Channel: Fortinet GURU

Supported log types to FortiAnalyzer, Syslog, and FortiAnalyzer Cloud


This topic describes which log messages are supported by each logging destination.

Log Type      FortiAnalyzer   Syslog   FortiAnalyzer Cloud
Traffic       Yes             Yes      No
Event         Yes             Yes      Yes
Virus         Yes             Yes      No
Webfilter     Yes             Yes      No
IPS           Yes             Yes      No
Emailfilter   Yes             Yes      No
Anomaly       Yes             Yes      No
VOIP          Yes             Yes      No
DLP           Yes             Yes      No
App-Ctrl      Yes             Yes      No
WAF           Yes             Yes      No
GTP           Yes             Yes      No
DNS           Yes             Yes      No
SSH           Yes             Yes      No
SSL           Yes             Yes      No
CIFS          No              Yes      No

Log-related diagnose commands


This topic shows commonly used examples of log-related diagnose commands.

Use the following diagnose commands to identify log issues:

  • The following commands enable debugging of the log daemon (miglogd) at the proper debug level:

diagnose debug application miglogd x
diagnose debug enable

  • The following commands display different status/stats of miglogd at the proper level:

diagnose test application miglogd x
diagnose debug enable

To get the list of available levels, press Enter after diagnose test/debug application miglogd. The following are some examples of commonly used levels.

If the debug log display does not return correct entries when log filter is set:

diagnose debug application miglogd 0x1000

For example, use the following command to display all login system event log:

exe log filter device disk
exe log filter category event
exe log filter field action login
exe log display

Files to be searched:
file_no=65523, start line=0, end_line=237
file_no=65524, start line=0, end_line=429
file_no=65525, start line=0, end_line=411
file_no=65526, start line=0, end_line=381
file_no=65527, start line=0, end_line=395
file_no=65528, start line=0, end_line=458
file_no=65529, start line=0, end_line=604
file_no=65530, start line=0, end_line=389
file_no=65531, start line=0, end_line=384
session ID=1, total logs=3697

back ground search. process ID=26240, session_id=1

start line=1 view line=10

( action "login" )

ID=1, total=3697, checked=238, found=5

ID=1, total=3697, checked=668, found=13

ID=1, total=3697, checked=1080, found=23

ID=1, total=3697, checked=1462, found=23

ID=1, total=3697, checked=1858, found=23

ID=1, total=3697, checked=2317, found=54

ID=1, total=3697, checked=2922, found=106

ID=1, total=3697, checked=3312, found=111

ID=1, total=3697, checked=3697, found=114

You can check and/or debug FortiGate to FortiAnalyzer connection status.

To show connect status with detailed information:

diagnose test application miglogd 1

faz: global , enabled
server=172.18.64.234, realtime=3, ssl=1, state=connected, src=, mgmt_name=FGh_Log_vdom1_172.18.64.234, reliable=0, sni_prefix_type=none, required_entitlement=none
status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=Y
SNs: last sn update:107 seconds ago.
Sn list:
(FL-8HFT718900132,age=107s)
queue: qlen=0.
filter: severity=6, sz_exclude_list=0
voip dns ssh ssl cifs
subcategory:
traffic: forward local multicast sniffer
anomaly: anomaly
server: global, id=0, fd=132, ready=1, ipv6=0, 172.18.64.234/514 oftp-state=5

To collect debug information when FortiAnalyzer is enabled:

diagnose debug application miglogd 0x100

FGT-B-LOG (global) # <16208> miglog_start_rmt_conn()-1552: setting epoll_hd:0x7fc364e125e0 to _rmt_connect

<16209> miglog_start_rmt_conn()-1552: setting epoll_hd:0x7f72647715e0 to _rmt_connect

<16206> miglog_start_rmt_conn()-1552: setting epoll_hd:0x141f69e0 to _rmt_connect

<16209> _rmt_connect()-1433: oftp is ready.

<16209> _rmt_connect()-1435: xfer_status changed from 2 to 2 for global-faz

<16209> _rmt_connect()-1439: setting epoll_hd:0x7f72647715e0 to _rmt_recv

<16209> _check_oftp_certificate()-248: checking sn:FL-8HFT718900132 vs cert sn:FL8HFT718900132

<16209> _check_oftp_certificate()-252: Verified the certificate of peer (172.18.64.234) to match sn=FL-8HFT718900132

<16209> _faz_post_connection()-292: Certificate verification:enabled, Faz verified:1

<16209> _send_queue_item()-518: xfer_status changed from 2 to 1 for global-faz

<16209> _send_queue_item()-523: type=0, cat=0, logcount=0, len=0

<16209> _oftp_send()-487: dev=global-faz type=17 pkt_len=34

<16209> _oftp_send()-487: opt=253, opt_len=10

<16209> _oftp_send()-487: opt=81, opt_len=12

<16208> _rmt_connect()-1433: oftp is ready.

<16208> _rmt_connect()-1435: xfer_status changed from 2 to 2 for global-faz

<16208> _rmt_connect()-1439: setting epoll_hd:0x7fc364e125e0 to _rmt_recv

<16208> _check_oftp_certificate()-248: checking sn:FL-8HFT718900132 vs cert sn:FL8HFT718900132

<16208> _check_oftp_certificate()-252: Verified the certificate of peer (172.18.64.234) to match sn=FL-8HFT718900132

<16208> _faz_post_connection()-292: Certificate verification:enabled, Faz verified:1

<16208> _send_queue_item()-518: xfer_status changed from 2 to 1 for global-faz

<16208> _send_queue_item()-523: type=0, cat=0, logcount=0, len=0

<16208> _oftp_send()-487: dev=global-faz type=17 pkt_len=34

<16208> _oftp_send()-487: opt=253, opt_len=10

<16209> _oftp_recv()-1348: opt=252, opt_len=996

<16208> _oftp_send()-487: opt=81, opt_len=12

<16209> _process_response()-960: checking opt code=252

<16209> _faz_process_oftp_resp()-488: ha nmember:1 nvcluster:0 mode:1

<16209> __is_sn_known()-356: MATCHED: idx:0 sn:FL-8HFT718900132

<16209> _faz_process_oftp_resp()-494: Received SN:FL-8HFT718900132 should update:0

<16208> _oftp_recv()-1348: dev=global-faz type=252 pkt_len=1008

<16208> _oftp_recv()-1348: opt=252, opt_len=996

<16208> _process_response()-960: checking opt code=252

<16208> _faz_process_oftp_resp()-488: ha nmember:1 nvcluster:0 mode:1

<16208> __is_sn_known()-356: MATCHED: idx:0 sn:FL-8HFT718900132

<16208> _faz_process_oftp_resp()-494: Received SN:FL-8HFT718900132 should update:0

<16206> _rmt_connect()-1433: oftp is ready.

<16206> _rmt_connect()-1435: xfer_status changed from 2 to 2 for global-faz

<16206> _rmt_connect()-1439: setting epoll_hd:0x141f69e0 to _rmt_recv

<16206> _check_oftp_certificate()-248: checking sn:FL-8HFT718900132 vs cert sn:FL8HFT718900132

<16206> _check_oftp_certificate()-252: Verified the certificate of peer (172.18.64.234) to match sn=FL-8HFT718900132

<16206> _faz_post_connection()-292: Certificate verification:enabled, Faz verified:1

<16206> _send_queue_item()-518: xfer_status changed from 2 to 1 for global-faz

<16206> _send_queue_item()-523: type=0, cat=0, logcount=0, len=0

<16206> _oftp_send()-487: dev=global-faz type=17 pkt_len=34

<16206> _oftp_send()-487: opt=253, opt_len=10

<16206> _oftp_send()-487: opt=81, opt_len=12

<16206> _oftp_recv()-1348: dev=global-faz type=252 pkt_len=1008

<16206> _oftp_recv()-1348: opt=252, opt_len=996

<16206> _process_response()-960: checking opt code=252

<16206> _faz_process_oftp_resp()-488: ha nmember:1 nvcluster:0 mode:1

<16206> __is_sn_known()-356: MATCHED: idx:0 sn:FL-8HFT718900132

<16206> _faz_process_oftp_resp()-494: Received SN:FL-8HFT718900132 should update:0

<16209> _oftp_recv()-1348: dev=global-faz type=1 pkt_len=985

<16209> _oftp_recv()-1348: opt=12, opt_len=16 ……

<16209> _build_ack()-784: xfer_status changed from 1 to 2 for global-faz

<16209> _process_response()-960: checking opt code=81 ……

<16209> _send_queue_item()-523: type=1, cat=0, logcount=0, len=0

<16209> _oftp_send()-487: dev=global-faz type=1 pkt_len=24

<16209> _oftp_send()-487: opt=1, opt_len=12

<16209> _send_queue_item()-523: type=7, cat=0, logcount=0, len=988

<16209> _oftp_send()-487: dev=global-faz type=252 pkt_len=1008

<16209> _oftp_send()-487: opt=252, opt_len=996

<16208> _oftp_recv()-1348: dev=global-faz type=1 pkt_len=58

<16208> _oftp_recv()-1348: opt=12, opt_len=16

<16208> _oftp_recv()-1348: opt=51, opt_len=9

<16208> _oftp_recv()-1348: opt=49, opt_len=12

<16208> _oftp_recv()-1348: opt=52, opt_len=9

<16208> _build_ack()-784: xfer_status changed from 1 to 2 for global-faz

<16208> _process_response()-960: checking opt code=52

<16208> _send_queue_item()-523: type=1, cat=0, logcount=0, len=0

<16208> _oftp_send()-487: dev=global-faz type=1 pkt_len=24

<16208> _oftp_send()-487: opt=1, opt_len=12

<16206> _oftp_recv()-1348: dev=global-faz type=1 pkt_len=985

……

<16208> _send_queue_item()-523: type=3, cat=1, logcount=1, len=301

<16206> _oftp_recv()-1348: opt=78, opt_len=55 ……

<16206> _build_ack()-784: xfer_status changed from 1 to 2 for global-faz

<16206> _process_response()-960: checking opt code=81 ……

<16206> _send_queue_item()-523: type=1, cat=0, logcount=0, len=0

<16206> _oftp_send()-487: dev=global-faz type=1 pkt_len=24

<16206> _oftp_send()-487: opt=1, opt_len=12

<16206> _send_queue_item()-523: type=7, cat=0, logcount=0, len=988

<16206> _oftp_send()-487: dev=global-faz type=252 pkt_len=1008

<16206> _oftp_send()-487: opt=252, opt_len=996

<16206> _add_change_notice_queue_item()-269: Change notice packect added to queue. len=145 ……

<16206> _send_queue_item()-523: type=2, cat=0, logcount=0, len=300

<16206> _oftp_send()-487: dev=global-faz type=37 pkt_len=300

……

<16206> _oftp_send()-487: opt=152, opt_len=40

<16206> _oftp_send()-487: opt=74, opt_len=40

<16206> _oftp_send()-487: opt=82, opt_len=93

<16206> _oftp_recv()-1348: dev=global-faz type=1 pkt_len=24

<16206> _oftp_recv()-1348: opt=1, opt_len=12

<16206> _process_response()-960: checking opt code=1

To check FortiGate to FortiGate Cloud log server connection status:

diagnose test application miglogd 20

FGT-B-LOG# diagnose test application miglogd 20
Home log server:
Address: 172.16.95.92:514
Alternative log server:
Address: 172.16.95.26:514
oftp status: established
Debug zone info:
Server IP:      172.16.95.92
Server port:    514
Server status:  up
Log quota:      102400MB
Log used:       673MB
Daily volume:   20480MB
FDS arch pause: 0
fams archive pause: 0

To check real-time log statistics by log type since the miglogd daemon start:

diagnose test application miglogd 4

FGT-B-LOG (global) # diagnose test application miglogd 4
info for vdom: root
disk
event: logs=1238 len=262534, Sun=246 Mon=247 Tue=197 Wed=0 Thu=55 Fri=246 Sat=247 compressed=163038
dns: logs=4 len=1734, Sun=0 Mon=0 Tue=0 Wed=0 Thu=4 Fri=0 Sat=0 compressed=453
report
event: logs=1244 len=225453, Sun=246 Mon=247 Tue=197 Wed=0 Thu=61 Fri=246 Sat=247
faz
event: logs=6 len=1548, Sun=0 Mon=0 Tue=6 Wed=0 Thu=0 Fri=0 Sat=0 compressed=5446
info for vdom: vdom1
memory
traffic: logs=462 len=389648, Sun=93 Mon=88 Tue=77 Wed=0 Thu=13 Fri=116 Sat=75
event: logs=3724 len=1170237, Sun=670 Mon=700 Tue=531 Wed=0 Thu=392 Fri=747 Sat=684
app-ctrl: logs=16 len=9613, Sun=3 Mon=3 Tue=3 Wed=0 Thu=0 Fri=5 Sat=2
dns: logs=71 len=29833, Sun=0 Mon=0 Tue=0 Wed=0 Thu=71 Fri=0 Sat=0
disk
traffic: logs=462 len=389648, Sun=93 Mon=88 Tue=77 Wed=0 Thu=13 Fri=116 Sat=75 compressed=134638
event: logs=2262 len=550957, Sun=382 Mon=412 Tue=307 Wed=0 Thu=306 Fri=459 Sat=396 compressed=244606
app-ctrl: logs=16 len=9613, Sun=3 Mon=3 Tue=3 Wed=0 Thu=0 Fri=5 Sat=2 compressed=3966
dns: logs=71 len=29833, Sun=0 Mon=0 Tue=0 Wed=0 Thu=71 Fri=0 Sat=0 compressed=1499
report
traffic: logs=462 len=375326, Sun=93 Mon=88 Tue=77 Wed=0 Thu=13 Fri=116 Sat=75
event: logs=3733 len=1057123, Sun=670 Mon=700 Tue=531 Wed=0 Thu=401 Fri=747 Sat=684
app-ctrl: logs=16 len=9117, Sun=3 Mon=3 Tue=3 Wed=0 Thu=0 Fri=5 Sat=2
faz
traffic: logs=462 len=411362, Sun=93 Mon=88 Tue=77 Wed=0 Thu=13 Fri=116 Sat=75 compressed=307610
event: logs=3733 len=1348297, Sun=670 Mon=700 Tue=531 Wed=0 Thu=401 Fri=747 Sat=684 compressed=816636
app-ctrl: logs=16 len=10365, Sun=3 Mon=3 Tue=3 Wed=0 Thu=0 Fri=5 Sat=2 compressed=8193
dns: logs=71 len=33170, Sun=0 Mon=0 Tue=0 Wed=0 Thu=71 Fri=0 Sat=0 compressed=0

To check log statistics to local/remote log devices since the miglogd daemon start:

diagnose test app miglogd 6 1     <<< 1 means the first child daemon
diagnose test app miglogd 6 2     <<< 2 means the second child daemon

FGT-B-LOG (global) # diagnose test application miglogd 6 1
mem=4288, disk=4070, alert=0, alarm=0, sys=5513, faz=4307, webt=0, fds=0
interface-missed=208
Queues in all miglogds: cur:0 total-so-far:36974
global log dev statistics:
syslog 0: sent=6585, failed=152, relayed=0
faz 0: sent=13, failed=0, cached=0, dropped=0 , relayed=0

To check the miglogd daemon number and increase/decrease the number of miglogd daemons:

diagnose test app miglogd 15     <<< Show miglog ID
diagnose test app miglogd 13     <<< Increase one miglogd child
diagnose test app miglogd 14     <<< Decrease one miglogd child

FGT-B-LOG (global) # diagnose test application miglogd 15
Main miglogd: ID=0, children=2, active-children=2
ID=1, duration=70465.
ID=2, duration=70465.

FGT-B-LOG (global) # diagnose test application miglogd 13

FGT-B-LOG (global) # diagnose test application miglogd 15
Main miglogd: ID=0, children=3, active-children=3
ID=1, duration=70486.
ID=2, duration=70486.
ID=3, duration=1.

FGT-B-LOG (global) # diagnose test application miglogd 14

FGT-B-LOG (global) # diagnose test application miglogd 15
Main miglogd: ID=0, children=2, active-children=2
ID=1, duration=70604.
ID=2, duration=70604.
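The per-device counters from diagnose test application miglogd 6 are the numbers a monitoring job should watch: logs that fail to reach the syslog server or FortiAnalyzer leave a gap in the SIEM that nobody notices until an investigation needs them. The following Node.js script is an added example, not part of the FortiOS documentation; it parses that output (the sample is constructed from the page's own lines) and flags any log destination whose failed or dropped counters exceed an assumed threshold.

```javascript
// Parse `diagnose test application miglogd 6 <child>` output and flag log-delivery
// problems. Added example, not FortiOS code. The 1% failure threshold is an assumption.
const FAIL_RATIO_THRESHOLD = 0.01;

// Constructed sample, copied from the page's own diagnose output.
const SAMPLE_OUTPUT = `
FGT-B-LOG (global) # diagnose test application miglogd 6 1
mem=4288, disk=4070, alert=0, alarm=0, sys=5513, faz=4307, webt=0, fds=0
interface-missed=208
Queues in all miglogds: cur:0 total-so-far:36974
global log dev statistics:
syslog 0: sent=6585, failed=152, relayed=0
faz 0: sent=13, failed=0, cached=0, dropped=0 , relayed=0
`;

// "sent=6585, failed=152, relayed=0" -> { sent: 6585, failed: 152, relayed: 0 }
// The regex tolerates the stray space before a comma that appears in the real output.
function parseCounters(text) {
  const counters = {};
  for (const m of text.matchAll(/([\w-]+)=(\d+)/g)) {
    counters[m[1]] = Number(m[2]);
  }
  return counters;
}

// Extract per-destination counters, the queue summary and the interface-missed count.
function parseMiglogdStats(output) {
  const stats = { devices: {}, queue: { cur: 0, totalSoFar: 0 }, interfaceMissed: 0 };
  for (const raw of output.split("\n")) {
    const line = raw.trim();
    let m;
    if ((m = line.match(/^Queues in all miglogds: cur:(\d+) total-so-far:(\d+)/))) {
      stats.queue = { cur: Number(m[1]), totalSoFar: Number(m[2]) };
    } else if ((m = line.match(/^interface-missed=(\d+)/))) {
      stats.interfaceMissed = Number(m[1]);
    } else if ((m = line.match(/^([a-z]+) (\d+): (.*)$/))) {
      // Per-destination line such as "syslog 0: sent=..., failed=..."; the key is "syslog 0".
      stats.devices[`${m[1]} ${m[2]}`] = parseCounters(m[3]);
    }
  }
  return stats;
}

// Return human-readable findings; an empty list means delivery looks healthy.
function checkLogDelivery(stats, threshold = FAIL_RATIO_THRESHOLD) {
  const findings = [];
  for (const [name, c] of Object.entries(stats.devices)) {
    const sent = c.sent || 0;
    const failed = c.failed || 0;
    const dropped = c.dropped || 0;
    const attempts = sent + failed;
    const ratio = attempts > 0 ? failed / attempts : 0;
    if (ratio > threshold) {
      findings.push(`${name}: ${failed}/${attempts} sends failed (${(ratio * 100).toFixed(1)}%)`);
    }
    if (dropped > 0) {
      findings.push(`${name}: ${dropped} logs dropped`);
    }
  }
  return findings;
}

// Stand-alone run over the constructed sample: the syslog destination is reported,
// the FortiAnalyzer destination is clean.
const sampleStats = parseMiglogdStats(SAMPLE_OUTPUT);
for (const finding of checkLogDelivery(sampleStats)) {
  console.log("WARNING " + finding);
}
```

In practice the output would be collected over SSH or the REST API on a schedule and the counters compared against the previous run, since they only grow while miglogd is running.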

Back up log files or dump log messages


When a log issue is caused by a particular log message, it is very helpful to get the logs from that FortiGate. This topic provides steps for using exe log backup, or dumping log messages, to a USB drive.

Back up full logs using exe log backup

This command backs up all disk log files and is only available on FortiGates with an SSD disk.

Before running exec log backup, we recommend temporarily stopping miglogd and reportd.

To stop and kill miglogd and reportd:

diagnose sys process daemon-auto-restart disable miglogd
diagnose sys process daemon-auto-restart disable reportd
fnsysctl killall miglogd
fnsysctl killall reportd

To store the log file on USB drive:

  1. Plug in a USB drive into the FortiGate.
  2. Run this command:

exec log backup /usb/log.tar

To restart miglogd and reportd:

diagnose sys process daemon-auto-restart enable miglogd
diagnose sys process daemon-auto-restart enable reportd

Dump log messages

To dump log messages:

  1. Enable log dumping for miglogd:

FGT-B-LOG (global) # diagnose test application miglogd 26 1
miglogd(1) log dumping is enabled

  2. Display the dumping status of all miglogd daemons:

FGT-B-LOG (global) # diagnose test application miglogd 26 0 255
miglogd(0) log dumping is disabled
miglogd(1) log dumping is enabled
miglogd(2) log dumping is disabled

FGT-B-LOG (global) # diagnose test application miglogd 26 2
miglogd(2) log dumping is enabled

FGT-B-LOG (global) # diagnose test application miglogd 26 0
miglogd(0) log dumping is enabled

FGT-B-LOG (global) # diagnose test application miglogd 26 0 255
miglogd(0) log dumping is enabled
miglogd(1) log dumping is enabled
miglogd(2) log dumping is enabled

  3. Let the FortiGate run and collect log messages.
  4. List the log dump files:

FGT-B-LOG (global) # diagnose test application miglogd 33
2019-04-17 15:50:02         20828     log-1-0.dat
2019-04-17 15:48:31           4892     log-2-0.dat

  5. Back up the log dump files to the USB disk:

FGT-B-LOG (global) # diagnose test application miglogd 34
Dumping file miglog1_index0.dat copied to USB disk OK.
Dumping file miglog2_index0.dat copied to USB disk OK.

  6. Disable log dumping for the miglogd daemons:

FGT-B-LOG (global) # diagnose test application miglogd 26 0
miglogd(0) log dumping is disabled

FGT-B-LOG (global) # diagnose test application miglogd 26 1
miglogd(1) log dumping is disabled

FGT-B-LOG (global) # diagnose test application miglogd 26 2
miglogd(2) log dumping is disabled

FGT-B-LOG (global) # diagnose test application miglogd 26 0 255
miglogd(0) log dumping is disabled
miglogd(1) log dumping is disabled
miglogd(2) log dumping is disabled

VoIP Solutions – General Use Cases

General use cases

There are three scenarios in which the FortiOS SIP solution is usually deployed:

  1. The SIP server is in a private network, protected from the internet by a FortiOS device.
  2. The SIP clients are in a private network, protected from the internet by a FortiOS device.
  3. The SIP server is in a private network, such as a corporation’s internal network or an ISP’s network, protected from the Internet by a FortiOS device. The SIP clients are in a remote private network, such as a SOHO network, and behind a NAT device that is not aware of SIP applications.

The following VIP, NAT, and HNT examples show configurations for each of the three common scenarios.

VIP

A FortiGate with SIP Application Layer Gateway (ALG) or SIP Session Helper protects the SIP server from the internet, while SIP phones from the internet need to register to the SIP server and establish calls through it.

A VIP needs to be configured for the SIP server, and the VIP must be applied in a firewall policy for the phones to send REGISTER messages through the FortiGate from port1 to port2.

Only one firewall policy needs to be configured for all SIP phones on both the internet and private network to register to the SIP server through Port1 and set up SIP calls.

Assuming either SIP ALG or SIP Session Helper is enabled, configure the FortiGate with the following CLI commands:

config firewall vip
    edit "VIP_for_SIP_Server"
        set extip 172.20.120.50
        set extintf "port1"
        set mappedip "10.11.101.50"
    next
end

config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "VIP_for_SIP_Server"
        set action accept
        set schedule "always"
        set service "SIP"
    next
end

NAT

A FortiGate with SIP ALG or SIP Session Helper protects the SIP phones and the internal network from the internet, while SIP phones in the internal network need to register to the SIP server installed on the internet and establish calls through it.

One firewall policy needs to be configured with NAT enabled for SIP phones to send REGISTER messages through the FortiGate from port2 to port1.

Assuming either SIP ALG or SIP Session Helper is enabled, configure the FortiGate with the following CLI commands:

config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "SIP"
        set nat enable
    next
end

HNT

A FortiGate with SIP ALG or SIP Session Helper protects the SIP server from the internet, while SIP phones are in remote private networks behind NAT devices that are not aware of the SIP application.

For example, the SIP server is located in an ISP’s service cloud that is protected by the FortiGate SIP ALG, and the SIP phones are installed in the home networks of the ISP’s customers.

The SIP messages traversing the remote NAT devices have their IP addresses translated by the NAT device at the network layer, but left untranslated at the SIP application layer, because those NAT devices are not aware of the SIP application. This causes problems in the SIP session initiation process. Special configuration for Hosted NAT Traversal (HNT) is required to resolve this issue.

To configure the FortiGate with HNT support for SIP phones A and B to set up calls with each other:

  1. Identify port1 as the external interface:

config system interface
    edit "port1"
        set external enable
    next
end

  2. Configure a VIP for the SIP server:

config firewall vip
    edit "VIP_for_SIP_Server"
        set extip 10.21.101.10
        set extintf "port1"
        set mappedip "10.30.120.20"
    next
end

  3. Configure a VoIP profile with HNT enabled:

config voip profile
    edit "hnt"
        config sip
            set hosted-nat-traversal enable
            set hnt-restrict-source-ip enable
        end
    next
end

hosted-nat-traversal must be enabled.

hnt-restrict-source-ip does not have to be enabled, but can be enabled to restrict the RTP packets' source IP to be the same as the SIP packets' source IP.

  4. Apply the VoIP profile and VIP in a firewall policy for phones A and B to register and set up SIP calls through the FortiGate and SIP server:

config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "VIP_for_SIP_Server"
        set action accept
        set schedule "always"
        set service "SIP"
        set utm-status enable
        set voip-profile "hnt"
        set nat enable
    next
end

VoIP Solutions – SIP Message Inspection and Filtering

SIP message inspection and filtering

SIP ALG provides users with security features to inspect and control SIP messages that are transported through FortiOS devices, including:

  • Verifying the SIP message syntax.
  • Blocking particular types of SIP requests.
  • Restricting the rate of particular SIP requests.

These features are configured in the VoIP profile:

config voip profile
    edit <voip_profile_name>
        config sip
            set …

The VoIP profile can then be applied to a firewall policy to process the SIP call traffic.

SIP message syntax inspection

For syntax verification, the following attributes can be configured in the VoIP profile to determine what action is taken when a specific syntax error, or an attack based on invalid syntax, is detected. For example, the action can be set to pass or discard the message.

malformed-request-line
malformed-header-via
malformed-header-from
malformed-header-to
malformed-header-call-id
malformed-header-cseq
malformed-header-rack
malformed-header-rseq
malformed-header-contact
malformed-header-record-route
malformed-header-route
malformed-header-expires
malformed-header-content-type
malformed-header-content-length
malformed-header-max-forwards
malformed-header-allow
malformed-header-p-asserted-identity
malformed-header-sdp-v
malformed-header-sdp-o
malformed-header-sdp-s
malformed-header-sdp-i
malformed-header-sdp-c
malformed-header-sdp-b
malformed-header-sdp-z
malformed-header-sdp-k
malformed-header-sdp-a
malformed-header-sdp-t
malformed-header-sdp-r
malformed-header-sdp-m

SIP message blocking

The following options are available in the VoIP profile to block SIP messages:

block-long-lines
block-unknown
block-ack
block-bye
block-cancel
block-info
block-invite
block-message
block-notify
block-options
block-prack
block-publish
block-refer
block-register
block-subscribe
block-update
block-geo-red-options

SIP message rate limiting

The rate of certain types of SIP requests passing through the SIP ALG can be restricted with the following VoIP profile attributes:

register-rate
invite-rate
subscribe-rate
message-rate
notify-rate
refer-rate
update-rate
options-rate
ack-rate
prack-rate
info-rate
publish-rate
bye-rate
cancel-rate

VoIP Solutions – SIP pinholes

SIP pinholes

When SIP ALG processes a SIP call, it usually opens pinholes for SIP signaling and RTP/RTCP packets. NAT usually takes place during the process at both the network and SIP application layers. SIP ALG ensures that, with NAT happening, corresponding SIP and RTP/RTCP pinholes are created during the process when it is necessary for call sessions to be established through FortiOS devices.

By default, SIP ALG manages pinholes automatically, but some special configurations can be used to restrict the pinholes if required.

SIP pinhole restriction

By default, the strict-register attribute is enabled. When enabled, after a SIP endpoint registers to the SIP server through a firewall policy on the FortiOS device, only the SIP messages sent from the same IP address as the SIP server are allowed to pass through the SIP pinhole that is created in the FortiOS device to reach the SIP endpoints. If the attribute is disabled, SIP messages from any IP addresses can pass through the pinhole created after the registration.

config voip profile
    edit "voip-profile-name"
        config sip
            set strict-register [enable|disable]
        end
    next
end

RTP/RTCP pinhole restriction

In a SIP call through SIP ALG, the NATed RTP/RTCP port range is 5117 to 65533 by default. If required, the port range can be restricted.

config voip profile
    edit "voip-profile-name"
        config sip
            set nat-port-range <start_port_number>-<end_port_number>
            …
        end
    next
end

In a SIP call session, the RTP port number is usually an even number and the RTCP port number is an odd number that is one more than the RTP port number. It is best practice to configure start_port_number to an even number, and end_port_number to an odd number, for example:

config voip profile
    edit "voip-profile-name"
        config sip
            set nat-port-range 30000-39999
        end
    next
end

VoIP Solutions – SIP over TLS

SIP over TLS

Some SIP phones and servers can communicate using TLS to encrypt the SIP signaling traffic. To allow SIP over TLS calls to pass through the FortiGate, the encrypted signaling traffic must be decrypted and inspected. The FortiGate SIP ALG intercepts, decrypts, and inspects the SIP packets, which are then re-encrypted and forwarded to their destination.

The SIP ALG only supports full mode TLS. This means that the SIP traffic between the SIP phones and the FortiGate, and between the FortiGate and the SIP server, is always encrypted. The highest TLS version supported by the SIP ALG is TLS 1.2.

To enable SIP over TLS support, the SSL mode in the VoIP profile must be set to full. The SSL server and client certificates can be provisioned so that the FortiGate can use them to establish connections to SIP phones and servers, respectively.

To configure SIP over TLS:

  1. Configure a VoIP profile with SSL enabled:

config voip profile
    edit "tls"
        config sip
            set ssl-mode full
            set ssl-client-certificate "ssl_client_cert"
            set ssl-server-certificate "ssl_server_cert"
        end
    next
end

The ssl_server_cert and ssl_client_cert certificates and their key files can be generated using a certificate tool, such as OpenSSL, and imported to the local certificate store of the FortiGate from System > Certificates in the GUI. Existing local certificates in the certificate store can also be used. As always for TLS connections, the certificates used must be verified and trusted at the other end of the connection when required.

For example, the CA certificate of the SIP server's certificate should be imported to the FortiGate as an external CA certificate, so that the FortiGate can use it to verify the SIP server's certificate when setting up the TLS connection. The CA certificate configured as the ssl_server_cert should be installed as the trusted certificate on the SIP phones. The deployment of the certificates across the network depends on the SIP client and server devices that are used in the system.

  2. Apply the profile to the firewall policy:

config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "vip_sip_server"
        set action accept
        set schedule "always"
        set service "SIP"
        set utm-status enable
        set voip-profile "tls"
    next
end

Explicit web proxy

Explicit web proxy

Explicit web proxy can be configured on FortiGate for proxying HTTP and HTTPS traffic.

To deploy explicit proxy, individual client browsers can be manually configured to send requests directly to the proxy, or they can be configured to download proxy configuration instructions from a Proxy Auto-Configuration (PAC) file.

Once explicit proxy is configured on an interface, the interface IP address can be used by client browsers to forward requests directly to the FortiGate. The FortiGate also supports PAC file configuration.

To configure explicit web proxy in the GUI:

  1. Enable and configure explicit web proxy:
    1. Go to Network > Explicit Proxy.
    2. Enable Explicit Web Proxy.
    3. Select port2 as the Listen on Interfaces and set the HTTP Port to 8080.
    4. Configure the remaining settings as needed.
    5. Click Apply.
  2. Create an explicit web proxy policy:
    1. Go to Policy & Objects > Proxy Policy.
    2. Click Create New.
    3. Set Proxy Type to Explicit Web and Outgoing Interface to port1.
    4. Also set Source and Destination to all, Schedule to always, Service to webproxy, and Action to ACCEPT.
  3. Configure a client to use the FortiGate explicit proxy:

Set the FortiGate IP address as the proxy IP address in the browser, or use an automatic configuration script for the PAC file.

To configure explicit web proxy in the CLI:

  1. Enable and configure explicit web proxy:

config web-proxy explicit
    set status enable
    set ftp-over-http enable
    set socks enable
    set http-incoming-port 8080
    set ipv6-status enable
    set unknown-http-version best-effort
end

config system interface
    edit "port2"
        set vdom "vdom1"
        set ip 10.1.100.1 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
        set type physical
        set explicit-web-proxy enable
        set snmp-index 12
    next
end

  2. Create an explicit web proxy policy:

config firewall proxy-policy
    edit 1
        set uuid 722b6130-13aa-51e9-195b-c4196568d667
        set proxy explicit-web
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end

  3. Configure a client to use the FortiGate explicit web proxy:

Set the FortiGate IP address as the proxy IP address in the browser, or use an automatic configuration script for the PAC file.
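The "automatic configuration script" is a Proxy Auto-Configuration (PAC) file. The one below is an added example written for the configuration above (explicit proxy on port2, IP 10.1.100.1, HTTP port 8080); it is not from the FortiOS documentation, and the internal domain suffix ".corp.example" is an assumption. It uses only plain string operations rather than the PAC helper functions, so the same file runs in any browser's PAC engine and can be unit-tested in Node.js.

```javascript
// PAC file for the FortiGate explicit web proxy on 10.1.100.1:8080 (port2 in the
// page's config). Added example, not FortiOS code. INTERNAL_SUFFIX is an assumption.
var FORTIGATE_PROXY = "PROXY 10.1.100.1:8080";
var INTERNAL_SUFFIX = ".corp.example";

// String.prototype.endsWith is missing in older PAC engines, so do it by hand.
function hasSuffix(host, suffix) {
  return host.length > suffix.length &&
         host.substring(host.length - suffix.length) === suffix;
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Single-label names and loopback never leave the client.
  if (host.indexOf(".") === -1 || host === "localhost" || host === "127.0.0.1") {
    return "DIRECT";
  }
  // Hosts on the proxy's own subnet (10.1.100.0/24 in the page's interface config)
  // are reached directly, including the FortiGate itself.
  if (/^10\.1\.100\.\d{1,3}$/.test(host)) {
    return "DIRECT";
  }
  // Internal names stay direct; the leading dot in the suffix keeps a name such as
  // "notcorp.example" from matching.
  if (hasSuffix(host, INTERNAL_SUFFIX)) {
    return "DIRECT";
  }
  // Everything else (http, https, and ftp, which the page's config proxies via
  // ftp-over-http) goes through the FortiGate. Deliberately no "; DIRECT" fallback:
  // if the proxy is unreachable the request fails instead of bypassing the proxy policy.
  return FORTIGATE_PROXY;
}
```

Serve the file over HTTP from an internal web server and point the browser's automatic configuration URL at it; a change to the proxy address then only needs editing FORTIGATE_PROXY.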


Transparent proxy


In a transparent proxy deployment, the user’s client software, such as a browser, is unaware that it is communicating with a proxy.

Users request Internet content as usual, without any special client configuration, and the proxy serves their requests. The FortiGate can also be configured in transparent proxy mode.

To configure transparent proxy in the GUI:

  1. Configure a regular firewall policy with HTTP redirect:
    1. Go to Policy & Objects > IPv4 Policy.
    2. Click Create New.
    3. Name the policy appropriately, set the Incoming Interface to port2, and set the Outgoing Interface to port1.
    4. Also set Source and Destination to all, Schedule to always, Service to ALL, and Action to ACCEPT.
    5. Set Inspection Mode to Proxy-based and SSL Inspection to deep-inspection.
    6. Configure the remaining settings as needed.
    7. Click OK.
  2. Configure a transparent proxy policy:
    1. Go to Policy & Objects > Proxy Policy.
    2. Click Create New.
    3. Set Proxy Type to Transparent Web, set the Incoming Interface to port2, and set the Outgoing Interface to port1.
    4. Also set Source and Destination to all, Schedule to always, Service to webproxy, and Action to ACCEPT.
    5. Configure the remaining settings as needed.
  3. No special configuration is required on the client to use the FortiGate transparent proxy. Because the client uses the FortiGate as its default gateway, requests first hit the regular firewall policy and are then redirected to the transparent proxy policy.

To configure transparent proxy in the CLI:

  1. Configure a regular firewall policy with HTTP redirect:

config firewall policy
    edit 1
        set name "1"
        set uuid c5c30442-54be-51e9-c17c-4513b1c973c0
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set http-policy-redirect enable
        set fsso disable
        set ssl-ssh-profile "deep-inspection"
        set nat enable
    next
end

  2. Configure a transparent proxy policy:

config firewall proxy-policy
    edit 5
        set uuid 8fb05036-56fc-51e9-76a1-86f757d3d8dc
        set proxy transparent-web
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
    next
end

  3. No special configuration is required on the client to use the FortiGate transparent proxy. Because the client uses the FortiGate as its default gateway, requests first hit the regular firewall policy and are then redirected to the transparent proxy policy.

FTP Proxy


FTP proxies can be configured on the FortiGate so that FTP traffic can be proxied. When the FortiGate is configured as an FTP proxy, FTP client applications should be configured to send FTP requests to the FortiGate.

To configure explicit FTP proxy in the GUI:

  1. Enable and configure explicit FTP proxy:
    1. Go to Network > Explicit Proxy.
    2. Enable Explicit FTP Proxy.
    3. Select port2 as the Listen on Interfaces and set the HTTP Port to 21.
    4. Configure the Default Firewall Policy Action as needed.
    5. Click Apply.
  2. Create an explicit FTP proxy policy:
    1. Go to Policy & Objects > Proxy Policy.
    2. Click Create New.
    3. Set Proxy Type to FTP and Outgoing Interface to port1.
    4. Also set Source and Destination to all, Schedule to always, and Action to ACCEPT.
    5. Configure the FTP client application to use the FortiGate IP address.

To configure explicit FTP proxy in the CLI:

  1. Enable and configure explicit FTP proxy:

config ftp-proxy explicit
    set status enable
    set incoming-port 21
end

config system interface
    edit "port2"
        set vdom "vdom1"
        set ip 10.1.100.1 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
        set type physical
        set explicit-ftp-proxy enable
        set snmp-index 12
    next
end

  2. Create an explicit FTP proxy policy:

config firewall proxy-policy
    edit 4
        set uuid 2e945a3a-565d-51e9-4fac-5215d287adc0
        set proxy ftp
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
    next
end

  3. Configure the FTP client application to use the FortiGate IP address.

Proxy policy addresses

Proxy addresses are designed to be used only by proxy policies.

Fast policy match

The fast policy match function improves the performance of IPv4 explicit and transparent web proxies on FortiGate devices.

When enabled, after the proxy policies are configured, the FortiGate builds a fast searching table based on the different proxy policy matching criteria. When fast policy matching is disabled, web proxy traffic is compared to the policies one at a time from the beginning of the policy list.

Fast policy matching is enabled by default, and can be configured with the following CLI command:

config web-proxy global
    set fast-policy-match {enable | disable}
end

Host regex match

In this address type, a user can create a hostname as a regular expression. Once created, the hostname address can be selected on the destination tab of an explicit proxy policy. This means that a policy will only allow or block requests that match the regular expression.

This example creates a host regex match address with the pattern qa.[a-z]*.com.

To create a host regex match address in the GUI:

  1. Go to Policy & Objects > Addresses.
  2. Click Create New > Address.
  3. Set the following:
    • Category to Proxy Address,
    • Name to Host Regex,
    • Type to Host Regex Match, and
    • Host Regex Pattern to qa.[a-z]*.com.
  4. Click OK.

To create a host regex match address in the CLI:

config firewall proxy-address
    edit "Host Regex"
        set uuid 8e374390-57c9-51e9-9353-ee4469629df8
        set type host-regex
        set host-regex "qa.[a-z]*.com"
    next
end

URL pattern

In this address type, a user can create a URL path as a regular expression. Once created, the path address can be selected in the destination tab of an explicit proxy policy. This means that a policy will only allow or block requests that match the regular expression.

This example creates a URL pattern address with the pattern /filetypes/.

To create a URL pattern address in the GUI:

  1. Go to Policy & Objects > Addresses.
  2. Click Create New > Address.
  3. Set the following:
    • Category to Proxy Address,
    • Name to URL Regex,
    • Type to URL Pattern,
    • Host to all, and
    • URL Path Regex to /filetypes/.
  4. Click OK.

To create a URL pattern address in the CLI:

config firewall proxy-address
    edit "URL Regex"
        set uuid 267dc8e4-57cb-51e9-0cfe-27877bff51d3
        set type url
        set host "all"
        set path "/filetypes/"
    next
end

URL category

In this address type, a user can create a URL category based on a FortiGuard URL ID. Once created, the address can be selected in the destination tab of an explicit proxy policy. This means that a policy will only allow or block requests that match the URL category.

The example creates a URL category address for URLs in the Education category. For more information about categories, see https://fortiguard.com/webfilter/categories.

To create a URL category address in the GUI:

  1. Go to Policy & Objects > Addresses.
  2. Click Create New > Address.
  3. Set the following:
    • Category to Proxy Address,
    • Name to url-category,
    • Type to URL Category,
    • Host to all, and
    • URL Category to Education.
  4. Click OK.

To create a URL category address in the CLI:

config firewall proxy-address
    edit "url-category"
        set uuid 7a5465d2-57cf-51e9-49fd-0c6b5ad2ff4f
        set type category
        set host "all"
        set category 30
    next
end

To see a list of all the categories and their numbers, when editing the address, enter set category ?.

HTTP method

In this address type, a user can create an address based on the HTTP request methods that are used. Multiple method options are supported, including: CONNECT, DELETE, GET, HEAD, OPTIONS, POST, PUT, and TRACE. Once created, the address can be selected in the source tab of an explicit proxy policy. This means that a policy will only allow or block requests that match the selected HTTP method.

The example creates a HTTP method address that uses the GET method.

To create a HTTP method address in the GUI:

  1. Go to Policy & Objects > Addresses.
  2. Click Create New > Address.
  3. Set the following:
    • Category to Proxy Address,
    • Name to method_get,
    • Type to HTTP Method,
    • Host to all, and
    • Request Method to GET.
  4. Click OK.

To create a HTTP method address in the CLI:

config firewall proxy-address
    edit "method_get"
        set uuid 1e4d1a02-57d6-51e9-a5c4-73387925b7de
        set type method
        set host "all"
        set method get
    next
end

HTTP header

In this address type, a user can create a HTTP header as a regular expression. Once created, the header address can be selected in the source tab of an explicit proxy policy. This means that a policy will only allow or block requests where the HTTP header matches the regular expression.

This example creates a HTTP header address with the pattern Q[A-B].

To create a HTTP header address in the GUI:

  1. Go to Policy & Objects > Addresses.
  2. Click Create New > Address.
  3. Set the following:
    • Category to Proxy Address,
    • Name to HTTP-header,
    • Type to HTTP Header,
    • Host to all,
    • Header Name to Header_Test, and
    • Header Regex to Q[A-B].
  4. Click OK.

To create a HTTP header address in the CLI:

config firewall proxy-address
    edit "HTTP-header"
        set uuid a0f1b806-57e9-51e9-b214-7a1cfafa9bb3
        set type header
        set host "all"
        set header-name "Header_Test"
        set header "Q[A-B]"
    next
end

User agent

In this address type, a user can create an address based on the names of the browsers that are used as user agents. Multiple browsers are supported, such as Chrome, Firefox, Internet Explorer, and others. Once created, the address can be selected in the destination tab of an explicit proxy policy. This means that a policy will only allow or block requests from the specified user agent.

This example creates a user agent address for Google Chrome.

To create a user agent address in the GUI:

  1. Go to Policy & Objects > Addresses.
  2. Click Create New > Address.
  3. Set the following:
    • Category to Proxy Address,
    • Name to UA-Chrome,
    • Type to User Agent,
    • Host to all, and
    • User Agent to Google Chrome.
  4. Click OK.

To create a user agent address in the CLI:

config firewall proxy-address
    edit "UA-Chrome"
        set uuid e3550196-57d8-51e9-eed0-115095a7920b
        set type ua
        set host "all"
        set ua chrome
    next
end

Advanced (source)

In this address type, a user can create an address based on multiple parameters, including HTTP method, User Agent, and HTTP header. Once created, the address can be selected in the source tab of an explicit proxy policy. This means that a policy will only allow or block requests that match the selected address.

This example creates an address that uses the get method, a user agent for Google Chrome, and an HTTP header with the pattern Q[A-B].

To create an advanced (source) address in the GUI:

  1. Go to Policy & Objects > Addresses.
  2. Click Create New > Address.
  3. Set the following:
    • Category to Proxy Address,
    • Name to advanced_src,
    • Type to Advanced (Source),
    • Host to all,
    • Request Method to GET,
    • User Agent to Google Chrome, and
    • HTTP header to Header_Test : Q[A-B].
  4. Click OK.

To create an advanced (source) address in the CLI:

config firewall proxy-address
    edit "advanced_src"
        set uuid fb9991d0-57e3-51e9-9fed-855e0bca16c3
        set type src-advanced
        set host "all"
        set method get
        set ua chrome
        config header-group
            edit 1
                set header-name "Header_Test"
                set header "Q[A-B]"
            next
        end
    next
end

Advanced (destination)

In this address type, a user can create an address based on URL pattern and URL category parameters. Once created, the address can be selected in the destination tab of an explicit proxy policy. This means that a policy will only allow or block requests that match the selected address.

This example creates an address with the URL pattern /about that are in the Education category. For more information about categories, see https://fortiguard.com/webfilter/categories.

To create an advanced (destination) address in the GUI:

  1. Go to Policy & Objects > Addresses.
  2. Click Create New > Address.
  3. Set the following:
    • Category to Proxy Address,
    • Name to Advanced-dst,
    • Type to Advanced (Destination),
    • Host to all,
    • URL Path Regex to /about, and
    • URL Category to Education.
  4. Click OK.

To create an advanced (destination) address in the CLI:

config firewall proxy-address
    edit "Advanced-dst"
        set uuid d9c2a0d6-57e5-51e9-8c92-6aa8b3372198
        set type dst-advanced
        set host "ubc"
        set path "/about"
        set category 30
    next
end
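The proxy address types above, as an added Python model (not FortiOS code) of how one request is evaluated against each address object on this page. It assumes unanchored, case-sensitive regex search and simple User-Agent substrings, and takes the FortiGuard category as a given input; it also shows that the host regex qa.[a-z]*.com, with its unescaped dots, matches more hosts than the intended qa.<label>.com.

```python
import re
from dataclasses import dataclass, field

# Constructed model of a client request as the proxy sees it. `category`
# stands in for the FortiGuard category id that the FortiGate would resolve
# for the destination; here it is simply supplied as input.
@dataclass
class Request:
    host: str
    path: str
    method: str
    user_agent: str
    headers: dict
    category: int = 0

# One proxy address object. `kind` mirrors the `set type` values in the CLI
# examples above: host-regex, url, category, method, header, ua,
# src-advanced and dst-advanced.
@dataclass
class ProxyAddress:
    name: str
    kind: str
    host_regex: str = ""
    path: str = ""
    method: str = ""
    ua: str = ""
    header_name: str = ""
    header: str = ""
    category: int = 0
    header_group: list = field(default_factory=list)   # [(header name, regex), ...]

# Assumed substring that identifies each `set ua` value in a User-Agent string.
UA_TOKENS = {"chrome": "Chrome", "firefox": "Firefox", "ie": "MSIE"}

def _search(pattern, value):
    # Assumption: unanchored, case-sensitive regex search (Python re.search).
    return re.search(pattern, value) is not None

def _header_ok(req, name, pattern):
    return _search(pattern, req.headers.get(name, ""))

def matches(addr, req):
    """Return True when `req` matches the proxy address `addr`."""
    if addr.kind == "host-regex":
        return _search(addr.host_regex, req.host)
    if addr.kind == "url":
        return _search(addr.path, req.path)
    if addr.kind == "category":
        return req.category == addr.category
    if addr.kind == "method":
        return req.method.lower() == addr.method.lower()
    if addr.kind == "header":
        return _header_ok(req, addr.header_name, addr.header)
    if addr.kind == "ua":
        return UA_TOKENS[addr.ua] in req.user_agent
    if addr.kind == "src-advanced":   # every configured parameter must match
        return (req.method.lower() == addr.method.lower()
                and UA_TOKENS[addr.ua] in req.user_agent
                and all(_header_ok(req, n, rx) for n, rx in addr.header_group))
    if addr.kind == "dst-advanced":
        return _search(addr.path, req.path) and req.category == addr.category
    raise ValueError(f"unknown address type {addr.kind}")

# The address objects from this page, plus an escaped and anchored variant of
# the host regex ("Host Regex strict") to show how much the unescaped "." in
# qa.[a-z]*.com widens the match.
ADDRESSES = {
    "Host Regex": ProxyAddress("Host Regex", "host-regex", host_regex="qa.[a-z]*.com"),
    "Host Regex strict": ProxyAddress("Host Regex strict", "host-regex",
                                      host_regex=r"^qa\.[a-z]+\.com$"),
    "URL Regex": ProxyAddress("URL Regex", "url", path="/filetypes/"),
    "url-category": ProxyAddress("url-category", "category", category=30),
    "method_get": ProxyAddress("method_get", "method", method="get"),
    "HTTP-header": ProxyAddress("HTTP-header", "header",
                                header_name="Header_Test", header="Q[A-B]"),
    "UA-Chrome": ProxyAddress("UA-Chrome", "ua", ua="chrome"),
    "advanced_src": ProxyAddress("advanced_src", "src-advanced", method="get",
                                 ua="chrome", header_group=[("Header_Test", "Q[A-B]")]),
    "Advanced-dst": ProxyAddress("Advanced-dst", "dst-advanced", path="/about",
                                 category=30),
}

def evaluate(req):
    """Map every address name to whether `req` matches it."""
    return {name: matches(addr, req) for name, addr in ADDRESSES.items()}

def constructed_request(host="qa.lab.com", path="/about", method="GET",
                        header_value="QA", category=30):
    # Constructed sample request; the User-Agent is a typical Chrome string.
    return Request(host=host, path=path, method=method,
                   user_agent="Mozilla/5.0 (Windows NT 10.0) Chrome/120.0 Safari/537.36",
                   headers={"Header_Test": header_value}, category=category)

if __name__ == "__main__":
    for name, hit in evaluate(constructed_request()).items():
        print(f"{name:18s} {'match' if hit else 'no match'}")
    # qa.[a-z]*.com also matches a host such as qaXlab.com; the strict form does not.
    odd = evaluate(constructed_request(host="qaXlab.com"))
    print(odd["Host Regex"], odd["Host Regex strict"])
```

When a regex address is meant to allow traffic, escaping the dots and anchoring the pattern keeps the policy from matching look-alike hosts.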

Proxy policy security profiles

Web proxy policies support most security profile types.

Explicit web proxy policy

The security profiles supported by explicit web proxy policies are:

  • AntiVirus,
  • Web Filter,
  • Application Control,
  • IPS,
  • DLP Sensor,
  • ICAP,
  • Web Application Firewall, and
  • SSL Inspection.

To configure security profiles on an explicit web proxy policy in the GUI:

  1. Go to Policy & Objects > Proxy Policy.
  2. Click Create New.
  3. Set the following:
    • Proxy Type to Explicit Web,
    • Outgoing Interface to port1,
    • Source to all,
    • Destination to all,
    • Schedule to always,
    • Service to webproxy, and
    • Action to ACCEPT.
  4. In the Firewall / Network Options section, set Protocol Options to default.
  5. In the Security Profiles section, make the following selections (for this example, these profiles have all already been created):
    • AntiVirus to av,
    • Web Filter to urlfilter,
    • Application Control to app,
    • IPS to Sensor-1,
    • DLP Sensor to dlp,
    • ICAP to default,
    • Web Application Firewall to default, and
    • SSL Inspection to deep-inspection.
  6. Click OK to create the policy.

To configure security profiles on an explicit web proxy policy in the CLI:

config firewall proxy-policy
    edit 1
        set uuid c8a71a2c-54be-51e9-fa7a-858f83139c70
        set proxy explicit-web
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "web"
        set action accept
        set schedule "always"
        set utm-status enable
        set av-profile "av"
        set webfilter-profile "urlfilter"
        set dlp-sensor "dlp"
        set ips-sensor "sensor-1"
        set application-list "app"
        set icap-profile "default"
        set waf-profile "default"
        set ssl-ssh-profile "deep-inspection"
    next
end

Transparent proxy

The security profiles supported by transparent proxy policies are:

  • AntiVirus,
  • Web Filter,
  • Application Control,
  • IPS,
  • DLP Sensor,
  • ICAP,
  • Web Application Firewall, and
  • SSL Inspection.

To configure security profiles on a transparent proxy policy in the GUI:

  1. Go to Policy & Objects > Proxy Policy.
  2. Click Create New.
  3. Set the following:
    • Proxy Type to Transparent Web,
    • Incoming Interface to port2,
    • Outgoing Interface to port1,
    • Source to all,
    • Destination to all,
    • Schedule to always,
    • Service to webproxy, and
    • Action to ACCEPT.
  4. In the Firewall / Network Options section, set Protocol Options to default.
  5. In the Security Profiles section, make the following selections (for this example, these profiles have all already been created):
    • AntiVirus to av,
    • Web Filter to urlfilter,
    • Application Control to app,
    • IPS to Sensor-1,
    • DLP Sensor to dlp,
    • ICAP to default,
    • Web Application Firewall to default, and
    • SSL Inspection to deep-inspection.
  6. Click OK to create the policy.

To configure security profiles on a transparent proxy policy in the CLI:

config firewall proxy-policy
    edit 2
        set uuid 8fb05036-56fc-51e9-76a1-86f757d3d8dc
        set proxy transparent-web
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set utm-status enable
        set av-profile "av"
        set webfilter-profile "urlfilter"
        set dlp-sensor "dlp"
        set ips-sensor "sensor-1"
        set application-list "app"
        set icap-profile "default"
        set waf-profile "default"
        set ssl-ssh-profile "certificate-inspection"
    next
end

FTP proxy

The security profiles supported by FTP proxy policies are:

  • AntiVirus,
  • Application Control,
  • IPS, and
  • DLP Sensor.

To configure security profiles on an FTP proxy policy in the GUI:

  1. Go to Policy & Objects > Proxy Policy.
  2. Click Create New.
  3. Set the following:
    • Proxy Type to FTP,
    • Outgoing Interface to port1,
    • Source to all,
    • Destination to all,
    • Schedule to always, and
    • Action to ACCEPT.
  4. In the Firewall / Network Options section, set Protocol Options to default.
  5. In the Security Profiles section, make the following selections (for this example, these profiles have all already been created):
    • AntiVirus to av,
    • Application Control to app,
    • IPS to Sensor-1, and
    • DLP Sensor to dlp.
  6. Click OK to create the policy.

To configure security profiles on an FTP proxy policy in the CLI:

config firewall proxy-policy
    edit 3
        set uuid cb89af34-54be-51e9-4496-c69ccfc4d5d4
        set proxy ftp
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set utm-status enable
        set av-profile "av"
        set dlp-sensor "dlp"
        set ips-sensor "sensor-1"
        set application-list "app"
    next
end

Explicit proxy authentication

FortiGate supports multiple authentication methods. This topic explains using an external authentication server with Kerberos as the primary and NTLM as the fallback.

To configure Explicit Proxy with authentication:

Enable and configure the explicit proxy

To enable and configure explicit web proxy in the GUI:

  1. Go to Network > Explicit Proxy.
  2. Enable Explicit Web Proxy.
  3. Select port2 as the Listen on Interfaces and set the HTTP Port to 8080.
  4. Configure the remaining settings as needed.
  5. Click Apply.

To enable and configure explicit web proxy in the CLI:

config web-proxy explicit
    set status enable
    set ftp-over-http enable
    set socks enable
    set http-incoming-port 8080
    set ipv6-status enable
    set unknown-http-version best-effort
end

config system interface
    edit "port2"
        set vdom "vdom1"
        set ip 10.1.100.1 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
        set type physical
        set explicit-web-proxy enable
        set snmp-index 12
    next
end

Configure the authentication server and create user groups

Since we are using an external authentication server with Kerberos authentication as the primary and NTLM as the fallback, Kerberos authentication is configured first and then FSSO NTLM authentication is configured.

For successful authorization, the FortiGate checks if user belongs to one of the groups that is permitted in the security policy.

To configure an authentication server and create user groups in the GUI:

  1. Configure Kerberos authentication:
    1. Go to User & Device > LDAP Servers.
    2. Click Create New.
    3. Set the following:
      • Name to ldap-kerberos,
      • Server IP to 172.18.62.220,
      • Server Port to 389,
      • Common Name Identifier to cn, and
      • Distinguished Name to dc=fortinetqa,dc=local.
    4. Click OK.
  2. Define Kerberos as an authentication service. This option is only available in the CLI.
  3. Configure FSSO NTLM authentication:

FSSO NTLM authentication is supported in a Windows AD network. FSSO can also provide NTLM authentication service to the FortiGate unit. When a user makes a request that requires authentication, the FortiGate initiates NTLM negotiation with the client browser, but does not process the NTLM packets itself. Instead, it forwards all the NTLM packets to the FSSO service for processing.

    1. Go to Security Fabric > Fabric Connectors.
    2. Click Create New and select Fortinet Single Sign-On Agent from the SSO/Identity
    3. Set the Name to FSSO, Primary FSSO Agent to 16.200.220, and enter a password.
    4. Click OK.
  4. Create a user group for Kerberos authentication:
    1. Go to User & Device > User Groups.
    2. Click Create New.
    3. Set the Name to Ldap-Group, and Type to Firewall.
    4. In the Remote Groups table, click Add, and set the Remote Server to the previously created ldap-kerberos.
    5. Click OK.
  5. Create a user group for NTLM authentication:
    1. Go to User & Device > User Groups.
    2. Click Create New.
    3. Set the Name to NTLM-FSSO-Group, Type to Fortinet Single Sign-On (FSSO), and add FORTINETQA/FSSO as a member.
    4. Click OK.

To configure an authentication server and create user groups in the CLI:

  1. Configure Kerberos authentication:

config user ldap
    edit "ldap-kerberos"
        set server "172.18.62.220"
        set cnid "cn"
        set dn "dc=fortinetqa,dc=local"
        set type regular
        set username "CN=root,CN=Users,DC=fortinetqa,DC=local"
        set password ENC 6q9ZE0QNH4tp3mnL83IS/BlMob/M5jW3cAbgOqzTBsNTrGD5Adef8BZTquu46NNZ8KWoIoclAMlrGTR0z1IqT8n7FIDV/nqWKdU0ehgwlqMvPmOW0+S2+kYMhbEj7ZgxiIRrculJIKoZ2gjqCorO3P0BkumbyIW1jAdPTOQb749n4OcEwRYuZ2odHTwWE8NJ3ejGOg==
    next
end

  2. Define Kerberos as an authentication service:

config user krb-keytab
    edit "http_service"
        set pac-data disable
        set principal "HTTP/FGT.FORTINETQA.LOCAL@FORTINETQA.LOCAL"
        set ldap-server "ldap-kerberos"
        set keytab "BQIAAABFAAIAEEZPUlRJTkVUUUEuTE9DQUwABEhUVFAAFEZHVC5GT1JUSU5FVFFBLkxPQ0FMAAAAAQAAAAAEAAEACKLCMonpitnVAAAARQACABBGT1JUSU5FVFFBLkxPQ0FMAARIVFRQABRGR1QuRk9SVElORVRRQS5MT0NBTAAAAAEAAAAABAADAAiiwjKJ6YrZ1QAAAE0AAgAQRk9SVElORVRRQS5MT0NBTAAESFRUUAAURkdULkZPUlRJTkVUUUEuTE9DQUwAAAABAAAAAAQAFwAQUHo9uqR9cSkzyxdzKCEXdwAAAF0AAgAQRk9SVElORVRRQS5MT0NBTAAESFRUUAAURkdULkZPUlRJTkVUUUEuTE9DQUwAAAABAAAAAAQAEgAgzee854Aq1HhQiKJZvV4tL2Poy7hMIARQpK8MCB//BIAAAABNAAIAEEZPUlRJTkVUUUEuTE9DQUwABEhUVFAAFEZHVC5GT1JUSU5FVFFBLkxPQ0FMAAAAAQAAAAAEABEAEG49vHEiiBghr63Z/lnwYrU="
    next
end

  3. Configure FSSO NTLM authentication:

config user fsso
    edit "1"
        set server "172.18.62.220"
        set password ENC 4e2IiorhPCYvSWw4DbthmLdpJuvIFXpayG0gk1DHZ6TYQPMLjuiG9k7/+qRneCtztBfbzRr1pcyC6Zj3det2pvWdKchMShyz67v4c7s6sIRf8GooPBRZJtg03cmPg0vd/fT1xD393hiiMecVGCHXOBHAJMkoKmPNjc3Ga/e78rWYeHuWK1lu2Bk64EXxKFt799UgBA==
    next
end

  4. Create a user group for Kerberos authentication:

config user group
    edit "Ldap-Group"
        set member "ldap" "ldap-kerberos"
    next
end

  5. Create a user group for NTLM authentication:

config user group
    edit "NTLM-FSSO-Group"
        set group-type fsso-service
        set member "FORTINETQA/FSSO"
    next
end

Create an authentication scheme and rules

Explicit proxy authentication is managed by authentication schemes and rules. An authentication scheme must be created first, and then the authentication rule.

To create an authentication scheme and rules in the GUI:

  1. Create an authentication scheme:
    1. Go to Policy & Objects > Authentication Rules.
    2. Click Create New > Authentication Schemes.
    3. Set the Name to Auth-scheme-Negotiate and select Negotiate as the Method.
    4. Click OK.
  2. Create an authentication rule:
    1. Go to Policy & Objects > Authentication Rules.
    2. Click Create New > Authentication Rules.
    3. Set the Name to Auth-Rule, Source Address to all, and Protocol to HTTP.
    4. Enable Authentication Scheme, and select the just created Auth-scheme-Negotiate.
    5. Click OK.

To create an authentication scheme and rules in the CLI:

  1. Create an authentication scheme:

config authentication scheme
    edit "Auth-scheme-Negotiate"
        set method negotiate      <<< Accepts both Kerberos and NTLM as fallback
    next
end

  2. Create an authentication rule:

config authentication rule
    edit "Auth-Rule"
        set status enable
        set protocol http
        set srcaddr "all"
        set ip-based enable
        set active-auth-method "Auth-scheme-Negotiate"
        set comments "Testing"
    next
end

Create an explicit proxy policy and assign a user group to the policy

To create an explicit proxy policy and assign a user group to it in the GUI:

  1. Go to Policy & Objects > Proxy Policy.
  2. Click Create New.
  3. Set Proxy Type to Explicit Web and Outgoing Interface to port1.
  4. Set Source to all, and the just created user groups NTLM-FSSO-Group and Ldap-Group.
  5. Also set Destination to all, Schedule to always, Service to webproxy, and Action to ACCEPT.
  6. Click OK.

To create an explicit proxy policy and assign a user group to it in the CLI:

config firewall proxy-policy
    edit 1
        set uuid 722b6130-13aa-51e9-195b-c4196568d667
        set proxy explicit-web
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "web"
        set action accept
        set schedule "always"
        set logtraffic all
        set groups "NTLM-FSSO-Group" "Ldap-Group"
        set av-profile "av"
        set ssl-ssh-profile "deep-custom"
    next
end

Verify the configuration

Log in using a domain and system that would be authenticated using the Kerberos server, then enter the diagnose wad user list CLI command to verify:

# diagnose wad user list
ID: 8, IP: 10.1.100.71, VDOM: vdom1
  user name   : test1@FORTINETQA.LOCAL
  duration    : 389
  auth_type   : IP
  auth_method : Negotiate
  pol_id      : 1
  g_id        : 1
  user_based  : 0
  expire      : no
  LAN: bytes_in=4862 bytes_out=11893
  WAN: bytes_in=7844 bytes_out=1023

Log in using a system that is not part of the domain. The NTLM fallback server should be used:

# diagnose wad user list
ID: 2, IP: 10.1.100.202, VDOM: vdom1
  user name   : TEST31@FORTINETQA
  duration    : 7
  auth_type   : IP
  auth_method : NTLM
  pol_id      : 1
  g_id        : 5
  user_based  : 0
  expire      : no
  LAN: bytes_in=6156 bytes_out=16149
  WAN: bytes_in=7618 bytes_out=1917
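An added Python helper (not Fortinet's code) that parses diagnose wad user list output like the two captures above and reports which sessions authenticated with Negotiate (the domain-joined Kerberos case) and which fell back to NTLM, which is what an administrator checks when a client that should have used Kerberos did not. The sample output is constructed from the entries shown here.

```python
import re

# Constructed sample modeled on the two `diagnose wad user list` entries above.
SAMPLE_OUTPUT = """\
ID: 8, IP: 10.1.100.71, VDOM: vdom1
  user name   : test1@FORTINETQA.LOCAL
  duration    : 389
  auth_type   : IP
  auth_method : Negotiate
  pol_id      : 1
  g_id        : 1
  user_based  : 0
  expire      : no
  LAN: bytes_in=4862 bytes_out=11893
  WAN: bytes_in=7844 bytes_out=1023
ID: 2, IP: 10.1.100.202, VDOM: vdom1
  user name   : TEST31@FORTINETQA
  duration    : 7
  auth_type   : IP
  auth_method : NTLM
  pol_id      : 1
  g_id        : 5
  user_based  : 0
  expire      : no
  LAN: bytes_in=6156 bytes_out=16149
  WAN: bytes_in=7618 bytes_out=1917
"""

HEADER_RE = re.compile(r"^ID:\s*(\d+),\s*IP:\s*(\S+),\s*VDOM:\s*(\S+)")
FIELD_RE = re.compile(r"^\s*([A-Za-z_][\w ]*?)\s*:\s*(.*?)\s*$")
COUNTER_RE = re.compile(r"(\w+)=(\d+)")
INT_FIELDS = {"duration", "pol_id", "g_id", "user_based"}

def parse_wad_user_list(text):
    """Parse `diagnose wad user list` output into one dict per authenticated user."""
    entries, current = [], None
    for line in text.splitlines():
        head = HEADER_RE.match(line)
        if head:   # "ID: n, IP: a.b.c.d, VDOM: name" starts a new user entry
            current = {"id": int(head[1]), "ip": head[2], "vdom": head[3]}
            entries.append(current)
            continue
        if current is None:
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m[1].strip().replace(" ", "_"), m[2]
        if key in ("LAN", "WAN"):   # "bytes_in=N bytes_out=M" counters
            current[key.lower()] = {k: int(v) for k, v in COUNTER_RE.findall(value)}
        elif key in INT_FIELDS:
            current[key] = int(value)
        else:
            current[key] = value
    return entries

def auth_summary(entries):
    """Count sessions per auth_method and list the users that did not get Negotiate.

    On this page the domain-joined client shows auth_method Negotiate and the
    non-domain client shows NTLM, so anything other than Negotiate is reported
    as a fallback for the administrator to review.
    """
    by_method, fallback = {}, []
    for e in entries:
        method = e.get("auth_method", "unknown")
        by_method[method] = by_method.get(method, 0) + 1
        if method != "Negotiate":
            fallback.append((e.get("user_name", "?"), e["ip"], method))
    return by_method, fallback

if __name__ == "__main__":
    users = parse_wad_user_list(SAMPLE_OUTPUT)
    methods, fell_back = auth_summary(users)
    print("sessions by auth_method:", methods)
    for user, ip, method in fell_back:
        print(f"fallback: {user} from {ip} authenticated with {method}")
```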

 

What is Sandbox inspection?


Sandbox inspection is a network process that allows files to be sent to a separate device, such as FortiSandbox, to be inspected without risking network security. This allows the detection of threats capable of bypassing other security measures, including zero-day threats.

You can configure your FortiGate device to send suspicious files to FortiSandbox for inspection and analysis. The FortiGate queries scan results and retrieves scan details. The FortiGate can also download malware packages as a complementary AV signature database to block future intrusions by the same malware and download URL packages as complementary web-filtering black lists.

The FortiSandbox uses virtual machines (VMs) running different operating systems to test a file and to determine if it is malicious. If the file exhibits risky behavior, or is found to contain a virus, a new signature can be added to the FortiGuard AntiVirus signature database.

When a FortiGate learns from FortiSandbox that an endpoint is infected, the administrator can quarantine the host, if it is registered to a FortiClient.

FortiSandbox has a VM pool and processes multiple files simultaneously. The amount of time to process a file depends on hardware and the number of sandbox VMs used to scan the file. For example, it can take 60 seconds to five minutes to process a file. FortiSandbox has a robust prefiltering process that, if enabled, reduces the need to inspect every file and reduces processing time. For more information on enabling prefiltering, refer to the FortiSandbox documentation.

FAQ for Sandbox inspection

The following are some frequently asked questions about using sandbox inspection with FortiSandbox and FortiGate.

Why is the FortiSandbox Cloud option not available when sandbox inspection is enabled?

This option is only available if you have created a FortiCloud account. For more information, see the FortiCloud documentation.

Why don’t results from FortiSandbox Cloud appear in the FortiGate GUI?

Go to Log & Report > Log Settings and make sure Send Logs to FortiCloud is enabled and GUI Preferences is set to Display Logs from FortiCloud.

Why are the FortiSandbox Appliance VMs inactive?

Make sure that port 3 on the FortiSandbox has an active Internet connection. This is required in order to activate the FortiSandbox VMs.

Why aren’t files being scanned by FortiSandbox?

Make sure an AntiVirus profile that sends files to FortiSandbox is enabled for all policies that require sandbox inspection.

Is FortiSandbox supported by FortiGate when in NAT or Transparent mode?

Yes, a FortiGate can be in either NAT or Transparent mode and support FortiSandbox.

Are FortiGates behind a NAT device supported? If so, how many?

Yes, multiple FortiGates can be supported in-line with FortiSandbox. Note that the FortiSandbox will see all of the FortiGates as only one device, so there is no way to differentiate their reports.

If the FortiGate has a dynamic IP, will the FortiSandbox automatically update the FortiGate?

Yes. Dynamic IPs are supported and the FortiGate will not have to be reconfigured on the FortiSandbox each time.


FortiSandbox Appliance or FortiSandbox Cloud

FortiSandbox is available as a physical or virtual appliance (FortiSandbox Appliance), or as a cloud advanced threat protection service integrated with FortiGate (FortiSandbox Cloud).

To select the settings for Sandbox Inspection, such as the FortiSandbox type, server, and notifier email, go to Security Fabric > Settings.

The table below highlights the supported features of both types of FortiSandbox:

| Feature | FortiSandbox Appliance (including VM) | FortiSandbox Cloud |
| --- | --- | --- |
| Sandbox inspection for FortiGate | Yes (FortiOS 5.0.4+) | Yes (FortiOS 5.2.3+) |
| Sandbox inspection for FortiMail | Yes (FortiMail OS 5.1+) | Yes (FortiMail OS 5.3+) |
| Sandbox inspection for FortiWeb | Yes (FortiWeb OS 5.4+) | Yes (FortiWeb OS 5.5.3+) |
| Sandbox inspection for FortiClient | Yes (FortiClient 5.4+ for Windows only) | No |
| Sandbox inspection for network share | Yes | No |
| Sandbox inspection for ICAP client | Yes | No |
| Manual file upload for analysis | Yes | Yes |
| Sniffer mode | Yes | Yes |
| File status feedback and report | Yes | Yes |
| Dynamic Threat Database updates for FortiGate | Yes (FortiOS 5.4+) | Yes (FortiOS 5.4+) |
| Dynamic Threat Database updates for FortiClient | Yes (FortiClient 5.4 for Windows only) | Yes (FortiClient 5.6+ for Windows only) |

Note that a separate Dynamic Threat Database is maintained for FortiMail. For more information, see the FortiSandbox documentation.

Recipes for Sandbox inspection

AntiVirus

The following recipes provide information about Sandbox inspection with AntiVirus:

Use FortiSandbox Appliance with AntiVirus

Feature overview

AntiVirus can use FortiSandbox to supplement its detection capabilities. In real-world situations, networks are always under the threat of zero-day attacks.

AntiVirus can submit potential zero-day viruses to FortiSandbox for inspection. Based on FortiSandbox’s analysis, the FortiGate can supplement its own antivirus database with FortiSandbox’s database to detect files determined as malicious/risky by FortiSandbox. This helps FortiGate’s AntiVirus to detect zero-day virus and malware whose signatures are not found in the FortiGate’s antivirus Database.

Support and limitations

  • FortiSandbox can be used with AntiVirus in both proxy-based and flow-based inspection modes.
  • With FortiSandbox enabled, Full Scan mode AntiVirus can do the following:
    • Submit only suspicious files to FortiSandbox for inspection.
    • Submit every file to FortiSandbox for inspection.
    • Do not submit anything.
  • Quick Scan mode AntiVirus cannot submit suspicious files to FortiSandbox. It can only do the following:
    • Submit every file to FortiSandbox for inspection.
    • Do not submit anything.

Network topology example

Configuring the feature

To configure AntiVirus to work with FortiSandbox, the following steps are required:

  1. Enable FortiSandbox on the FortiGate.
  2. Authorize FortiGate on the FortiSandbox.
  3. Enable FortiSandbox inspection.
  4. Enable use of the FortiSandbox database.

To enable FortiSandbox on the FortiGate:

  1. Go to Global > Security Fabric > Settings.
  2. Set the Sandbox Inspection toggle to On.
  3. Enter the IP address of the FortiSandbox.
  4. Add an optional Notifier Email if desired.
  5. At this point, selecting Test connectivity will return an unreachable status. This is expected behavior because the FortiGate is not yet authorized by the FortiSandbox.
  6. Select Apply to save the settings.

To authorize FortiGate on the FortiSandbox:

  1. In the FortiSandbox Appliance GUI, go to Scan Input > Device.
  2. Use the FortiGate serial number to quickly locate the desired FortiGate and select the link icon to authorize the FortiGate.
  3. Enable the desired VDOM in the same manner.
  4. The link icon changes from an open to a closed link. This indicates that the FortiSandbox has authorized this FortiGate.
  5. In the FortiGate GUI, go to Global > Security Fabric > Settings.
  6. Select Test connectivity. FortiGate is now authorized and the status displays as Connected.
  7. FortiSandbox options are now displayed in the AV Profile.

To enable FortiSandbox inspection:

  1. Go to Security Profiles > AntiVirus.
  2. Enable FortiSandbox inspection by selecting either Suspicious Files Only or All Supported Files.
  3. Files can be excluded from being sent to FortiSandbox based on their file types by choosing from a list of supported file types.
  4. Files can also be excluded from being sent to FortiSandbox by using wild card patterns.
  5. Select Apply.

To enable use of the FortiSandbox database:

  1. Go to Security Profiles > AntiVirus.
  2. Enable use of the FortiSandbox database by setting the Use FortiSandbox Database toggle to On.
  3. Select Apply.

Diagnostics and Debugging

Debug on the FortiGate side l Update daemon:

FGT_PROXY (global) # diagnose debug application quarantined -1 FGT_PROXY (global) # diagnose debug enable

quar_req_fsa_file()-890: fsa ext list new_version (1547781904)
quar_fsb_handle_quar()-1439: added a req-6 to fortisandbox-fsb5, vfid=1, oftp-name=[].
__quar_start_connection()-908: start server fortisandbox-fsb5-172.18.52.154 in vdom-1
[103] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca Fortinet_CA, idx 0 (default)
[551] ssl_ctx_create_new_ex: SSL CTX is created
[578] ssl_new: SSL object is created
upd_cfg_extract_av_db_version[378]-version=06002000AVDB00201-00066.01026-1901301530
upd_cfg_extract_ids_db_version[437]-version=06002000NIDS02403-00014.00537-1901300043
upd_cfg_extract_ids_db_version[437]-version=06002000APDB00103-00006.00741-1512010230
upd_cfg_extract_ids_db_version[437]-version=06002000ISDB00103-00014.00537-1901300043
upd_cfg_extract_ibdb_botnet_db_version[523]-version=06002000IBDB00101-00004.00401-1901281000
upd_cfg_extract_av_db_version[378]-version=06002000AVDB00201-00066.01026-1901301530
upd_cfg_extract_ids_db_version[437]-version=06002000NIDS02403-00014.00537-1901300043
upd_cfg_extract_ids_db_version[437]-version=06002000APDB00103-00006.00741-1512010230
upd_cfg_extract_ids_db_version[437]-version=06002000ISDB00103-00014.00537-1901300043
upd_cfg_extract_ibdb_botnet_db_version[523]-version=06002000IBDB00101-00004.00401-1901281000
upd_cfg_extract_av_db_version[378]-version=06002000AVDB00201-00066.01026-1901301530
upd_cfg_extract_ids_db_version[437]-version=06002000NIDS02403-00014.00537-1901300043
upd_cfg_extract_ids_db_version[437]-version=06002000APDB00103-00006.00741-1512010230
upd_cfg_extract_ids_db_version[437]-version=06002000ISDB00103-00014.00537-1901300043
upd_cfg_extract_ibdb_botnet_db_version[523]-version=06002000IBDB00101-00004.00401-1901281000
upd_cfg_extract_av_db_version[378]-version=06002000AVDB00201-00066.01026-1901301530
upd_cfg_extract_ids_db_version[437]-version=06002000NIDS02403-00014.00537-1901300043
upd_cfg_extract_ids_db_version[437]-version=06002000APDB00103-00006.00741-1512010230
upd_cfg_extract_ids_db_version[437]-version=06002000ISDB00103-00014.00537-1901300043
upd_cfg_extract_ibdb_botnet_db_version[523]-version=06002000IBDB00101-00004.00401-1901281000
upd_cfg_extract_av_db_version[378]-version=06002000AVDB00201-00066.01026-1901301530
upd_cfg_extract_ids_db_version[437]-version=06002000NIDS02403-00014.00537-1901300043
upd_cfg_extract_ids_db_version[437]-version=06002000APDB00103-00006.00741-1512010230
upd_cfg_extract_ids_db_version[437]-version=06002000ISDB00103-00014.00537-1901300043
upd_cfg_extract_ibdb_botnet_db_version[523]-version=06002000IBDB00101-00004.00401-1901281000

quar_remote_recv_send()-731: dev=fortisandbox-fsb2 xfer-status=0
__quar_build_pkt()-408: build req(id=337, type=4) for vdom-vdom1, len=99, oftp_name=
__quar_send()-470: dev buffer — pos=0, len=99
quar_remote_send()-520: req(id=337, type=4) read response, dev=fortisandbox-fsb2, xfer_status=1, buflen=12
quar_remote_recv_send()-770: dev-fortisandbox-fsb2, oevent=4, nevent=1, xfer-status=1
quar_remote_recv_send()-731: dev=fortisandbox-fsb3 xfer-status=0
__quar_build_pkt()-408: build req(id=338, type=6) for vdom-vdom1, len=93, oftp_name=
__quar_send()-470: dev buffer — pos=0, len=93
quar_remote_send()-520: req(id=338, type=6) read response, dev=fortisandbox-fsb3, xfer_status=1, buflen=12
quar_remote_recv_send()-770: dev-fortisandbox-fsb3, oevent=4, nevent=1, xfer-status=1
quar_remote_recv_send()-731: dev=fortisandbox-fsb5 xfer-status=0
__quar_build_pkt()-408: build req(id=340, type=6) for vdom-vdom1, len=93, oftp_name=
__quar_send()-470: dev buffer — pos=0, len=93
quar_remote_send()-520: req(id=340, type=6) read response, dev=fortisandbox-fsb5, xfer_status=1, buflen=12
quar_remote_recv_send()-770: dev-fortisandbox-fsb5, oevent=4, nevent=1, xfer-status=1
quar_remote_recv_send()-731: dev=fortisandbox-fsb2 xfer-status=1
quar_remote_recv()-662: dev(fortisandbox-fsb2) received a packet: len=69, type=1
quar_remote_recv()-718: file-[337] is accepted by server(fortisandbox-fsb2).
quar_put_job_req()-332: Job 337 deleted
quar_remote_recv_send()-731: dev=fortisandbox-fsb4 xfer-status=0
__quar_build_pkt()-408: build req(id=339, type=6) for vdom-vdom1, len=93, oftp_name=
__quar_send()-470: dev buffer — pos=0, len=93
quar_remote_send()-520: req(id=339, type=6) read response, dev=fortisandbox-fsb4, xfer_status=1, buflen=12
quar_remote_recv_send()-770: dev-fortisandbox-fsb4, oevent=4, nevent=1, xfer-status=1
quar_remote_recv_send()-731: dev=fortisandbox-fsb1 xfer-status=0
__quar_build_pkt()-408: build req(id=336, type=4) for vdom-root, len=98, oftp_name=
__quar_send()-470: dev buffer — pos=0, len=98
…

__get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0
__quar_req_handler()-127: Request 0 was handled successfully
__get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0
__quar_req_handler()-127: Request 0 was handled successfully
__get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0
__quar_req_handler()-127: Request 0 was handled successfully
__get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0
__quar_req_handler()-127: Request 0 was handled successfully
quar_fsb_handle_quar()-1439: added a req-6 to fortisandbox-fsb1, vfid=1, oftp-name=[].
__quar_start_connection()-908: start server fortisandbox-fsb1-172.18.52.154 in vdom-1
[103] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca Fortinet_CA, idx 0 (default)
[551] ssl_ctx_create_new_ex: SSL CTX is created
[578] ssl_new: SSL object is created
upd_cfg_extract_av_db_version[378]-version=06002000AVDB00201-00066.01026-1901301530
upd_cfg_extract_ids_db_version[437]-version=06002000NIDS02403-00014.00537-1901300043
upd_cfg_extract_ids_db_version[437]-version=06002000APDB00103-00006.00741-1512010230
upd_cfg_extract_ids_db_version[437]-version=06002000ISDB00103-00014.00537-1901300043
upd_cfg_extract_ibdb_botnet_db_version[523]-version=06002000IBDB00101-00004.00401-1901281000

quar_remote_recv_send()-731: dev=fortisandbox-fsb1 xfer-status=0
__quar_build_pkt()-408: build req(id=2, type=6) for vdom-vdom1, len=93, oftp_name=
__quar_send()-470: dev buffer — pos=0, len=93
quar_remote_send()-520: req(id=2, type=6) read response, dev=fortisandbox-fsb1, xfer_status=1, buflen=12
quar_remote_recv_send()-770: dev-fortisandbox-fsb1, oevent=4, nevent=1, xfer-status=1
quar_remote_recv_send()-731: dev=fortisandbox-fsb1 xfer-status=1
quar_remote_recv()-662: dev(fortisandbox-fsb1) received a packet: len=767, type=1
quar_store_analytics_report()-590: Analytics-report return file=/tmp/fsb/83bb2d9928b03a68b123730399b6b9365b5cc9a5a77f8aa007a6f1a499a13b18.json.gz, buf_sz=735
quar_store_analytics_report()-597: The request '83bb2d9928b03a68b123730399b6b9365b5cc9a5a77f8aa007a6f1a499a13b18' score is 1
quar_remote_recv()-718: file-[2] is accepted by server(fortisandbox-fsb1).
quar_put_job_req()-332: Job 2 deleted
quar_monitor_connection_func()-978: monitoring dev fortisandbox-fsb1
quar_monitor_connection_func()-978: monitoring dev fortisandbox-fsb1
__get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0
__quar_req_handler()-127: Request 0 was handled successfully
__get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0
__quar_req_handler()-127: Request 0 was handled successfully
quar_monitor_connection_func()-978: monitoring dev fortisandbox-fsb1
quar_stop_connection()-1006: close connection to server(fortisandbox-fsb1)
[193] __ssl_data_ctx_free: Done
[805] ssl_free: Done
[185] __ssl_cert_ctx_free: Done
[815] ssl_ctx_free: Done
[796] ssl_disconnect: Shutdown

  • Appliance FortiSandbox diagnostics:

FGT_PROXY # config global

FGT_PROXY (global) # diagnose test application quarantined 1

Total remote&local devices: 8, any task full? 0
System have disk, vdom is enabled, mgmt=1, ha=2
xfer-fas is enabled: ips-archive dlp-archive, realtime=yes, taskfull=no
addr=0.0.0.0/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=0, hmac_alg=0
License=0, content_archive=0, arch_pause=0.
global-fas is disabled.
forticloud-fsb is disabled.
fortisandbox-fsb1 is enabled: analytics, realtime=yes, taskfull=no
addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=3, hmac_alg=0
fortisandbox-fsb2 is enabled: analytics, realtime=yes, taskfull=no
addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=3, hmac_alg=0
fortisandbox-fsb3 is enabled: analytics, realtime=yes, taskfull=no
addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=3, hmac_alg=0
fortisandbox-fsb4 is enabled: analytics, realtime=yes, taskfull=no
addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=3, hmac_alg=0
fortisandbox-fsb5 is enabled: analytics, realtime=yes, taskfull=no
addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=3, hmac_alg=0
fortisandbox-fsb6 is enabled: analytics, realtime=yes, taskfull=no
addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=3, hmac_alg=0
global-faz is disabled.
global-faz2 is disabled.
global-faz3 is disabled.

  • Checking FortiSandbox analysis statistics:

FGT_PROXY (global) # diagnose test application quarantine 7

Total: 0
Statistics:
vfid: 0, detected: 0, clean: 0, risk_low: 0, risk_med: 0, risk_high: 0, limit_reached:0
vfid: 3, detected: 0, clean: 0, risk_low: 0, risk_med: 0, risk_high: 0, limit_reached:0
vfid: 4, detected: 0, clean: 0, risk_low: 0, risk_med: 0, risk_high: 0, limit_reached:0

FGT_PROXY (global) #
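To turn the two listings above into something a monitoring job can act on, here is an added Python example (my code, not Fortinet's and not part of the original page) that parses the device list from diagnose test application quarantined 1 and the per-VDOM counters from diagnose test application quarantine 7, then reports the conditions a defender cares about: no sandbox enabled, a device whose task queue is full, a VDOM that has hit its submission limit, and detections. The sample text is constructed from the output above with the line breaks restored; the taskfull=yes on fortisandbox-fsb2 and the non-zero vfid 3 counters are constructed variations so the checks have something to report, and the wording of the findings is mine.

```python
import re
from typing import Dict, List

# Constructed sample: the page's quarantined 1 output with line breaks restored.
# fsb2's taskfull=yes is a constructed variation (the page shows taskfull=no).
QUARANTINED_1 = """\
Total remote&local devices: 8, any task full? 0
System have disk, vdom is enabled, mgmt=1, ha=2
xfer-fas is enabled: ips-archive dlp-archive, realtime=yes, taskfull=no
addr=0.0.0.0/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=0, hmac_alg=0
License=0, content_archive=0, arch_pause=0.
global-fas is disabled.
forticloud-fsb is disabled.
fortisandbox-fsb1 is enabled: analytics, realtime=yes, taskfull=no
addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=3, hmac_alg=0
fortisandbox-fsb2 is enabled: analytics, realtime=yes, taskfull=yes
addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=3, hmac_alg=0
fortisandbox-fsb3 is disabled.
global-faz is disabled.
"""

# Constructed sample: quarantine 7 output; vfid 3's counters are a constructed variation.
QUARANTINE_7 = """\
Total: 0
Statistics:
vfid: 0, detected: 0, clean: 0, risk_low: 0, risk_med: 0, risk_high: 0, limit_reached:0
vfid: 3, detected: 2, clean: 5, risk_low: 1, risk_med: 0, risk_high: 1, limit_reached:1
vfid: 4, detected: 0, clean: 0, risk_low: 0, risk_med: 0, risk_high: 0, limit_reached:0
"""

# "<name> is enabled: <services>, k=v, ..." or "<name> is disabled."
DEVICE_RE = re.compile(r"^(?P<name>\S+) is (?P<state>enabled|disabled)(?:[:.]\s*(?P<rest>.*))?$")
# key=value or key: value pairs; a value runs to the next comma or whitespace
KV_RE = re.compile(r"([A-Za-z_-]+)\s*[=:]\s*([^,\s]+)")


def parse_devices(text: str) -> Dict[str, dict]:
    """Map each device in the quarantined 1 listing to its state, services and options."""
    devices: Dict[str, dict] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = DEVICE_RE.match(line)
        if m:
            rest = m.group("rest") or ""
            # the first comma-group names the services (e.g. "analytics"); the
            # remaining groups are k=v options such as realtime=yes, taskfull=no
            services = [t for t in rest.split(",")[0].split() if "=" not in t]
            current = {"enabled": m.group("state") == "enabled", "services": services}
            current.update({k: v.rstrip(".") for k, v in KV_RE.findall(rest)})
            devices[m.group("name")] = current
        elif current is not None and line.startswith("addr="):
            # the addr= line following an enabled device carries its transport options
            current.update({k: v.rstrip(".") for k, v in KV_RE.findall(line)})
    return devices


def parse_analysis_stats(text: str) -> List[dict]:
    """One record of integer counters per VDOM (vfid) from the quarantine 7 output."""
    return [
        {k: int(v) for k, v in KV_RE.findall(line.strip())}
        for line in text.splitlines()
        if line.strip().startswith("vfid:")
    ]


def check_sandbox_health(devices: Dict[str, dict], stats: List[dict]) -> List[str]:
    """Return human-readable findings; an empty list means nothing needs attention."""
    findings: List[str] = []
    sandboxes = {
        name: dev for name, dev in devices.items()
        if name.startswith(("fortisandbox-", "forticloud-")) and dev["enabled"]
    }
    if not sandboxes:
        findings.append("no FortiSandbox device is enabled; files are not being submitted")
    for name, dev in sandboxes.items():
        if "analytics" not in dev["services"]:
            findings.append(f"{name}: enabled but not configured for analytics submission")
        if dev.get("taskfull") == "yes":
            findings.append(f"{name}: task queue is full (taskfull=yes)")
    for rec in stats:
        if rec.get("limit_reached"):
            findings.append(f"vfid {rec['vfid']}: submission limit reached (limit_reached={rec['limit_reached']})")
        if rec.get("detected"):
            findings.append(f"vfid {rec['vfid']}: {rec['detected']} submitted file(s) detected, risk_high={rec.get('risk_high', 0)}")
    return findings


if __name__ == "__main__":
    for finding in check_sandbox_health(parse_devices(QUARANTINED_1), parse_analysis_stats(QUARANTINE_7)):
        print("WARN", finding)
```

Feed it the real output of both commands (captured over SSH or from a support bundle) and the findings list is what to page on; a device that is enabled but whose addr line never appears, or a vfid whose limit_reached counter is non-zero, shows up without anyone having to read the raw listing.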

Debug on the FortiSandbox side

  • Appliance FortiSandbox OFTP debug:

> diagnose-debug device FG101E4Q17002429

[2019/01/31 00:48:21] LOGIN->SUCCEED: Serial(FG101E4Q17002429), HOSTNAME(FGT_PROXY)

[2019/01/31 00:48:21] FG101E4Q17002429 VDOM: vdom1

[2019/01/31 00:48:21] FG101E4Q17002429 suspicious stats START_TIME: 1548290749

[2019/01/31 00:48:21] FG101E4Q17002429 suspicious stats END_TIME: 1548895549

[2019/01/31 00:48:21] FG101E4Q17002429 opd_data_len=37 clean=2 detected=2 risk_low=0 risk_med=0 risk_high=0 sus_limit=0

[2019/01/31 00:48:21] FG101E4Q17002429 ENTERING->HANDLE_SEND_FILE.

[2019/01/31 00:48:21] FG101E4Q17002429 ENTERING->HANDLE_SEND_FILE.

[2019/01/31 00:48:21] FG101E4Q17002429 INCOMING->FGT->VDOM: vdom1

[2019/01/31 00:48:21] FG101E4Q17002429 INCOMING->FGT->VDOM: vdom1

[2019/01/31 00:48:21] FG101E4Q17002429 INCOMING->IMG_VERSION: 6.2.0.0818

[2019/01/31 00:48:21] FG101E4Q17002429 INCOMING->IMG_VERSION: 6.2.0.0818

[2019/01/31 00:48:21] INCOMING->FGT: FG101E4Q17002429, VDOM: vdom1

[2019/01/31 00:48:21] INCOMING->FGT: FG101E4Q17002429, VDOM: vdom1

[2019/01/31 00:48:21] FG101E4Q17002429 INCOMING->TYPE: 0

[2019/01/31 00:48:21] FG101E4Q17002429 INCOMING->TYPE: 1

[2019/01/31 00:48:21] FG101E4Q17002429 INCOMING->VERSION: 3 . 1795

[2019/01/31 00:48:21] FG101E4Q17002429 INCOMING->VERSION: 3 . 595

[2019/01/31 00:48:21] FG101E4Q17002429 VDOM: root

[2019/01/31 00:48:21] FG101E4Q17002429 ENTERING->HANDLE_SEND_FILE.

[2019/01/31 00:48:21] FG101E4Q17002429 suspicious stats START_TIME: 1548290749

[2019/01/31 00:48:21] FG101E4Q17002429 INCOMING->FGT->VDOM: vdom1

[2019/01/31 00:48:21] FG101E4Q17002429 suspicious stats END_TIME: 1548895549

[2019/01/31 00:48:21] FG101E4Q17002429 INCOMING->IMG_VERSION: 6.2.0.0818

[2019/01/31 00:48:21] INCOMING->FGT: FG101E4Q17002429, VDOM: vdom1

[2019/01/31 00:48:21] FG101E4Q17002429 INCOMING->TYPE: 4

[2019/01/31 00:48:21] FG101E4Q17002429 opd_data_len=37 clean=0 detected=0 risk_low=0 risk_med=0 risk_high=0 sus_limit=0

[2019/01/31 00:48:22] FG101E4Q17002429 RETRIEVE->PKG: TYPE: av, ENTRY_VERSION: 1795, PACKAGE_PATH: /Storage/malpkg/pkg/avsig/avsigrel_1795.pkg

[2019/01/31 00:48:22] FG101E4Q17002429 RETRIEVE->PKG: TYPE: url, ENTRY_VERSION: 595, PACKAGE_PATH: /Storage/malpkg/pkg/url/urlrel_595.pkg.gz

[2019/01/31 00:48:29] LOGIN->SUCCEED: Serial(FG101E4Q17002429), HOSTNAME(FGT_PROXY)

[2019/01/31 00:48:32] LOGIN->SUCCEED: Serial(FG101E4Q17002429), HOSTNAME(FGT_PROXY)

[2019/01/31 00:48:59] LOGIN->SUCCEED: Serial(FG101E4Q17002429), HOSTNAME(FGT_PROXY)

[2019/01/31 00:49:03] LOGIN->SUCCEED: Serial(FG101E4Q17002429), HOSTNAME(FGT_PROXY)

Use FortiSandbox Cloud with AntiVirus

Feature overview

FortiCloud Sandbox allows users to take advantage of FortiSandbox features without having to purchase, operate, and maintain a physical appliance.

FortiCloud Sandbox works the same way as the physical FortiSandbox appliance.

Starting from FortiOS 6.2, FortiCloud Sandbox lets users choose the region their traffic is sent to for analysis, so that they can meet their country's compliance requirements for where data is stored.

Support and limitations

  • Starting from FortiOS 6.2, users no longer require a FortiCloud account to use FortiCloud Sandbox.
  • Without a valid AVDB license, FortiGate devices are limited to 100 FortiCloud submissions per day.
  • Unlimited FortiCloud submissions are allowed if the FortiGate has a valid AVDB license.
  • There is a limit on how many submissions are sent per minute.
  • Per minute submission rate is based on the FortiGate model.
  • FortiSandbox can be used with AntiVirus in both proxy-based and flow-based policy inspection modes.
  • With FortiSandbox enabled, Full Scan mode AntiVirus can do the following:
    • Submit only suspicious files to FortiSandbox for inspection.
    • Submit every file to FortiSandbox for inspection.
    • Do not submit anything.
  • Quick Scan mode AntiVirus cannot submit suspicious files to FortiSandbox. It can only do the following:
    • Submit every file to FortiSandbox for inspection.
    • Do not submit anything.

Network topology example

Configuring the feature

To configure AntiVirus to work with FortiCloud Sandbox, the following steps are required:

  1. Through FortiCare/FortinetOne, register the FortiGate device and purchase a FortiGuard AntiVirus license.
  2. Enable FortiCloud Sandbox on the FortiGate.
  3. Enable FortiSandbox inspection.
  4. Enable the use of the FortiSandbox database.

To obtain or renew an AVDB license:

  1. Please see the video How to Purchase or Renew FortiGuard Services for FortiGuard AntiVirus license purchase instructions.
  2. Once a FortiGuard license has been purchased or activated, users will be provided with a paid FortiSandbox Cloud license.
    1. Go to Global > Main Dashboard to view the FortiSandbox Cloud license indicator.
    2. Users can also view this indicator at Global > System > FortiGuard.

Enable FortiCloud Sandbox on the FortiGate:

  1. Go to Global > Security Fabric > Settings and set the Sandbox Inspection toggle to the On position.
  2. Select FortiSandbox Cloud and choose a region from the dropdown list.
  3. Select Apply to save the settings.
  4. When the FortiGate is connected to the FortiSandbox Cloud, FortiSandbox’s current database version is displayed.

Enable FortiSandbox inspection:

  1. Go to Security Profiles > AntiVirus.
  2. Enable FortiSandbox inspection by selecting either Suspicious Files Only or All Supported Files.
  3. Files can be excluded from being sent to FortiSandbox based on their file types by choosing from a list of supported file types.
  4. Files can also be excluded from being sent to FortiSandbox by using wild card patterns.
  5. Select Apply.

Enable the use of the FortiSandbox database:

  1. Go to Security Profiles > AntiVirus.
  2. Enable use of the FortiSandbox database by setting the Use FortiSandbox Database toggle to the On position.
  3. Select Apply.

Diagnostics and debugging

Debug on FortiGate side

  • Checking FortiCloud controller status:

FGT_FL_FULL (global) # diagnose test application forticldd 2

Server: log-controller, task=0/10, watchdog is off
Domain name: logctrl1.fortinet.com
Address of log-controller: 1
172.16.95.168:443
Statistics: total=3, discarded=1, sent=2, last_updated=12163 secs ago
http connection: is not in progress
Current address: 172.16.95.168:443
Calls: connect=9, rxtx=12
Current tasks number: 0
Account: name=empty, status=0, type=basic
Current volume: 0B
Current tasks number: 0
Update timer fires in 74240 secs

  • Checking Cloud APT server status:

FGT_FL_FULL (global) # diagnose test application forticldd 3

Debug zone info:
Domain:
Home log server: 0.0.0.0:0
Alt log server: 0.0.0.0:0
Active Server IP:      0.0.0.0
Active Server status: down
Log quota:      0MB
Log used:       0MB
Daily volume: 0MB
fams archive pause: 0
APTContract : 1                           <====
APT server: 172.16.102.51:514            <====
APT Altserver: 172.16.102.52:514          <====
Active APTServer IP:       172.16.102.51 <====
Active APTServer status: up  <====

  • Cloud FortiSandbox diagnostics:

FGT_FL_FULL (global) # diagnose test application quarantine 1

Total remote&local devices: 4, any task full? 0
System have disk, vdom is enabled, mgmt=3, ha=1
xfer-fas is enabled: ips-archive dlp-archive, realtime=yes, taskfull=no
addr=0.0.0.0/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=1, hmac_alg=0
License=0, content_archive=0, arch_pause=0.
global-fas is disabled.
forticloud-fsb is enabled: analytics, realtime=yes, taskfull=no
addr=172.16.102.51/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=1, hmac_alg=0
fortisandbox-fsb1 is disabled.
fortisandbox-fsb2 is disabled.
fortisandbox-fsb3 is disabled.
fortisandbox-fsb4 is disabled.
fortisandbox-fsb5 is disabled.
fortisandbox-fsb6 is disabled.
global-faz is disabled.
global-faz2 is disabled.
global-faz3 is disabled.

  • Checking FortiSandbox Cloud submission statistics:

FGT_FL_FULL (global) # diagnose test application quarantined 2

Quarantine daemon state:
QUAR mem: mem_used=0, mem_limit=97269, threshold=72951
dropped(0 by quard, 0 by callers)
pending-jobs=0, tot-mem=0, last_ipc_run=12353, check_new_req=1
alloc_job_failed=0, job_wrong_type=0, job_wrong_req_len=0, job_invalid_qfd=0
tgz_create_failed=0, tgz_attach_failed=0, qfd_mmap_failed=0, buf_attached=0
xfer-fas:
ips: total=0, handled=0, accepted=0
quar: total=0, handled=0, accepted=0
archive: total=0, handled=0, accepted=0
analytics: total=0, handled=0, accepted=0, local_dups=0
analytics stats: total=0, handled=0, accepted=0 last_rx=0, last_tx=0, error_rx=0, error_tx=0
max_num_tasks=10000, num_tasks=0, mem_used=0, ttl_drops=0, xfer_status=0
forticloud-fsb:
ips: total=0, handled=0, accepted=0
quar: total=0, handled=0, accepted=0
archive: total=0, handled=0, accepted=0
analytics: total=0, handled=0, accepted=0, local_dups=0
num_buffer=0(per-minute:10) last_min_count=0 last_vol_count=0 next_vol_reset_tm='Sun Feb 17 00:00:00 2019
'
analytics stats: total=24, handled=24, accepted=24 last_rx=1224329, last_tx=1224329, error_rx=2, error_tx=0
max_num_tasks=200, num_tasks=0, mem_used=0, ttl_drops=0, xfer_status=0

  • Checking FortiSandbox analysis statistics:

FGT_FL_FULL (global) # diagnose test application quarantine 7

Total: 0
Statistics:
vfid: 0, detected: 0, clean: 0, risk_low: 0, risk_med: 0, risk_high: 0, limit_reached:0
vfid: 3, detected: 0, clean: 0, risk_low: 0, risk_med: 0, risk_high: 0, limit_reached:0
vfid: 4, detected: 0, clean: 0, risk_low: 0, risk_med: 0, risk_high: 0, limit_reached:0

FGT_FL_FULL (global) #

  • Update Daemon debug:

FGT_FL_FULL (global) # diagnose debug application quarantined -1
FGT_FL_FULL (global) # diagnose debug enable

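The submission limits listed under Support and limitations above (100 submissions per day without a valid AVDB license, and a model-dependent per-minute rate) surface in the Cloud diagnostics as per-minute:10, last_min_count and last_vol_count in the forticloud-fsb section of diagnose test application quarantined 2, and the controller side surfaces as the APT server lines of diagnose test application forticldd 3. The following added Python example (my code, not Fortinet's and not from the original page) parses both listings and produces a quota and health summary for the cloud sandbox path. The 100-per-day figure is the page's; treating last_vol_count as the submissions made since the previous next_vol_reset_tm reset is my assumption, and the non-zero submission counters in the constructed sample are mine so that the arithmetic has something to show.

```python
import re
from typing import Dict, Optional

# Constructed sample: the page's forticldd 3 zone info (the "<====" markers left out).
ZONE_INFO = """\
Debug zone info:
Domain:
Home log server: 0.0.0.0:0
Alt log server: 0.0.0.0:0
Active Server IP:      0.0.0.0
Active Server status: down
Log quota:      0MB
Log used:       0MB
Daily volume: 0MB
fams archive pause: 0
APTContract : 1
APT server: 172.16.102.51:514
APT Altserver: 172.16.102.52:514
Active APTServer IP:       172.16.102.51
Active APTServer status: up
"""

# Constructed sample: the page's quarantined 2 output, with the forticloud-fsb analytics
# counters, last_min_count and last_vol_count changed from 0 to constructed non-zero values.
QUARANTINED_2 = """\
Quarantine daemon state:
QUAR mem: mem_used=0, mem_limit=97269, threshold=72951
xfer-fas:
ips: total=0, handled=0, accepted=0
analytics: total=0, handled=0, accepted=0, local_dups=0
max_num_tasks=10000, num_tasks=0, mem_used=0, ttl_drops=0, xfer_status=0
forticloud-fsb:
ips: total=0, handled=0, accepted=0
quar: total=0, handled=0, accepted=0
archive: total=0, handled=0, accepted=0
analytics: total=96, handled=96, accepted=94, local_dups=0
num_buffer=0(per-minute:10) last_min_count=7 last_vol_count=94 next_vol_reset_tm='Sun Feb 17 00:00:00 2019
'
analytics stats: total=24, handled=24, accepted=24 last_rx=1224329, last_tx=1224329, error_rx=2, error_tx=0
max_num_tasks=200, num_tasks=0, mem_used=0, ttl_drops=0, xfer_status=0
"""

NUM_RE = re.compile(r"([A-Za-z_]+)=(\d+)")


def parse_zone_info(text: str) -> Dict[str, str]:
    """'Key : value' lines of forticldd 3 into a dict; spacing around ':' varies by line."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?)\s*:\s*(.*)$", line.strip())
        if m:
            # drop the "<====" highlight markers if the text was pasted with them
            fields[m.group(1)] = m.group(2).replace("<====", "").strip()
    return fields


def parse_cloud_counters(text: str, section: str = "forticloud-fsb") -> Dict[str, int]:
    """Integer counters of one device section of quarantined 2, keyed 'label.name'."""
    counters: Dict[str, int] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if re.fullmatch(r"\S+:", line):              # section header such as "forticloud-fsb:"
            in_section = line[:-1] == section
            continue
        if not in_section:
            continue
        label, sep, rest = line.partition(":")
        if sep and "=" not in label:                 # "analytics stats: total=24, ..."
            prefix, body = label.strip() + ".", rest
        else:                                        # "max_num_tasks=200, ..." (no label)
            prefix, body = "", line
        for key, value in NUM_RE.findall(body):
            counters[prefix + key] = int(value)
        m = re.search(r"per-minute:(\d+)", line)     # "num_buffer=0(per-minute:10)"
        if m:
            counters["per_minute_limit"] = int(m.group(1))
    return counters


def assess_cloud_sandbox(zone: Dict[str, str], counters: Dict[str, int], has_avdb_license: bool) -> dict:
    """Combine APT server state with the submission counters into a quota/health view."""
    findings = []
    status = zone.get("Active APTServer status", "unknown")
    if zone.get("APTContract") != "1":
        findings.append("no FortiSandbox Cloud contract (APTContract != 1)")
    if status != "up":
        findings.append(f"active APT server {zone.get('Active APTServer IP', '?')} is {status}")
    per_min = counters.get("per_minute_limit")
    last_min = counters.get("last_min_count", 0)
    if per_min is not None and last_min >= per_min:
        findings.append(f"per-minute submission limit hit ({last_min}/{per_min})")
    # the page's daily cap: 100 submissions without an AVDB license, unlimited with one
    daily_cap: Optional[int] = None if has_avdb_license else 100
    used = counters.get("last_vol_count", 0)          # assumption: submissions since last reset
    remaining = None if daily_cap is None else max(daily_cap - used, 0)
    if daily_cap is not None and used >= daily_cap:
        findings.append(f"daily cap reached ({used}/{daily_cap}); a valid AVDB license lifts the 100/day limit")
    # error_rx may sit on the "analytics stats:" line or on a continuation line without the label
    rx_errors = counters.get("analytics stats.error_rx", counters.get("error_rx", 0))
    if rx_errors:
        findings.append(f"{rx_errors} receive error(s) on the analytics stats exchange")
    return {"status": status, "per_minute_limit": per_min, "last_min_count": last_min,
            "daily_cap": daily_cap, "daily_used": used, "daily_remaining": remaining,
            "findings": findings}


if __name__ == "__main__":
    print(assess_cloud_sandbox(parse_zone_info(ZONE_INFO), parse_cloud_counters(QUARANTINED_2),
                               has_avdb_license=False))
```

Passing has_avdb_license explicitly rather than reading it from the listing is deliberate: the License=0 field in the quarantine 1 output is not documented on the page as the AVDB entitlement, so the example takes the entitlement from the operator and leaves the counters to speak for themselves.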

Best Practices – General Considerations


General Considerations

  1. For security purposes, NAT mode is preferred because all of the internal or DMZ networks can have secure private addresses. NAT mode policies use network address translation to hide the addresses in a more secure zone from users in a less secure zone.
  2. Use virtual domains (VDOMs) to group related interfaces or VLAN subinterfaces. Using VDOMs will partition networks and create added security by limiting the scope of threats.
  3. Use Transparent mode when a network is complex and does not allow for changes in the IP addressing scheme.

Best Practices – Performance


Performance

  • Disable any management features you do not need. If you don’t need SSH or SNMP, disable them. SSH also provides another possibility for would-be hackers to infiltrate your FortiGate unit.
  • Put the most used firewall rules to the top of the interface list.
  • Log only necessary traffic. The writing of logs, especially if to an internal hard disk, slows down performance.
  • Enable only the required application inspections.
  • Keep alert systems to a minimum. If you send logs to a syslog server, you may not need SNMP or email alerts, making for redundant processing.
  • Establish scheduled FortiGuard updates at a reasonable rate. Daily updates occurring every 4-5 hours are sufficient for most situations. In more heavy-traffic situations, schedule updates for the evening when more bandwidth can be available.
  • Keep security profiles to a minimum. If you do not need a profile on a firewall rule, do not include it.
  • Keep VDOMs to a minimum. On low-end FortiGate units, avoid using them if possible.
  • Avoid traffic shaping if you need maximum performance. Traffic shaping, by definition, slows down traffic.

Best Practices – Shutting Down


Shutting down

Always shut down the FortiGate operating system properly before turning off the power switch to avoid potentially catastrophic hardware problems.

To power off the FortiGate unit – web-based manager:

  1. Go to Dashboard.
  2. In the System Resources widget, select Shutdown.

To power off the FortiGate unit – CLI:

execute shutdown

Once this has been done, you can safely turn off the power switch or disconnect the power cables from the power supply.
