FortiWeb
To be able to offload HTTP inspection to a FortiWeb device you should:
1. Go to System > External Security Devices, enable HTTP Service, select FortiWeb and add the IP address of your FortiWeb device.
2. Go to Policy & Objects > IPv4 Policy, add or edit a firewall policy and select Web Application Firewall. When you add Web Application Firewall to a firewall policy, web traffic accepted by the policy is offloaded to the FortiWeb device for processing.
Enabling FortiWeb on the External Security Devices page adds the following configuration to the CLI:
config system wccp
    set service-id 51
    set router-id 5.5.5.5 (the IP address of the FortiGate interface that communicates with the FortiWeb)
    set group-address 0.0.0.0
    set server-list 5.5.5.25 255.255.255.255 (the IP address of the FortiWeb)
    set authentication disable
    set forward-method GRE
    set return-method GRE
    set assignment-method HASH
end
FortiCache
To be able to offload Web Caching to a FortiCache device you should:
1. Go to System > External Security Devices, enable HTTP Service, select FortiCache and add the IP address of your FortiCache device.
2. Go to Policy & Objects > IPv4 Policy, add or edit a firewall policy and select Web Cache.
When you add web caching to a firewall policy, web traffic accepted by the policy is offloaded to the FortiCache device for processing.
Enabling FortiCache on the External Security Devices page adds the following configuration to the CLI:
config system wccp
    set service-id 51
    set router-id 5.5.5.5 (the IP address of the FortiGate interface that communicates with the FortiCache)
    set group-address 0.0.0.0
    set server-list 5.5.5.45 255.255.255.255 (the IP address of the FortiCache)
    set authentication disable
    set forward-method GRE
    set return-method GRE
    set assignment-method HASH
end
FortiMail
To be able to offload Anti-Spam processing to a FortiMail device you should:
1. Go to System > Feature Select and turn on Anti-Spam Filter.
2. Go to System > External Security Devices, enable SMTP Service – FortiMail and add the IP address of your FortiMail device.
3. Go to Security Profiles > Anti-Spam and edit an Anti-Spam profile and set Inspection Device to External.
4. Go to Policy & Objects > IPv4 Policy, add or edit a firewall policy, enable Anti-Spam and select the profile for which you set Inspection Device to External.
When you add this Anti-Spam profile to a firewall policy, email traffic accepted by the policy is offloaded to the FortiMail device for processing.
If your FortiGate or VDOM inspection mode is set to flow-based you must use the CLI to set an Anti-Spam profile to external mode and add the Anti-Spam profile to a firewall policy.
Enabling FortiMail on the External Security Devices page adds the following configuration to the CLI:
config system wccp
    set service-id 52
    set router-id 5.5.5.5 (the IP address of the FortiGate interface that communicates with the FortiMail)
    set group-address 0.0.0.0
    set server-list 5.5.5.65 255.255.255.255 (the IP address of the FortiMail)
    set authentication disable
    set forward-method GRE
    set return-method GRE
    set assignment-method HASH
end
Selecting External in the Anti-Spam profile adds the following configuration to the CLI:
config spamfilter profile
    edit default
        set external enable
end
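The three config system wccp blocks above share one shape: a service-id (51 for the HTTP services, 52 for SMTP), the FortiGate router-id, a single /32 server-list entry for the external device, and authentication disabled. The following added example (not from the FortiOS handbook; the sample text is constructed from the page and the function names are my own) parses that CLI output and reports what a reviewer would flag before putting the offload into production:

```python
# Parse the 'config system wccp' block this page shows and audit it. Added
# example, not from the FortiOS handbook; the sample text is constructed from
# the page and the function names are my own.
SAMPLE = """\
config system wccp
    set service-id 51
    set router-id 5.5.5.5
    set group-address 0.0.0.0
    set server-list 5.5.5.25 255.255.255.255
    set authentication disable
    set forward-method GRE
    set return-method GRE
    set assignment-method HASH
end
"""

# service-id values the page documents for each offload type
SERVICE_IDS = {"51": "HTTP (FortiWeb/FortiCache)", "52": "SMTP (FortiMail)"}

def parse_fortios(text):
    """{section: {entry: {key: value}}}; 'set' lines with no 'edit' use entry ''."""
    cfg, section, entry = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section, entry = line[7:], ""
            cfg.setdefault(section, {}).setdefault("", {})
        elif line.startswith("edit "):
            entry = line[5:].strip('"')
            cfg[section].setdefault(entry, {})
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            cfg[section][entry][key] = value
        elif line == "next":
            entry = ""
        elif line == "end":
            section, entry = None, ""
    return cfg

def audit_wccp(cfg):
    """Return findings a reviewer would raise about the WCCP entry."""
    w = cfg.get("system wccp", {}).get("", {})
    findings = []
    if w.get("service-id") not in SERVICE_IDS:
        findings.append("service-id is not a documented value (51 HTTP, 52 SMTP)")
    if w.get("authentication") != "enable":
        findings.append("WCCP authentication disabled: peer device not verified")
    if not w.get("server-list", "").endswith(" 255.255.255.255"):
        findings.append("server-list should be the device's single /32 address")
    return findings
```

The same parser handles the edit/next form used by the spamfilter and waf profile blocks, so one function can check that the profile really has external enabled.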
Web Application Firewall
Go to Security Profiles > Web Application Firewall. From here you can customize the default Web Application Firewall profile, or create new profiles, to protect against a variety of web-based threats. Web Application Firewall profiles can be created with a variety of options (Signatures and Constraints), similar to other security profiles.
You can set the Web Application Firewall to use an External Security Device, such as FortiWeb, by setting Inspection Device to External.
Selecting External in the Web Application Firewall profile adds the following configuration to the CLI:
config waf profile
    edit default
        set external enable
end
You must add the Web Application Firewall profile to a firewall policy in order for that traffic to be offloaded to the External Security Device for processing.
If your FortiGate or VDOM inspection mode is set to flow-based you must use the CLI to set a Web Application Firewall profile to external mode and add the Web Application Firewall profile to a firewall policy.
For more information on this configuration and others, see the FortiWeb Administration Guide.
CPU allocation and tuning commands to survive reboot
CPU affinity, whereby a process will execute on a specific CPU, can be changed so it survives a reboot.
CLI Syntax:
config system global
    set av-affinity xxxxxxxx_xxxxxxxx
    set ips-affinity xxxxxxxx_xxxxxxxx
    set miglog-affinity xxxxxxxx_xxxxxxxx
end
av-affinity: Affinity setting for AV scanning (64-bit hexadecimal value in the format xxxxxxxx_xxxxxxxx).
ips-affinity: Affinity setting for IPS (64-bit hexadecimal value in the format xxxxxxxx_xxxxxxxx; the number of allowed CPUs must be less than the total number of IPS engine daemons). This option is only available if the FortiGate includes NP6 processors and supports NTurbo.
miglog-affinity: Affinity setting for logging (64-bit hexadecimal value in the format xxxxxxxx_xxxxxxxx).
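The affinity value is a bit mask: bit n set means the process may run on CPU n, written as two 32-bit hex halves joined by an underscore. The following added example (not from the FortiOS handbook; the function names and the IPS engine count passed to the check are my own assumptions) builds a mask from a CPU list, decodes one back, applies the ips-affinity constraint stated above, and emits the config system global block:

```python
# Build, decode and check FortiOS CPU affinity masks in the
# xxxxxxxx_xxxxxxxx format described above. Added example, not from the
# FortiOS handbook; function names and the IPS engine count are my own.

def cpus_to_affinity(cpus):
    """64-bit hex mask with bit n set for each allowed CPU n."""
    mask = 0
    for cpu in cpus:
        if not 0 <= cpu < 64:
            raise ValueError(f"CPU index {cpu} outside 0..63")
        mask |= 1 << cpu
    # high 32 bits, underscore, low 32 bits, zero-padded to 8 hex digits each
    return f"{mask >> 32:08x}_{mask & 0xFFFFFFFF:08x}"

def affinity_to_cpus(value):
    """Inverse of cpus_to_affinity; rejects anything not in the documented format."""
    hi, sep, lo = value.partition("_")
    if sep != "_" or len(hi) != 8 or len(lo) != 8:
        raise ValueError(f"affinity {value!r} is not xxxxxxxx_xxxxxxxx")
    mask = (int(hi, 16) << 32) | int(lo, 16)
    return [n for n in range(64) if mask >> n & 1]

def ips_affinity_ok(value, ips_engines):
    """Page constraint: allowed CPUs must be fewer than the IPS engine daemons."""
    return len(affinity_to_cpus(value)) < ips_engines

def render_cli(av=None, ips=None, miglog=None):
    """Emit the 'config system global' block that survives a reboot."""
    lines = ["config system global"]
    for name, cpus in (("av-affinity", av), ("ips-affinity", ips),
                       ("miglog-affinity", miglog)):
        if cpus is not None:  # only emit the settings the caller asked for
            lines.append(f"    set {name} {cpus_to_affinity(cpus)}")
    lines.append("end")
    return "\n".join(lines)
```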