other considerations
Authentication
- Introduction to authentication
- Authentication servers
- Users and user groups
- FortiToken Mobile user instructions
- Managing guest access
- Configuring authenticated access
- Captive portals
- Certificate-based authentication
- Single sign-on using a FortiAuthenticator unit
- Single sign-on to Windows AD
- Agent-based FSSO
- SSO using RADIUS accounting records
- Monitoring authenticated users
- Examples and troubleshooting
IPsec VPN
- IPsec VPN concepts
  - VPN tunnels
  - VPN gateways
  - Clients, servers, and peers
  - Encryption
  - Authentication
  - Phase 1 and Phase 2 settings
  - Security Association
  - IKE and IPsec packet processing
- IPsec VPN overview
  - Types of VPNs
  - Planning your VPN
  - General preparation steps
  - How to use this guide to configure an IPsec VPN
- IPsec VPN from the GUI
  - Phase 1 configuration
  - Concentrator
  - IPsec Monitor
- Phase 1 parameters
  - Overview
  - Defining the tunnel ends
  - Choosing Main mode or Aggressive mode
  - Authenticating the FortiGate unit
  - Authenticating remote peers and clients
  - Defining IKE negotiation parameters
  - Using XAuth authentication
  - Dynamic IPsec route control
- Phase 2 parameters
  - Phase 2 settings
  - Configuring Phase 2 parameters
- Defining VPN security policies
  - Defining policy addresses
  - Defining security policies
- Gateway-to-gateway configuration
  - Gateway-to-gateway configuration
  - Testing
- Hub-and-spoke configuration
  - Configuration overview
  - Configure the hub
  - Configure the spokes
  - Dynamic spokes configuration example
- One-Click VPN (OCVPN)
  - General configuration
  - Key exchange
  - Device polling and controller information
  - System states
  - Debugging and logging
- Dynamic DNS configuration
  - Configuration overview
- FortiClient dialup-client configuration
  - Configuration overview
- FortiGate dialup-client configuration
  - Configuration overview
- Supporting IKE Mode Config clients
  - Automatic configuration overview
- Internet-browsing configuration
  - Configuration overview
- Redundant VPN configuration
  - Configuration overview
- Transparent-mode VPN configuration
  - Configuration overview
- IPv6 IPsec VPNs
  - Configuration examples
- L2TP and IPsec (Microsoft VPN)
  - Configuration overview
- GRE over IPsec (Cisco VPN)
  - Configuration overview
- Protecting OSPF with IPsec
  - Configuration overview
- Redundant OSPF routing over IPsec
  - Configuration
- BGP over dynamic IPsec
- IPsec Auto-Discovery VPN (ADVPN)
  - Example ADVPN configuration
- Logging and monitoring
  - Monitoring VPN connections
  - VPN event logs
- Troubleshooting
  - General troubleshooting tips
  - Troubleshooting L2TP and IPsec
  - Troubleshooting GRE over IPsec
SSL VPN
- Overview
- SSL VPN best practices
- Basic configuration
- SSL VPN client
  - FortiClient
  - Tunnel mode client configuration
- SSL VPN web portal
- Setup examples
- Troubleshooting
Networking
- Interfaces
- DNS
- Advanced static routing
- Dynamic routing
- Multicast forwarding
- Modems
- Troubleshooting
Transparent mode
- Overview
  - What is transparent mode?
  - Transparent mode features
- Installation
- Networking in transparent mode
- Firewalls and security in transparent mode
- IPsec VPN in transparent mode
- Using FortiManager and FortiAnalyzer
- High availability in transparent mode
  - Virtual clustering
  - MAC address assignment
- Best practices
VoIP Solutions: SIP
- Inside FortiOS: Voice over IP (VoIP) protection
- Common SIP VoIP configurations
  - Peer to peer configuration
  - SIP proxy server configuration
  - SIP redirect server configuration
  - SIP registrar configuration
  - SIP with a FortiGate
- SIP messages and media protocols
  - Hardware accelerated RTP processing
  - SIP request messages
  - SIP response messages
  - SIP message start line
  - SIP headers
  - The SIP message body and SDP session profiles
  - Example SIP messages
- The SIP session helper
  - SIP session helper configuration overview
  - Viewing, removing, and adding the SIP session helper configuration
  - Changing the port numbers that the SIP session helper listens on
  - Configuration example: SIP session helper in transparent mode
  - SIP session helper diagnose commands
- The SIP ALG
  - Enabling VoIP support from the GUI
  - SIP ALG configuration overview
  - VoIP profiles
  - Changing the port numbers that the SIP ALG listens on
  - Disabling the SIP ALG in a VoIP profile
  - SIP ALG diagnose commands
- Conflicts between the SIP ALG and the session helper
- Stateful SIP tracking, call termination, and session inactivity timeout
  - Adding a media stream timeout for SIP calls
  - Adding an idle dialog setting for SIP calls
  - Changing how long to wait for call setup to complete
- SIP and RTP/RTCP
- How the SIP ALG creates RTP pinholes
- Configuration example: SIP in transparent mode
- RTP enable/disable (RTP bypass)
- Opening and closing SIP register, contact, via and record-route pinholes
- Accepting SIP register responses
- How the SIP ALG performs NAT
  - SIP ALG source address translation
  - SIP ALG destination address translation
  - SIP call re-invite messages
  - How the SIP ALG translates IP addresses in SIP headers
  - How the SIP ALG translates IP addresses in the SIP body
  - SIP NAT scenario: source address translation (source NAT)
  - SIP NAT scenario: destination address translation (destination NAT)
  - SIP NAT configuration example: source address translation (source NAT)
  - SIP NAT configuration example: destination address translation (destination NAT)
  - SIP and RTP source NAT
  - SIP and RTP destination NAT
  - Source NAT with an IP pool
  - Different source and destination NAT for SIP and RTP
  - NAT with IP address conservation
  - Controlling how the SIP ALG NATs SIP contact header line addresses
  - Controlling NAT for addresses in SDP lines
  - Translating SIP session destination ports
  - Translating SIP sessions to multiple destination ports
  - Adding the original IP address and port to the SIP message header after NAT
- Enhancing SIP pinhole security
- Hosted NAT traversal
  - Configuration example: Hosted NAT traversal for calls between SIP Phone A and SIP Phone B
  - Hosted NAT traversal for calls between SIP Phone A and SIP Phone C
  - Restricting the RTP source IP
- SIP over IPv6
- Deep SIP message inspection
  - Actions taken when a malformed message line is found
  - Logging and statistics
  - Deep SIP message inspection best practices
  - Configuring deep SIP message inspection
- Blocking SIP request messages
- SIP rate limiting
  - Limiting the number of SIP dialogs accepted by a security policy
- SIP logging
- Inspecting SIP over SSL/TLS (secure SIP)
  - Adding the SIP server and client certificates
  - Adding SIP over SSL/TLS support to a VoIP profile
- SIP and HA–session failover and geographic redundancy
  - SIP geographic redundancy
  - Supporting geographic redundancy when blocking OPTIONS messages
  - Support for RFC 2543-compliant branch parameters
- SIP and IPS
- SIP debugging
  - SIP debug log format
  - SIP-proxy filter per VDOM
  - SIP-proxy filter command
  - SIP debug setting
  - Display SIP rate-limit data
Best practices
- General considerations
- Customer service and technical support
- Fortinet Knowledge Base
- System and performance
  - Performance
  - Shutting down
- Migration
- Environmental specifications
  - Grounding
  - Rack mounting
- Firmware
- Security Profiles (AV, Web Filtering etc.)
- Networking
- FGCP high availability
  - Heartbeat interfaces
  - Interface monitoring (port monitoring)
- WAN Optimization
- Virtual Domains (VDOMs)
- Explicit proxy
- Wireless
- Logging and reporting
  - Log management
  - System memory and hard disks
Managing devices
- Managing “bring your own device”
- Managing Fortinet devices
Server load balancing
- Inside FortiOS: server load balancing
- Basic load balancing configuration example
- Configuring load balancing
- HTTP and HTTPS load balancing, multiplexing, and persistence
- SSL/TLS load balancing
- IP, TCP, and UDP load balancing
- Example HTTP load balancing to three real web servers
- Example Basic IP load balancing configuration
- Example Adding a server load balance port forwarding virtual IP
- Example Weighted load balancing configuration
- Example HTTP and HTTPS persistence configuration
System administration
- Administrators
- Monitoring
- Replacement messages
- Administration for schools
- PPTP and L2TP
  - Configuring L2TP VPNs
  - L2TP configuration overview
- Session helpers
- Advanced concepts
Traffic shaping
- Overview
- Configuring traffic shaping
- Monitoring traffic shaping
- Traffic shaping examples
- Traffic shaping priority queueing (PRIQ)
- Troubleshooting traffic shaping
Virtual Domains
- VDOMs overview
  - Benefits
  - Configurations
- Configuring VDOMs
- Example configurations
  - Example 1: NAT mode
  - Example 2: NAT and transparent mode
- Troubleshooting VDOMs
FortiWifi and FortiAP Configuration
- Introduction to wireless networking
- Captive portals
- WiFi LAN configuration
- Access point deployment
- Remote AP setup
- Wireless mesh
  - Configuring a meshed WiFi network
  - Configuring a point-to-point bridge
- Hotspot 2.0
- Combining WiFi and wired networks with a software switch
  - FortiAP local bridging (private cloud-managed AP)
  - Using bridged FortiAPs to increase scalability
- Using remote WLAN FortiAPs
- Features for high-density deployments
- Wireless network protection
- Wireless network monitoring
- Wireless network client configuration
- Wireless network examples
  - Basic wireless network example
  - Complex wireless network example
- Managing a FortiAP with FortiCloud
  - FortiCloud-managed FortiAP WiFi
  - FortiCloud-managed FortiAP WiFi without a key
- Using a FortiWiFi unit as a client
  - Using a FortiWiFi unit in the client mode
  - Configuring a FortiAP unit as a WiFi Client in client mode
- Support for location-based services
  - Configuring location tracking
  - Viewing device location data on the FortiGate unit
- Troubleshooting
- Reference
FortiSwitch devices managed by FortiOS
- Connecting FortiLink ports
- Using the FortiGate GUI
- Using the FortiGate CLI
- Network topologies
- Optional setup tasks
- FortiSwitch port features
- FortiSwitch port security policy
- Additional capabilities
- Troubleshooting
FortiOS Carrier
- Overview of FortiOS Carrier features
  - MMS
  - GTP
- MMS Concepts
- MMS Configuration
- GTP basic concepts
- GTP Configuration
- SCTP Concepts
  - SCTP Firewall
- Troubleshooting
Sandbox inspection
- Using FortiSandbox with a FortiGate
  - Connecting a FortiGate to FortiSandbox
  - FortiSandbox console
- Sandbox integration
  - Overview
  - Example configuration
- Sandbox inspection FAQ
FortiView
- Overview
  - Enabling FortiView
  - FortiView interface
- FortiView consoles
- Reference
- Troubleshooting
Logging and reporting
- Logging and reporting overview
- Logging and reporting for small networks
- Logging and reporting for large networks
- Advanced logging
- Troubleshooting and logging
Troubleshooting
- Troubleshooting methodologies
- Troubleshooting tools
- Troubleshooting tips
- Troubleshooting resources

Home FortiGate / FortiOS 6.0.0 Handbook

6.0.0

FortiGate PIM-SM debugging examples

Using the example topology shown below, you can trace the multicast streams and states within the three FortiGate devices (FGT-1, FGT-2, and FGT-3) using the debug commands described in this section. The command output in this section is taken from the FortiGate when the multicast stream is flowing correctly from source to receiver.

PIM-SM debugging topology

Checking that the receiver has joined the required group

From the last hop router, FGT-3, you can use the following command to check that the receiver has correctly joined the required group.

FGT-3 # get router info multicast igmp groups

IGMP Connected Group Membership

Group Address Interface Uptime Expires Last Reporter

239.255.255.1 port3 00:31:15 00:04:02 10.167.0.62

Only 1 receiver is displayed for a particular group, this is the device that responded to the IGMP query request from the FGT-3. If a receiver is active, the expire time should drop to approximately 2 minutes before being refreshed.

Checking the PIM-SM neighbors

Next, the PIM-SM neighbors should be checked. A PIM router becomes a neighbor when the PIM router receives a PIM hello. Use the following command to display the PIM-SM neighbors of FGT-3:

FGT-3 # get router info multicast pim sparse-mode neighbour

Neighbor Interface Uptime/Expires Ver DR

Address Priority/Mode

10.132.0.156 port2 01:57:12/00:01:33 v2 1 /

Checking that the PIM router can reach the RP

The rendezvous point (RP) must be reachable for the PIM router (FGT-3) to be able to send the *,G join to request the stream. This can be checked for FGT-3 using the following command:

FGT-3 # get router info multicast pim sparse-mode rp-mapping

PIM Group-to-RP Mappings

Group(s): 224.0.0.0/4, Static

RP: 192.168.1.1

Uptime: 07:23:00

Viewing the multicast routing table (FGT-3)

The FGT-3 unicast routing table can be used to determine the path taken to reach the RP at 192.168.1.1. You can then check the stream state entries using the following commands:

FGT-3 # get router info multicast pim sparse-mode table

IP Multicast Routing Table

(*,*,RP) Entries: 0

(*,G) Entries: 1

(S,G) Entries: 1

(S,G,rpt) Entries: 1

FCR Entries: 0

`(,,RP) Entries`	This state may be reached by general joins for all groups served by a specified RP.
`(*,G) Entries`	State that maintains the RP tree for a given group.
`(S,G) Entries`	State that maintains a source-specific tree for source `S` and group `G`.
`(S,G,rpt) Entries`	State that maintains source-specific information about source s on the RP tree for `G`. For example, if a source is being received on the source-specific tree, it will normally have been pruned off the RP tree.
`FCR`	The FCR state entries are for tracking the sources in the <*, G> when <S, G> isn't available for any reason, the stream would typically be flowing when this state exists.

Breaking down each entry in detail:

(*, 239.255.255.1)

RP: 192.168.1.1

RPF nbr: 10.132.0.156

RPF idx: port2

Upstream State: JOINED

Local:

port3

Joined:

Asserted:

FCR:

The RP will always be listed in a *,G entry, the RPF neighbor and interface index will also be shown. In this topology, these are the same in all downstream PIM routers. The state is active so the upstream state is joined.

In this case FGT-3 is the last hop router so the IGMP join is received locally on port3. There is no PIM outgoing interface listed for this entry as it is used for the upstream PIM join.

(10.166.0.11, 239.255.255.1)

RPF nbr: 10.132.0.156

RPF idx: port2

SPT bit: 1

Upstream State: JOINED

Local:

Joined:

Asserted:

Outgoing:

port3

This is the entry for the SPT, no RP IS listed. The S,G stream will be forwarded out of the stated outgoing interface.

(10.166.0.11, 239.255.255.1, rpt)

RP: 192.168.1.1

RPF nbr: 10.132.0.156

RPF idx: port2

Upstream State: NOT PRUNED

Local:

Pruned:

Outgoing:

The above S,G,RPT state is created for all streams that have both a S,G and a *,G entry on the router. This isn't pruned, in this case, because of the topology: the RP and source are reachable over the same interface.

Although not seen in this scenario, assert states may be seen when multiple PIM routers exist on the same LAN, which can lead to more than one upstream router having a valid forwarding state. Assert messages are used to elect a single forwarder from the upstream devices.

Viewing the PIM next-hop table

The PIM next-hop table is also very useful for checking the various states, it can be used to quickly identify the states of multiple multicast streams.

FGT-3 # get router info multicast pim sparse-mode next-hop

Flags: N = New, R = RP, S = Source, U = Unreachable

Destination Type Nexthop Nexthop Nexthop Metric Pref Refcnt

Num Addr Ifindex

_______________________________________________________________

10.166.0.11 ..S. 1 10.132.0.156 9 21 110 3

192.168.1.1 .R.. 1 10.132.0.156 9 111 110 2

Viewing the PIM multicast forwarding table

Also, you can check the multicast forwarding table showing the ingress and egress ports of the multicast stream.

FGT-3 # get router info multicast table

IP Multicast Routing Table

Flags: I - Immediate Stat, T - Timed Stat, F - Forwarder installed

Timers: Uptime/Stat Expiry

Interface State: Interface (TTL threshold)

(10.166.0.11, 239.255.255.1), uptime 04:02:55, stat expires 00:02:25

Owner PIM-SM, Flags: TF

Incoming interface: port2

Outgoing interface list:

port3 (TTL threshold 1)

Viewing the kernel forwarding table

Also, the kernel forwarding table can be verified, however this should give similar information to the above command:

FGT-3 # diag ip multicast mroute

grp=239.255.255.1 src=10.166.0.11 intf=9 flags=(0x10000000)[ ] status=resolved

last_assert=2615136 bytes=1192116 pkt=14538 wrong_if=0 num_ifs=1

index(ttl)=[6(1),]

Viewing the multicast routing table (FGT-2)

If you check the output on FGT-2, there are some small differences:

FGT-2 # get router info multicast pim sparse-mode table

IP Multicast Routing Table

(*,*,RP) Entries: 0

(*,G) Entries: 1

(S,G) Entries: 1

(S,G,rpt) Entries: 1

FCR Entries: 0

(*, 239.255.255.1)

RP: 192.168.1.1

RPF nbr: 0.0.0.0

RPF idx: None

Upstream State: JOINED

Local:

Joined:

external

Asserted:

FCR:

The *,G entry now has a joined interface rather than local because it received a PIM join from FGT-3 rather than a local IGMP join.

(10.166.0.11, 239.255.255.1)

RPF nbr: 10.130.0.237

RPF idx: internal

SPT bit: 1

Upstream State: JOINED

Local:

Joined:

external

Asserted:

Outgoing:

external

The S,G entry shows that we have received a join on the external interface and the stream is being forwarded out of this interface.

(10.166.0.11, 239.255.255.1, rpt)

RP: 192.168.1.1

RPF nbr: 0.0.0.0

RPF idx: None

Upstream State: PRUNED

Local:

Pruned:

Outgoing:

External

The S,G,RPT is different from FGT-3 because FGT-2 is the RP, it has pruned back the SPT for the RP to the first hop router.

Viewing the multicast routing table (FGT-1)

FGT-1 again has some differences with regard to the PIM-SM states. There's no *,G entry because it isn't in the path of a receiver and the RP.

FGT-1_primary # get router info multicast pim sparse-mode table

IP Multicast Routing Table

(*,*,RP) Entries: 0

(*,G) Entries: 0

(S,G) Entries: 1

(S,G,rpt) Entries: 1

FCR Entries: 0

Below the S,G is the SPT termination because this FortiGate is the first hop router. The RPF neighbor always shows as 0.0.0.0 because the source is local to this device. Both the joined and outgoing fields show as external because the PIM join and the stream is egressing on this interface.

(10.166.0.11, 239.255.255.1)

RPF nbr: 0.0.0.0

RPF idx: None

SPT bit: 1

Upstream State: JOINED

Local:

Joined:

external

Asserted:

Outgoing:

external

The stream has been pruned back from the RP because the end-to-end SPT is flowing. In this case, there's no requirement for the stream to be sent to the RP.

(10.166.0.11, 239.255.255.1, rpt)

RP: 0.0.0.0

RPF nbr: 10.130.0.156

RPF idx: external

Upstream State: RPT NOT JOINED

Local:

Pruned:

Outgoing: