VERSION 4.0.0
FORTINET DOCUMENT LIBRARY
http://docs.fortinet.com
FORTINET VIDEO GUIDE
http://video.fortinet.com
FORTINET BLOG
https://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com
http://cookbook.fortinet.com/how-to-work-with-fortinet-support/
FORTIGATE COOKBOOK
http://cookbook.fortinet.com
FORTINET TRAINING SERVICES
http://www.fortinet.com/training
FORTIGUARD CENTER
http://www.fortiguard.com
http://www.fortinet.com/doc/legal/EULA.pdf
FEEDBACK
Email: techdocs@fortinet.com
4/1/2016
21-400-234452-20160226
TABLE OF CONTENTS
Change Log 7
Introduction 8
About this document 8
Concepts 9
Web caching topologies 9
WCCP topologies 11
Content Analysis Service 11
System Administration 12
Working with system dashboards 12
Managing dashboards 13
System information widget 14
License information widget 18
Unit operation widget 18
System resources widget 19
Alert message console widget 20
CLI console widget 21
Features widget 22
Interface history widget 22
Network settings 23
Interfaces 23
DNS settings 27
Routing table 28
Configuration 29
High availability 29
SNMP settings 31
Replacement Messages 38
FortiGuard settings 44
Disk settings 46
Features 47
Messaging servers 48
Administration settings 49
Administrators 49
Administrative profiles 52
Settings 54
Certificates 56
Local certificates 56
Remote certificates 60
CA certificates 60
Maintenance 60
Firmware maintenance 60
Disk maintenance 61
Routing 63
Policy 65
Policy 65
Managing the policy list 67
How list order affects policy matching 67
Configuring policies 67
Web cache policy address formats 73
Proxy options 74
SSL inspection 75
Firewall Objects 76
Address 76
Addresses 76
Address groups 78
Service 79
Services 79
Services groups 81
Schedule 82
Schedule 82
Schedule groups 84
Web proxy 84
Explicit web proxies 84
Forwarding servers 86
Global explicit proxies 88
Proxy auto-config configuration 89
Web proxy auto-discovery protocol 89
Security Profiles 91
Antivirus 91
Web Filter 92
Profile list 96
Managing web filter profiles 96
Web site filters 97
Data Leak Prevention 98
DLP sensors 98
File filter 102
ICAP 104
Profile 104
Server 106
Content Analysis 107
Profile 107
User Authentication 109
User 109
User definition 109
User group 112
Authentication 115
Single sign-on 115
LDAP server 118
RADIUS server 120
TACACS+ server 122
Settings 124
Monitor 125
Firewall 125
User Quarantine 126
WAN Optimization and Web Caching 128
WAN optimization profiles 128
Profile list 130
Managing WAN optimization profiles 131
WAN optimization peers 131
Peers 131
Authentication groups 132
Cache 134
Settings 135
URL match list 137
Monitor 137
Peer monitor 139
WCCP 140
WCCP service groups, numbers, IDs, and well known services 140
WCCP configuration overview 141
Caching HTTP sessions 142
Configure a WCCP server 143
Configure a WCCP client 144
Verify the WCCP status 145
WCCP packet flow 147
Configuring forward and return methods and adding authentication 147
WCCP messages 147
Troubleshooting WCCP 148
Real time debugging 148
Application debugging 148
Logging 150
Log settings 152
Local logging and archiving 153
Remote logging to a syslog server 153
Appendix A - Perl Regular Expressions 155
Block common spam phrases 156
Block purposely misspelled words 156
Block any word in a phrase 156
Change Log
Administration Guide 7
Fortinet Technologies Inc.
Introduction
FortiCache high performance web caching appliances address bandwidth saturation, high latency, and poor
performance by caching popular internet content locally for carriers, service providers, enterprises, and
educational networks. FortiCache appliances reduce the cost and impact of cached content on the network while
increasing performance and the end-user experience by improving the speed of delivery of popular repeated
content.
About this document
This document contains the following sections:
- Introduction
- Concepts
- System Administration
- Routing
- Policy
- Firewall Objects
- Security Profiles
- User Authentication
- WAN Optimization and Web Caching
- WCCP
- Logging
Concepts
FortiCache web caching is a form of object caching that accelerates web applications and web servers by
reducing bandwidth usage, server load, and perceived latency.
Web caching involves storing HTML pages, images, videos, servlet responses, and other web-based objects for
later retrieval. These objects are stored in the web cache storage location defined by the config wanopt
storage command. You can also go to System > Config > Disk to view the storage locations on the
FortiCache unit hard disks.
There are three significant advantages to using web caching to improve HTTP performance:
- reduced bandwidth consumption because fewer requests and responses go over the WAN or Internet
- reduced web server load because there are fewer requests for web servers to handle
- reduced latency because responses for cached requests are available from a local FortiCache unit instead of from
across the WAN or Internet.
When enabled in a web caching policy, the FortiCache unit caches HTTP traffic processed by that policy. A web
caching policy specifies the source and destination addresses and destination ports of the traffic to be cached.
Web caching caches compressed and non-compressed versions of the same file separately. If the HTTP protocol
considers the compressed and uncompressed versions of a file the same object, only the compressed or
uncompressed file will be cached.
You can also configure a FortiCache unit to operate as a Web Cache Communication Protocol (WCCP) client.
WCCP provides the ability to offload web caching to one or more redundant web caching servers.
Web caching topologies
FortiCache web caching involves one or more FortiCache units installed between users and web servers. The
FortiCache unit can operate in both Network Address Translator (NAT) and transparent modes. The FortiCache
unit intercepts web page requests accepted by web cache policies, requests web pages from the web servers,
caches the web page contents, and returns the web page contents to the users. When the FortiCache unit
intercepts subsequent requests for cached web pages, the FortiGate unit contacts the destination web server just
to check for changes.
Most commonly the topology uses a router to route HTTP and HTTPS traffic to be cached to one or more
FortiCache units. Traffic that should not be cached bypasses the FortiCache units. This is a scalable topology
that allows you to add more FortiCache units if usage increases.
You can also configure reverse proxy web-caching. In this configuration, users on the Internet browse to a web
server installed behind a FortiCache unit. The FortiCache unit intercepts the web traffic (HTTP and HTTPS) and
caches pages from the web server. Reverse proxy web caching on the FortiGate unit reduces the number of
requests that the web server must handle, leaving it free to process new requests that it has not serviced before.
Since all traffic is to be cached the FortiCache unit can be installed in Transparent mode directly between the web
server and the Internet.
The reverse proxy configuration can also include a router to route web traffic to a group of FortiCache units
operating in Transparent Mode. This is also a scalable solution for reverse proxy web caching.
Figure: Reverse proxy web caching topology with web traffic routed to FortiCache unit
When web objects and video are cached on the FortiCache hard disk, the FortiCache unit returns the cached
object from cache storage to the client. The clients do not connect directly to the server.
When web objects and video are not available on the FortiCache hard disk, the FortiCache unit forwards the
request to the original server. If the HTTP response indicates that it is a cacheable object, the object is written to
cache storage and the HTTP request is served from cache storage. Any other HTTP request for the same object will be
served from cache storage as well.
The FortiCache unit forwards HTTP responses that cannot be cached from the server back to the client that
originated the HTTP request.
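The admission decision described above (store only what the HTTP response marks as cacheable, and keep compressed and uncompressed copies of one URL apart) as an added example; this is illustrative code, not FortiCache's implementation, and it follows the usual RFC 7234 shared-cache rules since the page does not document FortiCache's exact policy:

```python
"""Cache admission and cache-key logic for a forward web cache (added example, not FortiCache code).

A response is stored only when its headers say it is cacheable, and compressed
and uncompressed copies of the same URL are stored under different keys. The
rules follow RFC 7234 for a shared cache; FortiCache's exact policy is not
documented on this page.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Status codes a cache may store by default (RFC 7231 section 6.1).
CACHEABLE_STATUS = {200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501}


def parse_cache_control(value):
    """Parse 'public, max-age=3600' into {'public': None, 'max-age': '3600'}."""
    directives = {}
    for token in value.split(","):
        token = token.strip().lower()
        if token:
            name, _, arg = token.partition("=")
            directives[name.strip()] = arg.strip().strip('"') or None
    return directives


def freshness_lifetime(headers, now):
    """Seconds the object may be served without revalidation; None if it must not be stored."""
    cc = parse_cache_control(headers.get("cache-control", ""))
    if "no-store" in cc or "private" in cc:
        return None                      # a shared cache must not keep these
    for directive in ("s-maxage", "max-age"):   # s-maxage wins for shared caches
        if cc.get(directive) and cc[directive].isdigit():
            return 0 if "no-cache" in cc else int(cc[directive])
    if "no-cache" in cc:
        return 0                         # storable, but revalidate on every hit
    if "expires" in headers:
        try:
            expires = parsedate_to_datetime(headers["expires"])
        except (TypeError, ValueError):
            return 0                     # malformed Expires counts as already stale
        if expires.tzinfo is None:       # "-0000" style dates come back naive
            expires = expires.replace(tzinfo=timezone.utc)
        return max(0, int((expires - now).total_seconds()))
    return None                          # no explicit freshness: do not cache here


def cache_key(method, url, headers):
    """Key by URL and Content-Encoding so a gzip body and an identity body never collide."""
    encoding = headers.get("content-encoding", "identity").strip().lower() or "identity"
    return (method.upper(), url, encoding)


def admit(method, url, status, headers, now=None):
    """Return (cache_key, lifetime_seconds) if the response may be stored, else None.

    `now` may be a timezone-aware datetime, an ISO 8601 string, or None (current time).
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    now = now or datetime.now(timezone.utc)
    hdrs = {k.lower(): v for k, v in headers.items()}
    if method.upper() != "GET" or status not in CACHEABLE_STATUS:
        return None
    if hdrs.get("vary", "").strip() == "*":
        return None                      # varies on something the cache cannot see
    lifetime = freshness_lifetime(hdrs, now)
    if lifetime is None:
        return None
    return cache_key(method, url, hdrs), lifetime


# Constructed sample responses (not captured traffic).
SAMPLE_RESPONSES = [
    ("GET", "http://example.test/logo.png", 200,
     {"Cache-Control": "public, max-age=3600", "Content-Encoding": "gzip"}),
    ("GET", "http://example.test/logo.png", 200,
     {"Cache-Control": "public, max-age=3600"}),
    ("GET", "http://example.test/account", 200, {"Cache-Control": "private"}),
    ("POST", "http://example.test/login", 200, {"Cache-Control": "max-age=60"}),
]


def distinct_cache_entries(responses, now=None):
    """Number of separate cache slots the responses would occupy (gzip and identity count twice)."""
    decisions = (admit(*r, now=now) for r in responses)
    return len({d[0] for d in decisions if d})


if __name__ == "__main__":
    for response in SAMPLE_RESPONSES:
        print(response[0], response[1], "->", admit(*response))
```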
All non-HTTP traffic and HTTP traffic that is not cached by FortiCache will pass through the unit. HTTP traffic is
not cached by the FortiCache unit if a web cache policy has not been added for it.
WCCP topologies
You can operate a FortiCache unit as a WCCP cache engine. As a cache engine, the FortiCache unit returns the
required cached content to the client web browser. If the cache server does not have the required content, it
accesses the content, caches it, and returns the content to the client web browser.
Figure: WCCP topology
WCCP is transparent to client web browsers. The web browsers do not have to be configured to use a web proxy.
Content Analysis Service
FortiGuard Content Analysis Service is a licensed feature for the real-time analysis of images in order to detect
adult content. Detection of adult content in images uses various patented techniques (not just color-based),
including limb and body part detection, body position, etc.
Please contact your Fortinet Account Manager should you require a trial of this service. You can purchase this
service from support.fortinet.com.
System Administration
This section introduces system administration of the FortiCache unit.
Working with system dashboards
The dashboard provides a quick look at the FortiCache system status. It provides a way to access information
about network activity and events, as well as configure basic system settings. The dashboard contains widgets
that display information and provide access to various system functions. You can customize which widgets are
available on the dashboard and how they operate.
Administrators must have read and write privileges for configuring dashboards as well as adding widgets to
dashboards.
- Managing dashboards
- System information widget
- License information widget
- Unit operation widget
- System resources widget
- Alert message console widget
- CLI console widget
- Features widget
- Interface history widget
Managing dashboards
Dashboards can be added, renamed, edited, and deleted, and widgets can be added to and removed from
individual dashboards.
You can add widgets to any dashboard and customize the configuration of most widgets. You cannot add the
same widget more than once, except for the Interface History widget, which can be added as many times as
required.
To add a dashboard:
1. Go to System > Dashboard > Status.
2. Select Dashboard > Add Dashboard (located at the top of the dashboard screen).
3. Enter a name for the dashboard, select the number of columns, then select OK.
4. Select the new dashboard and select Widget to begin adding widgets to the dashboard.
Except for the Interface History widget, a widget can only appear a single time,
regardless of how many dashboards are created.
To add widgets to a dashboard:
1. Go to System > Dashboard > Status.
2. Select a dashboard to add widgets to.
3. Select Widget (located at the top of the dashboard screen).
4. Select a widget to add to the dashboard. The pop-up window closes automatically.
5. Drag the widgets by their title bars to arrange them in the dashboard.
6. Optionally, customize widgets by selecting Edit (the pencil icon).
See also the following title bar options:
Detach: Converts the widget into a pop-up window detached from the main browser window that you can scale and
move independently of the dashboard. Only available for the CLI Console widget.
Refresh (refresh icon): Select to refresh or update the information displayed by the widget. Not available on all
widgets.
Use the following procedure to remove all of the dashboards that you have added and reset the widget
configuration of the default dashboard.
1. Go to System > Dashboard > Status.
2. Select Dashboard > Reset Dashboards and select OK in the confirmation dialog box.
System information widget
Host Name: The host name of the current FortiCache unit. When you select Change, you are redirected to the Edit
Host Name page. See Changing the host name on page 15.
Serial Number: The serial number of the FortiCache unit. The serial number is specific to that unit and does not
change with firmware upgrades.
System Time: The current date and time according to the FortiCache unit’s internal clock. When you select
Change, you are redirected to the Time Settings page where you can change the unit’s system time. See
Configuring system time on page 15.
Firmware Version: The version of the firmware currently installed on the FortiCache unit. When you select Update,
you are redirected to the Firmware Update/Downgrade page. See Firmware maintenance on page 60.
System Configuration: The date and time of the last configuration file backup. You can select Backup to back up
the current configuration; when you select Backup, you are redirected to the Backup page. See Backing up the
configuration on page 16. If you want to restore a configuration file, select Restore to be redirected to the Restore
page. See Restoring your firmware configuration on page 16.
Operation Mode: The current operating mode of the FortiCache unit. A unit can operate in NAT mode or
Transparent mode. Select Change to switch between NAT and Transparent mode.
Current Administrators: The name of the admin account that you have used to log into the FortiCache unit and
the number of administrator accounts. If you are authenticated locally by password, not by PKI or remote
authentication, you can select Change Password to change the password for this account. When you change the
password, you are logged out and must log back in with the new password. See Changing the currently logged in
administrator’s password on page 17. Select Details to view more information about each administrator that is
currently logged in. See Monitoring administrators on page 17.
Uptime: The time in days, hours, and minutes since the FortiCache unit was started.
Refresh: Update the display of the current system date and time.
Configuring system time
Set Time: Select to set the system date and time to the values you set in the Hour, Minute, Second, Year, Month,
and Day fields.
Synchronize with NTP Server: Select to use a Network Time Protocol (NTP) server to automatically set the system
date and time. Select Use FortiGuard Servers, or select Specify, then enter the server address and
synchronization interval in the Server and Sync Interval fields. The interval can be 1 to 1440 minutes (default = 1
minute). FortiCache units use NTP Version 4. No RFC is currently available for NTP version 4. The RFC for NTP
Version 3 is RFC 1305. For more information about NTP, or to find an NTP server that you can use, see
http://www.ntp.org.
Enable NTP Server: Select to enable the NTP server, then select one or more interfaces from the Listen on
Interfaces drop-down list.
Password: Enter the password that will be used to restore the configuration file.
Local PC: Select to restore the configuration file from the local computer.
Filename: Browse to the location of the backup file on your local hard disk.
Password: Enter the password that will be used to restore the configuration file.
Old Password: Enter the password that you usually use to log in.
New Password: Enter the new password that you will be using to log in.
Monitoring administrators
You can view detailed information about each administrator that is logged into the FortiCache unit from the
System Information widget by selecting Details in the Current Administrator row.
From: If Type is jsconsole, the value in From is N/A. Otherwise, From contains the administrator’s IP address.
Time: The date and time that the administrator logged on.
License information widget
You can update your registration status by selecting Update in the Registration Status row and loading the
license file from a location on your management computer. You can update the antivirus definitions by selecting
Update in the AV Definitions row.
Selecting Configure in the Web Filtering or AntiVirus rows takes you to the FortiGuard Distribution Network
page. See FortiGuard settings on page 44.
To update the antivirus definitions manually:
1. Download the latest update file from the Fortinet support site and copy it to the computer that you use to connect to
the GUI.
2. Log in to the GUI, locate the License Information widget, and in the AV Definitions row select Update.
3. Select Browse and locate the update file, or type the path and filename.
4. Select OK.
5. Verify that the update was successful by locating the License Information widget and viewing the date given in the
AV Definitions row.
Unit operation widget
1 / 2 / 3 / 4 etc.: The network interfaces on the unit. The names and number of these interfaces vary by model.
The icon below the interface name indicates its up/down status by color. Green indicates the interface is
connected. Gray indicates there is no connection. For more information about the configuration and status of an
interface, pause the mouse pointer over the icon for that interface.
If you select Reboot or Shutdown, a pop-up window opens allowing you to enter the reason for the system event.
Your reason will be added to the log message that is included in the event-system log.
Powering off a FortiCache unit before shutting it down may corrupt its configuration. Use the shutdown options
here or in the CLI to make sure that proper shutdown procedures are followed to prevent any loss of configuration.
Edit: Select to configure the widget. See Configure the system resource widget on page 19.
CPU Usage: The CPU usage percent displayed graphically and in text.
Memory Usage: The memory usage percent displayed graphically and in text.
Disk Usage: The disk usage percent displayed graphically and in text.
Reboot: Select to shut down and restart the unit. You will be prompted to enter a reason for the reboot that will be
entered into the logs.
Shutdown: Select to shut down the unit. You will be prompted for confirmation, and also prompted to enter a
reason for the shutdown that will be entered into the logs.
Configure the system resource widget
Custom Widget Name: Enter a custom widget name to change the name of the widget.
Chart Color: Change the color of the data shown on the charts. To reset to the default color, select Reset. This
option is only available when View Type is set to Historical.
Multi-core CPU display: Select Average to view the CPU usage for all cores, or select Each Core to view the usage
for each core individually.
View Type: Select Real Time to view real time CPU and memory usage data, or select Historical to view historical
usage data.
Time Period: Select the time period for the displayed data from the drop-down list. The options are: Last minute,
Last 10 minutes, Last 30 minutes, Last 60 minutes, Last 12 hours, and Last 24 hours. This option is only
available when View Type is set to Historical.
Alert message console widget
Alert messages help you track system events on your FortiCache unit, such as firmware changes. Each message
shows the date and time that the event occurred.
Custom Widget Name: Enter a custom widget name to change the name of the widget.
Select the types of messages that are displayed on the alert console. The options include:
- System shutdown and restart
Number of alerts to display on the dashboard: Select the number of alerts that are displayed in the dashboard
widget from the drop-down list. Options include: 10, 20, 30, 40, 50, 60, 70, 80, 90, and 100.
CLI console widget
The two controls located on the CLI Console widget title bar are Edit and Detach.
- Detach: Move the CLI Console widget into a separate browser window that you can resize and reposition. The two
controls on the detached CLI Console are Customize and Attach. Attach moves the widget back to the
dashboard’s page.
- Edit or Customize: Change the appearance of the console by defining fonts and colors for the text and background.
The Console Preferences window provides settings for modifying the widget’s appearance, font, and the option
to include an external command input box.
Text: Select the current color swatch next to this label, then select a color from the color palette to the right to
change the color of the text in the console.
Background: Select the current color swatch next to this label, then select a color from the color palette to the
right to change the color of the background in the console.
Console buffer length: Enter the number of lines the console buffer keeps in memory. Valid numbers range from
20 to 9999.
Font: Select a font from the list to change the display font of the CLI Console.
Size: Select the size of the font. The default size is 10 points.
Features widget
The Features widget allows you to disable or enable a collection of FortiCache features. Disabled features are not
shown in the GUI.
Select the On/Off button to turn the feature on or off.
More options can also be disabled by selecting the edit button in the widget title bar to open the Feature Settings
window.
Interface history widget
Only one interface can be monitored per widget, but multiple history widgets can be added to the dashboards. You
can change the interface being monitored by selecting Edit. All traffic history data is cleared when you select
Apply.
Hovering the cursor over a section of the graph will give you specific details on the traffic in and out of the
selected port.
Select Edit in this widget title bar to open the Traffic History Settings window.
Custom Widget Name: Enter a new name for the widget. This is optional.
Time Period 0: The time period for the first line chart. Enter a number in the first field, then select Hour(s),
Minute(s), or Day(s) from the drop-down list beside the field. Use zero to disable the time period.
Time Period 1: The time period for the second line chart. Enter a number in the first field, then select Hour(s),
Minute(s), or Day(s) from the drop-down list beside the field. Use zero to disable the time period.
Time Period 2: The time period for the third line chart. Enter a number in the first field, then select Hour(s),
Minute(s), or Day(s) from the drop-down list beside the field. Use zero to disable the time period.
Network settings
The Network menu allows you to configure the unit to operate on the network. This menu provides features for
configuring and viewing basic network settings, such as the unit’s interfaces, Domain Name System (DNS)
options, and routing table.
- Interfaces
- DNS settings
- Routing table
Unless stated otherwise, the term interface refers to a physical FortiCache interface.
Interfaces
In System > Network > Interfaces, you can configure the interfaces that handle incoming and outgoing traffic.
Edit: Modifies settings within the interface. When you select Edit, you are automatically redirected to the Edit
Interface page.
Column Settings: Select to change the columns that are displayed on the interface list.
Name: The names of the physical interfaces on your FortiCache unit. This includes any alias names that have
been configured.
Link Status: The status of the interface physical connection. Link status can be either up or down. If link status is
up there is an active physical connection between the physical interface and a network switch. If link status is
down the interface is not connected to the network or there is a problem with the connection. You cannot change
link status from the GUI. Link status is only displayed for physical interfaces.
MTU: The maximum number of bytes per transmission unit (MTU) for the interface.
Mode: Shows the addressing mode of the interface. The addressing mode can be manual, DHCP, or PPPoE.
Interface settings
Selecting Create New opens the New Interface page, which provides settings for configuring a new interface.
Selecting an interface from the interface list opens the Edit Interface page.
Link Status: Indicates whether the interface is connected to a network (link status is Up) or not (link status is
Down). This field appears when editing an existing physical interface.
Type: Select the type of the interface you want to add from the drop-down list. The options include: 802.3ad
Aggregate, Redundant Interface, Loopback Interface, and Software Switch. You cannot change the interface type
except when adding a new interface.
Physical Interface Members: This section has two different forms depending on the interface type. Software
switch interface: this section is a display-only field showing the interfaces that belong to the software switch
virtual interface. 802.3ad aggregate interface: select interfaces from the drop-down list, and add more interfaces
as required.
Addressing mode: The only addressing mode available on FortiCache units is Manual. If IPv6 configuration is
enabled you can add both an IPv4 and an IPv6 IP address.
IPv6 Address: If IPv6 support is enabled on the GUI, enter an IPv6 address/subnet mask for the interface. A single
interface can have both an IPv4 and IPv6 address or just one or the other.
Enable Explicit Web Proxy: Select to enable explicit web proxying on this interface. When enabled, this interface
will be displayed on System > Network > Web Proxy under Listen on Interfaces and web traffic on this interface
will be proxied according to the Web Proxy settings.
MTU: To change the MTU, select Override default MTU value (1 500) and enter the MTU size based on the
addressing mode of the interface.
Administrative Access: Select the types of administrative access permitted for IPv4/IPv6 connections to this
interface.
IPv6 Administrative Access
HTTPS: Allow secure HTTPS connections to the GUI through this interface.
PING: Interface responds to pings. Use this setting to verify your installation and for testing.
Enable Explicit Web Proxy: Select to enable explicit web proxy on the interface.
Listen for RADIUS Accounting Messages: Select to listen for Remote Authentication Dial-In User Service (RADIUS)
accounting messages on the interface.
Administrative Status: Select either Up (green arrow) or Down (red arrow) as the status of this interface. Up
indicates the interface is active and can accept network traffic. Down indicates the interface is not active and
cannot accept traffic.
DNS settings
Several FortiCache functions use DNS, including alert email. You can specify the IP addresses of the DNS
servers to which your unit connects. DNS server IP addresses are usually supplied by your ISP. To configure DNS
settings select System > Network > DNS.
Local Domain Name: Enter the domain name to append to addresses with no domain portion when performing DNS
lookups.
Routing table
If the unit is operating in Transparent mode, you can go to System > Network > Routing Table to add static
routes to control the flow of traffic through the unit.
IP/Netmask: The destination IP addresses and network masks of packets that the FortiCache unit intercepts.
Device: The interface or port number the static route is configured to.
Distance: The number of hops the static route has to the configured gateway. Routes with the same distance will
be considered as equal-cost multi-path (ECMP).
Priority: A number for the priority of the static route. Routes with a larger number will have a lower priority. Routes
with the same priority will be considered as ECMP.
Destination IP/Mask: Enter the IP address and netmask of the new static route. To create a default route, set the
IP and netmask to 0.0.0.0/0.0.0.0.
Gateway: Enter the gateway IP address for those packets that you intend the unit to intercept.
Priority: Enter a number for the priority of the static route. Routes with a larger number will have a lower priority.
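The route selection the Distance and Priority fields describe, as an added example (not FortiCache code): longest prefix match first, then lowest distance, then priority (a larger number loses), with all remaining ties forming an ECMP set. The interface names and addresses are constructed samples, and the dotted-netmask form of the default route matches the 0.0.0.0/0.0.0.0 entry shown above.

```python
"""Static-route selection as described in the Routing table section (added example, not FortiCache code).

Order of comparison: longest prefix match, then lowest distance, then lowest
priority number (a larger priority number is a lower priority). Routes that tie
on all three form an equal-cost multi-path (ECMP) set.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticRoute:
    dest: str          # "IP/Netmask" as entered in the GUI, e.g. "0.0.0.0/0.0.0.0"
    gateway: str
    device: str
    distance: int = 10
    priority: int = 0

    def network(self):
        # ipaddress accepts dotted netmasks ("10.0.0.0/255.255.255.0") as well as CIDR.
        return ipaddress.ip_network(self.dest, strict=False)


def select_routes(routes, destination):
    """Return the ECMP set (one or more routes) used to forward to destination, or [] if none match."""
    addr = ipaddress.ip_address(destination)
    matching = [r for r in routes if addr in r.network()]
    if not matching:
        return []
    best_len = max(r.network().prefixlen for r in matching)
    matching = [r for r in matching if r.network().prefixlen == best_len]
    best_distance = min(r.distance for r in matching)
    matching = [r for r in matching if r.distance == best_distance]
    best_priority = min(r.priority for r in matching)      # smaller number wins
    return [r for r in matching if r.priority == best_priority]


def next_hops(routes, destination):
    """Sorted gateway addresses of the selected ECMP set."""
    return sorted(r.gateway for r in select_routes(routes, destination))


# Constructed sample routing table (not from a real unit).
SAMPLE_ROUTES = [
    StaticRoute("0.0.0.0/0.0.0.0", "192.0.2.1", "port1", distance=10, priority=0),
    StaticRoute("0.0.0.0/0.0.0.0", "192.0.2.2", "port2", distance=10, priority=0),
    StaticRoute("198.51.100.0/255.255.255.0", "192.0.2.3", "port3", distance=10, priority=5),
    StaticRoute("198.51.100.0/255.255.255.0", "192.0.2.4", "port4", distance=10, priority=1),
    StaticRoute("198.51.100.128/255.255.255.128", "192.0.2.5", "port5", distance=20, priority=0),
]

if __name__ == "__main__":
    for dest in ("203.0.113.7", "198.51.100.10", "198.51.100.200"):
        print(dest, "->", next_hops(SAMPLE_ROUTES, dest))
```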
Configuration
This section provides features for configuring and viewing advanced network settings, such as HA cluster and
interface settings, SNMPv1/v2 and v3, FortiGuard Web Filtering settings, replacement messages, and
messaging servers.
- High availability
- SNMP settings
- Replacement Messages
- FortiGuard settings
- Features
High availability
FortiCache HA provides a system management solution which synchronizes configuration changes among the
cluster members. You can fine-tune the performance of the HA cluster to change how a cluster forms and
shares information among cluster members.
The HA heartbeat keeps cluster units communicating with each other. The heartbeat consists of hello packets
that are sent at regular intervals by the heartbeat interface of all cluster units. These hello packets describe the
state of the cluster unit and are used by other cluster units to keep all the units synchronized.
HA heartbeat packets are non-TCP packets that use Ethertype values 0x8890, 0x8891, and 0x8890. The default
time interval between HA heartbeats is 200 ms.
Your FortiCache can be configured as a Standalone unit or you can pair multiple FortiCache devices in an
Active-Active HA cluster for load balancing and failover protection. To configure HA and cluster settings, or to view
the cluster member list, select System > Config > HA.
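Because heartbeats are identified by Ethertype and are expected every 200 ms, a packet capture on the heartbeat segment can be checked for units that stopped sending hellos. This added example (not Fortinet code) parses Ethernet headers, keeps only the two distinct heartbeat Ethertypes listed above, and reports any unit whose hellos paused for longer than a configurable number of intervals; the frames, MAC addresses and timestamps are constructed.

```python
"""Spot missed HA heartbeats in a frame capture by Ethertype (added example, not Fortinet code).

Uses the heartbeat Ethertypes this guide lists (0x8890 and 0x8891) and its 200 ms
default hello interval. A cluster unit that goes longer than `missed` intervals
without sending a hello is reported. All frames and timestamps are constructed
samples, not a real capture.
"""
import struct

HA_ETHERTYPES = {0x8890, 0x8891}
DEFAULT_HELLO_INTERVAL_S = 0.2


def parse_ethernet(frame):
    """Return (dst_mac, src_mac, ethertype) from a raw frame, or None if it is too short."""
    if len(frame) < 14:
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    to_str = lambda raw: ":".join(f"{b:02x}" for b in raw)
    return to_str(dst), to_str(src), ethertype


def heartbeat_gaps(timed_frames, interval=DEFAULT_HELLO_INTERVAL_S, missed=3):
    """Return [(src_mac, gap_seconds)] for each hello that arrived more than missed*interval after the previous one from that unit."""
    last_seen = {}
    gaps = []
    for ts, frame in timed_frames:
        parsed = parse_ethernet(frame)
        if parsed is None or parsed[2] not in HA_ETHERTYPES:
            continue                     # ignore malformed and non-heartbeat frames
        src = parsed[1]
        if src in last_seen and ts - last_seen[src] > missed * interval:
            gaps.append((src, round(ts - last_seen[src], 3)))
        last_seen[src] = ts
    return gaps


def make_frame(src_mac, ethertype, payload=b""):
    """Build a constructed Ethernet frame to the broadcast destination."""
    src = bytes.fromhex(src_mac.replace(":", ""))
    return b"\xff" * 6 + src + struct.pack("!H", ethertype) + payload


# Constructed sample: unit A stops sending hellos for 1.2 s; unit B is healthy.
UNIT_A = "00:09:0f:00:00:01"
UNIT_B = "00:09:0f:00:00:02"
SAMPLE_FRAMES = sorted(
    [(t / 10, make_frame(UNIT_A, 0x8890)) for t in (0, 2, 4, 16)]
    + [(t / 10, make_frame(UNIT_B, 0x8891)) for t in range(0, 18, 2)]
    + [(0.5, make_frame(UNIT_A, 0x0800, b"\x45\x00"))],   # ordinary IPv4 frame, ignored
    key=lambda tf: tf[0],
)

if __name__ == "__main__":
    print(heartbeat_gaps(SAMPLE_FRAMES))   # [('00:09:0f:00:00:01', 1.2)]
```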
Mode: Enter the mode. Select Standalone or Active-Active from the drop-down menu.
Device Priority: You can set a different device priority to each cluster member to control the order in which
cluster units become the primary unit when the primary unit fails. The device with the highest device priority
becomes the primary unit. The default value is 128.
Cluster Settings
Password: Enter a password to identify the HA cluster. The maximum password length is 15 characters. The
password must be the same for all cluster FortiCache units before the FortiCache units can form the HA cluster.
The default is no password. When the cluster is operating, you can add a password, if required. Two clusters on
the same network must have different passwords.
SNMP settings
The Simple Network Management Protocol (SNMP) allows you to monitor hardware on your network. You can
configure the hardware, such as the FortiCache SNMP agent, to report system information and traps.
SNMP traps alert you to events that happen, such as a log disk becoming full, or a virus being detected. These
traps are sent to the SNMP managers. An SNMP manager (or host) is typically a computer running an application
that can read the incoming traps and event messages from the agent, and send out SNMP queries to the SNMP
agents. A FortiManager unit can act as an SNMP manager to one or more FortiCache units.
By using an SNMP manager, you can access SNMP traps and data from any FortiCache interface configured for
SNMP management access. Part of configuring an SNMP manager is to list it as a host in a community on the
FortiCache unit it will be monitoring. Otherwise, the SNMP monitor will not receive any traps from, and be unable
to query, that FortiCache unit.
When using SNMP, you must also ensure you have added the correct Management Information Base (MIB) files
to the unit, regardless of whether or not your SNMP manager already includes standard and private MIBs in a
ready to use, compiled database. A MIB is a text file that describes a list of SNMP data objects used by the SNMP
manager. See Fortinet MIBs below for more information.
The FortiCache SNMP implementation is read-only. SNMP v1, v2c, and v3 compliant SNMP managers have
read-only access to FortiCache system information through queries, and can receive trap messages from the
unit.
The FortiCache SNMP v3 implementation includes support for queries, traps, authentication, and privacy.
Authentication and encryption are configured in the CLI.
SNMP configuration
Before a remote SNMP manager can connect to the FortiCache agent, you must configure one or more
FortiCache interfaces to accept SNMP connections. Interfaces are configured in System > Network > Interface,
see Interfaces on page 23.
For security reasons it is recommended that neither “public” nor “private” be used for
SNMP community names.
When the unit is in virtual domain mode, SNMP traps can only be sent on interfaces in
the management virtual domain.
Location Enter the physical location of the unit. The system location description can be up to 35 characters long.
Contact Enter the contact information for the person responsible for this unit. The contact information can be up to 35 characters.
Apply Saves changes made to the description, location, and contact information.
SNMP v1/v2c Lists the communities for SNMP v1/v2c. From within this section you can create, edit, or remove SNMP communities.
Create New Creates a new SNMP community. When you select Create New, you are automatically redirected to the New SNMP Community page.
Edit Modifies settings within an SNMP community. When you select Edit, you are automatically redirected to the Edit SNMP Community page.
Queries Indicates whether query protocols (v1 and v2c) are enabled or disabled. A green checkmark indicates that queries are enabled; a gray x indicates that queries are disabled. If one query protocol is disabled and the other enabled, there will still be a green checkmark.
Traps Indicates whether trap protocols (v1 and v2c) are enabled or disabled. A green checkmark indicates that traps are enabled; a gray x indicates that traps are disabled. If one trap protocol is disabled and the other enabled, there will still be a green checkmark.
SNMP v3 Lists the SNMPv3 users. From within this section, you can create, edit, or remove an SNMPv3 user.
Create New Creates a new SNMPv3 user. When you select Create New, you are automatically redirected to the Create New SNMPv3 User page.
Edit Modifies settings within the SNMPv3 user. When you select Edit, you are automatically redirected to the Edit SNMPv3 User page.
SNMP agent
The FortiCache SNMP agent must be enabled before configuring other SNMP options. Enter information about
the FortiCache unit to identify it so that when your SNMP manager receives traps from the FortiCache unit, you
will know which unit sent the information.
Add SNMP communities to your FortiCache unit so that SNMP managers can view system information and
receive SNMP traps. You can add up to three SNMP communities. Each community can have a different
configuration for SNMP queries and traps, and can be configured to monitor the FortiCache unit for a different set
of events. You can also add the IP addresses of up to 8 SNMP managers to each community.
Selecting Create New on the SNMP v1/v2c table opens the New SNMP Community page, which provides
settings for configuring a new SNMP community. Selecting a community from the list opens the Edit SNMP
Community page.
IP Address / Netmask Enter the IP address / netmask of the SNMP managers that can use the settings in this SNMP community to monitor the unit. You can also set the IP address to 0.0.0.0 so that any SNMP manager can use this SNMP community.
Interface Optionally select the name of the interface that this SNMP manager uses to connect to the unit. You only have to select the interface if the SNMP manager is not on the same subnet as the unit. This can occur if the SNMP manager is on the Internet or behind a router.
Delete Removes an SNMP manager from the list within the Hosts section.
Add Select to add a blank line to the Hosts list. You can add up to eight SNMP managers to a single community.
Port Enter the port number (161 by default) that the SNMP managers in this community use for SNMP v1 and SNMP v2c queries to receive configuration information from the unit. The SNMP client software and the unit must use the same port for queries.
Traps Settings for configuring local and remote ports for both v1 and v2c.
Local Enter the local port number (162 by default) that the unit uses to send SNMP v1 or SNMP v2c traps to the SNMP managers in this community. The SNMP client software and the unit must use the same port for traps.
Remote Enter the remote port number (162 by default) that the unit uses to send SNMP traps to the SNMP managers in this community. The SNMP client software and the unit must use the same port for traps.
Enable each SNMP event for which the unit should send traps to the SNMP managers in this community.
Security Level Select the type of security level the user will have. The options include:
- No Authentication, No Private
- Authentication, No Private
- Authentication, Private
Auth Algorithm Select an authentication algorithm from the drop-down list; either MD5 or SHA1. Enter a password in the requisite Password field. This option is not available if the security level is set to No Authentication, No Private.
Private Algorithm Select a private algorithm from the drop-down list; either AES or DES. Enter a password in the requisite Password field. This option is only available if the security level is set to Authentication, Private.
Notification Host Enter the IP address of the notification host. If you want to add more than one host, select the plus sign to add another host. Up to 16 hosts can be added.
Events Select the SNMP events that will be associated with the user.
Fortinet MIBs
The FortiCache SNMP agent supports Fortinet proprietary MIBs, as well as standard RFC 1213 and RFC 2665
MIBs. RFC support includes support for the parts of RFC 2665 (Ethernet-like MIB) and the parts of RFC 1213
(MIB II) that apply to FortiCache unit configuration.
There are two MIB files for FortiCache units; both files are required for proper SNMP data collection:
- The Fortinet MIB: contains traps, fields, and information that is common to all Fortinet products.
- The FortiCache MIB: contains traps, fields, and information that is specific to FortiCache units.
The Fortinet and FortiCache MIB files are available for download on the Fortinet Customer Support site. Each Fortinet product has its own MIB; if you use other Fortinet products, you need to download their MIB files as well.
The Fortinet MIB and FortiCache MIB, along with the two RFC MIBs, are listed in the table below.
To download the MIB files, go to System > Config > SNMP and select a MIB link in the FortiCache SNMP MIB section.
Your SNMP manager may already include standard and private MIBs in a compiled database that is ready to use.
You must add the Fortinet proprietary MIB to this database to have access to the Fortinet specific information.
MIB files are updated for each version of FortiCache. When upgrading the firmware
ensure that you update the Fortinet FortiCache MIB file compiled in your SNMP
manager as well.
FORTINET-CORE-MIB.mib The Fortinet MIB includes all system configuration information and trap
information that is common to all Fortinet products. Your SNMP manager
requires this information to monitor FortiCache unit configuration settings
and receive traps from the FortiCache SNMP agent.
FORTINET-FORTICACHE-MIB.mib The FortiCache MIB includes all system configuration information and trap information that is specific to FortiCache units. Your SNMP manager requires this information to monitor FortiCache configuration settings and receive traps from the FortiCache SNMP agent. FortiManager systems require this MIB to monitor FortiCache units.
RFC-1213 (MIB II) The FortiCache SNMP agent supports the majority of MIB II OIDs
- <community_name> refers to the SNMP community name added to the FortiCache configuration. You can add more than one community name to a FortiCache SNMP configuration. The most commonly used community name is public.
- <address_ipv4> is the IP address of the FortiCache interface that the SNMP manager connects to.
- {<OID> | <MIB_field>} is the object identifier (OID) for the MIB field or the MIB field name itself.
For example, to query the firmware version running on the FortiCache unit, the following command could be issued:
snmpget -v2c -c public 10.10.10.1 1.3.6.1.4.1.12356.109.4.1.1.0
In this example, the community name is public, the IP address of the interface configured for SNMP
management access is 10.10.10.1. The firmware version is queried via the MIB field fchSysVersion, the
OID for which is 1.3.6.1.4.1.12356.109.4.1.1.0.
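The community and SNMPv3 user settings described in this section carry several limits (three communities, eight managers per community, sixteen notification hosts) and two recommendations (do not use the community names public or private; do not leave a manager host at 0.0.0.0, which lets any manager use the community). The following script is an added example, not code from the Fortinet guide: it encodes those rules as an audit over a hypothetical in-memory dictionary model of the GUI settings (the key names such as `communities`, `hosts`, `security_level` and the level labels `noauth-nopriv`/`auth-nopriv`/`auth-priv` are this example's own, not the unit's configuration format), and it also checks that a queried OID such as the fchSysVersion one above lies under the Fortinet enterprise arc, which tells you whether the Fortinet MIBs rather than the RFC MIBs define it.

```python
"""Audit an SNMP monitoring configuration against the guidance in this section.

Added example, not code from the Fortinet guide. The dictionaries it consumes
are a hypothetical in-memory model of the GUI settings described above (SNMP
v1/v2c communities with manager hosts and ports, SNMPv3 users with a security
level); they are not the unit's own configuration format.
"""
import ipaddress

# Limits, defaults and recommendations stated in the guide.
MAX_COMMUNITIES = 3
MAX_HOSTS_PER_COMMUNITY = 8
MAX_V3_NOTIFICATION_HOSTS = 16
DEFAULT_QUERY_PORT = 161
DEFAULT_TRAP_PORT = 162
WEAK_COMMUNITY_NAMES = {"public", "private"}
# Enterprise arc shared by the fchSysVersion OID shown on this page (1.3.6.1.4.1.12356...).
FORTINET_ENTERPRISE_ARC = (1, 3, 6, 1, 4, 1, 12356)


def oid_under_fortinet_arc(oid):
    """True when a dotted OID lies under the Fortinet enterprise subtree, i.e. the
    Fortinet/FortiCache MIBs (not RFC 1213/2665) define it."""
    parts = tuple(int(p) for p in oid.strip(".").split("."))
    return parts[: len(FORTINET_ENTERPRISE_ARC)] == FORTINET_ENTERPRISE_ARC


def _host_is_wildcard(host):
    """A manager entry of 0.0.0.0 (with any netmask spelling) lets any manager use the community."""
    return ipaddress.ip_network(host, strict=False).prefixlen == 0


def audit_snmp_config(cfg):
    """Return a list of findings (strings); an empty list means nothing to report."""
    findings = []
    communities = cfg.get("communities", [])
    if len(communities) > MAX_COMMUNITIES:
        findings.append(f"{len(communities)} communities configured, maximum is {MAX_COMMUNITIES}")
    for c in communities:
        name = c["name"]
        if name.lower() in WEAK_COMMUNITY_NAMES:
            findings.append(f"community {name!r}: well-known name, choose another")
        hosts = c.get("hosts", [])
        if not hosts:
            findings.append(f"community {name!r}: no manager hosts, so no manager can query or receive traps")
        if len(hosts) > MAX_HOSTS_PER_COMMUNITY:
            findings.append(f"community {name!r}: {len(hosts)} hosts, maximum is {MAX_HOSTS_PER_COMMUNITY}")
        for h in hosts:
            if _host_is_wildcard(h):
                findings.append(f"community {name!r}: host {h} lets any SNMP manager use this community")
        # Query and trap ports must match what the managers use; flag deviations from the defaults.
        if c.get("query_port", DEFAULT_QUERY_PORT) != DEFAULT_QUERY_PORT:
            findings.append(f"community {name!r}: non-default query port {c['query_port']}, confirm the managers use it")
        if c.get("trap_remote_port", DEFAULT_TRAP_PORT) != DEFAULT_TRAP_PORT:
            findings.append(f"community {name!r}: non-default trap port {c['trap_remote_port']}, confirm the managers use it")

    for u in cfg.get("v3_users", []):
        name = u["name"]
        level = u["security_level"]  # hypothetical labels: noauth-nopriv | auth-nopriv | auth-priv
        if level != "auth-priv":
            findings.append(f"v3 user {name!r}: level {level}, queries and traps are not both authenticated and encrypted")
        if level != "noauth-nopriv" and u.get("auth_algorithm") == "MD5":
            findings.append(f"v3 user {name!r}: MD5 authentication, prefer SHA1")
        if level == "auth-priv" and u.get("priv_algorithm") == "DES":
            findings.append(f"v3 user {name!r}: DES privacy, prefer AES")
        if len(u.get("notification_hosts", [])) > MAX_V3_NOTIFICATION_HOSTS:
            findings.append(f"v3 user {name!r}: more than {MAX_V3_NOTIFICATION_HOSTS} notification hosts")
    return findings


# Constructed sample configurations (not taken from any real unit).
WEAK_CONFIG = {
    "communities": [{"name": "public", "hosts": ["0.0.0.0/0.0.0.0"]}],
    "v3_users": [{"name": "nms", "security_level": "auth-nopriv", "auth_algorithm": "MD5"}],
}
HARDENED_CONFIG = {
    "communities": [{"name": "ops-ro-7f3a", "hosts": ["10.10.20.5/255.255.255.255", "10.10.20.6/32"]}],
    "v3_users": [{"name": "nms", "security_level": "auth-priv", "auth_algorithm": "SHA1",
                  "priv_algorithm": "AES", "notification_hosts": ["10.10.20.5"]}],
}

if __name__ == "__main__":
    for finding in audit_snmp_config(WEAK_CONFIG):
        print("finding:", finding)
    print("hardened config findings:", audit_snmp_config(HARDENED_CONFIG))
    print("fchSysVersion under Fortinet arc:", oid_under_fortinet_arc("1.3.6.1.4.1.12356.109.4.1.1.0"))
```

The port checks are advisory rather than security findings: the guide's point is simply that the unit and the managers must agree on the port, so a non-default value is worth confirming against the manager side.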
Replacement Messages
Replacement pages can be customized as required from System > Config > Replacement Messages.
Manage Images Select to view the available images and their respective tags.
Message HTML The HTML code for the message that you can edit.
The following table outlines all of the messages that can be customized, as shown in Extended View :
Critical Event Message Alert email text for critical event notification.
Alert Email Disk Full Message Alert email text for disk full events.
Declined Disclaimer Page Replacement HTML for user declined disclaimer page.
Email Collection Invalid Email Replacement HTML for email collection page after user enters invalid email.
Guest User Email Template Replacement text for guest-user credentials email
message.
Guest User Print Template Replacement HTML for guest-user credentials print out.
FortiGuard Block Page Replacement HTML for FortiGuard Webfilter block page.
FortiGuard HTTP Error Page Replacement HTML for FortiGuard Webfilter HTTP error
page.
Archive Block Message Replacement HTML for HTTP archive block message.
Content Block Page Replacement HTML for HTTP file content block page.
POST Block Message Replacement HTML for HTTP POST block message.
Upload Archive Block Message Replacement HTML for HTTP archive upload block message.
Upload Block Message Replacement HTML for HTTP file upload block message.
URL Block Page Replacement HTML for HTTP URL blocked page.
URL Filter Error Message Replacement HTML for webfilter service error message.
Network Quarantine
Network Quarantine DLP Block Page Replacement HTML for network quarantine DLP block page.
Network Quarantine DOS Block Page Replacement HTML for network quarantine DOS block page.
Network Quarantine IPS Block Page Replacement HTML for network quarantine IPS block page.
Web-proxy HTTP Error Page Replacement HTML for web-proxy HTTP error page.
Web-proxy User Limit Page Replacement HTML for web-proxy user limit block page.
FortiGuard settings
The FortiGuard Distribution Network page provides information and configuration settings for FortiGuard
subscription services. For more information about FortiGuard services, see the FortiGuard Center web page.
Support Contract The availability or status of your unit's support contract. The status displayed can be Unreachable, Not Registered, or Valid Contract. You can update your registration status by selecting Update in the Registration Status row and loading the license file from a location on your management computer.
AV & IPS Download Options Select the expand arrow to expand or hide the section.
Schedule Update Select to have scheduled updates, then select when said updates occur: Every 1-23 hours, Daily at a specific hour, or Weekly on a specific day at a specific hour. Select Update Now to send an update request.
Web Filtering Options Select the expand arrow to expand or hide the section.
Enable antispam cache Enable antispam cache, then enter the TTL value.
Port Selection Select the port assignments for contacting the FortiGuard servers, either the default port (53) or the alternate port (8888). Select Test Availability to verify the connection using the selected port.
To have a URL's category rating re-evaluated... Select to re-evaluate a URL's category rating using the Fortinet Live URL Rating system (opens in a new browser window).
Disk settings
This page shows the FortiCache's local storage. The example below shows four configurable 1 TB hard disk
drives.
Disks can be customized as required from System > Config > Disk.
Storage Size Displays the storage allocated for a particular feature (in GB).
Allocated Displays how much storage is allocated to a particular feature (in MB).
Used Displays how much storage has been used by a particular feature (in MB).
Quota Usage Displays as a percentage how much of the disk's storage has been used.
Quota Settings Select which disk is responsible for Logging and Archiving and configure
Disk Logging and DLP Archive storage values.
Features
Various FortiCache features can be enabled or disabled as required. Disabled features are not shown in the GUI. Go to System > Config > Features to configure the visibility of the features.
The following options can be turned on or off by clicking anywhere within their rectangles:
WAN Opt. & Cache Controls the visibility of the WAN Opt. and Cache menu. WAN optimization and web caching are used to reduce the amount of bandwidth used by traffic on your WAN.
Web Filter Controls the visibility of the Security Profiles > Web Filter menu. Apply web category, URL, and content filtering to control users' access to web resources. Set up profiles and add them to firewall policies.
DLP Controls the visibility of the Security Profiles > Data Leak Prevention menu. Prevent sensitive data, like credit card numbers, from leaving or entering your network, and set up Data Leak Prevention (DLP) sensors and add them to firewall policies.
Explicit Proxy Controls the visibility of the Firewall Objects > Web Proxy menu, and the Enable Explicit Web Proxy option on the Edit Interface page. Enable HTTP, HTTPS, or FTP proxies for your network that can be added to interfaces. Create security policies to control access to the proxy and apply UTM and other features to proxy traffic. Users on the network must configure their browsers to use the proxy.
ICAP Controls the visibility of the Security Profiles > ICAP (Internet Content Adaptation Protocol) menu. Offload services to an external server. These services can include: ad insertion, virus scanning, content and language translation, HTTP header or URL manipulation, and content filtering. Set up profiles and add them to security policies.
Implicit Firewall Policies Controls the visibility of implicit firewall policies that deny all traffic. You can edit an implicit policy and enable logging to record log messages when the implicit policy denies a session.
Messaging servers
To configure a messaging server, use the following CLI commands:
config system email-server
set type --Configure a custom email server.
set reply-to --Enter the default reply-to email address.
set server <IP or hostname> --Enter the name or address of the SMTP email server.
set port --Set the SMTP server port.
set source-ip --Set the source IPv4 address used to reach the SMTP server.
set source-ip6 --Set the source IPv6 address used to reach the SMTP server.
set authenticate --Enable/disable authentication.
set security --Set connection security.
next
end
Administration settings
The Admin menu provides settings for configuring administrators and their profiles, as well as basic
administrative settings such as changing the default language.
- Administrators
- Administrative profiles
- Settings
Always end your FortiCache session by logging out, regardless of whether you are in
the CLI or the GUI. If you do not log out, the session remains open.
Administrators
Administrators are configured in System > Admin > Administrators . There is already a default administrator
account on the unit named admin that uses the super_admin administrator profile.
You need to use the default admin account, an account with the super_admin admin profile, or an administrator
with read-write access control to add new administrator accounts and control their permission levels. If you log in
with an administrator account that does not have the super_admin admin profile, the administrators list will show
only the administrators for the current virtual domain.
The Administrators page lists the default super-admin administrator account, and all administrator accounts that
you have created.
Trusted Hosts The IP address and netmask of trusted hosts from which the administrator
can log in.
Right-click on any column heading to adjust the visible columns or reset all the columns to their default settings.
User Group Select the administrator user group that includes the Remote server/PKI (peer) users as members of the User Group. The administrator user group cannot be deleted once the group is selected for authentication. This option is only available if Type is Remote or PKI.
Wildcard Select to allow all accounts on the RADIUS, LDAP, or TACACS+ server to be administrators. This option is only available if Type is Remote.
Password Enter a password for the administrator account. For improved security, the password should be at least 6 characters long. This option is only available if Type is Regular.
Backup Password Enter a backup password for the administrator account. For improved security, the password should be at least 6 characters long. This option is only available if Type is Remote and Wildcard is not selected.
Confirm Password Type the password for the administrator account a second time to confirm that you have typed it correctly. This option is not available if Type is PKI or Wildcard is selected.
Admin Profile Select the admin profile for the administrator. You can also select Create New to create a new admin profile.
Restrict this Admin Login from Trusted Hosts Only Select to restrict this administrator login to specific trusted hosts, then enter the trusted hosts IP addresses and netmasks. You can specify up to ten trusted hosts. These addresses all default to 0.0.0.0/0 or 0.0.0.0/0.0.0.0.
When you set trusted hosts for all administrators, the unit does not respond to administrative access attempts
from any other hosts. This provides the highest security. If you leave even one administrator unrestricted, the unit
accepts administrative access attempts on any interface that has administrative access enabled, potentially
exposing the unit to attempts to gain unauthorized access.
The trusted hosts you define apply to the GUI, Ping, SNMP, and the CLI when accessed through Telnet or SSH.
CLI access through the console port is not affected.
The trusted host addresses all default to 0.0.0.0/0.0.0.0. If you set one of the zero addresses to a non-zero
address, the other zero addresses will be ignored. The only way to use a wildcard entry is to leave the trusted
hosts at 0.0.0.0/0.0.0.0. However, this configuration is less secure.
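The trusted-host rule above has two parts that are easy to get backwards: all-zero entries mean "any host", but as soon as one entry is non-zero the remaining zero entries are ignored rather than continuing to act as wildcards. The following Python module is an added example, not code from the Fortinet guide; it models that rule over a constructed dictionary of administrators (account name to list of IP/netmask strings, which is this example's own representation, not the unit's configuration format) and lists the accounts that are still unrestricted, since the guide notes that one such account is enough for the unit to answer login attempts from any host.

```python
"""Model the trusted-host rule for administrator logins described in this section.

Added example, not code from the Fortinet guide. Administrator records are a
constructed model of the Trusted Hosts fields (up to ten IP/netmask entries per
account), not the unit's configuration format.
"""
import ipaddress

MAX_TRUSTED_HOSTS = 10  # the guide allows up to ten trusted hosts per administrator


def _networks(trusted_hosts):
    """Parse entries written either as 10.0.5.0/24 or as 10.0.5.0/255.255.255.0."""
    if len(trusted_hosts) > MAX_TRUSTED_HOSTS:
        raise ValueError(f"at most {MAX_TRUSTED_HOSTS} trusted hosts per administrator")
    return [ipaddress.ip_network(h, strict=False) for h in trusted_hosts]


def is_unrestricted(trusted_hosts):
    """True when every entry is still the 0.0.0.0 default (or nothing was entered),
    i.e. any host may attempt a login for this account."""
    return all(n.prefixlen == 0 for n in _networks(trusted_hosts))


def is_trusted(source_ip, trusted_hosts):
    """Apply the rule from the guide: if all entries are zero, any source is accepted;
    once any entry is non-zero, the zero entries are ignored and the source must fall
    inside one of the non-zero networks."""
    nets = _networks(trusted_hosts)
    if all(n.prefixlen == 0 for n in nets):
        return True
    src = ipaddress.ip_address(source_ip)
    return any(src in n for n in nets if n.prefixlen != 0)


def unrestricted_admins(admins):
    """Names of administrators whose trusted hosts were never narrowed. Even one such
    account makes the unit accept login attempts from any host on every interface
    with administrative access enabled."""
    return [name for name, hosts in admins.items() if is_unrestricted(hosts)]


# Constructed sample: 'admin' left at the ten default entries, 'netops' narrowed to one subnet.
ADMINS = {
    "admin": ["0.0.0.0/0.0.0.0"] * MAX_TRUSTED_HOSTS,
    "netops": ["10.0.5.0/255.255.255.0"] + ["0.0.0.0/0.0.0.0"] * (MAX_TRUSTED_HOSTS - 1),
}

if __name__ == "__main__":
    for name, hosts in ADMINS.items():
        print(name, "from 10.0.5.20:", is_trusted("10.0.5.20", hosts),
              "from 203.0.113.9:", is_trusted("203.0.113.9", hosts))
    print("still unrestricted:", unrestricted_admins(ADMINS))
```

Running the module shows that the narrowed `netops` account rejects 203.0.113.9 even though nine of its ten entries are still 0.0.0.0, while `admin` is reported as unrestricted and accepts any source.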
Administrative profiles
Each administrator account belongs to an admin profile. The admin profile separates FortiCache features into
access control categories for which an administrator with read-write access can enable none (deny), read only, or
read-write access.
Read-only access for a GUI page enables the administrator to view that page. However, the administrator needs
write access to change the settings on the page.
The admin profile has a similar effect on administrator access to CLI commands. You can access get and show
commands with Read Only access, but access to config commands requires Read-Write access.
When an administrator has read-only access to a feature, the administrator can access the GUI page for that
feature but cannot make changes to the configuration. There are no Create or Apply buttons and lists display
only the View icon instead of icons for Edit, Delete, or other modification commands.
You need to use the admin account or an account with read-write access to create or edit admin profiles.
Create New Creates a new profile. See Adding an administrator profile on page 53.
Edit Modifies the selected admin profile's settings. When you select Edit, you are automatically redirected to the Edit Admin Profile page.
Delete Removes the admin profile from the list on the page. You cannot delete an admin profile that has administrators assigned to it. To remove multiple admin profiles, select multiple rows in the list by holding down the Ctrl or Shift keys, then select Delete.
Configure the following settings, then select OK to create the new administrator profile:
Access Control List of the items that can customize access control settings if configured.
Read Only Enable read only access in all Access Control categories.
Settings
Use admin settings to configure general settings for web administration access, password policies, idle timeout
settings, and display settings. You can also configure FortiCache Manager support.
Central Management
Use FortiCache Manager for all FortiGuard communications Enable this option to use FortiCache Manager for all FortiGuard communications.
Administration Settings
HTTP Port TCP port to be used for administrative HTTP access. The
default is 80. Select Redirect to HTTPS to force redirection to
HTTPS.
Telnet Port TCP port to be used for administrative telnet access. The
default is 23.
Idle Timeout Change the time after which the GUI logs out idle administrators, from 1 to 480 minutes.
Minimum Length Set the minimum acceptable length for passwords, from 8 to 64
characters.
View Settings
Lines per Page Number of lines per page to display in table lists. From 20 to
1000, default = 50.
Certificates
The FortiCache unit generates a certificate request based on the information you entered to identify the
FortiCache unit. After you generate a certificate request, you can download the request to a computer that has
management access to the FortiCache unit and then forward the request to a CA.
The certificate window also enables you to export certificates for authentication, importing, and viewing.
- Local certificates
- Remote certificates
- CA certificates
Local certificates
Local certificates are issued for a specific server, or website. Generally, they are very specific, and often for an
internal enterprise network.
Delete Select the checkbox next to a certificate entry and select Delete to remove
the selected certificate or CSR. Select OK in the confirmation dialog box to
proceed with the delete action.
View Certificate Details View a certificate. See View certificate details on page 59.
Comments Comments.
Whether you create certificates locally or obtain them from an external certificate service, a Certificate Signing
Request (CSR) will need to be generated.
When a CSR is generated, a private and public key pair is created for the FortiCache unit. The generated request
includes the public key of the device, and information such as the unit’s public static IP address, domain name, or
email address. The device’s private key remains confidential on the unit.
After the request is submitted to a CA, the CA will verify the information and register the contact information on a
digital certificate that contains a serial number, an expiration date, and the public key of the CA. The CA will then
sign the certificate, after which you can install the certificate on the FortiCache device.
To generate a CSR:
Certificate Name Enter a unique name for the certificate request, such as the host name, or the serial number of the device. Do not include spaces in the certificate name to ensure compatibility as a PKCS12 file.
Subject Information
- Host IP: Select if the unit has a static IP address. Enter the device's IP address in the IP Address field.
- Domain Name: Enter the device's domain name or FQDN in the Domain Name field.
- E-mail: Enter the email address of the device's administrator in the E-mail field.
Locality (City) The name of the city where the unit is located.
State/Province The name of the state or province where the unit is located.
Country/Region The country where the unit is located. Select from the drop-down list.
Key Size Select the key size from the drop-down list: 1024, 1536, or 2048 bits. Larger key sizes are more secure, but slower to generate.
Import a certificate
Signed local certificates can be imported to the FortiCache unit.
To import a certificate:
Valid To The last day that the certificate is valid. The certificate should be renewed
before this date.
Remote certificates
Remote certificates are public certificates without private keys.
They can be deleted, imported, and downloaded, and their details can be viewed, in the same way as local
certificates.
CA certificates
CA certificates are similar to local certificates, except they apply to a broader range of addresses or to a whole company. A CA certificate would be issued for an entire web domain, instead of just a single web page.
CA certificates can be deleted, downloaded, and their details can be viewed, in the same way as local
certificates.
To import a CA certificate:
2. To import the certificate from your local computer, select Local PC, then select Browse... and locate the file on
the computer.
3. To import from SCEP, select SCEP, enter the URL of the SCEP server that the CA certificate will be retrieved
from, and, optionally, enter identifying information about the CA.
4. Select OK to import the CA certificate.
Maintenance
The Maintenance menu provides settings for firmware management, viewing and configuring disk management,
and related features.
- Firmware maintenance
- Disk maintenance
Firmware maintenance
Administrators whose admin profiles permit maintenance read and write access can change the FortiCache unit’s
firmware version. Firmware images can be installed from a number of sources including a local hard disk or the
FortiGuard network. Firmware changes either upgrade to a newer version or revert to an earlier version.
You must register your unit with Fortinet Customer Support to access firmware
updates for your model. For more information, go to https://support.fortinet.com, or
contact Fortinet Customer Service & Support.
Go to System > Dashboard > Status to view the System Information widget, where you can see the current
version of the firmware that is running on the device.
Select Update to open the Firmware Management window, where you can select Upload Firmware to either
upgrade or downgrade the device’s firmware.
By installing an older firmware image, some system settings may be lost. You should
always back up your configuration before changing the firmware image.
Disk maintenance
The Disk page shows information about the storage space for different features for each hard disk, and allows
you to edit quota and storage settings.
Allocated The amount of space that is allowed for storage for a feature.
Used The current amount of space that has been used to store information of a feature.
Quota Usage The percentage of the quota that is currently being used. If there is no quota being used, the number is 100 percent.
Edit Select to modify the current amount of space that is being used. See Disk configuration on page 61.
Disk configuration
When possible, performance can be improved by logging to a disk that is not used for caching. A disk can be
reserved for logging by setting the quota storage setting to 0 MB.
For optimal performance, avoid allowing the disks used for caching from reaching
100% capacity. This can be achieved by limiting the cache file size to 70% of the total
disk capacity.
Select Edit in the Logging and Archiving row to edit the quota settings for logging and archiving.
Select Storage Select a storage device from the drop-down list; either Default, or one of
the available hard disks.
DLP Archive Enter the quota, in MB, for the DLP archive.
Select Edit in the WAN Optimization & Web Cache row to change the WAN optimization storage settings. Enter
a value, in MB, to be used for WAN optimization storage, then select Apply to apply your changes.
Routing
Go to System > Network > Routing Table to configure static routes for controlling the flow of traffic through the
unit. Static routes can be added, edited, and deleted as needed.
Create New  Create a new static route. See To add a static route: on page 63.
Edit        Modify settings within the static route. See To edit a static route: on page 64.
Delete      Remove a static route from the list. Select the route or routes that you would like to delete, then select Delete in the toolbar. Select OK in the confirmation dialog box to delete the selected route or routes.
Gateway     The IP addresses of the next-hop routers to which intercepted packets are forwarded.
Right-click on a column header to adjust the column settings or to reset the columns to their default view. By default, the Priority and Distance columns are not displayed.
To add a static route:
1. In the static routes list, select Create New from the toolbar. The New Static Route window opens.
Destination IP/Netmask Enter the IP address and netmask of the new static route. To create a
default route, set the IP and netmask to 0.0.0.0/0.0.0.0.
Device Select the interface through which intercepted packets are received and
sent from the drop-down list.
Gateway Enter the gateway IP address for those packets that you intend the unit to
intercept.
Distance Enter the number that represents the distances to the next-hop routers,
from 1 to 255 (default = 10).
The administrative distance allows you to make one route preferred over
another. This is useful when one route is unreliable. For example, if route A
has an administrative distance of 10 and route B has an administrative
distance of 30, the preferred route is route A, with the smaller
administrative distance of 10. If you discover that route A is unreliable, you
can change the administrative distance for route A from 10 to 40, which will
make the route B the preferred route.
Priority Enter a number for the priority of the static route, from 0 to 4294967295.
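The route-selection rules described above (a more specific destination wins, and among routes to the same destination the smaller administrative distance wins), shown as an added Python example. This is not FortiCache code: the route names, gateways and devices are constructed, and using Priority as a final tie-breaker (lower preferred) is an assumption of this example rather than something the guide states.

```python
import ipaddress

# Added example, not FortiCache code. Models the route-selection rules the
# guide states: the most specific (longest) matching prefix wins, and among
# routes to the same prefix the smaller administrative distance wins. Using
# Priority as a final tie-breaker (lower preferred) is an assumption here.

# Constructed sample routes. "0.0.0.0/0" is the default route (the GUI form
# is 0.0.0.0/0.0.0.0); gateways and devices are invented for illustration.
ROUTES = [
    {"name": "A", "dst": "0.0.0.0/0",    "gateway": "192.0.2.1", "device": "port1", "distance": 10, "priority": 0},
    {"name": "B", "dst": "0.0.0.0/0",    "gateway": "192.0.2.2", "device": "port2", "distance": 30, "priority": 0},
    {"name": "C", "dst": "10.10.0.0/16", "gateway": "192.0.2.3", "device": "port3", "distance": 10, "priority": 0},
]


def _prefixlen(route):
    return ipaddress.ip_network(route["dst"], strict=False).prefixlen


def best_route(routes, dst_ip):
    """Return the route that would forward a packet to dst_ip, or None."""
    ip = ipaddress.ip_address(dst_ip)
    candidates = [r for r in routes
                  if ip in ipaddress.ip_network(r["dst"], strict=False)]
    if not candidates:
        return None
    # Longest prefix first, then lowest distance, then lowest priority.
    return min(candidates,
               key=lambda r: (-_prefixlen(r), r["distance"], r["priority"]))


def with_distance(routes, name, distance):
    """Copy of routes with one route's administrative distance changed
    (1-255, the range the Distance field allows)."""
    if not 1 <= distance <= 255:
        raise ValueError("distance must be 1-255")
    return [dict(r, distance=distance) if r["name"] == name else dict(r)
            for r in routes]


if __name__ == "__main__":
    # Route A (distance 10) is preferred over route B (distance 30) ...
    print(best_route(ROUTES, "8.8.8.8")["name"])                          # A
    # ... until A is marked unreliable by raising its distance to 40.
    print(best_route(with_distance(ROUTES, "A", 40), "8.8.8.8")["name"])  # B
    # The /16 route beats both default routes for its own subnet.
    print(best_route(ROUTES, "10.10.5.5")["name"])                        # C
```

The example reproduces the guide's scenario: with route A at distance 10 and route B at distance 30, A carries the traffic; raising A to 40 makes B the preferred route without deleting A.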
To edit a static route:
1. From the static route list, either double-click the route that you would like to edit, or select the route then select Edit from the toolbar.
2. The Edit Static Route window opens.
3. Edit the route information as required, then select OK.
Policy
The Policy menu provides options for configuring policies, proxy options, and SSL inspection options.
Policy
The policy list displays web cache policies in their order of matching precedence. Web cache policy order affects policy matching. For details about arranging policies in the policy list, see How list order affects policy matching on page 67 and Moving policies on page 72.
You add web cache policies that match HTTP traffic to be cached according to source and destination addresses,
and the destination port of the traffic.
Various right-click menus are available throughout the policy list. The columns displayed in the policy list can be customized, and filters can be added in a variety of ways to filter the information that is displayed.
Create New         Add a new policy. New policies are added to the bottom of the list.
Source             The source address or address range that the policy matches. For more information, see Web cache policy address formats on page 73.
Destination        The destination address or address range that the policy matches. For more information, see Web cache policy address formats on page 73.
Service            The service affected by the policy. See Service on page 79.
Authentication
AV                 The antivirus profile used by the policy. See Antivirus on page 91.
Count
DLP                The DLP sensor used by the policy. See Data Leak Prevention on page 98.
From
ICAP               The ICAP profile used by the policy. See ICAP on page 104.
ID                 The policy identifier. Policies are numbered in the order they are added to the configuration.
Last Used
Log                The logging level of the policy. Options vary depending on the policy type.
Proxy Options      The proxy options used by the policy. See Proxy options on page 74.
Security Profiles  All the profiles used by the policy, such as the AV profile, Web Filter profile, DLP sensor, ICAP profile, proxy options, and SSL inspection options. See Security Profiles on page 91.
SSL Inspection     The SSL inspection options used by the policy. See SSL inspection on page 75.
Status             Select to enable a policy or clear to disable a policy. A disabled policy is out of service.
To
VPN Tunnel
Web Filter         The web filter profile used by the policy. See Web Filter on page 92.
The displayed policies can be filtered by either using the search field in the toolbar, or by selecting the filter icon in
a column heading. The available filter options will vary depending on the type of data that the selected column
contains.
When policies have been added, each time the FortiCache unit accepts a communication session, it then
searches the policy list for a matching policy. Matching policies are determined by comparing the policy with the
session source and destination addresses, and the destination port. The search begins at the top of the policy list
and progresses in order towards the bottom. Each policy in the policy list is compared with the communication
session until a match is found. When the FortiCache unit finds the first matching policy, it applies that policy and
disregards subsequent policies.
As a general rule, you should order the policy list from most specific to most general because of the order in which
policies are evaluated for a match, and because only the first matching policy is applied to a session. Subsequent
possible matches are not considered or applied. Ordering policies from most specific to most general prevents
policies that match a wide range of traffic from superseding and effectively masking policies that match
exceptions.
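The first-match search described above, as an added Python example (not FortiCache code). It walks a constructed policy list top to bottom comparing source address, destination address and destination port, and shows how a broad policy placed above a specific one masks it. The policy IDs, addresses and ports are invented, and the specificity score used to reorder the list is a heuristic for this example only, not a FortiCache feature.

```python
import ipaddress

# Added example, not FortiCache code. A minimal first-match evaluator for the
# search the guide describes: policies are compared top to bottom against the
# session's source address, destination address and destination port, and the
# first match is applied. Addresses, ports and IDs below are constructed.

POLICIES = [
    # A broad policy placed above a specific one masks it: this is the
    # ordering mistake the guide warns against. ID 3 was created last but
    # has been moved to the top; moving a policy does not change its ID.
    {"id": 3, "src": "all",        "dst": "all",            "port": "any", "action": "ACCEPT"},
    {"id": 1, "src": "10.0.0.0/8", "dst": "203.0.113.0/24", "port": 443,   "action": "DENY"},
]


def _addr_matches(spec, ip):
    """spec is the keyword 'all' or an IPv4/IPv6 network in CIDR form."""
    if spec == "all":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def first_match(policies, src_ip, dst_ip, dst_port):
    """Walk the list in display order and return the first matching policy.
    None means nothing matched and the implicit policy would apply."""
    for p in policies:
        if (_addr_matches(p["src"], src_ip)
                and _addr_matches(p["dst"], dst_ip)
                and p["port"] in ("any", dst_port)):
            return p
    return None


def _specificity(p):
    """Higher is more specific: sum of prefix lengths, plus one for a fixed port."""
    def plen(spec):
        return -1 if spec == "all" else ipaddress.ip_network(spec, strict=False).prefixlen
    return plen(p["src"]) + plen(p["dst"]) + (1 if p["port"] != "any" else 0)


def specific_first(policies):
    """Reorder most specific to most general (stable, so equal policies keep
    their relative order). This scoring is a heuristic for the example."""
    return sorted(policies, key=_specificity, reverse=True)


if __name__ == "__main__":
    session = ("10.1.2.3", "203.0.113.5", 443)
    print(first_match(POLICIES, *session)["id"])                  # 3: the DENY is masked
    print(first_match(specific_first(POLICIES), *session)["id"])  # 1: the DENY now applies
```

With the list as defined, the HTTPS session from 10.1.2.3 to 203.0.113.5 is accepted by policy 3 and policy 1 is never consulted; once the list is ordered most specific first, the same session hits the DENY.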
Configuring policies
Policies can be added, edited, copied, moved, and deleted. To help organize your policies, you can also create
sections to group policies together.
Policies can be inserted above or below existing policies, and can also be disabled if needed.
Creating a new policy
To create an address policy:
1. From the policy list, select Create New from the toolbar, or right-click on a sequence number and select Insert Policy Above, Insert Policy Below or, if applicable, Paste Before or Paste After. The New Policy window opens.
2. Select Address in the Policy Subtype field.
Incoming Interface Select the name of the network interface on which IP packets are received.
For more information, see Interfaces on page 23.
You can also create a web proxy by selecting web-proxy in Incoming
Interface. For more information, see Web proxy on page 84.
Multiple incoming interfaces can be added to a policy.
If you select any, the policy matches all interfaces as sources, and the
policy list is then displayed only in global view. Fortinet does not
recommend this option, because it can have unexpected results. It should
be used rarely, and only by a knowledgeable administrator.
When any is used as the incoming interface, the implicit security policy
includes any as well.
Outgoing Interface Select the name of the network interface to which IP packets are
forwarded. For more information, see Interfaces on page 23.
Multiple outgoing interfaces can be added to a policy.
If you select any, the policy matches all interfaces as destination, and the
policy list is then displayed only in global view. Fortinet does not
recommend this option, because it can have unexpected results. It should
be used rarely, and only by a knowledgeable administrator.
Schedule Select a schedule from the drop down list. Select Create New to create a
new schedule. For more information see Schedule on page 82.
Service Select a service or service group that packets must match to trigger this policy. Select Create New to create a new service. See Service on page 79.
Multiple services can be added.
Action Select how you want the policy to respond when a packet matches the
conditions of the policy. The options available will vary widely depending on
this selection.
ACCEPT - Accept traffic matched by the policy.
DENY - Reject traffic matched by the policy.
Logging Options If Action is set to ACCEPT, select one of the following options: No Log,
Log Security Events, or Log All Sessions.
If Action is set to DENY, enable Log Violation Traffic to log violation
traffic.
AntiVirus Enable antivirus and select or create a new profile from the drop-down list.
See Antivirus on page 91.
Web Filter Enable web filter and select or create a new profile from the drop-down list.
See Web Filter on page 92.
DLP Sensor Enable DLP sensors and select or create a new sensor from the drop-down
list. See Data Leak Prevention on page 98.
ICAP Enable ICAP and select or create a new profile from the drop-down list. See
ICAP on page 104.
SSL Inspection Enable SSL inspection and select or create a new option from the drop-
down list. See SSL inspection on page 75.
Enable WAN Optimization Select to enable WAN Optimization for traffic accepted by the policy.
If enabled, select active or passive from the drop down list, then select or
create a new profile to use for the optimization. See WAN Optimization and
Web Caching on page 128.
This option is only available if Action is set to ACCEPT.
To create a user identity policy:
1. From the policy list, select Create New from the toolbar, or right-click on a sequence number and select Insert Policy Above, Insert Policy Below or, if applicable, Paste Before or Paste After. The New Policy window opens.
2. Select User Identity in the Policy Subtype field.
Incoming Interface Select the name of the network interface on which IP packets are received.
For more information, see Interfaces on page 23.
You can also create a web proxy by selecting web-proxy in Incoming
Interface. For more information, see Web proxy on page 84.
Multiple incoming interfaces can be added to a policy.
If you select any, the policy matches all interfaces as sources, and the
policy list is then displayed only in global view. Fortinet does not
recommend this option, because it can have unexpected results. It should
be used rarely, and only by a knowledgeable administrator.
When any is used as the incoming interface, the implicit security policy
includes any as well.
Outgoing Interface Select the name of the network interface to which IP packets are
forwarded. For more information, see Interfaces on page 23.
Multiple outgoing interfaces can be added to a policy.
If you select any, the policy matches all interfaces as destinations, and the
policy list is then displayed only in global view. Fortinet does not
recommend this option, because it can have unexpected results. It should
be used rarely, and only by a knowledgeable administrator.
Service Select a service or service group that packets must match to trigger this policy. Select Create New to create a new service. See Service on page 79.
Multiple services can be added.
Web Proxy Forwarding Server     Enable a web proxy forwarding server, then select a server from the drop-down list. See Forwarding servers on page 86.
Enable IP based Authentication  Select to enable IP based authentication, then select the single sign-on method from the Single Sign-On Method drop-down list.
Default Authentication Method   Select the default authentication method from the drop-down list.
Creating a section
Sections can be used to help organize your policy list.
1. Right-click on the sequence number of a policy in the policy list and select Insert Section. The Insert Section
dialog box opens.
2. Enter a name for the section title in the Section Title field.
3. Select OK to create the section.
Editing policies
Policy information can be edited as required by double-clicking on the policy, by selecting a policy then selecting Edit from the toolbar, or by right-clicking on the sequence number of the policy and selecting Edit from the right-click menu.
The editing window for regular policies contains the same information as when creating new policies. See
Creating a new policy on page 67.
There are only two options that can be edited for the implicit policy rule:
l enabling or disabling violation traffic logging by selecting or deselecting Log Violation Traffic
l the Action field
Policies can also be edited inline, by right and left clicking on the text or blank space within specific cells. For
example, you can right-click in the blank space in a Schedule cell to select a new schedule from the right-click
menu, but if you right or left-click on the text in the cell and then select Edit Schedule from the pop-up menu, the
Edit Recurring Schedule window opens, allowing you to edit the selected schedule, or create a new one.
Moving policies
When more than one policy has been defined, the first matching policy is applied to the traffic session. You can
arrange the policy list to influence the order in which policies are evaluated for matches with incoming traffic. See
How list order affects policy matching on page 67 for more information.
Moving a policy in the policy list does not change its ID, which only indicates the order in which the policies were
created.
To move a policy, click and drag the policy to a new location. You can also move a policy by cutting and pasting it
into a new location.
be placed next to and select Paste Before or Paste After to insert the new policy before or after the selected
policy.
Web cache policy address formats
When representing hosts by an IP address with a netmask, the IP address can represent one or more hosts, depending on the netmask.
When representing hosts by an IP range, the range indicates hosts with continuous IP addresses in a subnet, such as 192.168.1.[2-10], or 192.168.1.* to indicate the complete range of hosts on that subnet. You can also indicate the complete range of hosts on a subnet by entering 192.168.1.[0-255] or 192.168.1.0-192.168.1.255. Valid IP range formats include:
• 192.168.1.[2-10]
• 192.168.1.*
• 192.168.1.[0-255]
• 192.168.1.0-192.168.1.255
You cannot use square brackets [ ] or asterisks * when adding addresses to the CLI.
Instead you must enter the start and end addresses of the subnet range separated by
a dash -. For example, 192.168.20.0-192.168.20.255 for a complete subnet and
192.168.10.10-192.168.10.100 for a range of addresses.
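A parser for the address notations above, added here as a Python example rather than anything FortiCache ships. It converts the GUI-only forms (192.168.1.*, 192.168.1.[2-10], 192.168.1.[0-255]), an IP/netmask, or a dash-separated range into the start-end form the CLI accepts, rejects inverted ranges, and tests whether a host falls inside the result. Only the IPv4 forms shown in this section are handled; the sample addresses are the guide's own.

```python
import ipaddress
import re

# Added example, not FortiCache code. Normalises the GUI address notations
# described in the guide into the dash-separated start-end form that the CLI
# accepts, and checks membership. IPv4 only, matching the forms shown above.

_OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
# 192.168.1.*   or   192.168.1.[lo-hi]
_GUI_RANGE = re.compile(rf"^((?:{_OCTET}\.){{3}})(?:\*|\[({_OCTET})-({_OCTET})\])$")


def to_cli_range(text):
    """Return (start, end) IPv4Address objects for an IP/netmask, a CLI range
    (start-end), or one of the GUI-only forms 192.168.1.*, 192.168.1.[2-10],
    192.168.1.[0-255]. Raises ValueError for inverted or malformed input."""
    text = text.strip()
    m = _GUI_RANGE.match(text)
    if m:
        prefix, lo, hi = m.group(1), m.group(2), m.group(3)
        lo, hi = (0, 255) if lo is None else (int(lo), int(hi))  # '*' means the whole last octet
        if lo > hi:
            raise ValueError(f"inverted range: {text}")
        return (ipaddress.IPv4Address(prefix + str(lo)),
                ipaddress.IPv4Address(prefix + str(hi)))
    if "-" in text:
        start, end = (ipaddress.IPv4Address(x.strip()) for x in text.split("-", 1))
        if start > end:
            raise ValueError(f"inverted range: {text}")
        return (start, end)
    # 192.168.20.0/24, 192.168.20.0/255.255.255.0, or a single host
    net = ipaddress.IPv4Network(text, strict=False)
    return (net.network_address, net.broadcast_address)


def cli_form(text):
    """The string to type at the CLI: start-end, no brackets or asterisks."""
    start, end = to_cli_range(text)
    return f"{start}-{end}"


def contains(text, ip):
    """True if ip lies inside the address given in any accepted notation."""
    start, end = to_cli_range(text)
    return start <= ipaddress.IPv4Address(ip) <= end


if __name__ == "__main__":
    for spec in ("192.168.1.*", "192.168.1.[2-10]", "192.168.20.0/255.255.255.0"):
        print(f"{spec:>28} -> {cli_form(spec)}")
```

The conversion is the one the note above requires for the CLI: square-bracket and asterisk forms become explicit start and end addresses, so the same object can be created from either interface without changing which hosts it matches.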
Proxy options
The Proxy Options menu allows you to configure settings for specific proxies, which can then be applied to
policies.
Create New             Select to open the New Proxy Options window, where you can create a new proxy option.
Protocol Port Mapping  Enable a protocol, then enter the inspection port or ports.
Common Options
Block Oversized File/Email  Select to Pass or Block oversized files or emails, and configure the size threshold:
                            • Threshold: enter the threshold amount for an oversized email message or file in MB.
Web Options
Enable Chunked Bypass       Select to enable the chunked bypass setting.
SSL inspection
To configure deep inspection options, go to Policy & Objects > Policy > SSL Inspection. SSL inspection options
can be used in policies.
Select a deep inspection option from the drop-down list in the toolbar, edit the settings as required or create new options, then select Apply to apply your changes.
Create New Select to open the New Deep Inspection Options window, where you can
create a new deep inspection option.
Inspection Port(s) Select to enable, and then customize the inspection ports as needed.
Firewall Objects
The firewall objects menu provides options for configuring addresses, services, schedules, and web proxy
settings.
• Address
• Service
• Schedule
• Web proxy
Address
Web cache addresses and address groups define network addresses that you use when configuring source and
destination addresses for security policies. The FortiCache unit compares the IP addresses contained in packet
headers with security policy source and destination addresses to determine if the security policy matches the
traffic. Addresses can be IPv4 addresses and address ranges, IPv6 addresses, and fully qualified domain names
(FQDNs).
Be careful if employing FQDN web cache addresses. Using a fully qualified domain
name in a security policy, while convenient, does present some security risks because
policy matching then relies on a trusted DNS server. If the DNS server should ever be
compromised, security policies requiring domain name resolution may no longer
function properly.
Addresses
Web cache addresses in the address list are grouped by type: IP/Netmask, FQDN, or IPv6. A FortiCache unit’s
default configurations include the all address, which represents any IPv4 IP address on any network. You can also
add a firewall address list when configuring a security policy.
To view the address list, go to Policy & Objects > Objects > Addresses.
Delete   Remove the selected address or addresses. This icon appears only if a policy or address group is not currently using the address.
Address  The IP address and mask, IP address range, or FQDN of the address.
Ref.     Displays the number of times the address is referenced by other objects. To view the location of the referenced address, select the number in Ref. The Object Usage window appears displaying the various locations of the referenced object.
Tags
To create a new address:
1. Go to Policy & Objects > Objects > Addresses and select Create New > Address. The New Address window
opens.
2. Configure the following settings:
Name Enter a name for the address. Addresses must have unique names.
Type Select the type of address: Subnet, IP Range, or FQDN. You can enter either an IP range or an IP address with subnet mask.
Subnet / IP Range Enter the IP address, followed by a forward slash (/), then subnet mask, or
enter an IP address range separated by a hyphen. See Web cache policy
address formats on page 73.
FQDN Enter the FQDN. This option is only available when Type is FQDN .
Interface Select the interface to which you want to bind the IP address. Select Any if
you want to bind the IP address with the interface when you create a policy.
To edit an address:
1. Select the address you would like to edit then select Edit from the toolbar, or double-click on the address in the
address table. The Edit Address window opens.
2. Edit the address information as required and select OK to apply your changes.
To delete addresses:
1. Select the address or addresses that you would like to delete.
2. Select Delete from the toolbar.
3. Select OK in the confirmation dialog box to delete the selected address or addresses.
Address groups
You can organize multiple addresses into an address group to simplify your policy list. For example, instead of
having five identical policies for five different but related addresses, you might combine the five addresses into a
single address group, which is used by a single policy. To view the address group list, go to Policy & Objects >
Objects > Addresses.
Delete                Select to remove the address group. This icon appears only if the address group is not currently being used by a policy.
Ref.                  Displays the number of times the address group is referenced by other objects. To view the location of the referenced address group, select the number in Ref. The Object Usage window appears displaying the various locations of the referenced object.
Show in Address List  Whether or not the group is shown in the address list.
Tags
To create a new address group:
1. Select Create New > Address Group. The New Address Group window opens.
2. Configure the following information:
Group Name Enter a name to identify the address group. Addresses, address groups,
and virtual IPs must have unique names.
Show in Address List Select to show the address group in the address list.
To edit an address group:
1. Select the group you would like to edit, then select Edit from the toolbar, or double-click on the address group. The
Edit Address Group window opens.
2. Edit the address group information as required and select OK to apply your changes.
Service
Web cache services define one or more protocols and port numbers associated with each service. Web cache
policies use service definitions to match session types. You can organize related services into service groups to
simplify your policy list.
Services
If you need to create a web cache policy for a service that is not in the predefined service list, you can add a
custom service. Custom services are configured in Policy & Objects > Objects > Services.
Create New            Create a new custom service or category. See To create a new service: on page 80 and Adding a service category on page 81.
Delete                Remove the selected custom service. This icon appears only if a service is not currently being used in a web cache policy.
Category Settings     Edit the order in which the categories are displayed in the list when viewing the list by category.
Show in Service List  Whether or not the service is shown in the service list.
Ref. Displays the number of times the service is referenced to other objects.
To view the location of the referenced service, select the number in Ref.;
the Object Usage window appears displaying the various locations of the
referenced object.
To create a new service:
1. Go to Policy & Objects > Objects > Services and select Create New > Service. The New Service window
opens.
Show in Service List Select to show the service in the service list.
Category Select the category for the service: Uncategorized, General, or Web
Proxy.
Protocol Select the protocol from the drop-down list that you are configuring settings for: TCP, UDP, or SCTP. Then, enter the low and high destination and source ports in the requisite fields.
Up to 16 protocols can be added.
When Service Type is Explicit Proxy, the protocol is TCP.
This option is only available if Protocol Type is set to TCP/UDP/SCTP,
ALL, CONNECT, FTP, HTTP, or SOCKS.
Type Enter the ICMP type number for the ICMP protocol configuration.
This option is only available if Protocol Type is set to ICMP, or ICMP6.
Code Enter the ICMP code number for the ICMP protocol configuration.
This option is only available if Protocol Type is set to ICMP, or ICMP6.
Protocol Number Enter the protocol number for the IP protocol configuration.
This option is only available if Protocol Type is set to IP.
To edit a service:
1. Select the service you would like to edit then select Edit in the toolbar, or double-click on the service in the table.
The Edit Service window opens.
2. Edit the service as required, then select OK to apply your changes.
Services groups
You can organize multiple services into a service group to simplify your policy list. For example, instead of having five identical policies for five different but related services, you can combine the five services into a single service group that is used by a single policy.
Schedule
When you add security policies on a FortiCache unit, those policies are always on, policing the traffic through the
device. Schedules control when policies are in effect.
Schedule
The schedule list lists all the schedules. Recurring and one-time schedules can be created, edited, and deleted as
needed.
You can create a recurring schedule that activates a policy during a specified period of time. If a recurring schedule has a stop time that is earlier than the start time, the schedule takes effect at the start time and ends at the stop time on the next day. You can use this technique to create recurring schedules that run from one day to the next. To create a recurring schedule that runs for 24 hours, set the start and stop times to the same value, for example 00:00.
You can create one-time schedules which are schedules that are in effect only once for the period of time
specified in the schedule.
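The wrap-around rule above (a stop time earlier than the start time runs into the next day; equal start and stop times mean 24 hours), worked through as an added Python example. This is not FortiCache code: the days, times and instants are constructed, and treating the stop time as exclusive (the window ends at the stop minute) is an assumption of this example.

```python
from datetime import datetime, time

# Added example, not FortiCache code. Decides whether a recurring schedule is
# active at a given moment using the rules in the guide: a stop time earlier
# than the start time spills into the next day, and start == stop means the
# schedule runs for 24 hours. The stop time is treated as exclusive here,
# which is an assumption of the example.

DAYS = ("mon", "tue", "wed", "thu", "fri", "sat", "sun")


def is_active(days, start, stop, now):
    """days: set of names from DAYS on which the schedule *starts*.
    start, stop: datetime.time. now: datetime.datetime."""
    today = DAYS[now.weekday()]
    yesterday = DAYS[(now.weekday() - 1) % 7]
    t = now.time()
    if start == stop:                          # 24-hour schedule
        return today in days
    if start < stop:                           # same-day window [start, stop)
        return today in days and start <= t < stop
    # Overnight window: from start today until stop tomorrow morning.
    started_today = today in days and t >= start
    spilled_from_yesterday = yesterday in days and t < stop
    return started_today or spilled_from_yesterday


def active_at(days, start_hhmm, stop_hhmm, when_iso):
    """String front-end: times as 'HH:MM', the instant as ISO 8601."""
    return is_active(set(days),
                     time.fromisoformat(start_hhmm),
                     time.fromisoformat(stop_hhmm),
                     datetime.fromisoformat(when_iso))


if __name__ == "__main__":
    weeknights = ("mon", "tue", "wed", "thu", "fri")
    # 2024-01-10 is a Wednesday; the 22:00-06:00 window started that night.
    print(active_at(weeknights, "22:00", "06:00", "2024-01-10T23:30"))  # True
    print(active_at(weeknights, "22:00", "06:00", "2024-01-11T05:00"))  # True (spilled from Wednesday)
    print(active_at(weeknights, "22:00", "06:00", "2024-01-11T12:00"))  # False
    print(active_at(("sat",), "00:00", "00:00", "2024-01-13T15:00"))    # True (24 hours on Saturday)
```

Note that the day-of-week selection governs when the window starts: a Friday 22:00-06:00 schedule is still active at 05:00 on Saturday morning, but a Saturday schedule is not active at 05:00 on Saturday unless Friday is also selected.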
Create New Create a new recurring or one-time schedule. See To create a new
recurring schedule: and To create a new one-time schedule:.
Delete Remove the selected schedule. This icon is only available if the selected
schedule is not currently being used in a policy.
To create a new recurring schedule:
1. Go to Policy & Objects > Objects > Schedules and select Create New > Schedule. The New Schedule window
opens.
2. Configure the following settings:
Day of the Week Select the days of the week when the schedule will be run.
Stop Time Select the stop time for the schedule. If the stop time is set earlier than the
start time, the stop time will be during the next day. If the start time is
equal to the stop time, the schedule will run for 24 hours.
To create a new one-time schedule:
1. Go to Policy & Objects > Objects > Schedules and select Create New > Schedule. The New Schedule window
opens.
2. Configure the following settings:
Start Select the year, month, day, hour, and minute that the schedule will start.
Stop Select the year, month, day, hour, and minute that the schedule will stop.
The stop time must be later than the start time.
Generate event log... Select to generate an event log prior to the schedule expiring.
Enter the number of days prior to the expiry that the event log will be
generated, from 1 to 100.
To edit a schedule:
1. Select the schedule you would like to edit, then select Edit from the toolbar, or double-click on the schedule in the
table. The Edit Recurring Schedule or Edit One-time Schedule window opens.
2. Edit the information as required, then select OK to apply your changes.
To delete schedules:
1. Select the schedule or schedules that you would like to delete.
2. Select Delete from the toolbar.
3. Select OK in the confirmation dialog box to delete the selected schedule or schedules.
Schedule groups
You can organize multiple schedules into a schedule group to simplify your security policy list. For example,
instead of having five identical policies for five different but related schedules, you might combine the five
schedules into a single schedule group that is used by a single security policy.
Schedule groups can contain both recurring and one-time schedules. Schedule groups cannot contain other schedule groups.
To create a new schedule group:
1. Go to Policy & Objects > Objects > Schedules and select Create New > Schedule Group. The New Schedule
Group window opens.
2. Configure the following settings:
Available Schedules Select the schedules that you would like to have included in the group by
double-clicking on the schedule name, or selecting the name then selecting
the down arrow icon.
To edit a schedule group:
1. Select the schedule group you would like to edit, then select Edit from the toolbar, or double-click on the schedule
group in the table. The Edit Schedule Group window opens.
2. Edit the information as required, then select OK to apply your changes.
Web proxy
Explicit web proxies, web proxy forwarding servers, and global explicit web proxies can be configured in the Web Proxy section of the Firewall Objects menu.
To configure the explicit web proxies, go to Policy & Objects > Objects > Explicit.
Ref. Displays the number of times the proxy is referenced to other objects.
To view the location of the referenced proxy, select the number in Ref.; the
Object Usage window appears displaying the various locations of the
referenced object.
To create a new explicit web proxy:
1. Go to Policy & Objects > Objects > Explicit and select Create New. The New Web Proxy Explicit window
opens.
Interface Select the interfaces that are monitored by the explicit web proxy from the drop-down list.
Enable FTP over HTTP Select to enable FTP over HTTP for the explicit web proxy.
HTTP Port Enter the HTTP port number that traffic from client web browsers use to
connect to the explicit proxy for the specific protocol. Explicit proxy users
must configure their web browser’s protocols proxy settings to use this port
(default = 8080).
HTTPS Port Enter the HTTPS port number that traffic from client web browsers use to
connect to the explicit proxy for the specific protocol. Explicit proxy users
must configure their web browser’s protocols proxy settings to use this port.
Enter 0 to use the HTTP port.
PAC Port Enter the Proxy Auto-Config (PAC) port number that traffic from client web
browsers use to connect to the explicit proxy for the specific protocol.
Explicit proxy users must configure their web browser’s protocols proxy
settings to use this port.
Enter 0 to use the HTTP port.
Realm The authentication realm used to identify the explicit web proxy. The realm is a text string of up to 63 characters. If the realm includes spaces, the name must be enclosed in quotation marks.
When a user authenticates with the explicit proxy, the HTTP authentication dialog includes the realm, so it can be used to identify the explicit web proxy for your users.
Unknown HTTP version Select the action to take when the proxy must handle a request or
message from an unknown HTTP version.
To edit an explicit web proxy:
1. Select the explicit web proxy you would like to edit, then select Edit from the toolbar, or double-click on the explicit web proxy in the table. The Edit Web Proxy Explicit window opens.
2. Edit the information as required, then select OK to apply your changes.
To delete explicit web proxies:
1. Select the explicit web proxy or proxies that you would like to delete.
2. Select Delete from the toolbar.
3. Select OK in the confirmation dialog box to delete the selected proxy or proxies.
Forwarding servers
By default, the FortiCache unit monitors a web proxy forwarding server by forwarding a connection to the remote server every 10 seconds. If the remote server does not respond, it is assumed to be down. Checking continues, and when the server responds again it is assumed to be back up. If health checking is enabled, the FortiCache unit attempts to get a response from a web server by connecting through the remote forwarding server every 10 seconds.
You can enable health checking for each remote server, and specify a different website to check for each one.
If the remote server is found to be down, you can configure the FortiCache unit to either block sessions until the
server comes back up, or allow sessions to connect to their destination using the original server. You cannot
configure the FortiCache unit to fail over to another remote forwarding server.
To configure the server down action and enable health monitoring, go to Policy & Objects > Objects > Forward
Server.
Configure the following settings:
Health Check Indicates whether the health check is disabled or enabled for that
forwarding server. A green checkmark indicates that health check is
enabled; a gray x indicates that health check is disabled.
Server Down The action that the FortiCache unit will take when the server is down.
Ref. Displays the number of times the forwarding server is referenced to other
objects.
To view the location of the referenced forwarding server, select the number
in Ref.; the Object Usage window appears displaying the various locations
of the referenced object.
Use the following CLI command to enable health checking for a web proxy forwarding server and set the server
down option to use the original server if it is down.
config web-proxy forward-server
edit fwd-srv
set healthcheck enable
set monitor http://example.com
set server-down-option pass
end
To create a new forwarding server:
1. Go to Policy & Objects > Objects > Forward Server and select Create New. The Add Forwarding Server window
opens.
Proxy Address Type Select the type of IP address of the forwarding server, either IP or FQDN .
Server Down Action Select what action the FortiCache unit will take if the forwarding server is
down, either Block or Use Original Server.
Health Check Monitor Site Enter the URL address of the health check monitoring site.
To edit a forwarding server:
1. Select the server you would like to edit, then select Edit from the toolbar, or double-click on the forwarding server in the table. The Edit Forwarding Server window opens.
2. Edit the information as required, then select OK to apply your changes.
Go to Policy & Objects > Objects > Web Proxy Global to change the global explicit web proxy settings.
Proxy FQDN: The FQDN for the global proxy server. This is the domain name to enter into browsers to access the proxy server.
Max HTTP request length: The maximum length of an HTTP request that can be cached, in Kb. Larger requests will be rejected (default = 4Kb).
Max HTTP message length: The maximum length of an HTTP message that can be cached, in Kb. Larger messages will be rejected (default = 32Kb).
Add Client IP Header to Forwarded Requests: Include the client IP header from the original HTTP request that is forwarded to the internal network.
Add VIA Header to Forwarded Requests: Include the Via header from the original HTTP request that is forwarded to the internal network.
Add X-Forwarded-For Header to Forwarded Requests: Include the X-Forwarded-For (XFF) HTTP header. The XFF HTTP header identifies the originating IP address of a web client or browser that is connecting through an HTTP proxy, and the remote addresses it has passed through to that point.
Add Front-End-Https Header to Forwarded Requests: Include the front-end HTTP header from the original HTTPS request.
Enable Strict Web Check: Close the connection if errors are found in the HTTP header. For example, the connection would be closed if a single-line header becomes a multiple-line header, or if a request header shows up in a response.
Enable Forward Proxy Authentication: Include proxy-authentication information in packets sent to the HTTP proxy behind the FortiCache explicit proxy.
The FortiCache can be configured to serve a PAC file to define the proxy network and how it should be used by
the client. The browser must be configured appropriately to point at the FortiCache device to retrieve the PAC
file, for example:
http://<FortiCache IP>:8080/proxy.pac
http://tools.ietf.org/html/draft-ietf-wrec-wpad-01
When using DNS, the most widely supported resolution method, an entry is made in the local authoritative zone
to map the name wpad (such as wpad.example.com) to one or more IP addresses. The browser is configured to
automatically look in the following locations to find the WPAD configuration, which is in effect a PAC file, as
described in Proxy auto-config configuration on page 89:
http://wpad.department.branch.example.com/wpad.dat
http://wpad.branch.example.com/wpad.dat
http://wpad.example.com/wpad.dat
To configure the FortiCache unit to issue a wpad.dat file, use the following CLI commands:
config web-proxy explicit
    edit "web-proxy"
        set ftp-over-http enable
        set interface "port1"
        set pac-file-name "wpad.dat"
        set pac-file-server-port 80
        set pac-file-server-status enable
        set pac-file-data "<Put your PAD file content here, escaping quotes with \>"
    next
end
If you are configuring the wpad file on port 80, you will receive an error, as the GUI is
also configured on port 80 (even when not in use). To avoid this error, first move the
GUI to a different port with the following commands:
config system global
    set admin-port 81
end
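The following is an added example and not part of the FortiCache guide: a small PAC file of the kind the unit can serve as proxy.pac or wpad.dat, written in JavaScript because that is what a PAC file is, together with a helper that escapes the source for the pac-file-data string. The proxy address 192.0.2.10:8080 and the internal domain example.com are constructed values; the PAC helper functions (isPlainHostName, dnsDomainIs, isInNet) are re-implemented here only so the file can be exercised outside a browser, and doubling backslashes in the escaping helper is an assumption that goes beyond the guide's note about escaping quotes.

```javascript
// Added example, not code from the FortiCache guide. The proxy address and internal
// domain below are constructed values.

// A browser's PAC runtime supplies isPlainHostName/dnsDomainIs/isInNet to the script;
// these re-implementations exist only so the file can be exercised offline (e.g. with Node).
function isPlainHostName(host) { return !host.includes("."); }
function dnsDomainIs(host, domain) { return host.toLowerCase().endsWith(domain.toLowerCase()); }
function ipToInt(ip) { return ip.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0; }
function isInNet(host, net, mask) {
  // A real PAC runtime resolves names here; offline we only handle dotted-quad hosts.
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  return ((ipToInt(host) & ipToInt(mask)) >>> 0) === ((ipToInt(net) & ipToInt(mask)) >>> 0);
}

// The PAC body. Only this function is served to browsers, so it references nothing
// outside itself (the constants are inlined on purpose).
function FindProxyForURL(url, host) {
  // Plain hostnames and the internal domain bypass the proxy.
  if (isPlainHostName(host) || dnsDomainIs(host, ".example.com")) return "DIRECT";
  // RFC 1918 addresses stay inside the network.
  if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) return "DIRECT";
  // Everything else goes through the FortiCache explicit proxy. No "; DIRECT" fallback:
  // with one, browsers would silently bypass web filtering whenever the proxy is unreachable.
  return "PROXY 192.0.2.10:8080";
}

// Escape the PAC source for the CLI string literal. The guide says to escape quotes with a
// backslash; doubling existing backslashes first is an assumption, so that any regex
// escapes in a PAC survive the round trip.
function toPacFileData(pacSource) {
  return pacSource.replace(/\\/g, "\\\\").replace(/"/g, '\\"');
}

// The text that would be pasted into `set pac-file-data "..."`.
const PAC_FILE_DATA = toPacFileData(FindProxyForURL.toString());
```

Only FindProxyForURL is served to clients; the browser provides the helper functions itself. Returning a bare PROXY directive for external hosts is a deliberate choice: a "; DIRECT" fallback is convenient, but when the proxy also enforces web filtering it turns any proxy outage into an unfiltered path to the internet.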
Security Profiles
The Security Profiles menu provides access to antivirus, web filter, and ICAP profiles, as well as DLP sensors
and filters, and ICAP server settings.
- Antivirus
- Web Filter
- Data Leak Prevention
- ICAP
- Content Analysis
Antivirus
A profile is specific configuration information that defines how the traffic within a policy is examined and what
action may be taken based on the examination. Multiple antivirus profiles can be created for different antivirus
scanning requirements. These profiles can then be applied to firewall policies.
1. Go to Policy & Objects > Policy > Policy and either add or select the security policy that accepts the traffic to be
virus scanned. See Configuring policies on page 67.
2. In the New Policy or Edit Policy window, under Security Profiles, select AntiVirus, then select an antivirus profile
from the drop-down list.
3. Select OK to save the policy.
1. Go to Security Profiles > AntiVirus > View List and select Create New. The New AntiVirus Profile Server window opens.
Protocol: The protocols for which virus scan and removal can be enabled.
Virus Scan and Removal: Select to enable virus scan and removal for the required protocols.
1. Select the profile you would like to edit then select Edit from the toolbar, or double-click on the profile in the table. The Edit AntiVirus Server window opens.
2. Edit the information as required, then select OK to apply your changes.
Web Filter
This section describes how to configure web filters for HTTP traffic, and URL filters to allow or block caching of
specific URLs.
The web filter profiles menu allows you to configure a web filter profile to apply to a policy. A profile is specific
information that defines how the traffic within a policy is examined and what action may be taken based on the
examination.
To configure web filter profiles, go to Security Profiles > Web Filter > View List. The Edit Web Filter Profile
page is displayed.
Configure the following settings, then select Apply to apply any changes:
View List: View the web filter profile list. See Profile list on page 96.
FortiGuard Categories: Select to enable FortiGuard categories. If the device is not licensed for the FortiGuard web filtering service, traffic may be blocked by enabling this option.
Show: In the category list, right-click on a specific category, then select the action to take from the pop-up menu: Allow, Block, Monitor, Warning, or Authenticate.
Search Engine: When enabled, the supported search engines exclude offensive material from search results. Supported search engines include: Google, Yahoo!, Bing, and Yandex.
YouTube Education Filter: Select to enable the YouTube education filter, then enter the filter in the text field.
Enable Web Site Filter: Select to enable web site filters. See Web site filters on page 97.
Provide Details for Blocked HTTP 4xx and 5xx Errors: Enable to have the unit display its own replacement message for 400- and 500-series HTTP errors. If the server error is allowed through, malicious or objectionable sites can use these common error pages to circumvent web filtering. See .
Block Invalid URLs: Enable to block web sites when their SSL certificate CN field does not contain a valid domain name.
Rate Images by URL (Blocked images will be replaced with blanks): Enable to have the unit retrieve ratings for individual images in addition to web sites. Images in a blocked category are not displayed even if they are part of a site in an allowed category. Blocked images are replaced on the originating web pages with blank place-holders. Rated image file types include GIF, JPEG, PNG, BMP, and TIFF.
HTTP POST Action: Select the action to take with HTTP POST traffic. HTTP POST is the command used by your browser when you send information, such as a filled out form or a file you are uploading, to a web server. The available actions include:
- Comfort: Use client comforting to slowly send data to the web server as the FortiCache unit scans the file. This option prevents a server time-out when scanning or other filtering is enabled for outgoing traffic. The client comforting settings used are those defined in the protocol options profile selected in the security policy.
- Block: Block the HTTP POST command. This will limit users from sending information and files to web sites. When the POST request is blocked, the unit sends the http-post-block replacement message to the web browser attempting to use the command.
Web Content Filter: Enable to block access to web pages that include the words included in the selected web content filter list.
Remove Java Applet Filter: Enable to filter Java applets from web traffic. Web sites using Java applets may not function properly when this filter is enabled.
Allow Websites When a Rating Error Occurs: Enable to allow access to web pages that return a rating error from the web filter service. If your unit is temporarily unable to contact the FortiGuard service, this setting determines what access the unit allows until contact is re-established. If enabled, users will have full unfiltered access to all web sites. If disabled, users will not be allowed access to any web sites.
Remove ActiveX Filter: Enable to filter ActiveX scripts from web traffic. Web sites using ActiveX may not function properly when this filter is enabled.
Rate URLs by Domain and IP Address: Enable to have the unit request site ratings by URL and IP address separately, providing additional security against attempts to bypass the FortiGuard Web Filter. FortiGuard Web Filter ratings for IP addresses are not updated as quickly as ratings for URLs. This can sometimes cause the unit to allow access to sites that should be blocked, or to block sites that should be allowed.
Remove Cookie Filter: Enable to filter cookies from web traffic. Web sites using cookies may not function properly when this filter is enabled.
Allow Blocked Override: Enable to allow blocked override. This will allow the specified user, group, or IP address to access web sites blocked by web filtering profiles for a specified length of time.
Apply to Groups: Select the user group or groups to which the override will apply. See User on page 109.
Assign to Profile: Select the web filter profile or profiles to which the override will apply.
Scope: Select the scope of the override: User, User Group, or IP.
Duration: If Duration Mode is set to Constant, enter the duration of the override in Days (from 0 to 364), Hours (0 to 23), and Minutes (0 to 59).
Profile list
The web filter profile list can be viewed by selecting View List in the Edit Web Filter Profile page toolbar.
1. From either the Edit Web Filter Profile page or the web filter profile list, select Create New.
2. Enter the required information, then select OK to create the new web filter profile.
1. From the Edit Web Filter Profile page, select the profile you need to edit from the profile drop-down list.
From the profile list, either select the profile you would like to edit then select Edit from the toolbar, or
double-click on the profile name in the list.
2. Edit the information as required, then select Apply to apply your changes.
1. From the Edit Web Filter Profile page, select the profile you need to clone from the profile drop-down list.
2. Select Clone from the toolbar.
3. Enter a name for the profile in the dialog box, then select OK. The profile list opens, with the clone added.
4. Edit the clone as required.
1. From the profile list, select the profile or profiles that you would like to delete.
2. Select Delete from the toolbar.
3. Select OK in the confirmation dialog box to delete the selected profile or profiles.
Web site blocking does not block access to other services that users can access with a
web browser. For example, web site blocking does not block access to
ftp://ftp.example.com. Instead, use firewall policies to deny ftp connections.
When adding a URL to the web site filter list, follow these rules:
- Type a top-level URL or IP address to control access to all pages on a web site. For example, www.example.com or 192.168.144.155 controls access to all pages at this web site.
- Enter a top-level URL followed by the path and file name to control access to a single page on a web site. For example, www.example.com/monkey.html or 192.168.144.155/monkey.html controls access to the monkey page on this web site.
- To control access to all pages with a URL that ends with example.com, add example.com to the filter list. For example, adding example.com controls access to www.example.com, mail.example.com, www.finance.example.com, and so on.
- Control access to all URLs that match patterns using text and regular expressions (or wildcard characters). For example, example.* matches example.com, example.org, example.net and so on.
URLs with an action set to exempt or pass are not scanned for viruses. If users on the
network download files through the unit from a trusted web site, add the URL of this
web site to the URL filter list with an action to pass it so the unit does not virus scan
files downloaded from this URL.
1. In either the New Web Filter Profile or Edit Web Filter Profile page, select Enable Web Site Filter.
2. In the filter table, select Create New to add a new row to the table.
3. Enter the URL to filter in the URL column. Enter a top-level domain suffix (for example, “com” without the leading period) to block access to all web sites with this suffix.
4. Select the type from the drop-down list in the Type column. One of: Simple, Reg. Expression, or Wildcard.
5. Select the action to take from the drop-down list in the Action column. One of:
- Exempt: Allow trusted traffic to bypass the antivirus proxy operations.
- Block: Block access to any URLs matching the URL pattern and display a replacement message. See Replacement Messages on page 38.
- Allow: Allow access to any URL that matches the URL pattern.
- Monitor: Monitor traffic to and from URLs matching the URL pattern.
6. Select the status of the filter from the drop-down list in the Status column, either Enable or Disable, to enable or disable the filter.
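As an added illustration of the matching rules above (this is example code, not the unit's own matcher, which the guide does not describe), the following JavaScript evaluates a constructed web site filter table against URLs, applying the Simple, Wildcard and Reg. Expression rules as stated. The filter entries, the "first enabled match wins" ordering and the requirement that a sub-domain match fall on a dot boundary are assumptions made for the example; it also surfaces the point from the note above that Exempt entries skip virus scanning.

```javascript
// Added example, not FortiCache code: evaluates a URL against a filter table using the
// rules the guide gives for Simple, Wildcard and Reg. Expression entries. Ordering
// (first enabled match wins) and the dot-boundary sub-domain rule are assumptions.

// Split a URL or a filter entry into a lower-cased host and a path ("/" when none is given).
function splitUrl(url) {
  const noScheme = url.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "");
  const slash = noScheme.indexOf("/");
  const host = (slash === -1 ? noScheme : noScheme.slice(0, slash)).toLowerCase();
  const path = slash === -1 ? "/" : noScheme.slice(slash);
  return { host, path };
}

// Simple entries: "www.example.com" or "192.168.144.155" covers every page on that host;
// "example.com" also covers mail.example.com and so on; an entry with a path covers that page only.
function simpleMatch(entry, url) {
  const target = splitUrl(url);
  const pattern = splitUrl(entry);
  const hostOk = target.host === pattern.host || target.host.endsWith("." + pattern.host);
  return hostOk && (pattern.path === "/" || target.path === pattern.path);
}

// Wildcard entries: "*" matches any run of characters and "?" a single one ("example.*").
function wildcardMatch(entry, subject) {
  const re = "^" + entry.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re, "i").test(subject);
}

function filterMatches(filter, url) {
  const { host, path } = splitUrl(url);
  switch (filter.type) {
    case "Simple": return simpleMatch(filter.url, url);
    case "Wildcard": return wildcardMatch(filter.url, filter.url.includes("/") ? host + path : host);
    case "Reg. Expression": return new RegExp(filter.url, "i").test(host + path);
    default: throw new Error("unknown filter type: " + filter.type);
  }
}

// Constructed filter table, in the order it would appear in the profile.
const FILTERS = [
  { url: "www.example.com/monkey.html", type: "Simple", action: "Block", status: "Enable" },
  { url: "downloads.example.com", type: "Simple", action: "Exempt", status: "Enable" },
  { url: "example.com", type: "Simple", action: "Monitor", status: "Enable" },
  { url: "example.*", type: "Wildcard", action: "Allow", status: "Enable" },
  { url: "^192\\.168\\.144\\.\\d+/", type: "Reg. Expression", action: "Block", status: "Disable" },
];

// Returns the action of the first enabled matching entry. Exempt entries are flagged
// because the guide notes that URLs set to exempt or pass are not virus scanned.
function evaluateUrl(url, filters = FILTERS) {
  for (const f of filters) {
    if (f.status !== "Enable" || !filterMatches(f, url)) continue;
    return { action: f.action, rule: f.url, virusScanned: f.action !== "Exempt" };
  }
  return { action: null, rule: null, virusScanned: true };
}
```

Reading the result: an action of null means the URL filter made no decision and the rest of the profile (categories, content filter, antivirus) still applies; virusScanned false marks the trade-off an Exempt entry makes, which is why such entries should be limited to sites whose downloads you are prepared to trust unscanned.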
1. In either the New Web Filter Profile or Edit Web Filter Profile page, select Enable Web Site Filter.
2. In the filter table, double-click on a filter, or select the filter then select Edit in the toolbar.
3. Edit the filter settings as required.
1. In either the New Web Filter Profile or Edit Web Filter Profile page, select Enable Web Site Filter.
2. In the filter table, select the filter or filters that need to be deleted, then select Delete in the toolbar.
3. Select OK in the confirmation dialog box to delete the selected filter or filters.
The DLP system allows you to prevent sensitive data from leaving your network. Once sensitive data patterns are
defined, data matching the patterns will either be blocked, or logged then allowed.
The DLP system is configured by creating filters based on various attributes and expressions within DLP sensors,
then assigning the sensors to security policies.
DLP can also be used to prevent unwanted data from entering your network, and to archive content passing
through the FortiCache device.
DLP sensors
A DLP sensor is a package of filters. To use DLP, a DLP sensor must be selected and enabled in a security policy.
The traffic controlled by the security policy will be searched for the patterns defined in the filters contained in the
DLP sensor. Matching traffic will be passed or blocked according to the filters.
Ref.: Displays the number of times the sensor is referenced by other objects. To view the location of the referenced sensor, select the number in Ref.; the Object Usage window appears displaying the various locations of the referenced object.
1. Go to Security Profiles > Data Leak Prevention and select Create New from the toolbar. The New Sensor
window opens.
2. Enter a name for the new sensor in the Name field and, optionally, enter a description of the sensor in the
Comment field.
3. Add filters to the sensor. See To create a new sensor filter: on page 100.
4. Select OK to create the new sensor.
1. Select the sensor you would like to edit then select Edit from the toolbar, or double-click on the sensor in the table. The Edit Sensor window opens.
2. Edit the sensor name and comments as required.
3. Edit, create new, or delete sensor filters as required. See Sensor filters on page 99.
4. Select OK to apply your changes.
1. From the sensor list, select the sensor or sensors that you would like to delete, then select Delete from the
toolbar.
2. Select OK in the confirmation dialog box to delete the selected sensor or sensors.
To clone a sensor:
Sensor filters
Each DLP sensor must have one or more filters configured within it. Filters can examine traffic for:
1. From the New Sensor or Edit Sensor window, select Create New in the filter table toolbar. The New Filter
window opens.
Filter: Select Messages or Files to filter for specific messages or based on file attributes, respectively.
Containing: Select, then select Credit Card # or SSN from the drop-down list.
File Size: Select, then enter the maximum file size allowed, in kb. This option is only available when filtering files.
File Type included in: Select, then select a file filter from the drop-down list. See File filter on page 102. This option is only available when filtering files.
Watermark Sensitivity: If you are using watermarking on your files you can use this filter to check for watermarks that correspond to sensitivity categories that you have set up. See Watermarking on page 102. The Corporate Identifier ensures that you are only blocking watermarks that your company has placed on files, not watermarks with the same name from other companies. This option is only available when filtering files.
Regular Expression: Network traffic is examined for the pattern described by the regular expression. See Regular expressions on page 102.
Examine the Following Services: Select the services whose traffic the filter will examine. This allows resources to be optimized by only examining relevant traffic. The available services are: HTTP-POST, HTTP-GET, SMTP, POP3, IMAP, MAPI, FTP, and NNTP.
Action: Select an action to take if the filter is triggered from the drop-down list.
    Log Only: When the filter is triggered, the match is logged, but no other action is taken.
    Block: Traffic matching the filter is blocked and replaced with a replacement message. See Replacement Messages on page 38.
    Quarantine User: If the user has been authenticated: block all traffic to and from the user using the protocol that triggered the rule, and add the user to the banned user list (see User Quarantine on page 126). If the user has not been authenticated: block all traffic to and from the user's IP address using the protocol that triggered the rule. The banned user will receive an appropriate replacement message, depending on the service being used, until the quarantine time expires. Enter the amount of time that the user will be quarantined for (>= 1 minute).
    Quarantine IP Address: Block access for any IP address that sends traffic matching the filter. The IP address is added to the banned user list (see ), and an appropriate replacement message is sent for all connection attempts until the quarantine time expires. Enter the amount of time that the IP address will be quarantined for (>= 1 minute).
    Quarantine Interface: Block access to all users connecting to the interface that received the traffic matching the filter. The interface is added to the banned user list (see ), and an appropriate replacement message is sent for all connection attempts until the quarantine time expires. Enter the amount of time that the interface will be quarantined for (>= 1 minute).
1. From the New Sensor or Edit Sensor window, either double-click on a filter, or select a filter then select Edit in
the filter table toolbar. The Edit Filter window opens.
2. Edit the filter as required and select OK to apply your changes.
1. From the New Sensor or Edit Sensor window, select the filter or filters that you would like to delete, then select
Delete from the filter table toolbar.
2. Select OK in the confirmation dialog box to delete the selected filter or filters.
Regular expressions
Network traffic is examined for the pattern described by the regular expression specified in the DLP sensor filters.
Fortinet uses a variation of the Perl Compatible Regular Expressions (PCRE) library. For some examples of Perl
expressions, see Appendix A - Perl Regular Expressions on page 155. For more information about using Perl
regular expressions, go to http://perldoc.perl.org/perlretut.html.
By adding multiple filters containing regular expressions to a sensor, a dictionary can be developed within the sensor. The filters can include expressions that accommodate complex variations of words or target phrases. Within the sensor each expression can be assigned a different action, allowing for a very granular implementation.
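The following is an added example and not FortiCache code: it models a DLP sensor as a list of regular expression filters, each with its own action as described above, and runs it over constructed sample messages. The filter names, patterns and messages are constructed for the example. The Luhn checksum applied to card-number candidates is an added refinement that cuts false positives on arbitrary 16-digit strings; the guide does not state that the unit performs it.

```javascript
// Added example, not FortiCache code: a DLP sensor as a dictionary of regex filters with
// per-filter actions, run over constructed sample messages. The Luhn check is an added
// refinement, not something the guide attributes to the unit.

// Luhn checksum used by payment card numbers; `digits` is a string of 13 to 19 digits.
function luhnValid(digits) {
  if (!/^\d{13,19}$/.test(digits)) return false;
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (doubleIt) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// The sensor: one regular expression per filter, each with its own action.
// `validate` is an extra post-match check that must pass before the filter counts as triggered.
const SENSOR = [
  { name: "card-number", regex: /\b(?:\d[ -]?){12,18}\d\b/g, action: "Block",
    validate: (m) => luhnValid(m.replace(/[ -]/g, "")) },
  { name: "us-ssn", regex: /\b\d{3}-\d{2}-\d{4}\b/g, action: "Block" },
  // Dictionary-style entry covering spelling variations of a code name; logged, not blocked.
  { name: "codename", regex: /\b(?:proj(?:ect)?[ _-]?)?blue[ _-]?heron\b/gi, action: "Log Only" },
];

// Runs every filter over the message and resolves the overall action: any Block wins,
// otherwise Log Only if something matched, otherwise Pass.
function evaluateMessage(text, sensor = SENSOR) {
  const hits = [];
  for (const f of sensor) {
    for (const m of text.matchAll(f.regex)) {
      if (f.validate && !f.validate(m[0])) continue;
      hits.push({ filter: f.name, action: f.action, match: m[0] });
    }
  }
  const action = hits.some((h) => h.action === "Block") ? "Block" : hits.length ? "Log Only" : "Pass";
  return { action, hits };
}

// Constructed sample traffic, such as the bodies of HTTP-POST or SMTP messages.
const SAMPLE_MESSAGES = [
  "Card 4111 1111 1111 1111 exp 12/29",   // Luhn-valid test number: blocked
  "Order ref 1234 5678 9012 3456",        // 16 digits but fails Luhn: passes
  "Project Blue-Heron kickoff on Monday", // dictionary match: logged only
  "SSN 123-45-6789 on file",              // SSN pattern: blocked
];
```

The second sample message is the reason for the validator: a bare 16-digit regex flags order numbers, tracking codes and timestamps as card numbers, and a Block action on such a filter interrupts legitimate traffic. Keeping the checksum outside the regular expression also keeps the pattern readable, which matters when a sensor grows into a dictionary of dozens of filters.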
Watermarking
Watermarking means marking files with a digital pattern to designate them as proprietary to a specific company. Fortinet’s watermarking tool is built into FortiExplorer. It can add watermarks to single files as well as entire directories. The tool adds a small (~178B) pattern to a file that is recognized by the DLP watermark filter configured on your device.
The DLP system only works with Fortinet’s watermarking tool. For more information, see the FortiExplorer User Guide, available from the Fortinet Document Library.
File filter
File filters allow you to block files based on their file names and types.
When a file filter list is applied to a DLP sensor filter, the network traffic is examined against the list entries, and,
if the sensor filter is triggered, the predefined action is taken by the DLP sensor filter.
1. Create a DLP sensor.
2. Edit the sensor to filter either messages or specific file types.
3. Select the DLP sensor in a security policy.
1. From the Edit DLP Sensor window, either double-click on a filter in the file filter table, or select a filter then select
Edit Filter in the table toolbar. The Edit Filter window opens.
2. Edit the filter settings as required, then select OK to apply your changes.
1. From the Edit File Filter Table window, select the file filter or filters that you need to delete.
2. Select Delete from the toolbar.
3. Select OK in the confirmation dialog box to delete the selected file filter or filters.
1. Go to Security Profiles > Data Leak Prevention and edit the desired sensor.
2. Select Create New from the file filters table.
3. In the New Filter window, select the Files filter type.
4. Select to Specify File Types and select the file types to filter.
5. Configure the remaining options as desired.
File types
ICAP
ICAP is supported in this release. ICAP is a lightweight request/response protocol that allows the FortiCache unit to offload HTTP and HTTPS traffic to external servers for different kinds of processing.
You can offload HTTP responses or HTTP requests (or both) to the same or different ICAP servers.
ICAP does not appear by default in the GUI. You must enable it in System > Admin >
Settings to display ICAP in the GUI. See Settings on page 54.
Profile
The ICAP menu allows you to view and configure ICAP profiles and ICAP servers which can then be applied to a
policy.
If you enable ICAP in a security policy, HTTP traffic intercepted by the policy is transferred to the ICAP servers in
the ICAP profile added to the policy. The FortiCache unit acts as the surrogate, or middle-man, and carries the
ICAP responses from the ICAP server to the ICAP client. The ICAP client then responds back, and the FortiCache
unit determines the action that should be taken with these ICAP responses and requests.
ICAP profiles are configured under Security Profiles > Advanced > ICAP Servers.
Request Processing: If request processing is enabled, a green circle with a check mark is shown. If disabled, a gray circle with an x is shown.
Bypass Streaming Media: If media streaming is bypassed, a green circle with a check mark is shown. If it is not bypassed, a gray circle with an x is shown.
1. In the ICAP profile list, select Create New from the toolbar. The New ICAP Profile page opens.
Select a server from the drop-down menu, specify the path on the server to the processing component, and then select the behavior on failure, either Error or Bypass.
Enable Streaming Media Bypass: Select to allow streaming media to ignore offloading to the ICAP server.
1. Select the profile you would like to edit then select Edit from the toolbar, or double-click on the profile. The Edit
ICAP Profile window opens.
2. Edit the profile information as required and select Apply to apply your changes.
Server
To view the ICAP server list, go to Security Profiles > Advanced > ICAP Servers.
1. In the ICAP Server list, select Create New from the drop-down. The New ICAP Server window opens.
Port: Enter the TCP port number used by the ICAP server, from 1 to 65535 (default = 1344).
1. Select the server you would like to edit then select Edit from the toolbar, or double-click on the server. The Edit
ICAP Server window opens.
2. Edit the ICAP server information as required and select OK to apply your changes.
1. Select the ICAP server or servers that you would like to delete.
2. Select Delete from the toolbar.
3. Select OK in the confirmation dialog box to delete the selected server or servers.
Content Analysis
Content Analysis is a licensed feature that allows you to detect adult content in real-time. This service is a real
time analysis of the content passing through the FortiCache. Unlike other image analysis tools, this one does not
just look for skin tone colors but can detect limbs, body parts, and the position of bodies. Once detected, such
content can be optionally blocked or reported.
When a client HTTP requests an image, the HTTP header content-type determines the image type. Then the
WAD process holds the image content from the server for scanning prior to sending it to the client.
If the scan results are larger than the configurable threshold, the requested image will be blocked and the client
will receive a replacement image. This replacement image will keep the same image type and size if you enable
the option to re-size images. The FortiCache will store the results to improve performance for future requests.
The default settings provide a good balance, but they will never be 100% and may require some adjustment.
Profile
In order to use Content Analysis you need to setup at least one profile and apply it to a policy. Content Analysis
profiles are configured under Security Profiles > Content Analysis.
When you select Create New or Edit, the following attributes can be configured:
Image Score Threshold: The higher the image score, the more chance of the image being explicit. The challenge with this is that if you set it too high, it will block legitimate images. If you set it too low it will allow explicit images through. If the image score is above the Image Score Threshold setting, the Rating Error Action is taken (see below).
This value represents the size of image that will be skipped by the image scan unit, in kilobytes. Images that are too small are difficult to scan and are more likely to be rated incorrectly by the image scan engine.
Image Rating Sensitivity: This value determines the strictness of the Image Score Threshold. The higher the sensitivity, the more strict it will be on the threshold. Make it too strict and you end up blocking legitimate images. The default, but balanced, value is 75.
Rating Error Action: Set to either Pass or Block the image when it exceeds the rating threshold.
Replace Image Action: If you choose to display a replacement image (see below), you can set the Replace Image Action value to re-size the replacement image to match the original (re-size), or leave the replacement image at its default size (no re-size).
Displaying and clearing the image cache require a license, otherwise these commands will not be available.
The User menu allows you to configure authentication settings and user accounts. Users can also be monitored,
and user groups and remote servers can be configured.
- User
- Authentication
- Monitor
User
A user is a user account that consists of a user name, password and, in some cases, other information that can be
configured on the unit or on an external authentication server. Users can access resources that require
authentication only if they are members of an allowed user group.
User definition
A local user is a user configured on a unit. The user can be authenticated with a password stored on the unit or
with a password stored on an authentication server. The user name must match a user account stored on the unit
and the user name and password must match a user account stored on the authentication server associated with
the user.
Create New: Run the new user wizard and create a new user.
Ref.: Displays the number of times the user is referenced by other objects. To view the location of the referenced user, select the number in Ref.; the Object Usage window appears displaying the various locations of the referenced object.
To edit a user:
1. Select the user you would like to edit then select Edit from the toolbar, or double-click on the user in the table. The
Edit User window opens.
2. Edit the user information as required, or select Disable to disable the user.
3. Select OK to apply your changes.
1. Select the user or users that you would like to delete. You cannot delete a user that is currently in a group.
2. Select Delete from the toolbar.
3. Select OK in the confirmation dialog box to delete the selected user or users.
1. In the Choose User Type page of the User Creation Wizard, select Local User, then select Next. The Specify
Login Credentials page opens.
2. Enter a name for the user in the User Name field, and enter a password in the Password field.
3. Select Next to proceed to the Provide Contact Info page.
4. Enter an email address for the user in the Email Address field, then select next to proceed to the Provide Extra
Info page.
5. Select Enable to enable the new user.
6. To place the user into a group, select User Group, then select a group from the drop-down menu. For information on user groups, see User on page 109.
7. Select Done to create the new local user and return to the user list.
1. In the Choose User Type page of the User Creation Wizard, select Remote RADIUS User, then select Next.
The Specify RADIUS Server page opens.
2. Enter a name for the user in the User Name field.
3. Select a RADIUS server from the drop-down list. For information on RADIUS servers, see RADIUS server on page
120.
4. Select Next to proceed to the Provide Contact Info page.
5. Enter an email address for the user in the Email Address field, then select Next to proceed to the Provide Extra
Info page.
6. Select Enable to enable the new user.
7. To place the user into a group, select User Group, then select a group from the drop-down menu. For information on user groups, see User on page 109.
8. Select Done to create the new RADIUS user and return to the user list.
By default, the TACACS+ Server option is not visible unless you add a server using the following CLI command:
config user tacacs+
    edit <name>
        set server <IP>
    next
end
1. In the Choose User Type page of the User Creation Wizard, select Remote TACACS+ User.
2. Select Next to proceed to the Specify TACACS+ Server page.
3. Enter a name for the user in the User Name field.
4. Select a TACACS+ server from the drop-down list. For information on TACACS+ servers, see TACACS+ server on
page 122.
5. Select Next to proceed to the Provide Contact Info page.
6. Enter an email address for the user in the Email Address field, then select Next to proceed to the Provide Extra
Info page.
7. Select Enable to enable the new user.
8. To place the user into a group, select User Group, then select a group from the drop-down menu. For information on user groups, see User on page 109.
9. Select Done to create the new TACACS+ user and return to the user list.
To create a new LDAP user:
1. In the Choose User Type page of the User Creation Wizard, select Remote LDAP User, then select Next. The
Specify LDAP Server page opens.
2. To choose an existing LDAP server, select Choose Existing, then select a server from the drop-down list.
3. To create a new LDAP server, select Create New, then enter the required information. See LDAP server on page
118.
4. Select Next to proceed to the Select Remote User page.
5. Enter the LDAP filter in the LDAP Filter field, then select Apply Filter.
6. Enter a search term in the Search field to search the server, then select a user from the results.
7. Select Next to proceed to the Confirm Selection page.
8. Confirm that the selection is correct, then select Done to add the remote LDAP user.
User group
A user group is a list of user identities. An identity can be:
• a local user account (user name and password) stored on the Fortinet unit
• a local user account with a password stored on a RADIUS, LDAP, or TACACS+ server
• a RADIUS, LDAP, or TACACS+ server (all identities on the server can authenticate)
• a user or user group defined on a Directory Service server.
Each user group is one of the following types: Firewall, FSSO, Guest, or RADIUS Single Sign-On (RSSO).
For each resource that requires authentication, you specify which user groups are permitted access. You need to
determine the number and membership of user groups appropriate to your authentication needs.
Users that are associated with multiple groups have access to all services within all the user groups that they are
associated with. This is only available in the CLI. The command used is auth-multi-group, which is enabled
by default. This feature checks all groups a user belongs to for firewall authentication.
Members
    The names of the members in the group. To adjust the way users are listed in the column, see To configure
    the member column: on page 114.
To create a new user group:
1. In the user group list, select Create New from the toolbar. The New User Group window opens.
2. Enter a name for the group in the Name field.
3. Select the group type in the Type field, one of: Firewall, FSSO, Guest, or RSSO.
Firewall
    This type of group can be selected in any security policy that requires firewall authentication.
    Members
        Select users to add to the group from the drop-down list.
Fortinet Single Sign-On (FSSO)
    This type of group can be selected in any security policy that requires Fortinet Single Sign-On (FSSO)
    authentication.
    Members
        Select users to add to the group from the drop-down list.
Guest
    This type of group can be selected in any security policy that allows guest authentication.
    Expire Type
        Select the expire type, either After first login or Immediately.
    Default Expire Time
        Select the default expire time in Days, Hours, Minutes, or Seconds.
    Enable SMS
        Select to enable SMS, then select a service type from the Service Type drop-down list.
RADIUS Single Sign-On (RSSO)
    This type of group can be selected in any security policy that requires RSSO authentication.
    RADIUS Attribute Value
        Enter the RADIUS attribute value. This value matches the value from the RADIUS Accounting-Start
        attribute "Class".
To edit a user group:
1. Select the group you would like to edit, then select Edit from the toolbar, or double-click on the group in the
table. The Edit User Group window opens.
2. Edit the information as required, then select OK to apply your changes.
To configure the member column:
1. In the user group list, right-click anywhere on the column headings and select Members Column Option. The
Member Column Option window opens.
2. Enter the number of subcolumns that the member column will contain in the Number of Sub-Columns field, from
1 to 12 (default = 4).
3. Enter the number of lines to display in the Lines of Objects to Display field, from 1 to 100 (default = 6).
If more users are in a group than can be displayed in accordance with the member column settings, a
Display More option will be added to the row that also shows how many users are hidden and how many
users are contained in the group in total.
Authentication
FortiCache units support the use of external authentication servers. An authentication server can provide
password checking for selected FortiCache users or it can be added as a member of a FortiCache user group.
If you are going to use authentication servers, you must configure the servers before you configure FortiCache
users or user groups that require them.
• Single sign-on
• LDAP server
• RADIUS server
• TACACS+ server
• Settings
Single sign-on
Fortinet units use security policies to control access to resources based on user groups configured in the policies.
Each Fortinet user group is associated with one or more Directory Service user groups. When a user logs in to the
Windows or Novell domain, an FSSO agent sends the user’s IP address, and the names of the Directory Service
user groups that the user belongs to, to the FortiCache unit.
The FSSO agent has two components that must be installed on your network:
• The domain controller agent must be installed on every domain controller to monitor user logins and send
information about them to the collector agent.
• The Collector agent must be installed on at least one domain controller to send the information received from the
domain controller agents to the Fortinet unit. Alternatively, a FortiAuthenticator server can take the place of the
Collector agent in an FSSO polling mode configuration.
The unit uses this information to maintain a copy of the domain controller user group database. Because the
domain controller authenticates users, the unit does not perform authentication. It recognizes group members by
their IP address. You must install the FSSO Agent on the network and configure the unit to retrieve information
from the Directory Service server.
To manage single sign-on (SSO) servers, go to User > Authentication > Single Sign-on.
Type
    An icon representing the type of server. Hover your cursor over the icon to view the type.
LDAP Server
    The LDAP server associated with the FSSO server.
To create a new single sign-on server:
1. In the single sign-on server list, select Create New from the toolbar. The New Single Sign-On Server page
opens.
2. Select the type of server that will be created in the Type field. One of: Poll Active Directory Server, Fortinet
Single Sign-On Agent, or RADIUS Single Sign-On Agent.
Only one RADIUS single sign-on agent can be created on the FortiCache device.
LDAP Server
    Select an LDAP server from the drop-down list to access the Directory Service.
Users/Groups
    If an LDAP server is selected, view or edit the users or groups associated with the server.
Primary Agent IP/Name
    Enter the IP address or name for the primary agent. Then enter the password in the Password field.
Secondary Agent Name/IP
    Enter the IP address or name for the secondary agent. Then enter the password in the Password field.
More FSSO agents
    Select More FSSO agents to add up to three more FSSO agents. Enter the IP address or name of the Directory
    Service server where the collector agent is installed. The maximum number of characters is 63. Then enter
    the password for the collector agent. This is required only if you configured your FSSO collector agent to
    require authenticated access.
LDAP Server
    Select an LDAP server from the drop-down list to access the Directory Service.
Users/Groups
    If an LDAP server is selected, view or edit the users or groups associated with the server.
Use RADIUS Shared Secret
    Select to use a RADIUS shared secret, then enter the shared secret in the Shared Secret field.
To edit a single sign-on server:
1. Select the server you would like to edit, then select Edit from the toolbar, or double-click on the server in the
list. The Edit Single Sign-On Server window opens.
2. Edit the server information as required and select OK to apply your changes.
LDAP server
LDAP is an Internet protocol used to maintain authentication data that may include departments, people, groups
of people, passwords, email addresses, and printers. LDAP consists of a data-representation scheme, a set of
defined operations, and a request/response network.
Name
    The name that identifies the LDAP server on the Fortinet unit.
Port
    The TCP port used to communicate with the LDAP server. By default, LDAP uses port 389.
Common Name Identifier
    The common name identifier for the LDAP server.
Distinguished Names
    The base distinguished name for the server using the correct X.500 or LDAP format. The unit passes this
    distinguished name unchanged to the server.
Ref.
    Displays the number of times the server is referenced to other objects. To view the location of the
    referenced server, select the number in Ref.; the Object Usage window appears displaying the various
    locations of the referenced object.
To create a new LDAP server:
1. In the LDAP server list, select Create New from the toolbar. The New LDAP Server window opens.
Name
    Enter the name that identifies the LDAP server on the Fortinet unit.
Server Name/IP
    Enter the domain name or IP address of the LDAP server.
Server Port
    Enter the TCP port used to communicate with the LDAP server. By default, LDAP uses port 389.
    If you use a secure LDAP server, the default port changes if you select Secure Connection.
Common Name Identifier
    Enter the common name identifier for the LDAP server. The maximum number of characters is 20.
Distinguished Name
    Enter the base distinguished name for the server using the correct X.500 or LDAP format. The unit passes
    this distinguished name unchanged to the server. The maximum number of characters is 512.
Query icon
    View the LDAP server Distinguished Name Query tree for the LDAP server that you are configuring so that
    you can cross-reference the Distinguished Name.
Secure Connection
    Select to use a secure LDAP server connection for authentication.
Protocol
    Select a secure LDAP protocol to use for authentication, either LDAPS or STARTTLS.
    Depending on your selection, the server port will change to the default port for the selected protocol:
To edit an LDAP server:
1. Select the LDAP server you would like to edit, then select Edit from the toolbar, or double-click on the server
in the server list. The Edit LDAP Server window opens.
2. Edit the server information as required and select OK to apply your changes.
RADIUS server
RADIUS is a broadly supported client/server protocol that provides centralized authentication, authorization, and
accounting functions. RADIUS clients are built into gateways that allow access to networks, such as Virtual Private
Network (VPN) servers, Network Access Servers (NAS), as well as network switches and firewalls that use
authentication. FortiCache units fall into the last category.
RADIUS servers use UDP packets to communicate with the RADIUS clients on the network to:
You must configure the RADIUS server to accept the FortiCache unit as a client. FortiCache units use the
authentication and accounting functions of the RADIUS server.
When a configured user attempts to access the network, the FortiCache unit will forward the authentication
request to the RADIUS server, which will then match the username and password remotely. Once authenticated,
the RADIUS server passes the Authorization Granted message to the FortiCache unit, which then grants the user
permission to access the network.
The RADIUS server uses a “shared secret” key, along with MD5 hashing, to encrypt information passed between
RADIUS servers and clients, including the FortiCache unit. Typically, only user credentials are encrypted.
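The "shared secret plus MD5" protection described above is the User-Password hiding of RFC 2865 section 5.2. The following is an added example (not Fortinet code) of that mechanism as a client and server each perform it, and it shows that only the User-Password attribute is protected while User-Name and NAS-IP-Address are sent in the clear. The secret, authenticator and credentials are constructed values.

```python
import hashlib
import os
from typing import Optional

BLOCK = 16  # RFC 2865 processes the password in 16-octet blocks


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(shared_secret: bytes, request_authenticator: bytes,
                       password: bytes) -> bytes:
    """Obfuscate a User-Password value as a RADIUS client does (RFC 2865 5.2):
    b1 = MD5(S + RA), c1 = p1 XOR b1; bi = MD5(S + c(i-1)), ci = pi XOR bi."""
    if len(request_authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1 to 128 octets")
    # Pad with NUL octets up to a multiple of 16.
    padded = password + b"\x00" * (-len(password) % BLOCK)
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), BLOCK):
        b = hashlib.md5(shared_secret + prev).digest()
        c = _xor(padded[i:i + BLOCK], b)
        out += c
        prev = c  # later blocks are chained on the previous ciphertext block
    return bytes(out)


def reveal_user_password(shared_secret: bytes, request_authenticator: bytes,
                         hidden: bytes) -> bytes:
    """Inverse of hide_user_password, as the RADIUS server performs it
    before matching the password against its user store."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden value must be a non-empty multiple of 16 octets")
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), BLOCK):
        c = hidden[i:i + BLOCK]
        out += _xor(c, hashlib.md5(shared_secret + prev).digest())
        prev = c
    # Strip the NUL padding (a password cannot end in NUL under this scheme).
    return bytes(out).rstrip(b"\x00")


def build_access_request_attributes(shared_secret: bytes, username: str,
                                    password: str, nas_ip: str,
                                    request_authenticator: Optional[bytes] = None) -> dict:
    """Show which Access-Request attributes are protected: only User-Password
    (type 2) is hidden; User-Name (type 1) and NAS-IP-Address (type 4) are
    carried in the clear, which is what "only user credentials are encrypted" means."""
    ra = request_authenticator or os.urandom(BLOCK)  # fresh per request
    return {
        "Request-Authenticator": ra,
        "User-Name": username.encode(),                 # cleartext
        "User-Password": hide_user_password(shared_secret, ra, password.encode()),
        "NAS-IP-Address": nas_ip,                       # cleartext
    }


if __name__ == "__main__":
    secret = b"Fc16CharSecret!!"  # constructed; 16 characters, the documented maximum
    attrs = build_access_request_attributes(secret, "alice", "Passw0rd!", "192.0.2.10")
    recovered = reveal_user_password(secret, attrs["Request-Authenticator"],
                                     attrs["User-Password"])
    assert recovered == b"Passw0rd!"
    print({k: (v.hex() if isinstance(v, bytes) else v) for k, v in attrs.items()})
```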
Name
    The name that identifies the RADIUS server on the unit.
Server Name/IP
    The domain name or IP address of the primary and, if applicable, secondary, RADIUS server.
To create a new RADIUS server:
1. In the RADIUS server list, select Create New from the toolbar. The New RADIUS Server window opens.
Name
    Enter the name that is used to identify the RADIUS server on the unit.
Primary Server Name/IP
    Enter the domain name or IP address of the primary RADIUS server.
Primary Server Secret
    Enter the RADIUS server secret key for the primary RADIUS server. The primary server secret key length
    can be up to a maximum of 16 characters. For security reasons, it is recommended that the server secret
    key be the maximum length.
Secondary Server Name/IP
    Enter the domain name or IP address of the secondary RADIUS server, if applicable.
Secondary Server Secret
    Enter the RADIUS server secret key for the secondary RADIUS server. The secondary server secret key can
    be up to a maximum length of 16 characters.
Authentication Scheme
    Select Use Default Authentication Scheme to authenticate with the default method: PAP, MSCHAP-V2, and
    CHAP, in that order.
    Select Specify Authentication Protocol to override the default authentication method, then choose the
    protocol from the list: MSCHAP-V2, MS-CHAP, CHAP, or PAP.
NAS IP/Called Station ID
    Optionally, enter the NAS IP address (RADIUS Attribute 31, outlined in RFC 2548).
    In this configuration, the FortiCache unit is the NAS and this is how the RADIUS server registers all valid
    servers that use its records.
    If you do not enter an IP address, the IP address that the Fortinet interface uses to communicate with the
    RADIUS server will be applied.
Include in every User Group
    Select Enable to have the RADIUS server automatically included in all user groups.
To edit a RADIUS server:
1. Select the RADIUS server you would like to edit, then select Edit from the toolbar, or double-click on the server
in the server list. The Edit RADIUS Server window opens.
2. Edit the server information as required and select OK to apply your changes.
TACACS+ server
TACACS+ is a remote authentication protocol that provides access control for routers, network access servers,
and other networked computing devices via one or more centralized servers. TACACS+ allows a client to accept a
username and password and send a query to a TACACS+ authentication server. The server host determines
whether to accept or deny the request and sends a response back that allows or denies the user access to the
network.
TACACS+ offers fully encrypted packet bodies, and supports both IP and AppleTalk protocols. TACACS+ uses
TCP port 49, which is seen as more reliable than RADIUS’s UDP protocol.
There are several different authentication protocols that TACACS+ can use during the authentication process.
Protocol Definition
Auto
    The default protocol configuration, Auto, uses PAP, MS-CHAP, and CHAP, in that order.
By default, the TACACS+ Servers option is not visible unless you add a server using the following CLI command:
config user tacacs+
    edit <name>
        set server <IP>
    next
end
Name
    The name that identifies the TACACS+ server on the unit.
Ref.
    Displays the number of times the server is referenced to other objects. To view the location of the
    referenced server, select the number in Ref. The Object Usage window appears displaying the various
    locations of the referenced object.
To create a new TACACS+ server:
1. In the TACACS+ server list, select Create New from the toolbar. The New TACACS+ Server window opens.
Server IP/Name
    Enter the domain name or IP address of the TACACS+ server.
Server Secret
    Enter the key to access the TACACS+ server. The server key can be a maximum of 16 characters in length.
Authentication Type
    Select the authentication type to use for the TACACS+ server: Auto, ASCII, PAP, CHAP, or MSCHAP.
    Auto authenticates using PAP, MSCHAP, then CHAP (in that order).
To edit a TACACS+ server:
1. Select the TACACS+ server you would like to edit, then select Edit from the toolbar, or double-click on the
server in the server list. The Edit TACACS+ Server window opens.
2. Edit the server information as required and select OK to apply your changes.
Settings
This submenu provides settings for configuring authentication timeout, protocol support, and authentication
certificates. When user authentication is enabled within a security policy, the authentication challenge is normally
issued for any of the four protocols (depending on the connection protocol):
When you enable user authentication within a security policy, the security policy user will be challenged to
authenticate. For user ID and password authentication, users must provide their user names and passwords. For
certificate authentication (HTTPS or HTTP redirected to HTTPS only), you can install customized certificates on
the unit, and the users can also have customized certificates installed on their browsers. Otherwise, users will see
a warning message and have to accept a default Fortinet certificate.
Configure the following settings, then select Apply to apply your changes:
Authentication Timeout
    Enter the amount of time, in minutes, that an authenticated firewall connection can be idle before the user
    must authenticate again. From 1 to 480 minutes (default = 5).
Protocol Support
    • HTTP
    • Redirect HTTP Challenge to a Secure Channel (HTTPS)
    • HTTPS
    • FTP
    • Telnet
Monitor
You can go to the Monitor menu to view lists of currently authenticated users, and banned users. For each
authenticated user, the list includes the user name, user group, how long the user has been authenticated
(Duration), how long until the user’s session times out (Time left), and the method of authentication used. The
Banned User list includes users configured by administrators.
Firewall
In some environments, it is useful to determine which users are authenticated by the FortiCache unit and allow
the system administrator to de-authenticate (stop current session) users. With the firewall monitor, you can de-
authenticate all currently authenticated users, or select individual users to de-authenticate. To permanently stop
a user from re-authenticating, change the configuration (disable a user account) and then use the user monitor to
immediately end the user’s current session.
Monitored firewall users can be viewed from User > Monitor > Firewall. This page lists all authenticated firewall
users that are currently authenticated by the unit and active. This page allows you to refresh the information on
the page, as well as filter the information.
De-authenticate
    Stop authenticated sessions for all selected users in the Firewall user monitor list. Users must
    re-authenticate with the firewall to resume their communication session.
Show all FSSO Logons
    Select to include all of the FSSO logins in the list.
User Group
    The group that the remote user is a member of.
Traffic Volume
    The amount of traffic going through the unit that is generated by the user.
Method
    The authentication method used for the user by the unit, such as FSSO Agent, firewall authentication, or
    NTLM.
Time-left
    Shows the amount of time remaining for the user. This column is not visible by default. Right-click in the
    column headings to add it.
User Quarantine
The user quarantine shows all IP addresses and interfaces blocked by Network Access Control (NAC) quarantine.
The list also shows all IP addresses, authenticated users, senders, and interfaces blocked by DLP.
The system administrator can selectively release users or interfaces from quarantine, or configure quarantine to
expire after a selected time period.
All sessions started by users or IP addresses on the banned user list are blocked until the user or IP address is
removed from the list. All sessions to an interface on the list are blocked until the interface is removed from the
list.
The user quarantine is viewed from User > Monitor > User Quarantine.
Application Protocol
    The protocol that was used by the user or IP address.
Cause or rule
    The Fortinet function that caused the user or IP address to be added to the list.
Created
    The date and time that the user or IP address was added to the list.
Expires
    The date and time that the user or IP address will be automatically removed from the list. If Expires is
    Indefinite, the entry must be manually removed from the list.
You can use web caching to cache web pages from any web server. All traffic between a client network and one or
more web servers is then intercepted by a web cache policy. This policy causes the FortiCache unit to cache
pages from the web servers on the FortiCache unit and makes the cached pages available to users on the client
network. Web caching can be configured for standard and reverse web caching.
In a standard web caching configuration, the FortiCache unit caches pages for users on a client network. A router
sends HTTP traffic to be cached to the FortiCache unit.
You can also create a reverse proxy web caching configuration where the FortiCache unit is dedicated to
providing web caching for a single web server or server farm. In this second configuration, one or more
FortiCache units can be installed between the server network and the WAN or Internet, or traffic to be cached
can be routed to the FortiCache units.
You can add WAN Optimization to improve traffic performance and efficiency as it crosses the WAN.
FortiCache WAN optimization consists of a number of techniques that you can apply to improve the efficiency of
communication across your WAN. These techniques include protocol optimization, byte caching, web caching,
SSL offloading, and secure tunneling.
Protocol optimization can improve the efficiency of traffic that uses the CIFS, FTP, HTTP, or MAPI protocol, as
well as general TCP traffic. Byte caching caches files and other data on FortiCache units to reduce the amount of
data transmitted across the WAN. Web caching stores web pages on FortiCache units to reduce latency and
delays between the WAN and web servers. SSL offloading offloads SSL decryption and encryption from web
servers onto FortiCache SSL acceleration hardware. Secure tunneling secures traffic as it crosses the WAN.
You can apply different combinations of these WAN optimization techniques to a single traffic stream depending
on the traffic type. For example, you can apply byte caching and secure tunneling to any TCP traffic. For HTTP
and HTTPS traffic, you can also apply protocol optimization and web caching.
To configure WAN optimization profiles, go to WAN Opt. & Cache > WAN Opt. Profiles > Profiles. The Edit
WAN Optimization Profile page is displayed.
Configure the following settings, then select Apply to apply any changes:
View List
    View the WAN optimization profile list. See Profile list on page 130.
Authentication Group
    Enable, then select the authentication group from the drop-down list that will be applied to the WAN
    optimization profile.
Protocol Options
    Select the protocols that are enabled for this profile: CIFS, FTP, HTTP, MAPI, TCP.
Port
    Specify the port number for the protocol. The default values are:
    • CIFS: 445
    • FTP: 21
    • HTTP: 80
    • MAPI: 135
    • TCP: 1 - 65535
Profile list
The WAN optimization profile list can be viewed by selecting View List in the Edit WAN Optimization Profile
page toolbar.
Authentication Group
    The authentication group used by the profile, if any. See Authentication groups on page 132.
To create a new WAN optimization profile:
1. From either the Edit WAN Optimization Profile page or the WAN optimization profile list, select Create New.
2. Enter the required information, then select OK to create the new WAN optimization profile.
To edit a WAN optimization profile:
1. From the Edit WAN Optimization Profile page, select the profile you need to edit from the profile drop-down list.
From the profile list, either select the profile you would like to edit then select Edit from the toolbar, or
double-click on the profile name in the list.
2. Edit the information as required, then select Apply to apply your changes.
To clone a WAN optimization profile:
1. From the Edit WAN Optimization Profile page, select the profile you need to clone from the profile drop-down list.
2. Select Clone from the toolbar.
3. Enter a name for the profile in the dialog box, then select OK.
4. Edit the clone as required.
To delete a WAN optimization profile:
1. From the profile list, select the profile or profiles that you would like to delete.
2. Select Delete from the toolbar.
3. Select OK in the confirmation dialog box to delete the selected profile or profiles.
The client-side and server-side FortiCache units are called WAN optimization peers because all of the FortiCache
units in a WAN optimization network have the same peer relationship with each other. The client and server roles
relate to how a session is started. Any FortiCache unit configured for WAN optimization can be both a client-side
and a server-side FortiCache unit at the same time, depending on the direction of the traffic. Client-side
FortiCache units initiate WAN optimization sessions and server-side FortiCache units respond to the session
requests. Any FortiCache unit can be a client-side FortiCache unit for some sessions and a server-side
FortiCache unit for others.
To identify all of the WAN optimization peers that a FortiCache unit can perform WAN optimization with, host IDs
and IP addresses of all of the peers are added to the FortiCache unit configuration. The peer IP address is
actually the IP address of the peer unit interface that communicates with the FortiCache unit.
Peers
Go to WAN Opt. & Cache > WAN Opt. Peers > Peers to view the WAN optimization peer list.
Local Host ID
    The local host ID. Enter an ID, then select Apply to apply the ID.
Ref.
    Displays the number of times the peer is referenced to other objects. To view the location of the
    referenced peer, select the number in Ref.; the Object Usage window appears displaying the various
    locations of the referenced object.
To create a new WAN optimization peer:
1. From the peer list, select Create New in the toolbar. The New WAN Optimization Peer window opens.
To edit a WAN optimization peer:
1. Select the peer you would like to edit, then select Edit from the toolbar, or double-click on the peer in the
peer list. The Edit WAN Optimization Peer window opens.
2. Edit the peer as required and select OK to apply your changes.
Authentication groups
You need to add authentication groups to support authentication and secure tunneling between WAN
optimization peers.
To perform authentication, WAN optimization peers use a certificate or a pre-shared key added to an
authentication group so they can identify each other before forming a WAN optimization tunnel. Both peers must
have an authentication group with the same name and settings. The authentication group is added to a peer-to-
peer or active rule on the client-side FortiCache unit. When the server-side FortiCache unit receives a tunnel start
request that includes an authentication group from the client-side unit, the server-side unit finds an authentication
group in its configuration with the same name. If both authentication groups have the same certificate or pre-
shared key, the peers can authenticate and set up the tunnel.
Go to WAN Opt. & Cache > WAN Opt. Peers > Authentication Groups to manage the authentication groups.
Authentication Method
    The authentication used by the group, either Certificate or Pre-shared key.
Ref.
    Displays the number of times the group is referenced to other objects. To view the location of the
    referenced group, select the number in Ref.; the Object Usage window appears displaying the various
    locations of the referenced object.
To create a new authentication group:
1. Select Create New from the toolbar. The New Authentication Group window opens.
Accept Peer(s)
    Select the peer acceptance method for the authentication group.
    • Any: If you do not know the peer host IDs or IP addresses of the peers that will use this authentication
    group. This setting is most often used for WAN optimization with FortiCache units that do not have static
    IP addresses, such as units that use DHCP.
    • Defined Only: Authenticate only with peers that have been added to the peer list.
    • Specify: Select a peer from the drop-down list to authenticate with the selected peer only. Select Create
    New from the drop-down list to create a new peer; see To create a new WAN optimization peer: on page 132.
To edit an authentication group:
1. Select the group you would like to edit, then select Edit from the toolbar, or double-click on the group in the
authentication group list. The Edit Authentication Group window opens.
2. Edit the group information as required and select OK to apply your changes.
Cache
Web cache settings can be optimized to improve performance and specific URL patterns can be exempt from
caching and/or forwarded to a web proxy server.
Settings
In most cases, the default settings for the WAN optimization web cache are acceptable. However, you may want
to change them to improve performance or optimize the cache for your configuration.
Configure the following settings, then select Apply to apply your changes:
Always Revalidate Always re-validate requested cached objects with content on the server
before serving them to the client.
The maximum size of objects (files) that are cached, from 1 to 4294967KB
(default = 512000KB).
Max Cache Object Size
Objects that are larger than this size are still delivered to the client but are
not stored in the FortiCache web cache.
Negative Response The amount of time, in minutes, that the FortiCache unit caches error
Duration responses from web servers (default = 0 minutes).
The content server might send a client error code (4xx HTTP response) or a
server error code (5xx HTTP response) as a response to some requests. If
the web cache is configured to cache these negative responses, it returns
that response in subsequent requests for that page or image for the
specified number of minutes, regardless of the actual object status.
For cached objects that do not have an expiry time, the web cache
periodically checks the server to see if the objects have expired. The higher
the fresh factor the less often the checks occur (default = 100%).
Fresh Factor For example, if you set Max TTL and Default TTL to 7200 minutes (5 days)
and set Fresh Factor to 20, the web cache check the cached objects 5
times before they expire, but if you set the Fresh Factor to 100, the web
cache will only check once.
Max TTL The maximum amount of time (Time to Live), in minutes, an object can
stay in the web cache without the cache checking to see if it has expired on
the server. From 1 to 5256000 minutes (one year) (default = 7200
minutes).
The minimum amount of time an object can stay in the web cache before
Min TTL the web cache checks to see if it has expired on the server. From 1 to
5256000 minutes (default = 5 minutes).
Default TTL The default expiry time for objects that do not have an expiry time set by
the web server. From 1 to 5256000 minutes (default = 1440 minutes).
Proxy FQDN This option cannot be changed from the default: default.fqdn.
Max HTTP request length This option cannot be changed from the default: 4KB.
Max HTTP message length This option cannot be changed from the default: 32KB.
Ignore HTTP 1.1 Conditionals: HTTP 1.1 provides additional controls to the client for the behavior of caches
toward stale objects. Depending on various cache-control headers, the FortiCache unit can be forced to consult
the OCS before serving the object from the cache. For more information about the behavior of cache-control
header values, see RFC 2616 (the caching rules are now maintained in RFC 7234). Enable ignoring HTTP 1.1
conditionals to override this behavior.
IE Reload
Cache Expired Objects: Enable to cache expired type-1 objects (if all other conditions make the object
cacheable).
Revalidate Pragma-no-cache: The PNC header in a request can affect how efficiently the device uses
bandwidth. If you do not want to completely ignore PNC in client requests by selecting Ignore > Pragma-no-cache,
you can lower the impact on bandwidth usage with this option.
When selected, a client's non-conditional PNC GET request results in a conditional GET request sent to the OCS,
if the object is already in the cache. This gives the OCS a chance to return a 304 Not Modified response, which
consumes less server-side bandwidth because the OCS is not forced to return the full content.
By default, Revalidate Pragma-no-cache is disabled and is not affected by changes in the top-level profile. When
the Substitute Get for PNC option is enabled, the Revalidate Pragma-no-cache option has no effect.
Most download managers make byte-range requests with a PNC header. To serve such requests from the cache,
you should also configure byte-range support when you configure the Revalidate Pragma-no-cache option.
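The following Python model is an added illustration of how the TTL, Fresh Factor, Ignore and Revalidate
Pragma-no-cache settings above interact; it is written for this page and is not FortiCache code. The order in
which the checks are applied, the clamping of Default TTL to the Min/Max TTL range, and the "checks happen
every TTL x Fresh Factor minutes" reading of the Fresh Factor example are assumptions drawn from the
descriptions above; the clock is a constructed minute counter.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class CacheSettings:
    """Profile settings described above, in minutes / percent (defaults as on this page)."""
    max_ttl: int = 7200
    min_ttl: int = 5
    default_ttl: int = 1440
    fresh_factor: int = 100                   # percent
    ignore_http11_conditionals: bool = False  # Ignore > HTTP 1.1 Conditionals
    ignore_pnc: bool = False                  # Ignore > Pragma-no-cache
    revalidate_pnc: bool = False              # Revalidate Pragma-no-cache


@dataclass
class CachedObject:
    stored_at: int                            # constructed clock, in minutes
    last_checked_at: int                      # last time the OCS was consulted
    expires_at: Optional[int] = None          # None: the server sent no expiry
    validators: dict = field(default_factory=dict)  # ETag / Last-Modified for a conditional GET


def effective_ttl(s: CacheSettings) -> int:
    """TTL for an object without a server expiry: Default TTL clamped to [Min TTL, Max TTL] (assumption)."""
    return max(s.min_ttl, min(s.default_ttl, s.max_ttl))


def check_interval(s: CacheSettings, ttl: int) -> int:
    """Fresh Factor 100 -> one check per TTL; 20 -> a check every fifth of the TTL."""
    return max(1, ttl * s.fresh_factor // 100)


def check_times(s: CacheSettings) -> list:
    """Minute offsets at which an object with no expiry is re-checked against the OCS."""
    ttl = effective_ttl(s)
    interval = check_interval(s, ttl)
    times = list(range(interval, ttl + 1, interval))
    if not times or times[-1] != ttl:
        times.append(ttl)                     # always checked once the TTL runs out
    return times


def decide(headers: dict, obj: Optional[CachedObject], s: CacheSettings, now: int) -> str:
    """Return 'miss' (fetch in full from the OCS), 'hit' (serve from cache) or
    'revalidate' (conditional GET, giving the OCS the chance to answer 304 Not Modified)."""
    if obj is None:
        return "miss"
    h = {k.lower(): v.lower() for k, v in headers.items()}
    pnc = h.get("pragma") == "no-cache"
    cc = h.get("cache-control", "")
    http11_conditional = "no-cache" in cc or "max-age=0" in cc
    client_conditional = "if-modified-since" in h or "if-none-match" in h

    if pnc and not s.ignore_pnc:
        # Revalidate PNC: a non-conditional PNC GET becomes a conditional GET to the OCS
        # instead of being forwarded for full content.
        if s.revalidate_pnc and not client_conditional and obj.validators:
            return "revalidate"
        return "miss"
    if http11_conditional and not s.ignore_http11_conditionals:
        return "revalidate" if obj.validators else "miss"

    if obj.expires_at is not None:            # a server-supplied expiry wins
        return "hit" if now < obj.expires_at else "revalidate"
    ttl = effective_ttl(s)
    if now - obj.stored_at >= ttl:
        return "revalidate"                   # TTL exhausted
    if now - obj.last_checked_at >= check_interval(s, ttl):
        return "revalidate"                   # periodic Fresh Factor check
    return "hit"
```

With Max TTL and Default TTL at 7200 and Fresh Factor 20, check_times() yields checks at 1440, 2880, 4320,
5760 and 7200 minutes (five checks); at Fresh Factor 100 it yields a single check at 7200, matching the example
above. Enabling Ignore HTTP 1.1 Conditionals makes decide() serve a cached copy even when the client asked
for no-cache, which is the trade-off that option represents.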
For example, if your users access websites that are not compatible with FortiCache web caching, you can add the
URLs of these web sites to the web caching exempt list, and all traffic accepted by a web cache policy for these
websites will not be cached.
Monitor
Using the web cache and WAN optimization monitors, you can confirm that the FortiCache unit is accepting and
caching traffic and view web caching and WAN optimization performance. The monitor presents collected log
information in a graphical format to show network traffic and bandwidth optimization information.
To view the WAN optimization monitor, go to WAN Opt. & Cache > Monitor > WAN Opt. Monitor. To view the
web cache monitor, go to WAN Opt. & Cache > Monitor > Cache Monitor.
Traffic Summary: This section provides traffic optimization information. It displays how much traffic has been
reduced by web caching by comparing the amount of client and server traffic.
Period: Select a time period to show the traffic summary for: Last 10 Minutes, Last 1 Hour, Last 1 Day,
Last 1 Week, or Last 1 Month.
Protocol: Lists the protocols shown in the pie chart, including: HTTP, MAPI, CIFS, FTP, TCP, and WEBPROXY.
Chart Type: Select the chart type: Column Chart or Line Chart.
Peer monitor
The Peer Monitor page under Wan Opt. & Cache > Monitor > Peer Monitor provides peer statistics including
Peer name, IP, Type, and Traffic Reduction.
WCCP can be used to provide web caching with load balancing and fault tolerance. In a WCCP configuration, a
WCCP server receives HTTP requests from users' web browsers and redirects the requests to one or more WCCP
clients. The clients either return cached content, or request new content from the destination web servers, cache
it, and return it to the server. The server then returns the content to the original requestor. If a WCCP
configuration includes multiple WCCP clients, the WCCP server load balances traffic among the clients and can
detect when a client fails and fail over sessions to the clients that are still operating. WCCP is described by the
Web Cache Communication Protocol internet draft.
FortiCache units can operate as WCCP clients and support WCCPv2. FortiCache units use UDP port 2048 for
WCCP communication, with user traffic encapsulated in GRE-mode or L2-mode.
A FortiCache unit configured as a WCCP client can include multiple client configurations. Each of these
configurations is called a WCCP service group. A service group consists of one or more FortiGate units configured
as WCCP servers (or routers) and one or more FortiCache WCCP clients working together to cache a specific type
of traffic. The service group configuration includes information about the type of traffic to be cached, the
addresses of the WCCP clients and servers, and other information about the service.
A service group is identified with a numeric WCCP service ID (or service number) in the range 0 to 255. All of the
servers and clients in the same WCCP service group must have service group configurations with the same
WCCP service ID.
The value of the service ID provides some information about the type of traffic to be cached by the service group.
Service IDs in the range 0 to 50 are reserved for well known services. A well known service is any service that is
defined by the WCCP standard as being well known. Since the service is well known, just the service ID is
required to identify the traffic to be cached.
Even though the well known service ID range is 0 to 50, at this time only one well known service has been
defined. Its service ID is 0, which is used for caching HTTP (web) traffic.
To configure WCCP to cache HTTP sessions you can add a service group to the FortiGate WCCP router and
FortiCache WCCP clients with a service ID of 0. No other information about the type of traffic to cache needs to
be added to the service group.
Since service IDs 1 to 50 are reserved for well known services and since these services are not defined yet, you
should not add service groups with IDs in the range 1 to 50.
FortiCache allows you to add service groups with IDs between 1 and 50. However,
since these service groups have not been assigned well known services, they will not
cache any sessions. Service groups with IDs 51 to 255 allow you to set the port
numbers and protocol number of the traffic to be cached. So you can use service
groups with IDs 51 to 255 to cache different kinds of traffic based on port numbers and
protocol number of the traffic. Service groups 1 to 50 however, do not allow you to set
port or protocol numbers, so they cannot be used to cache any traffic.
To cache traffic other than HTTP traffic you must add service groups with IDs in the range 51 to 255. These
service group configurations must include the port numbers and protocol number of the traffic to be cached. It is
the port and protocol number configuration in the service group that determines what traffic will be cached by
WCCP.
To configure WCCP you must create a service group that includes FortiGate units configured as WCCP servers
and FortiCache units configured as WCCP clients. WCCP servers intercept sessions to be cached (for example,
sessions from users browsing the web from a private network). To intercept sessions to be cached, the WCCP
server must include a firewall policy that accepts sessions to be cached and WCCP must be enabled in this
firewall policy.
The server must have an interface configured for WCCP communication with WCCP clients. That interface sends
and receives encapsulated GRE or L2 traffic to and from WCCP clients. The server must also include a WCCP
service group that includes a service ID and the addresses of the WCCP clients, as well as other WCCP
configuration options.
To use a FortiCache unit as a WCCP client, you must configure an interface on the unit for WCCP
communication. The client sends and receives the encapsulated traffic to and from the WCCP server using this
interface.
The client must also include a WCCP service group with a service ID that matches a service ID on the server. The
client service group also includes the IP address of the servers in the service group, and specifies the port
numbers and protocol number of the sessions that will be cached on the FortiCache unit.
When the client receives sessions from the server on its WCCP interface, it either returns cached content over the
WCCP interface or connects to the destination web servers using the appropriate interface, based on the client
routing configuration. Content received from web servers is then cached by the client and returned to the WCCP
server over the WCCP link. The server then returns the received content to the initial requesting user’s web
browser.
Finally, you may also need to configure routing on the FortiGate server unit and FortiCache client units, and
additional firewall policies may have to be added to the server to accept sessions not cached by WCCP.
In this configuration, a FortiGate unit is operating as an Internet firewall for a private network and is also
configured as a WCCP server. The port39 interface of the FortiGate unit is connected to the Internet, and the
port38 interface is connected to the internal network.
All HTTP traffic on port 80 that is received at the port38 interface of the FortiGate unit is accepted by a port38 to
port39 firewall policy with WCCP enabled. All other traffic received at the port38 interface is allowed to connect to
the Internet by a general port38 to port39 firewall policy placed below the HTTP on port 80 firewall policy.
A WCCP service group is added to the FortiGate unit with a service ID of 0 for caching HTTP traffic on port 80.
The port1 interface of the FortiGate unit is configured for WCCP communication.
A FortiCache unit connects to the Internet through the FortiGate unit. To allow for this, a port1 to port39 firewall
policy is added to the FortiGate unit.
Note that the WCCP server and client can operate in L2-mode. The WCCP client firewall policy must specify
which ingress interface is receiving the L2-forwarded traffic. This is different from GRE-mode, which uses the
w.root interface.
1. Add a port38 to port39 firewall policy that accepts HTTP traffic on port 80 and is configured for WCCP:
config firewall policy
edit 0
set srcintf port38
set dstintf port39
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service HTTP
set wccp enable
set nat enable
end
2. Add another port38 to port39 firewall policy to allow all other traffic to connect to the Internet:
config firewall policy
edit 0
set srcintf port38
set dstintf port39
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service ANY
set nat enable
end
3. Move this policy below the WCCP policy in the port38 to port39 policy list.
4. Enable WCCP on the port1 interface:
config system interface
edit port1
set vdom “root”
set ip 192.168.1.1 255.255.255.0
set allowaccess ping https ssh snmp http telnet
set type physical
set wccp enable
end
6. Add a firewall policy to allow the WCCP clients to connect to the internet:
config firewall policy
edit 3
set srcintf port1
set dstintf port39
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service ANY
set nat enable
end
You cannot enter the wccp-cache-engine enable command if you have already
added a WCCP service group. When you enter this command an interface named
w.root is added to the FortiCache configuration. All traffic redirected from a WCCP
router is considered to be received at this interface of the FortiCache unit operating as
a WCCP client. A default route to this interface with lowest priority is added.
4. Add a port w.root to aggr1 firewall policy that accepts HTTP traffic on port 80 and is configured for web
caching (the policy settings after the addresses mirror the L2-mode policy shown below):
config firewall policy
edit 1
set srcintf w.root
set dstintf aggr1
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service HTTP
set nat enable
set webcache enable
end
Note that if the FortiCache is operating in L2-mode, the firewall policy must specify the ingress interface
where L2-forwarded traffic is being received, as shown below:
config firewall policy
edit 1
set srcintf <port x>
set dstintf <port y>
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service HTTP
set nat enable
set webcache enable
set transparent disable
end
The following packet flow sequence assumes you have configured a FortiGate unit to be a WCCP server and one
or more FortiCache units to be WCCP clients.
The WCCP forwarding method determines how intercepted traffic is transmitted from the WCCP router to the
WCCP cache engine. FortiCache units support GRE forwarding (and the L2 forwarding mode described above).
GRE forwarding encapsulates the intercepted packet in an IP GRE header with a source IP address of the WCCP
router and a destination IP address of the target WCCP cache engine. The result is a tunnel that allows the
WCCP router to be multiple hops away from the WCCP cache engine.
By default, WCCP communication between the router and cache engines is neither authenticated nor encrypted.
Any host that can reach the router on UDP port 2048 can send WCCP messages, so a rogue cache engine could
register with the router and have user sessions redirected to it. To prevent this, use the following command to
enable hash-based (MD5) authentication of the WCCP control messages. You must enable authentication on the
router and on all of the cache engines, and all must have the same password. Note that authentication only lets a
peer prove that it knows the password: the WCCP messages and the redirected user traffic inside the GRE tunnel
are still sent in the clear, so an attacker who can sniff the link can still read them.
config system wccp
edit 1
set authentication enable
set password <password>
end
WCCP messages
When the WCCP service is active on a web cache server it periodically sends a WCCP HERE I AM broadcast or
unicast message to the FortiGate unit operating as a WCCP router. This message contains the following
information:
Troubleshooting WCCP
Two types of debug commands are available for debugging or troubleshooting a WCCP connection between a
FortiGate unit operating as a WCCP router and its FortiCache WCCP cache engines.
Application debugging
The following commands display information about WCCP operations:
get test wccpd <integer>
diag test application wccpd <integer>
Sample output from the diag test command for an unsuccessful WCCP connection (because of a service group
password mismatch); the service group has no usable cache engines:
service-0 in vdom-root: num=0, usable=0
To see why the cache engine's messages are being rejected, enable application debugging:
diag debug application wccpd -1
Sample output:
wccp_on_recv()-98: vdom-root recv: num=160, dev=3(3), 172.16.78.8->192.168.11.55
wccp2_receive_pkt()-1124: len=160, type=10, ver=0200, length=152
wccp2_receive_pkt()-1150: found component:t=0, len=20
wccp2_receive_pkt()-1150: found component:t=1, len=24
wccp2_receive_pkt()-1150: found component:t=3, len=44
wccp2_receive_pkt()-1150: found component:t=5, len=20
wccp2_receive_pkt()-1150: found component:t=8, len=24
wccp2_check_security_info()-326: MD5 check failed
Here type=10 is a WCCPv2 HERE I AM message from the cache engine at 172.16.78.8, and the components are
Security Info (t=0), Service Info (t=1), Web-Cache Identity (t=3), Web-Cache View (t=5) and Capability Info
(t=8). The MD5 digest in the Security Info component does not verify against the router's password, so the
message is discarded and the cache engine never becomes usable.
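The following Python script is an added example, not FortiCache or FortiGate code, covering both the
authentication command above and the "MD5 check failed" debug output. It builds a minimal WCCPv2 HERE I AM
message with a Security Info and a Service Info component in the layout the debug output shows (8-byte header,
then type/length/body components), signs it with a shared password and verifies it the way a router would. The
digest computation (MD5 over the password zero-padded to 8 bytes followed by the message with the digest field
zeroed) is the convention used by open-source WCCPv2 implementations and is an assumption here; FortiCache's
exact computation is not documented on this page. The other components (identity, view, capabilities) are omitted.

```python
import hashlib
import hmac
import struct

# Codes from the public WCCPv2 draft (draft-wilson-wrec-wccp-v2); see the debug output above.
WCCP2_HERE_I_AM = 10
WCCP2_VERSION = 0x0200
COMP_SECURITY, COMP_SERVICE = 0, 1
SEC_NONE, SEC_MD5 = 0, 1
PASSWORD_FIELD_LEN = 8   # assumption: password zero-padded to 8 bytes before hashing


def component(ctype: int, body: bytes) -> bytes:
    return struct.pack("!HH", ctype, len(body)) + body


def security_component(digest: bytes = bytes(16)) -> bytes:
    # option (4) + MD5 digest (16) = the "t=0, len=20" component in the debug output
    return component(COMP_SECURITY, struct.pack("!I", SEC_MD5) + digest)


def service_component(service_id: int, protocol: int = 0, ports=()) -> bytes:
    """Service Info. ID 0 is the only well-known service (HTTP) and needs nothing else;
    IDs 51-255 are dynamic and are defined by protocol and up to 8 ports; IDs 1-50 are
    reserved and would cache nothing, so they are refused here."""
    if not 0 <= service_id <= 255:
        raise ValueError("service ID must be 0-255")
    if 1 <= service_id <= 50:
        raise ValueError("service IDs 1-50 are reserved for undefined well-known services")
    if len(ports) > 8:
        raise ValueError("at most 8 ports per service group")
    stype = 0 if service_id == 0 else 1
    if stype == 0:
        protocol, ports = 0, ()
    ports = tuple(ports) + (0,) * (8 - len(ports))
    # type, id, priority, protocol, flags, 8 ports = 24 bytes ("t=1, len=24"); flags left 0
    return component(COMP_SERVICE, struct.pack("!BBBBI8H", stype, service_id, 0, protocol, 0, *ports))


def parse(msg: bytes):
    """Walk the component list like wccp2_receive_pkt(): (type, version, [(ctype, body_offset, body)])."""
    mtype, ver, length = struct.unpack("!IHH", msg[:8])
    if 8 + length != len(msg):
        raise ValueError("length field does not match packet size")
    off, comps = 8, []
    while off < len(msg):
        ctype, clen = struct.unpack("!HH", msg[off:off + 4])
        comps.append((ctype, off + 4, msg[off + 4:off + 4 + clen]))
        off += 4 + clen
    return mtype, ver, comps


def _security_option_and_digest_offset(msg: bytes):
    for ctype, body_off, body in parse(msg)[2]:
        if ctype == COMP_SECURITY:
            return struct.unpack("!I", body[:4])[0], body_off + 4
    return SEC_NONE, None


def _digest(zeroed_msg: bytes, password: str) -> bytes:
    pwd = password.encode()[:PASSWORD_FIELD_LEN].ljust(PASSWORD_FIELD_LEN, b"\0")
    return hashlib.md5(pwd + zeroed_msg).digest()


def sign(msg: bytes, password: str) -> bytes:
    option, doff = _security_option_and_digest_offset(msg)
    if option != SEC_MD5:
        return msg
    zeroed = msg[:doff] + bytes(16) + msg[doff + 16:]
    return zeroed[:doff] + _digest(zeroed, password) + zeroed[doff + 16:]


def verify(msg: bytes, password: str) -> bool:
    """Router-side check; False here is the 'MD5 check failed' line in the debug output."""
    option, doff = _security_option_and_digest_offset(msg)
    if option != SEC_MD5:
        return False          # a peer without MD5 security is rejected when auth is required
    zeroed = msg[:doff] + bytes(16) + msg[doff + 16:]
    return hmac.compare_digest(msg[doff:doff + 16], _digest(zeroed, password))


def build_here_i_am(service_id: int, password: str, protocol: int = 0, ports=()) -> bytes:
    body = security_component() + service_component(service_id, protocol, ports)
    return sign(struct.pack("!IHH", WCCP2_HERE_I_AM, WCCP2_VERSION, len(body)) + body, password)


def service_info(msg: bytes):
    """Authentication is not encryption: anyone on the path can still read the service group."""
    for ctype, _, body in parse(msg)[2]:
        if ctype == COMP_SERVICE:
            _stype, sid, _prio, proto, _flags, *ports = struct.unpack("!BBBBI8H", body)
            return {"id": sid, "protocol": proto, "ports": [p for p in ports if p]}
    return None
```

build_here_i_am(0, "secret") produces a 60-byte message that verify() accepts with "secret" and rejects with
any other password or after a single byte of the Service Info component is altered, while service_info() still
reads the service group out of the signed message in plaintext.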
The Log menu provides an interface for viewing and downloading traffic, event, and security logs. Logging,
archiving, and user interface settings can also be configured, see Log settings on page 152.
The log messages are a record of all of the traffic that passes through the FortiCache device, and the actions
taken by the device while scanning said traffic.
After a log message is recorded, it is stored in a log file. The log files can be stored on the FortiCache device
itself, on a connected FortiManager or FortiAnalyzer device, or on a FortiCloud server (you must have a
FortiCloud subscription before you can configure the FortiCache device to send logs to a FortiCloud server). The
FortiCache device’s system memory or local disk can be configured to store logs.
Traffic Log: Traffic logs are a record of all of the traffic that passes the FortiCache unit.
Forward Traffic: Forward traffic logs include log messages for traffic that passes through the FortiCache device.
They include both traffic and security log messages, so that messages about security events can be viewed
alongside messages about the traffic at the time of the event.
Local Traffic: Local traffic logs include messages for traffic that terminates at the FortiCache unit, allowed or
denied by a local policy.
Event Log: Event logs record management and activity events within the FortiCache device, divided into four
areas: System, Router, User, and WAN Opt. & Cache.
HA: HA related logs.
Security Log: The Security Log records attacks that are detected and prevented by the FortiCache unit.
AntiVirus: Antivirus logs are recorded when, during the antivirus scanning process, the FortiCache unit finds a
match within the antivirus profile, which includes the presence of a virus or grayware signature.
Web Filter: Web filter logs record HTTP log rating errors, including web content blocking actions that the
FortiCache device performs.
Data Leak Prevention: Data Leak Prevention logs, or DLP logs, provide valuable information about the sensitive
data trying to get out of your network as well as any unwanted data trying to get into your network.
Log messages can be viewed from the Log menu in the FortiCache GUI.
Download Raw Log: Select Download Raw Log to download the raw log file to your local computer. The log file
can be viewed in any text editor.
Log Location: The location where the displayed logs are stored.
Page navigation: Navigate to different pages of the log list. The total number of log messages is also shown.
Log Details: Details about the selected log message. The information displayed will vary depending on the type
of log message selected.
Log settings
The type and frequency of log messages you intend to save determines the type of log storage to use. For
example, if you want to log traffic and content logs, you need to configure the unit to log to a syslog server. The
FortiCache system disk is unable to log traffic and content logs because of their frequency and large file size.
Storing log messages to one or more locations, such as a syslog server, may be a better solution for your logging
requirements than the FortiCache system disk.
This topic contains information about logging to FortiAnalyzer or FortiManager units, a syslog server, and to disk.
To configure log settings, go to Log > Log Config > Log Settings.
Event Logging: Select to enable event logging, then select the events to log: Enable All, Endpoint event,
System activity event, Explicit web proxy event, User activity event, Router activity event, and HA event.
Display Logs From: Select where logs are displayed from: Memory, Disk, or FortiAnalyzer.
Resolve Unknown Applications: Select to resolve unknown applications using the remote application database.
When configuring logging to a syslog server, you need to configure the facility and the log file format, which is
either normal or Comma Separated Values (CSV). The CSV format contains commas whereas the normal format
contains spaces. Logs saved in the CSV file format can be viewed in a spreadsheet application, while logs saved
in normal format are viewed in a text editor because they are saved as plain text files.
Configuring a facility easily identifies the device that recorded the log file. You can choose from many different
facility identifiers, such as daemon or local7.
If you are configuring multiple Syslog servers, configuration is available only in the CLI. You can also enable the
reliable delivery option for Syslog log messages in the CLI.
From the CLI, you can enable reliable delivery of syslog messages using the reliable option of the config
log {syslog | syslog2 | syslog3} settings command. The FortiCache unit implements the RAW
profile of RFC 3195 for reliable delivery of log messages. Reliable syslog ensures that log messages are delivered
in the correct order rather than silently dropped, as they can be over UDP, and the BEEP session it runs over can
additionally protect log information through authentication and encryption. This feature is disabled by default.
Reliable delivery is not a substitute for keeping the log channel on a protected management network.
If more than one syslog server is configured, the syslog servers and their settings
appear on the Log Settings page. You can configure multiple syslog servers in the CLI
using the config log {syslog | syslog2 | syslog3} settings CLI
command.
You can specify the source IP address of self-originated traffic when configuring a
Syslog server; however, this is available only in the CLI.
The following table lists and describes some examples of Perl regular expressions.
Expression: Matches
abc: “abc” (the exact character sequence, but anywhere in the string).
^abc|abc$: The string “abc” at the beginning or at the end of the string.
ab*c: “a” followed by any number (zero or more) of “b”s followed by a “c”.
ab?c: “a” followed by an optional “b” followed by a “c”; that is, either “abc” or “ac”.
[abc]+: Any (nonempty) string of “a”s, “b”s and “c”s (such as “a”, “abba”, “acbabcacaa”).
[^abc]+: Any (nonempty) string which does not contain any of “a”, “b”, and “c” (such as “defg”).
/i: Makes the pattern case insensitive. For example, /bad language/i blocks any instance of “bad language”
regardless of case.
\w+: A “word”: a nonempty sequence of alphanumeric characters and low lines (underscores), such as “foo”,
“12bar8” and “foo_1”.
100\s*mk: The strings “100” and “mk” optionally separated by any amount of white space (spaces, tabs,
newlines).
abc\b: “abc” when followed by a word boundary (for example, in “abc!” but not in “abcd”).
perl\B: “perl” when not followed by a word boundary (for example, in “perlert” but not in “perl stuff”).
/x: Tells the regular expression parser to ignore white space that is neither preceded by a backslash character
nor within a character class. Use this to break up a regular expression into slightly more readable parts.
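To check web filter patterns before deploying them, the following Python script (an added example written for
this page, not Fortinet code) compiles expressions in the table's bare or /pattern/modifier form, tests them the
way the table describes (a match anywhere in the string, not anchored) and reports which rules of a block list
would fire on a given URL. The block list and URLs are constructed samples. Python's re module is not Perl:
it covers the constructs in the table, but \w is Unicode-aware in Python 3 and some Perl extensions are
unsupported, so confirm the final patterns on the device.

```python
import re

# Perl modifiers accepted in the /pattern/modifiers form, mapped to Python flags.
_MODIFIERS = {"i": re.IGNORECASE, "x": re.VERBOSE, "s": re.DOTALL, "m": re.MULTILINE}


def compile_perl_regex(expr: str):
    """Compile either a bare pattern ("ab*c") or a /pattern/modifiers form ("/bad language/i")."""
    if len(expr) >= 2 and expr[0] == "/" and expr.rfind("/") > 0:
        last = expr.rfind("/")
        pattern, mods = expr[1:last], expr[last + 1:]
    else:
        pattern, mods = expr, ""
    flags = 0
    for m in mods:
        if m not in _MODIFIERS:
            raise ValueError(f"unsupported modifier /{m} in {expr!r}")
        flags |= _MODIFIERS[m]
    return re.compile(pattern, flags)


def matches(expr: str, text: str) -> bool:
    """True when the expression matches anywhere in text (search, not anchored), as in the table."""
    return compile_perl_regex(expr).search(text) is not None


def matching_rules(rules, text: str) -> list:
    """The rules, in order, that would fire on text. Unanchored rules fire on substrings,
    so a rule like 'bank' also hits 'bankruptcy.example': anchor or add \\b where that matters."""
    return [r for r in rules if matches(r, text)]


# Constructed sample block list and URLs (not from the original page).
SAMPLE_RULES = ["/bad language/i", r"abc\b", "^abc|abc$", r"perl\B"]
SAMPLE_URLS = [
    "http://abc.example/",                  # "abc" followed by a word boundary
    "http://abcd.example/",                 # "abc" not followed by a boundary: no rule fires
    "http://www.example/BAD LANGUAGE.html", # case-insensitive phrase rule
    "http://perlert.example/",              # "perl" not followed by a boundary
]


def report(rules=SAMPLE_RULES, urls=SAMPLE_URLS) -> dict:
    """Map each URL to the rules that would block it."""
    return {u: matching_rules(rules, u) for u in urls}
```

report() shows that only the \b rule fires on http://abc.example/, nothing fires on http://abcd.example/, the
/i rule fires on the upper-case page name, and the \B rule fires on perlert.example.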