
FortiCache - Administration Guide

VERSION 4.0.0
FORTINET DOCUMENT LIBRARY

http://docs.fortinet.com

FORTINET VIDEO GUIDE

http://video.fortinet.com

FORTINET BLOG

https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT

https://support.fortinet.com 

http://cookbook.fortinet.com/how-to-work-with-fortinet-support/

FORTIGATE COOKBOOK

http://cookbook.fortinet.com

FORTINET TRAINING SERVICES

http://www.fortinet.com/training

FORTIGUARD CENTER

http://www.fortiguard.com

END USER LICENSE AGREEMENT

http://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK

Email: techdocs@fortinet.com

4/1/2016

FortiCache 4.0.0 Administration Guide

21-400-234452-20160226
TABLE OF CONTENTS

Change Log 7
Introduction 8
About this document 8
Concepts 9
Web caching topologies 9
WCCP topologies 11
Content Analysis Service 11
System Administration 12
Working with system dashboards 12
Managing dashboards 13
System information widget 14
License information widget 18
Unit operation widget 18
System resources widget 19
Alert message console widget 20
CLI console widget 21
Features widget 22
Interface history widget 22
Network settings 23
Interfaces 23
DNS settings 27
Routing table 28
Configuration 29
High availability 29
SNMP settings 31
Replacement Messages 38
FortiGuard settings 44
Disk settings 46
Features 47
Messaging servers 48
Administration settings 49
Administrators 49
Administrative profiles 52
Settings 54
Certificates 56
Local certificates 56
Remote certificates 60
CA certificates 60
Maintenance 60
Firmware maintenance 60
Disk maintenance 61
Routing 63
Policy 65
Policy 65
Managing the policy list 67
How list order affects policy matching 67
Configuring policies 67
Web cache policy address formats 73
Proxy options 74
SSL inspection 75
Firewall Objects 76
Address 76
Addresses 76
Address groups 78
Service 79
Services 79
Services groups 81
Schedule 82
Schedule 82
Schedule groups 84
Web proxy 84
Explicit web proxies 84
Forwarding servers 86
Global explicit proxies 88
Proxy auto-config configuration 89
Web proxy auto-discovery protocol 89
Security Profiles 91
Antivirus 91
Web Filter 92
Profile list 96
Managing web filter profiles 96
Web site filters 97
Data Leak Prevention 98
DLP sensors 98
File filter 102
ICAP 104
Profile 104
Server 106
Content Analysis 107
Profile 107
User Authentication 109
User 109
User definition 109
User group 112
Authentication 115
Single sign-on 115
LDAP server 118
RADIUS server 120
TACACS+ server 122
Settings 124
Monitor 125
Firewall 125
User Quarantine 126
WAN Optimization and Web Caching 128
WAN optimization profiles 128
Profile list 130
Managing WAN optimization profiles 131
WAN optimization peers 131
Peers 131
Authentication groups 132
Cache 134
Settings 135
URL match list 137
Monitor 137
Peer monitor 139
WCCP 140
WCCP service groups, numbers, IDs, and well known services 140
WCCP configuration overview 141
Caching HTTP sessions 142
Configure a WCCP server 143
Configure a WCCP client 144
Verify the WCCP status 145
WCCP packet flow 147
Configuring forward and return methods and adding authentication 147
WCCP messages 147
Troubleshooting WCCP 148
Real time debugging 148
Application debugging 148
Logging 150
Log settings 152
Local logging and archiving 153
Remote logging to a syslog server 153
Appendix A - Perl Regular Expressions 155
Block common spam phrases 156
Block purposely misspelled words 156
Block any word in a phrase 156
Change Log

Date Change Description

2016-04-01 Updated WCCP section regarding L2-mode support.

2016-02-26 Updates for FortiCache 4.0.0 initial release.

Administration Guide 7
Fortinet Technologies Inc.
Introduction

FortiCache high performance web caching appliances address bandwidth saturation, high latency, and poor
performance by caching popular internet content locally for carriers, service providers, enterprises, and
educational networks. FortiCache appliances reduce the cost and impact of cacheable content on the network
while increasing performance and improving the end-user experience by delivering popular, repeatedly requested
content faster.

About this document


This document contains the following sections:

- Introduction
- Concepts
- System Administration
- Routing
- Policy
- Firewall Objects
- Security Profiles
- User Authentication
- WAN Optimization and Web Caching
- WCCP
- Logging

Concepts

FortiCache web caching is a form of object caching that accelerates web applications and web servers by
reducing bandwidth usage, server load, and perceived latency.

Web caching involves storing HTML pages, images, videos, servlet responses, and other web-based objects for
later retrieval. These objects are stored in the web cache storage location defined by the config wanopt
storage command. You can also go to System > Config > Disk to view the storage locations on the
FortiCache unit hard disks.

There are three significant advantages to using web caching to improve HTTP performance:

- reduced bandwidth consumption, because fewer requests and responses go over the WAN or Internet
- reduced web server load, because there are fewer requests for web servers to handle
- reduced latency, because responses for cached requests are available from a local FortiCache unit instead of
from across the WAN or Internet.

When enabled in a web caching policy, the FortiCache unit caches HTTP traffic processed by that policy. A web
caching policy specifies the source and destination addresses and destination ports of the traffic to be cached.

Web caching caches compressed and non-compressed versions of the same file separately. If the HTTP protocol
considers the compressed and uncompressed versions of a file the same object, only the compressed or
uncompressed file will be cached.

You can also configure a FortiCache unit to operate as a Web Cache Communication Protocol (WCCP) client.
WCCP provides the ability to offload web caching to one or more redundant web caching servers.

This chapter describes:

- Web caching topologies
- WCCP topologies
- Content Analysis Service

Web caching topologies

FortiCache web caching involves one or more FortiCache units installed between users and web servers. The
FortiCache unit can operate in both Network Address Translator (NAT) and transparent modes. The FortiCache
unit intercepts web page requests accepted by web cache policies, requests web pages from the web servers,
caches the web page contents, and returns the web page contents to the users. When the FortiCache unit
intercepts subsequent requests for cached web pages, the FortiGate unit contacts the destination web server just
to check for changes.

Most commonly the topology uses a router to route HTTP and HTTPS traffic to be cached to one or more
FortiCache units. Traffic that should not be cached bypasses the FortiCache units. This is a scalable topology
that allows you to add more FortiCache units if usage increases.


Web caching topology with web traffic routed to FortiCache units

You can also configure reverse proxy web-caching. In this configuration, users on the Internet browse to a web
server installed behind a FortiCache unit. The FortiCache unit intercepts the web traffic (HTTP and HTTPS) and
caches pages from the web server. Reverse proxy web caching on the FortiGate unit reduces the number of
requests that the web server must handle, leaving it free to process new requests that it has not serviced before.
Since all traffic is to be cached the FortiCache unit can be installed in Transparent mode directly between the web
server and the Internet.

Reverse proxy web caching topology

The reverse proxy configuration can also include a router to route web traffic to a group of FortiCache units
operating in Transparent Mode. This is also a scalable solution for reverse proxy web caching.

Reverse proxy web caching topology with web traffic routed to FortiCache unit

When web objects and video are cached on the FortiCache hard disk, the FortiCache unit returns the traffic to the
client using the cached object from cache storage. The clients do not connect directly to the server.

When web objects and video are not available on the FortiCache hard disk, the FortiCache unit forwards the
request to the original server. If the HTTP response indicates that it is a cacheable object, the object is written to
cache storage and the HTTP request is served from cache storage. Any other HTTP request for the same object will
be served from cache storage as well.

The FortiCache unit forwards HTTP responses that cannot be cached from the server back to the client that
originated the HTTP request.


All non-HTTP traffic and HTTP traffic that is not cached by FortiCache will pass through the unit. HTTP traffic is
not cached by the FortiCache unit if a web cache policy has not been added for it.
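The hit, revalidation and miss flow described above, together with the separate caching of compressed and uncompressed copies noted earlier in this chapter, as an added Python model; this is not FortiCache code, and the origin server, URLs, headers and cacheability rules are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    headers: dict
    body: bytes


def _cache_control_tokens(headers):
    """Turn 'Cache-Control: private, max-age=60' into {'private', 'max-age'}."""
    value = headers.get("Cache-Control", "")
    return {part.strip().split("=", 1)[0].lower()
            for part in value.split(",") if part.strip()}


def is_cacheable(resp):
    """Only 200 responses not marked no-store/private/no-cache and without
    Set-Cookie may enter the shared cache; a per-user response must never be
    served to another client."""
    if resp.status != 200:
        return False
    if _cache_control_tokens(resp.headers) & {"no-store", "private", "no-cache"}:
        return False
    return "Set-Cookie" not in resp.headers


def variant_key(url, headers, header_name):
    """Compressed and uncompressed copies are separate objects: the variant
    comes from Accept-Encoding (request) or Content-Encoding (response)."""
    value = headers.get(header_name, "").lower()
    return (url, "gzip" if "gzip" in value else "identity")


class WebCache:
    """In-memory stand-in for the cache storage on the FortiCache disk."""
    def __init__(self, origin):
        # origin(url, request_headers) -> Response, constructed for the example
        self.origin = origin
        self.store = {}

    def _store(self, url, resp):
        # Key by the encoding the origin actually returned.
        self.store[variant_key(url, resp.headers, "Content-Encoding")] = resp

    def fetch(self, url, request_headers):
        """Return (response, outcome); outcome is HIT, REVALIDATED or MISS."""
        cached = self.store.get(variant_key(url, request_headers, "Accept-Encoding"))
        if cached is None:
            resp = self.origin(url, request_headers)
            if is_cacheable(resp):
                self._store(url, resp)
            return resp, "MISS"
        etag = cached.headers.get("ETag")
        if not etag:
            return cached, "HIT"  # no validator: serve straight from storage
        # Repeat request: ask the server only whether the object changed.
        fresh = self.origin(url, dict(request_headers, **{"If-None-Match": etag}))
        if fresh.status == 304:
            return cached, "REVALIDATED"
        if is_cacheable(fresh):
            self._store(url, fresh)
        return fresh, "MISS"


def make_origin():
    """Constructed origin server: a public image and a per-user account page."""
    calls = []

    def origin(url, headers):
        calls.append(url)
        if url == "/logo.png":
            if headers.get("If-None-Match") == '"v1"':
                return Response(304, {"ETag": '"v1"'}, b"")
            if "gzip" in headers.get("Accept-Encoding", ""):
                return Response(200, {"ETag": '"v1"', "Content-Encoding": "gzip"}, b"<gz>")
            return Response(200, {"ETag": '"v1"'}, b"<raw>")
        if url == "/account":
            return Response(200, {"Cache-Control": "private, no-store",
                                  "Set-Cookie": "session=abc"}, b"<account>")
        return Response(404, {}, b"")

    return origin, calls


def demo():
    """Miss, revalidation, separate uncompressed copy, private page never stored."""
    origin, calls = make_origin()
    cache = WebCache(origin)
    outcomes = [
        cache.fetch("/logo.png", {"Accept-Encoding": "gzip"})[1],
        cache.fetch("/logo.png", {"Accept-Encoding": "gzip"})[1],
        cache.fetch("/logo.png", {})[1],
        cache.fetch("/account", {})[1],
        cache.fetch("/account", {})[1],
    ]
    return outcomes, len(cache.store), len(calls)
```

Running demo() shows two objects in storage (the gzip and plain copies of the image) while every request for the private page went to the origin.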

WCCP topologies

You can operate a FortiCache unit as a WCCP cache engine. As a cache engine, the FortiCache unit returns the
required cached content to the client web browser. If the cache server does not have the required content, it
accesses the content, caches it, and returns the content to the client web browser.

WCCP topology

WCCP is transparent to client web browsers. The web browsers do not have to be configured to use a web proxy.

Content Analysis Service

FortiGuard Content Analysis Service is a licensed feature for the real-time analysis of images in order to detect
adult content. Detection of adult content in images uses various patented techniques (not just color-based),
including limb and body part detection, body position, etc.

Once detected, such content can be optionally blocked or reported.

Please contact your Fortinet Account Manager should you require a trial of this service. You can purchase this
service from support.fortinet.com.

For configuration information, see Content Analysis on page 107.

System Administration

This section introduces system administration of the FortiCache unit. It contains the following topics:

- Working with system dashboards
- Network settings
- Configuration
- Administration settings
- Certificates
- Maintenance

Working with system dashboards

The dashboard provides a quick look at the FortiCache system status. It provides a way to access information
about network activity and events, as well as configure basic system settings. The dashboard contains widgets
that display information and provide access to various system functions. You can customize which widgets are
available on the dashboard and how they operate.

To access the default dashboard go to System > Dashboard > Status.

Your browser must support javascript to view the dashboard.

Administrators must have read and write privileges for configuring dashboards as well as adding widgets to
dashboards.

This section describes:


- Managing dashboards
- System information widget
- License information widget
- Unit operation widget
- System resources widget
- Alert message console widget
- CLI console widget
- Features widget
- Interface history widget

Managing dashboards
Dashboards can be added, renamed, edited, and deleted, and widgets can be added to and removed from
individual dashboards.

You can add widgets to any dashboard and customize the configuration of most widgets. You cannot add the
same widget more than once, except for the Interface History widget, which can be added as many times as
required.

To add a new dashboard:

1. Go to System > Dashboard > Status.
2. Select Dashboard > Add Dashboard (located at the top of the dashboard screen).
3. Enter a name for the dashboard, select the number of columns, then select OK.
4. Select the new dashboard and select Widget to begin adding widgets to the dashboard.

Except for the Interface History widget, a widget can only appear a single time,
regardless of how many dashboards are created.

To add widgets to a dashboard:

1. Go to System > Dashboard > Status.
2. Select a dashboard to add widgets to.
3. Select Widget (located at the top of the dashboard screen).
4. Select a widget to add to the dashboard. The pop-up window closes automatically.
5. Drag the widgets by their title bars to arrange them in the dashboard.
6. Optionally, customize widgets by selecting Edit (the pencil icon).
See also the following title bar options:

Open/Close arrow Open or close the widget.

Widget Title The name of the widget.

History Select to show an expanded set of data. Only available for the Alert Message Console widget.

Detach Convert the widget into a pop-up window detached from the main browser window that you can scale and
move independently of the dashboard. Only available for the CLI Console widget.

Edit (pencil icon) Select to change widget settings.

Refresh (refresh icon) Select to refresh or update the information displayed by the widget. Not available on all
widgets.

Close (X icon) Remove the widget from the dashboard.

To reset all dashboards to the factory default configuration:

Use the following procedure to remove all of the dashboards that you have added and reset the widget
configuration of the default dashboard.

1. Go to System > Dashboard > Status.
2. Select Dashboard > Reset Dashboards and select OK in the confirmation dialog box.

System information widget


The System Information widget displays general system information, such as the FortiCache unit serial number,
firmware version, host name, and system time. You can use this widget to change the system time, host name,
firmware, operation mode, and change the password of the current administrator. You can also use this widget to
backup and restore the configuration and view current administrators.

Host Name The host name of the current FortiCache unit. When you select Change, you are redirected to the Edit
Host Name page. See Changing the host name on page 15.

Serial Number The serial number of the FortiCache unit. The serial number is specific to that unit and does not
change with firmware upgrades.

HA Status The status of High Availability (HA) within the cluster. Standalone indicates that the FortiCache unit is
not operating in HA mode. Active indicates that the FortiCache unit is operating in HA mode. Select Configure to
change the HA configuration. See High availability on page 29.

System Time The current date and time according to the FortiCache unit’s internal clock. When you select Change,
you are redirected to the Time Settings page where you can change the unit’s system time. See Configuring
system time on page 15.

Firmware Version The version of the firmware currently installed on the FortiCache unit. When you select Update,
you are redirected to the Firmware Update/Downgrade page. See Firmware maintenance on page 60.

System Configuration The date and time of the last configuration file backup. You can select Backup to back up
the current configuration; when you select Backup, you are redirected to the Backup page. See Backing up the
configuration on page 16. If you want to restore a configuration file, select Restore to be redirected to the
Restore page. See Restoring your firmware configuration on page 16.

Operation Mode The current operating mode of the FortiCache unit. A unit can operate in NAT mode or Transparent
mode. Select Change to switch between NAT and Transparent mode.

Current Administrators The name of the admin account that you have used to log into the FortiCache unit and the
number of administrator accounts. If you are authenticated locally by password, not by PKI or remote
authentication, you can select Change Password to change the password for this account. When you change the
password, you are logged out and must log back in with the new password. See Changing the currently logged in
administrator’s password on page 17. Select Details to view more information about each administrator that is
currently logged in. See Monitoring administrators on page 17.

Uptime The time in days, hours, and minutes since the FortiCache unit was started.

Changing the host name


The host name appears in the Host Name row, in the System Information widget, at the CLI prompt and is used
as the SNMP system name. The default host name is the FortiCache unit’s serial number. Change the host name
by selecting Change beside the host name field in the System Information dashboard widget.

Configuring system time


Use the following options to change the FortiCache unit’s system time. Change the system time by selecting
Change beside the system time field in the System Information dashboard widget.

Configure the following settings:

System Time The current system date and time.

Refresh Update the display of the current system date and time.

Time Zone Select the FortiCache unit’s time zone.

Set Time Select to set the system date and time to the values you set in the Hour, Minute, Second, Year, Month,
and Day fields.

Synchronize with NTP Server Select to use a Network Time Protocol (NTP) server to automatically set the system
date and time. Select Use FortiGuard Servers, or select Specify, then enter the server address and
synchronization interval in the Server and Sync Interval fields. The interval can be 1 to 1440 minutes (default = 1
minute). FortiCache units use NTP Version 4. No RFC is currently available for NTP version 4. The RFC for NTP
Version 3 is RFC 1305. For more information about NTP, or to find an NTP server that you can use, see
http://www.ntp.org.

Enable NTP Server Select to enable the NTP server, then select one or more interfaces from the Listen on
Interfaces drop-down list.

Backing up the configuration


Administrators can back up the FortiCache unit’s configuration file from the System Information widget. You can
back up the firmware configuration file to a local computer, and also encrypt the configuration file for added
security.

You should always back up your configuration before you:

- restore the unit to factory defaults
- install a patch release
- install a new firmware image
- re-install an earlier firmware image
- reboot the unit.

Configure the following settings:

Local PC Select to back up the configuration file to a local management computer.

Encrypt configuration file Select to protect the configuration file with a password for added security. If you
lose the password, the configuration file will not be accessible.

Password Enter the password that will be used to restore the configuration file.

Confirm Re-enter the password.

Restoring your firmware configuration


You can restore a configuration file created by an earlier backup by selecting Restore in the System
Configuration row of the System Information widget. If the configuration file was encrypted, you will need the
password that was used to encrypt it.

Local PC Select to restore the configuration file from the local computer.

Filename Browse to the location of the backup file on your local hard disk.

Password Enter the password that will be used to restore the configuration file.

Changing the currently logged in administrator’s password


From within the System Information widget you can change your own admin account password by selecting
Change Password in the Current Administrator row.

Administrator The name of the administrator account.

Old Password Enter the password that you usually use to log in.

New Password Enter the new password that you will be using to log in.

Confirm Password Enter the new password again.

Monitoring administrators

You can view detailed information about each administrator that is logged into the FortiCache unit from the
System Information widget by selecting Details in the Current Administrator row.

Disconnect Select to disconnect the selected administrators. This is available only if your admin profile gives
you System Configuration write permission. You cannot log off the default admin user.

Refresh Select to update the list.

Close Select to close the window.

User Name The administrator account name.

Access Profile The access profile of the administrator.

Type The type of access: http, https, jsconsole, sshv2.

From If Type is jsconsole, the value in From is N/A. Otherwise, From contains
the administrator’s IP address.

Time The date and time that the administrator logged on.


License information widget


The License Information widget displays the statuses of your licenses and FortiGuard subscriptions. It also
allows you to update your device’s registration status and FortiGuard definitions.

You can update your registration status by selecting Update in the Registration Status row and loading the
license file from a location on your management computer. You can update the antivirus definitions by selecting
Update in the AV Definitions row.
Selecting Configure in the Web Filtering or AntiVirus rows will take you to the FortiGuard Distribution Network
page. See FortiGuard settings on page 44.

Manually updating FortiGuard definitions


You can update the definition files for a number of FortiGuard services from the License Information widget.

To update FortiGuard definitions manually:

1. Download the latest update files from the Fortinet Support site and copy them to the computer that you use to
connect to the GUI.
2. Log in to the GUI, locate the License Information widget, and in the AV Definitions row select Update.
3. Select Browse and locate the update file, or type the path and filename.
4. Select OK.
5. Verify the update was successful by locating the License Information widget and viewing the date given in the
row.

Unit operation widget


The Unit Operation widget shows the FortiCache unit’s front panel and displays the status of the unit’s front
panel network interfaces. If a network interface is green, that interface is connected.

1 / 2 / 3 / 4 etc... The network interfaces on the unit. The names and number of these
interfaces vary by model.
The icon below the interface name indicates its up/down status by color.
Green indicates the interface is connected. Gray indicates there is no
connection.
For more information about the configuration and status of an interface,
pause the mouse over the icon for that interface.

Pause the mouse pointer over the interface to view the status of the interface.


System resources widget


The System Resources widget displays the FortiCache unit’s percent CPU and memory usage. The CPU usage
can be viewed by CPU. You can also view historical system usage graphs.

If you select Reboot or Shutdown, a pop-up window opens allowing you to enter the reason for the system event.
Your reason will be added to the log message that is included in the event-system log.

Powering off a FortiCache unit before shutting it down may corrupt its configuration.
Use the shutdown options here or in the CLI to make sure that proper shutdown
procedures are followed to prevent any loss of configuration.

Edit Select to configure the widget. See Configure the system resource widget
on page 19.

CPU Usage The CPU usage percent displayed graphically and in text.

Memory Usage The memory usage percent displayed graphically and in text.

Disk Usage The disk usage percent displayed graphically and in text.

Reboot Select to shut down and restart the unit. You will be prompted to enter a reason for the reboot that will
be entered into the logs.

Shutdown Select to shut down the unit. You will be prompted for confirmation, and also prompted to enter a
reason for the shutdown that will be entered into the logs.

Configure the system resource widget


To configure the system resource widget, select Edit in the widget title bar to open the Custom System
Resource Display window.
Configure the following settings:

Custom Widget Name Enter a custom widget name to change the name of the widget.

Chart Color Change the color of the data shown on the charts. To reset to the default color, select Reset. This
option is only available when View Type is set to Historical.

Multi-core CPU display Select Average to view the CPU usage for all cores, or select Each Core to view the usage
for each core individually.

View Type Select Real Time to view real time CPU and memory usage data, or select Historical to view historical
usage data.

Time Period Select the time period for the displayed data from the drop-down list. The options are: Last minute,
Last 10 minutes, Last 30 minutes, Last 60 minutes, Last 12 hours, and Last 24 hours. This option is only
available when View Type is set to Historical.

Alert message console widget


The Alert Message Console widget displays log-based alert messages for the FortiCache unit.

Alert messages help you track system events on your FortiCache unit, such as firmware changes. Each message
shows the date and time that the event occurred.

Alert message history


The widget displays only the most recent alerts. For a complete list of unacknowledged alert messages, select
the History icon in the widget’s title bar to open the Alert Message Console history pop-up window. To clear the
list, select Clear Alert Messages.

Custom alert display


Select the Edit icon in the title bar to open the Custom Alert Display dialog box.

Configure the following settings, then select OK to apply your changes.

Custom Widget Name Enter a custom widget name to change the name of the widget.

Display the following message on the alert console Select the types of messages that are displayed on the alert
console. The options include:

- System shutdown and restart
- Firmware upgrade and downgrade
- Conserve mode
- Updates from FortiGuard
- Device found or lost
- FortiCloud quota details
- Log disk failure
- Power supply events
- Admin authentication failures
- FortiGuard security alerts
- Policy configuration errors

Number of alerts to display on the dashboard Select the number of alerts that are displayed in the dashboard
widget from the drop-down list. Options include: 10, 20, 30, 40, 50, 60, 70, 80, 90, and 100.


CLI console widget


The CLI Console widget allows you to access the FortiCache CLI from the GUI. This widget can also be
customized, providing greater flexibility about how the CLI Console appears to administrators.

The two controls located on the CLI Console widget title bar are Edit and Detach.

- Detach: move the CLI Console widget into a separate browser window that you can resize and reposition. The
two controls on the detached CLI Console are Customize and Attach. Attach moves the widget back to the
dashboard’s page.
- Edit or Customize: change the appearance of the console by defining fonts and colors for the text and
background. The Console Preferences window provides settings for modifying the widget’s appearance, font, and
the option to include an external command input box.

Configure the following settings:

Preview A preview of your changes to the CLI Console’s appearance.

Text Select the current color swatch next to this label, then select a color from the color palette to the right
to change the color of the text in the console.

Background Select the current color swatch next to this label, then select a color from the color palette to the
right to change the color of the background in the console.

Use external command input box Select to display a command input field below the normal console emulation
area. When this option is enabled, you can enter commands by typing them into either the console emulation
area or the external command input field.

Console buffer length Enter the number of lines the console buffer keeps in memory. Valid numbers range from
20 to 9999.

Font Select a font from the list to change the display font of the CLI Console.

Size Select the size of the font. The default size is 10 points.

Reset Defaults Select to reset all values to their default values.

Features widget
The Features widget allows you to enable or disable a collection of FortiCache features. Disabled features are not
shown in the GUI.

Select the On/ Off button to turn the feature off or on, respectively.

More options can also be disabled by selecting the edit button in the widget title bar to open the Feature Settings
window. See .

Interface history widget


The Interface History widget shows the traffic on one selected interface over three specified time periods. This
feature can help you locate peaks in traffic that you need to address, as well as their frequency and duration.

Only one interface can be monitored per widget, but multiple history widgets can be added to the dashboards. You
can change the interface being monitored by selecting Edit. All traffic history data is cleared when you select
Apply.
Hovering the cursor over a section of the graph gives you specific details on the traffic in and out of the
selected port.

Select Edit in this widget title bar to open the Traffic History Settings window.

Configure the following settings, then select OK to save your changes:

Custom Widget Name Enter a new name for the widget. This is optional.

Select Network Interface Select an interface (one of the FortiCache unit’s interfaces) from the drop-down list.
The interface you choose displays the traffic occurring on it.

Enable Refresh Select to enable the information to refresh.


Time Period 0 The time period for the first line chart. Enter a number in the first field, then select Hour(s),
Minute(s), or Day(s) from the drop-down list beside the field. Use zero to disable the time period.

Time Period 1 The time period for the second line chart. Enter a number in the first field, then select Hour(s),
Minute(s), or Day(s) from the drop-down list beside the field. Use zero to disable the time period.

Time Period 2 The time period for the third line chart. Enter a number in the first field, then select Hour(s),
Minute(s), or Day(s) from the drop-down list beside the field. Use zero to disable the time period.

Network settings

The Network menu allows you to configure the unit to operate on the network. This menu provides features for
configuring and viewing basic network settings, such as the unit’s interfaces, Domain Name System (DNS)
options, and routing table.

This section describes:

- Interfaces
- DNS settings
- Routing table

Unless stated otherwise, the term interface refers to a physical FortiCache interface.

Interfaces
In System > Network > Interfaces, you can configure the interfaces that handle incoming and outgoing traffic.

The following information is available:

Create New Select to create a new interface.

Edit Modifies settings within the interface. When you select Edit, you are automatically redirected to the Edit
Interface page.


Delete Removes an interface from the list.


To remove multiple interfaces from within the list, on the interface page, in
each of the rows of the interfaces you want removed, select the check box
and then select Delete. To remove all interfaces from the list, on the
Interface page, select the check box in the check box column and then
select Delete.

Column Settings Select to change the columns that are displayed on the interface list.

Name The names of the physical interfaces on your FortiCache unit. This includes
any alias names that have been configured.

Type The type of the interface.

IP/Netmask The current IP address/netmask of the interface.


When IPv6 Support is enabled on the GUI, IPv6 addresses may be
displayed in this column.

Access The administrative access configuration for the interface.

Administrative Status The administrative status for the interface.


If the administrative status is a green arrow, the interface is up and can
accept network traffic. If the administrative status is a red arrow, the
interface is administratively down and cannot accept traffic. To change the
administrative status of an interface, select the Edit icon to edit the
interface and change the Administrative Status setting for the interface.

Link Status The status of the interface physical connection. Link status can be either up or down. If link status is up there is an active physical connection between the physical interface and a network switch. If link status is down the interface is not connected to the network or there is a problem with the connection. You cannot change link status from the GUI. Link status is only displayed for physical interfaces.

MTU The maximum number of bytes per transmission unit (MTU) for the
interface.

Mode Shows the addressing mode of the interface. The addressing mode can be manual, DHCP, or PPPoE.

Secondary IP Displays the secondary IP addresses added to the interface.

Ref. Displays the number of times the object is referenced by other objects. To view the location of the referencing objects, select the number in Ref., and the Object Usage window appears displaying the various locations where the object is used.

Interface settings
Selecting Create New opens the New Interface page, which provides settings for configuring a new interface. Selecting
an interface from the interface list opens the Edit Interface page.


Configure the following settings:

Name Enter a name for the interface. Physical interface names cannot be changed.

Alias Enter an alternate name for a physical interface on the FortiCache unit. The alias can be a maximum of 25 characters. The alias name does not appear in logs. This field appears when editing an existing physical interface.

Link Status Indicates whether the interface is connected to a network (link status is
Up) or not (link status is Down). This field appears when editing an
existing physical interface.

Type Select the type of the interface you want to add from the drop-down list. The options include: 802.3ad Aggregate, Redundant Interface, Loopback Interface, and Software Switch. You cannot change the interface type except when adding a new interface.

Dedicated Management Port Dedicate an interface for management to simplify configuration in transparent network deployments. This includes the ability to specify Trusted Hosts. See below.

Physical Interface Members This section has two different forms depending on the interface type. Software switch interface: this section is a display-only field showing the interfaces that belong to the software switch virtual interface. 802.3ad aggregate interface: select interfaces from the drop-down list, and add more interfaces as required.


Addressing mode The only addressing mode available on FortiCache units is Manual.
If IPv6 configuration is enabled you can add both a IPv4 and an IPv6 IP
address.

IP/Netmask Enter an IPv4 address/subnet mask for the interface. FortiCache interfaces cannot have IP addresses on the same subnet.

IPv6 Address If IPv6 support is enabled on the GUI, enter an IPv6 address/subnet mask
for the interface. A single interface can have both an IPv4 and IPv6
address or just one or the other.

Enable one-arm sniffer Available when editing a physical interface. Select to configure this interface to operate as a one-armed sniffer as part of configuring a FortiCache unit to operate as an IDS appliance by sniffing packets for attacks without actually receiving and otherwise processing the packets. Once the interface is enabled for sniffing you cannot use the interface for other traffic. You must add sniffer policies for the interface to actually sniff packets.

Enable Explicit Web Proxy Select to enable explicit web proxying on this interface. When enabled,
this interface will be displayed on System > Network > Web Proxy under
Listen on Interfaces and web traffic on this interface will be proxied
according to the Web Proxy settings.

Override Default MTU Value To change the MTU, select Override default MTU value (1500) and enter the MTU size based on the addressing mode of the interface.

l 68 to 1500 bytes for static mode
l 576 to 1500 bytes for DHCP mode
l 576 to 1492 bytes for PPPoE mode
l larger frame sizes if supported by the FortiCache model

Only available on physical interfaces. Virtual interfaces associated with a physical interface inherit the physical interface MTU size. In Transparent mode, if you change the MTU of an interface, you must change the MTU of all interfaces to match the new MTU. This option is not available if Type is set to Loopback Interface.

Administrative Access Select the types of administrative access permitted for IPv4 connections to this interface.

IPv6 Administrative Access Select the types of administrative access permitted for IPv6 connections to this interface.

HTTPS Allow secure HTTPS connections to the GUI through this interface.

PING Interface responds to pings. Use this setting to verify your installation and
for testing.

HTTP Allow HTTP connections to the GUI through this interface. HTTP connections are not secure and can be intercepted by a third party.


FMG-Access Allow FortiCache Manager access on this interface.

SSH Allow SSH connections to the CLI through this interface.

SNMP Allow a remote SNMP manager to request SNMP information by connecting to this interface.

TELNET Allow Telnet connections to the CLI through this interface. Telnet connections are not secure and can be intercepted by a third party.

Enable Explicit Web Proxy Select to enable explicit web proxy on the interface.

Listen for RADIUS Select to listen for Remote Authentication and Dial-in User Service
Accounting Messages (RADIUS) accounting messages on the interface.

Secondary IP Address Add additional IPv4 addresses to this interface.

Comments Enter a description up to 63 characters to describe the interface.

Administrative Status Select either Up (green arrow) or Down (red arrow) as the status of this
interface.
Up indicates the interface is active and can accept network traffic.
Down indicates the interface is not active and cannot accept traffic.
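The subnet, MTU and administrative-access rules in the table above can be checked before a change is committed. The following is an added example, not part of this guide and not FortiCache code: it assumes interface settings have been exported into plain dicts (the field names are an assumption made for the example) and applies the rules the table states, namely that no two interfaces may share a subnet, that the MTU must fall inside the range for the addressing mode, and that HTTP and TELNET access are cleartext and worth flagging. The sample interfaces are constructed.

```python
import ipaddress

# MTU limits per addressing mode, as listed in the Override Default MTU Value row.
MTU_RANGE = {"static": (68, 1500), "dhcp": (576, 1500), "pppoe": (576, 1492)}
# Access types the guide describes as interceptable by a third party.
CLEARTEXT_ACCESS = {"HTTP", "TELNET"}


def check_interface_config(interfaces):
    """Return a list of findings for a list of interface dicts.

    Each dict carries name, ip ("addr/prefix" or "addr/netmask"), mode
    ("static", "dhcp" or "pppoe"), mtu (int) and access (set of access types).
    This dict layout is an assumption made for the example.
    """
    findings = []
    assigned = []  # (name, network) pairs seen so far
    for iface in interfaces:
        name = iface["name"]
        mode = iface.get("mode", "static")
        net = ipaddress.ip_interface(iface["ip"]).network
        # Rule: FortiCache interfaces cannot have IP addresses on the same subnet.
        for other_name, other_net in assigned:
            if net.overlaps(other_net):
                findings.append(f"{name}: {net} overlaps {other_name} ({other_net})")
        assigned.append((name, net))
        # Rule: the MTU must fit the range for the addressing mode.
        lo, hi = MTU_RANGE[mode]
        mtu = iface.get("mtu", 1500)
        if not lo <= mtu <= hi:
            findings.append(f"{name}: MTU {mtu} outside {lo}-{hi} for {mode} mode")
        # Rule: flag administrative access that sends credentials in the clear.
        exposed = CLEARTEXT_ACCESS & set(iface.get("access", ()))
        if exposed:
            findings.append(f"{name}: cleartext administrative access enabled: {', '.join(sorted(exposed))}")
    return findings


# Constructed sample configuration for demonstration only.
SAMPLE_INTERFACES = [
    {"name": "port1", "ip": "192.0.2.1/24", "mode": "static", "mtu": 1500, "access": {"HTTPS", "SSH", "PING"}},
    {"name": "port2", "ip": "192.0.2.130/24", "mode": "static", "mtu": 1500, "access": {"HTTPS"}},
    {"name": "port3", "ip": "198.51.100.1/255.255.255.0", "mode": "pppoe", "mtu": 1500, "access": {"HTTP", "TELNET"}},
]

if __name__ == "__main__":
    for line in check_interface_config(SAMPLE_INTERFACES):
        print(line)
```

Run against the sample, the check reports port2 for sharing 192.0.2.0/24 with port1, port3 for an MTU above the PPPoE limit, and port3 again for HTTP and TELNET access; a clean configuration returns an empty list.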

Dedicated management interface


The ability to dedicate an interface for management simplifies configuration in transparent network deployments.
The management interface can be fixed to an interface and a specific routing policy defined, separate to the
transparent bridge. IPv6 is supported.

To dedicate an interface to management

1. Go to System > Network > Interfaces.


2. Select an interface to edit, and enable Dedicated Management Port.
3. If necessary, specify Trusted Hosts.

DNS settings
Several FortiCache functions use DNS, including alert email. You can specify the IP addresses of the DNS
servers to which your unit connects. DNS server IP addresses are usually supplied by your ISP. To configure DNS
settings select System > Network > DNS.

Configure the following settings:

Primary DNS Server Enter the primary DNS server IP address.

Secondary DNS Server Enter the secondary DNS server IP address.

Local Domain Name Enter the domain name to append to addresses with no domain portion
when performing DNS lookups.


Routing table
If the unit is operating in Transparent mode, you can go to System > Network > Routing Table to add static
routes to control the flow of traffic through the unit.

Create New Creates a new static or IPv6 route.

Edit Modifies settings within the static route.

Delete Removes a static route from the list.


To remove multiple static routes from within the list, on the Static Route
page, in each of the rows of the routes you want removed, select the check
box and then select Delete.
To remove all static routes from the list, on the Static Route page, select
the check box in the check box column and then select Delete.

Column Settings Select to add, remove, or change the order of information columns. By default, the Priority and Distance columns are not displayed.

IP/Netmask The destination IP addresses and network masks of packets that the
FortiCache unit intercepts.

Gateway The IP addresses of the next-hop routers to which intercepted packets are forwarded.

Device The interface or port number the static route is configured to.

Comment A description of the route (optional).

Distance The administrative distance of the static route. When multiple routes exist to the same destination, the route with the smallest distance is preferred. Routes with the same distance will be considered as equal-cost multi-path (ECMP).

Priority A number for the priority of the static route. Routes with a larger number will have a lower priority. Routes with the same distance and priority will be considered as ECMP.

Adding a static route


Selecting Create New opens the New Static Route page, which provides settings for configuring a new static
route. Selecting a route from the route list opens the Edit Static Route page.

Destination IP/Mask Enter the IP address and netmask of the new static route. To create a
default route, set the IP and netmask to 0.0.0.0/0.0.0.0.

Device Select the static route's interface or port number.

Gateway Enter the gateway IP address for those packets that you intend the unit to
intercept.


Administrative Distance Enter a number to determine the cost of the route. When multiple paths exist to the same destination, smaller distances are preferred.

Comments Enter a description up to 63 characters to describe the new route.

Advanced Options Select to show the Priority option.

Priority Enter a number for the priority of the static route. Routes with a larger
number will have a lower priority.
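The Distance and Priority rules above, as an added example that is not FortiCache code: a small route selector that narrows candidates by longest prefix (standard forwarding behaviour, assumed here rather than stated by the guide), then by smallest administrative distance, then by smallest priority number, and reports an ECMP set when several routes tie. The route table, gateways, interface names and the default distance of 10 are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticRoute:
    destination: str  # "IP/Netmask" as entered in the GUI; "0.0.0.0/0.0.0.0" is the default route
    gateway: str
    device: str
    distance: int = 10  # assumed default; smaller is preferred
    priority: int = 0   # larger number means lower priority

    @property
    def network(self):
        return ipaddress.ip_network(self.destination, strict=False)


def select_routes(routes, dst_ip):
    """Return the route(s) that would forward dst_ip.

    Longest prefix wins first (assumed standard behaviour), then the smallest
    administrative distance, then the smallest priority number. Whatever is
    left shares distance and priority and therefore forms an ECMP set.
    """
    ip = ipaddress.ip_address(dst_ip)
    candidates = [r for r in routes if ip in r.network]
    if not candidates:
        return []
    best_prefix = max(r.network.prefixlen for r in candidates)
    candidates = [r for r in candidates if r.network.prefixlen == best_prefix]
    best_distance = min(r.distance for r in candidates)
    candidates = [r for r in candidates if r.distance == best_distance]
    best_priority = min(r.priority for r in candidates)
    return [r for r in candidates if r.priority == best_priority]


def is_ecmp(routes, dst_ip):
    """True when more than one route shares the best distance and priority for dst_ip."""
    return len(select_routes(routes, dst_ip)) > 1


# Constructed sample routing table for demonstration only.
SAMPLE_ROUTES = [
    StaticRoute("0.0.0.0/0.0.0.0", "203.0.113.1", "port1"),
    StaticRoute("0.0.0.0/0.0.0.0", "203.0.113.129", "port2"),          # same distance and priority: ECMP with port1
    StaticRoute("10.0.0.0/255.0.0.0", "192.0.2.254", "port3"),
    StaticRoute("10.0.0.0/255.0.0.0", "172.16.0.254", "port4", priority=5),  # same distance, lower priority
    StaticRoute("10.1.0.0/16", "198.51.100.254", "port5", distance=20),      # more specific, so it still wins
]

if __name__ == "__main__":
    for dst in ("8.8.8.8", "10.2.3.4", "10.1.2.3"):
        chosen = select_routes(SAMPLE_ROUTES, dst)
        print(dst, [r.device for r in chosen], "ECMP" if len(chosen) > 1 else "")
```

With the sample table, traffic to 8.8.8.8 is shared across the two default routes, 10.2.3.4 goes out port3 because port4 has the larger priority number, and 10.1.2.3 goes out port5 despite its larger distance because the /16 is more specific than the /8.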

Configuration

This section provides features for configuring and viewing advanced network settings, such as HA cluster and
interface settings, SNMPv1/v2 and v3, FortiGuard Web Filtering settings, replacement messages, and
messaging servers.

This section describes:

l High availability
l SNMP settings
l Replacement Messages
l FortiGuard settings
l Features
l Messaging servers

High availability
FortiCache HA provides a system management solution which synchronizes configuration changes among the
clustering members. You can fine tune the performance of the HA cluster to change how a cluster forms and
shares information among clustering members.

The HA heartbeat keeps cluster units communicating with each other. The heartbeat consists of hello packets
that are sent at regular intervals by the heartbeat interface of all cluster units. These hello packets describe the
state of the cluster unit and are used by other cluster units to keep all the units synchronized.

HA heartbeat packets are non-TCP packets that use Ethertype values 0x8890, 0x8891, and 0x8893. The default
time interval between HA heartbeats is 200 ms.

Your FortiCache can be configured as a Standalone unit or you can pair multiple FortiCache devices in an Active-
Active HA cluster for load balancing and failover protection. To configure HA and cluster settings, or to view the
cluster member list, select System > Config > HA.


Configure the following settings:

Mode Select the mode: Standalone or Active-Active from the drop-down menu.

Device Priority You can set a different device priority for each cluster member to control the order in which cluster units become the primary unit when the primary unit fails. The device with the highest device priority becomes the primary unit. The default value is 128.

Cluster Settings

Group Name Use the group name to identify the cluster.

Password Enter a password to identify the HA cluster. The maximum password length
is 15 characters. The password must be the same for all cluster FortiCache
units before the FortiCache units can form the HA cluster.
The default is no password. When the cluster is operating, you can add a
password, if required. Two clusters on the same network must have
different passwords.

Port Monitor Select the specific ports to monitor.

Heartbeat Interface Select to enable or disable the HA heartbeat communication for each interface in the cluster, then set the heartbeat interface priority. The heartbeat interface with the highest priority processes all heartbeat traffic. You must select at least one heartbeat interface. If the interface functioning as the heartbeat fails, the heartbeat is transferred to another interface configured as a Heartbeat interface. If heartbeat communication is interrupted, the cluster stops processing traffic. Priority ranges from 0 to 512.


SNMP settings
The Simple Network Management Protocol (SNMP) allows you to monitor hardware on your network. You can
configure the hardware, such as the FortiCache SNMP agent, to report system information and traps.

SNMP traps alert you to events that happen, such as a log disk becoming full, or a virus being detected. These
traps are sent to the SNMP managers. An SNMP manager (or host) is typically a computer running an application
that can read the incoming traps and event messages from the agent, and send out SNMP queries to the SNMP
agents. A FortiManager unit can act as an SNMP manager to one or more FortiCache units.

By using an SNMP manager, you can access SNMP traps and data from any FortiCache interface configured for
SNMP management access. Part of configuring an SNMP manager is to list it as a host in a community on the
FortiCache unit it will be monitoring. Otherwise, the SNMP monitor will not receive any traps from, and be unable
to query, that FortiCache unit.

When using SNMP, you must also ensure you have added the correct Management Information Base (MIB) files
to your SNMP manager, regardless of whether or not it already includes standard and private MIBs in a ready-to-use,
compiled database. A MIB is a text file that describes a list of SNMP data objects used by the SNMP manager.
See Fortinet MIBs on page 37 for more information.

The FortiCache SNMP implementation is read-only. SNMP v1, v2c, and v3 compliant SNMP managers have
read-only access to FortiCache system information through queries, and can receive trap messages from the
unit.

The FortiCache SNMP v3 implementation includes support for queries, traps, authentication, and privacy.
Authentication and encryption are configured in the CLI.

SNMP configuration
Before a remote SNMP manager can connect to the FortiCache agent, you must configure one or more
FortiCache interfaces to accept SNMP connections. Interfaces are configured in System > Network > Interface,
see Interfaces on page 23.

For security reasons it is recommended that neither “public” nor “private” be used for
SNMP community names.

When the unit is in virtual domain mode, SNMP traps can only be sent on interfaces in
the management virtual domain.

If you want to allow SNMP access on an interface, you must go to System > Network > Interfaces, and select SNMP in the Administrative Access field in the settings for the interface that you want the SNMP manager to connect to.

The following are SNMP configuration settings in System > Config > SNMP.


Configure the following settings:

SNMP Agent Enable the FortiCache SNMP agent.

Description Enter descriptive information about the unit. The description can be up to 35 characters long.

Location Enter the physical location of the unit. The system location description can
be up to 35 characters long.

Contact Enter the contact information for the person responsible for this unit. The contact information can be up to 35 characters.

Apply Saves changes made to the description, location, and contact information.

SNMP v1/v2c Lists the communities for SNMP v1/v2c. From within this section you can create, edit or remove SNMP communities.

Create New Creates a new SNMP community. When you select Create New, you are automatically redirected to the New SNMP Community page. See Manage SNMP communities on page 34.

Edit Modifies settings within an SNMP community. When you select Edit, you are automatically redirected to the Edit SNMP Community page.

Delete Removes an SNMP community from the list.


To remove multiple SNMP communities from the list, select all the rows
you want removed, then select Delete.
To remove all communities from the list, select the check box in the check
box column and then select Delete.

Community Name The name of the community.

Queries Indicates whether queries protocols (v1 and v2c) are enabled or disabled. A
green checkmark indicates that queries are enabled; a gray x indicates that
queries are disabled. If one query is disabled and another one enabled,
there will still be a green checkmark.


Traps Indicates whether trap protocols (v1 and v2c) are enabled or disabled. A green checkmark indicates that traps are enabled; a gray x indicates that traps are disabled. If one trap protocol is disabled and the other enabled, there will still be a green checkmark.

Enable Select the check box to enable or disable the community.

SNMP v3 Lists the SNMPv3 users. From within this section, you can edit, create or remove an SNMPv3 user.

Create New Creates a new SNMPv3 user. When you select Create New, you are automatically redirected to the Create New SNMPv3 User page.

Edit Modifies settings within the SNMPv3 user. When you select Edit, you are automatically redirected to the Edit SNMPv3 User page.

Delete Removes an SNMPv3 user from the page.


To remove multiple SNMPv3 users from the list, select all the rows you
want removed, then select Delete.
To remove all users from the list, select the check box in the check box
column and then select Delete.

User Name The name of the SNMPv3 user.

Security Level The security level of the user.

Notification Host The IP address or addresses of the host.

Queries Indicates whether queries are enabled or disabled. A green checkmark indicates that queries are enabled; a gray x indicates that queries are disabled.

FortiCache SNMP MIB Download the FortiCache MIB file by selecting Download FortiCache MIB File. See Fortinet MIBs on page 37.

SNMP agent
The FortiCache SNMP agent must be enabled before configuring other SNMP options. Enter information about
the FortiCache unit to identify it so that when your SNMP manager receives traps from the FortiCache unit, you
will know which unit sent the information.

To configure the SNMP agent:

1. Go to System > Config > SNMP.


2. Enable the SNMP agent by selecting Enable in the SNMP Agent field.
3. Enter a descriptive name for the agent and the location of the FortiCache unit.
4. Enter a contact or administrator for the SNMP Agent or FortiCache unit.
5. Select Apply.


To configure the SNMP agent with the CLI:

Enter the following CLI commands:


config system snmp sysinfo
set status enable
set contact-info <contact_information>
set description <description_of_FortiCache>
set location <FortiCache_location>
end

Manage SNMP communities


An SNMP community is a grouping of devices for network administration purposes. Within that SNMP
community, devices can communicate by sending and receiving traps and other information. One device can
belong to multiple communities, such as one administrator terminal monitoring both a firewall SNMP and a
printer SNMP community.

Add SNMP communities to your FortiCache unit so that SNMP managers can view system information and
receive SNMP traps. You can add up to three SNMP communities. Each community can have a different
configuration for SNMP queries and traps, and can be configured to monitor the FortiCache unit for a different set
of events. You can also add the IP addresses of up to 8 SNMP managers to each community.

Selecting Create New on the SNMP v1/v2c table opens the New SNMP Community page, which provides
settings for configuring a new SNMP community. Selecting a community from the list opens the Edit SNMP
Community page.

Configure the following settings:


Community Name Enter a name to identify the SNMP community.

Hosts Settings for configuring the hosts of an SNMP community.

IP Address / Netmask Enter the IP address / netmask of the SNMP managers that can use the settings in this SNMP community to monitor the unit.
You can also set the IP address to 0.0.0.0 so that any SNMP manager can use this SNMP community. Because the community name is the only credential presented by an SNMP v1 or v2c manager, restrict the hosts to the addresses of your SNMP managers rather than using 0.0.0.0.

Interface Optionally select the name of the interface that this SNMP manager uses to connect to the unit. You only have to select the interface if the SNMP manager is not on the same subnet as the unit. This can occur if the SNMP manager is on the Internet or behind a router.

Delete Removes an SNMP manager from the list within the Hosts section.

Add Select to add a blank line to the Hosts list. You can add up to eight SNMP managers to a single community.

Queries Settings for configuring ports for both v1 and v2c.

Protocol The SNMP protocol.

Port Enter the port number (161 by default) that the SNMP managers in this
community use for SNMP v1 and SNMP v2c queries to receive
configuration information from the unit.
The SNMP client software and the unit must use the same port for queries

Enable Select to activate queries for the SNMP version.

Traps Settings for configuring local and remote ports for both v1 and v2c.

Protocol The SNMP protocol.

Local Enter the local port number (162 by default) from which the unit sends SNMP v1 or SNMP v2c traps to the SNMP managers in this community.
The SNMP client software and the unit must use the same port for traps.

Enter the remote port number (162 by default) that the unit uses to send
Remote SNMP traps to the SNMP managers in this community.
The SNMP client software and the unit must use the same port for traps.

Enable Select to activate traps for each SNMP version.


SNMP Event Enable each SNMP event for which the unit should send traps to the SNMP managers in this community.
Notes:

l The CPU Overusage traps sensitivity is slightly reduced, by spreading values out over 8 polling cycles. This prevents sharp spikes due to CPU intensive short-term events such as changing a policy.
l The Power Supply Failure event trap is available only on some models.
l The AMC interfaces enter bypass mode event trap is available only on models that support AMC modules.

Manage SNMP v3 users


Selecting Create New on the SNMP v3 table opens the Create New SNMP V3 User page, which provides
settings for configuring a new SNMP v3 user. Selecting a user name from the user list opens the Edit SNMP V3
User page.

Configure the following settings:

User Name Enter the name of the user.

Security Level Select the type of security level the user will have. The options include:

l No Authentication, No Private
l Authentication, No Private
l Authentication, Private

Auth Algorithm Select an authentication algorithm from the drop-down list; either MD5 or
SHA1. Enter a password in the requisite Password field. Prefer SHA1; MD5 is the weaker of the two.
This option is not available if the security level is set to No Authentication,
No Private.


Private Algorithm Select a private algorithm from the drop-down list; either AES or DES. Enter a password in the requisite Password field. Prefer AES; DES is the weaker of the two. This option is only available if the security level is set to Authentication, Private, which is the only level that protects the queries and traps on the wire.

Notification Host Enter the IP address of the notification host. If you want to add more than
one host, select the plus sign to add another host. Up to 16 hosts can be
added.

Enable Query Select to enable or disable the query. By default, the query is enabled. Enter the port number in the Port field (161 by default).

Events Select the SNMP events that will be associated with the user.

Fortinet MIBs
The FortiCache SNMP agent supports Fortinet proprietary MIBs, as well as standard RFC 1213 and RFC 2665
MIBs. RFC support includes support for the parts of RFC 2665 (Ethernet-like MIB) and the parts of RFC 1213
(MIB II) that apply to FortiCache unit configuration.

There are two MIB files for FortiCache units; both files are required for proper SNMP data collection:

l The Fortinet MIB: contains traps, fields, and information that is common to all Fortinet products.
l The FortiCache MIB: contains traps, fields, and information that is specific to FortiCache units.
The Fortinet and FortiCache MIB files are available for download on the Fortinet Customer Support site. Each
Fortinet product has its own MIB – if you use other Fortinet products, you need to download their MIB files as
well.

The Fortinet MIB and FortiCache MIB, along with the two RFC MIBs, are listed in the table below.

To download the MIB files, go to System > Config > SNMP and select a MIB link in the FortiCache SNMP MIB
section.

Your SNMP manager may already include standard and private MIBs in a compiled database that is ready to use.
You must add the Fortinet proprietary MIB to this database to have access to the Fortinet specific information.

MIB files are updated for each version of FortiCache. When upgrading the firmware
ensure that you update the Fortinet FortiCache MIB file compiled in your SNMP
manager as well.

MIB file name or RFC Description

FORTINET-CORE-MIB.mib The Fortinet MIB includes all system configuration information and trap
information that is common to all Fortinet products. Your SNMP manager
requires this information to monitor FortiCache unit configuration settings
and receive traps from the FortiCache SNMP agent.


FORTINET-FORTICACHE-MIB.mib The FortiCache MIB includes all system configuration information and trap information that is specific to FortiCache units. Your SNMP manager requires this information to monitor FortiCache configuration settings and receive traps from the FortiCache SNMP agent. FortiManager systems require this MIB to monitor FortiCache units.

RFC-1213 (MIB II) The FortiCache SNMP agent supports the majority of MIB II OIDs.

RFC-2665 (Ethernet-like MIB) The FortiCache SNMP agent supports Ethernet-like MIB information. FortiCache SNMP does not support the dot3Tests and dot3Errors groups.

SNMP get command syntax


Normally, to get configuration and status information for a FortiCache unit, an SNMP manager would use an
SNMP get command to get the information in a MIB field. The SNMP get command syntax would be similar to:
snmpget -v2c -c <community_name> <address_ipv4> {<OID> | <MIB_field>}
where:

l <community_name> refers to the SNMP community name added to the FortiCache configuration. You can
add more than one community name to a FortiCache SNMP configuration. The most commonly used
community name is public.
l <address_ipv4> is the IP address of the FortiCache interface that the SNMP manager connects to
l {<OID> | <MIB_field>} is the object identifier (OID) for the MIB field or the MIB field name itself.
For example, to query the firmware version running on the FortiCache unit, the following command could be
issued
snmpget -v2c -c public 10.10.10.1 1.3.6.1.4.1.12356.109.4.1.1.0
In this example, the community name is public, the IP address of the interface configured for SNMP
management access is 10.10.10.1. The firmware version is queried via the MIB field fchSysVersion, the
OID for which is 1.3.6.1.4.1.12356.109.4.1.1.0.

The value returned is a string with a value of v2.0,build0225,130213.
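The snmpget line above is what the manager sends on the wire as a single UDP datagram to port 161. The following added example, which is not FortiCache or Net-SNMP code, builds that SNMPv2c GetRequest byte for byte with a small BER encoder, parses the GetResponse the agent returns, and shows how the fchSysVersion OID is encoded (the sub-identifier 12356 needs two base-128 bytes, E0 44). Only the OID and the sample version string are taken from the guide; the request id, the constructed reply, the helper names and the socket wrapper are assumptions. Note that the community name sits in the message as a plain OCTET STRING: it is the only credential a v1/v2c manager presents, which is why the guide advises against the default names.

```python
import socket

FCH_SYS_VERSION_OID = "1.3.6.1.4.1.12356.109.4.1.1.0"  # fchSysVersion, as quoted in the guide
SNMP_V2C = 1  # version field value for v2c (v1 uses 0)


def _ber_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _ber_length(len(payload)) + payload


def _encode_int(value):
    # Minimal two's-complement INTEGER; request ids and error codes are non-negative.
    return _tlv(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True))


def encode_oid(oid):
    """Dotted OID -> BER OBJECT IDENTIFIER TLV (first two arcs packed, base-128 sub-identifiers)."""
    arcs = [int(a) for a in oid.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID")
    out = bytearray()
    for sub in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [sub & 0x7F]
        sub >>= 7
        while sub:  # continuation bytes carry the high bit; 12356 becomes E0 44
            chunk.append(0x80 | (sub & 0x7F))
            sub >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def decode_oid(payload):
    """BER OID payload (without tag and length) -> dotted string."""
    subids, cur = [], 0
    for b in payload:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(cur)
            cur = 0
    head = [subids[0] // 40, subids[0] % 40] if subids[0] < 80 else [2, subids[0] - 80]
    return ".".join(str(x) for x in head + subids[1:])


def _read_tlv(data, pos):
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _message(pdu_tag, community, request_id, varbind):
    # PDU: request-id, error-status, error-index, then a SEQUENCE holding one varbind SEQUENCE.
    pdu = _tlv(pdu_tag, _encode_int(request_id) + _encode_int(0) + _encode_int(0)
               + _tlv(0x30, _tlv(0x30, varbind)))
    return _tlv(0x30, _encode_int(SNMP_V2C) + _tlv(0x04, community.encode()) + pdu)


def build_get_request(community, oid, request_id=0x1234):
    """Bytes of the datagram `snmpget -v2c -c <community> <host> <oid>` sends to UDP port 161."""
    return _message(0xA0, community, request_id, encode_oid(oid) + b"\x05\x00")  # NULL value


def build_get_response(community, oid, value, request_id=0x1234):
    """Constructed GetResponse carrying an OCTET STRING, shaped like the agent's reply."""
    return _message(0xA2, community, request_id, encode_oid(oid) + _tlv(0x04, value.encode()))


def parse_get_response(message):
    """Return the version, community, request id, error status and first varbind of a GetResponse."""
    _, body, _ = _read_tlv(message, 0)
    _, version, pos = _read_tlv(body, 0)
    _, community, pos = _read_tlv(body, pos)
    tag, pdu, _ = _read_tlv(body, pos)
    if tag != 0xA2:
        raise ValueError("not a GetResponse PDU")
    _, rid, pos = _read_tlv(pdu, 0)
    _, err, pos = _read_tlv(pdu, pos)
    _, _idx, pos = _read_tlv(pdu, pos)
    _, vb_list, _ = _read_tlv(pdu, pos)
    _, vb, _ = _read_tlv(vb_list, 0)
    _, oid_payload, pos = _read_tlv(vb, 0)
    vtag, vpayload, _ = _read_tlv(vb, pos)
    return {
        "version": int.from_bytes(version, "big", signed=True),
        "community": community.decode(),
        "request_id": int.from_bytes(rid, "big", signed=True),
        "error_status": int.from_bytes(err, "big", signed=True),
        "oid": decode_oid(oid_payload),
        "value": vpayload.decode() if vtag == 0x04 else vpayload,  # only OCTET STRING decoded here
    }


def snmp_get(host, community, oid, port=161, timeout=2.0):
    """Run the exchange against a real agent; needs SNMP access enabled on the target interface."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_get_request(community, oid), (host, port))
        data, _ = sock.recvfrom(4096)
    return parse_get_response(data)
```

Everything except snmp_get() runs offline: build_get_request("public", FCH_SYS_VERSION_OID) yields the 45-byte datagram, and feeding a constructed GetResponse through parse_get_response() returns the version string as the varbind value. For a FortiCache unit queried over v3 with Authentication, Private, the same OID is carried inside an encrypted scoped PDU, which is the reason that level is preferable to this cleartext v2c form.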

Replacement Messages
Replacement pages can be customized as required from System > Config > Replacement Messages.


The following settings are available:

Manage Images Select to view the available images and their respective tags.

Simple View / Extended View Select the view. Simple View displays a selection of Security and Authentication messages. Extended View displays all messages. See the table below for a list of all the messages.

Name The message name.

Description The message description.

Modified A checkmark is shown if the message has been modified.

Save Save any customizations that you made to the message.

Restore Default Restore the message back to its default state.

Preview A preview of how the message looks.

Message HTML The HTML code for the message that you can edit.

The following table outlines all of the messages that can be customized, as shown in Extended View :


Category Messages Description

Administrator Post-login Disclaimer Message Replacement message for post-login disclaimer.

Pre-login Disclaimer Message Replacement message for pre-login disclaimer.

Alert Email Block Message Alert email text for block incidents.

Critical Event Message Alert email text for critical event notification.

Disk Full Message Alert email text for disk full events.

Intrusion Message Alert email text for IPS events.

Virus Message Alert email text for virus incidents.

Authentication Success Page Replacement HTML for authentication success page.

Block Notification Page Replacement HTML for block notification page.


Certificate Password Page Replacement HTML for certificate password page.

Declined Disclaimer Page Replacement HTML for user declined disclaimer page.

Disclaimer Page Replacement HTML for authentication disclaimer page.

Email Collection Replacement HTML for email collection page.

Email Collection Invalid Replacement HTML for email collection page after user
Email enters invalid email.

Email Token Page Replacement HTML for email-token authentication page.

FortiToken Page Replacement HTML for FortiToken authentication page.

Guest User Email Template Replacement text for guest-user credentials email
message.

Guest User Print Template Replacement HTML for guest-user credentials print out.

Keepalive Page Replacement HTML for authentication keep-alive page.

Authentication Login Challenge Page Replacement HTML for authentication login-challenge page.

Login Failed Page Replacement HTML for authentication failed page.

Login Page Replacement HTML for authentication login page.

Next FortiToken Page Replacement HTML for next FortiToken authentication page.

Password Expiration Page Replacement HTML for password expiration page.

Portal Page Replacement HTML for post-authentication portal page.

SMS Token Page Replacement HTML for SMS-token authentication page.

Success Message Replacement text for authentication success message.

Replacement HTML for two-factor authentication failed


Two-Factor Login Failed
page.

Two-Factor Login Page Replacement HTML for two-factor authentication login


page

Administration Guide 41
Fortinet Technologies Inc.
Configuration System Administration

Category Messages Description

FortiGuard Block Page Replacement HTML for FortiGuard Webfilter block page.

FortiGuard HTTP Error Page Replacement HTML for FortiGuard Webfilter HTTP error
page.

Replacement HTML for FortiGuard Webfilter override


FortiGuard FortiGuard Override Page
page.
Web Filtering
FortiGuard Quota Page Replacement HTML for FortiGuard Webfilter quota
exceeded block page.

Replacement HTML for FortiGuard Webfilter warning


FortiGuard Warning Page
page.

42 Administration Guide
Fortinet Technologies Inc.
System Administration Configuration

Category Messages Description

Archive Block Message Replacement HTML for HTTP archive block message.

Block Message Replacement HTML for HTTP file block message.

Content Block Message Replacement HTML for content-type block message.

Content Block Page Replacement HTML for HTTP file content block page.

Replacement HTML for HTTP file upload content block


Content Upload Block Page
page.

Replacement HTML for HTTP data-leak detected ban


DLP Ban Message
message.

Invalid Certificate Message Replacement HTML for invalid certificate message.

Replacement HTML for HTTP oversized file block


Oversized File Message
message.
HTTP
Oversized Upload Message Replacement HTML for HTTP oversized file upload block
message.

POST Block Message Replacement HTML for HTTP POST block message.

Previously Infected Block Replacement HTML for HTTP URL previously-infected


Page block page.

Replacement HTML for Switching Protocols Blocked


Switching Protocols Blocked
page.

Upload Archive Block Replacement HTML for HTTP archive upload block
Message message.

Upload Block Message Replacement HTML for HTTP file upload block message.

URL Block Page Replacement HTML for HTTP url blocked page.

URL Filter Error Message Replacement HTML for webfilter service error message.

Administration Guide 43
Fortinet Technologies Inc.
Configuration System Administration

Category Messages Description

Network Quarantine Replacement HTML for network quarantine


Administrative Block Page administrative block page.

Network Quarantine AV Replacement HTML for network quarantine antivirus


Block Page block page.

Network Network Quarantine DLP Replacement HTML for network quarantine DLP block
Quarantine Block Page page.

Network Quarantine DOS Replacement HTML for network quarantine DOS block
Block Page page.

Network Quarantine IPS Replacement HTML for network quarantine IPS block
Block Page page.

Application Control Block


Replacement HTML for application control block page.
Page

DLP Block Message Replacement text for DLP block message.


Security
DLP Block Page Replacement HTML for DLP block page.

Virus Block Message Replacement text for antivirus block message.

Virus Block Page Replacement HTML for antivirus block page.

Web-proxy Web-proxy Authentication Replacement HTML for web-proxy authentication failed


Failed Page page.

Web-proxy Authorization Replacement HTML for web-proxy authorization failed


Failed Page page.

Web-proxy Block Page Replacement HTML for web-proxy block page.

Replacement HTML for web-proxy authentication


Web-proxy Challenge Page
required block page.

Web-proxy HTTP Error Page Replacement HTML for web-proxy HTTP error page.

Web-proxy IP Blackout Page Replacement HTML for web-proxy IP Blackout page.

Web-proxy User Limit Page Replacement HTML for web-proxy user limit block page.

FortiGuard settings
The FortiGuard Distribution Network page provides information and configuration settings for FortiGuard
subscription services. For more information about FortiGuard services, see the FortiGuard Center web page.

To view and configure FortiGuard connections, go to System > Config > FortiGuard.

Configure the following settings:

Support Contract   The availability or status of your unit's support contract. The status displayed can be
                   Unreachable, Not Registered, or Valid Contract.
                   You can update your registration status by selecting Update in the Registration Status row
                   and loading the license file from a location on your management computer.

FortiGuard Subscription Services   The availability or status of your FortiGuard subscription services. The
                   status displayed can be Unreachable, Not Registered, or Valid Contract.
                   You can update the antivirus definitions by selecting Update in the AV Definitions row.

AV & IPS Download Options   Select the expand arrow to expand or hide the section.

Allow Push Update   Select to allow updates to be pushed. If a specific override push IP address is required,
                    select Use override push IP and enter an IP address and port number in the requisite field.

Schedule Update   Select to have scheduled updates, then select when those updates occur: Every 1-23 hours,
                  Daily at a specific hour, or Weekly on a specific day at a specific hour.
                  Select Update Now to send an update request.

Web Filtering Options   Select the expand arrow to expand or hide the section.

Enable webfilter cache   Enable the webfilter cache, then enter the Time To Live (TTL) value. This is the number
                         of seconds the FortiCache unit stores blocked IP addresses or URLs locally, saving time
                         and network traffic by not checking the FortiGuard server. Once the TTL has expired, the
                         FortiCache unit contacts the FDN server again to verify a web address. The TTL must be
                         between 300 and 86400 seconds (3600 by default).

Enable antispam cache   Enable the antispam cache, then enter the TTL value.

Port Selection   Select the port assignments for contacting the FortiGuard servers, either the default port (53)
                 or the alternate port (8888).
                 Select Test Availability to verify the connection using the selected port.

To have a URL's category rating re-evaluated...   Select to re-evaluate a URL's category rating using the
                 Fortinet Live URL Rating system (opens in a new browser window).
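How the webfilter cache TTL behaves, as an added example that is not FortiCache code: a local verdict cache that keeps blocked results for a configurable TTL (checked against the 300 to 86400 second range above) and only asks the rating service again once the entry has expired. The lookup callback, the FakeClock and the hostnames are constructed for the demonstration; the real unit's lookup goes to the FDN server.

```python
import time
from typing import Callable, Dict, Tuple

# Limits from the Web Filtering Options table (seconds).
TTL_MIN, TTL_MAX, TTL_DEFAULT = 300, 86400, 3600


def valid_ttl(ttl: int) -> bool:
    """The GUI only accepts a TTL inside the documented range."""
    return TTL_MIN <= ttl <= TTL_MAX


class BlockedVerdictCache:
    """Keeps 'blocked' verdicts locally for `ttl` seconds so the rating server is not
    asked again for the same URL until the entry expires (constructed example)."""

    def __init__(self, lookup: Callable[[str], bool], ttl: int = TTL_DEFAULT,
                 clock: Callable[[], float] = time.monotonic) -> None:
        if not valid_ttl(ttl):
            raise ValueError("TTL must be between %d and %d seconds" % (TTL_MIN, TTL_MAX))
        self.lookup = lookup            # remote query: returns True when the URL is blocked
        self.ttl = ttl
        self.clock = clock              # injectable so expiry can be exercised without sleeping
        self._blocked: Dict[str, float] = {}   # url -> time the verdict was stored
        self.remote_queries = 0

    def is_blocked(self, url: str) -> bool:
        now = self.clock()
        stored = self._blocked.get(url)
        if stored is not None:
            if now - stored < self.ttl:
                return True             # fresh local entry: no network access
            del self._blocked[url]      # expired: fall through and re-verify with the server
        blocked = self.lookup(url)
        self.remote_queries += 1
        if blocked:                     # only blocked verdicts are kept, as the table describes
            self._blocked[url] = now
        return blocked


class FakeClock:
    """Constructed manual clock for the demonstration."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def demo() -> Tuple[int, int, int]:
    """Returns (queries after two hits inside the TTL, queries after expiry,
    queries for a URL that is not blocked and therefore never cached)."""
    clock = FakeClock()
    cache = BlockedVerdictCache(lambda url: url.startswith("blocked."), clock=clock)
    cache.is_blocked("blocked.example")           # remote query 1, verdict stored
    clock.now = 10
    cache.is_blocked("blocked.example")           # served from the local cache
    within_ttl = cache.remote_queries             # 1
    clock.now = TTL_DEFAULT + 11
    cache.is_blocked("blocked.example")           # expired: remote query 2
    after_expiry = cache.remote_queries           # 2
    cache.is_blocked("allowed.example")           # allowed verdicts are not cached,
    cache.is_blocked("allowed.example")           # so both calls reach the server
    allowed_queries = cache.remote_queries - after_expiry   # 2
    return within_ttl, after_expiry, allowed_queries


if __name__ == "__main__":
    print(demo())
```

A longer TTL saves lookups but also means a URL that has been re-rated on the server keeps its old local verdict until the entry expires, which is the trade-off behind the 86400 second ceiling.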

Disk settings
This page shows the FortiCache's local storage. The example below shows four configurable 1 TB hard disk
drives.

Disks can be customized as required from System > Config > Disk.

Each disk displays the following information:

Format Disk   Select to .

Feature   The following features are shown:
          l Logging and Archiving can be configured by the following:
            l Disk Logging
            l DLP Archive
          l WAN Optimization & Web Cache
            You can change WAN Optimization Storage Settings per disk.

Storage Size   Displays the storage allocated for a particular feature (in GB).

Allocated   Displays how much storage is allocated to a particular feature (in MB).

Used   Displays how much storage has been used by a particular feature (in MB).

Quota Usage   Displays as a percentage how much of the disk's storage has been used.

Quota Settings   Select which disk is responsible for Logging and Archiving and configure Disk Logging and DLP
                 Archive storage values.

Features
Various FortiCache features can be enabled or disabled as required. Disabled features are not shown in the GUI.

Go to System > Config > Features to configure the visibility of the features.

The following options can be turned on or off by clicking anywhere within their rectangles:

WAN Opt. & Cache   Controls the visibility of the WAN Opt. and Cache menu.
                   WAN optimization and web caching is used to reduce the amount of bandwidth used by traffic on
                   your WAN. See .

AntiVirus   Controls the visibility of the Security Profiles > AntiVirus menu.
            Remove viruses, analyze suspicious files with FortiGuard Sandbox, apply botnet protection to network
            traffic, and set up antivirus profiles and add them to firewall policies. See .

Web Filter   Controls the visibility of the Security Profiles > Web Filter menu.
             Apply web category, URL, and content filtering to control users' access to web resources. Set up
             profiles and add them to firewall policies.

DLP   Controls the visibility of the Security Profiles > Data Leak Prevention menu.
      Prevent sensitive data, like credit card numbers, from leaving or entering your network, and set up Data
      Leak Prevention (DLP) sensors and add them to firewall policies.

Explicit Proxy   Controls the visibility of the Firewall Objects > Web Proxy menu, and the Enable Explicit Web
                 Proxy option on the Edit Interface page.
                 Enable HTTP, HTTPS, or FTP proxies for your network, that can be added to interfaces. Create
                 security policies to control access to the proxy and apply UTM and other features to proxy
                 traffic. Users on the network must configure their browsers to use the proxy.

Certificates   Controls the visibility of the System > Certificates menu. Change the certificates used for SSL
               inspection, SSL load balancing, SSL-VPN, IPsec VPN, and authentication. If not enabled, default
               FortiCache certificates will be used. See .

ICAP   Controls the visibility of the Security Profiles > ICAP (Internet Content Adaptation Protocol) menu.
       Offload services to an external server. These services can include: Ad insertion, virus scanning, content
       and language translation, HTTP header or URL manipulation, and content filtering. Set up profiles and add
       them to security policies.

Implicit Firewall Policies   Controls the visibility of implicit firewall policies that deny all traffic. You can
                             edit an implicit policy and enable logging to record log messages when the implicit
                             policy denies a session.

Messaging servers
To configure a messaging server, use the following CLI commands:
config system email-server
    set type                    --Configure a custom email server.
    set reply-to                --Enter the default reply-to email address.
    set server <IP or hostname> --Enter the name or address of the SMTP email server.
    set port                    --Set the SMTP server port.
    set source-ip               --Set the IPv4 source address used to connect to the SMTP server.
    set source-ip6              --Set the IPv6 source address used to connect to the SMTP server.
    set authenticate            --Enable/disable authentication.
    set security                --Set connection security.
next
end

Administration settings

The Admin menu provides settings for configuring administrators and their profiles, as well as basic
administrative settings such as changing the default language.

This section describes:

l Administrators
l Administrative profiles
l Settings

Always end your FortiCache session by logging out, regardless of whether you are in
the CLI or the GUI. If you do not log out, the session remains open.

Administrators
Administrators are configured in System > Admin > Administrators . There is already a default administrator
account on the unit named admin that uses the super_admin administrator profile.

You need to use the default admin account, an account with the super_admin admin profile, or an administrator
with read-write access control to add new administrator accounts and control their permission levels. If you log in
with an administrator account that does not have the super_admin admin profile, the administrators list will show
only the administrators for the current virtual domain.

The Administrators page lists the default super-admin administrator account, and all administrator accounts that
you have created.

Create New   Creates a new administrator account.

Edit   Modifies settings within an administrator's account. When you select Edit, you are automatically
       redirected to the Edit Administrator page.

Delete   Removes an administrator account.
         You cannot delete the original admin account until you create another user with the super_admin
         profile, log out of the admin account, and log in with the alternate user that has the super_admin
         profile.
         To remove multiple administrator accounts, select multiple rows in the list by holding down the Ctrl
         or Shift keys, then select Delete.

Name   The login name for an administrator account.

Trusted Hosts   The IP address and netmask of trusted hosts from which the administrator can log in.

Profile   The admin profile for the administrator.

Type   The type of authentication for this administrator, one of:
       l Local: Authentication of an account with a local password stored on the FortiCache unit.
       l Remote: Authentication of a specific account on a RADIUS, Lightweight Directory Access Protocol
         (LDAP), or Terminal Access Controller Access-Control System (TACACS+) server.
       l Remote+Wildcard: Authentication of any account on an LDAP, RADIUS, or TACACS+ server.
       l PKI: PKI-based certificate authentication of an account.

Comments   The comments about the administrator account.

Right-click on any column heading to adjust the visible columns or reset all the columns to their default settings.

Adding a new administrator

Select Create New to open the New Administrator page. It provides settings for configuring an administrator
account. When you are configuring an administrator account, you can enable authentication for an admin from an
LDAP, RADIUS, or local server.

Configure the following settings:

Administrator   Enter the login name for the administrator account.
                The name of the administrator should not contain the characters <, >, (, ), #, ", or '. Using
                these characters in the administrator account name can result in a cross site scripting (XSS)
                vulnerability.

Type   Select the type of administrator account: Regular, Remote, or PKI.

Regular   Select to create a Local administrator account.

Remote   Select to authenticate the administrator using a RADIUS, LDAP, or TACACS+ server. Server
         authentication for administrators must be configured first.

PKI   Select to enable certificate-based authentication for the administrator.
      Only one administrator can be logged in with PKI authentication enabled.

User Group   Select the administrator user group that includes the Remote server/PKI (peer) users as members
             of the User Group. The administrator user group cannot be deleted once the group is selected for
             authentication.
             This option is only available if Type is Remote or PKI.

Wildcard   Select to allow all accounts on the RADIUS, LDAP, or TACACS+ server to be administrators.
           This option is only available if Type is Remote.

Password   Enter a password for the administrator account. For improved security, the password should be at
           least 6 characters long.
           This option is only available if Type is Regular.

Backup Password   Enter a backup password for the administrator account. For improved security, the password
                  should be at least 6 characters long.
                  This option is only available if Type is Remote and Wildcard is not selected.

Confirm Password   Type the password for the administrator account a second time to confirm that you have
                   typed it correctly.
                   This option is not available if Type is PKI or Wildcard is selected.

Comments   Optionally, enter comments about the administrator.

Admin Profile   Select the admin profile for the administrator. You can also select Create New to create a new
                admin profile.

Restrict this Admin Login from Trusted Hosts Only   Select to restrict this administrator login to specific
                trusted hosts, then enter the trusted hosts IP addresses and netmasks. You can specify up to ten
                trusted hosts. These addresses all default to 0.0.0.0/0 or 0.0.0.0/0.0.0.0.

Regular (password) authentication for administrators

You can use a password stored on the local unit to authenticate an administrator. When you select Regular for
Type, you will see Local as the entry in the Type column when you view the list of administrators.

Using trusted hosts

Setting trusted hosts for all of your administrators increases the security of your network by further restricting
administrative access. In addition to knowing the password, an administrator can connect only through the subnet
or subnets that you specify. You can even restrict an administrator to a single IP address if you define only one
trusted host IP address with a netmask of 255.255.255.255.


When you set trusted hosts for all administrators, the unit does not respond to administrative access attempts
from any other hosts. This provides the highest security. If you leave even one administrator unrestricted, the unit
accepts administrative access attempts on any interface that has administrative access enabled, potentially
exposing the unit to attempts to gain unauthorized access.

The trusted hosts you define apply to the GUI, Ping, SNMP, and the CLI when accessed through Telnet or SSH.
CLI access through the console port is not affected.

The trusted host addresses all default to 0.0.0.0/0.0.0.0. If you set one of the zero addresses to a non-zero
address, the other zero addresses will be ignored. The only way to use a wildcard entry is to leave the trusted
hosts at 0.0.0.0/0.0.0.0. However, this configuration is less secure.
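The trusted-host rules above, as an added example that is not FortiCache code: a matcher that applies the ten-slot limit, the "address/netmask" form, and the rule that zero addresses are ignored as soon as one slot holds a non-zero address, plus an audit helper that lists administrators whose effective list is still the wildcard. The administrator names and addresses are constructed for the example.

```python
import ipaddress
from typing import Dict, List

# Each administrator has up to ten trusted-host slots; an unused slot holds the wildcard.
MAX_TRUSTED_HOSTS = 10
WILDCARD = "0.0.0.0/0.0.0.0"


def parse_trusted_host(entry: str) -> ipaddress.IPv4Network:
    """Accepts the page's 'address/netmask' form (e.g. 10.0.1.5/255.255.255.255)
    as well as prefix notation (10.0.1.0/24)."""
    return ipaddress.IPv4Network(entry, strict=False)


def effective_trusted_hosts(entries: List[str]) -> List[ipaddress.IPv4Network]:
    """Once any slot holds a non-zero address, the remaining 0.0.0.0/0.0.0.0 slots are
    ignored; only a list made entirely of zero addresses acts as a wildcard."""
    if len(entries) > MAX_TRUSTED_HOSTS:
        raise ValueError("at most %d trusted hosts per administrator" % MAX_TRUSTED_HOSTS)
    nets = [parse_trusted_host(e) for e in entries]
    specific = [n for n in nets if n.prefixlen > 0 or int(n.network_address) != 0]
    return specific if specific else [parse_trusted_host(WILDCARD)]


def is_trusted(entries: List[str], source_ip: str) -> bool:
    """Would a management connection from source_ip be accepted for this administrator?"""
    addr = ipaddress.IPv4Address(source_ip)
    return any(addr in net for net in effective_trusted_hosts(entries))


def unrestricted_admins(admins: Dict[str, List[str]]) -> List[str]:
    """Audit helper: administrators whose effective list is still the wildcard. The text
    warns that one such account makes the unit answer management attempts from any host."""
    wildcard = parse_trusted_host(WILDCARD)
    return sorted(name for name, entries in admins.items()
                  if effective_trusted_hosts(entries) == [wildcard])


if __name__ == "__main__":
    # Constructed accounts: "admin" was left at the defaults, "netops" is restricted.
    accounts = {"admin": [WILDCARD] * MAX_TRUSTED_HOSTS, "netops": ["10.0.1.0/255.255.255.0"]}
    print("unrestricted:", unrestricted_admins(accounts))
    print("netops from 10.0.1.77:", is_trusted(accounts["netops"], "10.0.1.77"))
    print("netops from 203.0.113.9:", is_trusted(accounts["netops"], "203.0.113.9"))
```

Running the audit helper against an exported administrator list is the quickest way to confirm that no account still answers from any host before relying on trusted hosts as a control.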

Administrative profiles
Each administrator account belongs to an admin profile. The admin profile separates FortiCache features into
access control categories for which an administrator with read-write access can enable none (deny), read only, or
read-write access.

Read-only access for a GUI page enables the administrator to view that page. However, the administrator needs
write access to change the settings on the page.

The admin profile has a similar effect on administrator access to CLI commands. You can access get and show
commands with Read Only access, but access to config commands requires Read-Write access.

When an administrator has read-only access to a feature, the administrator can access the GUI page for that
feature but cannot make changes to the configuration. There are no Create or Apply buttons and lists display
only the View icon instead of icons for Edit, Delete, or other modification commands.

You need to use the admin account or an account with read-write access to create or edit admin profiles.
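The read-only versus read-write distinction described above, as an added example that is not FortiCache code: a small authorization check that maps CLI verbs to the access level they need (get and show need Read Only, config needs Read-Write) and reports which GUI controls a page shows for a given level. The profile names other than super_admin, the command-to-category mapping and the control names are constructed for the example.

```python
from enum import IntEnum
from typing import Dict, List


class Access(IntEnum):
    NONE = 0          # deny
    READ_ONLY = 1
    READ_WRITE = 2


# Constructed profiles keyed by access-control category names from this section.
# "*" stands for every category, which is how the built-in super_admin profile behaves.
PROFILES: Dict[str, Dict[str, Access]] = {
    "super_admin": {"*": Access.READ_WRITE},
    "auditor": {"System Configuration": Access.READ_ONLY, "Log": Access.READ_ONLY},
    "netops": {"Network Configuration": Access.READ_WRITE,
               "Router Configuration": Access.READ_WRITE,
               "Log": Access.READ_ONLY},
}

# CLI verbs and the level each needs, as the text states.
CLI_REQUIRED: Dict[str, Access] = {
    "get": Access.READ_ONLY,
    "show": Access.READ_ONLY,
    "config": Access.READ_WRITE,
}

# Which category a command path falls under (a constructed mapping for the example).
COMMAND_CATEGORY: Dict[str, str] = {
    "system interface": "Network Configuration",
    "router static": "Router Configuration",
    "log syslogd setting": "Log",
    "system admin": "Admin Users",
}


def granted_access(profile_name: str, category: str) -> Access:
    profile = PROFILES[profile_name]
    if "*" in profile:
        return profile["*"]
    return profile.get(category, Access.NONE)   # unlisted category: deny


def authorize_cli(profile_name: str, command_line: str) -> bool:
    """'config system admin' needs Read-Write on Admin Users; unknown verbs or paths are denied."""
    verb, _, path = command_line.strip().partition(" ")
    needed = CLI_REQUIRED.get(verb)
    category = COMMAND_CATEGORY.get(path)
    if needed is None or category is None:
        return False
    return granted_access(profile_name, category) >= needed


def gui_controls(profile_name: str, category: str) -> List[str]:
    """Read-only pages show only View; read-write pages also show the modifying controls."""
    level = granted_access(profile_name, category)
    if level == Access.NONE:
        return []
    if level == Access.READ_ONLY:
        return ["View"]
    return ["Create", "Edit", "Delete", "Apply"]


if __name__ == "__main__":
    for who, cmd in [("auditor", "show log syslogd setting"),
                     ("auditor", "config log syslogd setting"),
                     ("netops", "config system admin")]:
        print(who, repr(cmd), "->", "allowed" if authorize_cli(who, cmd) else "denied")
```

Denying by default for categories a profile does not list is the least-privilege reading of the table: a new category added to the product never silently becomes writable for an existing profile.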

Administrative profile settings

The Admin Profile page lists all administration profiles that you created as well as the default admin profiles. On
this page, you can edit, delete, or create a new admin profile.

To view administrator profiles, go to System > Admin > Admin Profile.

The following options are available:

Create New   Creates a new profile. See Adding an administrator profile on page 53.

Edit   Modifies the selected admin profile's settings. When you select Edit, you are automatically redirected to
       the Edit Admin Profile page.

Delete   Removes the admin profile from the list on the page.
         You cannot delete an admin profile that has administrators assigned to it.
         To remove multiple admin profiles, select multiple rows in the list by holding down the Ctrl or Shift
         keys, then select Delete.

Name   The name of the admin profile.

Comments   Comments about the admin profile.

Ref.   Displays the number of times the object is referenced by other objects.
       To view the location of the referenced object, select the number in Ref.; the Object Usage window opens
       and displays the various locations of the referenced object.

Adding an administrator profile

Select Create New to open the New Admin Profile page. It provides settings for configuring an administrator
profile. When you are editing an existing admin profile, you are automatically redirected to the Edit Admin Profile
page.

Configure the following settings, then select OK to create the new administrator profile:

Profile Name   Enter a name for the new admin profile.

Comments   Optionally, add comments about the admin profile.

Access Control   List of the items for which access control settings can be customized.

None   Deny access to all Access Control categories.

Read Only   Enable read only access in all Access Control categories.

Read-Write   Select to allow read-write access in all Access Control categories.

Access Control (categories)   Make specific access control selections as required.
    l System Configuration
    l Network Configuration
    l Admin Users
    l FortiGuard Update
    l Maintenance
    l Router Configuration
    l Firewall Configuration
    l Policy Configuration
    l Address Configuration
    l Service Configuration
    l Schedule Configuration
    l Other Configuration
    l Security Profile Configuration
    l AntiVirus
    l Web filter
    l User
    l WAN Opt & Cache
    l Log
    l Configuration
    l Data Access

Settings
Use admin settings to configure general settings for web administration access, password policies, idle timeout
settings, and display settings. You can also configure FortiCache Manager support.

Go to System > Admin > Settings to configure administrator settings.

Configure the following settings:

Central Management

FortiCache Manager IP/Domain Name   Provides support for the upcoming FortiCache Manager. You can enable the
                                    communication in FortiCache the same way you would handle a FortiGate
                                    connecting to a FortiManager.

Use FortiCache Manager for all FortiGuard communications   Enable this option to use FortiCache Manager for
                                    all FortiGuard communications.

Administration Settings

HTTP Port   TCP port to be used for administrative HTTP access. The default is 80. Select Redirect to HTTPS to
            force redirection to HTTPS.

HTTPS Port   TCP port to be used for administrative HTTPS access. The default is 443.

Telnet Port   TCP port to be used for administrative telnet access. The default is 23.

SSH Port   TCP port to be used for administrative SSH access. The default is 22.

Idle Timeout   The time after which the GUI logs out an idle administrative session, from 1 to 480 minutes.

Enable Password Policy   Select to enable a password policy.

Minimum Length   Set the minimum acceptable length for passwords, from 8 to 64 characters.

Must contain   Select to require special character types, upper or lower case letters, or numbers. Enter
               information for one or all of the following. Each selected type must occur at least once in the
               password.
               l Upper Case Letters - A, B, C, ... Z
               l Lower Case Letters - a, b, c, ... z
               l Numerical digits - Numbers: 0, 1, 2, ... , 9
               l Non-alphanumeric Letters - Special characters: @, ?, #, ... , %

Apply Password Policy to   Select where to apply the password policy:
               l Admin Password — Apply to administrator passwords. If any password does not conform to the
                 policy, require that administrator to change the password at the next login.
               l IPsec Preshared Key — Apply to IPsec preshared keys.

Enable Password Expiration   Require administrators to change password after a specified number of days. Enter
                             the number of days in the field.
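The password policy above and the character rule for administrator names from Adding a new administrator, as one added example that is not FortiCache code: it checks a candidate password against a policy (minimum length between 8 and 64, at least one occurrence of each selected character class) and lists which administrators would be forced to change their password at the next login; it also flags the forbidden characters in an account name. The policy dictionary, account names and sample passwords are constructed for the example.

```python
import re
from typing import Dict, List

# Characters the Administrator field must not contain, per the table in this section.
FORBIDDEN_NAME_CHARS = frozenset('<>()#"\'')


def admin_name_violations(name: str) -> List[str]:
    """Empty list when the name is acceptable, otherwise one entry per offending character."""
    return ["forbidden character %r" % c for c in sorted(set(name) & FORBIDDEN_NAME_CHARS)]


# One pattern per "Must contain" class from the table above.
CHARACTER_CLASSES: Dict[str, "re.Pattern[str]"] = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}

# Constructed policy: the GUI allows a minimum length of 8 to 64 and any subset of the classes.
DEFAULT_POLICY: Dict[str, object] = {
    "min_length": 8,
    "must_contain": ["upper", "lower", "digit", "special"],
}


def check_password_policy(password: str, policy: Dict[str, object] = DEFAULT_POLICY) -> List[str]:
    """Return the list of violations; an empty list means the password conforms."""
    min_len = int(policy["min_length"])
    if not 8 <= min_len <= 64:
        raise ValueError("minimum length must be between 8 and 64 characters")
    problems: List[str] = []
    if len(password) < min_len:
        problems.append("shorter than %d characters" % min_len)
    for cls in policy["must_contain"]:                    # type: ignore[union-attr]
        if not CHARACTER_CLASSES[cls].search(password):
            problems.append("missing %s character" % cls)
    return problems


def passwords_needing_change(accounts: Dict[str, str],
                             policy: Dict[str, object] = DEFAULT_POLICY) -> List[str]:
    """Administrators whose current password fails the policy and so must change it at next login."""
    return sorted(name for name, pw in accounts.items() if check_password_policy(pw, policy))


if __name__ == "__main__":
    # Constructed sample accounts.
    sample = {"admin": "Tr0ub4dor&3", "netops": "password", "net<ops>": "Abcdef1!"}
    for name in sample:
        print(name, admin_name_violations(name), check_password_policy(sample[name]))
    print("must change at next login:", passwords_needing_change(sample))
```

Checking the account name on the same path as the password keeps the XSS rule from the Administrator row enforceable wherever accounts are provisioned, not only in the GUI form.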

View Settings

Language   The language the GUI uses: English, French, Spanish, Portuguese, Japanese, Traditional Chinese,
           Simplified Chinese, or Korean.
           You should select the language that the operating system of the management computer uses.

Lines per Page   Number of lines per page to display in table lists. From 20 to 1000, default = 50.

Certificates

The FortiCache unit generates a certificate request based on the information you entered to identify the
FortiCache unit. After you generate a certificate request, you can download the request to a computer that has
management access to the FortiCache unit and then forward the request to a CA.

The certificate window also enables you to export certificates for authentication, importing, and viewing.

This section includes:

l Local certificates
l Remote certificates
l CA certificates

Local certificates
Local certificates are issued for a specific server, or website. Generally, they are very specific, and often for an
internal enterprise network.

To manage local certificates, go to System > Certificates.

The following information is available:

Delete   Select the checkbox next to a certificate entry and select Delete to remove the selected certificate
         or CSR. Select OK in the confirmation dialog box to proceed with the delete action.

Generate   Generate a CSR. See To generate a CSR: on page 57.

Import   Import a certificate. See Import a certificate on page 59.

View Certificate Details   View a certificate. See View certificate details on page 59.

Download   Select a certificate or CSR, then select Download to download that certificate or CSR to your
           management computer.

Name   The name of the certificate.

Subject   The subject of the certificate.

Comments   Comments.

Status   The status of the certificate or CSR.
         l OK: the certificate is okay.
         l NOT AVAILABLE: the certificate is not available, or the request was rejected.
         l PENDING: the certificate request is pending.

Ref.   Displays the number of times the certificate or CSR is referenced by other objects.
       To view the location of the referenced object, select the number in Ref., and the Object Usage window
       appears displaying the various locations of the referenced object.

Whether you create certificates locally or obtain them from an external certificate service, a Certificate Signing
Request (CSR) will need to be generated.

When a CSR is generated, a private and public key pair is created for the FortiCache unit. The generated request
includes the public key of the device, and information such as the unit’s public static IP address, domain name, or
email address. The device’s private key remains confidential on the unit.

After the request is submitted to a CA, the CA will verify the information and register the contact information on a
digital certificate that contains a serial number, an expiration date, and the public key of the CA. The CA will then
sign the certificate, after which you can install the certificate on the FortiCache device.

To generate a CSR:

1. From the local certificates list, select Generate.
   The Generate Signing Request page opens.

2. Enter the following information:

Certificate Name   Enter a unique name for the certificate request, such as the host name, or the serial number
                   of the device.
                   Do not include spaces in the certificate name, to ensure compatibility as a PKCS12 file.

Subject Information   Select the ID type from the drop-down list:
                      l Host IP: Select if the unit has a static IP address. Enter the device's IP address in the
                        IP Address field.
                      l Domain Name: Enter the device's domain name or FQDN in the Domain Name field.
                      l E-mail: Enter the email address of the device's administrator in the E-mail field.

Optional Information   Optional information to further identify the device.

Organization Unit   The name of the department. Up to 5 OUs can be added.

Organization   The legal name of the company or organization.

Locality (City)   The name of the city where the unit is located.

State/Province   The name of the state or province where the unit is located.

Country/Region   The country where the unit is located. Select from the drop-down list.

E-mail   The contact email address.

Subject Alternative Name   One or more alternative names, separated by commas, for which the certificate is
                           also valid.
                           An alternative name can be: email address, IP address, URI, DNS name, or a directory
                           name.
                           Each name must be preceded by its type, for example: IP:1.2.3.4, or URL:
                           http://your.url.here/.

Key Type   The key type is RSA. It cannot be changed.

Key Size   Select the key size from the drop-down list: 1024, 1536, or 2048 bits. Larger key sizes are more
           secure, but slower to generate.

Enrollment Method   Select the enrollment method:
                    l File Based: Generate the certificate request.
                    l Online SCEP: Obtain a signed, Simple Certificate Enrollment Protocol (SCEP) based
                      certificate automatically over the network. Enter CA server URL and challenge password in
                      their respective fields.

3. Select OK to generate the CSR.


Import a certificate
Signed local certificates can be imported to the FortiCache unit.

To import a certificate:

1. From the local certificates list, select Import.
   The Import Certificate page opens.
2. Select the Type from the drop-down list.
3. If the Type is Local Certificate:
   a. Select Browse... and locate the certificate file on your computer.
4. If the Type is PKCS12 Certificate:
   a. Select Browse... and locate the certificate with key file on your computer.
   b. Enter the password into the Password field.
5. If the Type is Certificate:
   a. Select Browse... and locate the certificate file on your computer.
   b. Select Browse... and locate the key file on your computer.
   c. Enter the password into the Password field.
6. Select OK to import the certificate.

View certificate details

Certificate details can be viewed by selecting a certificate, then selecting View Certificate Detail from the
toolbar.

The following information is displayed:

Certificate Name The name of the certificate.

Issuer The issuer of the certificate.

Subject The subject of the certificate.

Valid From The date from which the certificate is valid.

Valid To The last day that the certificate is valid. The certificate should be renewed
before this date.

Version The certificate’s version.

Serial Number The serial number of the certificate.

Extension The certificate extension information.

Select Close to return to the certificate list.


Remote certificates
Remote certificates are public certificates without private keys.

They can be deleted, imported, and downloaded, and their details can be viewed, in the same way as local
certificates.

CA certificates
CA certificates are similar to local certificates, except they apply to a broader range of addresses or to a whole
company. A CA certificate would be issued for an entire web domain, instead of just a single web page.

CA certificates can be deleted, downloaded, and their details can be viewed, in the same way as local
certificates.

To import a CA certificate:

1. From the CA certificate list, select Import in the toolbar.
   The Import CA Certificate screen opens.

2. To import the certificate from your local computer, select Local PC, then select Browse... and locate the file on
the computer.
3. To import from SCEP, select SCEP, enter the URL of the SCEP server that the CA certificate will be retrieved
from, and, optionally, enter identifying information about the CA.
4. Select OK to import the CA certificate.

Maintenance

The Maintenance menu provides settings for firmware management, viewing and configuring disk management,
and related features.

This section describes:

l Firmware maintenance
l Disk maintenance

Firmware maintenance
Administrators whose admin profiles permit maintenance read and write access can change the FortiCache unit’s
firmware version. Firmware images can be installed from a number of sources including a local hard disk or the
FortiGuard network. Firmware changes either upgrade to a newer version or revert to an earlier version.

You must register your unit with Fortinet Customer Support to access firmware
updates for your model. For more information, go to https://support.fortinet.com, or
contact Fortinet Customer Service & Support.

Go to System > Dashboard > Status to view the System Information widget, where you can see the current
version of the firmware that is running on the device.


Select Update to open the Firmware Management window, where you can select Upload Firmware to either
upgrade or downgrade the device’s firmware.

By installing an older firmware image, some system settings may be lost. You should
always back up your configuration before changing the firmware image.

Disk maintenance
The Disk page shows information about the storage space for different features for each hard disk, and allows
you to edit quota and storage settings.

Go to System > Config > Disk to view the disk information.

Feature The feature that will be storing information on the disk.

Storage Size The size of the storage space on the disk.

Allocated The amount of space that is allowed for storage for a feature.

Used The current amount of space that has been used to store information of a
feature.

Quota Usage The percentage of the quota that is currently being used. If there is no
quota being used, the number is 100 percent.

Edit Select to modify the current amount of space that is being used. See Disk
configuration on page 61.

Disk configuration
When possible, performance can be improved by logging to a disk that is not used for caching. A disk can be
reserved for logging by setting the quota storage setting to 0 MB.

For optimal performance, prevent the disks used for caching from reaching
100% capacity. This can be achieved by limiting the cache file size to 70% of the total
disk capacity.

Select Edit in the Logging and Archiving row to edit the quota settings for logging and archiving.

Select Storage Select a storage device from the drop-down list; either Default, or one of
the available hard disks.

Disk Logging Enter the quota, in MB, for disk logging.

DLP Archive Enter the quota, in MB, for the DLP archive.

Historic Reports Enter the quota, in MB, for historic reports.


Select Edit in the WAN Optimization & Web Cache row to change the WAN optimization storage settings. Enter
a value, in MB, to be used for WAN optimization storage, then select Apply to apply your changes.

Routing

Go to System > Network > Routing Table to configure static routes for controlling the flow of traffic through the
unit. Static routes can be added, edited, and deleted as needed.

Configure the following settings:

Create New Create a new static route. See To add a static route: on page 63.

Edit Modify settings within the static route. See To edit a static route: on page
64.

Delete Remove a static route from the list. Select the route or routes that you
would like to delete, then select Delete in the toolbar. Select OK in the
confirmation dialog box to delete the selected route or routes.

IP/Mask The destination IP addresses and network masks of packets that the
FortiCache unit intercepts.

Gateway The IP addresses of the next-hop routers to which intercepted packets are
forwarded.

Device The names of the FortiCache interfaces through which intercepted packets
are received and sent.

Comment A description of the route.

Distance The administrative distances associated with each route. The values
represent distances to next-hop routers.

Priority A number for the priority of the static route.

Right-click on a column header to adjust the column settings and to reset the columns to their default view. By
default, the Priority and Distance columns are not displayed.

To add a static route:

1. In the static routes list, select Create New from the toolbar. The New Static Route window opens.


2. Configure the following settings:

Destination IP/Netmask Enter the IP address and netmask of the new static route. To create a
default route, set the IP and netmask to 0.0.0.0/0.0.0.0.

Device Select the interface through which intercepted packets are received and
sent from the drop-down list.

Gateway Enter the gateway IP address for those packets that you intend the unit to
intercept.

Distance Enter the number that represents the distances to the next-hop routers,
from 1 to 255 (default = 10).
The administrative distance allows you to make one route preferred over
another. This is useful when one route is unreliable. For example, if route A
has an administrative distance of 10 and route B has an administrative
distance of 30, the preferred route is route A, with the smaller
administrative distance of 10. If you discover that route A is unreliable, you
can change the administrative distance for route A from 10 to 40, which will
make the route B the preferred route.

Priority Enter a number for the priority of the static route, from 0 to 4294967295.

Comment Optionally, enter a description of up to 63 characters to describe the new
route.

3. Select OK to create the new static route.
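
Route selection with the administrative distance described above, as an added Python example (not FortiCache code): the route table, gateways and the route A / route B values are constructed; the longest-netmask-first step is standard router behaviour assumed here, since the page only describes the distance comparison, and Priority is stored but not used as a tie-break.

```python
import ipaddress


def make_route(dest, gateway, device, distance=10, priority=0, comment=""):
    """Constructed static-route entry with the fields of the New Static Route window.

    dest accepts the dotted form used in the window ("0.0.0.0/0.0.0.0" for the
    default route) as well as CIDR. Distance must be 1-255 (default 10).
    """
    if not 1 <= distance <= 255:
        raise ValueError(f"distance must be 1-255, got {distance}")
    return {
        "dest": ipaddress.IPv4Network(dest, strict=False),
        "gateway": ipaddress.IPv4Address(gateway),
        "device": device,
        "distance": distance,
        "priority": priority,
        "comment": comment,
    }


def select_route(routes, dst_ip):
    """Return the route used to reach dst_ip, or None when no route contains it.

    Among the routes whose destination contains dst_ip, the most specific one
    (longest netmask) wins; among equally specific routes the lowest administrative
    distance wins. Longest-netmask-first is an assumption (standard router
    behaviour); remaining ties keep list order.
    """
    ip = ipaddress.IPv4Address(dst_ip)
    candidates = [r for r in routes if ip in r["dest"]]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r["dest"].prefixlen, r["distance"]))


def page_example():
    """The route A / route B walk-through from the Distance field description."""
    route_a = make_route("0.0.0.0/0.0.0.0", "10.0.0.1", "port1", distance=10, comment="route A")
    route_b = make_route("0.0.0.0/0.0.0.0", "10.0.0.2", "port2", distance=30, comment="route B")
    table = [route_a, route_b]
    before = select_route(table, "203.0.113.7")["comment"]  # route A, distance 10
    route_a["distance"] = 40                                  # route A found unreliable
    after = select_route(table, "203.0.113.7")["comment"]   # route B, distance 30
    return before, after


if __name__ == "__main__":
    print(page_example())  # ('route A', 'route B')
```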

To edit a static route:

1. From the static route list, either double-click the route that you would like to edit, or select the route then select
Edit from the toolbar.
2. The Edit Static Route window opens.
3. Edit the route information as required, then select OK.

Policy

The Policy menu provides options for configuring policies, proxy options, and SSL inspection options.

Policy

The policy list displays web cache policies in their order of matching precedence. Web cache policy order affects
policy matching. For details about arranging policies in the policy list, see Managing the policy list on page 67
and How list order affects policy matching on page 67.

You add web cache policies that match HTTP traffic to be cached according to source and destination addresses,
and the destination port of the traffic.

Various right-click menus are hidden throughout the policy list. The columns displayed in the policy list can be
customized, and filters can be added in a variety of ways to filter the information that is displayed. See
Managing the policy list on page 67.

To view the policy list, go to Policy & Objects > Policy > Policy.

Configure the following settings:

Create New Add a new policy. New policies are added to the bottom of the list.

Edit Edit the selected policy.

Delete Delete the selected policy.

Section/Global View Select whether to view the policies based on sections, or in a single list
(Global View).

Search Enter a search term to search the policy list.

Seq.# The policy sequence number.

Source The source address or address range that the policy matches. For more
information, see Web cache policy address formats on page 73.

Destination The destination address or address range that the policy matches. For
more information, see Web cache policy address formats on page 73.


Schedule The policy schedule. See Schedule on page 82.

Service The service affected by the policy. See Service on page 79.

Authentication

Action The action to be taken by the policy, such as ACCEPT or DENY.

AV The antivirus profile used by the policy. See Antivirus on page 91.

Comments Comments about the policy.

Count

DLP The DLP sensor used by the policy. See Data Leak Prevention on page 98.

From

ICAP The ICAP profile used by the policy. See ICAP on page 104.

ID The policy identifier. Policies are numbered in the order they are added to
the configuration.

Last Used

Log The logging level of the policy. Options vary depending on the policy type.

NAT Whether or not NAT is enabled.

Proxy Options The proxy options used by the policy. See Proxy options on page 74.

Security Profiles All the profiles used by the policy, such as: AV profile, Web Filter profile,
DLP sensor, ICAP profile, Proxy options, and SSL inspection options. See
Security Profiles on page 91.

Sessions The number of sessions.

SSL Inspection The SSL inspection options used by the policy. See SSL inspection on page
75.

Status Select to enable a policy or clear to disable a policy. A disabled policy is out
of service.

To

VPN Tunnel

Web Filter The web filter profile used by the policy. See Web Filter on page 92.


Managing the policy list


To customize the displayed columns, right-click on any column heading, then select the columns that are to be
added or removed. Select Reset All Columns to return to the default column view.

The displayed policies can be filtered by either using the search field in the toolbar, or by selecting the filter icon in
a column heading. The available filter options will vary depending on the type of data that the selected column
contains.

How list order affects policy matching


The FortiCache unit uses the first-matching technique to select which policy to apply to a communication session.

When policies have been added, each time the FortiCache unit accepts a communication session, it then
searches the policy list for a matching policy. Matching policies are determined by comparing the policy with the
session source and destination addresses, and the destination port. The search begins at the top of the policy list
and progresses in order towards the bottom. Each policy in the policy list is compared with the communication
session until a match is found. When the FortiCache unit finds the first matching policy, it applies that policy and
disregards subsequent policies.

If no policy matches, the session is accepted.

As a general rule, you should order the policy list from most specific to most general because of the order in which
policies are evaluated for a match, and because only the first matching policy is applied to a session. Subsequent
possible matches are not considered or applied. Ordering policies from most specific to most general prevents
policies that match a wide range of traffic from superseding and effectively masking policies that match
exceptions.

Configuring policies
Policies can be added, edited, copied, moved, and deleted. To help organize your policies, you can also create
sections to group policies together.

Policies can be inserted above or below existing policies, and can also be disabled if needed.

Creating a new policy


New policies can be created at the bottom of the policy list by selecting Create New in the toolbar. New policies
can be created above or below an existing policy by right-clicking a policy sequence number and selecting Insert
Policy Above or Insert Policy Below, or by copying or cutting an existing policy and then selecting Paste Before
or Paste After from the right-click menu.

To create a new address policy:

1. From the policy list, select Create New from the toolbar, or right-click on a sequence number and select Insert
Policy Above, Insert Policy Below or, if applicable, Paste Before or Paste After. The New Policy window opens.
2. Select Address in the Policy Subtype field.


3. Configure the following settings:

Incoming Interface Select the name of the network interface on which IP packets are received.
For more information, see Interfaces on page 23.
You can also create a web proxy by selecting web-proxy in Incoming
Interface. For more information, see Web proxy on page 84.
Multiple incoming interfaces can be added to a policy.
If you select any, the policy matches all interfaces as sources, and the
policy list is then displayed only in global view. Fortinet does not
recommend this option, because it can have unexpected results. It should
be used rarely, and only by a knowledgeable administrator.
When any is used as the incoming interface, the implicit security policy
includes any as well.

Source Address, Source IPv6 Address Select a source address or address group. Only packets whose
header contains an IPv4/IPv6 address matching the selected address will be subject to this policy. For more
information, see Web cache policy address formats on page 73.
You can also create addresses by selecting Create New from this list. For
more information, see Address on page 76.
Multiple addresses or address groups can be added to the policy.


Outgoing Interface Select the name of the network interface to which IP packets are
forwarded. For more information, see Interfaces on page 23.
Multiple outgoing interfaces can be added to a policy.
If you select any, the policy matches all interfaces as destination, and the
policy list is then displayed only in global view. Fortinet does not
recommend this option, because it can have unexpected results. It should
be used rarely, and only by a knowledgeable administrator.

Destination Address, Destination IPv6 Address Select a destination address or address group. Only packets
whose header contains an IPv4/IPv6 address matching the selected address will be subject to this policy. For
more information, see Web cache policy address formats on page 73.
You can also create addresses by selecting Create New from this list. For
more information, see Address on page 76.
Multiple destination addresses can be added.

Schedule Select a schedule from the drop down list. Select Create New to create a
new schedule. For more information see Schedule on page 82.

Service Select a service or service group that packets must match to trigger this
policy. Select Create New to create a new service list. See Service on page
79.
Multiple services can be added.

Action Select how you want the policy to respond when a packet matches the
conditions of the policy. The options available will vary widely depending on
this selection.
ACCEPT - Accept traffic matched by the policy.
DENY - Reject traffic matched by the policy.

Enable NAT Select to enable NAT.


This option is only available if Action is set to ACCEPT.

Logging Options If Action is set to ACCEPT, select one of the following options: No Log,
Log Security Events, or Log All Sessions.
If Action is set to DENY, enable Log Violation Traffic to log violation
traffic.

Security Profiles Select the security profiles to apply to the policy.


This option is only available if Action is set to ACCEPT.

AntiVirus Enable antivirus and select or create a new profile from the drop-down list.
See Antivirus on page 91.

Web Filter Enable web filter and select or create a new profile from the drop-down list.
See Web Filter on page 92.

DLP Sensor Enable DLP sensors and select or create a new sensor from the drop-down
list. See Data Leak Prevention on page 98.

ICAP Enable ICAP and select or create a new profile from the drop-down list. See
ICAP on page 104.


SSL Inspection Enable SSL inspection and select or create a new option from the drop-
down list. See SSL inspection on page 75.

Enable Web cache Select to enable web caching.


This option is only available if Action is set to ACCEPT.

Enable WAN Optimization Select to enable WAN Optimization for traffic accepted by the policy.
If enabled, select active or passive from the drop down list, then select or
create a new profile to use for the optimization. See WAN Optimization and
Web Caching on page 128.
This option is only available if Action is set to ACCEPT.

Comments Enter a description up to 1023 characters to describe the policy.

4. Select OK to create the new address policy.

To create a new user identity policy:

1. From the policy list, select Create New from the toolbar, or right-click on a sequence number and select Insert
Policy Above, Insert Policy Below or, if applicable, Paste Before or Paste After. The New Policy window opens.
2. Select User Identity in the Policy Subtype field.

3. Configure the following settings:


Incoming Interface Select the name of the network interface on which IP packets are received.
For more information, see Interfaces on page 23.
You can also create a web proxy by selecting web-proxy in Incoming
Interface. For more information, see Web proxy on page 84.
Multiple incoming interfaces can be added to a policy.
If you select any, the policy matches all interfaces as sources, and the
policy list is then displayed only in global view. Fortinet does not
recommend this option, because it can have unexpected results. It should
be used rarely, and only by a knowledgeable administrator.
When any is used as the incoming interface, the implicit security policy
includes any as well.

Source Address, Source IPv6 Address Select a source address or address group. Only packets whose
header contains an IPv4/IPv6 address matching the selected address will be subject to this policy. For more
information, see Web cache policy address formats on page 73.
You can also create addresses by selecting Create New from this list. For
more information, see Address on page 76.
Multiple addresses or address groups can be added to the policy.

Outgoing Interface Select the name of the network interface to which IP packets are
forwarded. For more information, see Interfaces on page 23.
Multiple outgoing interfaces can be added to a policy.
If you select any, the policy matches all interfaces as destinations, and the
policy list is then displayed only in global view. Fortinet does not
recommend this option, because it can have unexpected results. It should
be used rarely, and only by a knowledgeable administrator.

Destination Address, Destination IPv6 Address Select a destination address or address group. Only packets
whose header contains an IPv4/IPv6 address matching the selected address will be subject to this policy. For
more information, see Web cache policy address formats on page 73.
You can also create addresses by selecting Create New from this list. For
more information, see Address on page 76.
Multiple destination addresses can be added.

Service Select a service or service group that packets must match to trigger this
policy. Select Create New to create a new service list. See Service on page
79.
Multiple services can be added.

Enable Web cache Select to enable web caching.


This option is only available if Action is set to ACCEPT.

Web Proxy Forwarding Server Enable a web proxy forwarding server, then select a server from the
drop-down list. See Forwarding servers on page 86.

Explicit Proxy Authentication Options

Enable IP based Authentication Select to enable IP based authentication, then select the single sign-on
method from the Single Sign-On Method drop-down list.


Default Authentication Method Select the default authentication method from the drop-down list.

Comments Enter a description up to 1023 characters to describe the policy.

4. Select OK to create the new user identity policy.

Creating a section
Sections can be used to help organize your policy list.

To create a new section:

1. Right-click on the sequence number of a policy in the policy list and select Insert Section. The Insert Section
dialog box opens.
2. Enter a name for the section title in the Section Title field.
3. Select OK to create the section.

Editing policies
Policy information can be edited as required by either double clicking on the policy, selecting a policy then
selecting Edit from the toolbar, or by right-clicking on the sequence number of the policy and selecting Edit
from the right-click menu.

The editing window for regular policies contains the same information as when creating new policies. See
Creating a new policy on page 67.

There are only two options that can be edited for the implicit policy rule:

l enabling or disabling violation traffic logging by selecting or deselecting Log Violation Traffic
l the Action field
Policies can also be edited inline, by right and left clicking on the text or blank space within specific cells. For
example, you can right-click in the blank space in a Schedule cell to select a new schedule from the right-click
menu, but if you right or left-click on the text in the cell and then select Edit Schedule from the pop-up menu, the
Edit Recurring Schedule window opens, allowing you to edit the selected schedule, or create a new one.

Moving policies
When more than one policy has been defined, the first matching policy is applied to the traffic session. You can
arrange the policy list to influence the order in which policies are evaluated for matches with incoming traffic. See
How list order affects policy matching on page 67 for more information.

Moving a policy in the policy list does not change its ID, which only indicates the order in which the policies were
created.

To move a policy, click and drag the policy to a new location. You can also move a policy by cutting and pasting it
into a new location.

Copy and paste


Policies can be copied and pasted to create clones. Right-click on the policy sequence number then select Copy
Policy from the pop-up menu. Right-click in the sequence number cell of the policy that the new clone policy will
be placed next to and select Paste Before or Paste After to insert the new policy before or after the selected
policy.

Web cache policy address formats


A source or destination address can contain one or more network addresses. Network addresses can be
represented by an IP address with a netmask or an IP address range.

When representing hosts by an IP address with a netmask, the IP address can represent one or more hosts. For
example, a source or destination address can be:

l a single computer, for example, 192.45.46.45
l a subnetwork, for example, 192.168.1.* for a class C subnet
l 0.0.0.0, which matches any IP address.
The netmask corresponds to the subnet class of the address being added, and can be represented in either
dotted decimal or CIDR format. The FortiCache unit automatically converts CIDR-formatted netmasks to dotted
decimal format. Example formats:

l netmask for a single computer: 255.255.255.255, or /32
l netmask for a class A subnet: 255.0.0.0, or /8
l netmask for a class B subnet: 255.255.0.0, or /16
l netmask for a class C subnet: 255.255.255.0, or /24
l netmask including all IP addresses: 0.0.0.0
Valid IP address and netmask formats include:

l x.x.x.x/x.x.x.x, such as 192.168.1.0/255.255.255.0
l x.x.x.x/x, such as 192.168.1.0/24

An IP address 0.0.0.0 with netmask 255.255.255.255 is not a valid source or
destination address.

When representing hosts by an IP range, the range indicates hosts with continuous IP addresses in a subnet,
such as 192.168.1.[2-10], or 192.168.1.* to indicate the complete range of hosts on that subnet. You
can also indicate the complete range of hosts on a subnet by entering 192.168.1.[0-255] or 192.168.1.0-
192.168.1.255. Valid IP range formats include:

l x.x.x.x-x.x.x.x, for example, 192.168.110.100-192.168.110.120
l x.x.x.[x-x], for example, 192.168.110.[100-120]
l x.x.x.*, for a complete subnet, for example: 192.168.110.*
l x.x.x.[0-255] for a complete subnet, such as 192.168.110.[0-255]
l x.x.x.0-x.x.x.255 for a complete subnet, such as 192.168.110.0-192.168.110.255

You cannot use square brackets [ ] or asterisks * when adding addresses to the CLI.
Instead you must enter the start and end addresses of the subnet range separated by
a dash -. For example, 192.168.20.0-192.168.20.255 for a complete subnet and
192.168.10.10-192.168.10.100 for a range of addresses.
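
The address formats above, together with the first-match evaluation described under How list order affects policy matching, as an added Python example that is not part of FortiCache or this guide: `parse_address` accepts every GUI format listed, rejects the 0.0.0.0/255.255.255.255 case, and `to_cli_range` rewrites bracket and asterisk forms into the dashed range the CLI requires; the policy list, the `make_policy`/`evaluate` helpers and the session addresses are constructed, and matching is simplified to source, destination and destination port as the page describes.

```python
import ipaddress
import re

_OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
_IP = rf"{_OCTET}(?:\.{_OCTET}){{3}}"
_ANY = (0, 2**32 - 1)  # the bare address 0.0.0.0 stands for every IPv4 address


def _ip_int(text):
    return int(ipaddress.IPv4Address(text))


def parse_address(text):
    """Return the inclusive (first, last) host range, as integers, for one address
    written in any of the formats listed above. Raises ValueError for input the page
    calls invalid: 0.0.0.0 with netmask 255.255.255.255, bad masks, reversed ranges."""
    s = text.replace(" ", "")
    # Bare address: 0.0.0.0 matches any IP address, anything else is a single host.
    if re.fullmatch(_IP, s):
        return _ANY if s == "0.0.0.0" else (_ip_int(s), _ip_int(s))
    # x.x.x.x/x.x.x.x or x.x.x.x/x. A CIDR mask is converted to dotted decimal first,
    # as the unit does, so 0.0.0.0/32 fails for the same reason as 0.0.0.0/255.255.255.255.
    m = re.fullmatch(rf"({_IP})/({_IP}|\d{{1,2}})", s)
    if m:
        ip, mask = m.groups()
        if mask.isdigit():
            mask = str(ipaddress.IPv4Network(f"0.0.0.0/{mask}").netmask)
        if ip == "0.0.0.0" and mask == "255.255.255.255":
            raise ValueError("0.0.0.0 with netmask 255.255.255.255 is not a valid address")
        net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)  # rejects non-contiguous masks
        return int(net.network_address), int(net.broadcast_address)
    # x.x.x.x-x.x.x.x, the only range form the CLI accepts.
    m = re.fullmatch(rf"({_IP})-({_IP})", s)
    if m:
        lo, hi = (_ip_int(a) for a in m.groups())
    else:
        # x.x.x.[a-b] and x.x.x.*: GUI shorthand for a range inside one class C subnet.
        m = re.fullmatch(rf"({_OCTET}(?:\.{_OCTET}){{2}})\.(?:\[({_OCTET})-({_OCTET})\]|(\*))", s)
        if not m:
            raise ValueError(f"unrecognised address format: {text!r}")
        prefix, a, b, star = m.groups()
        base = _ip_int(prefix + ".0")
        lo, hi = (base, base + 255) if star else (base + int(a), base + int(b))
    if lo > hi:
        raise ValueError(f"range start is after range end: {text!r}")
    return lo, hi


def is_valid_address(text):
    try:
        parse_address(text)
        return True
    except ValueError:
        return False


def to_cli_range(text):
    """Rewrite any accepted GUI format as the start-end form the CLI requires."""
    lo, hi = parse_address(text)
    return f"{ipaddress.IPv4Address(lo)}-{ipaddress.IPv4Address(hi)}"


def make_policy(name, src, dst, ports, action):
    """Constructed stand-in for a web cache policy (hypothetical helper, not a product API)."""
    return {"name": name, "src": parse_address(src), "dst": parse_address(dst),
            "ports": frozenset(ports), "action": action}


def first_match(policies, src_ip, dst_ip, dst_port):
    """Walk the list top to bottom and return the first policy whose source,
    destination and destination port all match; None when nothing matches."""
    s, d = _ip_int(src_ip), _ip_int(dst_ip)
    for p in policies:
        if (p["src"][0] <= s <= p["src"][1] and p["dst"][0] <= d <= p["dst"][1]
                and dst_port in p["ports"]):
            return p
    return None


def evaluate(policies, src_ip, dst_ip, dst_port):
    """Action applied to a session; a session that matches no policy is accepted."""
    p = first_match(policies, src_ip, dst_ip, dst_port)
    return p["action"] if p else "ACCEPT"


# Constructed sample list, ordered most specific to most general as the page recommends.
WELL_ORDERED = [
    make_policy("deny-lab-hosts", "192.168.1.[2-10]", "0.0.0.0", {80, 443}, "DENY"),
    make_policy("cache-lan", "192.168.1.*", "0.0.0.0", {80, 443}, "ACCEPT"),
]
# The same two policies reversed: the broad rule now masks the exception.
BADLY_ORDERED = list(reversed(WELL_ORDERED))

if __name__ == "__main__":
    for text in ("192.168.1.0/24", "192.168.110.[100-120]", "192.168.1.*", "0.0.0.0"):
        print(f"{text:24} -> {to_cli_range(text)}")
    for label, plist in (("well ordered", WELL_ORDERED), ("badly ordered", BADLY_ORDERED)):
        print(label, "192.168.1.5 -> 203.0.113.10:80 =", evaluate(plist, "192.168.1.5", "203.0.113.10", 80))
```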


Proxy options

The Proxy Options menu allows you to configure settings for specific proxies, which can then be applied to
policies.

Protocol options are configured in Policy & Objects > Policy > Proxy Options.

Configure the following settings:

Proxy Select a proxy option to edit from the drop-down list.

Create New Select to open the New Proxy Options window, where you can create a
new proxy option.

Clone Clone the current proxy option.

View List View the proxy list. The proxy options list lists all the proxy options. From the list, you can
create new options, edit or delete existing options, and view the number of
times the proxy option is referenced by other objects.

Name The name of the proxy option.

Comments A description given to the option. This is an optional setting.

Protocol Port Mapping Enable a protocol, then enter the inspection port or ports.

Common Options 

Comfort Clients Select to enable. Configure the following:

l Interval (1-900 seconds) – enter the interval time in seconds.
l Amount (1-10240 bytes) – enter the amount in bytes.


Block Oversized File/Email Select to Pass or Block oversized files or emails, and configure the size
threshold:

l Threshold – enter the threshold amount for an oversized email message or file in MB.

Web Options

Enable Chunked Bypass Select to enable the chunked bypass setting.

SSL inspection

To configure deep inspection options, go to Policy & Objects > Policy > SSL Inspection. SSL inspection options
can be used in policies.

Select a deep inspection option from the drop-down list in the toolbar, edit the settings as required or create new
options, then select Apply to apply your changes.

Create New Select to open the New Deep Inspection Options window, where you can
create a new deep inspection option.

Clone Select to clone the current deep inspection option.

View List Select to view a list of the deep inspection options.


The SSL inspection options list lists all the SSL inspection options. From
the list, you can create new options and edit or delete existing options.

Name The name of the deep inspection option.

Comments A description given to the option. This is an optional setting.

SSL Inspection Options SSL inspection options.

CA Certificate Select a CA certificate from the drop-down list.

Inspection Port(s) Select to enable, and then customize the inspection ports as needed.

Common Options Common options.

Allow Invalid SSL Certificates Select to allow invalid SSL certificates.

Firewall Objects

The firewall objects menu provides options for configuring addresses, services, schedules, and web proxy
settings.

This chapter contains the following sections:

l Address
l Service
l Schedule
l Web proxy

Address

Web cache addresses and address groups define network addresses that you use when configuring source and
destination addresses for security policies. The FortiCache unit compares the IP addresses contained in packet
headers with security policy source and destination addresses to determine if the security policy matches the
traffic. Addresses can be IPv4 addresses and address ranges, IPv6 addresses, and fully qualified domain names
(FQDNs).

Be careful if employing FQDN web cache addresses. Using a fully qualified domain
name in a security policy, while convenient, does present some security risks because
policy matching then relies on a trusted DNS server. If the DNS server should ever be
compromised, security policies requiring domain name resolution may no longer
function properly.

Addresses
Web cache addresses in the address list are grouped by type: IP/Netmask, FQDN, or IPv6. A FortiCache unit’s
default configuration includes the all address, which represents any IPv4 address on any network. You can also
add a firewall address when configuring a security policy.

To view the address list, go to Policy & Objects > Objects > Addresses.

Configure the following settings:

Create New > Address Add a new address.

Edit Address Edit the selected address.

Delete Remove the selected address or addresses. This icon appears only if a
policy or address group is not currently using the address.

Name The name of the address.


Address The IP address and mask, IP address range, or FQDN of the address.

Interface The interface to which the address is bound.

Type The type of address: Subnet, IP Range, FQDN.

Comments Optional description of the address.

Ref. Displays the number of times the address is referenced to other objects.
To view the location of the referenced address, select the number in Ref.
The Object Usage window appears displaying the various locations of the
referenced object.

Show in Address List

Tags

To create a new address:

1. Go to Policy & Objects > Objects > Addresses and select Create New > Address. The New Address window
opens.
2. Configure the following settings:

Name Enter a name for the address. Addresses must have unique names.

Type Select the type of address: Subnet, IP Range, or FQDN. You can enter
either an IP range or an IP address with subnet mask.

Subnet / IP Range Enter the IP address, followed by a forward slash (/), then subnet mask, or
enter an IP address range separated by a hyphen. See Web cache policy
address formats on page 73.

FQDN Enter the FQDN. This option is only available when Type is FQDN.

Interface Select the interface to which you want to bind the IP address. Select Any if
you want to bind the IP address with the interface when you create a policy.

Comments Optionally, enter a description of the address.

3. Select OK to create the new address.

To edit an address:

1. Select the address you would like to edit then select Edit from the toolbar, or double-click on the address in the
address table. The Edit Address window opens.
2. Edit the address information as required and select OK to apply your changes.

To delete an address or addresses:

1. Select the address or addresses that you would like to delete.
2. Select Delete from the toolbar.


3. Select OK in the confirmation dialog box to delete the selected address or addresses.

Address groups
You can organize multiple addresses into an address group to simplify your policy list. For example, instead of
having five identical policies for five different but related addresses, you might combine the five addresses into a
single address group, which is used by a single policy. To view the address group list, go to Policy & Objects >
Objects > Addresses.

Create New > Address Group Add an address group.

Edit Select to edit the address group.

Delete Select to remove the address group. This icon appears only if the address
group is not currently being used by a policy.

Group Name The name of the address group.

Members The addresses in the address group.

Comments Optional description of the address group.

Ref. Displays the number of times the address group is referenced to other
objects.
To view the location of the referenced address group, select the number in
Ref. The Object Usage window appears displaying the various locations of
the referenced object.

Show in Address List Whether or not the group is shown in the address list.

Tags

To create a new address group:

1. Select Create New > Address Group. The New Address Group window opens.
2. Configure the following information:

Group Name Enter a name to identify the address group. Addresses, address groups,
and virtual IPs must have unique names.

Comments Optionally, enter a description of the address group.

Show in Address List Select to show the address group in the address list.

Members Select the addresses to add to the address group.

3. Select OK to create the new address group.


To edit an address group:

1. Select the group you would like to edit, then select Edit from the toolbar, or double-click on the address group. The
Edit Address Group window opens.
2. Edit the address group information as required and select OK to apply your changes.

To delete an address group or groups:

1. Select the address group or groups that you would like to delete.
2. Select Delete from the toolbar.
3. Select OK in the confirmation dialog box to delete the selected address group or groups.

Service

Web cache services define one or more protocols and port numbers associated with each service. Web cache
policies use service definitions to match session types. You can organize related services into service groups to
simplify your policy list.

Services
If you need to create a web cache policy for a service that is not in the predefined service list, you can add a
custom service. Custom services are configured in Policy & Objects > Objects > Services.

The following options are available:

Create New Create a new custom service or category. See To create a new service: on
page 80 and Adding a service category on page 81.

Edit Edit the selected service.

Delete Remove the selected custom service. This icon appears only if a service is
not currently being used in a web cache policy.

Category Settings Edit the order in which the categories are displayed in the list when viewing
the list by category.

By Category View the list organized by categories.

Alphabetically View the list organized alphabetically.

Service Name The name of the custom service.

Ports The port numbers for each service.

IP/FQDN The IP address or FQDN of the service.

Show in Service List Whether or not the service is shown in the service list.


Comments Optional description of the service.

Protocol The protocol type for the service.

Ref. Displays the number of times the service is referenced to other objects.
To view the location of the referenced service, select the number in Ref.;
the Object Usage window appears displaying the various locations of the
referenced object.

Type The type of service.

To create a new service:

1. Go to Policy & Objects > Objects > Services and select Create New > Service. The New Service window
opens.

2. Configure the following settings:

Name Enter a name for the custom service.

Comments Optionally, enter a description of the service.

Service Type Select the service type: Firewall or Explicit Proxy.

Show in Service List Select to show the service in the service list.

Category Select the category for the service: Uncategorized, General, or Web
Proxy.

Protocol Type Select the type of protocol for the service.
If Service Type is Firewall, select one of: TCP/UDP/SCTP, ICMP,
ICMP6, or IP.
If Service Type is Explicit Proxy, select one of: ALL, CONNECT, FTP,
HTTP, or SOCKS.

IP/FQDN Enter the IP address or FQDN for the service.
This option is only available if Protocol Type is set to TCP/UDP/SCTP,
ALL, CONNECT, FTP, HTTP, or SOCKS.


Protocol Select the protocol from the drop-down list that you are configuring settings
for: TCP, UDP, or SCTP. Then, enter the low and high destination and
source ports in the requisite fields.
Up to 16 protocols can be added.
When Service Type is Explicit Proxy, the protocol is TCP.
This option is only available if Protocol Type is set to TCP/UDP/SCTP,
ALL, CONNECT, FTP, HTTP, or SOCKS.

Type Enter the ICMP type number for the ICMP protocol configuration.
This option is only available if Protocol Type is set to ICMP, or ICMP6.

Code Enter the ICMP code number for the ICMP protocol configuration.
This option is only available if Protocol Type is set to ICMP, or ICMP6.

Protocol Number Enter the protocol number for the IP protocol configuration.
This option is only available if Protocol Type is set to IP.

3. Select OK to create the new service.

To edit a service:

1. Select the service you would like to edit then select Edit in the toolbar, or double-click on the service in the table.
The Edit Service window opens.
2. Edit the service as required, then select OK to apply your changes.

To delete a service or services:

1. Select the service or services that you would like to delete.
2. Select Delete from the toolbar.
3. Select OK in the confirmation dialog box to delete the selected service or services.

Adding a service category


1. From Policy & Objects > Objects > Services, select Create New > Category. The New Service Category
window opens.
2. Enter a name for the new category in the Name field.
3. Optionally, enter a description of the category in the Comments field.
4. Select OK to create the new service category.

Services groups
You can organize multiple services into a service group to simplify your policy list. For example, instead of having
five identical policies for five different but related services, you can combine the five services into a single service
group that is used by a single policy.

Service groups cannot contain other service groups.

Configure a service group using the following CLI command:


config firewall service group
    edit <name>
        set member         --Address group member.
        set explicit-proxy --Enable/disable explicit web proxy service group.
        set comment        --Comment.
        set color          --GUI icon color.
    next
end

Schedule

When you add security policies on a FortiCache unit, those policies are always on, policing the traffic through the
device. Schedules control when policies are in effect.

Schedule
The schedule list lists all the schedules. Recurring and one-time schedules can be created, edited, and deleted as
needed.

You can create a recurring schedule that activates a policy during a specified period of time. If a recurring
schedule has a stop time that is earlier than the start time, the schedule will take effect at the start time but end
at the stop time on the next day. You can use this technique to create recurring schedules that run from one day
to the next. To create a recurring schedule that runs for 24 hours, set both the start and stop times to 00:00.

You can create one-time schedules which are schedules that are in effect only once for the period of time
specified in the schedule.
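The two recurring-schedule edge cases above (a stop time earlier than the start time rolling over into the next day, and start equal to stop meaning a full 24 hours) are easy to get wrong in a policy review. The following is an added example, not FortiCache code, that evaluates a schedule against a wall-clock time the way the guide describes it. The sample schedules are constructed, and the reading that a Monday 22:00 to 02:00 schedule covers Tuesday 00:00 to 02:00 is an interpretation of the guide's wording rather than a verified product behaviour.

```javascript
// Added example (not FortiCache code): is a recurring or one-time schedule in
// effect at a given moment? Times are local wall-clock times.

const DAY_NAMES = ["sunday", "monday", "tuesday", "wednesday", "thursday", "friday", "saturday"];

// "HH:MM" -> minutes since midnight, rejecting anything that is not a time of day
function toMinutes(hhmm) {
  const m = /^(\d{1,2}):(\d{2})$/.exec(hhmm);
  if (!m) throw new Error(`invalid time: ${hhmm}`);
  const hours = Number(m[1]);
  const minutes = Number(m[2]);
  if (hours > 23 || minutes > 59) throw new Error(`invalid time: ${hhmm}`);
  return hours * 60 + minutes;
}

// schedule: { days: ["monday", ...], start: "HH:MM", stop: "HH:MM" }
// at: a Date. The window is taken as [start, stop), so a 09:00-17:00 schedule
// is no longer active at exactly 17:00.
function recurringScheduleActive(schedule, at) {
  const start = toMinutes(schedule.start);
  const stop = toMinutes(schedule.stop);
  const now = at.getHours() * 60 + at.getMinutes();
  const days = new Set(schedule.days.map((d) => d.toLowerCase()));
  const today = DAY_NAMES[at.getDay()];
  const yesterday = DAY_NAMES[(at.getDay() + 6) % 7];

  if (start === stop) {
    // Start equal to stop: active for the full 24 hours of each selected day.
    return days.has(today);
  }
  if (start < stop) {
    // Ordinary same-day window.
    return days.has(today) && now >= start && now < stop;
  }
  // Stop earlier than start: the window opens at start on a selected day and
  // closes at stop on the following day. Before stop, the day that matters is
  // the one on which the window opened (yesterday). Assumption: this is how
  // the guide's "end at the stop time on the next day" is read here.
  return (days.has(today) && now >= start) || (days.has(yesterday) && now < stop);
}

// One-time schedule: a single [start, stop) interval; stop must be later than start.
function oneTimeScheduleActive(schedule, at) {
  if (!(schedule.stop > schedule.start)) {
    throw new Error("stop time must be later than start time");
  }
  return at >= schedule.start && at < schedule.stop;
}

// Constructed sample schedules
const NIGHT_WINDOW = { days: ["monday"], start: "22:00", stop: "02:00" };      // runs past midnight
const ALL_DAY_TUESDAY = { days: ["tuesday"], start: "00:00", stop: "00:00" };   // 24 hours
const OFFICE_HOURS = {
  days: ["monday", "tuesday", "wednesday", "thursday", "friday"],
  start: "09:00",
  stop: "17:00",
};
```

When auditing a policy, evaluate the schedule at the boundary minutes (the start minute, the stop minute, and one minute after midnight for a wrapped schedule) rather than at a convenient midday time; those are the points where a misread schedule leaves traffic unpoliced.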

To manage schedules, go to Policy & Objects > Objects > Schedules.

Create New Create a new recurring or one-time schedule. See To create a new
recurring schedule: and To create a new one-time schedule:.

Edit Edit the selected schedule.

Delete Remove the selected schedule. This icon is only available if the selected
schedule is not currently being used in a policy.

Name The name of the schedule.

Type The type of schedule, either Recurring or One-Time.

Start The time of day that the schedule is configured to start.

End The time of day that the schedule is configured to end.

Ref. Displays the number of times the schedule is referenced to other objects.
To view the location of the referenced schedule, select the number in Ref.;
the Object Usage window appears displaying the various locations of the
referenced object.


To create a new recurring schedule:

1. Go to Policy & Objects > Objects > Schedules and select Create New > Schedule. The New Schedule window
opens.
2. Configure the following settings:

Name Enter the name of the recurring schedule.

Type Set to Recurring.

Day of the Week Select the days of the week when the schedule will be run.

Start Time Select the start time for the schedule.

Stop Time Select the stop time for the schedule. If the stop time is set earlier than the
start time, the stop time will be during the next day. If the start time is
equal to the stop time, the schedule will run for 24 hours.

3. Select OK to create the recurring schedule.

To create a new one-time schedule:

1. Go to Policy & Objects > Objects > Schedules and select Create New > Schedule. The New Schedule window
opens.
2. Configure the following settings:

Name Enter the name of the one-time schedule.

Type Set to One-time.

Start Select the year, month, day, hour, and minute that the schedule will start.

Stop Select the year, month, day, hour, and minute that the schedule will stop.
The stop time must be later than the start time.

Generate event log... Select to generate an event log prior to the schedule expiring.
Enter the number of days prior to the expiry that the event log will be
generated, from 1 to 100.

3. Select OK to create the one-time schedule.

To edit a schedule:

1. Select the schedule you would like to edit, then select Edit from the toolbar, or double-click on the schedule in the
table. The Edit Recurring Schedule or Edit One-time Schedule window opens.
2. Edit the information as required, then select OK to apply your changes.

To delete schedules:

1. Select the schedule or schedules that you would like to delete.


2. Select Delete from the toolbar.
3. Select OK in the confirmation dialog box to delete the selected schedule or schedules.


Schedule groups
You can organize multiple schedules into a schedule group to simplify your security policy list. For example,
instead of having five identical policies for five different but related schedules, you might combine the five
schedules into a single schedule group that is used by a single security policy.

Schedule groups can contain both recurring and one-time schedules. Schedule groups cannot contain other
schedule groups.

To configure schedule groups go to Policy & Objects > Objects > Schedules.

To create a new schedule group:

1. Go to Policy & Objects > Objects > Schedules and select Create New > Schedule Group. The New Schedule
Group window opens.
2. Configure the following settings:

Group Name Enter the name of the schedule group.

Available Schedules Select the schedules that you would like to have included in the group by
double-clicking on the schedule name, or selecting the name then selecting
the down arrow icon.

Members The schedules that are currently in the group.

3. Select OK to create the schedule group.

To edit a schedule group:

1. Select the schedule group you would like to edit, then select Edit from the toolbar, or double-click on the schedule
group in the table. The Edit Schedule Group window opens.
2. Edit the information as required, then select OK to apply your changes.

To delete schedule groups:

1. Select the group or groups that you would like to delete.


2. Select Delete from the toolbar.
3. Select OK in the confirmation dialog box to delete the selected group or groups.

Web proxy

Explicit web proxies, web proxy forwarding servers, and global explicit web proxies can be configured in the Web
Proxy section of the Firewall Objects menu.

Explicit web proxies


Use the explicit web proxy to enable explicit HTTP proxying on one or more Fortinet interfaces. IPv6 is supported.

To configure the explicit web proxies, go to Policy & Objects > Objects > Explicit.


Configure the following settings:

Create New Create a new explicit web proxy.

Edit Modify the settings of an explicit web proxy.

Delete Remove a proxy from the list.

Status The status of the explicit web proxy.

Name The name of the explicit web proxy.

Interface The interface to which the proxy applies.

Ref. Displays the number of times the proxy is referenced to other objects.
To view the location of the referenced proxy, select the number in Ref.; the
Object Usage window appears displaying the various locations of the
referenced object.

To create a new explicit web proxy:

1. Go to Policy & Objects > Objects > Explicit and select Create New. The New Web Proxy Explicit window
opens.

2. Configure the following settings:

Name Enter the name of the explicit web proxy.

Interface Select the interface that is monitored by the explicit web proxy from
the drop-down list.

Enable FTP over HTTP Select to enable FTP over HTTP for the explicit web proxy.

HTTP Port Enter the HTTP port number that client web browsers use to connect to
the explicit proxy for this protocol. Explicit proxy users must configure
their web browser's proxy settings for the protocol to use this port
(default = 8080).

HTTPS Port Enter the HTTPS port number that client web browsers use to connect to
the explicit proxy for this protocol. Explicit proxy users must configure
their web browser's proxy settings for the protocol to use this port.
Enter 0 to use the HTTP port.


PAC Port Enter the Proxy Auto-Config (PAC) port number that client web browsers
use to connect to the explicit proxy for this protocol. Explicit proxy users
must configure their web browser's proxy settings for the protocol to use
this port.
Enter 0 to use the HTTP port.

Realm The authentication realm to identify the explicit web proxy. The realm is a
text string of up to 63 characters. If the realm includes spaces, the name
must be enclosed in quotation marks.
When a user authenticates with the explicit proxy, the HTTP authentication
dialog includes the realm, so it can be used to identify the explicit web
proxy for your users.

Enable SOCKS proxy Select to enable the SOCKS proxy protocol.
The SOCKS proxy protocol is an optional protocol that routes packets
between a client and a server through a proxy.
SOCKS is supported by many major web browsers.
The SOCKS proxy protocol does not support authentication.

Unknown HTTP version Select the action to take when the proxy must handle a request or
message from an unknown HTTP version.

• Best Effort: Attempt to handle the HTTP traffic as well as possible.
• Reject: Treat the traffic as malformed and drop it. This option is more
secure and is the default setting.

3. Select OK to create the explicit web proxy.

To edit an explicit web proxy:

1. Select the explicit web proxy you would like to edit, then select Edit from the toolbar, or double-click on the
proxy in the table. The Edit Web Proxy Explicit window opens.
2. Edit the information as required, then select OK to apply your changes.

To delete explicit web proxies:

1. Select the explicit web proxy or proxies that you would like to delete.
2. Select Delete from the toolbar.
3. Select OK in the confirmation dialog box to delete the selected proxy or proxies.

Forwarding servers
By default, the FortiCache unit monitors a web proxy forwarding server by forwarding a connection to the remote
server every 10 seconds. If the remote server does not respond, it is assumed to be down. Checking continues,
and when the server responds again it is assumed to be back up. If health checking is enabled, the FortiCache
unit will attempt to get a response from a web server by connecting through the remote forwarding server every
10 seconds.

You can enable health checking for each remote server, and specify a different website to check for each one.


If the remote server is found to be down, you can configure the FortiCache unit to either block sessions until the
server comes back up, or allow sessions to connect to their destination using the original server. You cannot
configure the FortiCache unit to fail over to another remote forwarding server.

To configure the server down action and enable health monitoring, go to Policy & Objects > Objects > Forward
Server.
Configure the following settings:

Create New Create a new forwarding server.

Edit Edit a forwarding server.

Delete Remove a forwarding server setting from the list.

Server Name The name of the forwarding server.

Address The IP address of the forwarding server.

Port The port number of the forwarding server.

Health Check Indicates whether the health check is disabled or enabled for that
forwarding server. A green checkmark indicates that health check is
enabled; a gray x indicates that health check is disabled.

Server Down The action that the FortiCache unit will take when the server is down.

Ref. Displays the number of times the forwarding server is referenced to other
objects.
To view the location of the referenced forwarding server, select the number
in Ref.; the Object Usage window appears displaying the various locations
of the referenced object.

Use the following CLI command to enable health checking for a web proxy forwarding server and set the server
down option to use the original server if it is down.
config web-proxy forward-server
    edit fwd-srv
        set healthcheck enable
        set monitor http://example.com
        set server-down-option pass
    next
end

To create a new forwarding server:

1. Go to Policy & Objects > Objects > Forward Server and select Create New. The Add Forwarding Server window
opens.


2. Configure the following settings:

Server Name Enter the name of the forwarding server.

Proxy Address Type Select the type of IP address of the forwarding server, either IP or FQDN.

Proxy Address Enter the IP address or FQDN of the forwarding server.

Port Enter the port number.

Server Down Action Select what action the FortiCache unit will take if the forwarding server is
down, either Block or Use Original Server.

Enable Health Monitor Select to enable health check monitoring.

Health Check Monitor Site Enter the URL address of the health check monitoring site.

3. Select OK to create the forwarding server.

To edit a forwarding server:

1. Select the server you would like to edit, then select Edit from the toolbar, or double-click on the server in
the table. The Edit Forwarding Server window opens.
2. Edit the information as required, then select OK to apply your changes.

To delete forwarding servers:

1. Select the server or servers that you would like to delete.


2. Select Delete from the toolbar.
3. Select OK in the confirmation dialog box to delete the selected server or servers.

Global explicit proxies


Use the global explicit web proxy settings to change the configuration of explicit web proxies.

Go to Policy & Objects > Objects > Web Proxy Global to change the global explicit web proxy settings.


Configure the following settings:

Proxy FQDN The FQDN for the global proxy server. This is the domain name to enter
into browsers to access the proxy server.

Max HTTP request length The maximum length of an HTTP request that can be cached, in Kb. Larger
requests will be rejected (default = 4Kb).

Max HTTP message length The maximum length of an HTTP message that can be cached, in Kb.
Larger messages will be rejected (default = 32Kb).

Add Client IP Header to Forwarded Requests Include the client IP header from the original HTTP request that is
forwarded to the internal network.

Add VIA Header to Forwarded Requests Include the Via header from the original HTTP request that is forwarded to
the internal network.

Add X-Forwarded-For Header to Forwarded Requests Include the X-Forwarded-For (XFF) HTTP header. The XFF HTTP header
identifies the originating IP address of a web client or browser that is
connecting through an HTTP proxy, and the remote addresses it has
passed through to that point.

Add Front-End-Https Header to Forwarded Requests Include the front-end HTTP header from the original HTTPS request.

Enable Strict Web Check Close the connection if errors are found in the HTTP header. For example,
the connection would be closed if a single line header becomes a multiple
line header, or if a request header shows up in a response.

Enable Forward Proxy Authentication Include proxy-authentication information in packets sent to the HTTP proxy
behind the FortiCache explicit proxy.
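To make the global options above concrete, here is an added example, not FortiCache code, of what they amount to when a request head is checked and rewritten for forwarding: the maximum request length and the strict web check decide whether the request is accepted at all, and the Via, X-Forwarded-For and Front-End-Https options decide which hop-by-hop headers are appended. The proxy FQDN, the sample request and the short list of response-only header names are constructed for this example, and the Kb default is interpreted here as 4 x 1024 bytes.

```javascript
// Added example (not FortiCache code): applying the global explicit proxy
// options to an HTTP/1.1 request head. Sample values are constructed.

// Headers that belong in a response; seeing one in a request is the kind of
// error the strict web check closes the connection on. Illustrative list.
const RESPONSE_ONLY_HEADERS = new Set(["set-cookie", "www-authenticate", "retry-after"]);

const DEFAULT_PROXY_OPTIONS = {
  proxyFqdn: "proxy.example.com", // assumed value for "Proxy FQDN"
  maxHttpRequestLengthKb: 4,      // guide default, read here as 4 x 1024 bytes
  strictWebCheck: true,
  addViaHeader: true,
  addXForwardedFor: true,
  addFrontEndHttps: true,
};

// Parse a CRLF-delimited request head. Returns { requestLine, headers } or
// { error } when the request must be rejected.
function parseRequestHead(raw, opts) {
  if (raw.length > opts.maxHttpRequestLengthKb * 1024) {
    return { error: "request too large" };
  }
  const lines = raw.split("\r\n");
  const headers = [];
  for (let i = 1; i < lines.length; i++) {
    const line = lines[i];
    if (line === "") break; // blank line ends the head
    if (/^[ \t]/.test(line)) {
      // A continuation line turns a single-line header into a multi-line one.
      // Strict mode rejects it; otherwise it is unfolded onto the previous header.
      if (opts.strictWebCheck || headers.length === 0) return { error: "folded header" };
      headers[headers.length - 1].value += " " + line.trim();
      continue;
    }
    const colon = line.indexOf(":");
    if (colon === -1) return { error: "malformed header line" };
    const name = line.slice(0, colon).trim();
    const value = line.slice(colon + 1).trim();
    if (opts.strictWebCheck && RESPONSE_ONLY_HEADERS.has(name.toLowerCase())) {
      return { error: `response header in request: ${name}` };
    }
    headers.push({ name, value });
  }
  return { requestLine: lines[0], headers };
}

function findHeader(headers, name) {
  return headers.find((h) => h.name.toLowerCase() === name.toLowerCase());
}

// Build the header list the proxy forwards. clientIp is the peer address the
// proxy itself observed. An X-Forwarded-For sent by the client is kept as-is
// and the observed address is appended, so only the last entry is one this
// proxy vouches for; earlier entries are client-controlled.
function forwardedHeaders(parsed, clientIp, clientUsedHttps, opts) {
  const out = parsed.headers.map((h) => ({ name: h.name, value: h.value }));
  if (opts.addXForwardedFor) {
    const xff = findHeader(out, "X-Forwarded-For");
    if (xff) xff.value += ", " + clientIp;
    else out.push({ name: "X-Forwarded-For", value: clientIp });
  }
  if (opts.addViaHeader) {
    const hop = "1.1 " + opts.proxyFqdn;
    const via = findHeader(out, "Via");
    if (via) via.value += ", " + hop;
    else out.push({ name: "Via", value: hop });
  }
  if (opts.addFrontEndHttps && clientUsedHttps && !findHeader(out, "Front-End-Https")) {
    out.push({ name: "Front-End-Https", value: "on" });
  }
  return out;
}

// Constructed sample request: the client already carries an X-Forwarded-For
const SAMPLE_REQUEST =
  "GET /index.html HTTP/1.1\r\n" +
  "Host: www.example.org\r\n" +
  "X-Forwarded-For: 192.0.2.7\r\n" +
  "\r\n";
```

The point a server operator should take from the X-Forwarded-For handling is that the header is a list, and only the entry appended by a proxy you control can be trusted; anything before it arrived from the client and is as easy to forge as any other request header.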

Proxy auto-config configuration


A PAC file defines how a web browser can select a proxy server for receiving HTTP content. PAC files include the
FindProxyForURL(url, host) JavaScript function that returns a string with one or more access method
specifications. These specifications cause the web browser to either use a particular proxy server, or to connect
directly to retrieve the content.

The FortiCache can be configured to serve a PAC file to define the proxy network and how it should be used by
the client. The browser must be configured appropriately to point at the FortiCache device to retrieve the PAC
file, for example:
http://<FortiCache IP>:8080/proxy.pac

Web proxy auto-discovery protocol


The Web Proxy Auto-Discovery Protocol (WPAD) is a method for a browser to automatically discover the proxy
configuration file, without any browser configuration, using settings in DNS or DHCP. For more information about
this method, refer to the following Internet Engineering Task Force (IETF) draft:


http://tools.ietf.org/html/draft-ietf-wrec-wpad-01

When using DNS, the most widely supported resolution method, an entry is made in the local authoritative zone
to map the name wpad (such as wpad.example.com) to one or more IP addresses. The browser is configured to
automatically look in the following locations to find the WPAD configuration, which is in effect a PAC file, as
described in Proxy auto-config configuration on page 89:

http://wpad.department.branch.example.com/wpad.dat

http://wpad.branch.example.com/wpad.dat

http://wpad.example.com/wpad.dat
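The following is an added example that serves both passages above: a PAC file built around the FindProxyForURL(url, host) function the guide refers to, followed by a helper that lists the WPAD locations a browser tries in the order shown. It is not the file FortiCache serves. The proxy name forticache.example.com:8080, the internal zone internal.example.com and the 10.0.0.0/8 range are assumptions. Browsers provide isPlainHostName, dnsDomainIs, isInNet and shExpMatch as built-ins; minimal stand-ins are defined here so the file also runs under Node.js for testing, and they would be left out of a real PAC file.

```javascript
// Added example (not FortiCache code): a PAC file plus the WPAD lookup order.
// The stand-in helpers below emulate the browser built-ins of the same name.

function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.slice(-domain.length) === domain;
}

function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => acc * 256 + Number(octet), 0);
}

// Stand-in: only accepts dotted-quad literals. The browser built-in would
// also resolve host names; this offline version deliberately does not.
function isInNet(ip, net, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) return false;
  const m = ipToInt(mask);
  return ((ipToInt(ip) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}

// Stand-in for the shell-style glob matcher (* and ? wildcards).
function shExpMatch(str, pattern) {
  const re =
    "^" +
    pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".") +
    "$";
  return new RegExp(re).test(str);
}

function FindProxyForURL(url, host) {
  // Unqualified names and the internal zone never leave the network.
  if (isPlainHostName(host) || dnsDomainIs(host, ".internal.example.com")) {
    return "DIRECT";
  }
  // Literal private addresses go direct as well.
  if (isInNet(host, "10.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  // Only the protocols the explicit proxy handles are sent to the cache.
  if (shExpMatch(url, "http:*") || shExpMatch(url, "https:*") || shExpMatch(url, "ftp:*")) {
    return "PROXY forticache.example.com:8080";
  }
  return "DIRECT";
}

// WPAD: from the client's DNS domain, list the wpad.dat URLs in the order the
// guide shows (most specific first). The loop stops before the domain shrinks
// to a single label, so a host in example.com never asks for wpad.com. Fixing
// that boundary at two labels is an assumption made for this example.
function wpadCandidates(clientDomain) {
  const labels = clientDomain.toLowerCase().replace(/\.$/, "").split(".").filter(Boolean);
  const urls = [];
  for (let i = 0; labels.length - i >= 2; i++) {
    urls.push(`http://wpad.${labels.slice(i).join(".")}/wpad.dat`);
  }
  return urls;
}
```

Two design choices are worth noting. The proxy result is returned without a trailing "; DIRECT": adding that fallback lets browsers bypass the cache whenever the proxy is unreachable, which is convenient but means the proxy's filtering only applies while it is up. And the WPAD walk stops at the organisation's own domain; a browser that kept stripping labels would end up asking an external wpad host for its proxy configuration, which is why the lookup order matters for security as well as convenience.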

To configure the FortiCache unit to issue a wpad.dat file, use the following CLI commands:
config web-proxy explicit
    edit "web-proxy"
        set ftp-over-http enable
        set interface "port1"
        set pac-file-name "wpad.dat"
        set pac-file-server-port 80
        set pac-file-server-status enable
        set pac-file-data "<Put your PAC file content here, escaping quotes with \>"
    next
end

If you are configuring the wpad file on port 80, you will receive an error, as the GUI is
also configured on port 80 (even when not in use). To avoid this error, first move the
GUI to a different port with the following commands:
config system global
    set admin-port 81
end

Security Profiles

The Security Profiles menu provides access to antivirus, web filter, and ICAP profiles, as well as DLP sensors
and filters, and ICAP server settings.

This chapter includes the following sections:

• Antivirus
• Web Filter
• Data Leak Prevention
• ICAP
• Content Analysis

Antivirus

A profile is specific configuration information that defines how the traffic within a policy is examined and what
action may be taken based on the examination. Multiple antivirus profiles can be created for different antivirus
scanning requirements. These profiles can then be applied to firewall policies.

To manage antivirus profiles, go to Security Profiles > Antivirus > View List.

To enable antivirus scanning:

1. Go to Policy & Objects > Policy > Policy and either add or select the security policy that accepts the traffic to be
virus scanned. See Configuring policies on page 67.
2. In the New Policy or Edit Policy window, under Security Profiles, select AntiVirus, then select an antivirus profile
from the drop-down list.
3. Select OK to save the policy.

To create a new antivirus profile:

1. Go to Security Profiles > AntiVirus > View List and select Create New. The New AntiVirus Profile Server
window opens.

2. Configure the following settings:

Name Enter the name of the antivirus profile.


Comments Optionally, enter a description of the profile.

Protocol The protocols for which virus scan and removal can be enabled.

Virus Scan and Removal Select to enable virus scan and removal for the required protocols.

3. Select OK to create the antivirus profile.

To edit an antivirus profile:

1. Select the profile you would like to edit, then select Edit from the toolbar, or double-click on the profile in
the table. The Edit AntiVirus Server window opens.
2. Edit the information as required, then select OK to apply your changes.

To delete antivirus profiles:

1. Select the profile or profiles that you would like to delete.


2. Select Delete from the toolbar.
3. Select OK in the confirmation dialog box to delete the selected profile or profiles.

Web Filter

This section describes how to configure web filters for HTTP traffic, and URL filters to allow or block caching of
specific URLs.

The web filter profiles menu allows you to configure a web filter profile to apply to a policy. A profile is specific
information that defines how the traffic within a policy is examined and what action may be taken based on the
examination.

To configure web filter profiles, go to Security Profiles > Web Filter > View List. The Edit Web Filter Profile
page is displayed.


Configure the following settings, then select Apply to apply any changes:

Profile Select a profile to edit from the drop-down list.

Create New Creates a new web filter profile.

Clone Clone the current web filter profile.

View List View the web filter profile list. See Profile list on page 96.

Name The name of the web filter profile.

Comments Optional description of the profile.

FortiGuard Categories Select to enable Fortiguard categories. If the device is not licensed for the
FortiGuard web filtering service, traffic may be blocked by enabling this
option.

Show In the category list, right-click on a specific category, then select the action
to take from the pop-up menu: Allow, Block, Monitor, Warning, or
Authenticate.


Quota Quotas can be configured on categories set to the Monitor, Warning, or
Authenticate actions.
1. Expand the quota list, then select Create New in the table to open the
New/Edit Quota window.
2. Select categories from the list.
3. Select the length of the quota.
4. Select OK to create the new quota.
Quotas can also be edited and deleted as required.

Enable Safe Search Select to enable safe search.

Search Engine When enabled, the supported search engines exclude offensive material
from search results.
Supported search engines include: Google, Yahoo!, Bing, and Yandex.

YouTube Education Filter Select to enable the YouTube education filter, then enter the filter in the text
field.

Enable Web Site Filter Select to enable web site filters. See Web site filters on page 97.

Web Resume Download Block Enable to prevent a download from resuming after it has been interrupted.
With this filter enabled, any attempt to restart an aborted download will
download the file from the beginning rather than resuming from where it
left off. This prevents the unintentional download of viruses hidden in
fragmented files.
Some types of files, such as PDF, fragment files to increase download
speed. Enabling this option can cause download interruptions and may also
break certain applications that use the Range Header in the HTTP protocol,
such as YUM, a Linux update manager.

Provide Details for Blocked HTTP 4xx and 5xx Errors Enable to have the unit display its own replacement message for 400
and 500-series HTTP errors. If the server error is allowed through,
malicious or objectionable sites can use these common error pages to
circumvent web filtering.

Block Invalid URLs Enable to block web sites when their SSL certificate CN field does not
contain a valid domain name.

Rate Images by URL (Blocked images will be replaced with blanks) Enable to have the unit retrieve ratings for individual images in addition to
web sites. Images in a blocked category are not displayed even if they are
part of a site in an allowed category.
Blocked images are replaced on the originating web pages with blank
place-holders. Rated image file types include GIF, JPEG, PNG, BMP, and
TIFF.


HTTP POST Action Select the action to take with HTTP POST traffic. HTTP POST is the
command used by your browser when you send information, such as a
filled out form or a file you are uploading, to a web server.
The available actions include:
• Comfort: Use client comforting to slowly send data to the web server as
the FortiCache unit scans the file. This option prevents a server time-out
when scanning or other filtering is enabled for outgoing traffic.
The client comforting settings used are those defined in the protocol
options profile selected in the security policy.
• Block: Block the HTTP POST command. This will limit users from
sending information and files to web sites.
When the post request is blocked, the unit sends the http-post-block
replacement message to the web browser attempting to use the
command.

Web Content Filter Enable to block access to web pages that include the words included in the
selected web content filter list.

Remove Java Applet Filter Enable to filter java applets from web traffic. Web sites using java applets
may not function properly when this filter is enabled.

Allow Websites When a Rating Error Occurs Enable to allow access to web pages that return a rating error from the web
filter service.
If your unit is temporarily unable to contact the FortiGuard service, this
setting determines what access the unit allows until contact is re-
established. If enabled, users will have full unfiltered access to all web
sites. If disabled, users will not be allowed access to any web sites.

Remove ActiveX Filter Enable to filter ActiveX scripts from web traffic. Web sites using ActiveX
may not function properly when this filter is enabled.

Rate URLs by Domain and IP Address Enable to have the unit request site ratings by URL and IP address
separately, providing additional security against attempts to bypass the
FortiGuard Web Filter.
FortiGuard Web Filter ratings for IP addresses are not updated as quickly
as ratings for URLs. This can sometimes cause the unit to allow access to
sites that should be blocked, or to block sites that should be allowed.

Remove Cookie Filter Enable to filter cookies from web traffic. Web sites using cookies may not
function properly when this filter is enabled.

Block HTTP Redirects by Rating Enable to block HTTP redirects.
Many web sites use HTTP redirects legitimately, but, in some cases,
redirects may be designed specifically to circumvent web filtering, as the
initial web page could have a different rating than the destination web page
of the redirect.

Log all search keywords Enable to log all search keywords.


Allow Blocked Override Enable to allow blocked override. This will allow the specified user, group,
or IP address to access web sites blocked by web filtering profiles for a
specified length of time.

Apply to Groups Select the user group or groups to which the override will apply. See User
on page 109.

Assign to Profile Select the web filter profile or profiles to which the override will apply.

Scope Select the scope of the override: User, User Group, or IP.

Duration Mode Select the duration mode: Constant or Ask.

Duration If Duration Mode is set to Constant, enter the duration of the override in
Days (from 0 to 364), Hours (0 to 23), and Minutes (0 to 59).

Profile list
The web filter profile list can be viewed by selecting View List in the Edit Web Filter Profile page toolbar.

Create New Create a new web filter profile.

Edit Modify the web filter profile.

Delete Remove the web filter profile.

Name The name of the web filter profile.

Comments An optional description of the web filter profile.

Ref. Displays the number of times the profile is referenced to other objects.
To view the location of the referenced profile, select the number in Ref.;
the Object Usage window appears displaying the various locations of the
referenced object.

Managing web filter profiles


Web filter profiles can be added, edited, cloned, and deleted as required.

To create a new web filter profile:

1. From either the Edit Web Filter Profile page or the web filter profile list, select Create New.
2. Enter the required information, then select OK to create the new web filter profile.


To edit a web filter profile:

1. From the Edit Web Filter Profile page, select the profile you need to edit from the profile drop-down list.
From the profile list, either select the profile you would like to edit then select Edit from the toolbar, or
double-click on the profile name in the list.

The Edit Web Filter Profile window opens.

2. Edit the information as required, then select Apply to apply your changes.

To clone a web filter profile:

1. From the Edit Web Filter Profile page, select the profile you need to clone from the profile drop-down list.
2. Select Clone from the toolbar.
3. Enter a name for the profile in the dialog box, then select OK. The profile list opens, with the clone added.
4. Edit the clone as required.

To delete a profile or profiles:

1. From the profile list, select the profile or profiles that you would like to delete.
2. Select Delete from the toolbar.
3. Select OK in the confirmation dialog box to delete the selected profile or profiles.

Web site filters


You can allow or block access to specific web sites by adding them to the URL filter list. You add the web sites by
using patterns containing text and regular expressions. The unit allows or blocks web pages matching any
specified URLs or patterns and displays a replacement message instead.

Web site blocking does not block access to other services that users can access with a
web browser. For example, web site blocking does not block access to
ftp://ftp.example.com. Instead, use firewall policies to deny ftp connections.

When adding a URL to the web site filter list, follow these rules:

l Type a top-level URL or IP address to control access to all pages on a web site. For example, www.example.com or
192.168.144.155 controls access to all pages at this web site.
l Enter a top-level URL followed by the path and file name to control access to a single page on a web site. For
example, www.example.com/monkey.html or 192.168.144.155/monkey.html controls access to the monkey page
on this web site.
l To control access to all pages with a URL that ends with example.com, add example.com to the filter list. For
example, adding example.com controls access to www.example.com, mail.example.com,
www.finance.example.com, and so on.
l Control access to all URLs that match patterns using text and regular expressions (or wildcard characters). For
example, example.* matches example.com, example.org, example.net and so on.

URLs with an action set to exempt or pass are not scanned for viruses. If users on the
network download files through the unit from a trusted web site, add the URL of this
web site to the URL filter list with an action to pass it so the unit does not virus scan
files downloaded from this URL.


To create a new web site filter:

1. In either the New Web Filter Profile or Edit Web Filter Profile page, select Enable Web Site Filter.
2. In the filter table, select Create New to add a new row to the table.
3. Enter the URL to filter in the URL column. Enter a top-level domain suffix (for example, “com” without the leading
period) to block access to all web sites with this suffix.
4. Select the type from the drop-down list in the Type column. One of: Simple, Reg. Expression, or Wildcard.
5. Select the action to take from the drop-down list in the Action column. One of:
l Exempt: Allow trusted traffic to bypass the antivirus proxy operations.
l Block: Block access to any URLs matching the URL pattern and display a replacement message.
See Replacement Messages on page 38.
l Allow: Allow access to any URL that matches the URL pattern.
l Monitor: Monitor traffic to and from URLs matching the URL pattern.
6. Select the status of the filter from the drop-down list in the Status column, either Enable or Disable, to enable or
disable the filter.
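The matching rules and the Simple, Reg. Expression and Wildcard types described above, modelled in Python as an added example (not code from the guide or from FortiCache). The normalization of URLs to host plus path, the first-match ordering of the table, and substring semantics for wildcards are assumptions of this example, and the filter entries are constructed.

```python
"""Added example: a model of the web site filter rules described above."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Filter types and actions, named as in the filter table.
SIMPLE, REGEX, WILDCARD = "Simple", "Reg. Expression", "Wildcard"
EXEMPT, BLOCK, ALLOW, MONITOR = "Exempt", "Block", "Allow", "Monitor"
NOT_WEB = "Not web traffic"   # e.g. ftp://, which web site filtering does not cover


@dataclass
class UrlFilter:
    pattern: str
    ftype: str
    action: str
    enabled: bool = True   # the Status column


def normalize(url: str) -> str:
    """Reduce a URL or pattern to lower-case host plus path, without scheme, port or
    trailing slash, so that patterns and requests compare alike (assumed rule)."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower() + parts.path.rstrip("/")


def simple_match(pattern: str, target: str) -> bool:
    """Simple type: a host matches all of its pages, host/path matches one page, and a
    bare suffix such as example.com or com matches every host ending in it."""
    pattern = normalize(pattern)
    if target == pattern or target.startswith(pattern + "/"):
        return True
    if "/" in pattern:            # a page pattern only matches that page
        return False
    host = target.partition("/")[0]
    # Match on whole labels so that ample.com does not match example.com.
    return host == pattern or host.endswith("." + pattern)


def wildcard_match(pattern: str, target: str) -> bool:
    """Wildcard type: * stands for any text; the pattern may occur anywhere in the
    target (substring semantics are an assumption of this example)."""
    rx = ".*".join(re.escape(part) for part in pattern.lower().split("*"))
    return re.search(rx, target) is not None


def regex_match(pattern: str, target: str) -> bool:
    """Reg. Expression type: a PCRE-style expression searched over host plus path."""
    return re.search(pattern, target) is not None


MATCHERS = {SIMPLE: simple_match, WILDCARD: wildcard_match, REGEX: regex_match}


def evaluate(filters, url: str, default: str = ALLOW) -> str:
    """Return the action of the first enabled filter that matches the URL (assumed
    first-match order, as rows appear in the table), else the default action."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    if parts.scheme not in ("http", "https"):
        return NOT_WEB            # use a firewall policy for ftp:// and similar
    target = normalize(url)
    for f in filters:
        if f.enabled and MATCHERS[f.ftype](f.pattern, target):
            return f.action
    return default


def virus_scan_required(action: str) -> bool:
    """URLs whose action is Exempt bypass the antivirus proxy; everything else is scanned."""
    return action != EXEMPT


# Constructed filter list; order matters because the first match wins.
FILTERS = [
    UrlFilter("www.example.com/monkey.html", SIMPLE, BLOCK),   # one page
    UrlFilter(r"\.torrent$", REGEX, BLOCK),                    # any .torrent download
    UrlFilter("trusted.example.net", SIMPLE, EXEMPT),          # trusted site, not AV-scanned
    UrlFilter("example.*", WILDCARD, MONITOR),                 # example.com, example.org, ...
    UrlFilter("com", SIMPLE, BLOCK, enabled=False),            # whole TLD, currently disabled
]
```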

To edit a web site filter:

1. In either the New Web Filter Profile or Edit Web Filter Profile page, select Enable Web Site Filter.
2. In the filter table, double-click on a filter, or select the filter then select Edit in the toolbar.
3. Edit the filter settings as required.

To delete a filter or filters:

1. In either the New Web Filter Profile or Edit Web Filter Profile page, select Enable Web Site Filter.
2. In the filter table, select the filter or filters that need to be deleted, then select Delete in the toolbar.
3. Select OK in the confirmation dialog box to delete the selected filter or filters.

Data Leak Prevention

The DLP system allows you to prevent sensitive data from leaving your network. Once sensitive data patterns are
defined, data matching the patterns will either be blocked, or logged then allowed.

The DLP system is configured by creating filters based on various attributes and expressions within DLP sensors,
then assigning the sensors to security policies.

DLP can also be used to prevent unwanted data from entering your network, and to archive content passing
through the FortiCache device.

DLP sensors
A DLP sensor is a package of filters. To use DLP, a DLP sensor must be selected and enabled in a security policy.
The traffic controlled by the security policy will be searched for the patterns defined in the filters contained in the
DLP sensor. Matching traffic will be passed or blocked according to the filters.

To configure DLP sensors, go to Security Profiles > Data Leak Prevention.


Create New Create a new sensor.

Edit Edit the selected sensor.

Delete Delete the selected sensor or sensors.

Name The name of the sensor.

Comments Optional description of the sensor.

# Filters The number of filters used by the sensor.

Ref. Displays the number of times the sensor is referenced to other objects.
To view the location of the referenced sensor, select the number in Ref.;
the Object Usage window appears displaying the various locations of the
referenced object.

To create a new DLP sensor:

1. Go to Security Profiles > Data Leak Prevention and select Create New from the toolbar. The New Sensor
window opens.
2. Enter a name for the new sensor in the Name field and, optionally, enter a description of the sensor in the
Comment field.
3. Add filters to the sensor. See To create a new sensor filter: on page 100.
4. Select OK to create the new sensor.

To edit a DLP sensor:

1. Select the sensor you would like to edit then select Edit from the toolbar, or double-click on the sensor group in the
table. The Edit Sensor window opens.
2. Edit the sensor name and comments as required.
3. Edit, create new, or delete sensor filters as required. See Sensor filters on page 99.
4. Select OK to apply your changes.

To delete a sensor or sensors:

1. From the sensor list, select the sensor or sensors that you would like to delete, then select Delete from the
toolbar.
2. Select OK in the confirmation dialog box to delete the selected sensor or sensors.

To clone a sensor:

1. From the sensor list, right-click a sensor and select Clone.
2. Enter a name for the sensor in the dialog box, then select OK. The sensor list opens, with the clone added.
3. Edit the clone as required.

Sensor filters
Each DLP sensor must have one or more filters configured within it. Filters can examine traffic for:


l Known files using DLP fingerprints
l Files of a particular name or type
l Files larger than a specified size
l Data matching a specified regular expression
l Traffic matching an advanced or compound rule.

To create a new sensor filter:

1. From the New Sensor or Edit Sensor window, select Create New in the filter table toolbar. The New Filter
window opens.

2. Configure the following information:

Filter Select Messages or Files to filter for specific messages or based on file
attributes, respectively.

Containing Select, then select Credit Card # or SSN from the drop-down list.

File Size Select, then enter the maximum file size allowed, in kb.
This option is only available when filtering files.

File Type included in Select, then select a file filter from the drop-down list. See File filter on
page 102.
This option is only available when filtering files.

Watermark Sensitivity If you are using watermarking on your files you can use this filter to check
for watermarks that correspond to sensitivity categories that you have
set up. See Watermarking on page 102.
The Corporate Identifier ensures that you are only blocking watermarks
that your company has placed on files, not watermarks with the same
name from other companies.
This option is only available when filtering files.

Regular Expression Network traffic is examined for the pattern described by the regular
expression. See Regular expressions on page 102.

Encrypted Select to cause encrypted files to trigger the filter.
This option is only available when filtering files.


Examine the Following Services Select the services whose traffic the filter will examine. This allows
resources to be optimized by only examining relevant traffic.
The available services are: HTTP-POST, HTTP-GET, SMTP, POP3,
IMAP, MAPI, FTP, and NNTP.

Action Select an action to take if the filter is triggered from the drop-down list.

None No action is taken when the filter is triggered.

Log Only When the filter is triggered, the match is logged, but no other action is
taken.

Block Traffic matching the filter is blocked and replaced with a replacement
message. See Replacement Messages on page 38.

Quarantine User If the user has been authenticated: block all traffic to and from the user
using the protocol that triggered the rule, and add the user to banned user
list (see User Quarantine on page 126).
If the user has not been authenticated: block all traffic to and from the user
using the protocol that triggered the rule from the user’s IP address.
The banned user will receive an appropriate replacement message,
depending on the service being used, until the quarantine time expires.
Enter the amount of time that the user will be quarantined for
(>= 1 minute).

Quarantine IP Address Block access for any IP address that sends traffic matching the filter. The
IP address is added to the banned user list (see ), and an appropriate
replacement message is sent for all connection attempts until the
quarantine time expires.
Enter the amount of time that the IP address will be quarantined for (>= 1
minute).

Quarantine Interface Block access to all users connecting to the interface that received the traffic
matching the filter. The interface is added to the banned user list (see ),
and an appropriate replacement message is sent for all connection
attempts until the quarantine time expires.
Enter the amount of time that the interface will be quarantined for
(>= 1 minute).

Archive Select Enable to enable archiving.

3. Select OK to create the new filter.

To edit a sensor filter:

1. From the New Sensor or Edit Sensor window, either double-click on a filter, or select a filter then select Edit in
the filter table toolbar. The Edit Filter window opens.
2. Edit the filter as required and select OK to apply your changes.

To delete sensor filters:

1. From the New Sensor or Edit Sensor window, select the filter or filters that you would like to delete, then select
Delete from the filter table toolbar.


2. Select OK in the confirmation dialog box to delete the selected filter or filters.

Regular expressions
Network traffic is examined for the pattern described by the regular expression specified in the DLP sensor filters.
Fortinet uses a variation of the Perl Compatible Regular Expressions (PCRE) library. For some examples of Perl
expressions, see Appendix A - Perl Regular Expressions on page 155. For more information about using Perl
regular expressions, go to http://perldoc.perl.org/perlretut.html.

By adding multiple filters containing regular expressions to a sensor, a dictionary can be developed within the
sensor. The filters can include expressions that accommodate complex variations of words or target phrases.
Within the sensor each expression can be assigned a different action, allowing for a very granular
implementation.
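An added example (not Fortinet's code) of such a dictionary in Python: each filter is a regular expression with its own action and service scope, and one message is checked against all of them. The most-severe-action-wins rule, the action ranking, and the Luhn check on the credit card filter are assumptions of this example; the filters and sample messages are constructed.

```python
"""Added example: a DLP sensor as a dictionary of regular-expression filters."""
import re
from dataclasses import dataclass, field
from typing import Callable, Optional

# Services a filter can examine (as listed for Examine the Following Services) and the
# filter actions ranked from least to most severe (the ranking is assumed here).
SERVICES = {"HTTP-POST", "HTTP-GET", "SMTP", "POP3", "IMAP", "MAPI", "FTP", "NNTP"}
ACTION_RANK = ["None", "Log Only", "Block", "Quarantine User",
               "Quarantine IP Address", "Quarantine Interface"]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum over a digit string; not mentioned on the page, added here to keep
    random 16-digit numbers such as order IDs from triggering the credit card filter."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0


@dataclass
class DlpFilter:
    name: str
    pattern: str                    # PCRE-style regular expression
    action: str                     # one of ACTION_RANK
    services: set = field(default_factory=lambda: set(SERVICES))
    validate: Optional[Callable[[str], bool]] = None   # extra check on the matched text

    def matches(self, service: str, payload: str) -> bool:
        if service not in self.services:
            return False            # traffic outside the selected services is not examined
        for m in re.finditer(self.pattern, payload, re.IGNORECASE):
            if self.validate is None or self.validate(m.group(0)):
                return True
        return False


def evaluate(sensor, service: str, payload: str):
    """Run every filter of the sensor over one message; return the most severe action
    among the matching filters and the names of those filters (assumed behaviour)."""
    hits = [f for f in sensor if f.matches(service, payload)]
    if not hits:
        return "None", []
    action = max((f.action for f in hits), key=ACTION_RANK.index)
    return action, [f.name for f in hits]


# Constructed sensor: each expression carries its own action and service scope.
SENSOR = [
    DlpFilter("ssn", r"\b\d{3}-\d{2}-\d{4}\b", "Block"),
    DlpFilter("credit-card", r"\b(?:\d[ -]?){15}\d\b", "Quarantine User",
              validate=lambda s: luhn_ok(re.sub(r"[ -]", "", s))),
    # One expression covering variations such as Project Falcon, project_falcon, ProjectFalcon
    DlpFilter("codename", r"\bproject[\s_-]*falcon\b", "Log Only",
              services={"SMTP", "HTTP-POST"}),
]
```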

Watermarking
Watermarking means marking files with a digital pattern to designate them as proprietary to a specific company.

Fortinet’s watermarking tool is built into FortiExplorer. It can add watermarks to single files as well as entire
directories. The tool adds a small (~178B) pattern to a file that is recognized by the DLP watermark filter
configured on your device.

The DLP system only works with Fortinet’s watermarking tool. For more information, see the FortiExplorer User
Guide, available from the Fortinet Document Library.

File filter
File filters allow you to block files based on their file names and types.

When a file filter list is applied to a DLP sensor filter, the network traffic is examined against the list entries, and,
if the sensor filter is triggered, the predefined action is taken by the DLP sensor filter.

The general steps for configuring file filters are as follows:

1. Create a DLP sensor.
2. Edit the sensor to filter either messages or specific file types.
3. Select the DLP sensor in a security policy.

To edit a file filter:

1. From the Edit DLP Sensor window, either double-click on a filter in the file filter table, or select a filter then select
Edit Filter in the table toolbar. The Edit Filter window opens.
2. Edit the filter settings as required, then select OK to apply your changes.

To delete a file filter or filters:

1. From the Edit File Filter Table window, select the file filter or filters that you need to delete.
2. Select Delete from the toolbar.
3. Select OK in the confirmation dialog box to delete the selected file filter or filters.

File type filter

In this example, the file filter checks for specific file types.


1. Go to Security Profiles > Data Leak Prevention and edit the desired sensor.
2. Select Create New from the file filters table.
3. In the New Filter window, select the Files filter type.
4. Select to Specify File Types and select the file types to filter.
5. Configure the remaining options as desired.


File types

l Archive (arj)
l Archive (bzip)
l Archive (bzip2)
l Archive (cab)
l Archive (gzip)
l Archive (lzh)
l Archive (rar)
l Archive (tar)
l Archive (zip)
l Audio (avi)
l Audio (mp3)
l Audio (wav)
l Audio (wma)
l BMP Image (bmp)
l Batch File (bat)
l Common Console Document (msc)
l Encoded Data (base64)
l Encoded Data (binhex)
l Encoded Data (mime)
l Encoded Data (uue)
l Executable (elf)
l Executable (exe)
l GIF Image (gif)
l HTML Application (hta)
l HTML File (html)
l Ignored Filetype (ignored)
l JPEG Image (jpeg)
l Java Application Descriptor (jad)
l Java Class File (class)
l Java Compiled Bytecode (cod)
l JavaScript File (javascript)
l Microsoft Office (msoffice)
l PDF (pdf)
l PNG Image (png)
l Packer (aspack)
l Packer (fsg)
l Packer (petite)
l Packer (upx)
l PalmOS Application (prc)
l Real Media Streaming (rm)
l Symbian Installer System File (sis)
l TIFF Image (tiff)
l Torrent (torrent)
l Unknown Filetype (unknown)
l Video (mov)
l Video (mpeg)
l Windows Help File (hlp)
l activemime (activemime)

ICAP

ICAP is supported in this release. ICAP (the Internet Content Adaptation Protocol) is a lightweight
request/response protocol that allows the FortiCache unit to offload HTTP and HTTPS traffic to external servers
for different kinds of processing.

You can offload HTTP responses or HTTP requests (or both) to the same or different ICAP servers.

ICAP does not appear by default in the GUI. You must enable it in System > Admin >
Settings to display ICAP in the GUI. See Settings on page 54.

Profile
The ICAP menu allows you to view and configure ICAP profiles and ICAP servers which can then be applied to a
policy.

If you enable ICAP in a security policy, HTTP traffic intercepted by the policy is transferred to the ICAP servers in
the ICAP profile added to the policy. The FortiCache unit acts as the surrogate, or middle-man, and carries the
ICAP responses from the ICAP server to the ICAP client. The ICAP client then responds back, and the FortiCache
unit determines the action that should be taken with these ICAP responses and requests.

ICAP profiles are configured under Security Profiles > Advanced > ICAP Servers.

Create New Create a new ICAP profile.

Edit Edit an ICAP profile.

Delete Delete a profile or profiles.

Name The name of the ICAP profile.

Request Processing If request processing is enabled, a green circle with a check mark is shown.
If disabled, a gray circle with an x is shown.

Response Processing If response processing is enabled, a green circle with a check mark is
shown. If disabled, a gray circle with an x is shown.

Bypass Streaming Media If media streaming is bypassed, a green circle with a check mark is shown.
If it is not bypassed, a gray circle with an x is shown.

Ref. Displays the number of times the profile is referenced to other objects.
To view the location of the referenced profile, select the number in Ref.;
the Object Usage window appears displaying the various locations of the
referenced object.

To create a new ICAP profile:

1. In the ICAP profile list, select Create New from the toolbar. The New ICAP Profile page opens.

2. Configure the following settings:

Name Specify a name for the ICAP profile.


Enable Request Processing Select to enable request processing.

Select a server from the drop down menu, specify the path on the server to
the processing component, and then select the behavior on failure, either
Error or Bypass.

Enable Response Processing Select to enable response processing.
Select a server from the drop-down menu, specify the path on the server to
the processing component, and then select the behavior on failure, either
Error or Bypass.

Enable Streaming Media Bypass Select to allow streaming media to bypass offloading to the ICAP server.

3. Select Apply to create the new profile.
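As an added example (not the guide's or Fortinet's code), the Python below shows the request processing exchange: the ICAP REQMOD message a proxy sends to the server at the configured path, formatted per RFC 3507 (which the guide does not cite), and the mapping of the server's answer, or a failed connection, onto the Error or Bypass behavior on failure. The address 192.0.2.10, the path reqmod, and the result labels are placeholders.

```python
"""Added example: the ICAP messages behind request processing and the failure policy."""
import socket


def build_reqmod(server: str, port: int, path: str, http_request: bytes) -> bytes:
    """Build the ICAP REQMOD request a proxy sends when request processing is enabled.
    Only the client's HTTP request headers are encapsulated here (no body), so the
    Encapsulated header declares req-hdr at offset 0 and a null-body after it."""
    head = (
        f"REQMOD icap://{server}:{port}/{path.lstrip('/')} ICAP/1.0\r\n"
        f"Host: {server}\r\n"
        f"Encapsulated: req-hdr=0, null-body={len(http_request)}\r\n"
        "\r\n"
    ).encode("ascii")
    return head + http_request


def parse_icap_response(raw: bytes):
    """Return (status_code, headers) from the head of an ICAP response."""
    head = raw.partition(b"\r\n\r\n")[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    version, code, *_ = lines[0].split(" ", 2)
    if version != "ICAP/1.0":
        raise ValueError("not an ICAP/1.0 response")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(code), headers


def decide(icap_result, on_failure: str) -> str:
    """Map the ICAP outcome to what happens to the HTTP transaction.
    icap_result is an ICAP status code, or an exception if the server could not be
    reached; on_failure is the profile setting Error (fail closed) or Bypass (fail open)."""
    if isinstance(icap_result, int):
        if icap_result == 204:      # 204 No Content: server wants the message unmodified
            return "serve-unmodified"
        if icap_result == 200:      # 200 OK: server returned an adapted message to use
            return "serve-adapted"
    # Unreachable server or any other ICAP status counts as an offload failure.
    return "serve-unmodified" if on_failure == "Bypass" else "error-page"


def offload(server: str, port: int, path: str, http_request: bytes,
            on_failure: str, timeout: float = 5.0) -> str:
    """Send a REQMOD to an ICAP server and apply the profile's failure behavior."""
    try:
        with socket.create_connection((server, port), timeout=timeout) as sock:
            sock.sendall(build_reqmod(server, port, path, http_request))
            code, _ = parse_icap_response(sock.recv(65536))
            return decide(code, on_failure)
    except (OSError, ValueError) as err:
        return decide(err, on_failure)
```

With Bypass, an unreachable or failing ICAP server lets traffic through unscanned, so the choice between Error and Bypass decides whether the offload fails closed or open.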

To edit an ICAP profile:

1. Select the profile you would like to edit then select Edit from the toolbar, or double-click on the profile. The Edit
ICAP Profile window opens.
2. Edit the profile information as required and select Apply to apply your changes.

To delete an ICAP profile or profiles:

1. Select the profile or profiles that you would like to delete.
2. Select Delete from the toolbar.
3. Select OK in the confirmation dialog box to delete the selected profile or profiles.

Server
To view the ICAP server list, go to Security Profiles > Advanced > ICAP Servers.

To create a new ICAP server:

1. In the ICAP Server list, select Create New from the drop-down. The New ICAP Server window opens.

2. Configure the following settings:

Name Enter a name for the ICAP server.

IP Address Enter the ICAP server IP address.

Port Enter the TCP port number used by the ICAP server, from 1 to 65535
(default = 1344).

3. Select OK to create the new ICAP server.


To edit an ICAP server:

1. Select the server you would like to edit then select Edit from the toolbar, or double-click on the server. The Edit
ICAP Server window opens.
2. Edit the ICAP server information as required and select OK to apply your changes.

To delete an ICAP server or servers:

1. Select the ICAP server or servers that you would like to delete.
2. Select Delete from the toolbar.
3. Select OK in the confirmation dialog box to delete the selected server or servers.

Content Analysis

Content Analysis is a licensed feature that allows you to detect adult content in real-time. This service is a real
time analysis of the content passing through the FortiCache. Unlike other image analysis tools, this one does not
just look for skin tone colors but can detect limbs, body parts, and the position of bodies. Once detected, such
content can be optionally blocked or reported.

In general, the procedure is similar to the HTTP AV scanning procedure.

When a client sends an HTTP request for an image, the HTTP Content-Type header determines the image type. Then the
WAD process holds the image content from the server for scanning prior to sending it to the client.

If the scan results are larger than the configurable threshold, the requested image will be blocked and the client
will receive a replacement image. This replacement image will keep the same image type and size if you enable
the option to re-size images. The FortiCache will store the results to improve performance for future requests.

The default settings provide a good balance, but they will never be 100% accurate and may require some adjustment.

Profile
In order to use Content Analysis you need to set up at least one profile and apply it to a policy. Content Analysis
profiles are configured under Security Profiles > Content Analysis.

When you select Create New or Edit, the following attributes can be configured:

Name Enter a name for this profile.


Image Score Threshold Enter a value between 0 and 9999.
The higher the image score, the more chance of the image being explicit. The challenge
with this is that if you set it too high, it will block legitimate images. If you set it too low it will
allow explicit images through. If the image score is above the Image Score Threshold
setting, the Rating Error Action is taken (see below).
The default value is 600.

Image Skip Size Enter a value between 0 and 2048.

This value represents the size of image that will be skipped by the image scan unit, in
kilobytes. Images that are too small are difficult to scan and are more likely to be rated
incorrectly by the image scan engine.

Image Rating Sensitivity This value determines the strictness of the Image Score Threshold. The higher the
sensitivity, the more strict it will be on the threshold. Make it too strict and you end up
blocking legitimate images.
The default, balanced value is 75.

Rating Error Action Set to either Pass or Block the image when it exceeds the rating threshold.

Replace Image Action If you choose to display a replacement image (see below), you can set the Replace Image
Action value to re-size the replacement image to match the original (re-size), or leave the
replacement image at its default size (no re-size).

Replace Image Choose whether or not to display a replacement image.

Validating content analysis

You can use the following debug commands to validate the service licensing and image cache:

get system fortiguard - Display licensing information.
diag test app wad 143 - Display image cache.
diag test app wad 144 - Clear image cache.

Displaying and clearing the image cache require a license, otherwise these commands will not be available.

User Authentication

The User menu allows you to configure authentication settings and user accounts. Users can also be monitored,
and user groups and remote servers can be configured.

The following topics are included in this section:

l User
l Authentication
l Monitor

User

A user is a user account that consists of a user name, password and, in some cases, other information that can be
configured on the unit or on an external authentication server. Users can access resources that require
authentication only if they are members of an allowed user group.

User definition
A local user is a user configured on a unit. The user can be authenticated with a password stored on the unit or
with a password stored on an authentication server. The user name must match a user account stored on the unit
and the user name and password must match a user account stored on the authentication server associated with
the user.

New users can be created using the User Creation Wizard.

To configure users, go to User > User > User Definition.

Create New Run the new user wizard and create a new user.

Edit User Edit a user.

Delete Delete a user or users.

Search Enter a search term to search the user list.

User Name The name of the user.

Type The type of user, such as Local or LDAP.

Ref. Displays the number of times the user is referenced to other objects.
To view the location of the referenced user, select the number in Ref.; the
Object Usage window appears displaying the various locations of the
referenced object.


To edit a user:

1. Select the user you would like to edit then select Edit from the toolbar, or double-click on the user in the table. The
Edit User window opens.
2. Edit the user information as required, or select Disable to disable the user.
3. Select OK to apply your changes.

To delete a user or users:

1. Select the user or users that you would like to delete. You cannot delete a user that is currently in a group.
2. Select Delete from the toolbar.
3. Select OK in the confirmation dialog box to delete the selected user or users.

New user wizard

The New User Wizard is used to create new user accounts. From the user list, select Create New to start the
wizard.

To create a new local user:

1. In the Choose User Type page of the User Creation Wizard, select Local User, then select Next. The Specify
Login Credentials page opens.
2. Enter a name for the user in the User Name field, and enter a password in the Password field.
3. Select Next to proceed to the Provide Contact Info page.
4. Enter an email address for the user in the Email Address field, then select next to proceed to the Provide Extra
Info page.
5. Select Enable to enable the new user.
6. To place the user into a group, select User Group, then select a group from the drop-down menu. For information
on user groups, see User on page 109.
7. Select Done to create the new local user and return to the user list.

To create a new remote RADIUS user:

1. In the Choose User Type page of the User Creation Wizard, select Remote RADIUS User, then select Next.
The Specify RADIUS Server page opens.
2. Enter a name for the user in the User Name field.
3. Select a RADIUS server from the drop-down list. For information on RADIUS servers, see RADIUS server on page
120.
4. Select Next to proceed to the Provide Contact Info page.
5. Enter an email address for the user in the Email Address field, then select Next to proceed to the Provide Extra
Info page.
6. Select Enable to enable the new user.


7. To place the user into a group, select User Group, then select a group from the drop-down menu. For information
on user groups, see User on page 109.
8. Select Done to create the new RADIUS user and return to the user list.

To create a new remote TACACS+ user:

By default, the TACACS+ Server option is not visible unless you add a server using the following CLI command:
config user tacacs+
edit <name>
set server <IP>
next
end

1. In the Choose User Type page of the User Creation Wizard, select Remote TACACS+ User.
2. Select Next to proceed to the Specify TACACS+ Server page.
3. Enter a name for the user in the User Name field.
4. Select a TACACS+ server from the drop-down list. For information on TACACS+ servers, see TACACS+ server on
page 122.
5. Select Next to proceed to the Provide Contact Info page.
6. Enter an email address for the user in the Email Address field, then select Next to proceed to the Provide Extra
Info page.
7. Select Enable to enable the new user.
8. To place the user into a group, select User Group, then select a group from the drop-down menu. For information
on user groups, see User on page 109.
9. Select Done to create the new TACACS+ user and return to the user list.

To create a new remote LDAP user:

1. In the Choose User Type page of the User Creation Wizard, select Remote LDAP User, then select Next. The
Specify LDAP Server page opens.
2. To choose an existing LDAP server, select Choose Existing, then select a server from the drop-down list.
3. To create a new LDAP server, select Create New, then enter the required information. See LDAP server on page
118.
4. Select Next to proceed to the Select Remote User page.
5. Enter the LDAP filter in the LDAP Filter field, then select Apply Filter.


6. Enter a search term in the Search field to search the server, then select a user from the results.
7. Select Next to proceed to the Confirm Selection page.
8. Confirm that the selection is correct, then select Done to add the remote LDAP user.

User group
A user group is a list of user identities. An identity can be:

l a local user account (user name and password) stored on the Fortinet unit
l a local user account with a password stored on a RADIUS, LDAP, or TACACS+ server
l a RADIUS, LDAP, or TACACS+ server (all identities on the server can authenticate)
l a user or user group defined on a Directory Service server.
Each user group belongs to one of the following types: Firewall, FSSO, Guest, or RADIUS Single Sign-On (RSSO).

For each resource that requires authentication, you specify which user groups are permitted access. You need to
determine the number and membership of user groups appropriate to your authentication needs.

Users that are associated with multiple groups have access to all services within all the user groups that they are
associated with. This is only available in the CLI. The command used is auth-multi-group, which is enabled
by default. This feature checks all groups a user belongs to for firewall authentication.

To configure user groups, go to User > User Group.

Create New Create a new user group.

Edit Edit a user group.

Delete Delete a group or groups.

Search Enter a search term to search the user group list.

Group Name The name of the group.

Group type The type of group.

Members The names of the members in the group. To adjust the way users are listed
in the column, see To configure the member column: on page 114.

Ref. Displays the number of times the group is referenced to other objects.
To view the location of the referenced group, select the number in Ref.; the
Object Usage window appears displaying the various locations of the
referenced object.

To create a new user group:

1. In the user group list, select Create New from the toolbar. The New User Group window opens.
2. Enter a name for the group in the Name field.
3. Select the group type in the Type field, one of: Firewall, FSSO, Guest, or RSSO.


4. Enter the following information, depending on the group type selected:

Firewall This type of group can be selected in any security policy that requires
firewall authentication.

Members Select users to add to the group from the drop-down list.

Remote Authentication Servers Add remote authentication servers to the group.
Select Add, then select the server from the drop-down list in the Remote
Server column. Then, if required, enter a group name or names for the
server (separated by commas).
Servers can be edited and deleted as necessary.

Fortinet Single Sign-On (FSSO) This type of group can be selected in any security policy that requires
Fortinet Single Sign-On (FSSO) authentication.

Members Select users to add to the group from the drop-down list.

Guest This type of group can be selected in any security policy that allows guest
authentication.

Enable Batch Guest Account Creation Select to enable the creation of batches of guest accounts.
When enabled, only the Expire Type and Default Expire Time options will
be available.

User ID Select a user ID option from the drop-down list.

l Auto-Generate: The user ID is generated automatically.


l Email: The user ID is emailed.
l Specify: The user ID must be specified.

Password Select a password option from the drop-down list.

l Auto-Generate: The password is generated automatically.


l Specify: The password must be specified.
l Disable: No password is required.

Expire Type Select the expire type, either After first login, or Immediately.


Default Expire Time Select the default expire time in Days, Hours, Minutes, or Seconds.

Enable Name Select to enable name.

Enable Sponsor Select to enable sponsor. Select Required to make a sponsor a
requirement.

Enable Company Select to enable company. Select Required to make a company a
requirement.

Enable Email Select to enable email.

Enable SMS Select to enable SMS, then select a service type from the Service Type
drop-down list.

RADIUS Single Sign-On (RSSO) This type of group can be selected in any security policy that requires
RSSO authentication.

RADIUS Attribute Value Enter the RADIUS attribute value. This value is matched against the
Class attribute carried in the RADIUS Accounting-Start message.

5. Select OK to create the new user group.

To edit a user group:

1. Select the group you would like to edit then select Edit from the toolbar, or double-click on the group in the table.
The Edit User Group window opens.
2. Edit the information as required, then select OK to apply your changes.

To delete a user group or groups:

1. Select the group or groups that you would like to delete.


2. Select Delete from the toolbar.
3. Select OK in the confirmation dialog box to delete the selected group or groups.

To configure the member column:

1. In the user group list, right-click anywhere on the column headings and select Members Column Option. The
Member Column Option window opens.
2. Enter the number of subcolumns that the member column will contain in the Number of Sub-Columns field, from
1 to 12 (default = 4).
3. Enter the number of lines to display in the Lines of Objects to Display field, from 1 to 100 (default = 6).
If more users are in a group than can be displayed in accordance with the member column settings, a
Display More option will be added to the row that also shows how many users are hidden and how many
users are contained in the group in total.


Authentication

FortiCache units support the use of external authentication servers. An authentication server can provide
password checking for selected FortiCache users or it can be added as a member of a FortiCache user group.

If you are going to use authentication servers, you must configure the servers before you configure FortiCache
users or user groups that require them.

The following menus are available:

l Single sign-on
l LDAP server
l RADIUS server
l TACACS+ server
l Settings

Single sign-on
Fortinet units use security policies to control access to resources based on user groups configured in the policies.
Each Fortinet user group is associated with one or more Directory Service user groups. When a user logs in to the
Windows or Novell domain, an FSSO agent sends the user’s IP address, and the names of the Directory Service
user groups that the user belongs to, to the FortiCache unit.

The FSSO agent has two components that must be installed on your network:

l The domain controller agent must be installed on every domain controller to monitor user logins and send
information about them to the collector agent.
l The Collector agent must be installed on at least one domain controller to send the information received from the
domain controller agents to the Fortinet unit. Alternately a FortiAuthenticator server can take the place of the
Collector agent in an FSSO polling mode configuration.
The unit uses this information to maintain a copy of the domain controller user group database. Because the
domain controller authenticates users, the unit does not perform authentication. It recognizes group members by
their IP address. You must install the FSSO Agent on the network and configure the unit to retrieve information
from the Directory Service server.

To manage single sign-on (SSO) servers, go to User > Authentication > Single Sign-on.

Create New Create a new FSSO server.

Edit Edit an FSSO server.

Delete Delete an FSSO server or servers.

Name The name of the FSSO server.

Type An icon representing the type of server. Hover your cursor over the icon to
view the type.


LDAP Server The LDAP server associated with the FSSO server.

Users/Groups The users and groups associated with the server.

FSSO Agent IP/Name The IP address or name of the FSSO agent.

Status The status of the FSSO server.

Ref. Displays the number of times the server is referenced by other objects.
To view the location of the referenced server, select the number in Ref.;
the Object Usage window appears displaying the various locations of the
referenced object.

To create a new SSO server:

1. In the single sign-on server list, select Create New from the toolbar. The New Single Sign-On Server page
opens.
2. Select the type of server that will be created in the Type field. One of: Poll Active Directory Server, Fortinet
Single Sign-On Agent, or RADIUS Single Sign-On Agent.

Only one RADIUS single sign-on agent can be created on the FortiCache device.


3. Enter the following information, depending on the type selected:

Poll Active Directory Server

Server Name/IP Enter the server name or IP address.

User Enter the user name.

Password Enter the password for the user.

LDAP Server Select an LDAP server from the drop-down list to access the Directory
Service.

Enable Polling Select to enable polling.

Users/Groups If an LDAP server is selected, view or edit the users or groups associated
with the server.

Fortinet Single Sign-On Agent

Name Enter a name for the agent.

Primary Agent IP/Name Enter the IP address or name for the primary agent. Then enter the
password in the Password field.

Secondary Agent Name/IP Enter the IP address or name for the secondary agent. Then enter the
password in the Password field.

More FSSO agents Select More FSSO agents to add up to three more FSSO agents.
Enter the IP address or name of the Directory Service server where the
collector agent is installed. The maximum number of characters is 63.
Then enter the password for the collector agent. This is required only if you
configured your FSSO collector agent to require authenticated access.

LDAP Server Select an LDAP server from the drop-down list to access the Directory
Service.

Users/Groups If an LDAP server is selected, view or edit the users or groups associated
with the server.

RADIUS Single Sign-On Agent

Use RADIUS Shared Secret Select to use a RADIUS shared secret, then enter the shared secret in the
Shared Secret field.

Send RADIUS Responses Select to send RADIUS responses.

4. Select OK to create the new single sign-on server.

To edit an SSO server:

1. Select the server you would like to edit, then select Edit from the toolbar, or double-click on the server in
the list. The Edit Single Sign-On Server window opens.


2. Edit the server information as required and select OK to apply your changes.

To delete a server or servers:

1. Select the server or servers that you would like to delete.


2. Select Delete from the toolbar.
3. Select OK in the confirmation dialog box to delete the selected server or servers.

LDAP server
LDAP (Lightweight Directory Access Protocol) is an Internet protocol for accessing and maintaining directory
data, which may include departments, people, groups of people, passwords, email addresses, and printers.
LDAP consists of a data-representation scheme, a set of defined operations, and a request/response protocol
carried over TCP.

To manage LDAP servers, go to User > Authentication > LDAP Servers.

The following information is available:

Create New Create a new LDAP server.

Edit Edit an LDAP server.

Delete Delete a server or servers.

Name The name that identifies the LDAP server on the Fortinet unit.

Server Name/IP The domain name or IP address of the LDAP server.

Port The TCP port used to communicate with the LDAP server. By default,
LDAP uses port 389.

Common Name Identifier The common name identifier for the LDAP server.

Distinguished Name The base distinguished name for the server using the correct X.500 or
LDAP format. The unit passes this distinguished name unchanged to the
server.

Ref. Displays the number of times the server is referenced to other objects.
To view the location of the referenced server, select the number in Ref.;
the Object Usage window appears displaying the various locations of the
referenced object.


To add a new LDAP server:

1. In the LDAP server list, select Create New from the toolbar. The New LDAP Server window opens.

2. Configure the following:

Name Enter the name that identifies the LDAP server on the Fortinet unit.

Server Name/IP Enter the domain name or IP address of the LDAP server.

Server Port Enter the TCP port used to communicate with the LDAP server. By default,
LDAP uses port 389.
If you use a secure LDAP server, the default port changes if you select
Secure Connection.

Common Name Identifier Enter the common name identifier for the LDAP server. The maximum
number of characters is 20.

Distinguished Name Enter the base distinguished name for the server using the correct X.500 or
LDAP format. The unit passes this distinguished name unchanged to the
server. The maximum number of characters is 512.

Query icon View the LDAP server Distinguished Name Query tree for the LDAP server
that you are configuring so that you can cross reference to the
Distinguished Name.

Bind Type Select the type of binding for LDAP authentication.

l Simple: Bind to the LDAP server directly as the user, using the
distinguished name built from the Common Name Identifier, the user name,
and the Distinguished Name, together with the password the user supplied.
l Anonymous: Bind to the LDAP server anonymously, search for the user's
entry under the Distinguished Name, then bind with the distinguished name
found and the password the user supplied.
l Regular: Bind to the LDAP server with a fixed account, search for the
user's entry, then bind with the distinguished name found and the password
the user supplied. Enter the distinguished name and password of the account
that the unit binds with in the User DN and Password fields. This account
needs only enough rights to search the directory; do not use an
administrative account.

Secure Connection Select to use a secure LDAP server connection for authentication.


Protocol Select a secure LDAP protocol to use for authentication, either LDAPS or
STARTTLS.
Depending on your selection, the server port will change to the default port
for the selected protocol:
l LDAPS: port 636
l STARTTLS: port 389

Certificate Select a certificate to use for authentication from the list.

Test Select Test to test the LDAP query.

3. Select OK to create the new LDAP server.
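The three bind types start from the same two settings, the Common Name Identifier and the base Distinguished Name, and differ only in how the user name is combined with them. The Python below is an added example written for this guide, not FortiCache code, and it makes no claim about how the unit builds its LDAP requests internally. It shows the DN and search filter the three flows need, with the user-supplied name escaped per RFC 4514 (DN values) and RFC 4515 (filter values) so that a name such as *)(objectClass=* cannot change the meaning of the query; the length limits are the ones stated on this page, while the bind_plan function and its placeholder strings are the example's own.

```python
def escape_dn_value(value: str) -> str:
    """RFC 4514 section 2.4: escape characters that are special inside one DN value."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:          # leading '#' would start a hex-encoded value
            out.append("\\#")
        elif ch == " " and i in (0, last):  # leading/trailing spaces are otherwise dropped
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """RFC 4515 section 3: escape characters that are special inside a search filter.
    Without this, '*' and parentheses typed as a user name become filter syntax."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


def check_settings(cn_identifier: str, base_dn: str) -> None:
    """Limits stated on this page: CN identifier up to 20 characters, DN up to 512."""
    if not cn_identifier or len(cn_identifier) > 20:
        raise ValueError("Common Name Identifier must be 1 to 20 characters")
    if not cn_identifier.replace("-", "").isalnum():
        raise ValueError("Common Name Identifier must be an LDAP attribute name")
    if not base_dn or len(base_dn) > 512:
        raise ValueError("Distinguished Name must be 1 to 512 characters")


def bind_dn(cn_identifier: str, username: str, base_dn: str) -> str:
    """DN used by a Simple bind: <cnid>=<user>,<base DN>. The base DN is passed
    through unchanged, as the page says the unit does; only the user value is escaped."""
    check_settings(cn_identifier, base_dn)
    return f"{cn_identifier}={escape_dn_value(username)},{base_dn}"


def user_filter(cn_identifier: str, username: str) -> str:
    """Filter used by an Anonymous or Regular bind to locate the user's entry
    before binding with the DN that the search returns."""
    return f"({cn_identifier}={escape_filter_value(username)})"


def bind_plan(bind_type: str, cn_identifier: str, username: str,
              base_dn: str, service_dn: str = "") -> list:
    """The LDAP operations each bind type performs, in order (hypothetical model).
    Passwords are placeholders; the user password never goes into a DN or filter."""
    if bind_type == "simple":
        return [("bind", bind_dn(cn_identifier, username, base_dn), "<user password>")]
    search = ("search", base_dn, user_filter(cn_identifier, username))
    if bind_type == "anonymous":
        return [("bind", "", ""), search, ("bind", "<DN from search>", "<user password>")]
    if bind_type == "regular":
        if not service_dn:
            raise ValueError("regular bind needs the User DN the unit binds with")
        return [("bind", service_dn, "<User DN password>"), search,
                ("bind", "<DN from search>", "<user password>")]
    raise ValueError(f"unknown bind type {bind_type!r}")
```

Whichever bind type is chosen, the Regular account's rights should be limited to searching the user subtree, since its DN and password sit in the unit's configuration.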

To edit an LDAP server:

1. Select the LDAP server you would like to edit then select Edit from the toolbar, or double-click on the server in
the server list. The Edit LDAP Server window opens.
2. Edit the server information as required and select OK to apply your changes.

To delete a server or servers:

1. Select the server or servers that you would like to delete.


2. Select Delete from the toolbar.
3. Select OK in the confirmation dialog box to delete the selected server or servers.

RADIUS server
RADIUS is a broadly supported client server protocol that provides centralized authentication, authorization, and
accounting functions. RADIUS clients are built into gateways that allow access to networks such as Virtual Private
Network (VPN) servers, Network Access Servers (NAS), as well as network switches and firewalls that use
authentication. FortiCache units fall into the last category.

RADIUS servers use UDP packets to communicate with the RADIUS clients on the network to:

l Authenticate users before allowing them access to the network
l Authorize access to resources by appropriate users
l Account or bill for those resources that are used.

RADIUS is currently defined by RFC 2865 (authentication and authorization) and RFC 2866 (accounting).
Servers listen for requests on either UDP ports 1812 (authentication) and 1813 (accounting) or the older
ports 1645 (authentication) and 1646 (accounting). RADIUS servers exist for all major operating systems.

You must configure the RADIUS server to accept the FortiCache unit as a client. FortiCache units use the
authentication and accounting functions of the RADIUS server.

When a configured user attempts to access the network, the FortiCache unit forwards the authentication
request to the RADIUS server, which verifies the user name and password. Once authenticated, the RADIUS
server returns an Access-Accept message to the FortiCache unit, which then grants the user permission to
access the network; an Access-Reject denies it.


RADIUS does not encrypt its packets. The shared secret, combined with MD5 hashing, is used only to hide the
User-Password attribute sent from the RADIUS client (here, the FortiCache unit) to the server and to
authenticate the server's replies; the user name and every other attribute travel in clear text. Because the
hiding depends entirely on the shared secret, use a long, random secret and restrict which hosts can reach the
RADIUS ports.
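To make concrete what "only the password is hidden" means, here is an added example (written for this guide, not Fortinet code) of the RFC 2865 User-Password hiding scheme and an Access-Request built around it. Everything outside the password attribute, including the user name and NAS-IP-Address, is sent in the clear, and guess_secret shows why a short or guessable shared secret is a problem: with one captured request, candidate secrets can be tested offline with no further contact with the server. The user name, secret, password and addresses are constructed sample values.

```python
import hashlib
import ipaddress
import os
import struct

BLOCK = 16


def _chain(data: bytes, secret: bytes, authenticator: bytes, decrypt: bool) -> bytes:
    """RFC 2865 section 5.2: b1 = MD5(S + RA), bn = MD5(S + c(n-1)); cn = pn XOR bn.
    The chaining value is always the previous *ciphertext* block, so encryption
    feeds its output forward and decryption feeds its input forward."""
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not data or len(data) % BLOCK:
        raise ValueError("input must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]
        pad = hashlib.md5(secret + prev).digest()
        result = bytes(x ^ y for x, y in zip(chunk, pad))
        out += result
        prev = chunk if decrypt else result
    return bytes(out)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Pad the password with NULs to a 16-byte boundary, then hide it."""
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS User-Password is 1 to 128 octets")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    return _chain(padded, secret, authenticator, decrypt=False)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Recover the password; NUL padding is stripped (the RFC leaves trailing NULs in
    a real password ambiguous, so avoid them)."""
    return _chain(hidden, secret, authenticator, decrypt=True).rstrip(b"\x00")


def access_request(identifier: int, username: bytes, hidden_pw: bytes,
                   nas_ip: str, authenticator: bytes) -> bytes:
    """Access-Request (Code 1) carrying User-Name (1), User-Password (2) and
    NAS-IP-Address (4). Only attribute 2 is hidden; the rest is plain on the wire."""
    attrs = b"".join(
        bytes([attr_type, 2 + len(value)]) + value
        for attr_type, value in (
            (1, username),
            (2, hidden_pw),
            (4, ipaddress.IPv4Address(nas_ip).packed),
        )
    )
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs


def guess_secret(hidden: bytes, authenticator: bytes, candidates):
    """Offline test of a captured hidden password against candidate secrets. A candidate
    is accepted when the recovered value is printable ASCII followed only by NUL
    padding; a wrong secret yields random-looking bytes. Nothing is sent anywhere."""
    for cand in candidates:
        raw = _chain(hidden, cand, authenticator, decrypt=True)
        body = raw.rstrip(b"\x00")
        if body and all(0x20 <= c < 0x7F for c in body):
            return cand
    return None


def new_authenticator() -> bytes:
    """The Request Authenticator must be unpredictable and unique per request."""
    return os.urandom(BLOCK)
```

The 16-character maximum on this page is therefore the only budget you have against the offline check in guess_secret; spend all of it on random characters rather than a word.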

To manage RADIUS servers, go to User > Authentication > RADIUS Servers.

Create New Create a new RADIUS server.

Edit Edit a RADIUS server.

Delete Delete a server or servers.

Name The name that identifies the RADIUS server on the unit.

Server Name/IP The domain name or IP address of the primary and, if applicable,
secondary, RADIUS server.

Ref. Displays the number of times the server is referenced by other objects.
To view the location of the referenced server, select the number in Ref.;
the Object Usage window appears displaying the various locations of the
referenced object.

To add a new RADIUS server:

1. In the RADIUS server list, select Create New from the toolbar. The New RADIUS Server window opens.

2. Configure the following:

Name Enter the name that is used to identify the RADIUS server on the unit.

Primary Server Name/IP Enter the domain name or IP address of the primary RADIUS server.

Primary Server Secret Enter the RADIUS server secret key for the primary RADIUS server. The
primary server secret key can be up to 16 characters long. For security
reasons, use the maximum length and choose the secret at random.

Secondary Server Name/IP Enter the domain name or IP address of the secondary RADIUS server, if
applicable.

Secondary Server Secret Enter the RADIUS server secret key for the secondary RADIUS server. The
secondary server secret key can be up to a maximum length of 16
characters.


Authentication Scheme Select Use Default Authentication Scheme to authenticate with the
default method: PAP, MSCHAP-V2, and CHAP, in that order.
Select Specify Authentication Protocol to override the default
authentication method, then choose the protocol from the list: MSCHAP-
V2, MS-CHAP, CHAP, or PAP.

NAS IP/Called Station ID Optionally, enter the IP address to send in the NAS-IP-Address attribute
(RADIUS attribute 4) and the Called-Station-Id attribute (attribute 30), both
defined in RFC 2865.
In this configuration, the FortiCache unit is the NAS (the RADIUS client), and
the RADIUS server uses this value to identify which client sent the request.
If you do not enter an IP address, the IP address of the FortiCache interface
used to communicate with the RADIUS server is applied.

Include in every User Select Enable to have the RADIUS server automatically included in all user
Group groups.

3. Select OK to create the new RADIUS server.

To edit a RADIUS server:

1. Select the RADIUS server you would like to edit then select Edit from the toolbar, or double-click on the server in
the server list. The Edit RADIUS Server window opens.
2. Edit the server information as required and select OK to apply your changes.

To delete a server or servers:

1. Select the server or servers that you would like to delete.


2. Select Delete from the toolbar.
3. Select OK in the confirmation dialog box to delete the selected server or servers.

TACACS+ server
TACACS+ is a remote authentication protocol that provides access control for routers, network access servers,
and other networked computing devices via one or more centralized servers. TACACS+ allows a client to accept a
username and password and send a query to a TACACS+ authentication server. The server host determines
whether to accept or deny the request and sends a response back that allows or denies the user access to the
network.

TACACS+ obfuscates the entire packet body with a pad derived from the shared secret (RFC 8907 describes this
as obfuscation rather than encryption and recommends running the protocol over a protected path), whereas
RADIUS hides only the password. It supports both IP and AppleTalk protocols. TACACS+ uses TCP port 49,
which is seen as more reliable than the UDP transport used by RADIUS.
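The following added example (not Fortinet code) implements the RFC 8907 body obfuscation and an authentication START packet so that the difference from RADIUS is visible: the whole body is covered, but by an MD5-derived pad keyed with the shared secret, which is why reusing a (session_id, seq_no) pair under one key leaks the XOR of two plaintexts. The session id, key and user details are constructed sample values; the packet layout follows RFC 8907.

```python
import hashlib
import os
import struct

VERSION = 0xC0           # major 0xC, minor 0: the default version in RFC 8907
TYPE_AUTHEN = 0x01       # authentication packet
FLAG_UNENCRYPTED = 0x01  # body sent in the clear; only acceptable for lab debugging


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5 keystream:
       MD5_1 = MD5(session_id || key || version || seq_no)
       MD5_n = MD5(session_id || key || version || seq_no || MD5_(n-1))
    concatenated and truncated to the body length. session_id is the 4-byte header
    field; version and seq_no are single bytes."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, seq_no: int,
              version: int = VERSION) -> bytes:
    """XOR the body with the pad. Applying it twice returns the plaintext."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def header(seq_no: int, session_id: int, body_len: int, version: int = VERSION) -> bytes:
    """12-byte header: version, type, seq_no, flags, session_id, length (section 4.1)."""
    return struct.pack("!BBBBII", version, TYPE_AUTHEN, seq_no, 0, session_id, body_len)


def authen_start(user: bytes, port: bytes, rem_addr: bytes, data: bytes = b"",
                 authen_type: int = 1) -> bytes:
    """Authentication START body (section 5.1): action 1 = LOGIN, priv_lvl 1,
    authen_service 1 = LOGIN. authen_type 1 = ASCII, 2 = PAP, 3 = CHAP, 5 = MSCHAP,
    6 = MSCHAPv2, i.e. the choices listed on this page."""
    fixed = struct.pack("!BBBBBBBB", 1, 1, authen_type, 1,
                        len(user), len(port), len(rem_addr), len(data))
    return fixed + user + port + rem_addr + data


def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int) -> bytes:
    return header(seq_no, session_id, len(body)) + obfuscate(body, session_id, key, seq_no)


def parse_packet(packet: bytes, key: bytes) -> tuple:
    """Return (seq_no, session_id, plaintext body); rejects a lying length field."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:]
    if len(body) != length:
        raise ValueError("length field does not match body")
    if flags & FLAG_UNENCRYPTED:
        return seq_no, session_id, body
    return seq_no, session_id, obfuscate(body, session_id, key, seq_no, version)


def keystream_reuse_leak(body_a: bytes, body_b: bytes, session_id: int,
                         key: bytes, seq_no: int) -> bytes:
    """If two bodies are ever sent under the same (session_id, seq_no) with the same
    key, XORing the two obfuscated bodies cancels the pad and yields
    body_a XOR body_b with no knowledge of the key. The protocol relies on a random
    session_id and an increasing seq_no to avoid this; nothing authenticates the
    packet either, which is why RFC 8907 calls this obfuscation."""
    ca = obfuscate(body_a, session_id, key, seq_no)
    cb = obfuscate(body_b, session_id, key, seq_no)
    return bytes(x ^ y for x, y in zip(ca, cb))


def new_session_id() -> int:
    """Random per-session id, as the server and client are expected to use."""
    return struct.unpack("!I", os.urandom(4))[0]
```

Because the pad gives confidentiality against casual sniffing only, the 16-character limit on the Server Secret below deserves the same treatment as the RADIUS secret: full length, random, and a network path to the TACACS+ server that untrusted hosts cannot observe.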

There are several different authentication protocols that TACACS+ can use during the authentication process.

Protocol Definition

ASCII Machine-independent technique that uses representations of English
characters. Requires the user to type a username and password that are sent
in clear text (unencrypted) and matched with an entry in the user database
stored in ASCII format.

PAP Password Authentication Protocol (PAP). Used to authenticate PPP
connections. Transmits passwords and other user information in clear text.

CHAP Challenge-Handshake Authentication Protocol (CHAP). Provides the same
functionality as PAP, but is more secure because the password itself is never
sent over the network to the security server; the client proves knowledge of
it by answering a challenge.

MS-CHAP Microsoft Challenge-Handshake Authentication Protocol v1 (MSCHAP).
Microsoft-specific version of CHAP.

Auto The default protocol configuration, Auto, uses PAP, MS-CHAP, and CHAP,
in that order.

By default, the TACACS+ Servers option is not visible unless you add a server using
the following CLI command:

config user tacacs+
   edit <name>
      set server <IP>
   next
end

To manage TACACS+ servers, go to User > Authentication > TACACS+ Servers.

Create New Create a new TACACS+ server.

Edit Edit a TACACS+ server.

Delete Delete a server or servers.

Name The name that identifies the TACACS+ server on the unit.

Server The domain name or IP address of the TACACS+ server.

Authentication Type The authentication type used by the server.

Ref. Displays the number of times the server is referenced to other objects.
To view the location of the referenced server, select the number in Ref.
The Object Usage window appears displaying the various locations of the
referenced object.


To add a new TACACS+ server:

1. In the TACACS+ server list, select Create New from the toolbar. The New TACACS+ Server window opens.

2. Configure the following:

Name Enter the name of the TACACS+ server.

Server IP/Name Enter the server domain name or IP address of the TACACS+ server.

Server Secret Enter the key to access the TACACS+ server. The server key can be a
maximum of 16 characters in length.

Authentication Type Select the authentication type to use for the TACACS+ server: Auto,
ASCII, PAP, CHAP, or MSCHAP.
Auto authenticates using PAP, MSCHAP, then CHAP (in that order).

3. Select OK to create the new TACACS+ server.

To edit a TACACS+ server:

1. Select the TACACS+ server you would like to edit then select Edit from the toolbar, or double-click on the server
in the server list. The Edit TACACS+ Server window opens.
2. Edit the server information as required and select OK to apply your changes.

To delete a server or servers:

1. Select the server or servers that you would like to delete.


2. Select Delete from the toolbar.
3. Select OK in the confirmation dialog box to delete the selected server or servers.

Settings
This submenu provides settings for configuring authentication timeout, protocol support, and authentication
certificates. When user authentication is enabled within a security policy, the authentication challenge is normally
issued for any of the four protocols (depending on the connection protocol):

l HTTP (can also be set to redirect to HTTPS)
l HTTPS
l FTP
l Telnet.
The selections control which protocols support the authentication challenge. Users must connect with a
supported protocol first so that they can subsequently connect with other protocols. If HTTPS is selected as a
method of protocol support, it allows the user to authenticate with a customized local certificate.


When you enable user authentication within a security policy, the security policy user will be challenged to
authenticate. For user ID and password authentication, users must provide their user names and passwords. For
certificate authentication (HTTPS or HTTP redirected to HTTPS only), you can install customized certificates on
the unit, and the users can also have customized certificates installed on their browsers. Otherwise, users will see
a warning message and have to accept a default Fortinet certificate.

To configure authentication settings, go to User > Authentication > Settings.

Configure the following settings, then select Apply to apply your changes:

Authentication Timeout Enter the amount of time, in minutes, that an authenticated firewall
connection can be idle before the user must authenticate again. From 1 to
480 minutes (default = 5).

Protocol Support Select the protocols to challenge during firewall user authentication from
the following:
l HTTP
l Redirect HTTP Challenge to a Secure Channel (HTTPS)
l HTTPS
l FTP
l Telnet

Certificate Select the local certificate to use for authentication.
This option is only available if HTTPS or HTTP redirected to HTTPS is
selected.

Monitor

You can go to the Monitor menu to view lists of currently authenticated users, and banned users. For each
authenticated user, the list includes the user name, user group, how long the user has been authenticated
(Duration), how long until the user’s session times out (Time left), and the method of authentication used. The
Banned User list includes users configured by administrators.

Firewall
In some environments, it is useful to determine which users are authenticated by the FortiCache unit and allow
the system administrator to de-authenticate (stop current session) users. With the firewall monitor, you can de-
authenticate all currently authenticated users, or select individual users to de-authenticate. To permanently stop
a user from re-authenticating, change the configuration (disable a user account) and then use the user monitor to
immediately end the user’s current session.


Monitored firewall users can be viewed from User > Monitor > Firewall. This page lists all authenticated firewall
users that are currently authenticated by the unit and active. This page allows you to refresh the information on
the page, as well as filter the information.

Refresh Refresh the Firewall user monitor list.

De-authenticate Stop authenticated sessions for all selected users in the Firewall user
monitor list. Users must re-authenticate with the firewall to resume their
communication session.

Show all FSSO Logons Select to include all of the FSSO logins in the list.

User Name The names of all connected remote users.

User Group The group that the remote user is a member of.

Policy ID The policy identification number of the user.

Duration The length of time since the user was authenticated.

IP Address The user’s source IP address.

Traffic Volume The amount of traffic going through the unit that is generated by the user.

Method The authentication method used for the user by the unit, such as FSSO
Agent, firewall authentication, or NTLM.

Time-left Shows the amount of time remaining for the user. This column is not visible
by default. Right-click in the column headings to add it.

User Quarantine
The user quarantine shows all IP addresses and interfaces blocked by Network Access Control (NAC) quarantine.
The list also shows all IP addresses, authenticated users, senders, and interfaces blocked by DLP.

The system administrator can selectively release users or interfaces from quarantine, or configure quarantine to
expire after a selected time period.

All sessions started by users or IP addresses on the banned user list are blocked until the user or IP address is
removed from the list. All sessions to an interface on the list are blocked until the interface is removed from the
list.

The user quarantine is viewed from User > Monitor > User Quarantine.

Page Controls Use to navigate through the list.

Clear Remove all users and IP addresses from the list.

# The position number of the user or IP address in the list.


Ban Key The ban key.

Application Protocol The protocol that was used by the user or IP address.

Cause or rule The Fortinet function that caused the user or IP address to be added to the
list.

Created The date and time that the user or IP address was added to the list.

Expires The date and time that the user or IP address will be automatically
removed from the list. If Expires is Indefinite, the entry must be manually
removed from the list.

WAN Optimization and Web Caching

You can use web caching to cache web pages from any web server. All traffic between a client network and one or
more web servers is then intercepted by a web cache policy. This policy causes the FortiCache unit to cache
pages from the web servers on the FortiCache unit and makes the cached pages available to users on the client
network. Web caching can be configured for standard and reverse web caching.

In a standard web caching configuration, the FortiCache unit caches pages for users on a client network. A router
sends HTTP traffic to be cached to the FortiCache unit.

You can also create a reverse proxy web caching configuration where the FortiCache unit is dedicated to
providing web caching for a single web server or server farm. In this second configuration, the one or more
FortiCache units can be installed between the server network and the WAN or Internet or traffic to be cached can
be routed to the FortiCache units.

You can add WAN Optimization to improve traffic performance and efficiency as it crosses the WAN.

FortiCache WAN optimization consists of a number of techniques that you can apply to improve the efficiency of
communication across your WAN. These techniques include protocol optimization, byte caching, SSL offloading,
and secure tunnelling.

Protocol optimization can improve the efficiency of traffic that uses the CIFS, FTP, HTTP, or MAPI protocol, as
well as general TCP traffic. Byte caching caches files and other data on FortiCache units to reduce the amount of
data transmitted across the WAN. Web caching stores web pages on FortiCache units to reduce latency and
delays between the WAN and web servers. SSL offloading offloads SSL decryption and encryption from web
servers onto FortiCache SSL acceleration hardware. Secure tunnelling secures traffic as it crosses the WAN.

You can apply different combinations of these WAN optimization techniques to a single traffic stream depending
on the traffic type. For example, you can apply byte caching and secure tunneling to any TCP traffic. For HTTP
and HTTPS traffic, you can also apply protocol optimization and web caching.

This chapter describes:

l WAN optimization profiles
l WAN optimization peers
l Cache
l Monitor

WAN optimization profiles


To configure WAN optimization profiles, go to WAN Opt. & Cache > WAN Opt. Profiles > Profiles. The Edit
WAN Optimization Profile page is displayed.

Configure the following settings, then select Apply to apply any changes:

Profile Select a profile to edit from the drop-down list.

Create New Create a new WAN optimization profile.

Clone Clone the current profile.

Delete Delete the current profile.

View List View the WAN optimization profile list. See Profile list on page 130.

Name Enter a name for the WAN optimization profile.

Comments Optionally, enter a description of the profile.

Transparent Mode Select checkbox to enable transparent mode.

Authentication Group Enable, then select the authentication group from the drop-down list that
will be applied to the WAN optimization profile.

Select the protocols that are enabled for this profile: CIFS, FTP, HTTP,
Protocol Options
MAPI, TCP.

SSL Offloading Select to enable SSL offloading.


SSL offloading offloads SSL decryption and encryption from web servers
onto FortiCache SSL acceleration hardware. It is only available for HTTP
and TCP protocols.

Administration Guide 129


Fortinet Technologies Inc.
WAN optimization profiles WAN Optimization and Web Caching

Select to enable secure tunneling.


To use secure tunneling, it must be enabled for a protocol, and an
authentication group must be added. The authentication group specifies
the certificate or pre-shared key used to set up the secure tunnel. The Peer
Secure Tunneling Acceptance setting of the authentication group does not affect secure
tunneling.
The FortiCache units at each end of the secure tunnel must have the same
authentication group with the same name and the same configuration,
including the same pre-shared key or certificate.

Byte Caching Select to enable byte caching.


Byte caching breaks large units of application data (for example, a file
being downloaded from a web page) into small chunks of data, labelling
each chunk of data with a hash of the chunk and storing those chunks and
their hashes in a database. The database is stored on a WAN optimization
storage device.

Port Specify the port number for the protocol. The default values are:
l CIFS: 445
l FTP: 21
l HTTP: 80
l MAPI: 135
l TCP: 1 - 65535
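The following Python model is an added illustration, not FortiCache code, of the byte caching mechanism described for the profile above: application data is split into chunks, each chunk is labelled with a hash and stored in a database, and a repeat transfer between the two peers sends only the labels of chunks they already hold. The fixed 1024-byte chunk size, the SHA-256 label, the single pair of peers and the sample data are assumptions.

```python
import hashlib

CHUNK_SIZE = 1024   # assumed chunk size; the real chunking scheme is not documented here
LABEL_SIZE = 32     # bytes in a SHA-256 label


def chunk_data(data: bytes, size: int = CHUNK_SIZE) -> list:
    """Split application data into fixed-size chunks (the last may be shorter)."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def label(chunk: bytes) -> str:
    """Hash label that identifies a chunk in the byte-cache database."""
    return hashlib.sha256(chunk).hexdigest()


class ByteCache:
    """Chunk database held on a peer's WAN optimization storage device."""

    def __init__(self) -> None:
        self.db = {}  # label -> chunk bytes

    def has(self, lbl: str) -> bool:
        return lbl in self.db

    def store(self, chunk: bytes) -> str:
        lbl = label(chunk)
        self.db[lbl] = chunk
        return lbl


def send_over_wan(data: bytes, sender: ByteCache, receiver: ByteCache) -> dict:
    """Simulate one transfer of data from the client-side peer to the server-side peer.

    The sender's database records every chunk it has already exchanged with this
    single peer, so a known chunk is replaced on the wire by its label alone; an
    unknown chunk is sent in full and stored on both sides. Returns the bytes that
    crossed the WAN, how many full chunks were sent, and the receiver's rebuilt data.
    """
    wire_bytes = 0
    chunks_sent = 0
    rebuilt = []
    for chunk in chunk_data(data):
        lbl = label(chunk)
        if sender.has(lbl):
            wire_bytes += LABEL_SIZE                 # label only crosses the WAN
        else:
            wire_bytes += LABEL_SIZE + len(chunk)    # label plus the chunk data
            chunks_sent += 1
            sender.store(chunk)
            receiver.store(chunk)
        rebuilt.append(receiver.db[lbl])             # receiver reassembles from its database
    return {"wire_bytes": wire_bytes, "chunks_sent": chunks_sent,
            "chunks_total": len(rebuilt), "data": b"".join(rebuilt)}


def build_sample(length: int) -> bytes:
    """Constructed sample file: deterministic, non-repeating bytes."""
    out = b""
    i = 0
    while len(out) < length:
        out += hashlib.sha256(i.to_bytes(4, "big")).digest()
        i += 1
    return out[:length]


if __name__ == "__main__":
    client, server = ByteCache(), ByteCache()
    sample = build_sample(10240)
    first = send_over_wan(sample, client, server)
    second = send_over_wan(sample, client, server)
    print("first transfer :", first["wire_bytes"], "bytes on the WAN")
    print("second transfer:", second["wire_bytes"], "bytes on the WAN")
```

A second transfer of the same 10 KB file costs only ten 32-byte labels, and changing one byte re-sends only the chunk that contains it.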

Profile list
The WAN optimization profile list can be viewed by selecting View List in the Edit WAN Optimization Profile
page toolbar.

Create New Create a new WAN optimization profile.

Edit Modify the profile.

Delete Remove the profile.

Name The name of the WAN optimization profile.

Ports The ports used by the profile.

Transparent Whether or not transparent mode is enabled.

Authentication Group The authentication group used by the profile, if any. See Authentication
groups on page 132.

Comments Optional description of the WAN optimization profile.

Managing WAN optimization profiles


WAN optimization profiles can be added, edited, cloned, and deleted as required.

To create a new WAN optimization profile:

1. From either the Edit WAN Optimization Profile page or the WAN optimization profile list, select Create New.
2. Enter the required information, then select OK to create the new WAN optimization profile.

To edit a WAN optimization profile:

1. From the Edit WAN Optimization Profile page, select the profile you need to edit from the profile drop-down list.
From the profile list, either select the profile you would like to edit then select Edit from the toolbar, or
double-click on the profile name in the list.

The Edit WAN Optimization Profile window opens.

2. Edit the information as required, then select Apply to apply your changes.

To clone a WAN optimization profile:

1. From the Edit WAN Optimization Profile page, select the profile you need to clone from the profile drop-down list.
2. Select Clone from the toolbar.
3. Enter a name for the profile in the dialog box, then select OK.
4. Edit the clone as required.

To delete a profile or profiles:

1. From the profile list, select the profile or profiles that you would like to delete.
2. Select Delete from the toolbar.
3. Select OK in the confirmation dialog box to delete the selected profile or profiles.

WAN optimization peers

The client-side and server-side FortiCache units are called WAN optimization peers because all of the FortiCache
units in a WAN optimization network have the same peer relationship with each other. The client and server roles
relate to how a session is started. Any FortiCache unit configured for WAN optimization can be both a client-side
and a server-side FortiCache unit at the same time, depending on the direction of the traffic. Client-side
FortiCache units initiate WAN optimization sessions and server-side FortiCache units respond to the session
requests. Any FortiCache unit can be a client-side FortiCache unit for some sessions and a server-side
FortiCache unit for others.

To identify all of the WAN optimization peers that a FortiCache unit can perform WAN optimization with, host IDs
and IP addresses of all of the peers are added to the FortiCache unit configuration. The peer IP address is
actually the IP address of the peer unit interface that communicates with the FortiCache unit.

Peers
Go to WAN Opt. & Cache > WAN Opt. Peers > Peers to view the WAN optimization peer list.

Create New Create a new WAN optimization peer.

Edit Edit a WAN optimization peer.

Delete Delete a WAN optimization peer or peers.

Local Host ID The local host ID. Enter an ID, then select Apply to apply the ID.

Peer Host ID The peer host ID of the WAN optimization peer.

IP Address The IP address of the peer.

Ref. Displays the number of times the peer is referenced by other objects.
To view where the peer is referenced, select the number in Ref.; the
Object Usage window appears, displaying the various locations of the
referenced object.

To create a new WAN optimization peer:

1. From the peer list, select Create New in the toolbar. The New WAN Optimization Peer window opens.
2. Enter the Peer Host ID and IP Address.
3. Select OK to create the new peer.

To edit a WAN optimization peer:

1. Select the peer you would like to edit then select Edit from the toolbar, or double-click on the peer in the peer list.
The Edit WAN Optimization Peer window opens.
2. Edit the peer as required and select OK to apply your changes.

To delete a WAN optimization peer or peers:

1. Select the peer or peers that you would like to delete.
2. Select Delete from the toolbar.
3. Select OK in the confirmation dialog box to delete the selected peer or peers.

Authentication groups
You need to add authentication groups to support authentication and secure tunneling between WAN
optimization peers.

To perform authentication, WAN optimization peers use a certificate or a pre-shared key added to an
authentication group so they can identify each other before forming a WAN optimization tunnel. Both peers must
have an authentication group with the same name and settings. The authentication group is added to a peer-to-peer
or active rule on the client-side FortiCache unit. When the server-side FortiCache unit receives a tunnel start
request that includes an authentication group from the client-side unit, the server-side unit finds an authentication
group in its configuration with the same name. If both authentication groups have the same certificate or pre-shared
key, the peers can authenticate and set up the tunnel.

Go to WAN Opt. & Cache > WAN Opt. Peers > Authentication Groups to manage the authentication groups.

Create New Create a new authentication group.

Edit Edit an authentication group.

Delete Delete an authentication group or groups.

Name The name of the group.

Authentication Method The authentication used by the group, either Certificate or Pre-shared key.

Peer(s) The peer or peers in the group.

Ref. Displays the number of times the group is referenced by other objects.
To view where the group is referenced, select the number in Ref.; the
Object Usage window appears, displaying the various locations of the
referenced object.

To create a new authentication group:

1. Select Create New from the toolbar. The New Authentication Group window opens.
2. Enter the following information:

Name Enter a name for the authentication group.

Authentication Method Select the authentication method to use.
l Certificate: Use a certificate to authenticate and encrypt WAN
optimization tunnels. Then select a local certificate that has been added
to this FortiCache unit from the drop-down list.
l Pre-shared key: Use a pre-shared key or password to authenticate and
encrypt WAN optimization tunnels. Then enter the password (or pre-shared
key) in the Password field.
Other FortiCache units that participate in WAN optimization tunnels with
this unit must have an authentication group with the same name and
password. The password must contain at least 6 printable characters and
should be known only by network administrators. For optimum protection
against currently known attacks, the key should consist of a minimum of
16 alphanumeric characters.

Accept Peer(s) Select the peer acceptance method for the authentication group.

l Any: If you do not know the peer host IDs or IP addresses of the peers
that will use this authentication group.
This setting is most often used for WAN optimization with FortiCache
units that do not have static IP addresses, such as units that use DHCP.
l Defined Only: Authenticate only with peers that have been added to the
peer list.
l Specify: Select a peer from the drop-down list to authenticate with the
selected peer only. Select Create New from the drop-down list to create a
new peer; see To create a new WAN optimization peer: on page 132.

3. Select OK to create the new authentication group.

The authentication group can now be added to WAN optimization profiles to apply the authentication settings
in the authentication group to the profile. See Managing WAN optimization profiles on page 131.

To edit an authentication group:

1. Select the group you would like to edit then select Edit from the toolbar, or double-click on the group in the
authentication group list. The Edit Authentication Group window opens.
2. Edit the group information as required and select OK to apply your changes.

To delete an authentication group or groups:

1. Select the group or groups that you would like to delete.
2. Select Delete from the toolbar.
3. Select OK in the confirmation dialog box to delete the selected group or groups.

Cache

Web cache settings can be optimized to improve performance, and specific URL patterns can be exempted from
caching and/or forwarded to a web proxy server.

Settings
In most cases, the default settings for the WAN optimization web cache are acceptable. However, you may want
to change them to improve performance or optimize the cache for your configuration.

Go to WAN Opt. & Cache > Cache > Settings to configure web cache settings.

Configure the following settings, then select Apply to apply your changes:

Always Revalidate Always re-validate requested cached objects with content on the server
before serving them to the client.

Max Cache Object Size The maximum size of objects (files) that are cached, from 1 to 4294967KB
(default = 512000KB).
Objects that are larger than this size are still delivered to the client but are
not stored in the FortiCache web cache.

Negative Response Duration The amount of time, in minutes, that the FortiCache unit caches error
responses from web servers (default = 0 minutes).
The content server might send a client error code (4xx HTTP response) or a
server error code (5xx HTTP response) as a response to some requests. If
the web cache is configured to cache these negative responses, it returns
that response in subsequent requests for that page or image for the
specified number of minutes, regardless of the actual object status.

Fresh Factor For cached objects that do not have an expiry time, the web cache
periodically checks the server to see if the objects have expired. The higher
the fresh factor, the less often the checks occur (default = 100%).
For example, if you set Max TTL and Default TTL to 7200 minutes (5 days)
and set Fresh Factor to 20, the web cache checks the cached objects 5
times before they expire, but if you set the Fresh Factor to 100, the web
cache will only check once.

Max TTL The maximum amount of time (Time to Live), in minutes, an object can
stay in the web cache without the cache checking to see if it has expired on
the server. From 1 to 5256000 minutes (one year) (default = 7200
minutes).

Min TTL The minimum amount of time an object can stay in the web cache before
the web cache checks to see if it has expired on the server. From 1 to
5256000 minutes (default = 5 minutes).

Default TTL The default expiry time for objects that do not have an expiry time set by
the web server. From 1 to 5256000 minutes (default = 1440 minutes).

Proxy FQDN This option cannot be changed from the default: default.fqdn.

Max HTTP request length This option cannot be changed from the default: 4KB.

Max HTTP message length This option cannot be changed from the default: 32KB.

Ignore

If-modified-since If the time specified by the if-modified-since (IMS) header in the client's
conditional request is greater than the last modified time of the object in
the cache, it is a strong indication that the copy in the cache is stale. If so,
HTTP does a conditional GET to the original content source, based on the
last modified time of the cached object.
Enable ignoring if-modified-since to override this behavior.

HTTP 1.1 Conditionals HTTP 1.1 provides additional controls to the client for the behavior of
caches toward stale objects. Depending on various cache-control headers,
the FortiCache unit can be forced to consult the OCS before serving the
object from the cache. For more information about the behavior of cache-
control header values, see RFC 2616.
Enable ignoring HTTP 1.1 conditionals to override this behavior.

Pragma-no-cache Typically, if a client sends an HTTP GET request with a pragma no-cache
(PNC) or cache-control no-cache header, a cache must consult the OCS
before serving the content. This means that the unit always re-fetches the
entire object from the OCS, even if the cached copy of the object is fresh.
Because of this behavior, PNC requests can degrade performance and
increase server-side bandwidth utilization.
Enable ignoring Pragma-no-cache so that the PNC header from the client
request is ignored. The FortiCache unit treats the request as if the PNC
header is not present.

IE Reload

Cache Expired Objects Enable to cache expired type-1 objects (if all other conditions make the
object cacheable).

Revalidate Pragma-no-cache The PNC header in a request can affect how efficiently the device uses
bandwidth.
If you do not want to completely ignore PNC in client requests by selecting
Ignore > Pragma-no-cache, you can lower the impact on bandwidth usage
with this option.
When selected, a client's non-conditional PNC-GET request results in a
conditional GET request sent to the OCS, if the object is already in the
cache. This gives the OCS a chance to return the 304 Not Modified
response, which consumes less server-side bandwidth as the OCS has not
been forced to return full content.
By default, Revalidate Pragma-no-cache is disabled and is not affected by
changes in the top-level profile. When the Substitute Get for PNC
configuration is enabled, the revalidate PNC configuration has no effect.
Most download managers make byte-range requests with a PNC header.
To serve such requests from the cache, you should also configure byte-range
support when you configure the Revalidate Pragma-no-cache option.
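The following Python model is an added illustration, not FortiCache code, of how the Fresh Factor setting and the Ignore / Revalidate Pragma-no-cache settings above decide what happens to one client request: serve it from the cache, send a conditional GET to the OCS, or re-fetch the full object. The decision rules follow the setting descriptions; the data structures, outcome names and the constructed sample object are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional, Tuple

# Possible outcomes for one client GET (names are assumptions).
HIT = "serve from cache"
CONDITIONAL_GET = "conditional GET to OCS"
FULL_FETCH = "full fetch from OCS"


@dataclass
class CacheSettings:
    """Subset of WAN Opt. & Cache > Cache > Settings modelled here (all off by default)."""
    always_revalidate: bool = False
    ignore_if_modified_since: bool = False
    ignore_pragma_no_cache: bool = False
    revalidate_pragma_no_cache: bool = False


@dataclass
class CachedObject:
    """What the model needs to know about an object already in the cache."""
    last_modified: datetime


def sample_object() -> CachedObject:
    """Constructed cached object with a Last-Modified of 1 Jan 2016 00:00 UTC."""
    return CachedObject(last_modified=datetime(2016, 1, 1, tzinfo=timezone.utc))


def revalidation_checks(ttl_minutes: int, fresh_factor: int) -> Tuple[int, int]:
    """For objects without an expiry time: minutes between freshness checks
    against the server, and how many checks fit inside the TTL.
    Fresh Factor 100 gives one check per TTL; 20 gives five."""
    if not 1 <= fresh_factor <= 100:
        raise ValueError("fresh factor is a percentage from 1 to 100")
    interval = max(1, ttl_minutes * fresh_factor // 100)
    return interval, ttl_minutes // interval


def _wants_no_cache(headers: dict) -> bool:
    """True when the client sent Pragma: no-cache or Cache-Control: no-cache."""
    return any("no-cache" in headers.get(h, "").lower()
               for h in ("pragma", "cache-control"))


def decide(headers: dict, cached: Optional[CachedObject], s: CacheSettings) -> str:
    """Return what the cache does with one client GET request."""
    headers = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if cached is None:
        return FULL_FETCH                    # not in the cache: it has to be fetched
    if s.always_revalidate:
        return CONDITIONAL_GET               # Always Revalidate: ask the server first
    if _wants_no_cache(headers) and not s.ignore_pragma_no_cache:
        # A PNC request normally forces a full re-fetch even if the copy is fresh.
        # Revalidate Pragma-no-cache downgrades it to a conditional GET so the OCS
        # can answer 304 Not Modified; Ignore > Pragma-no-cache drops the header.
        return CONDITIONAL_GET if s.revalidate_pragma_no_cache else FULL_FETCH
    ims = headers.get("if-modified-since")
    if ims and not s.ignore_if_modified_since:
        # IMS later than the cached copy's Last-Modified is a strong sign the copy
        # is stale, so revalidate with the OCS based on the cached object's time.
        if parsedate_to_datetime(ims) > cached.last_modified:
            return CONDITIONAL_GET
    return HIT
```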

URL match list


The URL match list is used to exempt URLs from caching and to enable forwarding specific URLs to a web proxy
server. URLs, URL patterns, and numeric IP addresses can be added to the match list.

For example, if your users access websites that are not compatible with FortiCache web caching, you can add the
URLs of these web sites to the web caching exempt list, and all traffic accepted by a web cache policy for these
websites will not be cached.

To configure a URL match list, use the following CLI command:


config web-proxy url-match
edit <name>
set url-pattern <value>
set cache-exemption [enable|disable]
next
end

Monitor

Using the web cache and WAN optimization monitors, you can confirm that the FortiCache unit is accepting and
caching traffic and view web caching and WAN optimization performance. The monitor presents collected log
information in a graphical format to show network traffic and bandwidth optimization information.

To view the WAN optimization monitor, go to WAN Opt. & Cache > Monitor > WAN Opt. Monitor. To view the
web cache monitor, go to WAN Opt. & Cache > Monitor > Cache Monitor.

Traffic Summary This section provides traffic optimization information. It displays how much
traffic has been reduced by web caching by comparing the amount of client
and server traffic.

Refresh icon Refresh the Traffic Summary.

Period Select a time period to show traffic summary for: Last 10 Minutes,
Last 1 Hour, Last 1 Day, Last 1 Week, or Last 1 Month.

Protocol Lists the protocols shown in the pie chart, including: HTTP, MAPI, CIFS,
FTP, TCP, and WEBPROXY.

Reduction Rate The reduction rate for each protocol, in percent.

LAN The number of LAN connections for that protocol.

WAN The number of WAN connections for that protocol.

Bandwidth Optimization This section shows the bandwidth optimization.
A line graph compares an application’s pre-optimized (LAN data) size with
its optimized size (WAN data).

Refresh icon Select to refresh the Bandwidth Optimization display.

Period Select a time period to show bandwidth optimization for: Last 10 Minutes,
Last 1 Hour, Last 1 Day, Last 1 Week, or Last 1 Month.

Protocol Select the protocol to show in the graph.

Chart Type Select the chart type: Column Chart or Line Chart.

Peer monitor
The Peer Monitor page under WAN Opt. & Cache > Monitor > Peer Monitor provides peer statistics including
Peer name, IP, Type, and Traffic Reduction.

WCCP

WCCP can be used to provide web caching with load balancing and fault tolerance. In a WCCP configuration, a
WCCP server receives HTTP requests from users’ web browsers and redirects the requests to one or more WCCP
clients. The clients either return cached content, or request new content from the destination web servers, before
caching it and returning it to the server. The server then returns the content to the original requestor. If a WCCP
configuration includes multiple WCCP clients, the WCCP server load balances traffic among the clients and can
detect when a client fails and fail over its sessions to clients that are still operating. WCCP is described by the
Web Cache Communication Protocol internet draft.

FortiCache units can operate as WCCP clients and support WCCPv2. FortiCache units use UDP port 2048 for
WCCP communication, with user traffic encapsulated in GRE-mode or L2-mode.

This section describes:

l WCCP service groups, numbers, IDs, and well known services
l WCCP configuration overview
l Caching HTTP sessions
l WCCP packet flow
l Configuring forward and return methods and adding authentication
l WCCP messages
l Troubleshooting WCCP

WCCP service groups, numbers, IDs, and well known services

A FortiCache unit configured as a WCCP client can include multiple client configurations. Each of these
configurations is called a WCCP service group. A service group consists of one or more FortiGate units configured
as WCCP servers (or routers) and one or more FortiCache WCCP clients working together to cache a specific type
of traffic. The service group configuration includes information about the type of traffic to be cached, the
addresses of the WCCP clients and servers, and other information about the service.

A service group is identified with a numeric WCCP service ID (or service number) in the range 0 to 255. All of the
servers and clients in the same WCCP service group must have service group configurations with the same
WCCP service ID.

The value of the service ID provides some information about the type of traffic to be cached by the service group.
Service IDs in the range 0 to 50 are reserved for well known services. A well known service is any service that is
defined by the WCCP standard as being well known. Since the service is well known, just the service ID is
required to identify the traffic to be cached.

Even though the well known service ID range is 0 to 50, at this time only one well known service has been
defined. Its service ID is 0, which is used for caching HTTP (web) traffic.

To configure WCCP to cache HTTP sessions you can add a service group to the FortiGate WCCP router and
FortiCache WCCP clients with a service ID of 0. No other information about the type of traffic to cache needs to
be added to the service group.

Since service IDs 1 to 50 are reserved for well known services and since these services are not defined yet, you
should not add service groups with IDs in the range 1 to 50.

FortiCache allows you to add service groups with IDs between 1 and 50. However,
since these service groups have not been assigned well known services, they will not
cache any sessions. Service groups with IDs 51 to 255 allow you to set the port
numbers and protocol number of the traffic to be cached. So you can use service
groups with IDs 51 to 255 to cache different kinds of traffic based on port numbers and
protocol number of the traffic. Service groups 1 to 50 however, do not allow you to set
port or protocol numbers, so they cannot be used to cache any traffic.

To cache traffic other than HTTP traffic you must add service groups with IDs in the range 51 to 255. These
service group configurations must include the port numbers and protocol number of the traffic to be cached. It is
the port and protocol number configuration in the service group that determines what traffic will be cached by
WCCP.

WCCP configuration overview

To configure WCCP you must create a service group that includes FortiGate units configured as WCCP servers
and FortiCache units configured as WCCP clients. WCCP servers intercept sessions to be cached (for example,
sessions from users browsing the web from a private network). To intercept sessions to be cached, the WCCP
server must include a firewall policy that accepts sessions to be cached and WCCP must be enabled in this
firewall policy.

The server must have an interface configured for WCCP communication with WCCP clients. That interface sends
and receives encapsulated GRE or L2 traffic to and from WCCP clients. The server must also include a WCCP
service group that includes a service ID and the addresses of the WCCP clients, as well as other WCCP
configuration options.

To use a FortiCache unit as a WCCP client, you must configure an interface on the unit for WCCP
communication. The client sends and receives the encapsulated traffic to and from the WCCP server using this
interface.

The client must also include a WCCP service group with a service ID that matches a service ID on the server. The
client service group also includes the IP address of the servers in the service group, and specifies the port
numbers and protocol number of the sessions that will be cached on the FortiCache unit.

When the client receives sessions from the server on its WCCP interface, it either returns cached content over the
WCCP interface or connects to the destination web servers using the appropriate interface, based on the client
routing configuration. Content received from web servers is then cached by the client and returned to the WCCP
server over the WCCP link. The server then returns the received content to the initial requesting user’s web
browser.

Finally, you may also need to configure routing on the FortiGate server unit and FortiCache client units, and
additional firewall policies may have to be added to the server to accept sessions not cached by WCCP.

Caching HTTP sessions

In this configuration, a FortiGate unit is operating as an Internet firewall for a private network and is also
configured as a WCCP server. The port39 interface of the FortiGate unit is connected to the Internet, and the
port38 interface is connected to the internal network.

All HTTP traffic on port 80 that is received at the port38 interface of the FortiGate unit is accepted by a port39 to
port38 firewall policy with WCCP enabled. All other traffic received at the port2 interface is allowed to connect to
the Internet by adding a general port38 to port39 firewall policy below the HTTP on port 80 firewall policy.

A WCCP service group is added to the FortiGate unit with a service ID of 0 for caching HTTP traffic on port 80.
The port1 interface of the FortiGate unit is configured for WCCP communication.

A FortiCache unit connects to the internet through the FortiGate unit. To allow for this, a port1 to port39 firewall
policy is added to the FortiGate unit.

FortiGate WCCP server and FortiCache WCCP client configuration

Note that the WCCP server and client can operate in L2-mode. The WCCP client firewall policy must specify
which ingress interface is receiving the L2-forwarded traffic. This is different from GRE-mode which uses the
w.root interface.

To enable L2-mode on the FortiCache (WCCP client):

config system wccp
edit <Service-ID>
set cache-engine-method L2
next
end

To enable L2-mode on the FortiGate (WCCP server):

config system wccp
edit <Service-ID>
set forward-method L2
set return-method L2
next
end

Configure a WCCP server


Use the following steps to configure the FortiGate unit as the WCCP server for the example network. The
example steps only describe the WCCP-related configuration.

To configure the FortiGate unit as a WCCP server:

1. Add a port38 to port39 firewall policy that accepts HTTP traffic on port 80 and is configured for WCCP:
config firewall policy
edit 0
set srcintf port38
set dstintf port39
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service HTTP
set wccp enable
set nat enable
end

2. Add another port38 to port39 firewall policy to allow all other traffic to connect to the Internet:
config firewall policy
edit 0
set srcintf port38
set dstintf port39
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service ANY
set nat enable
end

3. Move this policy below the WCCP policy in the port38 to port39 policy list.
4. Enable WCCP on the port1 interface:
config system interface
edit port1
set vdom "root"
set ip 192.168.1.1 255.255.255.0
set allowaccess ping https ssh snmp http telnet
set type physical
set wccp enable
end

5. Add a WCCP service group with service ID 0:
config system wccp
edit 0
set router-id 192.168.1.1
set server-list 192.168.1.0 255.255.255.0
end

6. Add a firewall policy to allow the WCCP clients to connect to the internet:
config firewall policy
edit 3
set srcintf port1
set dstintf port39
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service ANY
set nat enable
end

Configure a WCCP client


Use the following steps to configure the FortiCache unit as the WCCP client for the example network. The
example steps only describe the WCCP-related configuration.

To configure the FortiCache unit as a WCCP client:

1. Configure the FortiCache unit to operate as a WCCP client:
config system settings
set wccp-cache-engine enable
end

You cannot enter the wccp-cache-engine enable command if you have already
added a WCCP service group. When you enter this command an interface named
w.root is added to the FortiCache configuration. All traffic redirected from a WCCP
router is considered to be received at this interface of the FortiCache unit operating as
a WCCP client. A default route to this interface with lowest priority is added.

2. Enable WCCP on the aggregate interface aggr1:
config system interface
edit aggr1
set ip 192.168.1.2 255.255.255.0
set allowaccess ping https ssh snmp http telnet
set type aggregate
set explicit-web-proxy enable
set member port1 port4
set wccp enable
end

3. Add a WCCP service group with service ID 0:
config system wccp
edit 0
set cache-id 192.168.1.2
set router-list 192.168.1.1
end

4. Add a w.root to aggr1 firewall policy that accepts HTTP traffic on port 80 and is configured for WCCP:
config firewall policy
edit 1
set srcintf w.root
set dstintf aggr1
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service HTTP
set nat enable
set webcache enable
set transparent disable
end

Note that if the FortiCache is operating in L2-mode, the firewall policy must specify the ingress interface
where L2-forwarded traffic is being received, as shown below:
config firewall policy
edit 1
set srcintf <port x>
set dstintf <port y>
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service HTTP
set nat enable
set webcache enable
set transparent disable
end

Verify the WCCP status

After setting up the FortiGate and FortiCache units as WCCP server and clients, you should verify that they are
configured correctly.

Verify the WCCP status on the server

Enter the following CLI commands:
diagnose test application wccp 1
vdoms=1
pkts=0

diagnose test application wccp 2
vdom-root: work mode:router wokring NAT first_ohy_id=39
interface list:
intf=port1, gid=5 phy_ide=5
intf=port35, gid=39 phy_id=39
service list:
service: 0, router_id=192.168.1.1, group=0.0.0.0, auth(no) access
access:192.168.1.0/255.255.255.0) forward=1
return=1, assign=1.
erouter_id=192.168.1.1

diagnose test application wccp 3
service-0 in vdom-root: num=1, usable=1
cache server ID:
len=44, addr=192.168.1.2, weight=0, status=0
rcv_id=23560, usable=1, fm=1, nq=0, dev=5(k5), to=192.168.1.1
ch_no=0, num_router=1:
192.168.1.1

diagnose test application wccp 4
service-0 in vdom-root:
total_servers=1, usable_servers=1, assign_m=1, rtun_m=1, wcid_len=48, rcv_id=23560, ch_
no=2
ID=0, type=0, pri=0, pro=0 f=00000000
Port: num-routers=1:
192.168.1.1

diagnose test application wccp 5
service-0 in vdom-root: installed
key: ip=192.168.1.2, change-number=2
cache_list: 1
0. 192.168.1.2
primary assignment:
key=192.168.1.2 change-number=2
num_routers=1
router element[0]: router_id=192.168.1.1, receive_id=4, ch_no=2
cache-server-num=1, format=not standard:
192.168.1.2
buckets:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Verify the WCCP status on the FortiCache

diagnose test application wccp 2
vdom-root: work mode:cache working NAT first_phy_id=8
interface list:
intf=aggr1, gid=8 phy_id=8
service list:
service: 0, cache_id=192.168.1.2, group=0.0.0.0, auth(no)
forward=1, return=1, assign=1.
router list:
192.168.1.1
port list:
ecache_id=192.168.1.2

diagnose test application wccp 6
service-0 in vdom-root
erouter_list: 1 routers in total
0. 192.168.1.1
receive_id:23573 change_number:2
cache servers seen by this router:
0. 192.168.1.2 weight:0 (*Designated Web Cache)

WCCP packet flow

The following packet flow sequence assumes you have configured a FortiGate unit to be a WCCP server and one
or more FortiCache units to be WCCP clients.

1. A user’s web browser sends a request for web content.
2. The FortiGate unit configured as a WCCP server includes a firewall policy that intercepts the request and forwards
it to a FortiCache WCCP client.
3. The firewall policy can apply UTM features to traffic accepted by the policy.
4. The FortiCache WCCP client receives the WCCP session.
5. The client either returns requested content to the WCCP server if it is already cached, or connects to the
destination web server, receives and caches the content, and then returns it to the WCCP server.
6. The WCCP server returns the requested content to the user’s web browser.
7. The WCCP router returns the request to the client web browser.
The client web browser is not aware that all this is taking place and does not have to be configured to use a
web proxy.

Configuring forward and return methods and adding authentication

The WCCP forwarding method determines how intercepted traffic is transmitted from the WCCP router to the
WCCP cache engine. FortiCache units use GRE forwarding.

GRE forwarding encapsulates the intercepted packet in an IP GRE header with a source IP address of the WCCP
router and a destination IP address of the target WCCP cache engine. The result is a tunnel that allows the
WCCP router to be multiple hops away from the WCCP cache server.

By default the WCCP communication between the router and cache servers is unencrypted. If you are concerned
about attackers sniffing the information in the WCCP stream you can use the following command to enable hash-
based authentication of the WCCP traffic. You must enable authentication on the router and the cache engines
and all must have the same password.
config system wccp
edit 1
set authentication enable
set password <password>
end

WCCP messages

When the WCCP service is active on a web cache server it periodically sends a WCCP HERE I AM broadcast or
unicast message to the FortiGate unit operating as a WCCP router. This message contains the following
information:

• Web cache identity (the IP address of the web cache server).
• Service info (the service group to join).

If the information received in the previous message matches what is expected, the FortiGate unit replies with a
WCCP I SEE YOU message that contains the following details:

• Router identity (the FortiGate unit’s IP address).
• Sent to IP (the web cache IP addresses to which the packets are addressed).

When both ends receive these two messages the connection is established, the service group is formed and the
designated web cache is elected.

Troubleshooting WCCP

Two types of debug commands are available for debugging or troubleshooting a WCCP connection between a
FortiCache unit operating as a WCCP router and its FortiCache WCCP cache engines.

Real time debugging

The following commands can capture live WCCP messages:
diag debug en
diag debug application wccpd <debug level>

Application debugging

The following commands display information about WCCP operations:
get test wccpd <integer>
diag test application wccpd <integer>

Where <integer> is a value between 1 and 5:

1. Display WCCP stats
2. Display WCCP config
3. Display WCCP cache servers
4. Display WCCP services
5. Display WCCP assignment

Enter the following command to view debugging output:
diag test application wccpd 3

Sample output from a successful WCCP connection:

service-0 in vdom-root: num=1, usable=1
cache server ID:
len=44, addr=172.16.78.8, weight=4135, status=0
rcv_id=6547, usable=1, fm=1, nq=0, dev=3(k3),
to=192.168.11.55
ch_no=0, num_router=1:
192.168.11.55

Sample output from the same command from an unsuccessful WCCP connection (because of a service group
password mismatch):

service-0 in vdom-root: num=0, usable=0

The real time debugging command shows why the connection failed:

diag debug application wccpd -1

Sample output:

wccp_on_recv()-98: vdom-root recv: num=160, dev=3(3),
172.16.78.8->192.168.11.55
wccp2_receive_pkt()-1124: len=160, type=10, ver=0200,
length=152
wccp2_receive_pkt()-1150: found component:t=0, len=20
wccp2_receive_pkt()-1150: found component:t=1, len=24
wccp2_receive_pkt()-1150: found component:t=3, len=44
wccp2_receive_pkt()-1150: found component:t=5, len=20
wccp2_receive_pkt()-1150: found component:t=8, len=24
wccp2_check_security_info()-326: MD5 check failed
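To make the shared-password authentication configured earlier (set authentication enable / set password) and the MD5 check failed line above concrete, the following is an added Python example, not Fortinet code: it builds a WCCP HERE I AM message with the same five components and sizes as the debug output (type 10, version 0200, length 152), fills in the Security Info digest with a shared password, and verifies it the way the router side does. The digest rule (MD5 over the password zero-padded to 8 bytes, followed by the whole message with its digest field zeroed) is the draft WCCP v2 construction as implemented in Squid and is an assumption about FortiCache, and the addresses, receive ID and password are constructed values.

```python
import hashlib
import hmac
import struct

# WCCP v2 codes (draft-wilson-wrec-wccp-v2): type=10 and t=0,1,3,5,8 as in the debug output above.
WCCP2_HERE_I_AM, MD5_SECURITY, PASSWORD_LEN = 10, 1, 8
SECURITY, SERVICE, WC_ID, WC_VIEW, CAPABILITY = 0, 1, 3, 5, 8

def component(ctype, body):  # 16-bit type, 16-bit body length, then the body
    return struct.pack("!HH", ctype, len(body)) + body

def build_message(msg_type, components):  # 32-bit type, version 0x0200, body length
    body = b"".join(components)
    return struct.pack("!IHH", msg_type, 0x0200, len(body)) + body

def parse(message):
    """Return (type, version, [(ctype, clen, body_offset)...]), i.e. what the
    'found component:t=.., len=..' debug lines report for a received packet."""
    msg_type, version, length = struct.unpack("!IHH", message[:8])
    if len(message) != 8 + length:
        raise ValueError("header length does not match packet size")
    comps, off = [], 8
    while off < len(message):
        ctype, clen = struct.unpack("!HH", message[off:off + 4])
        comps.append((ctype, clen, off + 4))
        off += 4 + clen
    return msg_type, version, comps

def digest_offset(message):  # offset of the 16-byte digest in the Security Info component
    for ctype, clen, body in parse(message)[2]:
        if ctype == SECURITY and clen == 20:  # 4-byte security option + 16-byte MD5 digest
            return body + 4
    raise ValueError("no MD5 Security Info component")

def wccp_md5(password, message, off):
    """Assumed digest rule (draft spec, as implemented by Squid): MD5 over the password
    zero-padded/truncated to 8 bytes, followed by the whole message with its digest zeroed."""
    pwd = password.encode()[:PASSWORD_LEN].ljust(PASSWORD_LEN, b"\x00")
    return hashlib.md5(pwd + message[:off] + bytes(16) + message[off + 16:]).digest()

def sign(message, password):  # cache-engine side: fill in the digest before sending
    off = digest_offset(message)
    return message[:off] + wccp_md5(password, message, off) + message[off + 16:]

def check_security(message, password):
    """Router side: True when the digest matches; False is the 'MD5 check failed' case."""
    off = digest_offset(message)
    return hmac.compare_digest(message[off:off + 16], wccp_md5(password, message, off))

def sample_here_i_am():
    """Constructed HERE_I_AM from cache 192.168.1.2 to router 192.168.1.1 (service group 0)
    with the same five components and sizes as the debug output above (8 + 152 = 160 bytes)."""
    return build_message(WCCP2_HERE_I_AM, [
        component(SECURITY, struct.pack("!I", MD5_SECURITY) + bytes(16)),
        component(SERVICE, struct.pack("!4BI", 0, 0, 0, 0, 0) + bytes(16)),  # type,id,prio,proto,flags,8 ports
        component(WC_ID, bytes([192, 168, 1, 2]) + bytes(40)),  # address, hash info, weight, status
        component(WC_VIEW, struct.pack("!II4sII", 2, 1, bytes([192, 168, 1, 1]), 23573, 0)),
        component(CAPABILITY, b"".join(struct.pack("!HHI", t, 4, 1) for t in (1, 2, 3))),
    ])
```

The digest authenticates the message against the shared password but does not hide its contents, so it stops a mismatched or forged HERE I AM from joining the service group rather than preventing the stream from being read.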

Logging

The Log menu provides an interface for viewing and downloading traffic, event, and security logs. Logging,
archiving, and user interface settings can also be configured, see Log settings on page 152.

The log messages are a record of all of the traffic that passes through the FortiCache device, and the actions
taken by the device while scanning said traffic.

After a log message is recorded, it is stored in a log file. The log files can be stored on the FortiCache device
itself, on a connected FortiManager or FortiAnalyzer device, or on a FortiCloud server (you must have a
FortiCloud subscription before you can configure the FortiCache device to send logs to a FortiCloud server). The
FortiCache device’s system memory or local disk can be configured to store logs.

The following logs are available:

Traffic Log          Traffic logs are a record of all of the traffic that passes the FortiCache unit.

  Forward Traffic    Forward traffic logs include log messages for traffic that passes through the
                     FortiCache device. It includes both traffic and security log messages, so
                     that messages about security events can be viewed alongside messages
                     about the traffic at the time of the event.

  HTTP Transaction   HTTP transaction related logs.

  Local Traffic      Local traffic logs include messages for traffic that terminates at the
                     FortiCache unit allowed or denied by a local policy.

Event Log            Event logs record management and activity events within the FortiCache
                     device, divided into four areas: System, Router, User, and WAN Opt. &
                     Cache.

  System             System related logs.

  Router             Router related logs.

  User               User related logs.

  HA                 HA related logs.

  WAN Opt. & Cache   WAN optimization and cache related logs.

Security Log         The Security Log records attacks that are detected and prevented by the
                     FortiGate unit.

  AntiVirus          Antivirus logs are recorded when, during the antivirus scanning process, the
                     FortiGate unit finds a match within the antivirus profile, which includes the
                     presence of a virus or grayware signature.

  Web Filter         Web filter logs record HTTP log rating errors, including web content
                     blocking actions that the FortiCache device performs.

  Data Leak          Data Leak Prevention logs, or DLP logs, provide valuable information about
  Prevention         the sensitive data trying to get through to your network as well as any
                     unwanted data trying to get into your network.

                     Can log the following traffic types:
                     • email (SMTP, POP3 or IMAP; if SSL content SMTPS, POP3S, and IMAPS)
                     • HTTP
                     • HTTPS
                     • FTP
                     • NNTP
                     • IM

Log messages can be viewed from the Log menu in the FortiCache GUI.

Refresh            Select Refresh to refresh the log list.

Download Raw Log   Select Download Raw Log to download the raw log file to your local
                   computer. The log file can be viewed in any text editor.

Log Location       The location where the displayed logs are stored.

Log list           The log messages.

                   The visible columns can be customized by right-clicking on a column
                   header and selecting which columns are displayed. The available columns
                   vary depending on the type of logs being viewed.

                   The displayed logs can be filtered by either right-clicking on a cell in the
                   table and selecting Set as Filter, or by selecting the filter icon in the column
                   heading and entering the requisite filter information, depending on the
                   specific column.

Page navigation    Navigate to different pages of the log list. The total number of log
                   messages is also shown.

Log Details        Details about the selected log message. The information displayed will
                   vary depending on the type of log message selected.

Archive            View archived versions of the selected log message.

                   This option is only available for traffic logs.


Log settings

The type and frequency of log messages you intend to save determines the type of log storage to use. For
example, if you want to log traffic and content logs, you need to configure the unit to log to a syslog server. The
FortiCache system disk is unable to log traffic and content logs because of their frequency and large file size.

Storing log messages to one or more locations, such as a syslog server, may be a better solution for your logging
requirements than the FortiCache system disk.

This topic contains information about logging to FortiAnalyzer or FortiManager units, a syslog server, and to disk.

To configure log settings, go to Log > Log Config > Log Settings.

Configure the following settings:

Memory                     Select to store logs in the unit’s memory.

Disk                       Select to store logs on the unit’s disk.

Send Logs to               Select to send logs to a FortiAnalyzer or a FortiCache Manager unit.
FortiAnalyzer/FortiCache
Manager                    HTTP Transaction logs will also be sent to FortiAnalyzer in order to
                           generate additional detail in reports.

  IP Address               The IP address of the FortiAnalyzer or FortiCache Manager unit.
                           Select Test Connectivity to test the connectivity with the device.

Send Logs to FortiCloud    This option is not available.

Send Logs to Syslog        Select to send logs to a Syslog server.

  Server                   The IP address of the Syslog server.

Event Logging              Select to enable event logging, then select the events to log: Enable
                           All, Endpoint event, System activity event, Explicit web proxy event,
                           User activity event, Router activity event, and HA event.

GUI Preferences            Configure GUI preferences.

  Display Logs From        Select where logs are displayed from: Memory, Disk, or FortiAnalyzer.

  Resolve Hostnames        Select to resolve hostnames using reverse DNS lookup.

  Resolve Unknown          Select to resolve unknown applications using the remote application
  Applications             database.

Local logging and archiving


The FortiCache system can store log messages on disk. It can store traffic and content logs on the system disk
or disks. When the log disk is full, logging to disk can either be suspended, or the oldest logs can be overwritten.

Remote logging to a syslog server


A syslog server is a remote computer running syslog software and is an industry standard for logging. Syslog is
used to capture log information provided by network devices. The syslog server is both a convenient and flexible
logging device, since any computer system, such as Linux, Unix, and Intel-based Windows can run syslog
software.

When configuring logging to a syslog server, you need to configure the facility and the log file format, which is
either normal or Comma Separated Values (CSV). The CSV format separates fields with commas whereas the normal
format separates them with spaces. Logs saved in the CSV file format can be viewed in a spreadsheet application,
while logs saved in normal format are viewed in a text editor because they are saved as plain text files.

Configuring a facility easily identifies the device that recorded the log file. You can choose from many different
facility identifiers, such as daemon or local7.

If you are configuring multiple Syslog servers, configuration is available only in the CLI. You can also enable the
reliable delivery option for Syslog log messages in the CLI.

From the CLI, you can enable reliable delivery of syslog messages using the reliable option of the config
log {syslog | syslog2 | syslog3} settings command. The FortiCache unit implements the RAW
profile of RFC 3195 for reliable delivery of log messages. Reliable syslog protects log information through
authentication and data encryption and ensures that the log messages are reliably delivered in the correct order.
This feature is disabled by default.

If more than one syslog server is configured, the syslog servers and their settings
appear on the Log Settings page. You can configure multiple syslog servers in the CLI
using the config log {syslog | syslog2 | syslog3} settings CLI
command.

You can specify the source IP address of self-originated traffic when configuring a
Syslog server; however, this is available only in the CLI.

Appendix A - Perl Regular Expressions

The following table lists and describes some examples of Perl regular expressions.

Expression     Matches

abc            “abc” (the exact character sequence, but anywhere in the string).

^abc           “abc” at the beginning of the string.

abc$           “abc” at the end of the string.

a|b            Either “a” or “b”.

^abc|abc$      The string “abc” at the beginning or at the end of the string.

ab{2,4}c       “a” followed by two, three or four “b”s followed by a “c”.

ab{2,}c        “a” followed by at least two “b”s followed by a “c”.

ab*c           “a” followed by any number (zero or more) of “b”s followed by a “c”.

ab+c           “a” followed by one or more “b”s followed by a “c”.

ab?c           “a” followed by an optional “b” followed by a “c”; that is, either “abc” or “ac”.

a.c            “a” followed by any single character (not newline) followed by a “c”.

a\.c           “a.c” exactly.

[abc]          Any one of “a”, “b” and “c”.

[Aa]bc         Either of “Abc” and “abc”.

[abc]+         Any (nonempty) string of “a”s, “b”s and “c”s (such as “a”, “abba”, “acbabcacaa”).

[^abc]+        Any (nonempty) string which does not contain any of “a”, “b”, and “c” (such as “defg”).

\d\d           Any two decimal digits, such as 42; same as \d{2}.

/i             Makes the pattern case insensitive. For example, /bad language/i blocks any instance of
               “bad language” regardless of case.

\w+            A “word”: a nonempty sequence of alphanumeric characters and low lines (underscores),
               such as “foo”, “12bar8” and “foo_1”.

100\s*mk       The strings “100” and “mk” optionally separated by any amount of white space (spaces,
               tabs, newlines).

abc\b          “abc” when followed by a word boundary (for example, in “abc!” but not in “abcd”).

perl\B         “perl” when not followed by a word boundary (for example, in “perlert” but not in “perl stuff”).

\x             Tells the regular expression parser to ignore white space that is neither preceded by a
               backslash character nor within a character class. Use this to break up a regular expression
               into slightly more readable parts.

/x             Used to add regular expressions within other text. If the first character in a pattern is a
               forward slash '/', the '/' is treated as the delimiter. The pattern must contain a second '/'.
               The pattern between the '/' will be taken as a regular expression, and anything after the
               second '/' will be parsed as a list of regular expression options ('i', 'x', etc). An error
               occurs if the second '/' is missing. In regular expressions, the leading and trailing space is
               treated as part of the regular expression.

Block common spam phrases

Block common phrases found in spam messages with the following expressions:
/try it for free/i
/student loans/i
/you’re already approved/i
/special[\+\-\*=<>\.\,;!\?%&~#§@\^°\$£€\{\}()\[\]\|\\_1]offer/i

Block purposely misspelled words

Random characters are often inserted between the letters of a word to bypass spam blocking software. The
following expressions can help to block those messages:
/^.*v.*i.*a.*g.*r.*o.*$/i
/cr[eéèêë][\+\-\*=<>\.\,;!\?%&§@\^°\$£€\{\}()\[\]\|\\_01]dit/i

Block any word in a phrase

Use the following expression to block any word in a phrase:
/block|any|word/
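The delimiter and option rules from the /x row, applied to the block-list expressions above, as an added Python example that is not from the guide: compile_pattern() parses a /pattern/options string the way the table describes (error when the second '/' is missing, leading and trailing spaces kept as part of the expression when there is no delimiter) and matching_patterns() runs the appendix's own spam expressions over a line. Python's re module stands in for the Perl engine here, and the sample lines in the test are constructed.

```python
import re

FLAG_MAP = {"i": re.IGNORECASE, "x": re.VERBOSE}  # the options the appendix mentions

# The appendix's own block-list expressions, kept verbatim in the /pattern/options form.
SPAM_PATTERNS = [
    "/try it for free/i",
    "/student loans/i",
    "/you’re already approved/i",
    r"/special[\+\-\*=<>\.\,;!\?%&~#§@\^°\$£€\{\}()\[\]\|\\_1]offer/i",
    r"/^.*v.*i.*a.*g.*r.*o.*$/i",
    r"/cr[eéèêë][\+\-\*=<>\.\,;!\?%&§@\^°\$£€\{\}()\[\]\|\\_01]dit/i",
    "/block|any|word/",
]


def compile_pattern(text):
    """Apply the delimiter rules from the /x row: a leading '/' makes '/' the
    delimiter, the text up to the second '/' is the expression and everything
    after it is a list of options; a missing second '/' is an error. Without a
    leading '/' the whole text, leading/trailing spaces included, is the expression."""
    if not text.startswith("/"):
        return re.compile(text)
    end = text.find("/", 1)
    if end < 0:
        raise ValueError("second '/' delimiter is missing in %r" % text)
    flags = 0
    for opt in text[end + 1:]:
        if opt not in FLAG_MAP:
            raise ValueError("unknown option %r in %r" % (opt, text))
        flags |= FLAG_MAP[opt]
    return re.compile(text[1:end], flags)


def matching_patterns(line, patterns=SPAM_PATTERNS):
    """Return the patterns that match one line, as a content filter would evaluate them."""
    return [p for p in patterns if compile_pattern(p).search(line)]
```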

Copyright© 2016 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and
actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written
contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,
transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
