Administration Guide

• Getting started
  • Using the GUI
    • Connecting using a web browser
    • Menus
    • Tables
    • Entering values
      • Text strings
      • Numbers
    • GUI-based global search
  • Using the CLI
    • Connecting to the CLI
    • CLI basics
    • Command syntax
    • Subcommands
    • Permissions
  • FortiExplorer for iOS
    • Getting started with FortiExplorer
    • Connecting FortiExplorer to a FortiGate via WiFi
    • Running a security rating
    • Upgrading to FortiExplorer Pro
  • Basic administration
    • Basic configuration
    • Registration
    • FortiCare and FortiGate Cloud login
    • Transfer a device to another FortiCloud account
    • Configuration backups
  • Troubleshooting your installation
• Dashboards and Monitors
  • Using dashboards
  • Using widgets
  • Viewing device dashboards in the Security Fabric
  • Creating a fabric system and license dashboard
  • Dashboards
    • Status dashboard
    • Security dashboard
      • Viewing session information for a compromised host
    • Network dashboard
      • Static & Dynamic Routing monitor
      • DHCP monitor
      • IPsec monitor
      • SSL-VPN monitor
    • Users & Devices
      • Device inventory
      • Device inventory and filtering
      • Adding MAC-based addresses to devices
      • Firewall Users monitor
    • WiFi dashboard
      • FortiAP Status monitor
      • Clients by FortiAP monitor
  • Monitors
    • FortiView monitors and widgets
    • Adding FortiView monitors
    • Using the FortiView interface
    • Enabling FortiView from devices
    • FortiView sources
    • FortiView Sessions
    • FortiView Top Source and Top Destination Firewall Objects monitors
    • Viewing top websites and sources by category
    • Cloud application view
      • Top application: YouTube example
• Network
  • Interfaces
    • Interface settings
    • Aggregation and redundancy
      • Enhanced hashing for LAG member selection
    • VLANs
    • Enhanced MAC VLANs
    • Inter-VDOM routing
    • Software switch
    • Hardware switch
    • Zone
    • Virtual wire pair
    • PRP handling in NAT mode with virtual wire pair
    • Virtual switch support for FortiGate 300E series
    • Failure detection for aggregate and redundant interfaces
    • VLAN inside VXLAN
    • Virtual wire pair with VXLAN
    • QinQ
    • Assign a subnet with the FortiIPAM service
    • Interface MTU packet size
    • One-arm sniffer
    • Interface migration wizard
  • DNS
    • Important DNS CLI commands
    • DNS domain list
    • FortiGate DNS server
    • DDNS
    • DNS latency information
    • DNS over TLS and HTTPS
    • DNS troubleshooting
  • Explicit and transparent proxies
    • Explicit web proxy
    • FTP proxy
    • Transparent proxy
    • Proxy policy addresses
    • Proxy policy security profiles
    • Explicit proxy authentication
    • Transparent web proxy forwarding
    • Upstream proxy authentication in transparent proxy mode
    • Multiple dynamic header count
    • Restricted SaaS access
    • Explicit proxy and FortiSandbox Cloud
    • Proxy chaining
    • WAN optimization SSL proxy chaining
    • Agentless NTLM authentication for web proxy
    • Multiple LDAP servers in Kerberos keytabs and agentless NTLM domain controllers
    • Learn client IP addresses
    • Explicit proxy authentication over HTTPS
    • mTLS client certificate authentication
  • DHCP server
    • DHCP options
    • IP address assignment with relay agent information option
    • DHCP client options
  • Static routing
    • Routing concepts
    • Policy routes
    • Equal cost multi-path
    • Dual internet connections
  • RIP
  • OSPF
  • BGP
  • Multicast
    • Multicast routing and PIM support
    • Configuring multicast forwarding
  • FortiExtender
    • Adding a FortiExtender
    • Data plan profiles
  • Direct IP support for LTE/4G
  • LLDP reception
  • Virtual routing and forwarding
    • Implementing VRF
    • VRF routing support
    • Route leaking between VRFs with BGP
    • Route leaking between multiple VRFs
    • VRF with IPv6
    • IBGP and EBGP support in VRF
  • NetFlow
    • NetFlow templates
    • NetFlow on FortiExtender and tunnel interfaces
  • Link monitor
    • Link monitor with route updates
    • Enable or disable updating policy routes when link health monitor fails
    • Add weight setting on each link health monitor server
• SD-WAN
  • SD-WAN quick start
    • Configuring the SD-WAN interface
    • Adding a static route
    • Selecting the implicit SD-WAN algorithm
    • Configuring firewall policies for SD-WAN
    • Link monitoring and failover
    • Results
    • Configuring SD-WAN in the CLI
  • SD-WAN zones
    • Specify an SD-WAN zone in static routes and SD-WAN rules
  • Performance SLA
    • Link health monitor
    • Factory default health checks
    • Health check options
    • Link monitoring example
    • SLA targets example
    • Passive WAN health measurement
    • Health check packet DSCP marker support
    • Manual interface speedtest
    • Scheduled interface speedtest
    • Monitor performance SLA
    • SLA monitoring using the REST API
  • SD-WAN rules
    • Implicit rule
    • Best quality strategy
    • Lowest cost (SLA) strategy
    • Maximize bandwidth (SLA) strategy
    • Minimum number of links for a rule to take effect
    • Use MAC addresses in SD-WAN rules and policy routes
    • SD-WAN traffic shaping and QoS
    • SDN dynamic connector addresses in SD-WAN rules
    • Application steering using SD-WAN rules
      • Static application steering with a manual strategy
      • Dynamic application steering with lowest cost and best quality strategies
    • DSCP tag-based traffic steering in SD-WAN
      • Configuring IPsec tunnels
      • Configuring SD-WAN zones
      • Configuring firewall policies
      • Configuring Performance SLA test
      • Configuring SD-WAN rules
      • Results
    • ECMP support for the longest match in SD-WAN rule matching
    • Override quality comparisons in SD-WAN longest match rule matching
  • Advanced routing
    • Local out traffic
    • Using BGP tags with SD-WAN rules
    • BGP multiple path support
    • Controlling traffic with BGP route mapping and service rules
    • Applying BGP route-map to multiple BGP neighbors
  • VPN overlay
    • ADVPN and shortcut paths
    • SD-WAN monitor on ADVPN shortcuts
    • Hold down time to support SD-WAN service strategies
    • SD-WAN integration with OCVPN
    • Forward error correction on VPN overlay networks
    • Dual VPN tunnel wizard
    • Duplicate packets based on SD-WAN rules
    • Duplicate packets on other zone members
    • Speed tests run from the hub to the spokes in dial-up IPsec tunnels
    • Interface based QoS on individual child tunnels based on speed test results
    • Use SSL VPN interfaces in zones
  • Advanced configuration
    • SD-WAN with FGCP HA
    • Configuring SD-WAN in an HA cluster using internal hardware switches
    • SD-WAN configuration portability
  • SD-WAN cloud on-ramp
    • Configuring the VPN overlay between the HQ FortiGate and cloud FortiGate-VM
    • Configuring the VPN overlay between the HQ FortiGate and AWS native VPN gateway
    • Configuring the VIP to access the remote servers
    • Configuring the SD-WAN to steer traffic between the overlays
    • Verifying the traffic
  • Hub and spoke SD-WAN deployment example
    • Datacenter configuration
      • Configure dial-up (dynamic) VPN
      • Configure VPN interfaces
      • Configure loopback interface
      • Configure BGP
      • Firewall policies
      • Configure a blackhole route
    • Branch configuration
      • Configure VPN to the hub
      • Configure VPN interfaces
      • Configure BGP
      • Configure SD-WAN
      • Firewall configuration
    • Validation
    • Dynamic definition of SD-WAN routes
    • Adding another datacenter
  • Troubleshooting SD-WAN
    • Tracking SD-WAN sessions
    • Understanding SD-WAN related logs
    • SD-WAN related diagnose commands
    • SD-WAN bandwidth monitoring service
    • Using SNMP to monitor health check
• Policy and Objects
  • Policies
    • Firewall policy parameters
    • Profile-based NGFW vs policy-based NGFW
    • NGFW policy mode application default service
    • Application logging in NGFW policy mode
    • Policy views and policy lookup
    • Policy with source NAT
      • Static SNAT
      • Dynamic SNAT
      • Central SNAT
      • Configuring an IPv6 SNAT policy
      • SNAT policies with virtual wire pairs
    • Policy with destination NAT
      • Static virtual IPs
      • Virtual IP with services
      • Virtual IPs with port forwarding
      • Virtual server load balance
    • Policy with Internet Service
      • Using Internet Service in policy
      • Using custom Internet Service in policy
      • Using extension Internet Service in policy
      • Global IP address information database
      • IP reputation filtering
      • Internet service groups in policies
      • Allow creation of ISDB objects with regional information
      • Internet service customization
    • NAT64 policy and DNS64 (DNS proxy)
    • NAT46 policy
    • Local-in policies
    • DoS protection
    • Access control lists
    • Mirroring SSL traffic in policies
    • Inspection mode per policy
    • OSPFv3 neighbor authentication
    • Firewall anti-replay option per policy
    • Enabling advanced policy options in the GUI
    • Recognize anycast addresses in geo-IP blocking
    • Matching GeoIP by registered and physical location
    • Authentication policy extensions
    • HTTP to HTTPS redirect for load balancing
    • Use Active Directory objects directly in policies
    • FortiGate Cloud / FDN communication through an explicit proxy
    • No session timeout
    • MAP-E support
    • Seven-day rolling counter for policy hit counters
    • Cisco Security Group Tag as policy matching criteria
  • Objects
    • Address group exclusions
    • MAC addressed-based policies
    • ISDB well-known MAC address list
    • Dynamic policy — fabric devices
    • FSSO dynamic address subtype
    • ClearPass integration for dynamic address objects
    • Group address objects synchronized from FortiManager
    • Using wildcard FQDN addresses in firewall policies
    • Configure FQDN-based VIPs
    • IPv6 geography-based addresses
    • Array structure for address objects
    • IPv6 MAC addresses and usage in firewall policies
  • Traffic shaping
    • Traffic shaping profiles
      • Traffic shaping with queuing using a traffic shaping profile
    • Traffic shapers
      • Shared traffic shaper
      • Per-IP traffic shaper
      • Changing traffic shaper bandwidth unit of measurement
      • Multi-stage DSCP marking and class ID in traffic shapers
    • Global traffic prioritization
    • DSCP matching and DSCP marking
    • Examples
      • Interface-based traffic shaping profile
      • Interface-based traffic shaping with NP acceleration
      • QoS assignment and rate limiting for FortiSwitch quarantined VLANs
  • Zero Trust Network Access
    • Zero Trust Network Access introduction
    • Basic ZTNA configuration
    • Establish device identity and trust context with FortiClient EMS
    • SSL certificate based authentication
    • ZTNA configuration examples
      • ZTNA HTTPS access proxy example
      • ZTNA HTTPS access proxy with basic authentication example
      • ZTNA TCP forwarding access proxy example
      • ZTNA TCP forwarding access proxy without encryption example
      • ZTNA proxy access with SAML authentication example
      • ZTNA IP MAC filtering example
      • ZTNA IPv6 examples
      • ZTNA SSH access proxy example
      • ZTNA access proxy with SAML and MFA using FortiAuthenticator example
    • Migrating from SSL VPN to ZTNA HTTPS access proxy
    • ZTNA logging enhancements
    • ZTNA troubleshooting and debugging
• Security Profiles
  • Inspection modes
    • Flow mode inspection (default mode)
    • Proxy mode inspection
    • Inspection mode feature comparison
  • Antivirus
    • Proxy mode stream-based scanning
    • Databases
    • Content disarm and reconstruction
    • FortiGuard outbreak prevention
    • External malware block list
    • Malware threat feed from EMS
    • Checking flow antivirus statistics
    • CIFS support
    • Using FortiSandbox with antivirus
    • FortiAI inline blocking and integration with an AV profile
  • Web filter
    • URL filter
    • FortiGuard filter
    • Credential phishing prevention
    • Additional antiphishing settings
    • Usage quota
    • Web content filter
    • Advanced filters 1
    • Advanced filters 2
    • Web filter statistics
    • URL certificate blocklist
  • Video filter
    • Filtering based on FortiGuard categories
    • Filtering based on YouTube channel
  • DNS filter
    • Configuring a DNS filter profile
    • FortiGuard category-based DNS domain filtering
    • Botnet C&C domain blocking
    • DNS safe search
    • Local domain filter
    • DNS translation
    • Applying DNS filter to FortiGate DNS server
    • DNS inspection with DoT and DoH
    • Troubleshooting for DNS filter
  • Application control
    • Basic category filters and overrides
    • Excluding signatures in application control profiles
    • Port enforcement check
    • Protocol enforcement
    • SSL-based application detection over decrypted traffic in a sandwich topology
    • Matching multiple parameters on application control signatures
    • Application signature dissector for DNP3
  • Intrusion prevention
    • Botnet C&C IP blocking
    • Detecting IEC 61850 MMS protocol in IPS
    • IPS signature filter options
    • SCTP filtering capabilities
  • File filter
    • Supported file types
  • Email filter
    • Local-based filters
    • FortiGuard-based filters
    • Protocols and actions
    • Configuring webmail filtering
  • Data leak prevention
    • Basic DLP filter types
    • DLP fingerprinting
  • VoIP solutions
    • General use cases
    • SIP message inspection and filtering
    • SIP pinholes
    • SIP over TLS
    • Custom SIP RTP port range support
    • Voice VLAN auto-assignment
  • ICAP
    • ICAP configuration example
    • ICAP response filtering
    • Secure ICAP clients
  • Web application firewall
    • Protecting a server running web applications
  • SSL & SSH Inspection
    • Certificate inspection
    • Deep inspection
    • Protecting an SSL server
    • Handling SSL offloaded traffic from an external decryption device
    • SSH traffic file scanning
    • Redirect to WAD after handshake completion
    • HTTP/2 support in proxy mode SSL inspection
    • Define multiple certificates in an SSL profile in replace mode
  • Custom signatures
    • Application groups in traffic shaping policies
    • Blocking applications with custom signatures
    • Filters for application control groups
  • Overrides
    • Web rating override
    • Web profile override
• VPN
  • IPsec VPNs
    • General IPsec VPN configuration
      • Network topologies
      • Phase 1 configuration
        • Choosing IKE version 1 and 2
        • Pre-shared key vs digital certificates
        • Using XAuth authentication
        • Dynamic IPsec route control
      • Phase 2 configuration
      • VPN security policies
      • Blocking unwanted IKE negotiations and ESP packets with a local-in policy
      • Configurable IKE port
      • IPsec VPN IP address assignments
    • Site-to-site VPN
      • FortiGate-to-FortiGate
        • Basic site-to-site VPN with pre-shared key
        • Site-to-site VPN with digital certificate
        • Site-to-site VPN with overlapping subnets
        • GRE over IPsec
        • Policy-based IPsec tunnel
      • FortiGate-to-third-party
        • IKEv2 IPsec site-to-site VPN to an AWS VPN gateway
        • IPsec VPN to Azure with virtual network gateway
        • IPsec VPN to an Azure with virtual WAN
        • IPSec VPN between a FortiGate and a Cisco ASA with multiple subnets
        • Cisco GRE-over-IPsec VPN
    • Remote access
      • FortiGate as dialup client
      • FortiClient as dialup client
      • Add FortiToken multi-factor authentication
      • Add LDAP user authentication
      • iOS device as dialup client
      • IKE Mode Config clients
      • IPsec VPN with external DHCP service
      • L2TP over IPsec
      • Tunneled Internet browsing
      • Dialup IPsec VPN with certificate authentication
    • Aggregate and redundant VPN
      • Manual redundant VPN configuration
      • OSPF with IPsec VPN for network redundancy
      • IPsec VPN in an HA environment
      • IPsec aggregate for redundancy and traffic load-balancing
      • Packet distribution for aggregate dial-up IPsec tunnels
      • Per packet distribution and tunnel aggregation
      • Redundant hub and spoke VPN
      • Weighted round robin for IPsec aggregate tunnels
    • Overlay Controller VPN (OCVPN)
      • Full mesh OCVPN
      • Hub-spoke OCVPN with ADVPN shortcut
      • Hub-spoke OCVPN with inter-overlay source NAT
      • OCVPN portal
      • Allow FortiClient to join OCVPN
      • Troubleshooting OCVPN
    • ADVPN
      • IPsec VPN wizard hub-and-spoke ADVPN support
      • ADVPN with BGP as the routing protocol
      • ADVPN with OSPF as the routing protocol
      • ADVPN with RIP as the routing protocol
      • UDP hole punching for spokes behind NAT
    • Other VPN topics
      • VPN and ASIC offload
      • Encryption algorithms
      • Fragmenting IP packets before IPsec encapsulation
      • Configure DSCP for IPsec tunnels
      • VXLAN over IPsec tunnel with virtual wire pair
      • VXLAN over IPsec using a VXLAN tunnel endpoint
      • Defining gateway IP addresses in IPsec with mode-config and DHCP
      • FQDN support for remote gateways
    • VPN IPsec troubleshooting
      • Understanding VPN related logs
      • IPsec related diagnose commands
  • SSL VPN
    • SSL VPN best practices
    • SSL VPN quick start
      • SSL VPN split tunnel for remote user
      • Connecting from FortiClient VPN client
      • Set up FortiToken multi-factor authentication
      • Connecting from FortiClient with FortiToken
    • SSL VPN tunnel mode
      • SSL VPN full tunnel for remote user
      • SSL VPN tunnel mode host check
    • SSL VPN web mode for remote user
      • Quick Connection tool
    • SSL VPN authentication
      • SSL VPN with LDAP user authentication
      • SSL VPN with LDAP user password renew
      • SSL VPN with certificate authentication
      • SSL VPN with LDAP-integrated certificate authentication
      • SSL VPN for remote users with MFA and user sensitivity
      • SSL VPN with FortiToken mobile push authentication
      • SSL VPN with RADIUS on FortiAuthenticator
      • SSL VPN with RADIUS and FortiToken mobile push on FortiAuthenticator
      • SSL VPN with RADIUS password renew on FortiAuthenticator
      • SSL VPN with RADIUS on Windows NPS
      • SSL VPN with multiple RADIUS servers
      • SSL VPN with local user password policy
      • Dynamic address support for SSL VPN policies
      • SSL VPN multi-realm
      • NAS-IP support per SSL-VPN realm
    • SSL VPN to IPsec VPN
    • SSL VPN protocols
      • TLS 1.3 support
      • SMBv2 support
    • FortiGate as SSL VPN Client
    • Dual stack IPv4 and IPv6 support for SSL VPN
    • Disable the clipboard in SSL VPN web mode RDP connections
    • SSL VPN IP address assignments
    • SSL VPN troubleshooting
      • Debug commands
      • Troubleshooting common issues
• User & Authentication
  • Endpoint control and compliance
    • Per-policy disclaimer messages
    • Compliance
      • FortiGate VM unique certificate
      • Running a file system check automatically
    • FortiGuard distribution of updated Apple certificates
    • Integrate user information from EMS and Exchange connectors in the user store
  • User Definition
    • User types
    • Removing a user
  • User Groups
    • Configuring POP3 authentication
  • Guest Management
    • Configuring guest access
    • Retail environment guest access
  • LDAP Servers
    • Configuring an LDAP server
    • FSSO polling connector agent installation
    • Enabling Active Directory recursive search
    • Configuring LDAP dial-in using a member attribute
    • Configuring wildcard admin accounts
    • Configuring least privileges for LDAP admin account authentication in Active Directory
  • RADIUS Servers
    • Configuring RADIUS SSO authentication
    • RSA ACE (SecurID) servers
    • Support for Okta RADIUS attributes filter-Id and class
    • Send multiple RADIUS attribute values in a single RADIUS Access-Request
    • Traffic shaping based on dynamic RADIUS VSAs
  • TACACS+ servers
  • SAML
    • Outbound firewall authentication for a SAML user
    • SAML SP for VPN authentication
    • Using a browser as an external user-agent for SAML authentication in an SSL VPN connection
    • SAML authentication in a proxy policy
    • Outbound firewall authentication with Azure AD as a SAML IdP
  • Authentication Settings
  • FortiTokens
    • FortiToken Mobile quick start
      • Registering FortiToken Mobile
      • Provisioning FortiToken Mobile
      • Activating FortiToken Mobile on a mobile phone
      • Applying multi-factor authentication
    • FortiToken Cloud
    • Registering hard tokens
    • Managing FortiTokens
    • FortiToken Mobile Push
    • Troubleshooting and diagnosis
  • Configuring the maximum log in attempts and lockout period
  • PKI
    • Creating a PKI/peer user
  • Configuring firewall authentication
  • Configuring the FSSO timeout when the collector agent connection fails
• Wireless configuration
• Switch Controller
• System
  • Administrators
    • Administrator profiles
    • Add a local administrator
    • Remote authentication for administrators
    • Password policy
    • Associating a FortiToken to an administrator account
    • SSO administrators
    • FortiGate administrator log in using FortiCloud single sign-on
  • Firmware
    • Firmware upgrade notifications
    • Downloading a firmware image
    • Testing a firmware version
    • Upgrading the firmware
    • Downgrading to a previous firmware version
    • Installing firmware from system reboot
    • Restoring from a USB drive
    • Controlled upgrade
  • Settings
    • Default administrator password
    • Changing the host name
    • Setting the system time
      • SHA-1 authentication support (for NTPv4)
      • PTPv2
    • Configuring ports
      • Custom default service port range
    • Setting the idle timeout time
    • Setting the password policy
    • Changing the view settings
    • Setting the administrator password retries and lockout time
    • TLS configuration
    • Controlling return path with auxiliary session
    • Email alerts
  • Virtual Domains
    • Global and per-VDOM resources
    • Split-task VDOM mode
      • Assign interfaces to a VDOM
      • Create per-VDOM administrators
    • Multi VDOM mode
      • Multi VDOM configuration examples
        • NAT mode
        • NAT and transparent mode
  • High Availability
    • FGCP
      • Failover protection
      • HA active-passive cluster setup
      • HA active-active cluster setup
      • HA virtual cluster setup
      • Check HA synchronization status
      • Out-of-band management with reserved management interfaces
      • In-band management
      • Upgrading FortiGates in an HA cluster
      • HA between remote sites over managed FortiSwitches
      • HA using a hardware switch to replace a physical switch
      • VDOM exceptions
      • Override FortiAnalyzer and syslog server settings
      • Routing NetFlow data over the HA management interface
      • Force HA failover for testing and demonstrations
      • Disabling stateful SCTP inspection
      • Resume IPS scanning of ICCP traffic after HA failover
      • Querying autoscale clusters for FortiGate VM
      • Troubleshoot an HA formation
    • FGSP
      • FGSP basic peer setup
      • Synchronizing sessions between FGCP clusters
      • Session synchronization interfaces in FGSP
      • UTM inspection on asymmetric traffic in FGSP
      • UTM inspection on asymmetric traffic on L3
      • Encryption for L3 on asymmetric traffic in FGSP
      • FGSP four-member session synchronization and redundancy
      • IKE monitor for FGSP
      • Firmware upgrades in FGSP
    • Standalone configuration synchronization
      • Layer 3 unicast standalone configuration synchronization
  • SNMP
    • Interface access
    • MIB files
    • SNMP agent
    • SNMP v1/v2c communities
    • SNMP v3 users
    • Important SNMP traps
    • SNMP traps and query for monitoring DHCP pool
  • Replacement messages
  • Replacement message groups
  • FortiGuard
    • Configuring FortiGuard updates
    • Manual updates
    • Automatic updates
    • Scheduled updates
    • Sending malware statistics to FortiGuard
    • Update server location
    • Filtering
    • Online security tools
    • FortiGuard anycast and third-party SSL validation
    • Using FortiManager as a local FortiGuard server
    • Cloud service communication statistics
    • IoT detection service
    • FortiAP query to FortiGuard IoT service to determine device details
  • Feature visibility
  • Certificates
    • Uploading a certificate using the GUI
    • Uploading a certificate using the CLI
    • Uploading a certificate using an API
    • Procuring and importing a signed SSL certificate
    • Microsoft CA deep packet inspection
    • ACME certificate support
  • Configuration scripts
  • Workspace mode
  • Custom languages
  • RAID
  • FortiGate encryption algorithm cipher suites
• Fortinet Security Fabric
  • Security Fabric settings and usage
    • Components
    • Configuring the root FortiGate and downstream FortiGates
    • Configuring FortiAnalyzer
    • Configuring other Security Fabric devices
      • FortiGate Cloud
      • FortiAnalyzer Cloud service
      • FortiManager
      • FortiManager Cloud service
      • Sandboxing
      • FortiClient EMS
      • Synchronizing FortiClient ZTNA tags
      • FortiNAC
      • FortiAP and FortiSwitch
      • FortiMail
      • FortiAI
      • FortiDeceptor
      • FortiWeb
      • FortiTester
      • Additional devices
    • Using the Security Fabric
      • Dashboard widgets
      • Topology
    • Deploying the Security Fabric
    • Deploying the Security Fabric in a multi-VDOM environment
    • Synchronizing objects across the Security Fabric
    • Security Fabric over IPsec VPN
    • Leveraging LLDP to simplify Security Fabric negotiation
  • Configuring the Security Fabric with SAML
    • Configuring single-sign-on in the Security Fabric
      • Configuring the root FortiGate as the IdP
      • Configuring a downstream FortiGate as an SP
      • Configuring certificates for SAML SSO
      • Verifying the single-sign-on configuration
    • CLI commands for SAML SSO
    • SAML SSO with pre-authorized FortiGates
    • Navigating between Security Fabric members with SSO
    • Integrating FortiAnalyzer management using SAML SSO
    • Integrating FortiManager management using SAML SSO
    • Advanced option - FortiGate SP changes
  • Security rating
    • Security Fabric score
  • Automation stitches
    • Creating automation stitches
      • Default automation stitches
      • Incoming Webhook Quarantine stitch
    • Triggers
      • FortiAnalyzer event handler trigger
      • Fabric connector event trigger
      • FortiOS event log trigger
    • Actions
      • FortiNAC Quarantine action
      • VMware NSX security tag action
      • VMware NSX-T security tag action
      • Replacement messages for email alerts
      • Slack Notification action
      • Microsoft Teams Notification action
      • AWS Lambda action
      • Azure Function action
      • Google Cloud Function action
      • AliCloud Function action
      • CLI script action
      • Execute a CLI script based on CPU and memory thresholds
      • Webhook action
      • Slack integration webhook
      • Microsoft Teams integration webhook
  • Public and private SDN connectors
    • Getting started with public and private SDN connectors
    • AliCloud SDN connector using access key
    • AWS SDN connector using certificates
    • Azure SDN connector using service principal
    • Cisco ACI SDN connector using a standalone connector
    • ClearPass endpoint connector via FortiManager
    • GCP SDN connector using service account
    • IBM Cloud SDN connector using API keys
    • Kubernetes (K8s) SDN connectors
      • AliCloud Kubernetes SDN connector using access key
      • AWS Kubernetes (EKS) SDN connector using access key
      • Azure Kubernetes (AKS) SDN connector using client secret
      • GCP Kubernetes (GKE) SDN connector using service account
      • Oracle Kubernetes (OKE) SDN connector using certificates
      • Private cloud K8s SDN connector using secret token
    • Nuage SDN connector using server credentials
    • Nutanix SDN connector using server credentials
    • OCI SDN connector using certificates
    • OpenStack SDN connector using node credentials
    • VMware ESXi SDN connector using server credentials
    • VMware NSX-T Manager SDN connector using NSX-T Manager credentials
    • Multiple concurrent SDN connectors
    • Filter lookup in SDN connectors
    • Support for wildcard SDN connectors in filter configurations
  • Endpoint/Identity connectors
    • Fortinet single sign-on agent
    • Poll Active Directory server
    • Symantec endpoint connector
    • RADIUS single sign-on agent
    • Exchange Server connector
  • Threat feeds
    • External blocklist policy
    • External blocklist authentication
    • External blocklist file hashes
    • External resources for DNS filter
    • Threat feed connectors per VDOM
  • Monitoring the Security Fabric using FortiExplorer for Apple TV
    • NOC and SOC example
      • Adding the root FortiGate to FortiExplorer for Apple TV
      • Viewing the Fabric Topology monitor
      • Viewing the Fabric Overview monitor
      • Viewing the Security Rating monitor
      • Viewing the Compromised Hosts monitor
      • Viewing the Vulnerability Monitor
      • Using the SD-WAN monitor
  • Troubleshooting
    • Viewing a summary of all connected FortiGates in a Security Fabric
    • Diagnosing automation stitches
• Log and Report
  • Viewing event logs
  • Sample logs by log type
  • Log buffer on FortiGates with an SSD disk
  • Checking the email filter log
  • Supported log types to FortiAnalyzer, FortiAnalyzer Cloud, FortiGate Cloud, and syslog
  • Sending traffic logs to FortiAnalyzer Cloud
  • Configuring multiple FortiAnalyzers on a FortiGate in multi-VDOM mode
  • Configuring multiple FortiAnalyzers (or syslog servers) per VDOM
  • Source and destination UUID logging
  • Logging the signal-to-noise ratio and signal strength per client
  • RSSO information for authenticated destination users in logs
  • Threat weight
  • Logs for the execution of CLI commands
  • Troubleshooting
    • Log-related diagnose commands
    • Backing up log files or dumping log messages
    • SNMP OID for logs that failed to send
• VM
  • Amazon Web Services
  • Microsoft Azure
  • Google Cloud Platform
  • Oracle OCI
  • AliCloud
  • Private cloud
  • VM license
  • FortiGate multiple connector support
  • Adding VDOMs with FortiGate v-series
  • Terraform: FortiOS as a provider
  • PF and VF SR-IOV driver and virtual SPU support
  • Using OCI IMDSv2
  • FIPS cipher mode for AWS, Azure, OCI, and GCP FortiGate-VMs
• Troubleshooting
  • Troubleshooting methodologies
  • Troubleshooting scenarios
    • Checking the system date and time
    • Checking the hardware connections
    • Checking FortiOS network settings
    • Troubleshooting CPU and network resources
    • Troubleshooting high CPU usage
    • Checking the modem status
    • Running ping and traceroute
    • Checking the logs
    • Verifying routing table contents in NAT mode
    • Verifying the correct route is being used
    • Verifying the correct firewall policy is being used
    • Checking the bridging information in transparent mode
    • Checking wireless information
    • Performing a sniffer trace (CLI and packet capture)
    • Debugging the packet flow
    • Testing a proxy operation
    • Displaying detail Hardware NIC information
    • Performing a traffic trace
    • Using a session table
    • Finding object dependencies
    • Diagnosing NPU-based interfaces
    • Identifying the XAUI link used for a specific traffic stream
    • Date and time settings
    • Running the TAC report
    • Other commands
      • ARP table
      • IP address
    • FortiGuard troubleshooting
      • Verifying connectivity to FortiGuard
      • Troubleshooting process for FortiGuard updates
      • FortiGuard server settings
  • Additional resources
• Change Log