---

Table of Contents

• Getting started
  • Using the GUI
    • Connecting using a web browser
    • Menus
    • Tables
    • Entering values
      • Text strings
      • Numbers
    • GUI-based global search
    • Loading artifacts from a CDN
    • Accessing additional support resources
    • Command palette
    • Recovering missing graphical components
  • Using the CLI
    • Connecting to the CLI
    • CLI basics
    • Command syntax
    • Subcommands
    • Permissions
  • Using FortiExplorer Go and FortiExplorer
    • Getting started with FortiExplorer
    • Connecting FortiExplorer to a FortiGate with WiFi
    • Configure FortiGate with FortiExplorer using BLE
    • Running a security rating
  • Basic administration
    • Basic configuration
    • Registration
    • FortiCare and FortiGate Cloud login
    • Transfer a device to another FortiCloud account
    • Configuration backups
    • Deregistering a FortiGate
    • Migrating a configuration with FortiConverter
    • Fortinet Developer Network access
    • One-time upgrade prompt when a critical vulnerability is detected upon login NEW
  • LEDs
  • Troubleshooting your installation
• Dashboards and Monitors
  • Using dashboards
  • Using widgets
  • Viewing device dashboards in the Security Fabric
  • Creating a fabric system and license dashboard
  • Dashboards
    • Status dashboard
    • Security dashboard
      • Viewing session information for a compromised host
    • Network dashboard
      • Static & Dynamic Routing monitor
      • DHCP monitor
      • IPsec monitor
      • SSL-VPN monitor
    • Assets & Identities
      • Assets
      • Assets and filtering
      • Adding MAC-based addresses to devices
      • Firewall Users monitor
    • WiFi dashboard
      • FortiAP Status monitor
      • Clients by FortiAP monitor
  • Monitors
    • FortiView monitors
    • Adding FortiView monitors
    • Using the FortiView interface
    • Enabling FortiView from devices
    • FortiView sources
    • FortiView Sessions
    • FortiView Top Source and Top Destination Firewall Objects monitors
    • Viewing top websites and sources by category
    • Cloud application view
      • Top application: YouTube example
• Network
  • Interfaces
    • Interface settings
      • Configure IPAM locally on the FortiGate
      • Interface MTU packet size
      • One-arm sniffer
      • Interface migration wizard
      • Captive portals
    • Physical interface
    • VLAN
      • Virtual VLAN switch
      • QinQ 802.1Q in 802.1ad
      • QinQ 802.1Q in 802.1Q
    • Aggregation and redundancy
      • Enhanced hashing for LAG member selection
      • LAG interface status signals to peer device
      • Failure detection for aggregate and redundant interfaces
    • Loopback interface
    • Software switch
    • Hardware switch
    • Zone
    • Virtual wire pair
      • PRP handling in NAT mode with virtual wire pair
      • Using VLAN sub-interfaces in virtual wire pairs
    • Enhanced MAC VLAN
    • VXLAN
      • General VXLAN configuration and topologies
      • VLAN inside VXLAN
      • Virtual wire pair with VXLAN
      • VXLAN over IPsec tunnel with virtual wire pair
      • VXLAN over IPsec using a VXLAN tunnel endpoint
      • VXLAN with MP-BGP EVPN
      • VXLAN troubleshooting
  • DNS
    • Important DNS CLI commands
    • DNS domain list
    • FortiGate DNS server
      • Basic DNS server configuration example
    • DDNS
    • DNS latency information
    • DNS over TLS and HTTPS
    • Transparent conditional DNS forwarder NEW
    • Interfaces in non-management VDOMs as the source IP address of the DNS conditional forwarding server NEW
    • DNS troubleshooting
  • Explicit and transparent proxies
    • Explicit web proxy
    • FTP proxy
    • Transparent proxy
    • Proxy policy addresses
    • Proxy policy security profiles
    • Explicit proxy authentication
    • Transparent web proxy forwarding
    • Transparent web proxy forwarding over IPv6 NEW
    • Upstream proxy authentication in transparent proxy mode
    • Multiple dynamic header count
    • Restricted SaaS access
    • Explicit proxy and FortiGate Cloud Sandbox
    • Proxy chaining
    • WAN optimization SSL proxy chaining
    • Agentless NTLM authentication for web proxy
    • Multiple LDAP servers in Kerberos keytabs and agentless NTLM domain controllers
    • Learn client IP addresses
    • Explicit proxy authentication over HTTPS
    • mTLS client certificate authentication
    • CORS protocol in explicit web proxy when using session-based, cookie-enabled, and captive portal-enabled SAML authentication
    • Display CORS content in an explicit proxy environment NEW
    • HTTP connection coalescing and concurrent multiplexing for explicit proxy
    • Secure explicit proxy
    • Explicit proxy logging
    • Configuring fast fallback for explicit proxy NEW
    • Forward HTTPS requests to a web server without the need for an HTTP CONNECT message NEW
  • DHCP servers and relays
    • Basic configuration
    • DHCP options
      • Common DHCP options
      • Additional DHCP options
      • IP address assignment with relay agent information option
    • DHCP addressing mode on an interface
    • VCI pattern matching for DHCP assignment
    • DHCP shared subnet
    • Multiple DHCP relay servers
    • DHCP smart relay on interfaces with a secondary IP
    • FortiGate DHCP works with DDNS to allow FQDN connectivity to leased IP addresses
  • Static routing
    • Routing concepts
    • Policy routes
    • Equal cost multi-path
    • Dual internet connections
  • Dynamic routing
    • RIP
      • Basic RIP example
      • Basic RIPng example
    • OSPF
      • Basic OSPF example
      • OSPFv3 neighbor authentication
      • OSPF graceful restart upon a topology change
    • BGP
      • Basic BGP example
      • Route filtering with a distribution list
      • Next hop recursive resolution using other BGP routes
      • Next hop recursive resolution using ECMP routes
      • BGP conditional advertisement
      • BGP error handling per RFC 7606
      • BGP next hop tag-match mode
      • BGP neighbor password
      • Defining a preferred source IP for local-out egress interfaces on BGP routes
      • BGP multi-exit discriminator
      • Troubleshooting BGP
    • BFD
      • BFD for multihop path for BGP
    • Routing objects
      • Route maps
      • Access lists
      • Prefix lists
      • AS path lists
      • Community lists
  • Multicast
    • Multicast routing and PIM support
    • Configuring multicast forwarding
  • FortiExtender
    • Adding a FortiExtender
  • Direct IP support for LTE/4G
  • Cellular interface support for IPv6 NEW
  • Active SIM card switching
  • Airplane mode and LTE/BLE NEW
  • LLDP reception
  • Virtual routing and forwarding
    • Implementing VRF
    • VRF routing support
    • Route leaking between VRFs with BGP
    • Route leaking between multiple VRFs
    • VRF with IPv6
    • IBGP and EBGP support in VRF
    • Support cross-VRF local-in and local-out traffic for local services
  • NetFlow
    • NetFlow templates
    • NetFlow on FortiExtender and tunnel interfaces
  • sFlow
  • Link monitor
    • Link monitor with route updates
    • Enable or disable updating policy routes when link health monitor fails
    • Add weight setting on each link health monitor server
    • SLA link monitoring for dynamic IPsec and SSL VPN tunnels
  • IPv6
    • IPv6 overview
    • IPv6 quick start
    • Neighbor discovery proxy
    • IPv6 address assignment
      • IPv6 stateless address auto-configuration (SLAAC)
      • DHCPv6 stateful server
      • SLAAC with DHCPv6 stateless server
      • IPv6 prefix delegation
    • NAT66, NAT46, NAT64, and DNS64
      • NAT66 policy
      • NAT46 policy
      • NAT64 policy and DNS64 (DNS proxy)
      • Port block allocation with NAT64
    • DHCPv6 relay
    • IPv6 tunneling
      • IPv6 IPsec VPN
      • IPv6 GRE tunnels
      • IPv6 tunnel inherits MTU based on physical interface
      • Configuring IPv4 over IPv6 DS-Lite service
    • IPv6 Simple Network Management Protocol
    • Dynamic routing in IPv6
      • OSPFv3 and IPv6
      • BGP and IPv6
    • IPv6 configuration examples
      • IPv6 quick start example
      • Site-to-site IPv6 over IPv6 VPN example
      • Site-to-site IPv4 over IPv6 VPN example
      • Site-to-site IPv6 over IPv4 VPN example
      • Basic OSPFv3 example
      • Basic IPv6 BGP example
  • FortiGate LAN extension
  • Diagnostics
    • Using the packet capture tool
    • Using the debug flow tool
• SD-WAN
  • SD-WAN overview
    • SD-WAN components and design principles
    • SD-WAN designs and architectures
  • SD-WAN quick start
    • Configuring the SD-WAN interface
    • Adding a static route
    • Selecting the implicit SD-WAN algorithm
    • Configuring firewall policies for SD-WAN
    • Link monitoring and failover
    • Results
    • Configuring SD-WAN in the CLI
  • SD-WAN members and zones
    • Specify an SD-WAN zone in static routes and SD-WAN rules
    • Defining a preferred source IP for local-out egress interfaces on SD-WAN members
  • Performance SLA
    • Performance SLA overview
    • Link health monitor
    • Monitoring performance SLA
    • Passive WAN health measurement
    • Passive health-check measurement by internet service and application
    • Mean opinion score calculation and logging in performance SLA health checks
    • Embedded SD-WAN SLA information in ICMP probes
    • SD-WAN application monitor using FortiMonitor
    • Classifying SLA probes for traffic prioritization
  • SD-WAN rules
    • SD-WAN rules overview
      • Fields for identifying traffic
      • Fields for configuring WAN intelligence
      • Additional fields for configuring WAN intelligence
    • Implicit rule
    • Automatic strategy
    • Manual strategy
    • Best quality strategy
    • Lowest cost (SLA) strategy
    • Load balancing strategy NEW
    • SD-WAN traffic shaping and QoS
    • SDN dynamic connector addresses in SD-WAN rules
    • Application steering using SD-WAN rules
      • Static application steering with a manual strategy
      • Dynamic application steering with lowest cost and best quality strategies
    • DSCP tag-based traffic steering in SD-WAN
      • Configuring SD-WAN rules
      • Results
    • ECMP support for the longest match in SD-WAN rule matching
    • Override quality comparisons in SD-WAN longest match rule matching
    • Internet service and application control steering
    • Use maximize bandwidth to load balance traffic between ADVPN shortcuts
    • Use SD-WAN rules to steer multicast traffic
    • Use SD-WAN rules for WAN link selection with load balancing
  • Advanced routing
    • Local out traffic
    • Using BGP tags with SD-WAN rules
    • BGP multiple path support
    • Controlling traffic with BGP route mapping and service rules
    • Applying BGP route-map to multiple BGP neighbors
    • Using multiple members per SD-WAN neighbor configuration
  • VPN overlay
    • ADVPN and shortcut paths
    • Active dynamic BGP neighbor triggered by ADVPN shortcut NEW
    • SD-WAN monitor on ADVPN shortcuts
    • Hold down time to support SD-WAN service strategies
    • Adaptive Forward Error Correction
    • Dual VPN tunnel wizard
    • Duplicate packets on other zone members
    • Duplicate packets based on SD-WAN rules
    • Interface based QoS on individual child tunnels based on speed test results
    • SD-WAN in large scale deployments
    • Keeping sessions in established ADVPN shortcuts while they remain in SLA
    • SD-WAN multi-PoP multi-hub large scale design and failover NEW
    • Using a single IKE elector in ADVPN to match all SD-WAN control plane traffic
    • SD-WAN Overlay-as-a-Service NEW
  • Advanced configuration
    • SD-WAN with FGCP HA
    • Configuring SD-WAN in an HA cluster using internal hardware switches
    • SD-WAN configuration portability
    • SD-WAN segmentation over a single overlay
    • Matching BGP extended community route targets in route maps
    • Copying the DSCP value from the session original direction to its reply direction
  • SD-WAN cloud on-ramp
    • Configuring the VPN overlay between the HQ FortiGate and cloud FortiGate-VM
    • Configuring the VPN overlay between the HQ FortiGate and AWS native VPN gateway
    • Configuring the VIP to access the remote servers
    • Configuring the SD-WAN to steer traffic between the overlays
    • Verifying the traffic
  • SD-WAN Network Monitor service
    • CLI speed test
    • GUI speed test
    • Scheduled interface speed test
    • Running speed tests from the hub to the spokes in dial-up IPsec tunnels
    • Speed test usage
    • Speed test examples NEW
  • Troubleshooting SD-WAN
    • Tracking SD-WAN sessions
    • Understanding SD-WAN related logs
    • SD-WAN related diagnose commands
    • Using SNMP to monitor health check
• Zero Trust Network Access
  • Zero Trust Network Access introduction
    • Basic ZTNA configuration
    • Establish device identity and trust context with FortiClient EMS
    • SSL certificate based authentication
    • Full versus simple ZTNA policies
  • ZTNA advanced configurations
    • Access control of unmanageable and unknown devices
    • HTTP2 connection coalescing and concurrent multiplexing for ZTNA
    • Mapping ZTNA virtual host and TCP forwarding domains to the DNS database
  • ZTNA configuration examples
    • ZTNA HTTPS access proxy example
    • ZTNA HTTPS access proxy with basic authentication example
    • ZTNA TCP forwarding access proxy example
    • ZTNA SSH access proxy example
    • ZTNA application gateway with SAML authentication example
    • ZTNA application gateway with SAML and MFA using FortiAuthenticator example
    • ZTNA IP MAC based access control example
    • ZTNA IPv6 examples
    • ZTNA Zero Trust application gateway example
    • ZTNA inline CASB for SaaS application access control
    • ZTNA access proxy with KDC to access shared drives
  • ZTNA troubleshooting and debugging commands
  • ZTNA troubleshooting scenarios
• Policy and Objects
  • Policies
    • Firewall policy
    • NGFW policy
    • Local-in policy
    • DoS policy
    • Access control lists
    • Interface policies
    • Source NAT
      • Static SNAT
      • Dynamic SNAT
      • Central SNAT
      • Configuring an IPv6 SNAT policy
      • SNAT policies with virtual wire pairs
    • Destination NAT
      • Static virtual IPs
      • Virtual IP with services
      • Virtual IPs with port forwarding
      • Virtual server load balance
      • Central DNAT
      • Configure FQDN-based VIPs
      • Remove overlap check for VIPs
      • VIP groups
      • HTTP2 connection coalescing and concurrent multiplexing for virtual server load balancing
    • Examples and policy actions
      • NAT46 and NAT64 policy and routing configurations
      • Mirroring SSL traffic in policies
      • Recognize anycast addresses in geo-IP blocking
      • Matching GeoIP by registered and physical location
      • HTTP to HTTPS redirect for load balancing
      • Use Active Directory objects directly in policies
      • No session timeout
      • MAP-E support
      • Seven-day rolling counter for policy hit counters
      • Cisco Security Group Tag as policy matching criteria
      • Virtual patching on the local-in management interface
      • Configuring PCP port mapping with SNAT and DNAT
      • Refreshing active sessions for specific protocols and port ranges per VDOM in a specified direction NEW
  • Address objects
    • Subnet
    • Dynamic policy — Fabric devices
    • IP range
    • FQDN addresses
    • Using wildcard FQDN addresses in firewall policies
    • Geography based addresses
    • IPv6 geography-based addresses
    • Wildcard addressing
    • Interface subnet
    • Address group
    • Address folders
    • Allow empty address groups
    • Address group exclusions
    • FSSO dynamic address subtype
    • ClearPass integration for dynamic address objects
    • FortiNAC tag dynamic address
    • FortiVoice tag dynamic address NEW
    • MAC addressed-based policies
    • ISDB well-known MAC address list
    • IPv6 MAC addresses and usage in firewall policies
  • Protocol options
  • Traffic shaping
    • Traffic shaping policies
      • Local-in and local-out traffic matching
      • VLAN CoS matching on a traffic shaping policy
    • Traffic shaping profiles
      • Traffic shaping with queuing using a traffic shaping profile
    • Traffic shapers
      • Shared traffic shaper
      • Per-IP traffic shaper
      • Changing traffic shaper bandwidth unit of measurement
      • Multi-stage DSCP marking and class ID in traffic shapers
      • Multi-stage VLAN CoS marking
      • Adding traffic shapers to multicast policies
    • Global traffic prioritization
    • DSCP matching and DSCP marking
    • Examples
      • Interface-based traffic shaping profile
      • Interface-based traffic shaping with NP acceleration
      • QoS assignment and rate limiting for FortiSwitch quarantined VLANs
      • Ingress traffic shaping profile
  • Internet Services
    • Using Internet Service in a policy
    • Using custom Internet Service in policy
    • Using extension Internet Service in policy
    • Global IP address information database
    • IP reputation filtering
    • Internet service groups in policies
    • Allow creation of ISDB objects with regional information
    • Internet service customization
    • Look up IP address information from the Internet Service Database page
    • Internet Service Database on-demand mode
• Security Profiles
  • Inspection modes
    • Flow mode inspection (default mode)
    • Proxy mode inspection
    • Inspection mode feature comparison
  • Antivirus
    • Configuring an antivirus profile
    • Proxy mode stream-based scanning
    • Databases
    • Content disarm and reconstruction
    • FortiGuard outbreak prevention
    • External malware block list
    • Malware threat feed from EMS
    • Checking flow antivirus statistics
    • CIFS support
    • Using FortiSandbox post-transfer scanning with antivirus
    • Using FortiSandbox inline scanning with antivirus
    • FortiSandbox database
    • Using FortiNDR inline scanning with antivirus
    • Exempt list for files based on individual hash
    • Downloading quarantined files in archive format NEW
    • Testing an antivirus profile
  • Web filter
    • URL filter
    • FortiGuard filter
    • Credential phishing prevention
    • Additional antiphishing settings
    • Usage quota
    • Web content filter
    • Advanced filters 1
    • Advanced filters 2
    • Web filter statistics
    • URL certificate blocklist
    • Websense Integrated Services Protocol
    • Inspecting HTTP3 traffic
    • Configuring web filter profiles with Hebrew domain names
  • Video filter
    • Filtering based on FortiGuard categories
    • Filtering based on YouTube channel
    • Replacement messages displayed in blocked videos
  • DNS filter
    • Configuring a DNS filter profile
    • FortiGuard category-based DNS domain filtering
    • Botnet C&C domain blocking
    • DNS safe search
    • Local domain filter
    • DNS translation
    • Applying DNS filter to FortiGate DNS server
    • DNS inspection with DoT and DoH
    • DNS over QUIC and DNS over HTTP3 for transparent and local-in DNS modes NEW
    • Troubleshooting for DNS filter
  • Application control
    • Configuring an application sensor
    • Basic category filters and overrides
    • Excluding signatures in application control profiles
    • Port enforcement check
    • Protocol enforcement
    • SSL-based application detection over decrypted traffic in a sandwich topology
    • Matching multiple parameters on application control signatures
    • Application signature dissector for DNP3
    • Blocking QUIC manually
  • Inline CASB NEW
  • Intrusion prevention
    • Signature-based defense
    • Configuring an IPS sensor
    • IPS configuration options
    • IPS signature filter options
    • IPS with botnet C&C IP blocking
    • IPS signatures for the operational technology security service
    • IPS sensor for IEC 61850 MMS protocol
    • SCTP filtering capabilities
  • File filter
    • Supported file types
  • Email filter
    • Configuring an email filter profile
    • Local-based filters
    • FortiGuard-based filters
    • Third-party-based filters
    • Filtering order
    • Protocols and actions
    • Configuring webmail filtering
  • VoIP solutions
    • General use cases
    • NAT46 and NAT64 for SIP ALG
    • SIP message inspection and filtering
    • SIP ALG and SIP session helper
    • SIP pinholes
    • SIP over TLS
    • Voice VLAN auto-assignment
    • Scanning MSRP traffic
  • ICAP
    • ICAP configuration example
    • ICAP response filtering
    • Secure ICAP clients
    • ICAP scanning with SCP and FTP
    • Domain name in XFF with ICAP NEW
  • Web application firewall
    • Protecting a server running web applications
  • Data leak prevention
    • Basic DLP settings
    • Advanced DLP configurations
    • DLP examples
    • DLP fingerprinting
    • FortiGuard DLP service
  • Virtual patching NEW
    • OT and IoT virtual patching on NAC policies
  • SSL & SSH Inspection
    • Configuring an SSL/SSH inspection profile
    • Certificate inspection
    • Deep inspection
    • Protecting an SSL server
    • Handling SSL offloaded traffic from an external decryption device
    • SSH traffic file scanning
    • Redirect to WAD after handshake completion
    • HTTP/2 support in proxy mode SSL inspection
    • Define multiple certificates in an SSL profile in replace mode
    • Disabling the FortiGuard IP address rating
  • Custom signatures
    • Configuring custom signatures
    • Blocking applications with custom signatures
    • Filters for application control groups
    • Application groups in traffic shaping policies
  • Overrides
    • Web rating override
    • Using local and remote categories
    • Web profile override
  • Profile groups
• VPN
  • IPsec VPNs
    • General IPsec VPN configuration
      • Network topologies
      • Phase 1 configuration
        • Choosing IKE version 1 and 2
        • Pre-shared key vs digital certificates
        • Using XAuth authentication
        • Dynamic IPsec route control
      • Phase 2 configuration
      • VPN security policies
      • Blocking unwanted IKE negotiations and ESP packets with a local-in policy
      • Configurable IKE port
      • IPsec VPN IP address assignments
    • Site-to-site VPN
      • FortiGate-to-FortiGate
        • Basic site-to-site VPN with pre-shared key
        • Site-to-site VPN with digital certificate
        • Site-to-site VPN with overlapping subnets
        • GRE over IPsec
        • Policy-based IPsec tunnel
      • FortiGate-to-third-party
        • IKEv2 IPsec site-to-site VPN to an AWS VPN gateway
        • IPsec VPN to Azure with virtual network gateway
        • IPsec VPN to an Azure with virtual WAN
        • IPSec VPN between a FortiGate and a Cisco ASA with multiple subnets
        • Cisco GRE-over-IPsec VPN
    • Remote access
      • FortiGate as dialup client
      • FortiClient as dialup client
      • Add FortiToken multi-factor authentication
      • Add LDAP user authentication
      • iOS device as dialup client
      • IKE Mode Config clients
      • IPsec VPN with external DHCP service
      • L2TP over IPsec
      • Tunneled Internet browsing
      • Dialup IPsec VPN with certificate authentication
      • Using EMS SN verification to enhance VPN security
    • Aggregate and redundant VPN
      • Manual redundant VPN configuration
      • OSPF with IPsec VPN for network redundancy
      • IPsec VPN in an HA environment
      • Packet distribution and redundancy for aggregate IPsec tunnels
      • Packet distribution for aggregate dial-up IPsec tunnels using location ID
      • Packet distribution for aggregate static IPsec tunnels in SD-WAN
      • Packet distribution for aggregate IPsec tunnels using weighted round robin
      • Redundant hub and spoke VPN
    • ADVPN
      • IPsec VPN wizard hub-and-spoke ADVPN support
      • ADVPN with BGP as the routing protocol
      • ADVPN with OSPF as the routing protocol
      • ADVPN with RIP as the routing protocol
      • UDP hole punching for spokes behind NAT
    • Fabric Overlay Orchestrator
      • Prerequisites
      • Network topology
      • Using the Fabric Overlay Orchestrator
    • Other VPN topics
      • VPN and ASIC offload
      • Encryption algorithms
      • Fragmenting IP packets before IPsec encapsulation
      • Configure DSCP for IPsec tunnels
      • Defining gateway IP addresses in IPsec with mode-config and DHCP
      • FQDN support for remote gateways
      • Windows IKEv2 native VPN with user certificate
      • IPsec IKE load balancing based on FortiSASE account information
      • IPsec SA key retrieval from a KMS server using KMIP
      • Securely exchange serial numbers between FortiGates connected with IPsec VPN NEW
      • Multiple interface monitoring for IPsec NEW
    • VPN IPsec troubleshooting
      • Understanding VPN related logs
      • IPsec related diagnose commands
  • SSL VPN
    • SSL VPN best practices
    • SSL VPN security best practices
    • SSL VPN quick start
      • SSL VPN split tunnel for remote user
      • Connecting from FortiClient VPN client
      • Set up FortiToken multi-factor authentication
      • Connecting from FortiClient with FortiToken
    • SSL VPN tunnel mode
      • SSL VPN full tunnel for remote user
      • SSL VPN tunnel mode host check
      • SSL VPN split DNS
      • Split tunneling settings
      • Augmenting VPN security with ZTNA tags
      • Enhancing VPN security using EMS SN verification
    • SSL VPN web mode
      • Web portal configurations
      • Quick Connection tool
      • SSL VPN bookmarks
      • SSL VPN web mode for remote user
      • Customizing the RDP display size
      • Showing the SSL VPN portal login page in the browser's language
      • SSL VPN custom landing page
    • SSL VPN authentication
      • SSL VPN with LDAP user authentication
      • SSL VPN with LDAP user password renew
      • SSL VPN with certificate authentication
      • SSL VPN with LDAP-integrated certificate authentication
      • SSL VPN for remote users with MFA and user sensitivity
      • SSL VPN with FortiToken mobile push authentication
      • SSL VPN with RADIUS on FortiAuthenticator
      • SSL VPN with RADIUS and FortiToken mobile push on FortiAuthenticator
      • SSL VPN with RADIUS password renew on FortiAuthenticator
      • SSL VPN with RADIUS on Windows NPS
      • SSL VPN with multiple RADIUS servers
      • SSL VPN with local user password policy
      • Dynamic address support for SSL VPN policies
      • SSL VPN multi-realm
      • NAS-IP support per SSL-VPN realm
      • SSL VPN with Okta as SAML IdP
      • SSL VPN with Microsoft Entra SSO integration
    • SSL VPN to IPsec VPN
    • SSL VPN protocols
      • TLS 1.3 support
      • SMBv2 support
      • DTLS support
    • Configuring OS and host check
    • FortiGate as SSL VPN Client
    • Dual stack IPv4 and IPv6 support for SSL VPN
    • Disable the clipboard in SSL VPN web mode RDP connections
    • SSL VPN IP address assignments
    • Using SSL VPN interfaces in zones
    • SSL VPN troubleshooting
      • Debug commands
      • Troubleshooting common issues
• User & Authentication
  • Endpoint control and compliance
    • Per-policy disclaimer messages
    • Compliance
      • FortiGate VM unique certificate
      • Running a file system check automatically
    • FortiGuard distribution of updated Apple certificates
    • Integrate user information from EMS and Exchange connectors in the user store
  • User definition and groups
    • Users
    • User groups
    • Retail environment guest access
    • User and user group timeouts
    • Customizing complexity options for the local user password policy NEW
  • LDAP servers
    • Configuring an LDAP server
    • Enabling Active Directory recursive search
    • Configuring LDAP dial-in using a member attribute
    • Configuring wildcard admin accounts
    • Configuring least privileges for LDAP admin account authentication in Active Directory
    • Tracking users in each Active Directory LDAP group
    • Tracking rolling historical records of LDAP user logins
    • Configuring client certificate authentication on the LDAP server
  • RADIUS servers
    • Configuring a RADIUS server
    • Using multiple RADIUS servers
    • RADIUS AVPs and VSAs
    • Restricting RADIUS user groups to match selective users on the RADIUS server
    • Configuring RADIUS SSO authentication
    • RSA ACE (SecurID) servers
    • Support for Okta RADIUS attributes filter-Id and class
    • Sending multiple RADIUS attribute values in a single RADIUS Access-Request
    • Traffic shaping based on dynamic RADIUS VSAs
    • RADIUS Termination-Action AVP in wired and wireless scenarios
    • Configuring a RADSEC client
    • RADIUS integrated certificate authentication for SSL VPN NEW
  • TACACS+ servers
  • SAML
    • Outbound firewall authentication for a SAML user
    • SSL VPN with FortiAuthenticator as a SAML IdP
    • Using a browser as an external user-agent for SAML authentication in an SSL VPN connection
    • SAML authentication in a proxy policy
    • Configuring SAML SSO in the GUI
    • Outbound firewall authentication with Microsoft Entra ID as a SAML IdP
  • Authentication settings
  • FortiTokens
    • FortiToken Mobile quick start
      • Registering FortiToken Mobile
      • Provisioning FortiToken Mobile
      • Activating FortiToken Mobile on a mobile phone
      • Applying multi-factor authentication
    • FortiToken Cloud
    • Registering hard tokens
    • Managing FortiTokens
    • FortiToken Mobile Push
    • Synchronizing LDAP Active Directory users to FortiToken Cloud using the two-factor filter
    • Enable the FortiToken Cloud free trial directly from the FortiGate
    • Troubleshooting and diagnosis
  • Configuring the maximum log in attempts and lockout period
  • PKI
    • Configuring a PKI user
    • Using the SAN field for LDAP-integrated certificate authentication
  • Configuring firewall authentication
  • FSSO
    • FSSO polling connector agent installation
    • FSSO using Syslog as source
    • Configuring the FSSO timeout when the collector agent connection fails
  • Authentication policy extensions
  • Configuring the FortiGate to act as an 802.1X supplicant
  • Include usernames in logs
• Wireless configuration
• Switch Controller
• System
  • Administrators
    • Local authentication
    • Remote authentication for administrators
    • Administrator account options
    • REST API administrator
    • SSO administrators
    • FortiCloud SSO
    • Allowing the FortiGate to override FortiCloud SSO administrator user permissions
    • Password policy
    • Public key SSH access
    • Restricting SSH and Telnet jump host capabilities
    • Remote administrators with TACACS VSA attributes
  • Administrator profiles
  • Firmware & Registration
    • About firmware installations
    • Firmware maturity levels
    • Selected availability (SA) versions NEW
    • Upgrading individual device firmware
    • Upgrading individual device firmware by following the upgrade path (federated update)
    • Upgrading all device firmware
    • Upgrading all device firmware by following the upgrade path (federated update)
    • Enabling automatic firmware updates
    • Authorizing devices
    • Firmware upgrade notifications
    • Downloading a firmware image
    • Testing a firmware version
    • Installing firmware from system reboot
    • Restoring from a USB drive
    • Using controlled upgrades
    • Downgrading individual device firmware
    • Downloading the EOS support package for supported Fabric devices
    • How the FortiGate firmware license works
  • Settings
    • Default administrator password
    • Changing the host name
    • Setting the system time
      • SHA-1 authentication support (for NTPv4)
      • PTPv2
    • Configuring ports
      • Custom default service port range
    • Setting the idle timeout time
    • Setting the password policy
    • Changing the view settings
    • Setting the administrator password retries and lockout time
    • TLS configuration
    • Controlling return path with auxiliary session
    • Email alerts
    • Using configuration save mode
    • Trusted platform module support
    • Configuring the persistency for a banned IP list
    • Using the default certificate for HTTPS administrative access
  • Virtual Domains
    • VDOM overview
    • General configurations
    • Backing up and restoring configurations in multi VDOM mode
    • Inter-VDOM routing configuration example: Internet access
    • Inter-VDOM routing configuration example: Partial-mesh VDOMs
  • High Availability
    • FGCP
      • Failover protection
      • HA heartbeat interface
      • Unicast HA heartbeat
      • HA active-passive cluster setup
      • HA active-active cluster setup
      • HA and load balancing
      • HA virtual cluster setup
      • Check HA synchronization status
      • Out-of-band management with reserved management interfaces
      • In-band management
      • Upgrading FortiGates in an HA cluster
      • Distributed HA clusters
      • HA between remote sites over managed FortiSwitches
      • HA using a hardware switch to replace a physical switch
      • VDOM exceptions
      • Override FortiAnalyzer and syslog server settings
      • Routing NetFlow data over the HA management interface
      • Force HA failover for testing and demonstrations
      • Disabling stateful SCTP inspection
      • Resume IPS scanning of ICCP traffic after HA failover
      • Querying autoscale clusters for FortiGate VM
      • Cluster virtual MAC addresses
      • Abbreviated TLS handshake after HA failover
      • Session synchronization during HA failover for ZTNA proxy sessions
      • FGCP HA between FortiGates of the same model with different AC and DC PSUs
      • FGCP multi-version cluster upgrade NEW
      • Troubleshoot an HA formation
    • FGSP
      • FGSP basic peer setup
      • Synchronizing sessions between FGCP clusters
      • Session synchronization interfaces in FGSP
      • UTM inspection on asymmetric traffic in FGSP
      • UTM inspection on asymmetric traffic on L3
      • Encryption for L3 on asymmetric traffic in FGSP
      • Optimizing FGSP session synchronization and redundancy
      • Firmware upgrades in FGSP
      • FGSP session synchronization between different FortiGate models or firmware versions
      • Applying the session synchronization filter only between FGSP peers in an FGCP over FGSP topology
      • FGSP static site-to-site IPsec VPN setup
      • FGSP per-tunnel failover for IPsec
      • FGCP over FGSP per-tunnel failover for IPsec
      • Allow IPsec DPD in FGSP members to support failovers
    • Standalone configuration synchronization
      • Layer 3 unicast standalone configuration synchronization
    • VRRP
      • Adding IPv4 and IPv6 virtual routers to an interface
      • VRRP failover
      • VRRP groups
      • VRRP virtual MACs
      • Preempt mode
      • Single-domain VRRP example
      • Multi-domain VRRP example
      • VRRP on EMAC-VLAN interfaces
  • SNMP
    • Basic configuration
    • MIB files
    • Access control for SNMP
    • Important SNMP traps
    • SNMP examples
  • Replacement messages
  • Replacement message groups
  • FortiGuard
    • Configuring FortiGuard updates
    • Configuring a proxy server for FortiGuard updates
    • Manual updates
    • Automatic updates
    • Scheduled updates
    • Sending malware statistics to FortiGuard
    • Update server location
    • Filtering
    • Online security tools
    • Anycast and unicast services
    • Using FortiManager as a local FortiGuard server
    • Cloud service communication statistics
    • IoT detection service
    • FortiAP query to FortiGuard IoT service to determine device details
    • FortiGate Cloud / FDN communication through an explicit proxy
    • FDS-only ISDB package in firmware images
    • Licensing in air-gap environments
    • License expiration
  • Feature visibility
  • Certificates
    • Automatically provision a certificate
    • Generate a new certificate
    • Regenerate default certificates
    • Import a certificate
    • Generate a CSR
    • CA certificate
    • Remote certificate
    • Certificate revocation list
    • Export a certificate
    • Uploading certificates using an API
    • Procuring and importing a signed SSL certificate
    • Microsoft CA deep packet inspection
    • Administrative access using certificates
    • Creating certificates with XCA
    • Enrollment over Secure Transport for automatic certificate management NEW
  • Security
    • BIOS-level signature and file integrity checking
    • Real-time file system integrity checking
    • Built-in entropy source NEW
  • Configuration scripts
  • Workspace mode
  • Custom languages
  • RAID
  • FortiGate encryption algorithm cipher suites
  • Conserve mode
  • Using APIs
• Fortinet Security Fabric
  • Components
  • Security Fabric connectors
    • Configuring the root FortiGate and downstream FortiGates
    • Configuring logging and analytics
      • Configuring FortiAnalyzer
      • Configuring cloud logging
    • Configuring FortiClient EMS
    • Synchronizing FortiClient ZTNA tags
    • Configuring LAN edge devices
    • Configuring central management
    • Configuring sandboxing
    • Configuring supported connectors
      • Supported connectors overview
      • Preparing FortiGate for supported Security Fabric devices
      • Configuring pre-authorization of supported Security Fabric devices
      • Authorizing supported connectors
      • Configuring FortiDeceptor
      • Configuring FortiMail
      • Configuring FortiMonitor
      • Configuring FortiNAC
      • Configuring FortiNDR
      • Configuring FortiPolicy
      • Configuring FortiTester
      • Configuring FortiVoice
      • Configuring FortiWeb
  • Using the Security Fabric
    • Dashboard widgets
    • Topology
    • Asset Identity Center page
    • WebSocket for Security Fabric events
    • Deploying the Security Fabric
    • Deploying the Security Fabric in a multi-VDOM environment
    • Other Security Fabric topics
      • Synchronizing objects across the Security Fabric
      • Group address objects synchronized from FortiManager
      • Security Fabric over IPsec VPN
      • Leveraging LLDP to simplify Security Fabric negotiation
  • Configuring the Security Fabric with SAML
    • Configuring single-sign-on in the Security Fabric
      • Configuring the root FortiGate as the IdP
      • Configuring a downstream FortiGate as an SP
      • Configuring certificates for SAML SSO
      • Verifying the single-sign-on configuration
    • CLI commands for SAML SSO
    • SAML SSO with pre-authorized FortiGates
    • Navigating between Security Fabric members with SSO
    • Integrating FortiAnalyzer management using SAML SSO
    • Integrating FortiManager management using SAML SSO
    • Advanced option - FortiGate SP changes
  • Security rating
    • Security Fabric score
  • Automation stitches
    • Creating automation stitches
      • Default automation stitches
      • Incoming Webhook Quarantine stitch
    • Triggers
      • FortiAnalyzer event handler trigger
      • Fabric connector event trigger
      • FortiOS event log trigger
      • Event log category triggers
      • Certificate expiration trigger
      • Schedule trigger
    • Actions
      • FortiNAC Quarantine action
      • VMware NSX security tag action
      • VMware NSX-T security tag action
      • Replacement messages for email alerts
      • Slack Notification action
      • Microsoft Teams Notification action
      • AWS Lambda action
      • Azure Function action
      • Google Cloud Function action
      • AliCloud Function action
      • CLI script action
      • Execute a CLI script based on memory and CPU thresholds
      • Webhook action
      • Webhook action with Twilio for SMS text messages
      • Slack integration webhook
      • Microsoft Teams integration webhook
      • System actions
  • Public and private SDN connectors
    • Getting started with public and private SDN connectors
    • AliCloud SDN connector using access key
    • AWS SDN connector using access keys
    • Azure SDN connector using service principal
    • Cisco ACI SDN connector using a standalone connector
    • Retrieve IPv6 dynamic addresses from Cisco ACI SDN connector
    • ClearPass endpoint connector via FortiManager
    • GCP SDN connector using service account
    • IBM Cloud SDN connector using API keys
    • Kubernetes (K8s) SDN connectors
      • AliCloud Kubernetes SDN connector using access key
      • EKS SDN connector using access key
      • Azure Kubernetes (AKS) SDN connector using client secret
      • GCP Kubernetes (GKE) SDN connector using service account
      • Oracle Kubernetes (OKE) SDN connector using certificates
      • Private cloud K8s SDN connector using secret token
    • Nuage SDN connector using server credentials
    • Nutanix SDN connector using server credentials
    • OCI SDN connector using certificates
    • OpenStack SDN connector using node credentials
    • SAP SDN connector
    • VMware ESXi SDN connector using server credentials
    • VMware NSX-T Manager SDN connector using NSX-T Manager credentials
    • Multiple concurrent SDN connectors
    • Filter lookup in SDN connectors
    • Support for wildcard SDN connectors in filter configurations
  • Endpoint/Identity connectors
    • Fortinet single sign-on agent
    • Poll Active Directory server
    • Symantec endpoint connector
    • RADIUS single sign-on agent
    • Exchange Server connector
  • Threat feeds
    • Configuring a threat feed
    • FortiGuard category threat feed
    • IP address threat feed
    • Domain name threat feed
    • MAC address threat feed
    • Malware hash threat feed
    • Threat feed connectors per VDOM
    • STIX format for external threat feeds
    • Using the AusCERT malicious URL feed with an API key
  • Monitoring the Security Fabric using FortiExplorer for Apple TV
    • NOC and SOC example
      • Adding the root FortiGate to FortiExplorer for Apple TV
      • Viewing the Fabric Topology monitor
      • Viewing the Fabric Overview monitor
      • Viewing the Security Rating monitor
      • Viewing the Compromised Hosts monitor
      • Viewing the Vulnerability Monitor
      • Using the SD-WAN monitor
  • Troubleshooting
    • Viewing a summary of all connected FortiGates in a Security Fabric
    • Diagnosing automation stitches
• Log and Report
  • Viewing event logs
  • System Events log page
  • Security Events log page
  • Reports page
  • Log settings and targets
  • Logging to FortiAnalyzer
    • FortiAnalyzer log caching
    • Configuring multiple FortiAnalyzers (or syslog servers) per VDOM
    • Configuring multiple FortiAnalyzers on a FortiGate in multi-VDOM mode
    • Switching to an alternate FortiAnalyzer if the main FortiAnalyzer is unavailable NEW
  • Advanced and specialized logging
    • Logs for the execution of CLI commands
    • Log buffer on FortiGates with an SSD disk
    • Source and destination UUID logging
    • Configuring and debugging the free-style filter
    • Logging the signal-to-noise ratio and signal strength per client
    • RSSO information for authenticated destination users in logs
    • Destination user information in UTM logs
  • Sample logs by log type
  • Troubleshooting
    • Log-related diagnostic commands
    • Backing up log files or dumping log messages
    • SNMP OID for logs that failed to send
• WAN optimization
  • Overview
    • Peers and authentication groups
    • Tunnels
    • Transparent mode
    • Protocol optimization
    • Cache service and video caching
    • Manual and active-passive
    • Monitoring performance
    • System and feature operation with WAN optimization
    • Best practices
  • Example topologies
    • In-path WAN optimization topology
    • Out-of-path WAN optimization topology
    • Topology for multiple networks
  • Configuration examples
    • Manual (peer-to-peer) WAN optimization configuration example
    • Active-passive WAN optimization configuration example
    • Secure tunneling configuration example
    • Testing and troubleshooting the configuration
• VM
  • Amazon Web Services
  • Microsoft Azure
  • Google Cloud Platform
  • Oracle OCI
  • AliCloud
  • Private cloud
  • VM license
  • Permanent trial mode for FortiGate-VM
  • Adding VDOMs with FortiGate v-series
  • Terraform: FortiOS as a provider
  • PF and VF SR-IOV driver and virtual SPU support
  • Using OCI IMDSv2
  • FIPS cipher mode for AWS, Azure, OCI, and GCP FortiGate-VMs
• Hyperscale firewall
• Troubleshooting
  • Troubleshooting methodologies
  • Connectivity Fault Management NEW
  • Troubleshooting scenarios
    • Checking the system date and time
    • Checking the hardware connections
    • Checking FortiOS network settings
    • Troubleshooting CPU and network resources
    • Troubleshooting high CPU usage
    • Checking the modem status
    • Running ping and traceroute
    • Checking the logs
    • Verifying routing table contents in NAT mode
    • Verifying the correct route is being used
    • Verifying the correct firewall policy is being used
    • Checking the bridging information in transparent mode
    • Checking wireless information
    • Performing a sniffer trace or packet capture
    • Debugging the packet flow
    • Testing a proxy operation
    • Displaying detail Hardware NIC information
    • Performing a traffic trace
    • Using a session table
    • Finding object dependencies
    • Diagnosing NPU-based interfaces
    • Identifying the XAUI link used for a specific traffic stream
    • Date and time settings
    • Running the TAC report
    • Using the process monitor
    • Computing file hashes
    • Other commands
    • ARP table
    • IP address
    • FortiGuard troubleshooting
    • Verifying connectivity to FortiGuard
    • Troubleshooting process for FortiGuard updates
    • FortiGuard server settings
    • View open and in use ports
    • IPS and AV engine version
  • CLI troubleshooting cheat sheet
  • Additional resources
• Change Log

More Links