DOCUMENT LIBRARY
DOCUMENT LIBRARY
Products
Best Practices
Hardware Guides
Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
Hybrid Mesh Firewall
FortiGate/ FortiOS
FortiGate-5000
/
6000
/
7000
NOC Management
FortiManager
/
FortiManager Cloud
Managed Fortigate Service
LAN
FortiSwitch
FortiAP / FortiWiFi
FortiEdge Cloud
FortiNAC-F
WAN
Secure SD-WAN
FortiExtender
More >>
Unified SASE
Single Vendor SASE
FortiSASE
Secure SD-WAN
Zero Trust Network Access (ZTNA)
FortiProxy
FortiMonitor
Cloud Network Security
FortiGate Public Cloud
FortiGate Private Cloud
FortiGate CNF
FortiFlex
Lacework FortiCNAPP
Secure Endpoint Connectivity
FortiClient
/
FortiClient Cloud
Web Application / API Protection
FortiWeb
FortiADC
FortiDAST
More >>
Security Operations
Security Operations Automation
FortiAnalyzer
/
FortiAnalyzer Cloud
FortiSIEM
/
FortiSIEM Cloud
FortiSOAR
SOC-as-a-Service (SOCaaS)
Identity
FortiAuthenticator
FortiTrust Identity
FortiPAM
Early Detection & Prevention
FortiSandbox
/
FortiSandbox Cloud
FortiNDR
FortiDeceptor
FortiRecon
More >>
Secure Networking
Hybrid Mesh Firewall
FortiGate/ FortiOS
FortiGate-5000
/
6000
/
7000
NOC Management
FortiManager
/
FortiManager Cloud
Managed Fortigate Service
FortiAIOps
LAN
FortiSwitch
FortiAP / FortiWiFi
FortiAP-U Series
FortiEdge Cloud
FortiNAC-F
WAN
Secure SD-WAN
FortiExtender
Communication & Surveillance
FortiVoice
/
FortiVoice Cloud
FortiFone
FortiCamera
FortiRecorder
FortiCentral
Unified SASE
Single Vendor SASE
FortiSASE
Secure SD-WAN
Zero Trust Network Access (ZTNA)
FortiProxy
FortiMonitor
Secure Endpoint Connectivity
FortiClient
/
FortiClient Cloud
Cloud Network Security
FortiGate Public Cloud
FortiGate Private Cloud
FortiGate CNF
FortiFlex
Cloud-Native Security
Lacework FortiCNAPP
FortiDevSec
Web Application / API Protection
FortiWeb
FortiADC
FortiDAST
Security Operations
Security Operations Automation
FortiAnalyzer
/
FortiAnalyzer Cloud
FortiSIEM
/
FortiSIEM Cloud
FortiSOAR
Endpoint
FortiClient
/
FortiClient Cloud
FortiEDR/XDR
Data Protection
FortiDLP
FortiDLP Agent
FortiDLP Policies
Identity
FortiAuthenticator
FortiTrust Identity
FortiToken
/
FortiToken Cloud
FortiPAM
Email
FortiMail
FortiPhish
Early Detection & Prevention
FortiSandbox
/
FortiSandbox Cloud
FortiNDR
FortiDeceptor
FortiRecon
Expert Services
SOC-as-a-Service (SOCaaS)
Edge Firewall
FortiGate/FortiOS
FortiGate-5000
/
6000
/
7000
FortiGate Public Cloud
FortiGate Private Cloud
Orchestration & management
FortiManager
/
FortiManager Cloud
FortiAnalyzer
/
FortiAnalyzer Cloud
Overlay-as-a-Service
SD Branch
FortiSwitch
FortiAP / FortiWiFi
FortiExtender
/
FortiExtender Cloud
Application Delivery
FortiADC
/
FortiGSLB
Single Vendor SASE
FortiSASE
Secure Endpoint Connectivity
FortiClient
/
FortiClient Cloud
Secure Private Access
Secure SD-WAN
Zero Trust Network Access (ZTNA)
Thin Edge
FortiGate/ FortiOS
FortiAP / FortiWiFi
FortiExtender
/
FortiExtender Cloud
Identity
FortiAuthenticator
FortiTrust Identity
FortiToken Cloud
FortiToken
Application Gateway
FortiGate/ FortiOS
FortiProxy
FortiADC
/
FortiGSLB
Enterprise Asset Management
FortiClient EMS
Endpoint Agent
FortiClient
/
FortiClient Cloud
Agentless Security Posture
FortiNAC-F
FortiSIEM
/
FortiSIEM Cloud
Identity
FortiAuthenticator
FortiTrust Identity
FortiToken Cloud
FortiToken
Wireless
FortiAP / FortiWiFi
FortiAP-U Series
FortiGate Cloud
Switching
FortiSwitch
FortiEdge Cloud
FortiNAC-F
Identity
FortiAuthenticator
FortiTrust Identity
FortiToken Cloud
FortiToken
Privilege Acccess Management
FortiPAM
Next Generation Firewall
FortiGate / FortiOS
FortiGate-5000
/
6000
/
7000
FortiGate Public Cloud
FortiGate Private Cloud
Orchestration & management
FortiManager
/
FortiManager Cloud
FortiAnalyzer
/
FortiAnalyzer Cloud
Expert Services
SOC-as-a-Service (SOCaaS)
Managed Fortigate Service
All
FortiADC Public Cloud
FortiAnalyzer Public Cloud
FortiAuthenticator Public Cloud
FortiDeceptor Public Cloud
FortiGate Public Cloud
FortiIsolator Public Cloud
FortiManager Public Cloud
FortiNDR Public Cloud
FortiPAM Public Cloud
FortiPortal Public Cloud
FortiProxy Public Cloud
FortiSandbox Public Cloud
FortiTester Public Cloud
FortiVoice Public Cloud
FortiWeb Manager Public Cloud
FortiWeb Public Cloud
All
FortiADC Private Cloud
FortiAnalyzer BigData Private Cloud
FortiAnalyzer Private Cloud
FortiAuthenticator Private Cloud
FortiDeceptor Private Cloud
FortiGate Private Cloud
FortiManager Private Cloud
FortiNDR Private Cloud
FortiPAM Private Cloud
FortiProxy Private Cloud
FortiSandbox Private Cloud
FortiTester Private Cloud
FortiVoice Private Cloud
FortiWeb Manager Private Cloud
FortiWeb Private Cloud
Account Management
FortiCloud Services
SAAS Management
FortiGate Cloud
FortiEdge Cloud
FortiEdge Cloud
FortiExtender Cloud
FortiPresence Cloud
FortiToken Cloud
FortiTrust Identity
FortiZTP
FortiCamera Cloud
SAAS Application Security
FortiWeb Cloud
FortiGSLB
FortiCASB
FortiCNP
FortiInsight
FortiPhish
FortiGate CNF
Managed Services
SOC-as-a-Service (SOCaaS)
Managed Fortigate Service
Platform as a service (PAAS)
FortiSASE
FortiAnalyzer Cloud
FortiManager Cloud
FortiClient Cloud
FortiSandbox Cloud
FortiMail Cloud
FortiSOAR Cloud
Other SAAS Services
Overlay-as-a-Service
FortiRecon
FortiConverter
ForiIPAM
FortiFlex
FortiCare Elite
4D Resources
Solution Hubs
Define, design, deploy, demo
4D Pillars
Secure SD-WAN
Zero Trust Network Access
Wireless
Switching
Secure Access Service Edge
Identity and Access Management
Next Generation Firewall
Curated Links by Solution
Cloud
FortiCloud
Public & Private Cloud
Popular Solutions
Secure SD-WAN
Zero Trust Network Access
Secure Access
Security Fabric
Tele-Working
Multi-Factor Authentication
FortiASIC
Operational Technology
MSSP
Next Generation Firewall
FortiAnalyzer
FortiAnalyzer Big-Data
FortiADC
FortiAP / FortiWiFi
FortiAP U-Series
FortiAuthenticator
FortiCache
FortiCarrier
FortiController
FortiDDoS
FortiDDoS-F
FortiDeceptor
FortiExtender
FortiGate-5000
FortiGate-6000
FortiGate-7000
FortiHypervisor
FortiIsolator
FortiMail
FortiManager
FortiNAC
FortiNDR
FortiProxy
FortiRecorder
FortiGate
FortiRPS
FortiSandbox
FortiSIEM
FortiSwitch
FortiTester
FortiToken
FortiVoice
FortiWAN
FortiWeb
FortiWLC
FortiWLM
AscenLink
AV Engine
AWS Firewall Rules
Container FortiOS
FortiADC
FortiADC E Series
FortiADC Manager
FortiADC Private Cloud
FortiADC Public Cloud
FortiAIOps
FortiAnalyzer
FortiAnalyzer BigData
FortiAnalyzer BigData Private Cloud
FortiAnalyzer Cloud
FortiAnalyzer Private Cloud
FortiAnalyzer Public Cloud
FortiAP / FortiWiFi
FortiAP-U Series
FortiAuthenticator
FortiAuthenticator Private Cloud
FortiAuthenticator Public Cloud
FortiAuthProxy
FortiBalancer
FortiBranchSASE
FortiBridge
FortiCache
FortiCamera
FortiCamera Cloud
FortiCare Elite
FortiCarrier
FortiCASB
FortiCentral
FortiClient
FortiClient Cloud
FortiCloud Services
FortiCNP
FortiConnect
FortiController
FortiConverter Service
FortiConverter Tool
FortiCore
FortiCSPM
FortiCWP
FortiDAST
FortiDB
FortiDDoS
FortiDDoS-F
FortiDeceptor
FortiDeceptor DaaS
FortiDeceptor Private Cloud
FortiDeceptor Public Cloud
FortiDevSec
FortiDLP
FortiDLP Agent
FortiDLP Policies
FortiDNS
FortiEdge Cloud
FortiEDR/XDR
FortiEndpoint
FortiExplorer
FortiExplorer Go
FortiExtender
FortiFlex
FortiFone
FortiGate / FortiOS
FortiGate Cloud
FortiGate CNF
FortiGate Private Cloud
FortiGate Public Cloud
FortiGate-5000
FortiGate-6000
FortiGate-7000
FortiGate-as-a-Service
FortiGSLB
FortiGuard Advanced Bot Protection
FortiGuest
FortiHypervisor
FortiInsight
FortiInsight Cloud
FortiIPAM
FortiIsolator
FortiIsolator Public Cloud
FortiLAN Cloud
FortiMail
FortiMail Cloud
FortiManager
FortiManager Cloud
FortiManager Private Cloud
FortiManager Public Cloud
FortiMonitor
FortiNAC
FortiNAC-F
FortiNDR
FortiNDR (on-premise) Private Cloud
FortiNDR (on-premise) Public Cloud
FortiNDR Cloud
FortiNDR Cloud Sensors
FortiPAM
FortiPAM Private Cloud
FortiPAM Public Cloud
FortiPhish
FortiPlanner
FortiPolicy
FortiPortal
FortiPortal Public Cloud
FortiPresence
FortiPresence VM
FortiProxy
FortiProxy Private Cloud
FortiProxy Public Cloud
FortiRecon
FortiRecorder
FortiRPS
FortiSandbox
FortiSandbox Cloud
FortiSandbox Private Cloud
FortiSandbox Public Cloud
FortiSASE
FortiScanner
FortiSIEM
FortiSIEM Cloud
FortiSOAR
FortiSOAR Cloud
FortiSRA
FortiSwitch
FortiSwitch Manager
FortiTap
FortiTester
FortiTester Private Cloud
FortiTester Public Cloud
FortiToken
FortiToken Cloud
FortiTrust Identity
FortiVoice
FortiVoice Cloud
FortiVoice Private Cloud
FortiVoice Public Cloud
FortiWAN
FortiWAN Controller
FortiWeb
FortiWeb Cloud
FortiWeb Manager Private Cloud
FortiWeb Manager Public Cloud
FortiWeb Private Cloud
FortiWeb Public Cloud
FortiWLM
FortiZTP
IPS Engine
Lacework FortiCNAPP
Managed FortiGate Service
Overlay-as-a-Service
Security Awareness and Training
SOCaaS
Wireless Controller
Search documents and hardware ...
Administration Guide
Getting started
Summary of steps
Setting up FortiGate for management access
Completing the FortiGate Setup wizard
Configuring basic settings
Registering FortiGate
Configuring a firewall policy
Backing up the configuration
Troubleshooting your installation
Using the GUI
Connecting using a web browser
Menus
Tables
Entering values
Text strings
Numbers
GUI-based global search
Loading artifacts from a CDN
Using the CLI
Connecting to the CLI
CLI basics
Command syntax
Subcommands
Permissions
Configuration and management
Using FortiExplorer Go and FortiExplorer
Getting started with FortiExplorer
Connecting FortiExplorer to a FortiGate with WiFi
Configure FortiGate with FortiExplorer using BLE
Running a security rating
Accessing Fortinet Developer Network
Terraform: FortiOS as a provider
Product registration with FortiCare
FortiCare and FortiGate Cloud login
FortiCare Register button
Transfer a device to another FortiCloud account
Deregistering a FortiGate
FortiGate models
Differences between models
Low encryption models
LEDs
Dashboards and Monitors
Using dashboards
Using widgets
Viewing device dashboards in the Security Fabric
Creating a fabric system and license dashboard
Dashboards
Status dashboard
Security dashboard
Viewing session information for a compromised host
Network dashboard
Static & Dynamic Routing monitor
DHCP monitor
IPsec monitor
SSL-VPN monitor
Users & Devices
Device inventory
Device inventory and filtering
Adding MAC-based addresses to devices
Firewall Users monitor
WiFi dashboard
FortiAP Status monitor
Clients by FortiAP monitor
Monitors
FortiView monitors and widgets
Adding FortiView monitors
Using the FortiView interface
Enabling FortiView from devices
FortiView sources
FortiView Sessions
FortiView Top Source and Top Destination Firewall Objects monitors
Viewing top websites and sources by category
Cloud application view
Top application: YouTube example
Network
Interfaces
Interface settings
Configure IPAM locally on the FortiGate
Interface MTU packet size
One-arm sniffer
Interface migration wizard
Captive portals
Configuring a FortiGate interface to act as an 802.1X supplicant
Physical interface
VLAN
Virtual VLAN switch
QinQ 802.1Q in 802.1ad
QinQ 802.1Q in 802.1Q
Aggregation and redundancy
Enhanced hashing for LAG member selection
Failure detection for aggregate and redundant interfaces
Loopback interface
Software switch
Hardware switch
Zone
Virtual wire pair
PRP handling in NAT mode with virtual wire pair
Using VLAN sub-interfaces in virtual wire pairs
Enhanced MAC VLAN
VXLAN
General VXLAN configuration and topologies
VLAN inside VXLAN
Virtual wire pair with VXLAN
VXLAN over IPsec tunnel with virtual wire pair
VXLAN over IPsec using a VXLAN tunnel endpoint
VXLAN troubleshooting
DNS
Important DNS CLI commands
DNS domain list
FortiGate DNS server
Basic DNS server configuration example
DDNS
DNS latency information
DNS over TLS and HTTPS
DNS session helpers
DNS troubleshooting
Explicit and transparent proxies
Explicit web proxy
FTP proxy
Transparent proxy
Proxy policy addresses
Proxy policy security profiles
Explicit proxy authentication
Transparent web proxy forwarding
Upstream proxy authentication in transparent proxy mode
Multiple dynamic header count
Restricted SaaS access
Explicit proxy and FortiGate Cloud Sandbox
Proxy chaining
WAN optimization SSL proxy chaining
Agentless NTLM authentication for web proxy
Multiple LDAP servers in Kerberos keytabs and agentless NTLM domain controllers
Learn client IP addresses
Explicit proxy authentication over HTTPS
mTLS client certificate authentication
CORS protocol in explicit web proxy when using session-based, cookie-enabled, and captive portal-enabled SAML authentication
HTTP connection coalescing and concurrent multiplexing for explicit proxy
DHCP servers and relays
Basic configuration
DHCP options
Common DHCP options
Additional DHCP options
IP address assignment with relay agent information option
DHCP addressing mode on an interface
VCI pattern matching for DHCP assignment
Multiple DHCP relay servers
FortiGate DHCP works with DDNS to allow FQDN connectivity to leased IP addresses
Static routing
Routing concepts
Policy routes
Equal cost multi-path
Dual internet connections
Dynamic routing
RIP
Basic RIP example
Basic RIPng example
OSPF
Basic OSPF example
OSPFv3 neighbor authentication
OSPF graceful restart upon a topology change
BGP
Basic BGP example
Route filtering with a distribution list
Next hop recursive resolution using other BGP routes
Next hop recursive resolution using ECMP routes
BGP conditional advertisement
BGP error handling per RFC 7606
BGP next hop tag-match mode
BGP neighbor password
BGP multi-exit discriminator
Troubleshooting BGP
BFD
BFD for multihop path for BGP
Routing objects
Route maps
Access lists
Prefix lists
AS path lists
Community lists
Multicast
Multicast routing and PIM support
Configuring multicast forwarding
FortiExtender
Adding a FortiExtender
Direct IP support for LTE/4G
LLDP reception
Virtual routing and forwarding
Implementing VRF
VRF routing support
Route leaking between VRFs with BGP
Route leaking between multiple VRFs
VRF with IPv6
IBGP and EBGP support in VRF
Support cross-VRF local-in and local-out traffic for local services
NetFlow
NetFlow templates
NetFlow on FortiExtender and tunnel interfaces
Allow multiple Netflow collectors
sFlow
Link monitor
Link monitor with route updates
Enable or disable updating policy routes when link health monitor fails
Add weight setting on each link health monitor server
SLA link monitoring for dynamic IPsec and SSL VPN tunnels
IPv6
IPv6 overview
IPv6 quick start
Neighbor discovery proxy
IPv6 address assignment
IPv6 stateless address auto-configuration (SLAAC)
DHCPv6 stateful server
SLAAC with DHCPv6 stateless server
IPv6 prefix delegation
NAT66, NAT46, NAT64, and DNS64
NAT66 policy
NAT46 policy
NAT64 policy and DNS64 (DNS proxy)
DHCPv6 relay
IPv6 tunneling
IPv6 IPsec VPN
IPv6 GRE tunnels
IPv6 tunnel inherits MTU based on physical interface
Configuring IPv4 over IPv6 DS-Lite service
IPv6 Simple Network Management Protocol
Dynamic routing in IPv6
OSPFv3 and IPv6
BGP and IPv6
IPv6 configuration examples
IPv6 quick start example
Site-to-site IPv6 over IPv6 VPN example
Site-to-site IPv4 over IPv6 VPN example
Site-to-site IPv6 over IPv4 VPN example
Basic OSPFv3 example
Basic IPv6 BGP example
FortiGate LAN extension
SCTP packets with zero checksum on the NP7 platform
Diagnostics
Using the packet capture tool
Using the debug flow tool
SD-WAN
SD-WAN overview
SD-WAN components and design principles
SD-WAN designs and architectures
SD-WAN quick start
Configuring the SD-WAN interface
Adding a static route
Selecting the implicit SD-WAN algorithm
Configuring firewall policies for SD-WAN
Link monitoring and failover
Results
Configuring SD-WAN in the CLI
SD-WAN members and zones
Specify an SD-WAN zone in static routes and SD-WAN rules
Performance SLA
Performance SLA overview
Link health monitor
Monitoring performance SLA
Passive WAN health measurement
Passive health-check measurement by internet service and application
Mean opinion score calculation and logging in performance SLA health checks
Embedded SD-WAN SLA information in ICMP probes
SD-WAN application monitor using FortiMonitor
SD-WAN rules
SD-WAN rules overview
Fields for identifying traffic
Fields for configuring WAN intelligence
Additional fields for configuring WAN intelligence
Implicit rule
Automatic strategy
Manual strategy
Best quality strategy
Lowest cost (SLA) strategy
Maximize bandwidth (SLA) strategy
SD-WAN traffic shaping and QoS
SDN dynamic connector addresses in SD-WAN rules
Application steering using SD-WAN rules
Static application steering with a manual strategy
Dynamic application steering with lowest cost and best quality strategies
DSCP tag-based traffic steering in SD-WAN
Configuring SD-WAN rules
Results
ECMP support for the longest match in SD-WAN rule matching
Override quality comparisons in SD-WAN longest match rule matching
Use an application category as an SD-WAN rule destination
Use SD-WAN rules for WAN link selection with load balancing
Advanced routing
Local out traffic
Using BGP tags with SD-WAN rules
BGP multiple path support
Controlling traffic with BGP route mapping and service rules
Applying BGP route-map to multiple BGP neighbors
Using multiple members per SD-WAN neighbor configuration
VPN overlay
ADVPN and shortcut paths
SD-WAN monitor on ADVPN shortcuts
Hold down time to support SD-WAN service strategies
SD-WAN integration with OCVPN
Adaptive Forward Error Correction
Dual VPN tunnel wizard
Duplicate packets on other zone members
Duplicate packets based on SD-WAN rules
Interface based QoS on individual child tunnels based on speed test results
SD-WAN in large scale deployments
Advanced configuration
SD-WAN with FGCP HA
Configuring SD-WAN in an HA cluster using internal hardware switches
SD-WAN configuration portability
SD-WAN segmentation over a single overlay
Matching BGP extended community route targets in route maps
Copying the DSCP value from the session original direction to its reply direction
SD-WAN cloud on-ramp
Configuring the VPN overlay between the HQ FortiGate and cloud FortiGate-VM
Configuring the VPN overlay between the HQ FortiGate and AWS native VPN gateway
Configuring the VIP to access the remote servers
Configuring the SD-WAN to steer traffic between the overlays
Verifying the traffic
SD-WAN Network Monitor service
CLI speed test
GUI speed test
Scheduled interface speed test
Running speed tests from the hub to the spokes in dial-up IPsec tunnels
Speed test usage
Speed test examples
Troubleshooting SD-WAN
Tracking SD-WAN sessions
Understanding SD-WAN related logs
SD-WAN related diagnose commands
Using SNMP to monitor health check
Zero Trust Network Access
Zero Trust Network Access introduction
Basic ZTNA configuration
Establish device identity and trust context with FortiClient EMS
SSL certificate based authentication
Full versus simple ZTNA policies
ZTNA advanced configurations
Access control of unmanageable and unknown devices
HTTP2 connection coalescing and concurrent multiplexing for ZTNA
ZTNA configuration examples
ZTNA HTTPS access proxy example
ZTNA HTTPS access proxy with basic authentication example
ZTNA TCP forwarding access proxy example
ZTNA SSH access proxy example
ZTNA application gateway with SAML authentication example
ZTNA application gateway with SAML and MFA using FortiAuthenticator example
Secure LDAP connection from FortiAuthenticator with zero trust tunnel example
ZTNA IP MAC based access control example
ZTNA IPv6 examples
ZTNA Zero Trust application gateway example
ZTNA access proxy with KDC to access shared drives
Custom replacement message for ZTNA virtual hosts
ZTNA troubleshooting and debugging commands
ZTNA troubleshooting scenarios
Policy and Objects
Policies
Firewall policy
NGFW policy
Local-in policy
DoS policy
Access control lists
Interface policies
Source NAT
Static SNAT
Dynamic SNAT
Central SNAT
Configuring an IPv6 SNAT policy
SNAT policies with virtual wire pairs
Destination NAT
Configuring VIPs
Configuring VIP groups
Static virtual IPs
Virtual IP with services
Virtual IPs with port forwarding
Virtual server load balance
Virtual server load balance multiplexing
Configure FQDN-based VIPs
Central DNAT
Examples and policy actions
NAT46 and NAT64 policy and routing configurations
Mirroring SSL traffic in policies
Recognize anycast addresses in geo-IP blocking
Matching GeoIP by registered and physical location
HTTP to HTTPS redirect for load balancing
Use Active Directory objects directly in policies
No session timeout
MAP-E support
Seven-day rolling counter for policy hit counters
Cisco Security Group Tag as policy matching criteria
Virtual patching on the local-in management interface
Per-policy disclaimer messages
Address objects
Subnet
Dynamic policy — fabric devices
IP range
FQDN addresses
Using wildcard FQDN addresses in firewall policies
Geography based addresses
IPv6 geography-based addresses
Wildcard addressing
Interface subnet
Address group
Address folders
Allow empty address groups
Address group exclusions
FSSO dynamic address subtype
ClearPass integration for dynamic address objects
FortiNAC tag dynamic address
MAC addressed-based policies
ISDB well-known MAC address list
IPv6 MAC addresses and usage in firewall policies
Protocol options
Traffic shaping
Traffic shaping policies
Traffic shaping profiles
Traffic shaping with queuing using a traffic shaping profile
Traffic shapers
Shared traffic shaper
Per-IP traffic shaper
Changing traffic shaper bandwidth unit of measurement
Multi-stage DSCP marking and class ID in traffic shapers
Adding traffic shapers to multicast policies
Global traffic prioritization
DSCP matching and DSCP marking
Examples
Interface-based traffic shaping profile
Interface-based traffic shaping with NP acceleration
QoS assignment and rate limiting for FortiSwitch quarantined VLANs
Ingress traffic shaping profile
Internet Services
Using Internet Service in a policy
Using custom Internet Service in policy
Using extension Internet Service in policy
Global IP address information database
IP reputation filtering
Internet service groups in policies
Allow creation of ISDB objects with regional information
Internet service customization
Look up IP address information from the Internet Service Database page
Internet Service Database on-demand mode
Enabling the ISDB cache in the FortiOS kernel
Security Profiles
Inspection modes
Flow mode inspection (default mode)
Proxy mode inspection
Inspection mode feature comparison
Antivirus
Antivirus introduction
Antivirus techniques
Configuring an antivirus profile
Testing an antivirus profile
Proxy mode stream-based scanning
Databases
Advanced configurations
Using FortiSandbox post-transfer scanning with antivirus
Using FortiSandbox inline scanning with antivirus
Using FortiNDR inline scanning with antivirus
Malware threat feed from EMS
CIFS support
Configuration examples
Content disarm and reconstruction
FortiGuard outbreak prevention
External malware block list
Exempt list for files based on individual hash
Web filter
Web filter introduction
Web filter techniques
Configuring a web filter profile
FortiGuard filter
Category usage quota
Search engines
Static URL filter
Rating options
Proxy options
Advanced CLI configuration
Credential phishing prevention
Additional antiphishing settings
Web filter statistics
URL certificate blocklist
Websense Integrated Services Protocol
Inspecting HTTP3 traffic
Configuration examples
Configuring web filter profiles with Hebrew domain names
Configuring web filter profiles to block AI and cryptocurrency
Video filter
Filtering based on FortiGuard categories
Filtering based on YouTube channel
Replacement messages displayed in blocked videos
DNS filter
Configuring a DNS filter profile
FortiGuard category-based DNS domain filtering
Botnet C&C domain blocking
DNS safe search
Local domain filter
DNS translation
Applying DNS filter to FortiGate DNS server
DNS inspection with DoT and DoH
Troubleshooting for DNS filter
Application control
Configuring an application sensor
Basic category filters and overrides
Excluding signatures in application control profiles
Port enforcement check
Protocol enforcement
SSL-based application detection over decrypted traffic in a sandwich topology
Matching multiple parameters on application control signatures
Application signature dissector for DNP3
Blocking QUIC manually
Intrusion prevention
Signature-based defense
Configuring an IPS sensor
IPS configuration options
IPS signature filter options
IPS with botnet C&C IP blocking
IPS signatures for the industrial security service
IPS sensor for IEC 61850 MMS protocol
SCTP filtering capabilities
File filter
Supported file types
Email filter
Configuring an email filter profile
Local-based filters
FortiGuard-based filters
Third-party-based filters
Filtering order
Protocols and actions
Configuring webmail filtering
Data leak prevention
DLP techniques
Basic DLP settings
Advanced DLP configurations
DLP fingerprinting
Sensitivity labels
DLP examples
Block HTTPS upload traffic that includes credit card information
Log FTP upload traffic with a specific pattern
Block HTTPS downloads of EXE files and log HTTPS downloads of files larger than 500 KB
Block HTTPS upload traffic that includes Visa or Mastercard information using evaluation through logical expression
Block access to LLM applications using keywords and FQDN
VoIP solutions
General use cases
NAT46 and NAT64 for SIP ALG
SIP message inspection and filtering
SIP ALG and SIP session helper
SIP pinholes
SIP over TLS
Voice VLAN auto-assignment
Scanning MSRP traffic
ICAP
ICAP configuration example
ICAP response filtering
Secure ICAP clients
ICAP scanning with SCP and FTP
Web application firewall
Protecting a server running web applications
SSL & SSH Inspection
Configuring an SSL/SSH inspection profile
Certificate inspection
Deep inspection
Protecting an SSL server
Handling SSL offloaded traffic from an external decryption device
SSH traffic file scanning
Redirect to WAD after handshake completion
HTTP/2 support in proxy mode SSL inspection
Define multiple certificates in an SSL profile in replace mode
Disabling the FortiGuard IP address rating
Custom signatures
Configuring custom signatures
Blocking applications with custom signatures
Filters for application control groups
Application groups in traffic shaping policies
Overrides
Web rating override
Configuring the category override rule
Sub-category actions
Category override examples
Using local and remote categories
Web profile override
IP ban
IP ban using the CLI
IP ban using security profiles
Configuring the persistency for a banned IP list
Profile groups
IPsec VPN
General IPsec VPN configuration
Network topologies
Phase 1 configuration
Choosing IKE version 1 and 2
Pre-shared key vs digital certificates
Using XAuth authentication
Dynamic IPsec route control
Matching IPsec tunnel gateway based on address parameters
Phase 2 configuration
VPN security policies
Blocking unwanted IKE negotiations and ESP packets with a local-in policy
Configurable IKE port
IPsec VPN IP address assignments
Site-to-site VPN
FortiGate-to-FortiGate
Basic site-to-site VPN with pre-shared key
Site-to-site VPN with digital certificate
Site-to-site VPN with overlapping subnets
GRE over IPsec
Policy-based IPsec tunnel
FortiGate-to-third-party
IKEv2 IPsec site-to-site VPN to an AWS VPN gateway
IPsec VPN to Azure with virtual network gateway
IPsec VPN to an Azure with virtual WAN
IPSec VPN between a FortiGate and a Cisco ASA with multiple subnets
Cisco GRE-over-IPsec VPN
Remote access
FortiGate as dialup client
FortiClient as dialup client
Add FortiToken multi-factor authentication
Add LDAP user authentication
iOS device as dialup client
IKE Mode Config clients
IPsec VPN with external DHCP service
L2TP over IPsec
Tunneled Internet browsing
Dialup IPsec VPN with certificate authentication
SAML-based authentication for FortiClient remote access dialup IPsec VPN clients
Configuring FortiAuthenticator as SAML IdP and FortiGate as SAML SP
Configuring Microsoft Entra ID as SAML IdP and FortiGate as SAML SP
Enhancing IPsec security using EMS SN verification
IPsec split DNS
Aggregate and redundant VPN
Manual redundant VPN configuration
OSPF with IPsec VPN for network redundancy
IPsec VPN in an HA environment
Packet distribution and redundancy for aggregate IPsec tunnels
Packet distribution for aggregate dial-up IPsec tunnels using location ID
Packet distribution for aggregate static IPsec tunnels in SD-WAN
Packet distribution for aggregate IPsec tunnels using weighted round robin
Redundant hub and spoke VPN
Overlay Controller VPN (OCVPN)
Full mesh OCVPN
Hub-spoke OCVPN with ADVPN shortcut
Hub-spoke OCVPN with inter-overlay source NAT
OCVPN portal
Allow FortiClient to join OCVPN
Troubleshooting OCVPN
ADVPN
IPsec VPN wizard hub-and-spoke ADVPN support
ADVPN with BGP as the routing protocol
ADVPN with OSPF as the routing protocol
ADVPN with RIP as the routing protocol
UDP hole punching for spokes behind NAT
Fabric Overlay Orchestrator
Prerequisites
Network topology
Using the Fabric Overlay Orchestrator
Other VPN topics
VPN and ASIC offload
Encryption algorithms
Fragmenting IP packets before IPsec encapsulation
Configure DSCP for IPsec tunnels
Defining gateway IP addresses in IPsec with mode-config and DHCP
FQDN support for remote gateways
Windows IKEv2 native VPN with user certificate
IPsec IKE load balancing based on FortiSASE account information
Securely exchange serial numbers between FortiGates connected with IPsec VPN
VPN IPsec troubleshooting
Understanding VPN related logs
IPsec related diagnose commands
SSL VPN
SSL VPN best practices
SSL VPN security best practices
SSL VPN quick start
SSL VPN split tunnel for remote user
Connecting from FortiClient VPN client
Set up FortiToken multi-factor authentication
Connecting from FortiClient with FortiToken
SSL VPN tunnel mode
SSL VPN full tunnel for remote user
SSL VPN tunnel mode host check
SSL VPN split DNS
Split tunneling settings
Augmenting VPN security with ZTNA tags
Enhancing VPN security using EMS SN verification
SSL VPN web mode
Web portal configurations
Quick Connection tool
SSL VPN bookmarks
SSL VPN web mode for remote user
Customizing the RDP display size
Showing the SSL VPN portal login page in the browser's language
SSL VPN authentication
SSL VPN with LDAP user authentication
SSL VPN with LDAP user password renew
SSL VPN with certificate authentication
SSL VPN with LDAP-integrated certificate authentication
SSL VPN for remote users with MFA and user sensitivity
SSL VPN with FortiToken mobile push authentication
SSL VPN with RADIUS on FortiAuthenticator
SSL VPN with RADIUS and FortiToken mobile push on FortiAuthenticator
SSL VPN with RADIUS password renew on FortiAuthenticator
SSL VPN with RADIUS on Windows NPS
SSL VPN with multiple RADIUS servers
SSL VPN with local user password policy
Dynamic address support for SSL VPN policies
SSL VPN multi-realm
NAS-IP support per SSL-VPN realm
SSL VPN with Okta as SAML IdP
SSL VPN with Microsoft Entra SSO integration
SSL VPN to IPsec VPN
SSL VPN protocols
TLS 1.3 support
SMBv2 support
DTLS support
Configuring OS and host check
FortiGate as SSL VPN Client
Dual stack IPv4 and IPv6 support for SSL VPN
Disable the clipboard in SSL VPN web mode RDP connections
SSL VPN IP address assignments
Using SSL VPN interfaces in zones
SSL VPN troubleshooting
Debug commands
Troubleshooting common issues
User & Authentication
User definition, groups, and settings
Users
User groups
Authentication settings
Retail environment guest access
LDAP servers
Configuring an LDAP server
Enabling Active Directory recursive search
Configuring LDAP dial-in using a member attribute
Configuring wildcard admin accounts
Configuring least privileges for LDAP admin account authentication in Active Directory
Tracking users in each Active Directory LDAP group
Tracking rolling historical records of LDAP user logins
Configuring client certificate authentication on the LDAP server
RADIUS servers
Configuring a RADIUS server
Using multiple RADIUS servers
RADIUS AVPs and VSAs
Restricting RADIUS user groups to match selective users on the RADIUS server
Configuring RADIUS SSO authentication
RSA ACE (SecurID) servers
Support for Okta RADIUS attributes filter-Id and class
Sending multiple RADIUS attribute values in a single RADIUS Access-Request
Traffic shaping based on dynamic RADIUS VSAs
RADIUS Termination-Action AVP in wired and wireless scenarios
SAML
Configuring SAML SSO
SSL VPN with FortiAuthenticator as a SAML IdP
Using a browser as an external user-agent for SAML authentication in an SSL VPN connection
IPsec VPN with SAML IdP
Outbound firewall authentication with Microsoft Entra ID as a SAML IdP
SAML authentication in a proxy policy
TACACS+ servers
FortiTokens
FortiToken Mobile quick start
Registering FortiToken Mobile
Provisioning FortiToken Mobile
Activating FortiToken Mobile on a mobile phone
Applying multi-factor authentication
FortiToken Cloud
Registering hard tokens
Managing FortiTokens
FortiToken Mobile Push
Synchronizing LDAP Active Directory users to FortiToken Cloud using the two-factor filter
FortiGuard distribution of updated Apple certificates for push notifications
Troubleshooting and diagnosis
PKI
Configuring a PKI user
Using the SAN field for LDAP-integrated certificate authentication
FSSO
FSSO polling connector agent installation
FSSO using Syslog as source
Configuring the FSSO timeout when the collector agent connection fails
Configuring FSSO firewall authentication
Include usernames in logs
Wireless configuration
Switch Controller
System
Administrators
Local authentication
Remote authentication for administrators
Administrator account options
REST API administrator
SSO administrators
FortiCloud SSO
Allowing the FortiGate to override FortiCloud SSO administrator user permissions
Password policy
Public key SSH access
Restricting SSH and Telnet jump host capabilities
Remote administrators with TACACS VSA attributes
Administrator profiles
Fabric Management
About firmware installations
Firmware maturity levels
Upgrading individual devices
Upgrading Fabric or managed devices
Enabling automatic firmware updates
Authorizing devices
Firmware upgrade notifications
Downloading a firmware image
Testing a firmware version
Installing firmware from system reboot
Restoring from a USB drive
Using controlled upgrades
Downgrading individual device firmware
Downloading the EOS support package for supported Fabric devices
Settings
Default administrator password
Changing the host name
Setting the system time
SHA-1 authentication support (for NTPv4)
PTPv2
Configuring ports
Custom default service port range
Setting the idle timeout time
Setting the password policy
Changing the view settings
Setting the administrator password retries and lockout time
TLS configuration
Controlling return path with auxiliary session
Email alerts
Using configuration save mode
Trusted platform module support
Using the default certificate for HTTPS administrative access
Virtual Domains
VDOM overview
General configurations
Configuring global profiles
Backing up and restoring configurations in multi-VDOM mode
Inter-VDOM routing configuration example: Internet access
Inter-VDOM routing configuration example: Partial-mesh VDOMs
High Availability
FGCP
Failover protection
HA heartbeat interface
Unicast HA heartbeat
HA active-passive cluster setup
HA active-active cluster setup
HA and load balancing
HA virtual cluster setup
HA primary unit selection criteria
Check HA synchronization status
Out-of-band management with reserved management interfaces
In-band management
Upgrading FortiGates in an HA cluster
Distributed HA clusters
HA between remote sites over managed FortiSwitches
HA using a hardware switch to replace a physical switch
VDOM exceptions
Override FortiAnalyzer and syslog server settings
Routing NetFlow data over the HA management interface
Force HA failover for testing and demonstrations
Disabling stateful SCTP inspection
Resume IPS scanning of ICCP traffic after HA failover
Querying autoscale clusters for FortiGate VM
Cluster virtual MAC addresses
Abbreviated TLS handshake after HA failover
Session synchronization during HA failover for ZTNA proxy sessions
Troubleshoot an HA formation
FGSP
FGSP basic peer setup
Synchronizing sessions between FGCP clusters
Session synchronization interfaces in FGSP
UTM inspection on asymmetric traffic in FGSP
UTM inspection on asymmetric traffic on L3
Encryption for L3 on asymmetric traffic in FGSP
Optimizing FGSP session synchronization and redundancy
Firmware upgrades in FGSP
FGSP session synchronization between different FortiGate models or firmware versions
Applying the session synchronization filter only between FGSP peers in an FGCP over FGSP topology
FGSP static site-to-site IPsec VPN setup
FGSP per-tunnel failover for IPsec
FGCP over FGSP per-tunnel failover for IPsec
Allow IPsec DPD in FGSP members to support failovers
Standalone configuration synchronization
Layer 3 unicast standalone configuration synchronization
VRRP
Adding IPv4 and IPv6 virtual routers to an interface
VRRP failover
VRRP groups
VRRP virtual MACs
Preempt mode
Single-domain VRRP example
Multi-domain VRRP example
VRRP on EMAC-VLAN interfaces
Session failover
Session pickup
Pass-through sessions
Terminated sessions
Improving session sync performance
SNMP
Basic configuration
MIB files
Access control for SNMP
Important SNMP traps
SNMP examples
Replacement messages
Replacement message groups
FortiGuard
Anycast
Configuring FortiGuard updates
Using a proxy server to connect to the FortiGuard Distribution Network
Manual updates
Automatic updates
Scheduled updates
Sending malware statistics to FortiGuard
Update server location
Filtering
Online security tools
Anycast and unicast services
Using FortiManager as a local FortiGuard server
Cloud service communication statistics
IoT detection service
FortiAP query to FortiGuard IoT service to determine device details
FortiGate Cloud / FDN communication through an explicit proxy
FDS-only ISDB package in firmware images
Licensing in air-gap environments
License expiration
Feature visibility
Certificates
Automatically provision a certificate
Generate a new certificate
Regenerate default certificates
Import a certificate
Generate a CSR
CA certificate
Remote certificate
Certificate revocation list
Export a certificate
Uploading certificates using an API
Procuring and importing a signed SSL certificate
Microsoft CA deep packet inspection
Administrative access using certificates
Creating certificates with XCA
Security
BIOS-level signature and file integrity checking
Real-time file system integrity checking
Running a file system check automatically
Built-in entropy source
FortiGate VM unique certificate
Configuration scripts
Workspace mode
Custom languages
RAID
FortiGate encryption algorithm cipher suites
Conserve mode
Using APIs
Configuration backups and reset
Fortinet Security Fabric
Components
Security Fabric connectors
Configuring the root FortiGate and downstream FortiGates
Configuring logging and analytics
Configuring FortiAnalyzer
Configuring cloud logging
Configuring FortiClient EMS
Synchronizing FortiClient ZTNA tags
Configuring LAN edge devices
Configuring central management
Configuring sandboxing
Configuring supported connectors
Configuring FortiNDR
Configuring FortiDeceptor
Configuring FortiMail
Configuring FortiMonitor
Configuring FortiNAC
Configuring FortiTester
Configuring FortiVoice
Configuring FortiWeb
Configuring FortiPolicy
Using the Security Fabric
Dashboard widgets
Topology
Asset Identity Center page
WebSocket for Security Fabric events
Deploying the Security Fabric
Deploying the Security Fabric in a multi-VDOM environment
Other Security Fabric topics
Synchronizing objects across the Security Fabric
Group address objects synchronized from FortiManager
Security Fabric over IPsec VPN
Leveraging LLDP to simplify Security Fabric negotiation
Integrate user information from EMS and Exchange connectors in the user store
Configuring the Security Fabric with SAML
Configuring single-sign-on in the Security Fabric
Configuring the root FortiGate as the IdP
Configuring a downstream FortiGate as an SP
Configuring certificates for SAML SSO
Verifying the single-sign-on configuration
CLI commands for SAML SSO
SAML SSO with pre-authorized FortiGates
Navigating between Security Fabric members with SSO
Integrating FortiAnalyzer management using SAML SSO
Integrating FortiManager management using SAML SSO
Advanced option - FortiGate SP changes
Security rating
Security Fabric score
Automation stitches
Creating automation stitches
Default automation stitches
Incoming Webhook Quarantine stitch
Triggers
FortiAnalyzer event handler trigger
Fabric connector event trigger
FortiOS event log trigger
Event log category triggers
Certificate expiration trigger
Schedule trigger
Actions
FortiNAC Quarantine action
VMware NSX security tag action
VMware NSX-T security tag action
Replacement messages for email alerts
Slack Notification action
Microsoft Teams Notification action
AWS Lambda action
Azure Function action
Google Cloud Function action
AliCloud Function action
CLI script action
Execute a CLI script based on memory and CPU thresholds
Webhook action
Webhook action with Twilio for SMS text messages
Slack integration webhook
Microsoft Teams integration webhook
System action
Public and private SDN connectors
Getting started with public and private SDN connectors
AliCloud SDN connector using access key
AWS SDN connector using access keys
Azure SDN connector using service principal
Cisco ACI SDN connector using a standalone connector
Retrieve IPv6 dynamic addresses from Cisco ACI SDN connector
ClearPass endpoint connector via FortiManager
GCP SDN connector using service account
IBM Cloud SDN connector using API keys
Kubernetes (K8s) SDN connectors
AliCloud Kubernetes SDN connector using access key
AWS Kubernetes (EKS) SDN connector using access key
Azure Kubernetes (AKS) SDN connector using client secret
GCP Kubernetes (GKE) SDN connector using service account
Oracle Kubernetes (OKE) SDN connector using certificates
Private cloud K8s SDN connector using secret token
Nuage SDN connector using server credentials
Nutanix SDN connector using server credentials
OCI SDN connector using certificates
OpenStack SDN connector using node credentials
SAP SDN connector
VMware ESXi SDN connector using server credentials
VMware NSX-T Manager SDN connector using NSX-T Manager credentials
Multiple concurrent SDN connectors
Filter lookup in SDN connectors
Support for wildcard SDN connectors in filter configurations
Endpoint/Identity connectors
Fortinet single sign-on agent
Poll Active Directory server
Symantec endpoint connector
RADIUS single sign-on agent
Exchange Server connector
Threat feeds
Configuring a threat feed
FortiGuard category threat feed
IP address threat feed
Domain name threat feed
Malware hash threat feed
Threat feed connectors per VDOM
STIX format for external threat feeds
Using the AusCERT malicious URL feed with an API key
Monitoring the Security Fabric using FortiExplorer for Apple TV
NOC and SOC example
Adding the root FortiGate to FortiExplorer for Apple TV
Viewing the Fabric Topology monitor
Viewing the Fabric Overview monitor
Viewing the Security Rating monitor
Viewing the Compromised Hosts monitor
Viewing the Vulnerability Monitor
Using the SD-WAN monitor
Troubleshooting
Viewing a summary of all connected FortiGates in a Security Fabric
Diagnosing automation stitches
Log and Report
Viewing event logs
System Events log page
Security Events log page
Reports page
Log settings and targets
Logging to FortiAnalyzer
FortiAnalyzer log caching
Configuring multiple FortiAnalyzers (or syslog servers) per VDOM
Configuring multiple FortiAnalyzers on a FortiGate in multi-VDOM mode
Switching to an alternate FortiAnalyzer if the main FortiAnalyzer is unavailable
Advanced and specialized logging
Logs for the execution of CLI commands
Log buffer on FortiGates with an SSD disk
Source and destination UUID logging
Configuring and debugging the free-style filter
Logging the signal-to-noise ratio and signal strength per client
RSSO information for authenticated destination users in logs
Destination user information in UTM logs
Generate unique user name for anonymized logs
Sample logs by log type
Troubleshooting
Log-related diagnostic commands
Backing up log files or dumping log messages
SNMP OID for logs that failed to send
WAN optimization
Overview
Peers and authentication groups
Tunnels
Transparent mode
Protocol optimization
Cache service and video caching
Manual and active-passive
Monitoring performance
System and feature operation with WAN optimization
Best practices
Example topologies
In-path WAN optimization topology
Out-of-path WAN optimization topology
Topology for multiple networks
Configuration examples
Manual (peer-to-peer) WAN optimization configuration example
Active-passive WAN optimization configuration example
Secure tunneling configuration example
Testing and troubleshooting the configuration
VM
Amazon Web Services
Microsoft Azure
Google Cloud Platform
OCI
AliCloud
Private cloud
VM license
Permanent trial mode for FortiGate-VM
Adding VDOMs with FortiGate v-series
PF and VF SR-IOV driver and virtual SPU support
Using OCI IMDSv2
FIPS cipher mode for AWS, Azure, OCI, and GCP FortiGate-VMs
Cloud-init
TPM support for FortiGate-VM
Hyperscale firewall
Troubleshooting
Troubleshooting methodologies
Troubleshooting scenarios
Checking the system date and time
Checking the hardware connections
Checking FortiOS network settings
Troubleshooting CPU and network resources
Troubleshooting high CPU usage
Checking the modem status
Running ping and traceroute
Checking the logs
Verifying routing table contents in NAT mode
Verifying the correct route is being used
Verifying the correct firewall policy is being used
Checking the bridging information in transparent mode
Checking wireless information
Performing a sniffer trace or packet capture
Debugging the packet flow
Testing a proxy operation
Displaying detail Hardware NIC information
Performing a traffic trace
Using a session table
Finding object dependencies
Diagnosing NPU-based interfaces
Identifying the XAUI link used for a specific traffic stream
Date and time settings
Running the TAC report
Using the process monitor
Computing file hashes
Other commands
ARP table
IP address
FortiGuard troubleshooting
Verifying connectivity to FortiGuard
Troubleshooting process for FortiGuard updates
FortiGuard server settings
View open and in use ports
IPS and AV engine version
CLI troubleshooting cheat sheet
CLI error codes
Additional resources
Change Log
Home
FortiGate / FortiOS 7.2.9
Administration Guide
7.2.9
7.6.0
7.4.5
7.4.4
7.4.3
7.4.2
7.4.1
7.4.0
7.2.10
7.2.9
7.2.8
7.2.7
7.2.6
7.2.5
7.2.4
7.2.3
7.2.2
7.2.1
7.2.0
7.0.16
7.0.15
7.0.14
7.0.13
7.0.12
7.0.11
7.0.10
7.0.9
7.0.8
7.0.7
7.0.6
7.0.5
7.0.4
7.0.3
7.0.2
7.0.1
7.0.0
6.4.15
6.4.14
6.4.13
6.4.12
6.4.11
6.4.10
6.4.9
6.4.8
6.4.7
6.4.6
6.4.5
6.4.4
6.4.3
6.4.2
6.4.1
6.4.0
Multicast
Multicast
The following topics include information about multicast:
Multicast routing and PIM support
Configuring multicast forwarding
Previous
Next
Multicast
Multicast
The following topics include information about multicast:
Multicast routing and PIM support
Configuring multicast forwarding
Previous
Next
Home
Product Pillars
Network Security
Network Security
FortiGate / FortiOS
FortiGate 5000
FortiGate 6000
FortiGate 7000
FortiProxy
NOC & SOC Management
FortiManager
FortiManager Cloud
FortiAnalyzer
FortiAnalyzer Cloud
FortiMonitor
FortiGate Cloud
Enterprise Networking
Secure SD-WAN
FortiLAN Cloud
FortiSwitch
FortiAP / FortiWiFi
FortiAP-U Series
FortiNAC-F
FortiExtender
FortiExtender Cloud
FortiAIOps
Business Communications
FortiFone
FortiVoice
FortiVoice Cloud
FortiRecorder
FortiCamera
Zero Trust Access
ZTNA
Zero Trust Network Access
FortiClient EMS
SASE
FortiSASE
Identity
FortiAuthenticator
FortiTrust Identity
FortiToken Cloud
FortiToken
Cloud Security
Hybrid Cloud Security
FortiGate Public Cloud
FortiGate Private Cloud
FortiFlex
Cloud Native Protection
FortiCNP
FortiDevSec
Web Application / API Protection
FortiWeb
FortiWeb Cloud
FortiADC
FortiGSLB
FortiGuard ABP
SAAS Security
FortiMail
FortiMail Cloud
FortiCASB
Security Operations
SOC Platform
FortiAnalyzer
FortiAnalyzer Cloud
FortiSIEM
/
FortiSIEM Cloud
FortiSOAR
FortiPhish
Advanced Threat Protection
FortiSandbox
FortiSandbox Cloud
FortiNDR
FortiNDR Cloud
FortiDeceptor
FortiInsight
FortiInsight Cloud
FortiIsolator
Endpoint Security
FortiClient
FortiClient Cloud
FortiEDR
Best Practices
Solution Hubs
Cloud
FortiCloud
Public & Private Cloud
Popular Solutions
Secure SD-WAN
Zero Trust Network Access
Secure Access
Next Generation Firewall
Security Fabric
Tele-Working
Multi-Factor Authentication
FortiASIC
Operational Technology
MSSP
4-D Resources
Secure SD-WAN
Zero Trust Network Access
Wireless
Switching
Secure Access Service Edge
Identity and Access Management
Next Generation Firewall
Hardware Guides
FortiAnalyzer
FortiAnalyzer Big-Data
FortiADC
FortiAP / FortiWiFi
FortiAP U-Series
FortiAuthenticator
FortiCache
FortiCarrier
FortiController
FortiDDoS
FortiDDoS-F
FortiDeceptor
FortiExtender
FortiGate
FortiGate-5000
FortiGate-6000
FortiGate-7000
FortiHypervisor
FortiIsolator
FortiMail
FortiManager
FortiNAC
FortiNDR
FortiProxy
FortiRecorder
FortiRPS
FortiSandbox
FortiSIEM
FortiSwitch
FortiTester
FortiToken
FortiVoice
FortiWAN
FortiWeb
FortiWLC
FortiWLM
Product A-Z
AscenLink
AV Engine
AWS Firewall Rules
Container FortiOS
FortiADC
FortiADC E Series
FortiADC Manager
FortiADC Private Cloud
FortiADC Public Cloud
FortiAIOps
FortiAnalyzer
FortiAnalyzer BigData
FortiAnalyzer BigData Private Cloud
FortiAnalyzer Cloud
FortiAnalyzer Private Cloud
FortiAnalyzer Public Cloud
FortiAP / FortiWiFi
FortiAP-U Series
FortiAuthenticator
FortiAuthenticator Private Cloud
FortiAuthenticator Public Cloud
FortiAuthProxy
FortiBalancer
FortiBranchSASE
FortiBridge
FortiCache
FortiCamera
FortiCamera Cloud
FortiCare Elite
FortiCarrier
FortiCASB
FortiCentral
FortiClient
FortiClient Cloud
FortiCloud Services
FortiCNP
FortiConnect
FortiController
FortiConverter Service
FortiConverter Tool
FortiCore
FortiCSPM
FortiCWP
FortiDAST
FortiDB
FortiDDoS
FortiDDoS-F
FortiDeceptor
FortiDeceptor DaaS
FortiDeceptor Private Cloud
FortiDeceptor Public Cloud
FortiDevSec
FortiDLP
FortiDLP Agent
FortiDLP Policies
FortiDNS
FortiEdge Cloud
FortiEDR/XDR
FortiEndpoint
FortiExplorer
FortiExplorer Go
FortiExtender
FortiFlex
FortiFone
FortiGate / FortiOS
FortiGate Cloud
FortiGate CNF
FortiGate Private Cloud
FortiGate Public Cloud
FortiGate-5000
FortiGate-6000
FortiGate-7000
FortiGate-as-a-Service
FortiGSLB
FortiGuard Advanced Bot Protection
FortiGuest
FortiHypervisor
FortiInsight
FortiInsight Cloud
FortiIPAM
FortiIsolator
FortiIsolator Public Cloud
FortiLAN Cloud
FortiMail
FortiMail Cloud
FortiManager
FortiManager Cloud
FortiManager Private Cloud
FortiManager Public Cloud
FortiMonitor
FortiNAC
FortiNAC-F
FortiNDR
FortiNDR (on-premise) Private Cloud
FortiNDR (on-premise) Public Cloud
FortiNDR Cloud
FortiNDR Cloud Sensors
FortiPAM
FortiPAM Private Cloud
FortiPAM Public Cloud
FortiPhish
FortiPlanner
FortiPolicy
FortiPortal
FortiPortal Public Cloud
FortiPresence
FortiPresence VM
FortiProxy
FortiProxy Private Cloud
FortiProxy Public Cloud
FortiRecon
FortiRecorder
FortiRPS
FortiSandbox
FortiSandbox Cloud
FortiSandbox Private Cloud
FortiSandbox Public Cloud
FortiSASE
FortiScanner
FortiSIEM
FortiSIEM Cloud
FortiSOAR
FortiSOAR Cloud
FortiSRA
FortiSwitch
FortiSwitch Manager
FortiTap
FortiTester
FortiTester Private Cloud
FortiTester Public Cloud
FortiToken
FortiToken Cloud
FortiTrust Identity
FortiVoice
FortiVoice Cloud
FortiVoice Private Cloud
FortiVoice Public Cloud
FortiWAN
FortiWAN Controller
FortiWeb
FortiWeb Cloud
FortiWeb Manager Private Cloud
FortiWeb Manager Public Cloud
FortiWeb Private Cloud
FortiWeb Public Cloud
FortiWLM
FortiZTP
IPS Engine
Lacework FortiCNAPP
Managed FortiGate Service
Overlay-as-a-Service
Security Awareness and Training
SOCaaS
Wireless Controller
Ordering Guides
Download PDF
Table of Contents
Getting started
Summary of steps
Setting up FortiGate for management access
Completing the FortiGate Setup wizard
Configuring basic settings
Registering FortiGate
Configuring a firewall policy
Backing up the configuration
Troubleshooting your installation
Using the GUI
Connecting using a web browser
Menus
Tables
Entering values
Text strings
Numbers
GUI-based global search
Loading artifacts from a CDN
Using the CLI
Connecting to the CLI
CLI basics
Command syntax
Subcommands
Permissions
Configuration and management
Using FortiExplorer Go and FortiExplorer
Getting started with FortiExplorer
Connecting FortiExplorer to a FortiGate with WiFi
Configure FortiGate with FortiExplorer using BLE
Running a security rating
Accessing Fortinet Developer Network
Terraform: FortiOS as a provider
Product registration with FortiCare
FortiCare and FortiGate Cloud login
FortiCare Register button
Transfer a device to another FortiCloud account
Deregistering a FortiGate
FortiGate models
Differences between models
Low encryption models
LEDs
Dashboards and Monitors
Using dashboards
Using widgets
Viewing device dashboards in the Security Fabric
Creating a fabric system and license dashboard
Dashboards
Status dashboard
Security dashboard
Viewing session information for a compromised host
Network dashboard
Static & Dynamic Routing monitor
DHCP monitor
IPsec monitor
SSL-VPN monitor
Users & Devices
Device inventory
Device inventory and filtering
Adding MAC-based addresses to devices
Firewall Users monitor
WiFi dashboard
FortiAP Status monitor
Clients by FortiAP monitor
Monitors
FortiView monitors and widgets
Adding FortiView monitors
Using the FortiView interface
Enabling FortiView from devices
FortiView sources
FortiView Sessions
FortiView Top Source and Top Destination Firewall Objects monitors
Viewing top websites and sources by category
Cloud application view
Top application: YouTube example
Network
Interfaces
Interface settings
Configure IPAM locally on the FortiGate
Interface MTU packet size
One-arm sniffer
Interface migration wizard
Captive portals
Configuring a FortiGate interface to act as an 802.1X supplicant
Physical interface
VLAN
Virtual VLAN switch
QinQ 802.1Q in 802.1ad
QinQ 802.1Q in 802.1Q
Aggregation and redundancy
Enhanced hashing for LAG member selection
Failure detection for aggregate and redundant interfaces
Loopback interface
Software switch
Hardware switch
Zone
Virtual wire pair
PRP handling in NAT mode with virtual wire pair
Using VLAN sub-interfaces in virtual wire pairs
Enhanced MAC VLAN
VXLAN
General VXLAN configuration and topologies
VLAN inside VXLAN
Virtual wire pair with VXLAN
VXLAN over IPsec tunnel with virtual wire pair
VXLAN over IPsec using a VXLAN tunnel endpoint
VXLAN troubleshooting
DNS
Important DNS CLI commands
DNS domain list
FortiGate DNS server
Basic DNS server configuration example
DDNS
DNS latency information
DNS over TLS and HTTPS
DNS session helpers
DNS troubleshooting
Explicit and transparent proxies
Explicit web proxy
FTP proxy
Transparent proxy
Proxy policy addresses
Proxy policy security profiles
Explicit proxy authentication
Transparent web proxy forwarding
Upstream proxy authentication in transparent proxy mode
Multiple dynamic header count
Restricted SaaS access
Explicit proxy and FortiGate Cloud Sandbox
Proxy chaining
WAN optimization SSL proxy chaining
Agentless NTLM authentication for web proxy
Multiple LDAP servers in Kerberos keytabs and agentless NTLM domain controllers
Learn client IP addresses
Explicit proxy authentication over HTTPS
mTLS client certificate authentication
CORS protocol in explicit web proxy when using session-based, cookie-enabled, and captive portal-enabled SAML authentication
HTTP connection coalescing and concurrent multiplexing for explicit proxy
DHCP servers and relays
Basic configuration
DHCP options
Common DHCP options
Additional DHCP options
IP address assignment with relay agent information option
DHCP addressing mode on an interface
VCI pattern matching for DHCP assignment
Multiple DHCP relay servers
FortiGate DHCP works with DDNS to allow FQDN connectivity to leased IP addresses
Static routing
Routing concepts
Policy routes
Equal cost multi-path
Dual internet connections
Dynamic routing
RIP
Basic RIP example
Basic RIPng example
OSPF
Basic OSPF example
OSPFv3 neighbor authentication
OSPF graceful restart upon a topology change
BGP
Basic BGP example
Route filtering with a distribution list
Next hop recursive resolution using other BGP routes
Next hop recursive resolution using ECMP routes
BGP conditional advertisement
BGP error handling per RFC 7606
BGP next hop tag-match mode
BGP neighbor password
BGP multi-exit discriminator
Troubleshooting BGP
BFD
BFD for multihop path for BGP
Routing objects
Route maps
Access lists
Prefix lists
AS path lists
Community lists
Multicast
Multicast routing and PIM support
Configuring multicast forwarding
FortiExtender
Adding a FortiExtender
Direct IP support for LTE/4G
LLDP reception
Virtual routing and forwarding
Implementing VRF
VRF routing support
Route leaking between VRFs with BGP
Route leaking between multiple VRFs
VRF with IPv6
IBGP and EBGP support in VRF
Support cross-VRF local-in and local-out traffic for local services
NetFlow
NetFlow templates
NetFlow on FortiExtender and tunnel interfaces
Allow multiple Netflow collectors
sFlow
Link monitor
Link monitor with route updates
Enable or disable updating policy routes when link health monitor fails
Add weight setting on each link health monitor server
SLA link monitoring for dynamic IPsec and SSL VPN tunnels
IPv6
IPv6 overview
IPv6 quick start
Neighbor discovery proxy
IPv6 address assignment
IPv6 stateless address auto-configuration (SLAAC)
DHCPv6 stateful server
SLAAC with DHCPv6 stateless server
IPv6 prefix delegation
NAT66, NAT46, NAT64, and DNS64
NAT66 policy
NAT46 policy
NAT64 policy and DNS64 (DNS proxy)
DHCPv6 relay
IPv6 tunneling
IPv6 IPsec VPN
IPv6 GRE tunnels
IPv6 tunnel inherits MTU based on physical interface
Configuring IPv4 over IPv6 DS-Lite service
IPv6 Simple Network Management Protocol
Dynamic routing in IPv6
OSPFv3 and IPv6
BGP and IPv6
IPv6 configuration examples
IPv6 quick start example
Site-to-site IPv6 over IPv6 VPN example
Site-to-site IPv4 over IPv6 VPN example
Site-to-site IPv6 over IPv4 VPN example
Basic OSPFv3 example
Basic IPv6 BGP example
FortiGate LAN extension
SCTP packets with zero checksum on the NP7 platform
Diagnostics
Using the packet capture tool
Using the debug flow tool
SD-WAN
SD-WAN overview
SD-WAN components and design principles
SD-WAN designs and architectures
SD-WAN quick start
Configuring the SD-WAN interface
Adding a static route
Selecting the implicit SD-WAN algorithm
Configuring firewall policies for SD-WAN
Link monitoring and failover
Results
Configuring SD-WAN in the CLI
SD-WAN members and zones
Specify an SD-WAN zone in static routes and SD-WAN rules
Performance SLA
Performance SLA overview
Link health monitor
Monitoring performance SLA
Passive WAN health measurement
Passive health-check measurement by internet service and application
Mean opinion score calculation and logging in performance SLA health checks
Embedded SD-WAN SLA information in ICMP probes
SD-WAN application monitor using FortiMonitor
SD-WAN rules
SD-WAN rules overview
Fields for identifying traffic
Fields for configuring WAN intelligence
Additional fields for configuring WAN intelligence
Implicit rule
Automatic strategy
Manual strategy
Best quality strategy
Lowest cost (SLA) strategy
Maximize bandwidth (SLA) strategy
SD-WAN traffic shaping and QoS
SDN dynamic connector addresses in SD-WAN rules
Application steering using SD-WAN rules
Static application steering with a manual strategy
Dynamic application steering with lowest cost and best quality strategies
DSCP tag-based traffic steering in SD-WAN
Configuring SD-WAN rules
Results
ECMP support for the longest match in SD-WAN rule matching
Override quality comparisons in SD-WAN longest match rule matching
Use an application category as an SD-WAN rule destination
Use SD-WAN rules for WAN link selection with load balancing
Advanced routing
Local out traffic
Using BGP tags with SD-WAN rules
BGP multiple path support
Controlling traffic with BGP route mapping and service rules
Applying BGP route-map to multiple BGP neighbors
Using multiple members per SD-WAN neighbor configuration
VPN overlay
ADVPN and shortcut paths
SD-WAN monitor on ADVPN shortcuts
Hold down time to support SD-WAN service strategies
SD-WAN integration with OCVPN
Adaptive Forward Error Correction
Dual VPN tunnel wizard
Duplicate packets on other zone members
Duplicate packets based on SD-WAN rules
Interface based QoS on individual child tunnels based on speed test results
SD-WAN in large scale deployments
Advanced configuration
SD-WAN with FGCP HA
Configuring SD-WAN in an HA cluster using internal hardware switches
SD-WAN configuration portability
SD-WAN segmentation over a single overlay
Matching BGP extended community route targets in route maps
Copying the DSCP value from the session original direction to its reply direction
SD-WAN cloud on-ramp
Configuring the VPN overlay between the HQ FortiGate and cloud FortiGate-VM
Configuring the VPN overlay between the HQ FortiGate and AWS native VPN gateway
Configuring the VIP to access the remote servers
Configuring the SD-WAN to steer traffic between the overlays
Verifying the traffic
SD-WAN Network Monitor service
CLI speed test
GUI speed test
Scheduled interface speed test
Running speed tests from the hub to the spokes in dial-up IPsec tunnels
Speed test usage
Speed test examples
Troubleshooting SD-WAN
Tracking SD-WAN sessions
Understanding SD-WAN related logs
SD-WAN related diagnose commands
Using SNMP to monitor health check
Zero Trust Network Access
Zero Trust Network Access introduction
Basic ZTNA configuration
Establish device identity and trust context with FortiClient EMS
SSL certificate based authentication
Full versus simple ZTNA policies
ZTNA advanced configurations
Access control of unmanageable and unknown devices
HTTP2 connection coalescing and concurrent multiplexing for ZTNA
ZTNA configuration examples
ZTNA HTTPS access proxy example
ZTNA HTTPS access proxy with basic authentication example
ZTNA TCP forwarding access proxy example
ZTNA SSH access proxy example
ZTNA application gateway with SAML authentication example
ZTNA application gateway with SAML and MFA using FortiAuthenticator example
Secure LDAP connection from FortiAuthenticator with zero trust tunnel example
ZTNA IP MAC based access control example
ZTNA IPv6 examples
ZTNA Zero Trust application gateway example
ZTNA access proxy with KDC to access shared drives
Custom replacement message for ZTNA virtual hosts
ZTNA troubleshooting and debugging commands
ZTNA troubleshooting scenarios
Policy and Objects
Policies
Firewall policy
NGFW policy
Local-in policy
DoS policy
Access control lists
Interface policies
Source NAT
Static SNAT
Dynamic SNAT
Central SNAT
Configuring an IPv6 SNAT policy
SNAT policies with virtual wire pairs
Destination NAT
Configuring VIPs
Configuring VIP groups
Static virtual IPs
Virtual IP with services
Virtual IPs with port forwarding
Virtual server load balance
Virtual server load balance multiplexing
Configure FQDN-based VIPs
Central DNAT
Examples and policy actions
NAT46 and NAT64 policy and routing configurations
Mirroring SSL traffic in policies
Recognize anycast addresses in geo-IP blocking
Matching GeoIP by registered and physical location
HTTP to HTTPS redirect for load balancing
Use Active Directory objects directly in policies
No session timeout
MAP-E support
Seven-day rolling counter for policy hit counters
Cisco Security Group Tag as policy matching criteria
Virtual patching on the local-in management interface
Per-policy disclaimer messages
Address objects
Subnet
Dynamic policy — fabric devices
IP range
FQDN addresses
Using wildcard FQDN addresses in firewall policies
Geography based addresses
IPv6 geography-based addresses
Wildcard addressing
Interface subnet
Address group
Address folders
Allow empty address groups
Address group exclusions
FSSO dynamic address subtype
ClearPass integration for dynamic address objects
FortiNAC tag dynamic address
MAC addressed-based policies
ISDB well-known MAC address list
IPv6 MAC addresses and usage in firewall policies
Protocol options
Traffic shaping
Traffic shaping policies
Traffic shaping profiles
Traffic shaping with queuing using a traffic shaping profile
Traffic shapers
Shared traffic shaper
Per-IP traffic shaper
Changing traffic shaper bandwidth unit of measurement
Multi-stage DSCP marking and class ID in traffic shapers
Adding traffic shapers to multicast policies
Global traffic prioritization
DSCP matching and DSCP marking
Examples
Interface-based traffic shaping profile
Interface-based traffic shaping with NP acceleration
QoS assignment and rate limiting for FortiSwitch quarantined VLANs
Ingress traffic shaping profile
Internet Services
Using Internet Service in a policy
Using custom Internet Service in policy
Using extension Internet Service in policy
Global IP address information database
IP reputation filtering
Internet service groups in policies
Allow creation of ISDB objects with regional information
Internet service customization
Look up IP address information from the Internet Service Database page
Internet Service Database on-demand mode
Enabling the ISDB cache in the FortiOS kernel
Security Profiles
Inspection modes
Flow mode inspection (default mode)
Proxy mode inspection
Inspection mode feature comparison
Antivirus
Antivirus introduction
Antivirus techniques
Configuring an antivirus profile
Testing an antivirus profile
Proxy mode stream-based scanning
Databases
Advanced configurations
Using FortiSandbox post-transfer scanning with antivirus
Using FortiSandbox inline scanning with antivirus
Using FortiNDR inline scanning with antivirus
Malware threat feed from EMS
CIFS support
Configuration examples
Content disarm and reconstruction
FortiGuard outbreak prevention
External malware block list
Exempt list for files based on individual hash
Web filter
Web filter introduction
Web filter techniques
Configuring a web filter profile
FortiGuard filter
Category usage quota
Search engines
Static URL filter
Rating options
Proxy options
Advanced CLI configuration
Credential phishing prevention
Additional antiphishing settings
Web filter statistics
URL certificate blocklist
Websense Integrated Services Protocol
Inspecting HTTP3 traffic
Configuration examples
Configuring web filter profiles with Hebrew domain names
Configuring web filter profiles to block AI and cryptocurrency
Video filter
Filtering based on FortiGuard categories
Filtering based on YouTube channel
Replacement messages displayed in blocked videos
DNS filter
Configuring a DNS filter profile
FortiGuard category-based DNS domain filtering
Botnet C&C domain blocking
DNS safe search
Local domain filter
DNS translation
Applying DNS filter to FortiGate DNS server
DNS inspection with DoT and DoH
Troubleshooting for DNS filter
Application control
Configuring an application sensor
Basic category filters and overrides
Excluding signatures in application control profiles
Port enforcement check
Protocol enforcement
SSL-based application detection over decrypted traffic in a sandwich topology
Matching multiple parameters on application control signatures
Application signature dissector for DNP3
Blocking QUIC manually
Intrusion prevention
Signature-based defense
Configuring an IPS sensor
IPS configuration options
IPS signature filter options
IPS with botnet C&C IP blocking
IPS signatures for the industrial security service
IPS sensor for IEC 61850 MMS protocol
SCTP filtering capabilities
File filter
Supported file types
Email filter
Configuring an email filter profile
Local-based filters
FortiGuard-based filters
Third-party-based filters
Filtering order
Protocols and actions
Configuring webmail filtering
Data leak prevention
DLP techniques
Basic DLP settings
Advanced DLP configurations
DLP fingerprinting
Sensitivity labels
DLP examples
Block HTTPS upload traffic that includes credit card information
Log FTP upload traffic with a specific pattern
Block HTTPS downloads of EXE files and log HTTPS downloads of files larger than 500 KB
Block HTTPS upload traffic that includes Visa or Mastercard information using evaluation through logical expression
Block access to LLM applications using keywords and FQDN
VoIP solutions
General use cases
NAT46 and NAT64 for SIP ALG
SIP message inspection and filtering
SIP ALG and SIP session helper
SIP pinholes
SIP over TLS
Voice VLAN auto-assignment
Scanning MSRP traffic
ICAP
ICAP configuration example
ICAP response filtering
Secure ICAP clients
ICAP scanning with SCP and FTP
Web application firewall
Protecting a server running web applications
SSL & SSH Inspection
Configuring an SSL/SSH inspection profile
Certificate inspection
Deep inspection
Protecting an SSL server
Handling SSL offloaded traffic from an external decryption device
SSH traffic file scanning
Redirect to WAD after handshake completion
HTTP/2 support in proxy mode SSL inspection
Define multiple certificates in an SSL profile in replace mode
Disabling the FortiGuard IP address rating
Custom signatures
Configuring custom signatures
Blocking applications with custom signatures
Filters for application control groups
Application groups in traffic shaping policies
Overrides
Web rating override
Configuring the category override rule
Sub-category actions
Category override examples
Using local and remote categories
Web profile override
IP ban
IP ban using the CLI
IP ban using security profiles
Configuring the persistency for a banned IP list
Profile groups
IPsec VPN
General IPsec VPN configuration
Network topologies
Phase 1 configuration
Choosing IKE version 1 and 2
Pre-shared key vs digital certificates
Using XAuth authentication
Dynamic IPsec route control
Matching IPsec tunnel gateway based on address parameters
Phase 2 configuration
VPN security policies
Blocking unwanted IKE negotiations and ESP packets with a local-in policy
Configurable IKE port
IPsec VPN IP address assignments
Site-to-site VPN
FortiGate-to-FortiGate
Basic site-to-site VPN with pre-shared key
Site-to-site VPN with digital certificate
Site-to-site VPN with overlapping subnets
GRE over IPsec
Policy-based IPsec tunnel
FortiGate-to-third-party
IKEv2 IPsec site-to-site VPN to an AWS VPN gateway
IPsec VPN to Azure with virtual network gateway
IPsec VPN to an Azure with virtual WAN
IPSec VPN between a FortiGate and a Cisco ASA with multiple subnets
Cisco GRE-over-IPsec VPN
Remote access
FortiGate as dialup client
FortiClient as dialup client
Add FortiToken multi-factor authentication
Add LDAP user authentication
iOS device as dialup client
IKE Mode Config clients
IPsec VPN with external DHCP service
L2TP over IPsec
Tunneled Internet browsing
Dialup IPsec VPN with certificate authentication
SAML-based authentication for FortiClient remote access dialup IPsec VPN clients
Configuring FortiAuthenticator as SAML IdP and FortiGate as SAML SP
Configuring Microsoft Entra ID as SAML IdP and FortiGate as SAML SP
Enhancing IPsec security using EMS SN verification
IPsec split DNS
Aggregate and redundant VPN
Manual redundant VPN configuration
OSPF with IPsec VPN for network redundancy
IPsec VPN in an HA environment
Packet distribution and redundancy for aggregate IPsec tunnels
Packet distribution for aggregate dial-up IPsec tunnels using location ID
Packet distribution for aggregate static IPsec tunnels in SD-WAN
Packet distribution for aggregate IPsec tunnels using weighted round robin
Redundant hub and spoke VPN
Overlay Controller VPN (OCVPN)
Full mesh OCVPN
Hub-spoke OCVPN with ADVPN shortcut
Hub-spoke OCVPN with inter-overlay source NAT
OCVPN portal
Allow FortiClient to join OCVPN
Troubleshooting OCVPN
ADVPN
IPsec VPN wizard hub-and-spoke ADVPN support
ADVPN with BGP as the routing protocol
ADVPN with OSPF as the routing protocol
ADVPN with RIP as the routing protocol
UDP hole punching for spokes behind NAT
Fabric Overlay Orchestrator
Prerequisites
Network topology
Using the Fabric Overlay Orchestrator
Other VPN topics
VPN and ASIC offload
Encryption algorithms
Fragmenting IP packets before IPsec encapsulation
Configure DSCP for IPsec tunnels
Defining gateway IP addresses in IPsec with mode-config and DHCP
FQDN support for remote gateways
Windows IKEv2 native VPN with user certificate
IPsec IKE load balancing based on FortiSASE account information
Securely exchange serial numbers between FortiGates connected with IPsec VPN
VPN IPsec troubleshooting
Understanding VPN related logs
IPsec related diagnose commands
SSL VPN
SSL VPN best practices
SSL VPN security best practices
SSL VPN quick start
SSL VPN split tunnel for remote user
Connecting from FortiClient VPN client
Set up FortiToken multi-factor authentication
Connecting from FortiClient with FortiToken
SSL VPN tunnel mode
SSL VPN full tunnel for remote user
SSL VPN tunnel mode host check
SSL VPN split DNS
Split tunneling settings
Augmenting VPN security with ZTNA tags
Enhancing VPN security using EMS SN verification
SSL VPN web mode
Web portal configurations
Quick Connection tool
SSL VPN bookmarks
SSL VPN web mode for remote user
Customizing the RDP display size
Showing the SSL VPN portal login page in the browser's language
SSL VPN authentication
SSL VPN with LDAP user authentication
SSL VPN with LDAP user password renew
SSL VPN with certificate authentication
SSL VPN with LDAP-integrated certificate authentication
SSL VPN for remote users with MFA and user sensitivity
SSL VPN with FortiToken mobile push authentication
SSL VPN with RADIUS on FortiAuthenticator
SSL VPN with RADIUS and FortiToken mobile push on FortiAuthenticator
SSL VPN with RADIUS password renew on FortiAuthenticator
SSL VPN with RADIUS on Windows NPS
SSL VPN with multiple RADIUS servers
SSL VPN with local user password policy
Dynamic address support for SSL VPN policies
SSL VPN multi-realm
NAS-IP support per SSL-VPN realm
SSL VPN with Okta as SAML IdP
SSL VPN with Microsoft Entra SSO integration
SSL VPN to IPsec VPN
SSL VPN protocols
TLS 1.3 support
SMBv2 support
DTLS support
Configuring OS and host check
FortiGate as SSL VPN Client
Dual stack IPv4 and IPv6 support for SSL VPN
Disable the clipboard in SSL VPN web mode RDP connections
SSL VPN IP address assignments
Using SSL VPN interfaces in zones
SSL VPN troubleshooting
Debug commands
Troubleshooting common issues
User & Authentication
User definition, groups, and settings
Users
User groups
Authentication settings
Retail environment guest access
LDAP servers
Configuring an LDAP server
Enabling Active Directory recursive search
Configuring LDAP dial-in using a member attribute
Configuring wildcard admin accounts
Configuring least privileges for LDAP admin account authentication in Active Directory
Tracking users in each Active Directory LDAP group
Tracking rolling historical records of LDAP user logins
Configuring client certificate authentication on the LDAP server
RADIUS servers
Configuring a RADIUS server
Using multiple RADIUS servers
RADIUS AVPs and VSAs
Restricting RADIUS user groups to match selective users on the RADIUS server
Configuring RADIUS SSO authentication
RSA ACE (SecurID) servers
Support for Okta RADIUS attributes filter-Id and class
Sending multiple RADIUS attribute values in a single RADIUS Access-Request
Traffic shaping based on dynamic RADIUS VSAs
RADIUS Termination-Action AVP in wired and wireless scenarios
SAML
Configuring SAML SSO
SSL VPN with FortiAuthenticator as a SAML IdP
Using a browser as an external user-agent for SAML authentication in an SSL VPN connection
IPsec VPN with SAML IdP
Outbound firewall authentication with Microsoft Entra ID as a SAML IdP
SAML authentication in a proxy policy
TACACS+ servers
FortiTokens
FortiToken Mobile quick start
Registering FortiToken Mobile
Provisioning FortiToken Mobile
Activating FortiToken Mobile on a mobile phone
Applying multi-factor authentication
FortiToken Cloud
Registering hard tokens
Managing FortiTokens
FortiToken Mobile Push
Synchronizing LDAP Active Directory users to FortiToken Cloud using the two-factor filter
FortiGuard distribution of updated Apple certificates for push notifications
Troubleshooting and diagnosis
PKI
Configuring a PKI user
Using the SAN field for LDAP-integrated certificate authentication
FSSO
FSSO polling connector agent installation
FSSO using Syslog as source
Configuring the FSSO timeout when the collector agent connection fails
Configuring FSSO firewall authentication
Include usernames in logs
Wireless configuration
Switch Controller
System
Administrators
Local authentication
Remote authentication for administrators
Administrator account options
REST API administrator
SSO administrators
FortiCloud SSO
Allowing the FortiGate to override FortiCloud SSO administrator user permissions
Password policy
Public key SSH access
Restricting SSH and Telnet jump host capabilities
Remote administrators with TACACS VSA attributes
Administrator profiles
Fabric Management
About firmware installations
Firmware maturity levels
Upgrading individual devices
Upgrading Fabric or managed devices
Enabling automatic firmware updates
Authorizing devices
Firmware upgrade notifications
Downloading a firmware image
Testing a firmware version
Installing firmware from system reboot
Restoring from a USB drive
Using controlled upgrades
Downgrading individual device firmware
Downloading the EOS support package for supported Fabric devices
Settings
Default administrator password
Changing the host name
Setting the system time
SHA-1 authentication support (for NTPv4)
PTPv2
Configuring ports
Custom default service port range
Setting the idle timeout time
Setting the password policy
Changing the view settings
Setting the administrator password retries and lockout time
TLS configuration
Controlling return path with auxiliary session
Email alerts
Using configuration save mode
Trusted platform module support
Using the default certificate for HTTPS administrative access
Virtual Domains
VDOM overview
General configurations
Configuring global profiles
Backing up and restoring configurations in multi-VDOM mode
Inter-VDOM routing configuration example: Internet access
Inter-VDOM routing configuration example: Partial-mesh VDOMs
High Availability
FGCP
Failover protection
HA heartbeat interface
Unicast HA heartbeat
HA active-passive cluster setup
HA active-active cluster setup
HA and load balancing
HA virtual cluster setup
HA primary unit selection criteria
Check HA synchronization status
Out-of-band management with reserved management interfaces
In-band management
Upgrading FortiGates in an HA cluster
Distributed HA clusters
HA between remote sites over managed FortiSwitches
HA using a hardware switch to replace a physical switch
VDOM exceptions
Override FortiAnalyzer and syslog server settings
Routing NetFlow data over the HA management interface
Force HA failover for testing and demonstrations
Disabling stateful SCTP inspection
Resume IPS scanning of ICCP traffic after HA failover
Querying autoscale clusters for FortiGate VM
Cluster virtual MAC addresses
Abbreviated TLS handshake after HA failover
Session synchronization during HA failover for ZTNA proxy sessions
Troubleshoot an HA formation
FGSP
FGSP basic peer setup
Synchronizing sessions between FGCP clusters
Session synchronization interfaces in FGSP
UTM inspection on asymmetric traffic in FGSP
UTM inspection on asymmetric traffic on L3
Encryption for L3 on asymmetric traffic in FGSP
Optimizing FGSP session synchronization and redundancy
Firmware upgrades in FGSP
FGSP session synchronization between different FortiGate models or firmware versions
Applying the session synchronization filter only between FGSP peers in an FGCP over FGSP topology
FGSP static site-to-site IPsec VPN setup
FGSP per-tunnel failover for IPsec
FGCP over FGSP per-tunnel failover for IPsec
Allow IPsec DPD in FGSP members to support failovers
Standalone configuration synchronization
Layer 3 unicast standalone configuration synchronization
VRRP
Adding IPv4 and IPv6 virtual routers to an interface
VRRP failover
VRRP groups
VRRP virtual MACs
Preempt mode
Single-domain VRRP example
Multi-domain VRRP example
VRRP on EMAC-VLAN interfaces
Session failover
Session pickup
Pass-through sessions
Terminated sessions
Improving session sync performance
SNMP
Basic configuration
MIB files
Access control for SNMP
Important SNMP traps
SNMP examples
Replacement messages
Replacement message groups
FortiGuard
Anycast
Configuring FortiGuard updates
Using a proxy server to connect to the FortiGuard Distribution Network
Manual updates
Automatic updates
Scheduled updates
Sending malware statistics to FortiGuard
Update server location
Filtering
Online security tools
Anycast and unicast services
Using FortiManager as a local FortiGuard server
Cloud service communication statistics
IoT detection service
FortiAP query to FortiGuard IoT service to determine device details
FortiGate Cloud / FDN communication through an explicit proxy
FDS-only ISDB package in firmware images
Licensing in air-gap environments
License expiration
Feature visibility
Certificates
Automatically provision a certificate
Generate a new certificate
Regenerate default certificates
Import a certificate
Generate a CSR
CA certificate
Remote certificate
Certificate revocation list
Export a certificate
Uploading certificates using an API
Procuring and importing a signed SSL certificate
Microsoft CA deep packet inspection
Administrative access using certificates
Creating certificates with XCA
Security
BIOS-level signature and file integrity checking
Real-time file system integrity checking
Running a file system check automatically
Built-in entropy source
FortiGate VM unique certificate
Configuration scripts
Workspace mode
Custom languages
RAID
FortiGate encryption algorithm cipher suites
Conserve mode
Using APIs
Configuration backups and reset
Fortinet Security Fabric
Components
Security Fabric connectors
Configuring the root FortiGate and downstream FortiGates
Configuring logging and analytics
Configuring FortiAnalyzer
Configuring cloud logging
Configuring FortiClient EMS
Synchronizing FortiClient ZTNA tags
Configuring LAN edge devices
Configuring central management
Configuring sandboxing
Configuring supported connectors
Configuring FortiNDR
Configuring FortiDeceptor
Configuring FortiMail
Configuring FortiMonitor
Configuring FortiNAC
Configuring FortiTester
Configuring FortiVoice
Configuring FortiWeb
Configuring FortiPolicy
Using the Security Fabric
Dashboard widgets
Topology
Asset Identity Center page
WebSocket for Security Fabric events
Deploying the Security Fabric
Deploying the Security Fabric in a multi-VDOM environment
Other Security Fabric topics
Synchronizing objects across the Security Fabric
Group address objects synchronized from FortiManager
Security Fabric over IPsec VPN
Leveraging LLDP to simplify Security Fabric negotiation
Integrate user information from EMS and Exchange connectors in the user store
Configuring the Security Fabric with SAML
Configuring single-sign-on in the Security Fabric
Configuring the root FortiGate as the IdP
Configuring a downstream FortiGate as an SP
Configuring certificates for SAML SSO
Verifying the single-sign-on configuration
CLI commands for SAML SSO
SAML SSO with pre-authorized FortiGates
Navigating between Security Fabric members with SSO
Integrating FortiAnalyzer management using SAML SSO
Integrating FortiManager management using SAML SSO
Advanced option - FortiGate SP changes
Security rating
Security Fabric score
Automation stitches
Creating automation stitches
Default automation stitches
Incoming Webhook Quarantine stitch
Triggers
FortiAnalyzer event handler trigger
Fabric connector event trigger
FortiOS event log trigger
Event log category triggers
Certificate expiration trigger
Schedule trigger
Actions
FortiNAC Quarantine action
VMware NSX security tag action
VMware NSX-T security tag action
Replacement messages for email alerts
Slack Notification action
Microsoft Teams Notification action
AWS Lambda action
Azure Function action
Google Cloud Function action
AliCloud Function action
CLI script action
Execute a CLI script based on memory and CPU thresholds
Webhook action
Webhook action with Twilio for SMS text messages
Slack integration webhook
Microsoft Teams integration webhook
System action
Public and private SDN connectors
Getting started with public and private SDN connectors
AliCloud SDN connector using access key
AWS SDN connector using access keys
Azure SDN connector using service principal
Cisco ACI SDN connector using a standalone connector
Retrieve IPv6 dynamic addresses from Cisco ACI SDN connector
ClearPass endpoint connector via FortiManager
GCP SDN connector using service account
IBM Cloud SDN connector using API keys
Kubernetes (K8s) SDN connectors
AliCloud Kubernetes SDN connector using access key
AWS Kubernetes (EKS) SDN connector using access key
Azure Kubernetes (AKS) SDN connector using client secret
GCP Kubernetes (GKE) SDN connector using service account
Oracle Kubernetes (OKE) SDN connector using certificates
Private cloud K8s SDN connector using secret token
Nuage SDN connector using server credentials
Nutanix SDN connector using server credentials
OCI SDN connector using certificates
OpenStack SDN connector using node credentials
SAP SDN connector
VMware ESXi SDN connector using server credentials
VMware NSX-T Manager SDN connector using NSX-T Manager credentials
Multiple concurrent SDN connectors
Filter lookup in SDN connectors
Support for wildcard SDN connectors in filter configurations
Endpoint/Identity connectors
Fortinet single sign-on agent
Poll Active Directory server
Symantec endpoint connector
RADIUS single sign-on agent
Exchange Server connector
Threat feeds
Configuring a threat feed
FortiGuard category threat feed
IP address threat feed
Domain name threat feed
Malware hash threat feed
Threat feed connectors per VDOM
STIX format for external threat feeds
Using the AusCERT malicious URL feed with an API key
Monitoring the Security Fabric using FortiExplorer for Apple TV
NOC and SOC example
Adding the root FortiGate to FortiExplorer for Apple TV
Viewing the Fabric Topology monitor
Viewing the Fabric Overview monitor
Viewing the Security Rating monitor
Viewing the Compromised Hosts monitor
Viewing the Vulnerability Monitor
Using the SD-WAN monitor
Troubleshooting
Viewing a summary of all connected FortiGates in a Security Fabric
Diagnosing automation stitches
Log and Report
Viewing event logs
System Events log page
Security Events log page
Reports page
Log settings and targets
Logging to FortiAnalyzer
FortiAnalyzer log caching
Configuring multiple FortiAnalyzers (or syslog servers) per VDOM
Configuring multiple FortiAnalyzers on a FortiGate in multi-VDOM mode
Switching to an alternate FortiAnalyzer if the main FortiAnalyzer is unavailable
Advanced and specialized logging
Logs for the execution of CLI commands
Log buffer on FortiGates with an SSD disk
Source and destination UUID logging
Configuring and debugging the free-style filter
Logging the signal-to-noise ratio and signal strength per client
RSSO information for authenticated destination users in logs
Destination user information in UTM logs
Generate unique user name for anonymized logs
Sample logs by log type
Troubleshooting
Log-related diagnostic commands
Backing up log files or dumping log messages
SNMP OID for logs that failed to send
WAN optimization
Overview
Peers and authentication groups
Tunnels
Transparent mode
Protocol optimization
Cache service and video caching
Manual and active-passive
Monitoring performance
System and feature operation with WAN optimization
Best practices
Example topologies
In-path WAN optimization topology
Out-of-path WAN optimization topology
Topology for multiple networks
Configuration examples
Manual (peer-to-peer) WAN optimization configuration example
Active-passive WAN optimization configuration example
Secure tunneling configuration example
Testing and troubleshooting the configuration
VM
Amazon Web Services
Microsoft Azure
Google Cloud Platform
OCI
AliCloud
Private cloud
VM license
Permanent trial mode for FortiGate-VM
Adding VDOMs with FortiGate v-series
PF and VF SR-IOV driver and virtual SPU support
Using OCI IMDSv2
FIPS cipher mode for AWS, Azure, OCI, and GCP FortiGate-VMs
Cloud-init
TPM support for FortiGate-VM
Hyperscale firewall
Troubleshooting
Troubleshooting methodologies
Troubleshooting scenarios
Checking the system date and time
Checking the hardware connections
Checking FortiOS network settings
Troubleshooting CPU and network resources
Troubleshooting high CPU usage
Checking the modem status
Running ping and traceroute
Checking the logs
Verifying routing table contents in NAT mode
Verifying the correct route is being used
Verifying the correct firewall policy is being used
Checking the bridging information in transparent mode
Checking wireless information
Performing a sniffer trace or packet capture
Debugging the packet flow
Testing a proxy operation
Displaying detail Hardware NIC information
Performing a traffic trace
Using a session table
Finding object dependencies
Diagnosing NPU-based interfaces
Identifying the XAUI link used for a specific traffic stream
Date and time settings
Running the TAC report
Using the process monitor
Computing file hashes
Other commands
ARP table
IP address
FortiGuard troubleshooting
Verifying connectivity to FortiGuard
Troubleshooting process for FortiGuard updates
FortiGuard server settings
View open and in use ports
IPS and AV engine version
CLI troubleshooting cheat sheet
CLI error codes
Additional resources
Change Log