
High Availability – Fail Protection – FortiOS 6.2

Fail protection

The FortiGate Clustering Protocol (FGCP) provides failover protection, meaning that a cluster can provide FortiGate services even when one of the devices in the cluster encounters a problem that would result in the complete loss of connectivity for a stand-alone FortiGate unit. Fail protection provides a backup mechanism that can be used to reduce the risk of unexpected downtime, especially in mission-critical environments.

FGCP supports failover protection in two ways:

  1. Link failover: if a link fails, traffic flow is maintained.
  2. Device failover: if a device loses power, the cluster automatically fails over to a backup unit with minimal impact on the network.

When session-pickup is enabled in the HA settings, existing TCP sessions are kept, and users on the network are not impacted by downtime because traffic can be passed without re-establishing the sessions.

When and how the failover happens

  1. Link fails

Before triggering a failover when a link fails, the administrator must ensure that monitor interfaces are configured. Normally, the internal interface that connects to the internal network, and an outgoing interface for traffic to the internet or outside the network, should be monitored. Any of those links going down will trigger a failover.

  2. Loss of power for the active unit

When an active (master) unit loses power, a backup (slave) unit automatically becomes the master, and the impact on traffic is minimal. There are no settings for this kind of failover.

High Availability – Cluster Setup – FortiOS 6.2

Cluster setup

HA active-passive cluster setup

An HA Active-Passive (A-P) cluster can be set up using the GUI or CLI.

This example uses the following network topology:

To set up an HA A-P cluster using the GUI:

  1. Make all the necessary connections as shown in the topology diagram.
  2. Log into one of the FortiGates.
  3. Go to System > HA and set the following options:
       Mode                   Active-Passive
       Device priority        128 or higher
       Group name             Example_cluster
       Heartbeat interfaces   ha1 and ha2

Except for the device priority, these settings must be the same on all FortiGates in the cluster.

  4. Leave the remaining settings as their default values. They can be changed after the cluster is in operation.
  5. Click OK.

The FortiGate negotiates to establish an HA cluster. Connectivity with the FortiGate may be temporarily lost as the HA cluster negotiates and the FGCP changes the MAC addresses of the FortiGate’s interfaces.

  6. Factory reset the other FortiGate that will be in the cluster, configure GUI access, then repeat steps 1 to 5, omitting setting the device priority, to join the cluster.

To set up an HA A-P cluster using the CLI:

  1. Make all the necessary connections as shown in the topology diagram.
  2. Log into one of the FortiGates.
  3. Change the hostname of the FortiGate:

config system global
    set hostname Example1_host
end

Changing the host name makes it easier to identify individual cluster units in the cluster operations.

  4. Enable HA:

config system ha
    set mode a-p
    set group-name Example_cluster
    set hbdev ha1 10 ha2 20
end

  5. Leave the remaining settings as their default values. They can be changed after the cluster is in operation.
  6. Repeat steps 1 to 5 on the other FortiGate devices to join the cluster.

HA active-active cluster setup

An HA Active-Active (A-A) cluster can be set up using the GUI or CLI.

This example uses the following network topology:

To set up an HA A-A cluster using the GUI:

  1. Make all the necessary connections as shown in the topology diagram.
  2. Log into one of the FortiGates.
  3. Go to System > HA and set the following options:
       Mode                   Active-Active
       Device priority        128 or higher
       Group name             Example_cluster
       Heartbeat interfaces   ha1 and ha2

Except for the device priority, these settings must be the same on all FortiGates in the cluster.

  4. Leave the remaining settings as their default values. They can be changed after the cluster is in operation.
  5. Click OK.

The FortiGate negotiates to establish an HA cluster. Connectivity with the FortiGate may be temporarily lost as the HA cluster negotiates and the FGCP changes the MAC addresses of the FortiGate’s interfaces.

  6. Factory reset the other FortiGate that will be in the cluster, configure GUI access, then repeat steps 1 to 5, omitting setting the device priority, to join the cluster.

To set up an HA A-A cluster using the CLI:

  1. Make all the necessary connections as shown in the topology diagram.
  2. Log into one of the FortiGates.
  3. Change the hostname of the FortiGate:

config system global
    set hostname Example1_host
end

Changing the host name makes it easier to identify individual cluster units in the cluster operations.

  4. Enable HA:

config system ha
    set mode a-a
    set group-name Example_cluster
    set hbdev ha1 10 ha2 20
end

  5. Leave the remaining settings as their default values. They can be changed after the cluster is in operation.
  6. Repeat steps 1 to 5 on the other FortiGate devices to join the cluster.

HA virtual cluster setup

An HA virtual cluster can be set up using the GUI or CLI.

To set up an HA virtual cluster using the GUI:

  1. Make all the necessary connections as shown in the topology diagram.
  2. Log into one of the FortiGates.
  3. Go to System > HA and set the following options:
       Mode                   Active-Passive
       Device priority        128 or higher
       Group name             Example_cluster
       Heartbeat interfaces   ha1 and ha2

Except for the device priority, these settings must be the same on all FortiGates in the cluster.

  4. Leave the remaining settings as their default values. They can be changed after the cluster is in operation.
  5. Click OK.

The FortiGate negotiates to establish an HA cluster. Connectivity with the FortiGate may be temporarily lost as the HA cluster negotiates and the FGCP changes the MAC addresses of the FortiGate’s interfaces.

  6. Factory reset the other FortiGate that will be in the cluster, configure GUI access, then repeat steps 1 to 5, omitting setting the device priority, to join the cluster.
  7. Go to System > Settings and enable Virtual Domains.
  8. Click Apply. You will be logged out of the FortiGate.
  9. Log back into the FortiGate, ensure that you are in the global VDOM, and go to System > VDOM.
  10. Create two new VDOMs, such as VD1 and VD2:
    1. Click Create New. The New Virtual Domain page opens.
    2. Enter a name for the VDOM in the Virtual Domain field, then click OK to create the VDOM.
    3. Repeat these steps to create a second new VDOM.
  11. Implement a virtual cluster by moving the new VDOMs to Virtual cluster2:
    1. Go to System > HA.
    2. Enable VDOM Partitioning.
    3. Click on the Virtual cluster2 field and select the new VDOMs.
    4. Click OK.

To set up an HA virtual cluster using the CLI:

  1. Make all the necessary connections as shown in the topology diagram.
  2. Set up a regular A-P cluster. See HA active-passive cluster setup above.
  3. Enable VDOMs:

config system global
    set vdom-mode multi-vdom
end

You will be logged out of the FortiGate.

  4. Create two VDOMs:

config vdom
    edit VD1
    next
    edit VD2
    next
end

  5. Reconfigure the HA settings to be a virtual cluster:

config global
    config system ha
        set vcluster2 enable
        config secondary-vcluster
            set vdom "VD1" "VD2"
        end
    end
end

Use Custom Images for Replacement Messages


The replacement message list in System > Replacement Messages enables you to view and customize replacement messages. Highlight the replacement messages you want to edit and customize the message content to your requirements. Hit Save when done. If you do not see the message you want to edit, select the Extended View option in the upper right-hand corner of the screen.

If you make a mistake, select Restore Default to return to the original message and code base.

Replacement message images

You can add images to replacement messages on:

  • Disclaimer pages
  • Login pages
  • Declined disclaimer pages
  • Login failed pages
  • Login challenge pages
  • Keepalive pages

Adding images to replacement messages

To add images to replacement messages in the GUI:

  1. Go to System > Replacement Messages.
  2. Select Manage Images at the top of the page.
  3. Select Create New.
  4. Enter a name for the image.
  5. Select the Content Type.
  6. Select Browse to locate the file and select OK.

Modify images in replacement messages

Replacement messages can be modified to include an HTML message or content that suits your organization. A list of common replacement messages appears in the main window. Select Extended View to see the entire list and all categories of replacement messages.

To modify an image in a replacement message:

  1. Go to System > Replacement Messages.
  2. Select the replacement message you want to edit.

In the bottom pane of the GUI the message will be displayed on the left alongside the HTML code on the right. The message view changes in real-time as you edit the content.

  3. Select Save.

Replacement message groups

Replacement message groups enable you to view common messages in groups for large carriers. Message groups can be configured by going to Config > Replacement Message Group.

Using the defined groups, you can manage specific replacement messages from a single location, rather than searching through the entire replacement message list.

If you enable virtual domains (VDOMs) on the FortiGate unit, replacement message groups are configured separately for each virtual domain. Each VDOM has its own default replacement message group, configured from System > Replacement Message Group.

When you modify a message in a replacement message group, a reset icon appears beside the message in the group.

Select the reset icon to reset the message in the replacement message group to the default version.

 

Advanced DHCP Server

DHCP server

A DHCP server provides an address from a defined address range to a client on the network, when requested.

You can configure one or more DHCP servers on any FortiGate interface. A DHCP server dynamically assigns IP addresses to hosts on the network connected to the interface. The host computers must be configured to obtain their IP addresses using DHCP.

You can configure a FortiGate interface as a DHCP relay. The interface forwards DHCP requests from DHCP clients to an external DHCP server and returns the responses to the DHCP clients. The DHCP server must have appropriate routing so that its response packets to the DHCP clients arrive at the unit.

Configure DHCP on the FortiGate

To add a DHCP server on the GUI:

  1. Go to Network > Interfaces.
  2. Edit an interface.
  3. Enable the DHCP Server option and configure the settings.

To add a DHCP server on the CLI:

config system dhcp server
    edit 1
        set dns-service default
        set default-gateway 192.168.1.2
        set netmask 255.255.255.0
        set interface "port1"
        config ip-range
            edit 1
                set start-ip 192.168.1.1
                set end-ip 192.168.1.1
            next
            edit 2
                set start-ip 192.168.1.3
                set end-ip 192.168.1.254
            next
        end
        set timezone-option default
        set tftp-server "172.16.1.2"
    next
end

DHCP options

When adding a DHCP server, you can include DHCP codes and options. The DHCP options are BOOTP vendor information fields that provide additional vendor-independent configuration parameters to manage the DHCP server. For example, you might need to configure a FortiGate DHCP server that gives out a separate option as well as an IP address, such as an environment that needs to support PXE boot with Windows images.

The option numbers and codes are specific to the application; the application's documentation indicates the values to use. Option codes are entered as option number/hex value pairs, where the option number is a value between 1 and 255.

You can add up to three DHCP code/option pairs per DHCP server.

To configure option 252 with value http://192.168.1.1/wpad.dat using the CLI:

config system dhcp server
    edit <server_entry_number>
        set option1 252 687474703a2f2f3139322e3136382e312e312f777061642e646174
    next
end

For detailed information about DHCP options, see RFC 2132, DHCP Options and BOOTP Vendor Extensions.
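Building the hex string by hand is error-prone, so here is an added Python example (not FortiOS code or a Fortinet tool) that encodes a text option value into the hex form the CLI above expects, decodes it back, enforces the limits stated above (option numbers 1 to 255, at most three option slots per DHCP server), and includes a configuration-review check for option 252: because that option hands every DHCP client a proxy auto-config URL, the decoded host should be one you expect. The function names and the trusted-host set are this example's own assumptions.

```python
"""Encode, decode and audit FortiOS-style DHCP option values.

Added example, not FortiOS code. FortiOS takes 'set optionN <number> <hex>',
where <hex> is the raw option payload as a hex string; these helpers build
and check that string. Limits below are the ones stated on the page.
"""
from typing import Iterable, List, Set, Tuple
from urllib.parse import urlparse

MAX_OPTION_SLOTS = 3            # page: up to three code/option pairs per DHCP server
OPTION_NUMBER_RANGE = range(1, 256)   # page: option number is a value between 1 and 255


def encode_option_value(text: str) -> str:
    """Return the lowercase hex string FortiOS expects for a text option value."""
    return text.encode("ascii").hex()


def decode_option_value(hex_value: str) -> str:
    """Reverse of encode_option_value; raises ValueError on odd-length or non-hex input."""
    return bytes.fromhex(hex_value).decode("ascii")


def build_dhcp_option_lines(options: List[Tuple[int, str]]) -> List[str]:
    """Render 'set optionN <number> <hex>' lines for (number, text) pairs.

    The limits are enforced here so a bad entry never reaches the device.
    """
    if len(options) > MAX_OPTION_SLOTS:
        raise ValueError(f"at most {MAX_OPTION_SLOTS} DHCP options per server")
    lines = []
    for slot, (number, text) in enumerate(options, start=1):
        if number not in OPTION_NUMBER_RANGE:
            raise ValueError(f"option number {number} is outside 1..255")
        lines.append(f"set option{slot} {number} {encode_option_value(text)}")
    return lines


def audit_wpad_option(hex_value: str, trusted_hosts: Set[str]) -> bool:
    """Decode an option 252 value and check that the PAC URL's host is trusted.

    Config-review check (this example's own): option 252 points every client
    at a proxy auto-config file, so a URL outside the expected host list is
    worth flagging.
    """
    url = decode_option_value(hex_value)
    return urlparse(url).hostname in trusted_hosts


if __name__ == "__main__":
    # The page's own example: option 252 -> http://192.168.1.1/wpad.dat
    page_hex = "687474703a2f2f3139322e3136382e312e312f777061642e646174"
    print(decode_option_value(page_hex))
    for line in build_dhcp_option_lines([(252, "http://192.168.1.1/wpad.dat")]):
        print(line)
    print("trusted:", audit_wpad_option(page_hex, {"192.168.1.1"}))
```

Run it as a script to see the page's option 252 value round-trip; `build_dhcp_option_lines` is the piece to drop into a config generator, and `audit_wpad_option` the piece to run over exported configurations.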

Option-82

DHCP option 82, also known as the DHCP relay agent information option, helps protect FortiGate against attacks such as spoofing (forging) of IP addresses and MAC addresses, and DHCP IP address starvation.

FG3H1E5818900749 (1) # show
config reserved-address
    edit 1
        set type option82
        set ip 100.100.100.12
        set circuit-id-type hex
        set circuit-id "00010102"
        set remote-id-type hex
        set remote-id "704ca5e477d6"
    next
end

FG3H1E5818900749 (1) # set
type             DHCP reserved-address type.
*ip              IP address to be reserved for the MAC address.
circuit-id-type  DHCP option type.
circuit-id       Option 82 circuit-ID of the client that will get the reserved IP address.
remote-id-type   DHCP option type.
remote-id        Option 82 remote-ID of the client that will get the reserved IP address.
description      Description.

FortiGate-140D-POE (1) # set type
mac        Match with MAC address.
option82   Match with DHCP option 82.

FortiGate-140D-POE (1) # set circuit-id-type
hex      DHCP option in hex.
string   DHCP option in string.

FortiGate-140D-POE (1) # set remote-id-type
hex      DHCP option in hex.
string   DHCP option in string.
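To see what an option82-type reservation actually matches on, here is an added Python example (not FortiOS code) that parses the DHCP relay agent information option (option 82, RFC 3046) into its circuit-ID and remote-ID sub-options and looks up the reserved address, using the circuit-id, remote-id and IP from the CLI output above. The DHCP options bytes are constructed for the example, and the lookup function illustrates the matching rule; it is not the FortiGate's implementation.

```python
"""Parse DHCP option 82 and match it against option82-type reservations.

Added example, not FortiOS code. The reservation mirrors the page's
'config reserved-address' entry; the packet bytes are constructed here.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

OPTION_RELAY_AGENT = 82   # RFC 3046 Relay Agent Information
SUBOPT_CIRCUIT_ID = 1     # RFC 3046 Agent Circuit ID sub-option
SUBOPT_REMOTE_ID = 2      # RFC 3046 Agent Remote ID sub-option


@dataclass(frozen=True)
class Option82Reservation:
    """One 'set type option82' reserved-address entry (hex ids as bytes)."""
    ip: str
    circuit_id: bytes
    remote_id: bytes


def parse_option82(body: bytes) -> Dict[int, bytes]:
    """Split the option 82 payload (after its own code/length) into {sub-option: data}.

    A truncated sub-option raises instead of matching, so a malformed relay
    header cannot claim a reservation.
    """
    subopts: Dict[int, bytes] = {}
    i = 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated sub-option header")
        code, length = body[i], body[i + 1]
        data = body[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(f"sub-option {code} truncated")
        subopts[code] = data
        i += 2 + length
    return subopts


def extract_option82(dhcp_options: bytes) -> Optional[bytes]:
    """Walk a DHCP options field (code, len, data...; 0 = pad, 255 = end) and return option 82's body."""
    i = 0
    while i < len(dhcp_options):
        code = dhcp_options[i]
        if code == 0:          # pad octet, no length
            i += 1
            continue
        if code == 255:        # end marker
            return None
        if i + 1 >= len(dhcp_options):
            raise ValueError("truncated option header")
        length = dhcp_options[i + 1]
        data = dhcp_options[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(f"option {code} truncated")
        if code == OPTION_RELAY_AGENT:
            return data
        i += 2 + length
    return None


def lookup_reservation(dhcp_options: bytes, reservations: Iterable[Option82Reservation]) -> Optional[str]:
    """Return the reserved IP whose circuit-id AND remote-id both match, else None.

    Both sub-options must match exactly; a request carrying no option 82
    (for instance one that did not pass through the tagging relay) gets no
    option82-type reservation at all.
    """
    body = extract_option82(dhcp_options)
    if body is None:
        return None
    sub = parse_option82(body)
    for r in reservations:
        if sub.get(SUBOPT_CIRCUIT_ID) == r.circuit_id and sub.get(SUBOPT_REMOTE_ID) == r.remote_id:
            return r.ip
    return None


# The page's reservation, transcribed from its 'show' output.
PAGE_RESERVATION = Option82Reservation(
    ip="100.100.100.12",
    circuit_id=bytes.fromhex("00010102"),
    remote_id=bytes.fromhex("704ca5e477d6"),
)

# Constructed DHCP options field: option 53 (DHCPDISCOVER), then option 82
# carrying the page's circuit-id and remote-id, then the end marker.
SAMPLE_OPTIONS = bytes.fromhex(
    "350101"              # option 53, len 1, value 1 = DHCPDISCOVER
    "520e"                # option 82, len 14
    "010400010102"        #   sub-option 1 (circuit-id), len 4
    "0206704ca5e477d6"    #   sub-option 2 (remote-id), len 6
    "ff"                  # end
)

if __name__ == "__main__":
    print(lookup_reservation(SAMPLE_OPTIONS, [PAGE_RESERVATION]))
```

The same parser can be pointed at captured DHCP traffic to confirm that the relay is inserting the circuit-id and remote-id values you configured before you rely on option82-type reservations.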

Option-42

This option specifies a list of the NTP servers available to the client by IP address.

FortiGate-140D-POE # config system dhcp server

FortiGate-140D-POE (server) # edit 2

FortiGate-140D-POE (2) # set ntp-service
local     IP address of the interface the DHCP server is added to becomes the client's NTP server IP address.
default   Clients are assigned the FortiGate's configured NTP servers.
specify   Specify up to 3 NTP servers in the DHCP server configuration.

FortiGate-140D-POE (2) # set ntp-service

FortiGate-140D-POE (2) # set ntp-server1
<class_ip>   Class A,B,C ip xxx.xxx.xxx.xxx

FortiGate-140D-POE (2) # set ntp-server1 1.1.1.1

FortiGate-140D-POE (2) # set ntp-server2 2.2.2.2

FortiGate-140D-POE (2) # set ntp-server3 3.3.3.3

FortiGate-140D-POE (2) # end

Advanced configurations FortiOS 6.2

Advanced configurations

VDOM

You can use VDOMs (virtual domains) as a method of dividing a FortiGate unit into multiple virtual units. Each unit functions as an independent unit. VDOMs can provide separate security policies and, in NAT mode, completely separate configurations for routing and VPN services for each connected network.

By default, most FortiGate units support up to ten VDOMs. Many FortiGate models support purchasing a license key to increase the maximum number of VDOMs.

Sample topology

In this sample, you use VDOMs to provide Internet access for two different companies (called Company A and Company B) using a single FortiGate.

VDOM mode

There are three VDOM modes:

  • No VDOM. The VDOM setting is disabled. When VDOMs are disabled on any FortiGate unit, there is still one active VDOM: the root VDOM. The root VDOM is always in the background. When VDOMs are disabled, the root VDOM is not visible but it is still there.
  • Split VDOM. FortiGate has two VDOMs: the root VDOM and a VDOM for FortiGate traffic.
    1. The root VDOM is the management VDOM and only does management work. The following items are hidden in the root VDOM:
      • All Policy & Object entries.
      • User & Device entries.
      • Security Profiles.
      • Traffic-related FortiView entries.
      • VPN entries.
      • Fabric Connectors, Reputation, Feature Visibility, and Object Tags entries.
      • Wan-Opt entries.
      • Most route entries.
      • Most Log Event entries.
      • Monitor entries.
    2. The FortiGate traffic VDOM can provide separate security policies and allow traffic through the FortiGate.
  • Multi-VDOM. Multiple VDOMs, each functioning as an independent unit.

You can change VDOM modes in the following ways:

  • Change from no VDOM to split VDOM or vice versa.
  • Change from multi-VDOM to no VDOM.
  • Change from no VDOM/split VDOM to multi-VDOM is allowed only if CSF is disabled.
  • Change from multi-VDOM directly to split VDOM is not allowed. You must change to no VDOM first and then change from no VDOM to split VDOM.

To enable VDOMs in the GUI:

  1. Go to System > Settings.
  2. In the System Operation Settings section, enable Virtual Domains.
  3. Specify VDOM options.

On FortiGate 60 series models, you must use CLI to enable VDOMs.

To enable VDOMs in the CLI:

config system global
    set vdom-mode {no-vdom | split-vdom | multi-vdom}
end

To add a VDOM in the GUI:

  1. Go to Global > System > VDOM.
  2. Select Create New and specify the new VDOM parameters.

To add a VDOM in the CLI:

config vdom
    edit <new_vdom_name>
    next
end

To edit a VDOM in the GUI:

  1. Go to Global > System > VDOM.
  2. Select the VDOM and select Edit.
  3. Specify the new VDOM parameters.

To edit a VDOM in the CLI:

config vdom
    edit vdom_name
        config system settings
            set opmode nat
        end
    next
end

To delete a VDOM in the GUI:

  1. Go to Global > System > VDOM.
  2. Select the VDOM and select Delete.

To delete a VDOM in the CLI:

config vdom
    delete vdom_name
end

Operation mode

A FortiGate can operate in one of two modes: NAT/Route or Transparent.

NAT/Route is the most common operating mode. In this mode, a FortiGate is installed as a gateway or router between two networks. In most cases, it is used between a private network and the Internet. This allows the FortiGate to hide the IP addresses of the private network using network address translation (NAT). You can also use NAT/Route mode when several Internet service providers (ISPs) provide the FortiGate with redundant Internet connections.

In Transparent mode, the FortiGate is installed between the internal network and the router. In this mode, the FortiGate does not change any IP addresses and only applies security scanning to traffic. When you add a FortiGate to a network in Transparent mode, no network changes are required except to provide the FortiGate with a management IP address. Transparent mode is used primarily when there is a need to increase network protection but changing the configuration of the network itself is impractical.

By default, new VDOMs are set to NAT/Route operation mode. If you want a VDOM to be in Transparent operation mode, you must manually change it.

To change operation mode in the CLI:

config system settings
    set opmode {nat | transparent}
end

SNMP

The Simple Network Management Protocol (SNMP) enables you to monitor hardware on your network. You can configure the hardware, such as the FortiGate SNMP agent, to report system information and send traps (alarms or event messages) to SNMP managers.

SNMP v1/v2c

SNMPWALK is a Simple Network Management Protocol (SNMP) application present on the Security Management System (SMS) CLI that uses SNMP GETNEXT requests to query a network device for information. An object identifier (OID) may be given on the command line. This OID specifies which portion of the object identifier space will be searched using GETNEXT requests. All variables in the subtree below the given OID are queried and their values presented to the user.

To configure SNMP v1/v2c:

config system snmp community
    edit 1
        set name "REGR-SYS"
        config hosts
            edit 1
                set ip 10.1.100.11 255.255.255.255
            next
        end
        set events cpu-high mem-low log-full intf-ip vpn-tun-up vpn-tun-down ha-switch ha-hb-failure ips-signature ips-anomaly av-virus av-oversize av-pattern av-fragmented fm-if-change fm-conf-change bgp-established bgp-backward-transition ha-member-up ha-member-down ent-conf-change av-conserve av-bypass av-oversize-passed av-oversize-blocked ips-pkg-update ips-failopen faz-disconnect wc-ap-up wc-ap-down fswctl-session-up fswctl-session-down load-balance-real-server-down device-new
    next
end

Below is a sample SNMPWALK output on the above configuration:

snmpwalk -v2c -c REGR-SYS 10.1.100.1 1

SNMPv2-MIB::sysDescr.0 = STRING: REGR-SYS
SNMPv2-MIB::sysObjectID.0 = OID: FORTINET-FORTIGATE-MIB::fgt140P
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (224721) 0:37:27.21
SNMPv2-MIB::sysContact.0 = STRING: Gundam-Justice
SNMPv2-MIB::sysName.0 = STRING: FortiGate-140D-POE
SNMPv2-MIB::sysLocation.0 = STRING: Gundam-Seed
SNMPv2-MIB::sysServices.0 = INTEGER: 78
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00
SNMPv2-MIB::sysORIndex.1 = INTEGER: 1
SNMPv2-MIB::sysORID.1 = OID: SNMPv2-SMI::zeroDotZero.0
SNMPv2-MIB::sysORDescr.1 = STRING:
SNMPv2-MIB::sysORUpTime.1 = Timeticks: (0) 0:00:00.00
IF-MIB::ifNumber.0 = INTEGER: 45
IF-MIB::ifIndex.1 = INTEGER: 1
IF-MIB::ifIndex.2 = INTEGER: 2
IF-MIB::ifIndex.3 = INTEGER: 3
IF-MIB::ifIndex.4 = INTEGER: 4
IF-MIB::ifIndex.5 = INTEGER: 5
IF-MIB::ifIndex.6 = INTEGER: 6
IF-MIB::ifIndex.7 = INTEGER: 7
IF-MIB::ifIndex.8 = INTEGER: 8
IF-MIB::ifIndex.9 = INTEGER: 9
IF-MIB::ifIndex.10 = INTEGER: 10
IF-MIB::ifIndex.11 = INTEGER: 11
IF-MIB::ifIndex.12 = INTEGER: 12
IF-MIB::ifIndex.13 = INTEGER: 13
IF-MIB::ifIndex.14 = INTEGER: 14
IF-MIB::ifIndex.15 = INTEGER: 15
---------------truncated-------------------

SNMP v3

Authentication is used to ensure the identity of users. Privacy allows for encryption of SNMP v3 messages to ensure confidentiality of data. These protocols provide a higher level of security than is available in SNMP v1 and v2c, which use community strings for security. Both authentication and privacy are optional.

To configure SNMP v3:

config system snmp user
    edit "v3user"
        set notify-hosts 10.1.100.11
        set events cpu-high mem-low log-full intf-ip vpn-tun-up vpn-tun-down ha-switch ha-hb-failure ips-signature ips-anomaly av-virus av-oversize av-pattern av-fragmented fm-if-change fm-conf-change ha-member-up ha-member-down ent-conf-change av-conserve av-bypass av-oversize-passed av-oversize-blocked ips-pkg-update faz-disconnect
        set security-level auth-priv
        set auth-pwd ENC nu9t3vKW5BOw03RBzrp8cRVgq5kXg/ZqMgEACPNeNi+opioCE6ztKXjkn+eReY9DxSUjgO5TckbMgqfH+YpVzNJxvL8jueq8g00Hs5gJyRyueP22xsRudVv6v0gdfX47WTYvhqxBIDGnUKsL4NsztG0rJVUVZWNVPepdtWYMNDgGgePhvir3Rk/M1OjbS+mGX0YkYw==
        set priv-pwd ENC YlZKutoqQPWK0fut2QPyfFayGaMssCaBT4y+6mP0AXNC+NJSbOeYCfhL4XFvyvhH8l07Hww6QYcoIGAU9jBcMt+tJk97MExQ/VutOwlSizKNqfy9MnJjLWARoKQwOYKpnE2btZGxiFnFmD37mQHcKAtC9n531CPTYOuCtPQB26IjQ97yyWca4SqhRvuSZs6sjkSVWA==
    next
end

Below is a sample SNMPWALK output on the above configuration:

snmpwalk -v3 -u v3user -c REGR-SYS -a sha -A 1234567890 -x aes -X 1234567890 10.1.100.1 1 -l authpriv

SNMPv2-MIB::sysDescr.0 = STRING: REGR-SYS
SNMPv2-MIB::sysObjectID.0 = OID: FORTINET-FORTIGATE-MIB::fgt140P
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (14328) 0:02:23.28
SNMPv2-MIB::sysContact.0 = STRING: Gundam-Justice
SNMPv2-MIB::sysName.0 = STRING: FortiGate-140D-POE
SNMPv2-MIB::sysLocation.0 = STRING: Gundam-Seed
SNMPv2-MIB::sysServices.0 = INTEGER: 78
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00
SNMPv2-MIB::sysORIndex.1 = INTEGER: 1
SNMPv2-MIB::sysORID.1 = OID: SNMPv2-SMI::zeroDotZero.0
SNMPv2-MIB::sysORDescr.1 = STRING:
SNMPv2-MIB::sysORUpTime.1 = Timeticks: (0) 0:00:00.00
IF-MIB::ifNumber.0 = INTEGER: 45
IF-MIB::ifIndex.1 = INTEGER: 1
IF-MIB::ifIndex.2 = INTEGER: 2
IF-MIB::ifIndex.3 = INTEGER: 3
IF-MIB::ifIndex.4 = INTEGER: 4
IF-MIB::ifIndex.5 = INTEGER: 5
IF-MIB::ifIndex.6 = INTEGER: 6
IF-MIB::ifIndex.7 = INTEGER: 7
IF-MIB::ifIndex.8 = INTEGER: 8
IF-MIB::ifIndex.9 = INTEGER: 9
IF-MIB::ifIndex.10 = INTEGER: 10
IF-MIB::ifIndex.11 = INTEGER: 11
IF-MIB::ifIndex.12 = INTEGER: 12
IF-MIB::ifIndex.13 = INTEGER: 13
IF-MIB::ifIndex.14 = INTEGER: 14
IF-MIB::ifIndex.15 = INTEGER: 15
IF-MIB::ifIndex.16 = INTEGER: 16
IF-MIB::ifIndex.17 = INTEGER: 17
IF-MIB::ifIndex.18 = INTEGER: 18
IF-MIB::ifIndex.19 = INTEGER: 19
IF-MIB::ifIndex.20 = INTEGER: 20
IF-MIB::ifIndex.21 = INTEGER: 21
IF-MIB::ifIndex.22 = INTEGER: 22
IF-MIB::ifIndex.23 = INTEGER: 23
IF-MIB::ifIndex.24 = INTEGER: 24
IF-MIB::ifIndex.25 = INTEGER: 25
IF-MIB::ifIndex.26 = INTEGER: 26
IF-MIB::ifIndex.27 = INTEGER: 27
IF-MIB::ifIndex.28 = INTEGER: 28
IF-MIB::ifIndex.29 = INTEGER: 29
IF-MIB::ifIndex.30 = INTEGER: 30
IF-MIB::ifIndex.31 = INTEGER: 31
IF-MIB::ifIndex.32 = INTEGER: 32
IF-MIB::ifIndex.33 = INTEGER: 33
IF-MIB::ifIndex.34 = INTEGER: 34
IF-MIB::ifIndex.35 = INTEGER: 35
IF-MIB::ifIndex.36 = INTEGER: 36
IF-MIB::ifIndex.37 = INTEGER: 37
IF-MIB::ifIndex.38 = INTEGER: 38
IF-MIB::ifIndex.39 = INTEGER: 39
IF-MIB::ifIndex.40 = INTEGER: 40
IF-MIB::ifIndex.41 = INTEGER: 41
IF-MIB::ifIndex.42 = INTEGER: 42
IF-MIB::ifIndex.43 = INTEGER: 43
IF-MIB::ifIndex.44 = INTEGER: 44
IF-MIB::ifIndex.45 = INTEGER: 45
=====================Truncated=========================

Important SNMP traps

Link Down and Link Up traps

This trap is sent when a FortiGate port goes down or is brought up. For example, the below traps are generated when the state of port34 is set to down using set status down and then brought up using set status up.

NET-SNMP version 5.7.3
2019-01-31 14:11:48 10.1.100.1(via UDP: [10.1.100.1]:162->[10.1.100.11]:162) TRAP, SNMP v1, community REGR-SYS
    SNMPv2-MIB::snmpTraps Link Down Trap (0) Uptime: 0:14:44.95
    IF-MIB::ifIndex.42 = INTEGER: 42
    IF-MIB::ifAdminStatus.42 = INTEGER: down(2)
    IF-MIB::ifOperStatus.42 = INTEGER: down(2)
    FORTINET-CORE-MIB::fnSysSerial.0 = STRING: FG140P3G15800330
    SNMPv2-MIB::sysName.0 = STRING: FortiGate-140D-POE

2019-01-31 14:11:48 <UNKNOWN> [UDP: [10.1.100.1]:162->[10.1.100.11]:162]: DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (88495) 0:14:44.95 SNMPv2-MIB::snmpTrapOID.0 = OID: IF-MIB::linkDown IF-MIB::ifIndex.42 = INTEGER: 42 IF-MIB::ifAdminStatus.42 = INTEGER: down(2) IF-MIB::ifOperStatus.42 = INTEGER: down(2) FORTINET-CORE-MIB::fnSysSerial.0 = STRING: FG140P3G15800330 SNMPv2-MIB::sysName.0 = STRING: FortiGate-140D-POE

2019-01-31 14:12:01 10.1.100.1(via UDP: [10.1.100.1]:162->[10.1.100.11]:162) TRAP, SNMP v1, community REGR-SYS
    SNMPv2-MIB::snmpTraps Link Up Trap (0) Uptime: 0:14:57.98
    IF-MIB::ifIndex.42 = INTEGER: 42
    IF-MIB::ifAdminStatus.42 = INTEGER: up(1)
    IF-MIB::ifOperStatus.42 = INTEGER: up(1)
    FORTINET-CORE-MIB::fnSysSerial.0 = STRING: FG140P3G15800330
    SNMPv2-MIB::sysName.0 = STRING: FortiGate-140D-POE

2019-01-31 14:12:01 <UNKNOWN> [UDP: [10.1.100.1]:162->[10.1.100.11]:162]: DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (89798) 0:14:57.98 SNMPv2-MIB::snmpTrapOID.0 = OID: IF-MIB::linkUp IF-MIB::ifIndex.42 = INTEGER: 42 IF-MIB::ifAdminStatus.42 = INTEGER: up(1) IF-MIB::ifOperStatus.42 = INTEGER: up(1) FORTINET-CORE-MIB::fnSysSerial.0 = STRING: FG140P3G15800330 SNMPv2-MIB::sysName.0 = STRING: FortiGate-140D-POE

fgFmTrapIfChange trap

This trap is sent when any changes are detected on the interface. The change can be very simple, such as giving an IPV4 address. For example, the user has given the IP address of 1.2.3.4/24 to port 1 and the EMS Manager has detected the below trap.

DISMAN-EXPRESSION-MIB::sysUpTimeInstance = Timeticks: (7975058) 22:09:10.58 SNMPv2-MIB::snmpTrapOID.0 = OID: FORTINET-FORTIGATE-MIB::fgFmTrapIfChange FORTINET-CORE-MIB::fnSysSerial.0 = STRING: FG140P3G15800330 IF-MIB::ifName.45 = STRING: port1 FORTINET-FORTIGATE-MIB::fgManIfIp.0 = IpAddress: 1.2.3.4 FORTINET-FORTIGATE-MIB::fgManIfMask.0 = IpAddress: 255.255.255.0 FORTINET-FORTIGATE-MIB::fgManIfIp6.0 = STRING: 0:0:0:0:0:0:0:0

entConfigChange trap

The change to the interface in the example above has also triggered the ConfChange Trap which is sent along with the fgFmTrapIfChange trap.

2018-11-15 09:30:23 FGT_A [UDP: [172.16.200.1]:162->[172.16.200.55]:162]: DISMAN-EXPRESSION-MIB::sysUpTimeInstance = Timeticks: (8035097) 22:19:10.97 SNMPv2-MIB::snmpTrapOID.0 = OID: ENTITY-MIB::entConfigChange

fgTrapDeviceNew trap

This trap is triggered when a new device like FortiAP/FortiSwitch is connected to the FortiGate. For example, the below scenario has given the device a new trap for adding FortiAP on a POE interface of FGT140D-POE. The trap has important information about the device name, device MAC address, and when it was last seen.

2018-11-15 11:17:43 UDP/IPv6: [2000:172:16:200::1]:162 [UDP/IPv6: [2000:172:16:200::1]:162]: DISMAN-EXPRESSION-MIB::sysUpTimeInstance = Timeticks: (520817) 1:26:48.17 SNMPv2-MIB::snmpTrapOID.0 = OID: FORTINET-FORTIGATE-MIB::fgTrapDeviceNew FORTINET-CORE-MIB::fnSysSerial.0 = STRING: FG140P3G15800330 SNMPv2-MIB::sysName.0 = STRING: FGT_A IF-MIB::ifIndex.0 = INTEGER: 0 FORTINET-FORTIGATE-MIB::fgVdEntIndex.0 = INTEGER: 0 FORTINET-FORTIGATE-MIB::fgDeviceCreated.0 = Gauge32: 5 FORTINET-FORTIGATE-MIB::fgDeviceLastSeen.0 = Gauge32: 5 FORTINET-FORTIGATE-MIB::fgDeviceMacAddress.0 = STRING: 90:6c:ac:f9:97:a0

2018-11-15 11:17:43 FGT_A [UDP: [172.16.200.1]:162->[172.16.200.55]:162]: DISMAN-EXPRESSION-MIB::sysUpTimeInstance = Timeticks: (520817) 1:26:48.17 SNMPv2-MIB::snmpTrapOID.0 = OID: FORTINET-FORTIGATE-MIB::fgTrapDeviceNew FORTINET-CORE-MIB::fnSysSerial.0 = STRING: FG140P3G15800330 SNMPv2-MIB::sysName.0 = STRING: FGT_A IF-MIB::ifIndex.0 = INTEGER: 0 FORTINET-FORTIGATE-MIB::fgVdEntIndex.0 = INTEGER: 0 FORTINET-FORTIGATE-MIB::fgDeviceCreated.0 = Gauge32: 5 FORTINET-FORTIGATE-MIB::fgDeviceLastSeen.0 = Gauge32: 5 FORTINET-FORTIGATE-MIB::fgDeviceMacAddress.0 = STRING: 90:6c:ac:f9:97:a0

fgTrapAvOversize trap

The fgTrapAvOversize trap is generated when Antivirus Scanner detects an Oversized File.

2019-01-31 13:22:04 10.1.100.1(via UDP: [10.1.100.1]:162->[10.1.100.11]:162) TRAP, SNMP v1, community REGR-SYS
    FORTINET-FORTIGATE-MIB::fgt140P Enterprise Specific Trap (602) Uptime: 1 day, 3:41:10.31
    FORTINET-CORE-MIB::fnSysSerial.0 = STRING: FG140P3G15800330
    SNMPv2-MIB::sysName.0 = STRING: FortiGate-140D-POE

2019-01-31 13:22:29 <UNKNOWN> [UDP: [10.1.100.1]:162->[10.1.100.11]:162]: DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (9967031) 1 day, 3:41:10.31 SNMPv2-MIB::snmpTrapOID.0 = OID: FORTINET-FORTIGATE-MIB::fgTrapAvOversize FORTINET-CORE-MIB::fnSysSerial.0 = STRING: FG140P3G15800330 SNMPv2-MIB::sysName.0 = STRING: FortiGate-140D-POE
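As an added example (not Fortinet code), the Python below parses snmptrapd-style lines like the ones in this section into their varbinds and assigns each trap a severity, so that a collector can raise linkDown, entConfigChange and fgTrapDeviceNew events instead of just logging them. The sample lines are constructed from the traps shown above (same OIDs and values); the severity table and the function names are this example's own choices.

```python
"""Triage snmptrapd-style trap lines from a FortiGate into alerts.

Added example, not Fortinet code. SAMPLE_TRAPS is constructed from the trap
output shown on this page (same OIDs and values); the severity table and the
function names are this example's own choices.
"""
import re
from typing import Dict, List

# A varbind name looks like MODULE-MIB::object or MODULE-MIB::object.index
VARBIND_NAME = r"[A-Za-z0-9-]+::[A-Za-z0-9.]+"
FIRST_VARBIND = re.compile(VARBIND_NAME + r" = ")
VARBIND_SPLIT = re.compile(r"\s+(?=" + VARBIND_NAME + r" = )")
SOURCE_RE = re.compile(r"\[UDP(?:/IPv6)?: \[([^\]]+)\]:\d+")

# Severity per trap OID suffix: this example's own policy, not a Fortinet default.
SEVERITY = {
    "linkDown": "high",
    "linkUp": "info",
    "entConfigChange": "medium",
    "fgFmTrapIfChange": "medium",
    "fgTrapDeviceNew": "medium",
    "fgTrapAvOversize": "low",
}

# Constructed sample lines in the log format shown on the page.
SAMPLE_TRAPS = [
    "2019-01-31 14:11:48 <UNKNOWN> [UDP: [10.1.100.1]:162->[10.1.100.11]:162]: "
    "DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (88495) 0:14:44.95 "
    "SNMPv2-MIB::snmpTrapOID.0 = OID: IF-MIB::linkDown IF-MIB::ifIndex.42 = INTEGER: 42 "
    "IF-MIB::ifAdminStatus.42 = INTEGER: down(2) IF-MIB::ifOperStatus.42 = INTEGER: down(2) "
    "FORTINET-CORE-MIB::fnSysSerial.0 = STRING: FG140P3G15800330 "
    "SNMPv2-MIB::sysName.0 = STRING: FortiGate-140D-POE",
    "2019-01-31 14:12:01 <UNKNOWN> [UDP: [10.1.100.1]:162->[10.1.100.11]:162]: "
    "DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (89798) 0:14:57.98 "
    "SNMPv2-MIB::snmpTrapOID.0 = OID: IF-MIB::linkUp IF-MIB::ifIndex.42 = INTEGER: 42 "
    "IF-MIB::ifAdminStatus.42 = INTEGER: up(1) IF-MIB::ifOperStatus.42 = INTEGER: up(1) "
    "FORTINET-CORE-MIB::fnSysSerial.0 = STRING: FG140P3G15800330 "
    "SNMPv2-MIB::sysName.0 = STRING: FortiGate-140D-POE",
    "2018-11-15 09:30:23 FGT_A [UDP: [172.16.200.1]:162->[172.16.200.55]:162]: "
    "DISMAN-EXPRESSION-MIB::sysUpTimeInstance = Timeticks: (8035097) 22:19:10.97 "
    "SNMPv2-MIB::snmpTrapOID.0 = OID: ENTITY-MIB::entConfigChange",
    "2018-11-15 11:17:43 FGT_A [UDP: [172.16.200.1]:162->[172.16.200.55]:162]: "
    "DISMAN-EXPRESSION-MIB::sysUpTimeInstance = Timeticks: (520817) 1:26:48.17 "
    "SNMPv2-MIB::snmpTrapOID.0 = OID: FORTINET-FORTIGATE-MIB::fgTrapDeviceNew "
    "FORTINET-CORE-MIB::fnSysSerial.0 = STRING: FG140P3G15800330 "
    "SNMPv2-MIB::sysName.0 = STRING: FGT_A IF-MIB::ifIndex.0 = INTEGER: 0 "
    "FORTINET-FORTIGATE-MIB::fgVdEntIndex.0 = INTEGER: 0 "
    "FORTINET-FORTIGATE-MIB::fgDeviceCreated.0 = Gauge32: 5 "
    "FORTINET-FORTIGATE-MIB::fgDeviceLastSeen.0 = Gauge32: 5 "
    "FORTINET-FORTIGATE-MIB::fgDeviceMacAddress.0 = STRING: 90:6c:ac:f9:97:a0",
]


def parse_trap_line(line: str) -> Dict[str, str]:
    """Return {'timestamp', 'source'} plus one entry per varbind name -> value."""
    m = FIRST_VARBIND.search(line)
    if m is None:
        raise ValueError("no varbinds found in trap line")
    header, body = line[:m.start()], line[m.start():]
    fields: Dict[str, str] = {"timestamp": header[:19]}
    src = SOURCE_RE.search(header)
    fields["source"] = src.group(1) if src else ""
    for chunk in VARBIND_SPLIT.split(body):
        name, _, rest = chunk.partition(" = ")
        _type, _, value = rest.partition(": ")      # "INTEGER: down(2)" -> "down(2)"
        fields[name] = value.strip()
    return fields


def strip_index(name: str) -> str:
    """'IF-MIB::ifIndex.42' -> 'ifIndex'."""
    return name.split("::", 1)[-1].split(".", 1)[0]


def triage(fields: Dict[str, str]) -> Dict[str, str]:
    """Map a parsed trap to {'severity', 'summary'} from its trap OID and the varbinds that matter."""
    trap = fields.get("SNMPv2-MIB::snmpTrapOID.0", "")
    kind = trap.split("::", 1)[-1]
    by_obj = {strip_index(k): v for k, v in fields.items() if "::" in k}
    device = by_obj.get("sysName", fields["source"])   # fall back to the sender address
    if kind in ("linkDown", "linkUp"):
        summary = f"{device}: interface ifIndex {by_obj.get('ifIndex')} {kind}"
    elif kind == "entConfigChange":
        summary = f"{device}: configuration changed"
    elif kind == "fgFmTrapIfChange":
        summary = f"{device}: {by_obj.get('ifName')} address now {by_obj.get('fgManIfIp')}"
    elif kind == "fgTrapDeviceNew":
        summary = f"{device}: new device {by_obj.get('fgDeviceMacAddress')}"
    elif kind == "fgTrapAvOversize":
        summary = f"{device}: antivirus scanner saw an oversized file"
    else:
        summary = f"{device}: unhandled trap {trap}"
    return {"severity": SEVERITY.get(kind, "unknown"), "summary": summary}


def triage_lines(lines: List[str]) -> List[Dict[str, str]]:
    """Parse and triage every line; one alert dict per trap."""
    return [triage(parse_trap_line(line)) for line in lines]


if __name__ == "__main__":
    for alert in triage_lines(SAMPLE_TRAPS):
        print(alert["severity"].upper(), alert["summary"])
```

Feed it the lines snmptrapd writes for the v2c/v3 format (the single-line records above that start with the timestamp and the `[UDP: ...]` tuple); the multi-line SNMP v1 records would need a small pre-join step, which this example leaves out.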

System Configuration – Virtual Domains – FortiOS 6.2

Virtual Domains

Virtual Domains (VDOMs) are used to divide a FortiGate into two or more virtual units that function independently. VDOMs can provide separate security policies and, in NAT mode, completely separate configurations for routing and VPN services for each connected network.

There are two VDOM modes:

  • Split-task VDOM mode: One VDOM is used only for management, and the other is used to manage traffic. See Split-task VDOM mode below.
  • Multi VDOM mode: Multiple VDOMs can be created and managed as independent units. See Multi VDOM mode.

By default, most FortiGate units support 10 VDOMs, and many FortiGate models support purchasing a license key to increase the maximum number.

Global settings are configured outside of a VDOM. They affect the entire FortiGate, and include settings such as interfaces, firmware, DNS, some logging and sandboxing options, and others. Global settings should only be changed by top-level administrators.

Switching VDOM modes

Current VDOM mode   New VDOM mode     Rule
No VDOM             Split-task VDOM   Allowed
Split-task VDOM     No VDOM           Allowed
No VDOM             Multi VDOM        Allowed only if CSF is disabled
Multi VDOM          No VDOM           Allowed
Split-task VDOM     Multi VDOM        Allowed only if CSF is disabled
Multi VDOM          Split-task VDOM   Not allowed. User must first switch to No VDOM.

Split-task VDOM mode

In split-task VDOM mode, the FortiGate has two VDOMs: the management VDOM (root) and the traffic VDOM (FGtraffic).

The management VDOM is used to manage the FortiGate, and cannot be used to process traffic.

The following GUI sections are available when in the management VDOM:

  • The Status dashboard
  • Security Fabric topology and settings (read-only, except for HTTP Service settings)
  • Interface and static route configuration
  • FortiClient configuration
  • Replacement messages
  • Advanced system settings
  • Certificates
  • System events
  • Log and email alert settings
  • Threat weight definitions

The traffic VDOM provides separate security policies, and is used to process all network traffic.

The following GUI sections are available when in the traffic VDOM:

  • The Status, Top Usage LAN/DMZ, and Security dashboards
  • Security Fabric topology, settings (read-only, except for HTTP Service settings), and Fabric Connectors (SSO/Identity connectors only)
  • FortiView
  • Interface configuration
  • Packet capture
  • SD-WAN, SD-WAN Rules, and Performance SLA
  • Static and policy routes
  • RIP, OSPF, BGP, and Multicast
  • Replacement messages
  • Advanced system settings
  • Feature visibility
  • Tags
  • Certificates
  • Policies and objects
  • Security profiles
  • VPNs
  • User and device authentication
  • WiFi and switch controller
  • Logging
  • Monitoring

Split-task VDOM mode is not available on all FortiGate models. The Fortinet Security Fabric supports split-task VDOM mode.

Enable split-task VDOM mode

Split-task VDOM mode can be enabled in the GUI or CLI. Enabling it does not require a reboot, but does log you out of the FortiGate.

When split-task VDOM mode is enabled, all current management configuration is assigned to the root VDOM, and all non-management settings, such as firewall policies and security profiles, are deleted.

To enable split-task VDOM mode in the GUI:

  1. On the FortiGate, go to System > Settings.
  2. In the System Operation Settings section, enable Virtual Domains.
  3. Select Split-Task VDOM for the VDOM mode.
  4. Select a Dedicated Management Interface from the Interface list. This interface is used to access the management VDOM, and cannot be used in firewall policies.
  5. Click OK.

To enable split-task VDOM mode with the CLI:

config system global
    set vdom-mode split-vdom
end

Assign interfaces to a VDOM

An interface can only be assigned to one of the VDOMs. When split-task VDOM mode is enabled, all interfaces are assigned to the root VDOM. To use an interface in a policy, it must first be assigned to the traffic VDOM.

An interface cannot be moved if it is referenced in an existing configuration.

To assign an interface to a VDOM in the GUI:

  1. On the FortiGate, go to Global > Network > Interfaces.
  2. Edit the interface that will be assigned to a VDOM.
  3. Select the VDOM that the interface will be assigned to from the Virtual Domain list.
  4. Click OK.

To assign an interface to a VDOM using the CLI:

config global
    config system interface
        edit <interface>
            set vdom <VDOM_name>
        next
    end
end

Create per-VDOM administrators

Per-VDOM administrators can be created that can access only the management or traffic VDOM. These administrators must use either the prof_admin administrator profile, or a custom profile.

A per-VDOM administrator can only access the FortiGate through a network interface that is assigned to the VDOM that they are assigned to. The interface must also be configured to allow management access. They can also connect to the FortiGate using the console port.

To assign an administrator to multiple VDOMs, they must be created at the global level. When creating an administrator at the VDOM level, the super_admin administrator profile cannot be used.

To create a per-VDOM administrator in the GUI:

  1. On the FortiGate, connect to the management VDOM.
  2. Go to Global > System > Administrators and click Create New > Administrator.
  3. Fill in the required information, setting the Type as Local User.
  4. In the Virtual Domains field, add the VDOM that the administrator will be assigned to, and if necessary, remove the other VDOM from the list.
  5. Click OK.

To create a per-VDOM administrator using the CLI:

config global
    config system admin
        edit <name>
            set vdom <VDOM_name>
            set password <password>
            set accprofile <admin_profile>
            …
        next
    end
end

Multi VDOM mode

In multi VDOM mode, the FortiGate can have multiple VDOMs that function as independent units. One VDOM is used to manage global settings.

Multi VDOM mode isn’t available on all FortiGate models. The Fortinet Security Fabric does not support multi VDOM mode.

There are three main configuration types in multi VDOM mode:

Independent VDOMs:

Multiple, completely separate VDOMs are created. Any VDOM can be the management VDOM, as long as it has Internet access. There are no inter-VDOM links, and each VDOM is independently managed.

Management VDOM:

A management VDOM is located between the other VDOMs and the Internet, and the other VDOMs connect to the management VDOM with inter-VDOM links. The management VDOM has complete control over Internet access, including the types of traffic that are allowed in both directions. This can improve security, as there is only one point of ingress and egress.

There is no communication between the other VDOMs.

Meshed VDOMs:

VDOMs can communicate with inter-VDOM links. In full-mesh configurations, all the VDOMs are interconnected. In partial-mesh configurations, only some of the VDOMs are interconnected.

In this configuration, proper security must be achieved by using firewall policies and ensuring secure account access for administrators and users.

Multi VDOM configuration examples

The following examples show how to configure per-VDOM settings, such as operation mode, routing, and security policies, in a network that includes the following VDOMs:

  • VDOM-A: allows the internal network to access the Internet.
  • VDOM-B: allows external connections to an FTP server.
  • root: the management VDOM.

You can use VDOMs in either NAT or transparent mode on the same FortiGate. By default, VDOMs operate in NAT mode.

For both examples, multi VDOM mode must be enabled, and VDOM-A and VDOM-B must be created.

Enable multi VDOM mode

Multi VDOM mode can be enabled in the GUI or CLI. Enabling it does not require a reboot, but does log you out of the device. The current configuration is assigned to the root VDOM.

To enable multi VDOM mode in the GUI:

  1. On the FortiGate, go to System > Settings.
  2. In the System Operation Settings section, enable Virtual Domains.
  3. Select Multi VDOM for the VDOM mode.
  4. Click OK.

To enable multi VDOM mode with the CLI:

config system global
    set vdom-mode multi-vdom
end

Create the VDOMs

To create the VDOMs in the GUI:

  1. In the Global VDOM, go to System > VDOM, and click Create New. The New Virtual Domain page opens.
  2. In the Virtual Domain field, enter VDOM-A.
  3. If required, set the NGFW Mode. If the NGFW Mode is Policy-based, select an SSL/SSH Inspection from the list.
  4. Optionally, enter a comment.
  5. Click OK to create the VDOM.
  6. Repeat the above steps for VDOM-B.

To create the VDOMs with the CLI:

config vdom
    edit <VDOM-A>
    next
    edit <VDOM-B>
    next
end

NAT mode

In this example, both VDOM-A and VDOM-B use NAT mode. A VDOM link is created that allows users on the internal network to access the FTP server.

This configuration requires the following steps:

  1. Configure VDOM-A
  2. Configure VDOM-B
  3. Configure the VDOM link

Configure VDOM-A

VDOM-A allows connections from devices on the internal network to the Internet. WAN 1 and port 1 are assigned to this VDOM.

The per-VDOM configuration for VDOM-A includes the following:

  • A firewall address for the internal network
  • A static route to the ISP gateway
  • A security policy allowing the internal network to access the Internet

All procedures in this section require you to connect to VDOM-A, either using a global or per-VDOM administrator account.

To add the firewall addresses in the GUI:

  1. Go to Policy & Objects > Addresses and create a new address.
  2. Enter the following information:
| Setting | Value |
|---|---|
| Name | internal-network |
| Type | Subnet |
| Subnet / IP Range | 192.168.10.0/255.255.255.0 |
| Interface | port1 |
| Show in Address List | enabled |

To add the firewall addresses with the CLI:

config vdom
    edit VDOM-A
        config firewall address
            edit internal-network
                set associated-interface port1
                set subnet 192.168.10.0 255.255.255.0
            next
        end
    next
end

To add a default route in the GUI:

  1. Go to Network > Static Routes and create a new route.
  2. Enter the following information:
| Setting | Value |
|---|---|
| Destination | Subnet |
| IP address | 0.0.0.0/0.0.0.0 |
| Gateway | 172.20.201.7 |
| Interface | wan1 |
| Distance | 10 |

To add a default route with the CLI:

config vdom
    edit VDOM-A
        config router static
            edit 0
                set gateway 172.20.201.7
                set device wan1
            next
        end
    next
end

To add the security policy in the GUI:

  1. Connect to VDOM-A.
  2. Go to Policy & Objects > IPv4 Policy and create a new policy.
  3. Enter the following information:
| Setting | Value |
|---|---|
| Name | VDOM-A-Internet |
| Incoming Interface | port1 |
| Outgoing Interface | wan1 |
| Source Address | internal-network |
| Destination Address | all |
| Schedule | always |
| Service | ALL |
| Action | ACCEPT |
| NAT | enabled |

To add the security policy with the CLI:

config vdom
    edit VDOM-A
        config firewall policy
            edit 0
                set name VDOM-A-Internet
                set srcintf port1
                set dstintf wan1
                set srcaddr internal-network
                set dstaddr all
                set action accept
                set schedule always
                set service ALL
                set nat enable
            next
        end
    next
end

Configure VDOM-B

VDOM-B allows external connections to reach an internal FTP server. WAN 2 and port 2 are assigned to this VDOM.

The per-VDOM configuration for VDOM-B includes the following:

  • A firewall address for the FTP server
  • A virtual IP address for the FTP server
  • A static route to the ISP gateway
  • A security policy allowing external traffic to reach the FTP server

All procedures in this section require you to connect to VDOM-B, either using a global or per-VDOM administrator account.

To add the firewall addresses in the GUI:

  1. Go to Policy & Objects > Addresses and create a new address.
  2. Enter the following information:
| Setting | Value |
|---|---|
| Address Name | FTP-server |
| Type | Subnet |
| Subnet / IP Range | 192.168.20.10/32 |
| Interface | port2 |
| Show in Address List | enabled |

To add the firewall addresses with the CLI:

config vdom
    edit VDOM-B
        config firewall address
            edit FTP-server
                set associated-interface port2
                set subnet 192.168.20.10 255.255.255.255
            next
        end
    next
end

To add the virtual IP address in the GUI:

  1. Go to Policy & Objects > Virtual IPs and create a new virtual IP address.
  2. Enter the following information:
| Setting | Value |
|---|---|
| Name | FTP-server-VIP |
| Interface | wan2 |
| External IP Address/Range | 172.25.177.42 |
| Internal IP Address/Range | 192.168.20.10 |

To add the virtual IP address with the CLI:

config firewall vip
    edit FTP-server-VIP
        set extip 172.25.177.42
        set extintf wan2
        set mappedip 192.168.20.10
    next
end

To add a default route in the GUI:

  1. Go to Network > Static Routes and create a new route.
  2. Enter the following information:
| Setting | Value |
|---|---|
| Destination | Subnet |
| IP address | 0.0.0.0/0.0.0.0 |
| Gateway | 172.20.10.10 |
| Interface | wan2 |
| Distance | 10 |

To add a default route with the CLI:

config vdom
    edit VDOM-B
        config router static
            edit 0
                set device wan2
                set gateway 172.20.10.10
            next
        end
    next
end

To add the security policy in the GUI:

  1. Go to Policy & Objects > IPv4 Policy and create a new policy.
  2. Enter the following information:
| Setting | Value |
|---|---|
| Name | Access-server |
| Incoming Interface | wan2 |
| Outgoing Interface | port2 |
| Source Address | all |
| Destination Address | FTP-server-VIP |
| Schedule | always |
| Service | FTP |
| Action | ACCEPT |
| NAT | enabled |

To add the security policy with the CLI:

config vdom
    edit VDOM-B
        config firewall policy
            edit 0
                set name Access-server
                set srcintf wan2
                set dstintf port2
                set srcaddr all
                set dstaddr FTP-server-VIP
                set action accept
                set schedule always
                set service FTP
                set nat enable
            next
        end
    next
end

Configure the VDOM link

The VDOM link allows connections from VDOM-A to VDOM-B. This allows users on the internal network to access the FTP server through the FortiGate.

The configuration for the VDOM link includes the following:

  • The VDOM link interface
  • Firewall addresses for the FTP server on VDOM-A and for the internal network on VDOM-B
  • Static routes for the FTP server on VDOM-A and for the internal network on VDOM-B
  • Policies allowing traffic using the VDOM link

All procedures in this section require you to connect to the global VDOM using a global administrator account.

To add the VDOM link in the GUI:

  1. Connect to root.
  2. Go to Global > Network > Interfaces and select Create New > VDOM link.
  3. Enter the following information:
| Setting | Value |
|---|---|
| Name | VDOM-link |
| Interface 0: Virtual Domain | VDOM-A |
| Interface 0: IP/Netmask | 0.0.0.0/0.0.0.0 |
| Interface 1: Virtual Domain | VDOM-B |
| Interface 1: IP/Netmask | 0.0.0.0/0.0.0.0 |

To add the VDOM link with the CLI:

config global
    config system vdom-link
        edit VDOM-link
        next
    end
    config system interface
        edit VDOM-link0
            set vdom VDOM-A
            set ip 0.0.0.0 0.0.0.0
        next
        edit VDOM-link1
            set vdom VDOM-B
            set ip 0.0.0.0 0.0.0.0
        next
    end
end

The two link interfaces are named after the VDOM link with a 0 and 1 suffix, so the name given under config system vdom-link (VDOM-link) must match the VDOM-link0 and VDOM-link1 interface names used in the rest of this example.

To add the firewall address on VDOM-A in the GUI:

  1. Connect to VDOM-A.
  2. Go to Policy & Objects > Addresses and create a new address.
  3. Enter the following information:
| Setting | Value |
|---|---|
| Address Name | FTP-server |
| Type | Subnet |
| Subnet / IP Range | 192.168.20.10/32 |
| Interface | VDOM-link0 |
| Show in Address List | enabled |
| Static Route Configuration | enabled |

To add the firewall addresses on VDOM-A with the CLI:

config vdom
    edit VDOM-A
        config firewall address
            edit FTP-server
                set associated-interface VDOM-link0
                set allow-routing enable
                set subnet 192.168.20.10 255.255.255.255
            next
        end
    next
end

To add the static route on VDOM-A in the GUI:

  1. Connect to VDOM-A.
  2. Go to Network > Static Routes and create a new route.
  3. Enter the following information:
| Setting | Value |
|---|---|
| Destination | Named Address |
| Named Address | FTP-server |
| Gateway | 0.0.0.0 |
| Interface | VDOM-link0 |

To add the static route on VDOM-A with the CLI:

config vdom
    edit VDOM-A
        config router static
            edit 0
                set device VDOM-link0
                set dstaddr FTP-server
            next
        end
    next
end

To add the security policy on VDOM-A in the GUI:

  1. Connect to VDOM-A.
  2. Go to Policy & Objects > IPv4 Policy and create a new policy.
  3. Enter the following information:
| Setting | Value |
|---|---|
| Name | Access-FTP-server |
| Incoming Interface | port1 |
| Outgoing Interface | VDOM-link0 |
| Source | internal-network |
| Destination | FTP-server |
| Schedule | always |
| Service | FTP |
| Action | ACCEPT |
| NAT | disabled |

To add the security policy on VDOM-A with the CLI:

config vdom
    edit VDOM-A
        config firewall policy
            edit 0
                set name Access-FTP-server
                set srcintf port1
                set dstintf VDOM-link0
                set srcaddr internal-network
                set dstaddr FTP-server
                set action accept
                set schedule always
                set service FTP
            next
        end
    next
end

To add the firewall address on VDOM-B in the GUI:

  1. Connect to VDOM-B.
  2. Go to Policy & Objects > Addresses and create a new address.
  3. Enter the following information:
| Setting | Value |
|---|---|
| Address Name | internal-network |
| Type | Subnet |
| Subnet / IP Range | 192.168.10.0/24 |
| Interface | VDOM-link1 |
| Show in Address List | enabled |
| Static Route Configuration | enabled |

To add the firewall addresses on VDOM-B with the CLI:

config vdom
    edit VDOM-B
        config firewall address
            edit internal-network
                set associated-interface VDOM-link1
                set allow-routing enable
                set subnet 192.168.10.0 255.255.255.0
            next
        end
    next
end

To add the static route on VDOM-B in the GUI:

  1. Connect to VDOM-B.
  2. Go to Network > Static Routes and create a new route.
  3. Enter the following information:
| Setting | Value |
|---|---|
| Destination | Named Address |
| Named Address | internal-network |
| Gateway | 0.0.0.0 |
| Interface | VDOM-link1 |

To add the static route on VDOM-B with the CLI:

config vdom
    edit VDOM-B
        config router static
            edit 0
                set device VDOM-link1
                set dstaddr internal-network
            next
        end
    next
end

To add the security policy on VDOM-B in the GUI:

  1. Connect to VDOM-B.
  2. Go to Policy & Objects > IPv4 Policy and create a new policy.
  3. Enter the following information:
| Setting | Value |
|---|---|
| Name | Internal-server-access |
| Incoming Interface | VDOM-link1 |
| Outgoing Interface | port2 |
| Source | internal-network |
| Destination | FTP-server |
| Schedule | always |
| Service | FTP |
| Action | ACCEPT |
| NAT | disabled |

To add the security policy on VDOM-B with the CLI:

config vdom
    edit VDOM-B
        config firewall policy
            edit 0
                set name Internal-server-access
                set srcintf VDOM-link1
                set dstintf port2
                set srcaddr internal-network
                set dstaddr FTP-server
                set action accept
                set schedule always
                set service FTP
            next
        end
    next
end
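Because an interface belongs to exactly one VDOM (see Assign interfaces to a VDOM above), a per-VDOM address, route or policy that names an interface owned by another VDOM is a configuration error that is easy to make when copying blocks between VDOM-A and VDOM-B. The following Python is an added check written for this page, not Fortinet code: it parses the config/edit/set/next/end structure used above and reports such mismatches; the sample configuration is constructed and deliberately binds an address to VDOM-link0 from inside VDOM-B.

```python
import shlex

# Keys whose values name interfaces inside per-VDOM objects.
INTERFACE_KEYS = ("srcintf", "dstintf", "associated-interface", "device")

# Constructed sample mirroring this page's VDOM-link setup. The FTP-server
# address is (wrongly) created in VDOM-B but bound to VDOM-A's VDOM-link0.
SAMPLE_CONFIG = """\
config global
    config system interface
        edit port2
            set vdom VDOM-B
        next
        edit VDOM-link0
            set vdom VDOM-A
        next
        edit VDOM-link1
            set vdom VDOM-B
        next
    end
end
config vdom
    edit VDOM-B
        config firewall address
            edit FTP-server
                set associated-interface VDOM-link0
                set subnet 192.168.20.10 255.255.255.255
            next
        end
        config firewall policy
            edit 0
                set name Internal-server-access
                set srcintf VDOM-link1
                set dstintf port2
            next
        end
    next
end
"""


def parse_fortios(text):
    """Flatten FortiOS CLI into (path, key, values) triples; path is the tuple
    of enclosing config/edit names, e.g. ('vdom', 'VDOM-B', 'firewall address',
    'FTP-server')."""
    stack, entries = [], []
    for line in text.splitlines():
        tokens = shlex.split(line)      # handles quoted names like "port3"
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            stack.append(("config", " ".join(args)))
        elif cmd == "edit":
            stack.append(("edit", args[0]))
        elif cmd == "next" and stack and stack[-1][0] == "edit":
            stack.pop()                 # leave the current entry
        elif cmd == "end":              # leave the table and any open entry
            while stack and stack.pop()[0] != "config":
                pass
        elif cmd == "set":
            entries.append((tuple(n for _, n in stack), args[0], args[1:]))
    return entries


def interface_owners(entries):
    """Map interface name -> owning VDOM from config global > system interface."""
    return {path[2]: values[0] for path, key, values in entries
            if path[:2] == ("global", "system interface") and key == "vdom"}


def check_vdom_interfaces(text):
    """Return (vdom, table, object, key, interface, actual_owner) for each
    per-VDOM object that references an interface not assigned to its VDOM."""
    entries = parse_fortios(text)
    owners = interface_owners(entries)
    findings = []
    for path, key, values in entries:
        if len(path) < 4 or path[0] != "vdom" or key not in INTERFACE_KEYS:
            continue
        vdom, table, obj = path[1:4]
        for iface in values:
            if owners.get(iface) != vdom:
                findings.append((vdom, table, obj, key, iface, owners.get(iface)))
    return findings
```

Running check_vdom_interfaces on a full backup (show full-configuration output) flags every object that would fail to commit or silently route nothing because its interface lives in another VDOM.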

NAT and transparent mode

In this example, VDOM-A uses NAT mode and VDOM-B uses transparent mode.

This configuration requires the following steps:

  1. Configure VDOM-A
  2. Configure VDOM-B

Configure VDOM-A

VDOM-A allows connections from devices on the internal network to the Internet. WAN 1 and port 1 are assigned to this VDOM.

The per-VDOM configuration for VDOM-A includes the following:

  • A firewall address for the internal network
  • A static route to the ISP gateway
  • A security policy allowing the internal network to access the Internet

All procedures in this section require you to connect to VDOM-A, either using a global or per-VDOM administrator account.

To add the firewall addresses in the GUI:

  1. Go to Policy & Objects > Addresses and create a new address.
  2. Enter the following information:
| Setting | Value |
|---|---|
| Name | internal-network |
| Type | Subnet |
| Subnet / IP Range | 192.168.10.0/24 |
| Interface | port1 |
| Show in Address List | enabled |

To add the firewall addresses with the CLI:

config vdom
    edit VDOM-A
        config firewall address
            edit internal-network
                set associated-interface port1
                set subnet 192.168.10.0 255.255.255.0
            next
        end
    next
end

To add a default route in the GUI:

  1. Go to Network > Static Routes and create a new route.
  2. Enter the following information:
| Setting | Value |
|---|---|
| Destination | Subnet |
| IP address | 0.0.0.0/0.0.0.0 |
| Gateway | 172.20.201.7 |
| Interface | wan1 |
| Distance | 10 |

To add a default route with the CLI:

config vdom
    edit VDOM-A
        config router static
            edit 0
                set gateway 172.20.201.7
                set device wan1
            next
        end
    next
end

To add the security policy in the GUI:

  1. Connect to VDOM-A.
  2. Go to Policy & Objects > IPv4 Policy and create a new policy.
  3. Enter the following information:
| Setting | Value |
|---|---|
| Name | VDOM-A-Internet |
| Incoming Interface | port1 |
| Outgoing Interface | wan1 |
| Source Address | internal-network |
| Destination Address | all |
| Schedule | always |
| Service | ALL |
| Action | ACCEPT |
| NAT | enabled |

To add the security policy with the CLI:

config vdom
    edit VDOM-A
        config firewall policy
            edit 0
                set name VDOM-A-Internet
                set srcintf port1
                set dstintf wan1
                set srcaddr internal-network
                set dstaddr all
                set action accept
                set schedule always
                set service ALL
                set nat enable
            next
        end
    next
end

Configure VDOM-B

VDOM-B allows external connections to reach an internal FTP server. WAN 2 and port 2 are assigned to this VDOM.

The per-VDOM configuration for VDOM-B includes the following:

  • A firewall address for the FTP server
  • A static route to the ISP gateway
  • A security policy allowing external traffic to reach the FTP server

All procedures in this section require you to connect to VDOM-B, either using a global or per-VDOM administrator account.

To add the firewall addresses in the GUI:

  1. Go to Policy & Objects > Addresses and create a new address.
  2. Enter the following information:
| Setting | Value |
|---|---|
| Address Name | FTP-server |
| Type | Subnet |
| Subnet / IP Range | 172.25.177.42/32 |
| Interface | port2 |
| Show in Address List | enabled |

To add the firewall addresses with the CLI:

config vdom
    edit VDOM-B
        config firewall address
            edit FTP-server
                set associated-interface port2
                set subnet 172.25.177.42 255.255.255.255
            next
        end
    next
end

To add a default route in the GUI:

  1. Go to Network > Routing Table and create a new route.
  2. Enter the following information:
| Setting | Value |
|---|---|
| Destination | Subnet |
| IP address | 0.0.0.0/0.0.0.0 |
| Gateway | 172.20.10.10 |

To add a default route with the CLI:

config vdom
    edit VDOM-B
        config router static
            edit 0
                set gateway 172.20.10.10
            next
        end
    next
end

To add the security policy in the GUI:

  1. Connect to VDOM-B.
  2. Go to Policy & Objects > IPv4 Policy and create a new policy.
  3. Enter the following information:
| Setting | Value |
|---|---|
| Name | Access-server |
| Incoming Interface | wan2 |
| Outgoing Interface | port2 |
| Source Address | all |
| Destination Address | FTP-server |
| Schedule | always |
| Service | FTP |
| Action | ACCEPT |

To add the security policy with the CLI:

config vdom
    edit VDOM-B
        config firewall policy
            edit 0
                set name Access-server
                set srcintf wan2
                set dstintf port2
                set srcaddr all
                set dstaddr FTP-server
                set action accept
                set schedule always
                set service FTP
            next
        end
    next
end

System Configuration – Virtual Wire Pair – FortiOS 6.2

Virtual Wire Pair

A virtual wire pair consists of two interfaces that do not have IP addressing and are treated like a transparent mode VDOM. All traffic received by one interface in the virtual wire pair can only be forwarded to the other interface, provided a virtual wire pair firewall policy allows this traffic. Traffic from other interfaces cannot be routed to the interfaces in a virtual wire pair.

Virtual wire pairs are useful for a typical topology where MAC addresses do not behave normally. For example, port pairing can be used in a Direct Server Return (DSR) topology where the response MAC address pair may not match the request’s MAC address pair.

Sample topology

In this example, a virtual wire pair (port3 and port4) makes it easier to protect a web server that is behind a FortiGate operating as an Internal Segmentation Firewall (ISFW). Users on the internal network access the web server through the ISFW over the virtual wire pair.

To add a virtual wire pair using the GUI:

  1. Go to Network > Interfaces.
  2. Click Create New > Virtual Wire Pair.
  3. Select the Interface Members to add to the virtual wire pair.

These interfaces cannot be part of a switch, such as the default LAN/internal interface.

  4. If desired, enable Wildcard VLAN.

To add a virtual wire pair using the CLI:

config system virtual-wire-pair
    edit "VWP-name"
        set member "port3" "port4"
        set wildcard-vlan {enable | disable}
    next
end

To create a virtual wire pair policy using the GUI:

  1. Go to Policy & Objects > IPv4 Virtual Wire Pair Policy.
  2. Click Create New.
  3. Select the direction that traffic is allowed to flow.
  4. Configure the other fields.
  5. Click OK.

To create a virtual wire pair policy using the CLI:

config firewall policy
    edit 1
        set name "VWP-Policy"
        set srcintf "port3" "port4"
        set dstintf "port3" "port4"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set fsso disable
    next
end

System Configuration – Zone – FortiOS 6.2

Zone

Zones are a group of one or more physical or virtual FortiGate interfaces to which you can apply security policies to control inbound and outbound traffic. Grouping interfaces and VLAN subinterfaces into zones simplifies the creation of security policies where a number of network segments can use the same policy settings and protection profiles.

When you add a zone, you select the names of the interfaces and VLAN subinterfaces to add to the zone. Each interface still has its own address. Routing is still done between interfaces, that is, routing is not affected by zones. You can use security policies to control the flow of intra-zone traffic.

For example, in the sample configuration below, the network includes three separate groups of users representing different entities on the company network. While each group has its own set of ports and VLANs in each area, they can all use the same security policy and protection profiles to access the Internet. Rather than the administrator making nine separate security policies, he can make administration simpler by adding the required interfaces to a zone and creating three policies.

Sample configuration

You can configure policies for connections to and from a zone but not between interfaces in a zone. For this example, you can create a security policy to go between zone 1 and zone 3, but not between WAN2 and WAN1, or WAN1 and DMZ1.

To create a zone in the GUI:

  1. Go to Network > Interfaces.
  2. Click Create New > Zone.
  3. Configure the Name and add the Interface Members.

To configure a zone to include the internal interface and a VLAN using the CLI:

config system zone
    edit Zone_1
        set interface internal VLAN_1
        set intrazone {deny | allow}
    next
end

Using zone in a firewall policy

To configure a firewall policy to allow any interface to access the Internet using the CLI:

config firewall policy
    edit 2
        set name "2"
        set srcintf "Zone_1"
        set dstintf "port15"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

Intra-zone traffic

In the zone configuration you can set intrazone deny to prevent the different interfaces in the same zone from talking to each other.

For example, suppose you have ten interfaces in your zone and the intrazone setting is deny, and you now want to allow traffic between a very small number of networks on different interfaces in the zone without disabling intra-zone blocking.

In this example, the zone VLANs are defined as: 192.168.1.0/24, 192.168.2.0/24, … 192.168.10.0/24.

This policy allows traffic from 192.168.1.x to 192.168.2.x even though they are in the same zone and intra-zone blocking is enabled. The intra-zone blocking acts as a default deny rule and you have to specifically override it by creating a policy within the zone.

To enable intra-zone traffic, create the following policy:

| Setting | Value |
|---|---|
| Source Interface | Zone-name, e.g., Vlans |
| Source Address | 192.168.1.0/24 |
| Destination | Zone-name (same as Source Interface, i.e., Vlans) |
| Destination Address | 192.168.2.0/24 |
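The interaction between intrazone deny and an explicit zone-to-zone policy is easier to reason about with a small model. The following Python is an added example for this page, not Fortinet code: it models the Vlans zone (VLAN_1 to VLAN_10 carrying 192.168.1.0/24 to 192.168.10.0/24, constructed to match the text), the single override policy from the table above (assumed to have action accept, which the table does not state), and the implicit intra-zone deny that applies to everything else.

```python
import ipaddress

# Constructed to match the page: VLAN_n carries 192.168.n.0/24, n = 1..10,
# all members of the zone "Vlans" with intrazone deny.
ZONE = {
    "name": "Vlans",
    "intrazone": "deny",
    "members": {f"VLAN_{n}": ipaddress.ip_network(f"192.168.{n}.0/24")
                for n in range(1, 11)},
}

# The override policy from the page's table; action accept is assumed.
POLICIES = [
    {"srcintf": "Vlans", "dstintf": "Vlans",
     "srcaddr": ipaddress.ip_network("192.168.1.0/24"),
     "dstaddr": ipaddress.ip_network("192.168.2.0/24"),
     "action": "accept"},
]


def member_for(ip, zone):
    """Return the zone member interface that carries ip, or None."""
    addr = ipaddress.ip_address(ip)
    for iface, net in zone["members"].items():
        if addr in net:
            return iface
    return None


def evaluate(src_ip, dst_ip, zone=ZONE, policies=POLICIES):
    """Return (verdict, reason) for a new session between two hosts.

    Policies are unidirectional and matched top-down; a session that matches
    none of them falls to the zone's intrazone setting.
    """
    src_if, dst_if = member_for(src_ip, zone), member_for(dst_ip, zone)
    if src_if is None or dst_if is None:
        return ("n/a", "one endpoint is not in the zone")
    if src_if == dst_if:
        return ("n/a", "same interface; the FortiGate does not forward it")
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for pol in policies:
        if (pol["srcintf"] == zone["name"] and pol["dstintf"] == zone["name"]
                and src in pol["srcaddr"] and dst in pol["dstaddr"]):
            return (pol["action"], "matched zone-to-zone policy")
    if zone["intrazone"] == "deny":
        return ("deny", "implicit intra-zone deny")
    return ("accept", "intrazone allow")
```

Note that the policy only allows sessions initiated from 192.168.1.x; a new session from 192.168.2.x back to 192.168.1.x still hits the implicit deny unless a second policy is added.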