Fortinet white logo
Fortinet white logo

Administration Guide

NGFW policy

NGFW policy

Profile-based next-generation firewall (NGFW) mode is the traditional mode where you create a profile (antivirus, web filter, and so on) and then apply the profile to a policy.

In policy-based NGFW mode, you allow applications and URL categories to be used directly in security policies, without requiring web filter or application control profiles. However, it is possible to select and apply web filter URL categories and groups.

In policy-based mode:

  • Central NAT is always enabled. If no Central SNAT policy exists, you must create one. See Central SNAT for more information.
  • Pre-match rules are defined separately from security policies, and define broader rules, such as SSL inspection and user authentication.
  • The IPsec wizard is not supported.

If your FortiGate operates in NAT mode, rather than enabling source NAT in individual NGFW policies, go to Policy & Objects > Central SNAT and add source NAT policies that apply to all matching traffic. In many cases, you may only need one SNAT policy for each interface pair.

The NGFW mode is set per VDOM, and it is only available when the VDOM inspection mode is flow-based. You can operate your entire FortiGate or individual VDOMs in NGFW policy mode. The application default port can be set as a service port in the NGFW mode using the default-app-port-as-service option.

In NGFW mode, administrators can configure a security policy in learn mode to monitor traffic. See Learn mode in security policies in NGFW mode for more information.

Enabling policy-based NGFW mode

To enable policy-based NGFW mode without VDOMs in the GUI:
  1. Go to System > Settings.
  2. In NGFW Mode, select Policy-based.
  3. Click Apply.
To enable policy-based NGFW mode with VDOMs in the GUI:
  1. Go to System > VDOM .
  2. Double-click a VDOM to edit the settings.
  3. In NGFW Mode, select Policy-based.
  4. Click OK.
To enable policy-based NGFW mode without VDOMs in the CLI:
config system settings
    set ngfw-mode policy-based
end
To enable policy-based NGFW mode with VDOMs in the CLI:
config vdom
    edit <vdom>
        config system settings
            set ngfw-mode policy-based
        end
    next
end

Security and SSL Inspection & Authentication policies

Security policies work with SSL Inspection & Authentication policies to inspect traffic. To allow traffic from a specific user or user group, both Security and SSL Inspection & Authentication policies must be configured. A default SSL Inspection & Authentication policy with the certificate-inspection SSL Inspection profile is preconfigured. Traffic will match the SSL Inspection & Authentication policy first. If the traffic is allowed, packets are sent to the IPS engine for application, URL category, user, and user group match, and then, if enabled, UTM inspection (antivirus, IPS, DLP, and email filter) is performed.

SSL Inspection & Authentication policies are used to pre-match traffic before sending the packets to the IPS engine:

  • There are no schedule or action options; traffic matching the policy is always redirected to the IPS engine.
  • SSL inspection, formerly configured in the VDOM settings, is configured in an SSL Inspection & Authentication policy.
  • Users and user groups that require authentication must be configured in an SSL Inspection & Authentication policy.

Security policies work with SSL Inspection & Authentication policies to inspect traffic:

  • Applications and URL categories can be configured directly in the policy.
  • Users and user groups that require authentication must also be configured in a security policy.
  • The available actions are Accept or Deny.
  • The Service option can be used to enforce the standard port for the selected applications.
  • UTM inspection is configured in a security policy.

To configure policies for Facebook and Gmail access in the CLI:
  1. Configure an SSL Inspection & Authentication policy:
    config firewall policy
        edit 1
            set name "Policy-1"
            set srcintf "port18"
            set dstintf "port17"
            set srcaddr "all"
            set dstaddr "all"
            set service "ALL"
            set ssl-ssh-profile "new-deep-inspection"
            set groups "Dev" "HR" "QA" "SYS"
        next
    end
  2. Configure security policies:
    config firewall security-policy
        edit 2
            set name "allow-QA-Facebook"
            set srcintf "port18"
            set dstintf "port17"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set application 15832
            set groups "Dev" "QA"
        next
        edit 4
            set name "allow-QA-Email"
            set srcintf "port18"
            set dstintf "port17"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set url-category 23
            set groups "QA"
        next
    end
Logs

In the application control and web filter logs, securityid maps to the security policy ID.

Application control log:

date=2019-06-17 time=16:35:47 logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="vd1" eventtime=1560814547702405829 tz="-0700" appid=15832 user="Jack" group="QA" srcip=10.1.100.102 dstip=157.240.3.29 srcport=56572 dstport=443 srcintf="port18" srcintfrole="undefined" dstintf="port17" dstintfrole="undefined" proto=6 service="P2P" direction="incoming" policyid=1 sessionid=42445 appcat="Social.Media" app="Facebook" action="pass" hostname="external-sea1-1.xx.fbcdn.net" incidentserialno=1419629662 url="/" securityid=2 msg="Social.Media: Facebook," apprisk="medium" scertcname="*.facebook.com" scertissuer="DigiCert SHA2 High Assurance Server CA"

Web filter log:

date=2019-06-17 time=16:42:41 logid="0317013312" type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="vd1" eventtime=1560814961418114836 tz="-0700" policyid=4 sessionid=43201 user="Jack" group="QA" srcip=10.1.100.102 srcport=56668 srcintf="port18" srcintfrole="undefined" dstip=172.217.3.165 dstport=443 dstintf="port17" dstintfrole="undefined" proto=6 service="HTTPS" hostname="mail.google.com" action="passthrough" reqtype="direct" url="/" sentbyte=709 rcvdbyte=0 direction="outgoing" msg="URL belongs to an allowed category in policy" method="domain" cat=23 catdesc="Web-based Email" securityid=4

Traffic logs:

date=2019-06-17 time=16:35:53 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vd1" eventtime=1560814553778525154 tz="-0700" srcip=10.1.100.102 srcport=56572 srcintf="port18" srcintfrole="undefined" dstip=157.240.3.29 dstport=443 dstintf="port17" dstintfrole="undefined" poluuid="b740d418-8ed3-51e9-5a7b-114e99ab6370" sessionid=42445 proto=6 action="server-rst" user="Jack" group="QA" policyid=1 policytype="consolidated" centralnatid=1 service="HTTPS" dstcountry="United States" srccountry="Reserved" trandisp="snat" transip=172.16.200.2 transport=56572 duration=6 sentbyte=276 rcvdbyte=745 sentpkt=5 rcvdpkt=11 appid=15832 app="Facebook" appcat="Social.Media" apprisk="medium" utmaction="allow" countapp=1 utmref=65531-294

2: date=2019-06-17 time=16:47:45 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vd1" eventtime=1560815265058557636 tz="-0700" srcip=10.1.100.102 srcport=56668 srcintf="port18" srcintfrole="undefined" dstip=172.217.3.165 dstport=443 dstintf="port17" dstintfrole="undefined" poluuid="b740d418-8ed3-51e9-5a7b-114e99ab6370" sessionid=43201 proto=6 action="timeout" user="Jack" group="QA" policyid=1 policytype="consolidated" centralnatid=1 service="HTTPS" dstcountry="United States" srccountry="Reserved" trandisp="snat" transip=172.16.200.2 transport=56668 duration=303 sentbyte=406 rcvdbyte=384 sentpkt=4 rcvdpkt=4 appcat="unscanned" utmaction="allow" countweb=1 utmref=65531-3486

Other NGFW policy-based mode options

You can combine Application Control and Web Filter in the same NGFW mode policy.

The following security profiles can be used in NGFW policy-based mode:

  • AntiVirus
  • Web Filter
  • Intrusion Prevention
  • File Filter
  • Email Filter

Logging can also be enabled in security policies.

Inspection mode per policy

Inspection mode is configured on a per-policy basis in NGFW mode. This gives you more flexibility when setting up different policies.

When configuring a firewall policy, you can select a Flow-based or Proxy-basedInspection Mode. The default setting is Flow-based.

To configure inspection mode in a policy:
  1. Go to Policy & Objects > Firewall Policy.
  2. Create a new policy, or edit an existing policy.
  3. Configure the policy as needed.
    1. If you change the Inspection Mode to Proxy-based, the Proxy HTTP(S) traffic option displays.

    2. In the Security Profiles section, if no security profiles are enabled, the default SSL Inspection is no-inspection.
    3. In the Security Profiles section, if you enable any security profile, the SSL Inspection changes to certificate-inspection.

To see the inspection mode changes using the CLI:
config firewall policy
    edit 1
        set srcintf "wan2"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set nat enable
    next
end		
To see the HTTP and SSH policy redirect settings when inspection mode is set to proxy using the CLI:
config firewall policy
    edit 1
        set srcintf "wan2"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set http-policy-redirect enable
        set ssh-policy-redirect enable
        set nat enable
    next
end
To see the default SSL-SSH policy set to no inspection using the CLI:
config firewall policy
    edit 1
       show fu | grep ssl-ssh-profile
        set ssl-ssh-profile "no-inspection"
    next
end

NGFW policy mode application default service

In NGFW policy-based mode, the application default service enforces applications running only on their default service port. The applications specified in the policy are monitored, and if traffic is detected from a nonstandard port, it is blocked, and a log entry is recorded with a port-violation event type.

If you are not using the default ports, and need to pick specific services, select Specify to select the required services.

Example

In this example, the standard port is enforced for HTTPS traffic using the HTTP.Audio application.

First, an SSL Inspection & Authentication policy is created do to traffic pre-match, and then a security policy is created to allow the HTTP.Audio application when using the default port. Fetching an MP3 file from an HTTP server using port 443 is allowed, but is blocked when using a nonstandard port, such as 8443.

To enforce the HTTP.Audio application using the default port in the GUI:
  1. Create a new SSL Inspection & Authentication policy, or use the default policy.
  2. Go to Policy & Objects > Security Policy, and click Create New.
  3. Enter a name for the policy, such as allow_HTTP.Audio.
  4. Configure the ports as needed.
  5. Set Service to App Default.
  6. In the Application field, select HTTP.Audio.
  7. Set the Action to Accept.

  8. Click OK.
To enforce the HTTP.Audio application using the default port in the CLI:
  1. Create a firewall policy:
    config firewall policy
        edit 1
            set name "consolidated_all"
            set srcintf "port13"
            set dstintf "port14"
            set srcaddr "all"
            set dstaddr "all"
            set service "ALL"
            set ssl-ssh-profile "new-deep-inspection"
        next
    end
  2. Create a security policy:
    config firewall security-policy
        edit 1
            set name "allow_HTTP.Audio"
            set srcintf "port13"
            set dstintf "port14"
            set srcaddr "all"
            set enforce-default-app-port enable
            set action accept
            set schedule "always"
            set logtraffic all
            set application 15879
        next
    end
Logs

The application logs show logs with an event type of port-violation for traffic on port 8443 that is blocked, and an event type of signature for traffic on port 443 that is allowed.

Blocked:

2: date=2019-06-18 time=16:15:40 logid="1060028736" type="utm" subtype="app-ctrl" eventtype="port-violation" level="warning" vd="vd1" eventtime=1560899740218875746 tz="-0700" appid=15879 srcip=10.1.100.22 dstip=172.16.200.216 srcport=52680 dstport=8443 srcintf="port13" srcintfrole="undefined" dstintf="port14" dstintfrole="undefined" proto=6 service="HTTPS" direction="incoming" policyid=1 sessionid=5041 appcat="Video/Audio" app="HTTP.Audio" action="block" hostname="172.16.200.216" incidentserialno=1906780850 url="/app_data/story.mp3" securityid=2 msg="Video/Audio: HTTP.Audio," apprisk="elevated"

Allowed:

1: date=2019-06-18 time=16:15:49 logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="vd1" eventtime=1560899749258579372 tz="-0700" appid=15879 srcip=10.1.100.22 dstip=172.16.200.216 srcport=54527 dstport=443 srcintf="port13" srcintfrole="undefined" dstintf="port14" dstintfrole="undefined" proto=6 service="HTTPS" direction="incoming" policyid=1 sessionid=5064 appcat="Video/Audio" app="HTTP.Audio" action="pass" hostname="172.16.200.216" incidentserialno=1139663486 url="/app_data/story.mp3" securityid=2 msg="Video/Audio: HTTP.Audio," apprisk="elevated"

Add option to set application default port as a service port

The default-app-port-as-service option can be used in NGFW mode to set the application default port as a service port. This allows applications to match the policy and be blocked immediately the first time that traffic hits the firewall. When this option is enabled, the NGFW policy aggregates the ports used by the applications in the policy and performs a pre-match on the traffic.

config system settings
    set default-app-port-as-service {enable | disable}
end
Note

This option can be configured on a per-VDOM level.

This setting is enabled by default on new installations. When upgrading, the setting is disabled to retain the previous behavior.

To configure the application default port as service port:
  1. Configure the VDOM settings:
    config system settings
        set vdom-type traffic
        set opmode nat
        set ngfw-mode policy-based
        set block-land-attack disable
        set default-app-port-as-service enable
        set application-bandwidth-tracking disable
    end
  2. Configure the NGFW policy:
    config firewall security-policy
        edit 1
            set name "test"
            set srcintf "port2"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set internet-service-src disable
            set enforce-default-app-port enable 
            set action accept
        next
    end

Sample logs

The following logging behavior occurs in NGFW mode with default-app-port-as-service:

  • When default-app-port-as-service and enforce-default-app-port are enabled, traffic that does not match the default port is blocked immediately. Only a traffic log is generated.

    Log with SSH and FTP traffic:
    1: date=2022-02-24 time=11:16:36 eventtime=1645730197145603994 tz="-0800" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vd1" srcip=10.1.100.12 srcport=40402 srcintf="port2" srcintfrole="undefined" dstip=172.16.200.55 dstport=21 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=6811 proto=6 action="deny" policyid=0 policytype="security-policy" poluuid="7ed35582-95a2-51ec-0d21-4093cb91e67b" policyname="Default" centralnatid=1 service="FTP" trandisp="snat" transip=172.16.200.4 transport=40402 duration=10 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned"
    Log with SSH and FTP traffic with port 2121:
    1: date=2022-02-24 time=11:19:20 eventtime=1645730360685614031 tz="-0800" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vd1" srcip=10.1.100.12 srcport=41362 srcintf="port2" srcintfrole="undefined" dstip=172.16.200.55 dstport=2121 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=7213 proto=6 action="deny" policyid=0 policytype="security-policy" poluuid="7ed35582-95a2-51ec-0d21-4093cb91e67b" policyname="Default" centralnatid=1 service="tcp/2121" trandisp="snat" transip=172.16.200.4 transport=41362 duration=9 sentbyte=60 rcvdbyte=0 sentpkt=1 rcvdpkt=0 appcat="unscanned"
  • When default-app-port-as-service is disabled and enforce-default-app-port is enabled, traffic that does not match the default port is not blocked immediately. Application and traffic logs are generated.

    Traffic log with SSH and FTP traffic:
    1: date=2022-02-24 time=11:21:51 eventtime=1645730511325606916 tz="-0800" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vd1" srcip=10.1.100.12 srcport=40408 srcintf="port2" srcintfrole="undefined" dstip=172.16.200.55 dstport=21 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=7522 proto=6 action="deny" policyid=0 policytype="security-policy" poluuid="7ed35582-95a2-51ec-0d21-4093cb91e67b" policyname="Default" centralnatid=1 service="FTP" trandisp="snat" transip=172.16.200.4 transport=40408 duration=14 sentbyte=164 rcvdbyte=171 sentpkt=3 rcvdpkt=2 appid=15896 app="FTP" appcat="Network.Service" apprisk="elevated" utmaction="block" countapp=1 utmref=65501-0
    Application log with SSH and FTP traffic:
    2: date=2022-02-24 time=11:21:39 eventtime=1645730499338228209 tz="-0800" logid="1059028705" type="utm" subtype="app-ctrl" eventtype="signature" level="warning" vd="vd1" appid=15896 srcip=10.1.100.12 srccountry="Reserved" dstip=172.16.200.55 dstcountry="Reserved" srcport=40408 dstport=21 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 service="FTP" direction="outgoing" policyid=0 sessionid=7522 action="block" appcat="Network.Service" app="FTP" incidentserialno=188744239 msg="Network.Service: FTP" apprisk="elevated"
    Traffic log with SSH and FTP traffic with port 2121:
    1: date=2022-02-24 time=11:24:25 eventtime=1645730665235613912 tz="-0800" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vd1" srcip=10.1.100.12 srcport=41366 srcintf="port2" srcintfrole="undefined" dstip=172.16.200.55 dstport=2121 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=7876 proto=6 action="deny" policyid=0 policytype="security-policy" poluuid="7ed35582-95a2-51ec-0d21-4093cb91e67b" policyname="Default" centralnatid=1 service="tcp/2121" trandisp="snat" transip=172.16.200.4 transport=41366 duration=11 sentbyte=112 rcvdbyte=171 sentpkt=2 rcvdpkt=2 appid=15896 app="FTP" appcat="Network.Service" apprisk="elevated" utmaction="block" countapp=1 utmref=65500-0
    Application log with SSH and FTP traffic with port 2121:
    2: date=2022-02-24 time=11:24:16 eventtime=1645730656426052412 tz="-0800" logid="1060028736" type="utm" subtype="app-ctrl" eventtype="port-violation" level="warning" vd="vd1" appid=15896 srcip=10.1.100.12 srccountry="Reserved" dstip=172.16.200.55 dstcountry="Reserved" srcport=41366 dstport=2121 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 service="FTP" direction="outgoing" policyid=0 sessionid=7876 action="block" appcat="Network.Service" app="FTP" incidentserialno=188744241 msg="Network.Service: FTP, non-default port used: 2121" apprisk="elevated"

Application logging in NGFW policy mode

In NGFW policy mode, if an application, application category, or application group is selected on a security policy, and traffic logging is set to UTM or All, then application control logs will be generated. In addition, when a signature is set to the ACCEPT action under a security policy, all corresponding child signatures will be assessed and logged as well.

Under NGFW, with default-app-port-as-service enabled, enable APP Default. The traffic which doesn't match the default port will be blocked immediately, and there is only traffic log generated.

Under NGFW, with default-app-port-as-service disabled, enable APP Default. The traffic which doesn't match the default port will not be blocked immediately, and there is app and traffic logs generated.

To verify application logging:
  1. Go to Policy & Objects > Security Policy and configure a new policy for YouTube.
  2. Set Action to ACCEPT and Log Allowed Traffic to Security Events.

  3. Configure the remaining settings as required, then click OK.
  4. On a client system, play some YouTube videos.
  5. On FortiOS, go to Log & Report > Security Events and view the Application Control logs.

    There are logs not only for YouTube, but also for YouTube_Video.Play, YouTube_Video.Access, and so on, as verified from the Application Name column.

Learn mode in security policies in NGFW mode

In NGFW mode, administrators can configure a security policy in learn mode to monitor traffic that passes through the source and destination interfaces. The learn mode uses a special prefix in the policymode and profile fields in traffic and UTM logs for use by FortiAnalyzer and the Policy Analyzer Management Extension Application (MEA) that is available with FortiManager.

Note

When enabled on FortiManager, Policy Analyzer MEA works with security policies in learning mode to analyze logs sent from a managed FortiGate to FortiAnalyzer. Based on the analyzed traffic, FortiManager administrators can choose to automatically create a policy in FortiManager for the managed FortiGate. For more information about Policy Analyzer MEA, see the Policy Analyzer Administration Guide.

The following limitations apply when learn mode is enabled in a security policy:

  • Only interfaces with device-identification enable can be used as source interfaces in a security policy with learning mode enabled.
  • Incoming and outgoing interfaces do not support any.
  • Internet service is not supported.
  • NAT46 and NAT64 are not supported.
  • Users and groups are not supported.
  • Some negate options are not supported.
To enable learn mode in the GUI:
  1. Enable policy-based NGFW mode:

    1. Go to System > Settings.

    2. Set the NGFW Mode to Policy-based and click Apply.

  2. Go to Policy & Objects > Security Policy, and open a security policy for editing.

  3. Set the Policy Mode to Learn Mode.

  4. Select an Incoming Interface.

  5. Select an Outgoing Interface.

  6. (Optional) Type a comment in the Comments box.

  7. Toggle on Enable this policy.

  8. Click OK to save the security policy.

To enable learn mode in the CLI:
  1. Enable policy-based NGFW mode:

    config system settings
        set ngfw-mode policy-based
    end
    
  2. Enable learn mode in a security policy:

    config firewall security-policy
        edit <id>
            set learning-mode enable
        next
    end
To view learn mode fields in logs in the CLI:
  1. Filter and view fields in traffic logs:

    # execute log filter category 0 # execute log display 1 logs found. 1 logs returned. 1: date=2022-03-21 time=10:21:11 eventtime=1647883271150012188 tz="-0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.1.100.41 srcport=43296 srcintf="port24" srcintfrole="undefined" dstip=172.16.200.55 dstport=80 dstintf="port17" dstintfrole="wan" srccountry="Reserved" dstcountry="Reserved" sessionid=33934 proto=6 policymode="learn" action="accept" policyid=99 policytype="security-policy" poluuid="6e3f7f54-a932-51ec-73ba-8282cfd0b73c" policyname="Security-policy-99" centralnatid=3 service="HTTP" trandisp="snat" transip=172.16.200.9 transport=43296 duration=1 sentbyte=412 rcvdbyte=529 sentpkt=6 rcvdpkt=4 appid=15893 app="HTTP.BROWSER" appcat="Web.Client" apprisk="medium" utmaction="allow" countweb=1 countav=1 countips=3 countapp=1 crscore=50 craction=2 srchwvendor="VMware" devtype="Computer" osname="Debian" mastersrcmac="00:0c:29:b5:92:8d" srcmac="00:0c:29:b5:92:8d" srcserver=0 utmref=65534-0

  2. Filter and view fields in UTM logs:

    # execute log filter category 2 # execute log display 1 logs found. 1 logs returned. 1: date=2022-03-21 time=10:21:09 eventtime=1647883270101403283 tz="-0700" logid="0211008193" type="utm" subtype="virus" eventtype="infected" level="notice" vd="root" policyid=99 poluuid="6e3f7f54-a932-51ec-73ba-8282cfd0b73c" policytype="security-policy" policymode="learn" msg="File is infected." action="monitored" service="HTTP" sessionid=33934 srcip=10.1.100.41 dstip=172.16.200.55 srcport=43296 dstport=80 srccountry="Reserved" dstcountry="Reserved" srcintf="port24" srcintfrole="undefined" dstintf="port17" dstintfrole="wan" proto=6 direction="incoming" filename="eicar.com" quarskip="Quarantine-disabled" virus="EICAR_TEST_FILE" viruscat="Virus" dtype="av-engine" ref="http://www.fortinet.com/ve?vn=EICAR_TEST_FILE" virusid=2172 url="http://172.16.200.55/virus/eicar.com" profile="learn-av" agent="curl/7.35.0" httpmethod="GET" analyticscksum="275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f" analyticssubmit="false" crscore=50 craction=2 crlevel="critical" rawdata="Response-Content-Type=application/x-msdos-program"

  3. Filter and view fields in UTM-IPS logs:

    # execute log filter category 4 # execute log display 3 logs found. 3 logs returned. 1: date=2022-03-21 time=10:21:09 eventtime=1647883270101485354 tz="-0700" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" severity="info" srcip=10.1.100.41 srccountry="Reserved" dstip=172.16.200.55 dstcountry="Reserved" srcintf="port24" srcintfrole="undefined" dstintf="port17" dstintfrole="wan" sessionid=33934 action="detected" proto=6 service="HTTP" policyid=99 poluuid="6e3f7f54-a932-51ec-73ba-8282cfd0b73c" policytype="security-policy" policymode="learn" attack="Eicar.Virus.Test.File" srcport=43296 dstport=80 agent="curl/7.35.0" httpmethod="GET" direction="incoming" attackid=29844 profile="learn-ips" ref="http://www.fortinet.com/ids/VID29844" incidentserialno=158335134 attackcontextid="2/2" attackcontext="YW0NCg0KWDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo8L1BBQ0tFVD4=" 2: date=2022-03-21 time=10:21:09 eventtime=1647883270101484791 tz="-0700" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" severity="info" srcip=10.1.100.41 srccountry="Reserved" dstip=172.16.200.55 dstcountry="Reserved" srcintf="port24" srcintfrole="undefined" dstintf="port17" dstintfrole="wan" sessionid=33934 action="detected" proto=6 service="HTTP" policyid=99 poluuid="6e3f7f54-a932-51ec-73ba-8282cfd0b73c" policytype="security-policy" policymode="learn" attack="Eicar.Virus.Test.File" srcport=43296 dstport=80 agent="curl/7.35.0" httpmethod="GET" direction="incoming" attackid=29844 profile="learn-ips" ref="http://www.fortinet.com/ids/VID29844" incidentserialno=158335134 attackcontextid="1/2" attackcontext="PFBBVFRFUk5TPiBYNU8hUCVAQVBbNFxQWlg1NChQXik3Q0MpN30kRUlDQVItU1RBTkRBUkQtQU5USVZJUlVTLVRFU1QtRklMRSEkSCtIKjtYNU8hUCVAQVBbNFxQWlg1NChQXik3Q0MpN30kRUlDQVItU1RBTkRBUkQtQU5USVZJUlVTLVRFU1QtRklMRSEkSCtIKjwvUEFUVEVSTlM+CjxVUkk+IDwvVVJJPgo8SEVBREVSPiBIVFRQLzEuMSAyMDAgT0sNCkRhdGU6IE1vbiwgMjEgTWFyIDIwMjIgMTc6MjE6MTAgR01UDQpTZXJ2ZXI6IEFwYWNoZS8yLjQuMTggKFVidW50dSkNCkxhc3QtTW9kaWZpZWQ6IFRodSwgMDEgRGVjIDIwMTYgMDE6MjY6MzUgR01UDQpFVGFnOiAiNDQtNTQyOGViNjU4MDk3YSINCkFjY2VwdC1SYW5nZXM6IGJ5dGVzDQpDb250ZW50LUxlbmd0aDogNjgNCkNvbnRlbnQtVHlwZTogYXBwbGljYXRpb24veC1tc2Rvcy1wcm9ncmFtDQoNCjwvSEVBREVSPgo8Qk9EWT4gWDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo8L0JPRFk+CjxQQUNLRVQ+IEhUVFAvMS4xIDIwMCBPSw0KRGF0ZTogTW9uLCAyMSBNYXIgMjAyMiAxNzoyMToxMCBHTVQNClNlcnZlcjogQXBhY2hlLzIuNC4xOCAoVWJ1bnR1KQ0KTGFzdC1Nb2RpZmllZDogVGh1LCAwMSBEZWMgMjAxNiAwMToyNjozNSBHTVQNCkVUYWc6ICI0NC01NDI4ZWI2NTgwOTdhIg0KQWNjZXB0LVJhbmdlczogYnl0ZXMNCkNvbnRlbnQtTGVuZ3RoOiA2OA0KQ29udGVudC1UeXBlOiBhcHBsaWNhdGlvbi94LW1zZG9zLXByb2dy" 3: date=2022-03-21 time=10:21:09 eventtime=1647883270101483279 tz="-0700" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" severity="info" srcip=10.1.100.41 srccountry="Reserved" dstip=172.16.200.55 dstcountry="Reserved" srcintf="port24" srcintfrole="undefined" dstintf="port17" dstintfrole="wan" sessionid=33934 action="detected" proto=6 service="HTTP" policyid=99 poluuid="6e3f7f54-a932-51ec-73ba-8282cfd0b73c" policytype="security-policy" policymode="learn" attack="Eicar.Virus.Test.File" srcport=43296 dstport=80 hostname="172.16.200.55" url="/virus/eicar.com" agent="curl/7.35.0" httpmethod="GET" direction="incoming" attackid=29844 profile="learn-ips" ref="http://www.fortinet.com/ids/VID29844" incidentserialno=158335134 msg="file_transfer: Eicar.Virus.Test.File" attackcontextid="0/2" rawdataid="1/1" rawdata="Response-Content-Type=application/x-msdos-program"

Filter and view fields in UTM-webfilter logs:

# execute log filter category 3 # execute log display 2 logs found. 2 logs returned. 2: date=2022-03-21 time=10:21:09 eventtime=1647883270100329681 tz="-0700" logid="0319013317" type="utm" subtype="webfilter" eventtype="urlmonitor" level="notice" vd="root" policyid=99 poluuid="6e3f7f54-a932-51ec-73ba-8282cfd0b73c" policytype="security-policy" policymode="learn" sessionid=33934 srcip=10.1.100.41 srcport=43296 srccountry="Reserved" srcintf="port24" srcintfrole="undefined" dstip=172.16.200.55 dstport=80 dstcountry="Reserved" dstintf="port17" dstintfrole="wan" proto=6 httpmethod="GET" service="HTTP" hostname="172.16.200.55" agent="curl/7.35.0" profile="learn-webf" action="passthrough" reqtype="direct" url="http://172.16.200.55/virus/eicar.com" sentbyte=92 rcvdbyte=0 direction="outgoing" msg="URL has been visited" ratemethod="domain" cat=255 catdesc="Unknown"

Dynamic address tags NEW

Tags for dynamic addresses, including EMS (normal and local EMS tags), FortiPolicy, FortiVoice, and FortiNAC can be used as the source or destination address in security policies. Once these tags are used in security policies, run diagnose ips pme dynamic-address list to show the addresses that are used in the policy. The following example uses an EMS tag.

To apply an EMS tag object to a security policy in the GUI:
  1. Go to Policy & Objects > Security Policy.

  2. Click Create new or edit an existing policy.

  3. In the Source field, click the + and select EMS1_ZTNA_ZT_OS_WIN.

  4. Configure the other settings as needed.

  5. Click OK.

To apply an EMS tag object to a security policy in the CLI:
  1. Configure the policy:

    config firewall security-policy
        edit 1
            set name "ddd"
            set srcintf "port8"
            set dstintf "port7"
            set srcaddr "EMS1_ZTNA_ZT_OS_WIN"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set logtraffic all
        next
    end
  2. Verify which IP addresses are used in the policy:

    # diagnose ips pme dynamic-address list
    EMS1_ZTNA_ZT_OS_WIN [vdom=0 type=IP]:

NGFW policy

NGFW policy

Profile-based next-generation firewall (NGFW) mode is the traditional mode where you create a profile (antivirus, web filter, and so on) and then apply the profile to a policy.

In policy-based NGFW mode, you allow applications and URL categories to be used directly in security policies, without requiring web filter or application control profiles. However, it is possible to select and apply web filter URL categories and groups.

In policy-based mode:

  • Central NAT is always enabled. If no Central SNAT policy exists, you must create one. See Central SNAT for more information.
  • Pre-match rules are defined separately from security policies, and define broader rules, such as SSL inspection and user authentication.
  • The IPsec wizard is not supported.

If your FortiGate operates in NAT mode, rather than enabling source NAT in individual NGFW policies, go to Policy & Objects > Central SNAT and add source NAT policies that apply to all matching traffic. In many cases, you may only need one SNAT policy for each interface pair.

The NGFW mode is set per VDOM, and it is only available when the VDOM inspection mode is flow-based. You can operate your entire FortiGate or individual VDOMs in NGFW policy mode. The application default port can be set as a service port in the NGFW mode using the default-app-port-as-service option.

In NGFW mode, administrators can configure a security policy in learn mode to monitor traffic. See Learn mode in security policies in NGFW mode for more information.

Enabling policy-based NGFW mode

To enable policy-based NGFW mode without VDOMs in the GUI:
  1. Go to System > Settings.
  2. In NGFW Mode, select Policy-based.
  3. Click Apply.
To enable policy-based NGFW mode with VDOMs in the GUI:
  1. Go to System > VDOM .
  2. Double-click a VDOM to edit the settings.
  3. In NGFW Mode, select Policy-based.
  4. Click OK.
To enable policy-based NGFW mode without VDOMs in the CLI:
config system settings
    set ngfw-mode policy-based
end
To enable policy-based NGFW mode with VDOMs in the CLI:
config vdom
    edit <vdom>
        config system settings
            set ngfw-mode policy-based
        end
    next
end

Security and SSL Inspection & Authentication policies

Security policies work with SSL Inspection & Authentication policies to inspect traffic. To allow traffic from a specific user or user group, both Security and SSL Inspection & Authentication policies must be configured. A default SSL Inspection & Authentication policy with the certificate-inspection SSL Inspection profile is preconfigured. Traffic will match the SSL Inspection & Authentication policy first. If the traffic is allowed, packets are sent to the IPS engine for application, URL category, user, and user group match, and then, if enabled, UTM inspection (antivirus, IPS, DLP, and email filter) is performed.

SSL Inspection & Authentication policies are used to pre-match traffic before sending the packets to the IPS engine:

  • There are no schedule or action options; traffic matching the policy is always redirected to the IPS engine.
  • SSL inspection, formerly configured in the VDOM settings, is configured in an SSL Inspection & Authentication policy.
  • Users and user groups that require authentication must be configured in an SSL Inspection & Authentication policy.

Security policies work with SSL Inspection & Authentication policies to inspect traffic:

  • Applications and URL categories can be configured directly in the policy.
  • Users and user groups that require authentication must also be configured in a security policy.
  • The available actions are Accept or Deny.
  • The Service option can be used to enforce the standard port for the selected applications.
  • UTM inspection is configured in a security policy.

To configure policies for Facebook and Gmail access in the CLI:
  1. Configure an SSL Inspection & Authentication policy:
    config firewall policy
        edit 1
            set name "Policy-1"
            set srcintf "port18"
            set dstintf "port17"
            set srcaddr "all"
            set dstaddr "all"
            set service "ALL"
            set ssl-ssh-profile "new-deep-inspection"
            set groups "Dev" "HR" "QA" "SYS"
        next
    end
  2. Configure security policies:
    config firewall security-policy
        edit 2
            set name "allow-QA-Facebook"
            set srcintf "port18"
            set dstintf "port17"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set application 15832
            set groups "Dev" "QA"
        next
        edit 4
            set name "allow-QA-Email"
            set srcintf "port18"
            set dstintf "port17"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set url-category 23
            set groups "QA"
        next
    end
Logs

In the application control and web filter logs, securityid maps to the security policy ID.

Application control log:

date=2019-06-17 time=16:35:47 logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="vd1" eventtime=1560814547702405829 tz="-0700" appid=15832 user="Jack" group="QA" srcip=10.1.100.102 dstip=157.240.3.29 srcport=56572 dstport=443 srcintf="port18" srcintfrole="undefined" dstintf="port17" dstintfrole="undefined" proto=6 service="P2P" direction="incoming" policyid=1 sessionid=42445 appcat="Social.Media" app="Facebook" action="pass" hostname="external-sea1-1.xx.fbcdn.net" incidentserialno=1419629662 url="/" securityid=2 msg="Social.Media: Facebook," apprisk="medium" scertcname="*.facebook.com" scertissuer="DigiCert SHA2 High Assurance Server CA"

Web filter log:

date=2019-06-17 time=16:42:41 logid="0317013312" type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="vd1" eventtime=1560814961418114836 tz="-0700" policyid=4 sessionid=43201 user="Jack" group="QA" srcip=10.1.100.102 srcport=56668 srcintf="port18" srcintfrole="undefined" dstip=172.217.3.165 dstport=443 dstintf="port17" dstintfrole="undefined" proto=6 service="HTTPS" hostname="mail.google.com" action="passthrough" reqtype="direct" url="/" sentbyte=709 rcvdbyte=0 direction="outgoing" msg="URL belongs to an allowed category in policy" method="domain" cat=23 catdesc="Web-based Email" securityid=4

Traffic logs:

date=2019-06-17 time=16:35:53 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vd1" eventtime=1560814553778525154 tz="-0700" srcip=10.1.100.102 srcport=56572 srcintf="port18" srcintfrole="undefined" dstip=157.240.3.29 dstport=443 dstintf="port17" dstintfrole="undefined" poluuid="b740d418-8ed3-51e9-5a7b-114e99ab6370" sessionid=42445 proto=6 action="server-rst" user="Jack" group="QA" policyid=1 policytype="consolidated" centralnatid=1 service="HTTPS" dstcountry="United States" srccountry="Reserved" trandisp="snat" transip=172.16.200.2 transport=56572 duration=6 sentbyte=276 rcvdbyte=745 sentpkt=5 rcvdpkt=11 appid=15832 app="Facebook" appcat="Social.Media" apprisk="medium" utmaction="allow" countapp=1 utmref=65531-294

2: date=2019-06-17 time=16:47:45 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vd1" eventtime=1560815265058557636 tz="-0700" srcip=10.1.100.102 srcport=56668 srcintf="port18" srcintfrole="undefined" dstip=172.217.3.165 dstport=443 dstintf="port17" dstintfrole="undefined" poluuid="b740d418-8ed3-51e9-5a7b-114e99ab6370" sessionid=43201 proto=6 action="timeout" user="Jack" group="QA" policyid=1 policytype="consolidated" centralnatid=1 service="HTTPS" dstcountry="United States" srccountry="Reserved" trandisp="snat" transip=172.16.200.2 transport=56668 duration=303 sentbyte=406 rcvdbyte=384 sentpkt=4 rcvdpkt=4 appcat="unscanned" utmaction="allow" countweb=1 utmref=65531-3486

Other NGFW policy-based mode options

You can combine Application Control and Web Filter in the same NGFW mode policy.

The following security profiles can be used in NGFW policy-based mode:

  • AntiVirus
  • Web Filter
  • Intrusion Prevention
  • File Filter
  • Email Filter

Logging can also be enabled in security policies.

Inspection mode per policy

Inspection mode is configured on a per-policy basis in NGFW mode. This gives you more flexibility when setting up different policies.

When configuring a firewall policy, you can select a Flow-based or Proxy-basedInspection Mode. The default setting is Flow-based.

To configure inspection mode in a policy:
  1. Go to Policy & Objects > Firewall Policy.
  2. Create a new policy, or edit an existing policy.
  3. Configure the policy as needed.
    1. If you change the Inspection Mode to Proxy-based, the Proxy HTTP(S) traffic option displays.

    2. In the Security Profiles section, if no security profiles are enabled, the default SSL Inspection is no-inspection.
    3. In the Security Profiles section, if you enable any security profile, the SSL Inspection changes to certificate-inspection.

To see the inspection mode changes using the CLI:
config firewall policy
    edit 1
        set srcintf "wan2"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set nat enable
    next
end		
To see the HTTP and SSH policy redirect settings when inspection mode is set to proxy using the CLI:
config firewall policy
    edit 1
        set srcintf "wan2"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set http-policy-redirect enable
        set ssh-policy-redirect enable
        set nat enable
    next
end
To see the default SSL-SSH policy set to no inspection using the CLI:
config firewall policy
    edit 1
       show fu | grep ssl-ssh-profile
        set ssl-ssh-profile "no-inspection"
    next
end

NGFW policy mode application default service

In NGFW policy-based mode, the application default service enforces applications running only on their default service port. The applications specified in the policy are monitored, and if traffic is detected from a nonstandard port, it is blocked, and a log entry is recorded with a port-violation event type.

If you are not using the default ports, and need to pick specific services, select Specify to select the required services.

Example

In this example, the standard port is enforced for HTTPS traffic using the HTTP.Audio application.

First, an SSL Inspection & Authentication policy is created do to traffic pre-match, and then a security policy is created to allow the HTTP.Audio application when using the default port. Fetching an MP3 file from an HTTP server using port 443 is allowed, but is blocked when using a nonstandard port, such as 8443.

To enforce the HTTP.Audio application using the default port in the GUI:
  1. Create a new SSL Inspection & Authentication policy, or use the default policy.
  2. Go to Policy & Objects > Security Policy, and click Create New.
  3. Enter a name for the policy, such as allow_HTTP.Audio.
  4. Configure the ports as needed.
  5. Set Service to App Default.
  6. In the Application field, select HTTP.Audio.
  7. Set the Action to Accept.

  8. Click OK.
To enforce the HTTP.Audio application using the default port in the CLI:
  1. Create a firewall policy:
    config firewall policy
        edit 1
            set name "consolidated_all"
            set srcintf "port13"
            set dstintf "port14"
            set srcaddr "all"
            set dstaddr "all"
            set service "ALL"
            set ssl-ssh-profile "new-deep-inspection"
        next
    end
  2. Create a security policy:
    config firewall security-policy
        edit 1
            set name "allow_HTTP.Audio"
            set srcintf "port13"
            set dstintf "port14"
            set srcaddr "all"
            set enforce-default-app-port enable
            set action accept
            set schedule "always"
            set logtraffic all
            set application 15879
        next
    end
Logs

The application logs show logs with an event type of port-violation for traffic on port 8443 that is blocked, and an event type of signature for traffic on port 443 that is allowed.

Blocked:

2: date=2019-06-18 time=16:15:40 logid="1060028736" type="utm" subtype="app-ctrl" eventtype="port-violation" level="warning" vd="vd1" eventtime=1560899740218875746 tz="-0700" appid=15879 srcip=10.1.100.22 dstip=172.16.200.216 srcport=52680 dstport=8443 srcintf="port13" srcintfrole="undefined" dstintf="port14" dstintfrole="undefined" proto=6 service="HTTPS" direction="incoming" policyid=1 sessionid=5041 appcat="Video/Audio" app="HTTP.Audio" action="block" hostname="172.16.200.216" incidentserialno=1906780850 url="/app_data/story.mp3" securityid=2 msg="Video/Audio: HTTP.Audio," apprisk="elevated"

Allowed:

1: date=2019-06-18 time=16:15:49 logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="vd1" eventtime=1560899749258579372 tz="-0700" appid=15879 srcip=10.1.100.22 dstip=172.16.200.216 srcport=54527 dstport=443 srcintf="port13" srcintfrole="undefined" dstintf="port14" dstintfrole="undefined" proto=6 service="HTTPS" direction="incoming" policyid=1 sessionid=5064 appcat="Video/Audio" app="HTTP.Audio" action="pass" hostname="172.16.200.216" incidentserialno=1139663486 url="/app_data/story.mp3" securityid=2 msg="Video/Audio: HTTP.Audio," apprisk="elevated"

Add option to set application default port as a service port

The default-app-port-as-service option can be used in NGFW mode to set the application default port as a service port. This allows applications to match the policy and be blocked immediately the first time that traffic hits the firewall. When this option is enabled, the NGFW policy aggregates the ports used by the applications in the policy and performs a pre-match on the traffic.

config system settings
    set default-app-port-as-service {enable | disable}
end
Note

This option can be configured on a per-VDOM level.

This setting is enabled by default on new installations. When upgrading, the setting is disabled to retain the previous behavior.

To configure the application default port as service port:
  1. Configure the VDOM settings:
    config system settings
        set vdom-type traffic
        set opmode nat
        set ngfw-mode policy-based
        set block-land-attack disable
        set default-app-port-as-service enable
        set application-bandwidth-tracking disable
    end
  2. Configure the NGFW policy:
    config firewall security-policy
        edit 1
            set name "test"
            set srcintf "port2"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set internet-service-src disable
            set enforce-default-app-port enable 
            set action accept
        next
    end

Sample logs

The following logging behavior occurs in NGFW mode with default-app-port-as-service:

  • When default-app-port-as-service and enforce-default-app-port are enabled, traffic that does not match the default port is blocked immediately. Only a traffic log is generated.

    Log with SSH and FTP traffic:
    1: date=2022-02-24 time=11:16:36 eventtime=1645730197145603994 tz="-0800" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vd1" srcip=10.1.100.12 srcport=40402 srcintf="port2" srcintfrole="undefined" dstip=172.16.200.55 dstport=21 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=6811 proto=6 action="deny" policyid=0 policytype="security-policy" poluuid="7ed35582-95a2-51ec-0d21-4093cb91e67b" policyname="Default" centralnatid=1 service="FTP" trandisp="snat" transip=172.16.200.4 transport=40402 duration=10 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned"
    Log with SSH and FTP traffic with port 2121:
    1: date=2022-02-24 time=11:19:20 eventtime=1645730360685614031 tz="-0800" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vd1" srcip=10.1.100.12 srcport=41362 srcintf="port2" srcintfrole="undefined" dstip=172.16.200.55 dstport=2121 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=7213 proto=6 action="deny" policyid=0 policytype="security-policy" poluuid="7ed35582-95a2-51ec-0d21-4093cb91e67b" policyname="Default" centralnatid=1 service="tcp/2121" trandisp="snat" transip=172.16.200.4 transport=41362 duration=9 sentbyte=60 rcvdbyte=0 sentpkt=1 rcvdpkt=0 appcat="unscanned"
  • When default-app-port-as-service is disabled and enforce-default-app-port is enabled, traffic that does not match the default port is not blocked immediately. Application and traffic logs are generated.

    Traffic log with SSH and FTP traffic:
    1: date=2022-02-24 time=11:21:51 eventtime=1645730511325606916 tz="-0800" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vd1" srcip=10.1.100.12 srcport=40408 srcintf="port2" srcintfrole="undefined" dstip=172.16.200.55 dstport=21 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=7522 proto=6 action="deny" policyid=0 policytype="security-policy" poluuid="7ed35582-95a2-51ec-0d21-4093cb91e67b" policyname="Default" centralnatid=1 service="FTP" trandisp="snat" transip=172.16.200.4 transport=40408 duration=14 sentbyte=164 rcvdbyte=171 sentpkt=3 rcvdpkt=2 appid=15896 app="FTP" appcat="Network.Service" apprisk="elevated" utmaction="block" countapp=1 utmref=65501-0
    Application log with SSH and FTP traffic:
    2: date=2022-02-24 time=11:21:39 eventtime=1645730499338228209 tz="-0800" logid="1059028705" type="utm" subtype="app-ctrl" eventtype="signature" level="warning" vd="vd1" appid=15896 srcip=10.1.100.12 srccountry="Reserved" dstip=172.16.200.55 dstcountry="Reserved" srcport=40408 dstport=21 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 service="FTP" direction="outgoing" policyid=0 sessionid=7522 action="block" appcat="Network.Service" app="FTP" incidentserialno=188744239 msg="Network.Service: FTP" apprisk="elevated"
    Traffic log with SSH and FTP traffic with port 2121:
    1: date=2022-02-24 time=11:24:25 eventtime=1645730665235613912 tz="-0800" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vd1" srcip=10.1.100.12 srcport=41366 srcintf="port2" srcintfrole="undefined" dstip=172.16.200.55 dstport=2121 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=7876 proto=6 action="deny" policyid=0 policytype="security-policy" poluuid="7ed35582-95a2-51ec-0d21-4093cb91e67b" policyname="Default" centralnatid=1 service="tcp/2121" trandisp="snat" transip=172.16.200.4 transport=41366 duration=11 sentbyte=112 rcvdbyte=171 sentpkt=2 rcvdpkt=2 appid=15896 app="FTP" appcat="Network.Service" apprisk="elevated" utmaction="block" countapp=1 utmref=65500-0
    Application log with SSH and FTP traffic with port 2121:
    2: date=2022-02-24 time=11:24:16 eventtime=1645730656426052412 tz="-0800" logid="1060028736" type="utm" subtype="app-ctrl" eventtype="port-violation" level="warning" vd="vd1" appid=15896 srcip=10.1.100.12 srccountry="Reserved" dstip=172.16.200.55 dstcountry="Reserved" srcport=41366 dstport=2121 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 service="FTP" direction="outgoing" policyid=0 sessionid=7876 action="block" appcat="Network.Service" app="FTP" incidentserialno=188744241 msg="Network.Service: FTP, non-default port used: 2121" apprisk="elevated"

Application logging in NGFW policy mode

In NGFW policy mode, if an application, application category, or application group is selected on a security policy, and traffic logging is set to UTM or All, then application control logs will be generated. In addition, when a signature is set to the ACCEPT action under a security policy, all corresponding child signatures will be assessed and logged as well.

Under NGFW, with default-app-port-as-service enabled, enable APP Default. The traffic which doesn't match the default port will be blocked immediately, and there is only traffic log generated.

Under NGFW, with default-app-port-as-service disabled, enable APP Default. The traffic which doesn't match the default port will not be blocked immediately, and there is app and traffic logs generated.

To verify application logging:
  1. Go to Policy & Objects > Security Policy and configure a new policy for YouTube.
  2. Set Action to ACCEPT and Log Allowed Traffic to Security Events.

  3. Configure the remaining settings as required, then click OK.
  4. On a client system, play some YouTube videos.
  5. On FortiOS, go to Log & Report > Security Events and view the Application Control logs.

    There are logs not only for YouTube, but also for YouTube_Video.Play, YouTube_Video.Access, and so on, as verified from the Application Name column.

Learn mode in security policies in NGFW mode

In NGFW mode, administrators can configure a security policy in learn mode to monitor traffic that passes through the source and destination interfaces. The learn mode uses a special prefix in the policymode and profile fields in traffic and UTM logs for use by FortiAnalyzer and the Policy Analyzer Management Extension Application (MEA) that is available with FortiManager.

Note

When enabled on FortiManager, Policy Analyzer MEA works with security policies in learning mode to analyze logs sent from a managed FortiGate to FortiAnalyzer. Based on the analyzed traffic, FortiManager administrators can choose to automatically create a policy in FortiManager for the managed FortiGate. For more information about Policy Analyzer MEA, see the Policy Analyzer Administration Guide.

The following limitations apply when learn mode is enabled in a security policy:

  • Only interfaces with device-identification enable can be used as source interfaces in a security policy with learning mode enabled.
  • Incoming and outgoing interfaces do not support any.
  • Internet service is not supported.
  • NAT46 and NAT64 are not supported.
  • Users and groups are not supported.
  • Some negate options are not supported.
To enable learn mode in the GUI:
  1. Enable policy-based NGFW mode:

    1. Go to System > Settings.

    2. Set the NGFW Mode to Policy-based and click Apply.

  2. Go to Policy & Objects > Security Policy, and open a security policy for editing.

  3. Set the Policy Mode to Learn Mode.

  4. Select an Incoming Interface.

  5. Select an Outgoing Interface.

  6. (Optional) Type a comment in the Comments box.

  7. Toggle on Enable this policy.

  8. Click OK to save the security policy.

To enable learn mode in the CLI:
  1. Enable policy-based NGFW mode:

    config system settings
        set ngfw-mode policy-based
    end
    
  2. Enable learn mode in a security policy:

    config firewall security-policy
        edit <id>
            set learning-mode enable
        next
    end
To view learn mode fields in logs in the CLI:
  1. Filter and view fields in traffic logs:

    # execute log filter category 0 # execute log display 1 logs found. 1 logs returned. 1: date=2022-03-21 time=10:21:11 eventtime=1647883271150012188 tz="-0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.1.100.41 srcport=43296 srcintf="port24" srcintfrole="undefined" dstip=172.16.200.55 dstport=80 dstintf="port17" dstintfrole="wan" srccountry="Reserved" dstcountry="Reserved" sessionid=33934 proto=6 policymode="learn" action="accept" policyid=99 policytype="security-policy" poluuid="6e3f7f54-a932-51ec-73ba-8282cfd0b73c" policyname="Security-policy-99" centralnatid=3 service="HTTP" trandisp="snat" transip=172.16.200.9 transport=43296 duration=1 sentbyte=412 rcvdbyte=529 sentpkt=6 rcvdpkt=4 appid=15893 app="HTTP.BROWSER" appcat="Web.Client" apprisk="medium" utmaction="allow" countweb=1 countav=1 countips=3 countapp=1 crscore=50 craction=2 srchwvendor="VMware" devtype="Computer" osname="Debian" mastersrcmac="00:0c:29:b5:92:8d" srcmac="00:0c:29:b5:92:8d" srcserver=0 utmref=65534-0

  2. Filter and view fields in UTM logs:

    # execute log filter category 2 # execute log display 1 logs found. 1 logs returned. 1: date=2022-03-21 time=10:21:09 eventtime=1647883270101403283 tz="-0700" logid="0211008193" type="utm" subtype="virus" eventtype="infected" level="notice" vd="root" policyid=99 poluuid="6e3f7f54-a932-51ec-73ba-8282cfd0b73c" policytype="security-policy" policymode="learn" msg="File is infected." action="monitored" service="HTTP" sessionid=33934 srcip=10.1.100.41 dstip=172.16.200.55 srcport=43296 dstport=80 srccountry="Reserved" dstcountry="Reserved" srcintf="port24" srcintfrole="undefined" dstintf="port17" dstintfrole="wan" proto=6 direction="incoming" filename="eicar.com" quarskip="Quarantine-disabled" virus="EICAR_TEST_FILE" viruscat="Virus" dtype="av-engine" ref="http://www.fortinet.com/ve?vn=EICAR_TEST_FILE" virusid=2172 url="http://172.16.200.55/virus/eicar.com" profile="learn-av" agent="curl/7.35.0" httpmethod="GET" analyticscksum="275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f" analyticssubmit="false" crscore=50 craction=2 crlevel="critical" rawdata="Response-Content-Type=application/x-msdos-program"

  3. Filter and view fields in UTM-IPS logs:

    # execute log filter category 4 # execute log display 3 logs found. 3 logs returned. 1: date=2022-03-21 time=10:21:09 eventtime=1647883270101485354 tz="-0700" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" severity="info" srcip=10.1.100.41 srccountry="Reserved" dstip=172.16.200.55 dstcountry="Reserved" srcintf="port24" srcintfrole="undefined" dstintf="port17" dstintfrole="wan" sessionid=33934 action="detected" proto=6 service="HTTP" policyid=99 poluuid="6e3f7f54-a932-51ec-73ba-8282cfd0b73c" policytype="security-policy" policymode="learn" attack="Eicar.Virus.Test.File" srcport=43296 dstport=80 agent="curl/7.35.0" httpmethod="GET" direction="incoming" attackid=29844 profile="learn-ips" ref="http://www.fortinet.com/ids/VID29844" incidentserialno=158335134 attackcontextid="2/2" attackcontext="YW0NCg0KWDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo8L1BBQ0tFVD4=" 2: date=2022-03-21 time=10:21:09 eventtime=1647883270101484791 tz="-0700" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" severity="info" srcip=10.1.100.41 srccountry="Reserved" dstip=172.16.200.55 dstcountry="Reserved" srcintf="port24" srcintfrole="undefined" dstintf="port17" dstintfrole="wan" sessionid=33934 action="detected" proto=6 service="HTTP" policyid=99 poluuid="6e3f7f54-a932-51ec-73ba-8282cfd0b73c" policytype="security-policy" policymode="learn" attack="Eicar.Virus.Test.File" srcport=43296 dstport=80 agent="curl/7.35.0" httpmethod="GET" direction="incoming" attackid=29844 profile="learn-ips" ref="http://www.fortinet.com/ids/VID29844" incidentserialno=158335134 attackcontextid="1/2" attackcontext="PFBBVFRFUk5TPiBYNU8hUCVAQVBbNFxQWlg1NChQXik3Q0MpN30kRUlDQVItU1RBTkRBUkQtQU5USVZJUlVTLVRFU1QtRklMRSEkSCtIKjtYNU8hUCVAQVBbNFxQWlg1NChQXik3Q0MpN30kRUlDQVItU1RBTkRBUkQtQU5USVZJUlVTLVRFU1QtRklMRSEkSCtIKjwvUEFUVEVSTlM+CjxVUkk+IDwvVVJJPgo8SEVBREVSPiBIVFRQLzEuMSAyMDAgT0sNCkRhdGU6IE1vbiwgMjEgTWFyIDIwMjIgMTc6MjE6MTAgR01UDQpTZXJ2ZXI6IEFwYWNoZS8yLjQuMTggKFVidW50dSkNCkxhc3QtTW9kaWZpZWQ6IFRodSwgMDEgRGVjIDIwMTYgMDE6MjY6MzUgR01UDQpFVGFnOiAiNDQtNTQyOGViNjU4MDk3YSINCkFjY2VwdC1SYW5nZXM6IGJ5dGVzDQpDb250ZW50LUxlbmd0aDogNjgNCkNvbnRlbnQtVHlwZTogYXBwbGljYXRpb24veC1tc2Rvcy1wcm9ncmFtDQoNCjwvSEVBREVSPgo8Qk9EWT4gWDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo8L0JPRFk+CjxQQUNLRVQ+IEhUVFAvMS4xIDIwMCBPSw0KRGF0ZTogTW9uLCAyMSBNYXIgMjAyMiAxNzoyMToxMCBHTVQNClNlcnZlcjogQXBhY2hlLzIuNC4xOCAoVWJ1bnR1KQ0KTGFzdC1Nb2RpZmllZDogVGh1LCAwMSBEZWMgMjAxNiAwMToyNjozNSBHTVQNCkVUYWc6ICI0NC01NDI4ZWI2NTgwOTdhIg0KQWNjZXB0LVJhbmdlczogYnl0ZXMNCkNvbnRlbnQtTGVuZ3RoOiA2OA0KQ29udGVudC1UeXBlOiBhcHBsaWNhdGlvbi94LW1zZG9zLXByb2dy" 3: date=2022-03-21 time=10:21:09 eventtime=1647883270101483279 tz="-0700" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" severity="info" srcip=10.1.100.41 srccountry="Reserved" dstip=172.16.200.55 dstcountry="Reserved" srcintf="port24" srcintfrole="undefined" dstintf="port17" dstintfrole="wan" sessionid=33934 action="detected" proto=6 service="HTTP" policyid=99 poluuid="6e3f7f54-a932-51ec-73ba-8282cfd0b73c" policytype="security-policy" policymode="learn" attack="Eicar.Virus.Test.File" srcport=43296 dstport=80 hostname="172.16.200.55" url="/virus/eicar.com" agent="curl/7.35.0" httpmethod="GET" direction="incoming" attackid=29844 profile="learn-ips" ref="http://www.fortinet.com/ids/VID29844" incidentserialno=158335134 msg="file_transfer: Eicar.Virus.Test.File" attackcontextid="0/2" rawdataid="1/1" rawdata="Response-Content-Type=application/x-msdos-program"

Filter and view fields in UTM-webfilter logs:

# execute log filter category 3 # execute log display 2 logs found. 2 logs returned. 2: date=2022-03-21 time=10:21:09 eventtime=1647883270100329681 tz="-0700" logid="0319013317" type="utm" subtype="webfilter" eventtype="urlmonitor" level="notice" vd="root" policyid=99 poluuid="6e3f7f54-a932-51ec-73ba-8282cfd0b73c" policytype="security-policy" policymode="learn" sessionid=33934 srcip=10.1.100.41 srcport=43296 srccountry="Reserved" srcintf="port24" srcintfrole="undefined" dstip=172.16.200.55 dstport=80 dstcountry="Reserved" dstintf="port17" dstintfrole="wan" proto=6 httpmethod="GET" service="HTTP" hostname="172.16.200.55" agent="curl/7.35.0" profile="learn-webf" action="passthrough" reqtype="direct" url="http://172.16.200.55/virus/eicar.com" sentbyte=92 rcvdbyte=0 direction="outgoing" msg="URL has been visited" ratemethod="domain" cat=255 catdesc="Unknown"

Dynamic address tags NEW

Tags for dynamic addresses, including EMS (normal and local EMS tags), FortiPolicy, FortiVoice, and FortiNAC can be used as the source or destination address in security policies. Once these tags are used in security policies, run diagnose ips pme dynamic-address list to show the addresses that are used in the policy. The following example uses an EMS tag.

To apply an EMS tag object to a security policy in the GUI:
  1. Go to Policy & Objects > Security Policy.

  2. Click Create new or edit an existing policy.

  3. In the Source field, click the + and select EMS1_ZTNA_ZT_OS_WIN.

  4. Configure the other settings as needed.

  5. Click OK.

To apply an EMS tag object to a security policy in the CLI:
  1. Configure the policy:

    config firewall security-policy
        edit 1
            set name "ddd"
            set srcintf "port8"
            set dstintf "port7"
            set srcaddr "EMS1_ZTNA_ZT_OS_WIN"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set logtraffic all
        next
    end
  2. Verify which IP addresses are used in the policy:

    # diagnose ips pme dynamic-address list
    EMS1_ZTNA_ZT_OS_WIN [vdom=0 type=IP]: