FortiOS-7.4.5-Administration - Guide (2) - Parte1

Administration Guide

FortiOS 7.4.5
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com

FORTINET VIDEO LIBRARY
https://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com

FORTINET TRAINING & CERTIFICATION PROGRAM
https://www.fortinet.com/training-certification

FORTINET TRAINING INSTITUTE
https://training.fortinet.com

FORTIGUARD LABS
https://www.fortiguard.com

END USER LICENSE AGREEMENT
https://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: [email protected]
November 19, 2024


FortiOS 7.4.5 Administration Guide
01-745-902083-20241119
TABLE OF CONTENTS

Change Log 27
Getting started 28
Summary of steps 29
Setting up FortiGate for management access 30
Completing the FortiGate Setup wizard 31
Configuring basic settings 31
Registering FortiGate 35
Configuring a firewall policy 36
Backing up the configuration 37
Troubleshooting your installation 38
Using the GUI 39
Connecting using a web browser 39
Menus 40
Tables 41
Entering values 45
GUI-based global search 47
Loading artifacts from a CDN 48
Accessing additional support resources 48
Command palette 49
Recovering missing graphical components 51
Using the CLI 53
Connecting to the CLI 53
CLI basics 56
Command syntax 62
Subcommands 64
Permissions 67
Configuration and management 67
Using FortiExplorer Go and FortiExplorer 68
Migrating a configuration with FortiConverter 76
Accessing Fortinet Developer Network 82
Terraform: FortiOS as a provider 86
Product registration with FortiCare 90
FortiCare and FortiGate Cloud login 90
FortiCare Register button 93
Transfer a device to another FortiCloud account 94
Deregistering a FortiGate 96
FortiGate models 97
Differences between models 98
Low encryption models 98
LEDs 98
Proxy-related features not supported on FortiGate 2 GB RAM models 101
Dashboards and Monitors 103
Using dashboards 103
Using widgets 105
Widgets 106

FortiOS 7.4.5 Administration Guide 3


Fortinet Inc.
Viewing device dashboards in the Security Fabric 109
Creating a fabric system and license dashboard 110
Example 110
Dashboards 111
Resetting the default dashboard template 112
Status dashboard 112
Security dashboard 115
Network dashboard 117
Assets & Identities 124
WiFi dashboard 129
Monitors 135
Non-FortiView monitors 135
FortiView monitors 135
FortiView monitors 136
Adding FortiView monitors 137
Using the FortiView interface 139
Enabling FortiView from devices 143
FortiView sources 145
FortiView Sessions 146
FortiView Top Source and Top Destination Firewall Objects monitors 148
Viewing top websites and sources by category 150
Cloud application view 152
Network 162
Interfaces 162
Interface settings 164
Physical interface 193
VLAN 194
Aggregation and redundancy 208
Loopback interface 217
Software switch 218
Hardware switch 220
Zone 226
Virtual wire pair 228
Enhanced MAC VLAN 235
VXLAN 237
DNS 272
Important DNS CLI commands 273
DNS domain list 276
FortiGate DNS server 278
DDNS 285
DNS latency information 289
DNS over TLS and HTTPS 291
Transparent conditional DNS forwarder 295
Interfaces in non-management VDOMs as the source IP address of the DNS conditional forwarding server 299
DNS session helpers 301
DNS troubleshooting 302
Explicit and transparent proxies 304
Explicit web proxy 305
FTP proxy 309
Transparent proxy 312
Proxy policy addresses 315
Proxy policy security profiles 322
Explicit proxy authentication 326
Transparent web proxy forwarding 333
Transparent web proxy forwarding over IPv6 336
Upstream proxy authentication in transparent proxy mode 338
Multiple dynamic header count 339
Restricted SaaS access 342
Explicit proxy and FortiGate Cloud Sandbox 350
Proxy chaining 352
WAN optimization SSL proxy chaining 357
Agentless NTLM authentication for web proxy 365
Multiple LDAP servers in Kerberos keytabs and agentless NTLM domain controllers 368
Learn client IP addresses 369
Explicit proxy authentication over HTTPS 370
mTLS client certificate authentication 372
CORS protocol in explicit web proxy when using session-based, cookie-enabled, and captive portal-enabled SAML authentication 377
Display CORS content in an explicit proxy environment 381
HTTP connection coalescing and concurrent multiplexing for explicit proxy 383
Secure explicit proxy 385
Secure explicit proxy with client certificates 388
Explicit proxy logging 390
Configuring fast fallback for explicit proxy 395
Forward HTTPS requests to a web server without the need for an HTTP CONNECT message 398
DHCP servers and relays 400
Default DHCP server for entry-level FortiGates 400
Basic configuration 400
DHCP options 404
DHCP addressing mode on an interface 411
VCI pattern matching for DHCP assignment 414
DHCP shared subnet 415
Multiple DHCP relay servers 417
DHCP smart relay on interfaces with a secondary IP 419
FortiGate DHCP works with DDNS to allow FQDN connectivity to leased IP addresses 421
Static routing 421
Routing concepts 422
Policy routes 436
Equal cost multi-path 438
Dual internet connections 442
Dynamic routing 448
RIP 449
OSPF 468
BGP 485
BFD 536
Routing objects 544
Multicast 554
Multicast routing and PIM support 554
Configuring multicast forwarding 555
Using IPS inspection for multicast UDP traffic 561
FortiExtender 564
WAN extension mode 564
LAN extension mode 564
Maximum FortiExtender devices supported per mode 564
Adding a FortiExtender 565
Direct IP support for LTE/4G 567
Sample LTE interface 568
Limitations 569
Cellular interface support for IPv6 570
Example 570
Active SIM card switching 573
Example 1 575
Example 2 576
Example 3 578
Airplane mode and LTE/BLE 580
Example 580
Upgrade LTE modem firmware directly from FortiGuard 582
LLDP reception 583
Virtual routing and forwarding 586
Implementing VRF 586
VRF routing support 587
Route leaking between VRFs with BGP 596
Route leaking between multiple VRFs 599
VRF with IPv6 609
IBGP and EBGP support in VRF 613
Support cross-VRF local-in and local-out traffic for local services 615
NetFlow 617
Verification and troubleshooting 619
NetFlow templates 619
NetFlow on FortiExtender and tunnel interfaces 631
Allow multiple Netflow collectors 635
sFlow 640
Configuring sFlow 641
Link monitor 646
Link monitor with route updates 647
Enable or disable updating policy routes when link health monitor fails 648
Add weight setting on each link health monitor server 650
SLA link monitoring for dynamic IPsec and SSL VPN tunnels 653
IPv6 656
IPv6 overview 656
IPv6 quick start 657
Neighbor discovery proxy 661
IPv6 address assignment 663
NAT66, NAT46, NAT64, and DNS64 675
DHCPv6 relay 687
IPv6 tunneling 687
IPv6 Simple Network Management Protocol 698
Dynamic routing in IPv6 701
IPv6 configuration examples 703
FortiGate LAN extension 746
Example CLI configuration 747
Example GUI configuration 753
DHCP client mode for inter-VDOM links 758
FortiGate secure edge to FortiSASE 759
WiFi access point with internet connectivity 762
SCTP packets with zero checksum on the NP7 platform 770
Industrial Connectivity 771
Sample configuration to convert IEC 60870-5-101 serial to IEC 60870-5-104 TCP/IP transport 772
Sample configuration to convert Modbus serial to Modbus TCP 774
Diagnostics 775
Using the packet capture tool 775
Using the debug flow tool 781
SD-WAN 785
SD-WAN overview 785
SD-WAN components and design principles 785
SD-WAN designs and architectures 788
SD-WAN quick start 789
Configuring the SD-WAN interface 789
Adding a static route 791
Selecting the implicit SD-WAN algorithm 792
Configuring firewall policies for SD-WAN 792
Link monitoring and failover 793
Results 794
Configuring SD-WAN in the CLI 797
SD-WAN members and zones 799
Topology 800
Configuring SD-WAN member interfaces 800
Configuring SD-WAN zones 802
Using SD-WAN zones 803
Specify an SD-WAN zone in static routes and SD-WAN rules 805
Defining a preferred source IP for local-out egress interfaces on SD-WAN members 810
Performance SLA 811
Performance SLA overview 812
Link health monitor 817
Monitoring performance SLA 819
Passive WAN health measurement 824
Passive health-check measurement by internet service and application 829
Mean opinion score calculation and logging in performance SLA health checks 834
Embedded SD-WAN SLA information in ICMP probes 836
SD-WAN application monitor using FortiMonitor 845
Classifying SLA probes for traffic prioritization 849
SD-WAN rules 854
SD-WAN rules overview 854
Implicit rule 862
Automatic strategy 866
Manual strategy 867
Best quality strategy 870
Lowest cost (SLA) strategy 874
Load balancing strategy 880
SD-WAN traffic shaping and QoS 881
SDN dynamic connector addresses in SD-WAN rules 886
Application steering using SD-WAN rules 888
DSCP tag-based traffic steering in SD-WAN 901
ECMP support for the longest match in SD-WAN rule matching 908
Override quality comparisons in SD-WAN longest match rule matching 910
Internet service and application control steering 913
Use maximize bandwidth to load balance traffic between ADVPN shortcuts 922
Use SD-WAN rules to steer multicast traffic 929
Use SD-WAN rules for WAN link selection with load balancing 943
Advanced routing 949
Local out traffic 950
Using BGP tags with SD-WAN rules 955
BGP multiple path support 959
Controlling traffic with BGP route mapping and service rules 961
Applying BGP route-map to multiple BGP neighbors 968
Using multiple members per SD-WAN neighbor configuration 974
VPN overlay 980
ADVPN 2.0 edge discovery and path management 980
ADVPN and shortcut paths 994
Active dynamic BGP neighbor triggered by ADVPN shortcut 1007
SD-WAN monitor on ADVPN shortcuts 1017
Hold down time to support SD-WAN service strategies 1018
Adaptive Forward Error Correction 1020
Dual VPN tunnel wizard 1024
Duplicate packets on other zone members 1025
Duplicate packets based on SD-WAN rules 1028
Interface based QoS on individual child tunnels based on speed test results 1030
SD-WAN in large scale deployments 1033
Keeping sessions in established ADVPN shortcuts while they remain in SLA 1044
SD-WAN multi-PoP multi-hub large scale design and failover 1050
Using a single IKE elector in ADVPN to match all SD-WAN control plane traffic 1069
SD-WAN Overlay-as-a-Service 1076
Advanced configuration 1079
SD-WAN with FGCP HA 1079
Configuring SD-WAN in an HA cluster using internal hardware switches 1086
SD-WAN configuration portability 1089
SD-WAN segmentation over a single overlay 1095
SD-WAN segmentation over a single overlay using IPv6 1110
Matching BGP extended community route targets in route maps 1117
Copying the DSCP value from the session original direction to its reply direction 1122
SD-WAN cloud on-ramp 1125
Configuring the VPN overlay between the HQ FortiGate and cloud FortiGate-VM 1126
Configuring the VPN overlay between the HQ FortiGate and AWS native VPN gateway 1131
Configuring the VIP to access the remote servers 1135
Configuring the SD-WAN to steer traffic between the overlays 1137
Verifying the traffic 1141
SD-WAN Network Monitor service 1148
CLI speed test 1149
GUI speed test 1150
Scheduled interface speed test 1151
Hub and spoke speed tests 1152
Running speed tests from the hub to the spokes in dial-up IPsec tunnels 1156
Running speed tests from spokes to the hub in dial-up IPsec tunnels 1161
Speed test usage 1169
Speed test examples 1171
Troubleshooting SD-WAN 1177
Tracking SD-WAN sessions 1177
Understanding SD-WAN related logs 1177
SD-WAN related diagnose commands 1180
Using SNMP to monitor health check 1185
Zero Trust Network Access 1189
Zero Trust Network Access introduction 1189
ZTNA application gateway and IP/MAC based access control 1189
ZTNA telemetry, tags, and policy enforcement 1190
Application gateway 1190
Basic ZTNA configuration components 1191
Basic ZTNA configuration 1192
Establish device identity and trust context with FortiClient EMS 1203
SSL certificate based authentication 1211
Full versus simple ZTNA policies 1213
ZTNA advanced configurations 1219
Access control of unmanageable and unknown devices 1219
HTTP2 connection coalescing and concurrent multiplexing for ZTNA 1225
Fabric integration with FortiGSLB 1228
ZTNA configuration examples 1232
ZTNA HTTPS access proxy example 1232
ZTNA HTTPS access proxy with basic authentication example 1243
ZTNA TCP forwarding access proxy example 1250
ZTNA TCP forwarding access proxy with FQDN example 1257
ZTNA SSH access proxy example 1260
ZTNA application gateway with SAML authentication example 1267
ZTNA application gateway with SAML and MFA using FortiAuthenticator example 1271
Secure LDAP connection from FortiAuthenticator with zero trust tunnel example 1288
ZTNA IP MAC based access control example 1288
ZTNA IPv6 examples 1295
ZTNA Zero Trust application gateway example 1301
ZTNA inline CASB for SaaS application access control 1302
ZTNA application gateway with KDC to access shared drives 1306
Custom replacement message for ZTNA virtual hosts 1312
ZTNA troubleshooting and debugging commands 1314
Troubleshooting usage and output 1315
ZTNA troubleshooting scenarios 1319
ZTNA access control 1319
IP/MAC based access control 1321
Other useful CLI commands 1323
Policy and Objects 1324
Policies 1324
Firewall policy 1325
NGFW policy 1347
Local-in policy 1363
DoS policy 1368
Access control lists 1375
Interface policies 1376
Source NAT 1377
Destination NAT 1400
Examples and policy actions 1424
Address objects 1469
Address Types 1469
Address Group 1471
Subnet 1472
Dynamic policy — Fabric devices 1473
IP range 1475
FQDN addresses 1475
Using wildcard FQDN addresses in firewall policies 1476
Geography based addresses 1479
IPv6 geography-based addresses 1481
Wildcard addressing 1483
Interface subnet 1484
Address group 1486
Address folders 1487
Allow empty address groups 1488
Address group exclusions 1489
FSSO dynamic address subtype 1490
ClearPass integration for dynamic address objects 1493
FortiNAC tag dynamic address 1496
FortiVoice tag dynamic address 1500
MAC addressed-based policies 1503
ISDB well-known MAC address list 1505
IPv6 MAC addresses and usage in firewall policies 1507
Protocol options 1508
Log oversized files 1508
RPC over HTTP 1508
Protocol port mapping 1509
Common options 1509
Web options 1510
Email options 1510
Stripping the X-Forwarded-For value in the HTTP header 1511
Traffic shaping 1514
Configuration methods 1514
Traffic shaping policy 1516
Traffic shaping policies 1516
Traffic shaping profiles 1526
Traffic shapers 1536
Global traffic prioritization 1552
DSCP matching and DSCP marking 1555
Examples 1562
Internet Services 1579
Using Internet Service in a policy 1580
Using custom Internet Service in policy 1583
Using extension Internet Service in policy 1585
Global IP address information database 1588
IP reputation filtering 1590
Internet service groups in policies 1591
Allow creation of ISDB objects with regional information 1595
Internet service customization 1597
Look up IP address information from the Internet Service Database page 1598
Internet Service Database on-demand mode 1599
Enabling the ISDB cache in the FortiOS kernel 1602
Security Profiles 1604
Inspection modes 1604
Flow mode inspection (default mode) 1605
Proxy mode inspection 1605
Inspection mode feature comparison 1606
Antivirus 1609
Antivirus introduction 1609
Advanced configurations 1633
Configuration examples 1656
Web filter 1665
Web filter introduction 1665
Advanced CLI configuration 1694
Configuration examples 1704
Video filter 1712
Configuring a video filter profile 1712
YouTube API key 1713
Filtering based on FortiGuard categories 1713
Filtering based on YouTube channel 1717
Filtering based on title 1719
Filtering based on description 1720
Configuring a video filter keyword list 1722
Replacement messages displayed in blocked videos 1724
DNS filter 1725
DNS filter behavior in proxy mode 1726
FortiGuard DNS rating service 1726
Configuring a DNS filter profile 1727
FortiGuard category-based DNS domain filtering 1732
Botnet C&C domain blocking 1735
DNS safe search 1738
Local domain filter 1740
DNS translation 1745
Applying DNS filter to FortiGate DNS server 1748
DNS inspection with DoT and DoH 1749
DNS over QUIC and DNS over HTTP3 for transparent and local-in DNS modes 1752
Troubleshooting for DNS filter 1758
Application control 1760
Configuring an application sensor 1761
Basic category filters and overrides 1762
Excluding signatures in application control profiles 1766
Port enforcement check 1768
Protocol enforcement 1768
SSL-based application detection over decrypted traffic in a sandwich topology 1770
Matching multiple parameters on application control signatures 1771
Application signature dissector for DNP3 1774
Inline CASB 1774
Inline CASB examples 1775
Intrusion prevention 1794
Signature-based defense 1796
Configuring an IPS sensor 1799
IPS configuration options 1802
SCTP filtering capabilities 1807
Diameter protocol inspection 1810
IPS signature filter options 1814
IPS with botnet C&C IP blocking 1818
IPS signatures for the operational technology security service 1821
IPS sensor for IEC 61850 MMS protocol 1823
File filter 1824
Configuring a file filter profile 1826
Supported file types 1830
Email filter 1833
Protocol comparison between email filter inspection modes 1833
Configuring an email filter profile 1834
Local-based filters 1834
FortiGuard-based filters 1841
Third-party-based filters 1843
Filtering order 1844
Protocols and actions 1845
Configuring webmail filtering 1847
VoIP solutions 1847
General use cases 1848
NAT46 and NAT64 for SIP ALG 1852
SIP message inspection and filtering 1860
SIP ALG and SIP session helper 1865
SIP pinholes 1870
SIP over TLS 1872
Voice VLAN auto-assignment 1874
Scanning MSRP traffic 1875
ICAP 1879
ICAP configuration example 1880
ICAP response filtering 1882
Secure ICAP clients 1884
ICAP scanning with SCP and FTP 1885
Domain name in XFF with ICAP 1888
Web application firewall 1892
Protecting a server running web applications 1892
Data loss prevention 1895
Protocol comparison between DLP inspection modes 1896
Archiving 1896
Logging and blocking files by file name 1896
DLP techniques 1897
Basic DLP settings 1898
Advanced DLP configurations 1903
DLP fingerprinting 1906
FortiGuard DLP service 1910
Sensitivity labels 1914
Exact data matching 1918
DLP examples 1926
Virtual patching 1952
Virtual patching profiles 1952
Virtual patching signatures 1954
License and entitlement information 1955
OT virtual patching basic examples 1956
OT and IoT virtual patching on NAC policies 1962
SSL & SSH Inspection 1965
Configuring an SSL/SSH inspection profile 1966
Certificate inspection 1969
Deep inspection 1971
Protecting an SSL server 1974
Handling SSL offloaded traffic from an external decryption device 1975
SSH traffic file scanning 1977
Redirect to WAD after handshake completion 1979
HTTP/2 support in proxy mode SSL inspection 1980
Define multiple certificates in an SSL profile in replace mode 1981
Disabling the FortiGuard IP address rating 1983
Block or allow ECH TLS connections 1984
Custom signatures 1993
Configuring custom signatures 1994
Blocking applications with custom signatures 1995
Filters for application control groups 1998
Application groups in traffic shaping policies 2001
Overrides 2005
Web rating override 2005
Using local and remote categories 2014
Web profile override 2016
IP ban 2020
IP ban using the CLI 2021
IP ban using security profiles 2022
Configuring the persistency for a banned IP list 2024
Profile groups 2025
IPsec VPN 2029
General IPsec VPN configuration 2029
Network topologies 2029
Phase 1 configuration 2030
Phase 2 configuration 2047
VPN security policies 2052
Blocking unwanted IKE negotiations and ESP packets with a local-in policy 2054
Configurable IKE port 2056
IPsec VPN IP address assignments 2059
Renaming IPsec tunnels 2062
Site-to-site VPN 2064
FortiGate-to-FortiGate 2064
FortiGate-to-third-party 2092
Remote access 2117
FortiGate as dialup client 2118
FortiClient as dialup client 2124
Add FortiToken multi-factor authentication 2128
Add LDAP user authentication 2129
iOS device as dialup client 2130
IKE Mode Config clients 2134
IPsec VPN with external DHCP service 2138
L2TP over IPsec 2142
Tunneled Internet browsing 2146
Dialup IPsec VPN with certificate authentication 2151
SAML-based authentication for FortiClient remote access dialup IPsec VPN clients 2161
Enhancing IPsec security using EMS SN verification 2179
IPsec split DNS 2180
Aggregate and redundant VPN 2181
Manual redundant VPN configuration 2181
OSPF with IPsec VPN for network redundancy 2184
IPsec VPN in an HA environment 2191
Packet distribution and redundancy for aggregate IPsec tunnels 2197
Packet distribution for aggregate dial-up IPsec tunnels using location ID 2208
Packet distribution for aggregate static IPsec tunnels in SD-WAN 2212
Packet distribution for aggregate IPsec tunnels using weighted round robin 2217
Redundant hub and spoke VPN 2218
ADVPN 2224
IPsec VPN wizard hub-and-spoke ADVPN support 2224
ADVPN with BGP as the routing protocol 2228
ADVPN with OSPF as the routing protocol 2238
ADVPN with RIP as the routing protocol 2247
UDP hole punching for spokes behind NAT 2255
Fabric Overlay Orchestrator 2258
Prerequisites 2259
Network topology 2259
Using the Fabric Overlay Orchestrator 2260
Other VPN topics 2278
VPN and ASIC offload 2278
Encryption algorithms 2288
Fragmenting IP packets before IPsec encapsulation 2296
Configure DSCP for IPsec tunnels 2296
Defining gateway IP addresses in IPsec with mode-config and DHCP 2298
FQDN support for remote gateways 2300
Windows IKEv2 native VPN with user certificate 2302
IPsec IKE load balancing based on FortiSASE account information 2315
IPsec SA key retrieval from a KMS server using KMIP 2317
IPsec key retrieval with a QKD system using the ETSI standardized API 2328
Securely exchange serial numbers between FortiGates connected with IPsec VPN 2332
Multiple interface monitoring for IPsec 2336
Encapsulate ESP packets within TCP headers 2342
Cross-validation for IPsec VPN 2348
Resuming sessions for IPsec tunnel IKE version 2 2350
VPN IPsec troubleshooting 2353
Understanding VPN related logs 2353
IPsec related diagnose commands 2355
SSL VPN 2361
SSL VPN to dial-up VPN migration 2361
SSL VPN best practices 2362
Tunnel mode 2363
Web mode 2364
Security best practices 2365
SSL VPN security best practices 2365
SSL VPN settings 2365
Authentication 2367
Authorization 2369
SSL VPN quick start 2371
SSL VPN split tunnel for remote user 2371
Connecting from FortiClient VPN client 2375
Set up FortiToken multi-factor authentication 2377
Connecting from FortiClient with FortiToken 2378
SSL VPN tunnel mode 2379
SSL VPN full tunnel for remote user 2379
SSL VPN tunnel mode host check 2382
SSL VPN split DNS 2386
Split tunneling settings 2388
Augmenting VPN security with ZTNA tags 2389
Enhancing VPN security using EMS SN verification 2403
SSL VPN web mode 2403
Web portal configurations 2405
Quick Connection tool 2408
SSL VPN bookmarks 2409
SSL VPN web mode for remote user 2412
Customizing the RDP display size 2416
Showing the SSL VPN portal login page in the browser's language 2419
SSL VPN custom landing page 2420
SSL VPN authentication 2424
SSL VPN with LDAP user authentication 2425
SSL VPN with LDAP user password renew 2429
SSL VPN with certificate authentication 2434
SSL VPN with LDAP-integrated certificate authentication 2440
SSL VPN for remote users with MFA and user sensitivity 2445
SSL VPN with FortiToken mobile push authentication 2452
SSL VPN with RADIUS on FortiAuthenticator 2457
SSL VPN with RADIUS and FortiToken mobile push on FortiAuthenticator 2462
SSL VPN with RADIUS password renew on FortiAuthenticator 2466
SSL VPN with RADIUS on Windows NPS 2471
SSL VPN with multiple RADIUS servers 2475
SSL VPN with local user password policy 2484
Dynamic address support for SSL VPN policies 2489
SSL VPN multi-realm 2498
NAS-IP support per SSL-VPN realm 2503
SSL VPN with Okta as SAML IdP 2505
SSL VPN with Microsoft Entra SSO integration 2511
SSL VPN to IPsec VPN 2511
Sample topology 2512
Sample configuration 2512
Troubleshooting 2518
SSL VPN protocols 2518
TLS 1.3 support 2519
SMBv2 support 2520
DTLS support 2520
Configuring OS and host check 2523
Verifying remote user OS 2523
Host check 2524
Replacing the host check error message 2525
MAC address check 2525
Creating a custom host check list 2525
Troubleshooting 2528
FortiGate as SSL VPN Client 2529
Example 2530
Verification 2537
Dual stack IPv4 and IPv6 support for SSL VPN 2538
Example 2538
Disable the clipboard in SSL VPN web mode RDP connections 2549
Example 2549
SSL VPN IP address assignments 2554
Example 2554
Using SSL VPN interfaces in zones 2556
Example 2556
SSL VPN troubleshooting 2560
Debug commands 2560
Troubleshooting common issues 2561
User & Authentication 2564
User definition, groups, and settings 2564
Users 2565
User groups 2567
Authentication settings 2574
Retail environment guest access 2578
Customizing complexity options for the local user password policy 2581
Basic authentication with cached client certificates 2584
LDAP servers 2587
Configuring an LDAP server 2587
Enabling Active Directory recursive search 2590
Configuring LDAP dial-in using a member attribute 2591
Configuring wildcard admin accounts 2593
Configuring least privileges for LDAP admin account authentication in Active Directory 2594
Tracking users in each Active Directory LDAP group 2595
Tracking rolling historical records of LDAP user logins 2598
Configuring client certificate authentication on the LDAP server 2601
RADIUS servers 2604
Configuring a RADIUS server 2605
Using multiple RADIUS servers 2608
RADIUS AVPs and VSAs 2610
RADIUS VSAs for captive portal redirects 2612
Restricting RADIUS user groups to match selective users on the RADIUS server 2614
Configuring RADIUS SSO authentication 2615
RSA ACE (SecurID) servers 2621
Support for Okta RADIUS attributes filter-Id and class 2625
Sending multiple RADIUS attribute values in a single RADIUS Access-Request 2627
Traffic shaping based on dynamic RADIUS VSAs 2628
RADIUS Termination-Action AVP in wired and wireless scenarios 2635
Configuring a RADSEC client 2639
RADIUS integrated certificate authentication for SSL VPN 2643
SAML 2646
Usage 2647
Identity providers 2647
Configuring SAML SSO 2647
SSL VPN with FortiAuthenticator as a SAML IdP 2652
Using a browser as an external user-agent for SAML authentication in an SSL VPN connection 2657
IPsec VPN with SAML IdP 2661
Outbound firewall authentication with Microsoft Entra ID as a SAML IdP 2661
SAML authentication in a proxy policy 2672
TACACS+ servers 2676
FortiTokens 2677
FortiToken Mobile quick start 2679
FortiToken Cloud 2687
Registering hard tokens 2687
Managing FortiTokens 2689
FortiToken Mobile Push 2691
Synchronizing LDAP Active Directory users to FortiToken Cloud using the two-factor filter 2693
Enable the FortiToken Cloud free trial directly from the FortiGate 2696
FortiGuard distribution of updated Apple certificates for push notifications 2701
Troubleshooting and diagnosis 2702
PKI 2706
Configuring a PKI user 2706
Using the SAN field for LDAP-integrated certificate authentication 2710
FSSO 2713
FSSO polling connector agent installation 2715
FSSO using Syslog as source 2718
Configuring the FSSO timeout when the collector agent connection fails 2721
Configuring FSSO firewall authentication 2723
Include usernames in logs 2729
Install and configure FSSO Agent 2730
Configure the FortiGate 2732
Log, monitor, and report examples 2734
Wireless configuration 2738
Switch Controller 2739
System 2740
Basic system settings 2740
Advanced system settings 2740
Operating modes 2741
Administrators 2743
Local authentication 2743
Remote authentication for administrators 2744
Administrator account options 2747
REST API administrator 2749
SSO administrators 2751
FortiCloud SSO 2751
Allowing the FortiGate to override FortiCloud SSO administrator user permissions 2752
Password policy 2757
Public key SSH access 2759
Separating the SSHD host key from the administration server certificate 2760
Restricting SSH and Telnet jump host capabilities 2761
Remote administrators with TACACS+ VSA attributes 2762
Administrator profiles 2766
super_admin profile 2767
Creating customized profiles 2767
Controlling CLI system permissions 2768
Displaying execute commands for custom system permissions 2768
Editing profiles 2769
Deleting profiles 2769
Firmware & Registration 2770
About firmware installations 2771
Firmware labels 2772
Upgrading individual devices 2778
Upgrading Fabric or managed devices 2780
Enabling automatic firmware upgrades 2785
One-time upgrade prompt when a critical vulnerability is detected upon login 2789
Authorizing devices 2790
Firmware upgrade notifications 2792
Downloading a firmware image 2793
Testing a firmware version 2793
Installing firmware from system reboot 2794
Restoring from a USB drive 2797
Using controlled upgrades 2797
Downgrading individual device firmware 2798
Downloading the EOS support package for supported Fabric devices 2800
How the FortiGate firmware license works 2803
Settings 2805
Default administrator password 2806
Changing the host name 2807
Setting the system time 2808
Configuring ports 2811
Setting the idle timeout time 2812
Setting the password policy 2813
Changing the view settings 2813
Setting the administrator password retries and lockout time 2814
TLS configuration 2814
Controlling return path with auxiliary session 2815
Email alerts 2819
Using configuration save mode 2823
Trusted platform module support 2825
Using the default certificate for HTTPS administrative access 2827
Configure TCP NPU session delay globally NEW 2831
Virtual Domains 2832
VDOM overview 2833
General configurations 2838
Configuring global profiles 2845
Backing up and restoring configurations in multi-VDOM mode 2846
Inter-VDOM routing configuration example: Internet access 2850
Inter-VDOM routing configuration example: Partial-mesh VDOMs 2859
High Availability 2873
FortiGate Clustering Protocol (FGCP) 2873
FortiGate Session Life Support Protocol (FGSP) 2873
VRRP 2874
FGCP 2874
FGSP 2966
Standalone configuration synchronization 3016
VRRP 3021
Session failover 3034
SNMP 3041
Basic configuration 3041
MIB files 3044
Access control for SNMP 3045
Important SNMP traps 3047
SNMP examples 3050
Replacement messages 3057
Modifying replacement messages 3057
Replacement message images 3059
Replacement message groups 3060
FortiGuard 3064
License Information widget 3064
Licenses widget 3066
Anycast 3067
Configuring FortiGuard updates 3069
Using a proxy server to connect to the FortiGuard Distribution Network 3070
Manual updates 3070
Automatic updates 3071
Scheduled updates 3072
Sending malware statistics to FortiGuard 3073
Update server location 3074
Filtering 3075
Online security tools 3076
Anycast and unicast services 3076
Using FortiManager as a local FortiGuard server 3077
Cloud service communication statistics 3080
IoT detection service 3082
FortiAP query to FortiGuard IoT service to determine device details 3086
FortiGate Cloud / FDN communication through an explicit proxy 3087
FDS-only ISDB package in firmware images 3088
Licensing in air-gap environments 3089
License expiration 3091
Feature visibility 3093
Certificates 3094
Automatically provision a certificate 3095
Generate a new certificate 3098
Regenerate default certificates 3099
Import a certificate 3100
Generate a CSR 3102
CA certificate 3105
Remote certificate 3105
Certificate revocation list 3106
Export a certificate 3107

Uploading certificates using an API 3107
Procuring and importing a signed SSL certificate 3112
Microsoft CA deep packet inspection 3114
Administrative access using certificates 3119
Creating certificates with XCA 3119
Enrollment over Secure Transport for automatic certificate management 3127
Security 3137
BIOS-level signature and file integrity checking 3138
Real-time file system integrity checking 3143
Running a file system check automatically 3146
Built-in entropy source 3147
FortiGate VM unique certificate 3149
Configuration scripts 3149
Workspace mode 3150
Custom languages 3152
RAID 3153
FortiGate encryption algorithm cipher suites 3156
HTTPS access 3156
SSH access 3157
SSL VPN 3159
Additional features 3162
Other Products 3164
Conserve mode 3166
Proxy inspection in conserve mode 3166
Flow inspection in conserve mode 3167
Diagnostics 3167
Using APIs 3168
Token-based authentication 3168
Best Practices 3169
Making an API call to retrieve information from the FortiGate 3169
Configuration backups and reset 3173
Backing up and restoring configurations from the GUI 3174
Backing up and restoring configurations from the CLI 3177
Configuration revision 3180
Restore factory defaults 3182
Secure file copy 3182
Fortinet Security Fabric 3183
Components 3183
Security Fabric connectors 3187
Configuring the root FortiGate and downstream FortiGates 3188
Configuring logging and analytics 3196
Configuring FortiClient EMS 3207
Synchronizing FortiClient ZTNA tags 3225
Configuring LAN edge devices 3227
Configuring central management 3229
Configuring sandboxing 3234
Configuring supported connectors 3241

Using the Security Fabric 3264
Dashboard widgets 3264
Topology 3266
Asset Identity Center page 3272
OT asset visibility and network topology 3277
WebSocket for Security Fabric events 3284
Deploying the Security Fabric 3285
Deploying the Security Fabric in a multi-VDOM environment 3293
Other Security Fabric topics 3298
Configuring the Security Fabric with SAML 3318
Configuring single-sign-on in the Security Fabric 3318
CLI commands for SAML SSO 3323
SAML SSO with pre-authorized FortiGates 3324
Navigating between Security Fabric members with SSO 3324
Integrating FortiAnalyzer management using SAML SSO 3327
Integrating FortiManager management using SAML SSO 3330
Advanced option - FortiGate SP changes 3332
Security rating 3333
Security rating notifications 3335
Security rating check scheduling 3340
Logging the security rating 3341
Multi-VDOM mode 3341
Security Fabric score 3342
Automation stitches 3343
Creating automation stitches 3344
Triggers 3358
Actions 3382
Public and private SDN connectors 3444
Getting started with public and private SDN connectors 3446
AliCloud SDN connector using access key 3450
AWS SDN connector using access keys 3452
Azure SDN connector using service principal 3457
Cisco ACI SDN connector using a standalone connector 3459
Retrieve IPv6 dynamic addresses from Cisco ACI SDN connector 3461
ClearPass endpoint connector via FortiManager 3463
GCP SDN connector using service account 3466
IBM Cloud SDN connector using API keys 3468
Kubernetes (K8s) SDN connectors 3472
Nuage SDN connector using server credentials 3488
Nutanix SDN connector using server credentials 3490
OCI SDN connector using certificates 3492
OpenStack SDN connector using node credentials 3494
SAP SDN connector 3498
VMware ESXi SDN connector using server credentials 3501
VMware NSX-T Manager SDN connector using NSX-T Manager credentials 3503
Multiple concurrent SDN connectors 3506
Filter lookup in SDN connectors 3510
Support for wildcard SDN connectors in filter configurations 3512
Endpoint/Identity connectors 3514

Fortinet single sign-on agent 3514
Poll Active Directory server 3515
Symantec endpoint connector 3516
RADIUS single sign-on agent 3523
Exchange Server connector 3526
Threat feeds 3529
External resources file format 3530
External resource entry limit 3532
Configuring a threat feed 3533
FortiGuard category threat feed 3540
IP address threat feed 3544
Domain name threat feed 3547
MAC address threat feed 3549
Malware hash threat feed 3551
Threat feed connectors per VDOM 3554
STIX format for external threat feeds 3557
Using the AusCERT malicious URL feed with an API key 3559
Monitoring the Security Fabric using FortiExplorer for Apple TV 3563
NOC and SOC example 3564
Troubleshooting 3574
Viewing a summary of all connected FortiGates in a Security Fabric 3575
Diagnosing automation stitches 3577
Log and Report 3581
Viewing event logs 3581
System Events log page 3584
Security Events log page 3589
Reports page 3592
FortiAnalyzer 3592
FortiGate Cloud 3594
Local 3595
Log settings and targets 3596
Global Settings 3596
Local Logs 3597
Threat Weight 3597
Configuring logs in the CLI 3599
Email alerts 3600
Logging to FortiAnalyzer 3601
FortiAnalyzer log caching 3601
Configuring multiple FortiAnalyzers (or syslog servers) per VDOM 3604
Configuring multiple FortiAnalyzers on a FortiGate in multi-VDOM mode 3605
Switching to an alternate FortiAnalyzer if the main FortiAnalyzer is unavailable 3608
Advanced and specialized logging 3611
Logs for the execution of CLI commands 3612
Log buffer on FortiGates with an SSD disk 3613
Source and destination UUID logging 3615
Configuring and debugging the free-style filter 3617
Logging the signal-to-noise ratio and signal strength per client 3619
RSSO information for authenticated destination users in logs 3621

Destination user information in UTM logs 3624
Log fields for long-live sessions 3627
Generate unique user name for anonymized logs 3628
Sample logs by log type 3633
Troubleshooting 3654
Log-related diagnostic commands 3654
Backing up log files or dumping log messages 3659
SNMP OID for logs that failed to send 3661
WAN optimization 3665
Features 3665
Protocol optimization 3665
Byte caching 3665
SSL offloading 3665
WAN optimization and HA 3666
Secure tunneling 3666
Prerequisites 3666
Disk usage 3666
Overview 3668
Client/server architecture 3668
Profiles 3668
Peers and authentication groups 3669
Tunnels 3670
Transparent mode 3672
Protocol optimization 3673
Cache service and video caching 3674
Manual and active-passive 3674
Monitoring performance 3676
System and feature operation with WAN optimization 3676
Best practices 3679
Example topologies 3679
In-path WAN optimization topology 3679
Out-of-path WAN optimization topology 3680
Topology for multiple networks 3680
Configuration examples 3681
Manual (peer-to-peer) WAN optimization configuration example 3682
Active-passive WAN optimization configuration example 3686
Secure tunneling configuration example 3691
Testing and troubleshooting the configuration 3696
VM 3700
Amazon Web Services 3700
Microsoft Azure 3700
Google Cloud Platform 3700
OCI 3701
AliCloud 3701
Private cloud 3701
VM license 3701
Uploading a license file 3702

VM license types 3703
Applying a FortiFlex token 3703
Consuming a new vCPU 3704
CLI troubleshooting 3704
Customizing the FortiFlex license token activation retry parameters 3706
Permanent trial mode for FortiGate-VM 3708
Adding VDOMs with FortiGate v-series 3711
PF and VF SR-IOV driver and virtual SPU support 3713
Using OCI IMDSv2 3715
FIPS cipher mode for AWS, Azure, OCI, and GCP FortiGate-VMs 3718
Cloud-init 3720
TPM support for FortiGate-VM 3722
Hyperscale firewall 3733
Troubleshooting 3734
Troubleshooting methodologies 3735
Verify user permissions 3735
Establish a baseline 3735
Create a troubleshooting plan 3737
Connectivity Fault Management 3738
Example 3740
Troubleshooting scenarios 3741
Checking the system date and time 3742
Checking the hardware connections 3743
Checking FortiOS network settings 3744
Troubleshooting CPU and network resources 3747
Troubleshooting high CPU usage 3748
Checking the modem status 3752
Running ping and traceroute 3753
Checking the logs 3758
Verifying routing table contents in NAT mode 3759
Verifying the correct route is being used 3759
Verifying the correct firewall policy is being used 3760
Checking the bridging information in transparent mode 3760
Checking wireless information 3762
Performing a sniffer trace or packet capture 3762
Debugging the packet flow 3764
Testing a proxy operation 3768
Displaying detail Hardware NIC information 3768
Performing a traffic trace 3771
Using a session table 3771
Finding object dependencies 3775
Diagnosing NPU-based interfaces 3776
Identifying the XAUI link used for a specific traffic stream 3776
Date and time settings 3777
Running the TAC report 3778
Using the process monitor 3778
Computing file hashes 3780

Other commands 3783
FortiGuard troubleshooting 3786
View open and in use ports 3789
IPS and AV engine version 3790
CLI troubleshooting cheat sheet 3790
CLI error codes 3790
Additional resources 3791
Fortinet Document Library 3791
Release notes 3791
Fortinet Video Library 3791
Fortinet Community 3792
Fortinet Training Institute 3792
Fortinet Support 3792

Change Log

Date          Change Description

2024-09-17    Initial release.

2024-09-19    Updated Static URL filter on page 1681.

2024-09-23    Added Configuring SDN connector proxy via FortiManager on page 3458.

2024-10-10    Updated Firmware upgrades in FGSP on page 2986.

2024-10-16    Updated VM license on page 3701.

2024-10-25    Updated HTTPS sessions and active-active load balancing on page 2894.

2024-10-29    Updated Block or allow ECH TLS connections on page 1984.

2024-11-06    Updated Configuring FortiClient EMS on page 3207.
              Added FortiClient multi-tenancy on page 3210, FortiClient EMS capabilities on page 3215, and
              FortiClient troubleshooting on page 3223.

2024-11-14    Updated Basic ZTNA configuration on page 1192, Configuring a DNS filter profile on page 1727,
              and Configuration backups and reset on page 3173.

2024-11-19    Updated PF and VF SR-IOV driver and virtual SPU support on page 3713.

Getting started

FortiOS is the operating system that runs on Fortinet’s FortiGate Next-Generation Firewall (NGFW). It supports different
platforms, including:
- Physical appliances
- Hypervisors
- Cloud computing platforms
FortiOS delivers security as a hybrid mesh firewall that spans a meshed topology of on-prem and cloud environments.
With FortiGuard's AI-powered security services, FortiOS provides protection across the attack surface with IPS,
advanced malware protection, web security, inline malware prevention, data loss prevention, and more.
In addition, FortiOS is central to the SD-WAN solution by providing SD-WAN functionality and intelligence in a single
FortiGate, a mesh of FortiGates, or integrated into a SASE environment. It is also central to the Zero Trust Network
Access (ZTNA) solution by making policy decisions and applying policy enforcement based on security posture input.
Use the following resources to get started with FortiOS:

Task                                        Documentation links

Follow the steps to set up a new            See Summary of steps on page 29.
FortiGate                                   If you are migrating a configuration from another vendor to FortiGate, see the
                                            Migration section of the Best Practices guide or use the FortiConverter service.

Learn about best practices for FortiOS      Review Basic configuration in the Best Practices guide.

Learn about new FortiOS features            See FortiOS New Features and FortiOS Release Notes > New Features section.

Learn about standard practices for          Go to Best Practices | 4-D Resources and review the document categories.
deploying a solution or an architecture

Review information about FortiOS            See FortiOS Release Notes.
releases, including resolved and known
issues

For the latest information about FortiOS 7.4, see the latest patch version of the Administration Guide.

Summary of steps

These steps summarize how to get your FortiGate up and running by using the GUI. For information about the Command
Line Interface (CLI), see Using the CLI on page 53.
1. Set up your FortiGate for initial management access with the GUI. See Setting up FortiGate for management
access on page 30.

For more information                        Go to

Physical appliances, such as FortiGate      Go to FortiGate/FortiOS Hardware Guides to view QuickStart Guides for all
                                            supported FortiGate models.

Hypervisors, such as FortiGate-VM on        Go to FortiGate Public Cloud or FortiGate Private Cloud and follow the
ESXi, KVM, Hyper-V, and so on               deployment section of the administration guide for your hypervisor, for
                                            example, Microsoft Hyper-V Administration Guide > Deployment.

Depending on the topology and FortiGate model, internet access may not yet be configured for the FortiGate. If there is
no internet access, you cannot register the FortiGate with Fortinet until later in the setup.
2. In the GUI, follow the FortiGate Setup wizard to change the hostname, change the password, and specify a default
layout for the FortiOS dashboards. See Completing the FortiGate Setup wizard on page 31.
3. Complete the basic configuration steps for FortiOS. After this step, all FortiGate models should have internet
access. See Configuring basic settings on page 31.
4. Register FortiGate with Fortinet by using your FortiCare/FortiCloud account with Fortinet Technical Support
(https://support.fortinet.com). See Registering FortiGate on page 35.
5. Configure a policy for the FortiGate to give clients behind FortiGate access to the internet. See Configuring a firewall
policy on page 36.
6. Back up the configuration. See Backing up the configuration on page 37.
7. If necessary, troubleshoot the installation. See Troubleshooting your installation on page 38.

After completing the Getting started section, next steps can include:
- Getting familiar with the FortiOS GUI and CLI:
  - See Using the GUI on page 39.
  - See Using the CLI on page 53.
- Configuring FortiOS features. The following table lists a few of the features available with FortiOS. Many additional
  features are available:

For                                         Go to

Security profiles                           See antivirus, IPS, web filter, and application control.

VPN                                         See IPsec VPN on page 2029.

Fortinet Security Fabric                    See Fortinet Security Fabric on page 3183.

User & Authentication                       See User & Authentication on page 2564.

Software-defined wide area network          See SD-WAN on page 785.
(SD-WAN)

Zero Trust Network Access (ZTNA)            See Zero Trust Network Access on page 1189.

Setting up FortiGate for management access

After you receive your FortiGate, open the box, connect the cables for management and internet access, and use a
management computer to access the FortiOS GUI.
For information about setting up FortiGate on hypervisors, such as FortiGate-VM on ESXi, KVM, Hyper-V, and so on, go
to FortiGate Public Cloud or FortiGate Private Cloud and follow the deployment section of the administration guide for
your hypervisor and cloud computing platform, for example, Microsoft Hyper-V Administration Guide > Deployment.

To set up FortiGate for initial management access:

1. Unpack the FortiGate box, and locate the following items:
- FortiGate device
- Power cable
- Ethernet cable
You will also need to provide the following items:
- Second Ethernet cable. Only one Ethernet cable is provided to connect the FortiGate to a management
computer. Locate a second Ethernet cable to connect the FortiGate to a port for internet access.
- Management computer to access the FortiOS GUI
2. Use the power cable to connect the FortiGate to a power source.
3. Use one Ethernet cable to connect the management port on the FortiGate to a management computer.
The default interface used for management differs from model to model. On most units with a single dedicated
management port, the port is named MGMT. On units with multiple management ports, the names MGMT1 and
MGMT2 are used. On units without dedicated management ports, port1 is used for initial management access, and
the port can be part of a virtual switch group.
The following example is for a FortiGate 80F, which uses port1 for initial management access. For information about
your FortiGate hardware model, go to FortiGate/FortiOS Hardware Guides.

4. Use a second Ethernet cable to connect the WAN on the FortiGate to an upstream router, switch, or modem with
access to the internet.
On some FortiGate models, dedicated WAN interface(s) labeled WAN1, WAN2, and so on are available. If no
dedicated WAN interfaces are present, select an interface of your choice for the WAN connection.
Internet access is available when the FortiGate model has addressing mode set to DHCP by default on the WAN
interface, and the WAN interface is connected to a network with a DHCP server assigning the correct IP and
gateway for internet access. If these conditions are not met, then internet access is not available after connecting
your WAN interface. See Configuring basic settings on page 31.
5. On the management computer, assign an address in the 192.168.1.0/24 network.
6. In a web browser, go to https://192.168.1.99 and enter the default user name, admin, and leave the password field
blank.

By default, the management interface or the internal interface is configured to allow HTTPS access with the IP
address 192.168.1.99.
The GUI is displayed in your browser.
7. Watch the video and complete the FortiGate Setup wizard. See Completing the FortiGate Setup wizard on page 31.

Completing the FortiGate Setup wizard

After logging in to FortiOS, you can access a FortiOS video as well as a FortiGate Setup wizard to help you get familiar
with the product.

To complete the FortiGate Setup wizard:

1. After logging in to the FortiOS GUI, a FortiOS 7.4 What's new video is presented. Watch the video, and then click
OK to proceed.
The FortiGate Setup wizard is displayed to help you set up the FortiGate by completing the following steps:
- Register with FortiCare
- Specify a hostname
- Set up the FortiOS dashboard
- Change your password
2. Click Begin to start the wizard.
The Register with FortiCare page is displayed.
3. If the FortiGate has internet access, register with FortiCare, and click OK.
If internet access is not yet set up for the FortiGate, you cannot complete registration. Click Later to skip this step
and proceed to the next step.
The Specify Hostname page is displayed.
4. Specify a name for the FortiGate, and click OK.
The Change your Password page is displayed.
5. Change the password for the admin account for the FortiGate, and click OK.
The Dashboard Setup page is displayed.
6. Choose what dashboards to display by default in FortiOS, and click OK.
The FortiGate Setup is complete, and the FortiOS GUI is displayed.

Configuring basic settings

Complete the following basic settings on the FortiGate to get the device up and running:
1. Plan interface usage for MGMT, WAN, and LAN access, and configure the interfaces. See Planning and configuring
the MGMT, WAN, and LAN interfaces on page 32.
2. Configure the default route. See Configuring the default route on page 34.
3. Configure the hostname if not done when completing the FortiGate Setup wizard. See Configuring the hostname on
page 34.
4. Ensure internet and FortiGuard connectivity. See Ensuring internet and FortiGuard connectivity on page 35.
5. Use the default certificate for HTTPS administrative access. See Using the default certificate for HTTPS
administrative access on page 35.

After configuring the basic settings, the FortiGate can access the internet and communicate with FortiGuard. Next, you
can register the FortiGate with Fortinet. See Registering FortiGate on page 35. Firewall policies are also ready to be
configured using the WAN and LAN interfaces.

Planning and configuring the MGMT, WAN, and LAN interfaces

On a typical deployment where the FortiGate NGFW is configured as an edge firewall, the administrator typically sets up
access control between the LAN and WAN interface, and permanent management access either through in-band
management or out-of-band management. The following sections outline steps to plan and configure your management,
WAN, and LAN interfaces.

Management access

So far the new FortiGate setup has been completed over a management interface, which is either a dedicated management
port (named MGMT or MGMT1) or a port on the internal switch interface.
What interface to use for FortiGate management can depend on the FortiGate model. Some FortiGate models have a
dedicated MGMT interface and some do not:
- Mid-size and high-end FortiGate models typically have a dedicated MGMT interface, and you can use the MGMT
interface for FortiGate management. There is also a separate management network for accessing the FortiGate
and other devices on the network. This is called out-of-band management.
- Desktop FortiGate models typically do not have a dedicated MGMT interface. In this case, you might be using the
Internal or LAN interface for FortiGate management. There is no dedicated management network, and the
management traffic is shared with internal traffic. This is called in-band management.
The following table summarizes which FortiGate models typically support in-band and out-of-band management:

FortiGate model      MGMT interface    In-band management    Out-of-band management

Desktop models       No                Recommended           Not supported*

Mid-size models      Yes               Supported             Recommended

High-end models      Yes               Supported             Recommended

*Although desktop models do not natively support out-of-band management, you can pick an unused interface and
configure it as a dedicated interface for out-of-band management.

WAN interface

Similar to the management interface, some models have an interface labelled WAN, WAN1, or WAN2, and other models
do not. On models with dedicated WAN interface(s), the interfaces are also configured as DHCP clients. Therefore, if a
DHCP server is present in the WAN network that points to the correct internet gateway, then internet access is available
without further configuration.
On models without dedicated WAN interfaces, or in situations where you choose to configure the WAN interface
statically, select an interface for WAN access. Connect the interface to your upstream router, L3 switch, or modem. Then
use the following steps to configure your WAN interface.

To configure a WAN interface in the GUI:

1. Go to Network > Interfaces. Select an interface and click Edit.


2. (Optional) Enter an Alias, such as WAN.
3. In the Address section, enter the IP/Netmask.
4. In the Administrative Access section, select the access options as needed. For a WAN interface, it is recommended to
only allow PING.
5. Click OK.

To configure a WAN interface in the CLI:

config system interface
    edit "port2"
        set ip 203.0.113.99 255.255.255.0
        set allowaccess ping
        set alias "WAN"
    next
end

LAN interface

On desktop and some mid-range models, a set of ports is grouped together by default in virtual switch mode for LAN
access. The virtual switch interface may be called internal or lan, and it makes it easy to connect endpoints directly to
the FortiGate on the same L2 switching network.
Endpoints connected this way will also share the same access control configured for the internal or lan interface.
On models that lack a default LAN interface, or when you choose to configure a LAN interface manually, select an
interface for LAN access. Connect this interface to an internal switch that connects to your LAN network. Then use the
following steps to configure your LAN interface.

To configure a LAN interface in the GUI:

1. Go to Network > Interfaces. Select an interface and click Edit.


2. (Optional) Enter an Alias, such as LAN.
3. In the Address section, enter the IP/Netmask.
4. In the Administrative Access section, select the access options as needed, such as PING. For in-band management,
you may also want to allow administrative access for HTTPS and SSH.
5. Optionally, enable DHCP Server and configure as needed.
6. Click OK.

To configure a LAN interface in the CLI:

config system interface
    edit "port1"
        set ip 192.168.10.99 255.255.255.0
        set allowaccess ping https ssh
        set alias "LAN"
    next
end
config system dhcp server
    edit 1
        set dns-service default
        set default-gateway 192.168.10.99
        set netmask 255.255.255.0
        set interface "port1"
        config ip-range
            edit 1
                set start-ip 192.168.10.2
                set end-ip 192.168.10.254
            next
        end
    next
end

Configuring the default route

Setting the default route enables the FortiGate to route traffic through this interface and default gateway when no specific
routes are found for a particular destination. The gateway address should be your upstream router or L3 switch that the
FortiGate is connected to. Set the interface to be the WAN interface that the gateway is connected to.
If the WAN interface uses DHCP for address assignment, the default route may already be learned from the DHCP
server, and this step is not needed.

To configure the default route in the GUI:

1. Go to Network > Static Routes and click Create New.


2. Leave the destination subnet as 0.0.0.0/0.0.0.0. This is known as a default route, since it would match any IPv4
address.
3. Enter the Gateway Address.
4. Select an Interface.
5. Click OK.

To configure the default route in the CLI:

config router static
    edit 0
        set gateway 203.0.113.1
        set device port2
    next
end

Configuring the hostname

Setting the FortiGate’s hostname assists with identifying the device, and it is especially useful when managing multiple
FortiGates. Choose a meaningful hostname as it is used in the CLI console, SNMP system name, device name for
FortiGate Cloud, and to identify a member of an HA cluster.

To configure the hostname in the GUI:

1. Go to System > Settings.


2. Enter a name in the Host name field.

3. Click Apply.

To configure the hostname in the CLI:

config system global
    set hostname 200F_YVR
end

Ensuring internet and FortiGuard connectivity

This step is not necessary for the configuration; however, it is necessary in order to keep your FortiGate up to date
against the latest threats. Updates are provided to FortiGates that are registered and make a request to the FortiGuard
network to verify if there are any more recent definitions.
Use execute ping <domain.tld> to verify that DNS resolution works for the following FortiGuard servers:
- fds1.fortinet.com
- service.fortiguard.net
- update.fortiguard.net
You also need to ensure the necessary ports are permitted outbound in the event your FortiGate is behind a filtering
device. Refer to the Ports and Protocols document for more information.

Using the default certificate for HTTPS administrative access

By default, the FortiGate uses the Fortinet_GUI_Server certificate for HTTPS administrative access. Administrators
should download the CA certificate and install it on their PC to avoid warnings in their browser. See Using the default
certificate for HTTPS administrative access on page 2827 for more information.

Registering FortiGate

The FortiGate, and then its service contract, must be registered to have full access to Fortinet Customer Service and
Support, and FortiGuard services. The FortiGate can be registered in either the FortiGate GUI or the FortiCloud support
portal. The service contract can be registered from the FortiCloud support portal.

The service contract number is needed to complete registrations on the FortiCloud support
portal. You can find this 12-digit number in the email that contains your service registration
document (sent from [email protected]) in the service entitlement summary.

To register your FortiGate in the GUI:

1. Connect to the FortiGate GUI. A dialog box appears, which indicates the steps you should take to complete the
setup of your FortiGate. These steps include:
a. Register with FortiCare
b. Migrate Config with FortiConverter
c. Specify Hostname
d. Change Your Password

e. Dashboard Setup
f. Upgrade Firmware
If you completed Configuring basic settings on page 31, the hostname and password steps are already marked
as complete (checkmark). If you chose to deploy the latest firmware, the Upgrade Firmware step is marked as
complete.
2. Click Begin to complete the dashboard setup. Two options appear (Optimal and Comprehensive).

3. Select the desired setting and click OK. The Dashboard > Status page opens. Note that the licenses are grayed out
because the device or virtual machine is not registered.
4. Go to System > FortiGuard and click Enter Registration Code.

5. Enter the contract registration code from your service registration document.
6. Click OK.

To register the FortiGate on the FortiCloud support portal:

FortiGates can be registered with the Register More button in the Products views. For details, see Registering assets in
the FortiCloud Account Services Asset Management guide.

Configuring a firewall policy

When devices are behind FortiGate, you must configure a firewall policy on FortiGate to grant the devices access to the
internet. In other words, a firewall policy must be in place for any traffic that passes through a FortiGate.

To create a firewall policy in the GUI:

1. Go to Policy & Objects > Firewall Policy.


2. Click Create New. The New Policy pane is displayed.

3. Enter a Name and configure the following necessary settings:

Incoming Interface    LAN (port1)
Outgoing Interface    WAN (port2)
Source                Source IPv4 address name and address group names
Destination           Destination IPv4 address name and address group names
Schedule              Always
Service               All
Action                Accept

4. Click Save.

Backing up the configuration

Once you successfully configure the FortiGate, it is extremely important that you back up the configuration. In some
cases, you may need to reset the FortiGate to factory defaults or perform a TFTP upload of the firmware, which will erase
the existing configuration. In these instances, the configuration on the device must be recreated, unless a backup can be
used to restore it.
You can back up the configuration in FortiOS or YAML format. You have the option to save the configuration file in
FortiOS format to various locations including the local PC and USB key.

To back up the configuration in FortiOS format using the GUI:

1. Click on the user name in the upper right-hand corner of the screen and select Configuration > Backup.
2. Direct the backup to your Local PC or to a USB Disk.
The USB Disk option will not be available if no USB drive is inserted in the USB port. You can also back up to
FortiManager using the CLI.
3. If VDOMs are enabled, indicate whether the scope of the backup is the entire FortiGate configuration (Global) or
only a specific VDOM configuration (VDOM).
If backing up a VDOM configuration, select the VDOM name from the list.
4. Enable Encryption.

This is recommended to secure your backup configurations and prevent unauthorized


parties from reloading your configuration.

5. Enter a password, and enter it again to confirm it. This password will be required to restore the configuration.
6. Click OK.
7. When prompted, select a location on the PC or USB disk to save the configuration file. The configuration file will
have a .conf extension.

To back up the configuration in YAML format using the GUI:

1. Click on the user name in the upper right-hand corner of the screen and select Configuration > Backup.
2. Direct the backup to your Local PC or to a USB Disk.
3. Select YAML for the File format.
4. Click OK.

Troubleshooting your installation

If your FortiGate does not function as desired after installation, try the following troubleshooting tips:
1. Check for equipment issues
Verify that all network equipment is powered on and operating as expected. Refer to the QuickStart Guide for
information about connecting your FortiGate to the network.
2. Check the physical network connections
Check the cables used for all physical connections to ensure that they are fully connected and do not appear
damaged, and make sure that each cable connects to the correct device and the correct Ethernet port on that
device.
3. Verify that you can connect to the internal IP address of the FortiGate
Connect to the GUI from the FortiGate’s internal interface by browsing to its IP address. From the PC, try to ping the
internal interface IP address; for example, ping 192.168.1.99. If you cannot connect to the internal interface,
verify the IP configuration of the PC. If you can ping the interface but can't connect to the GUI, check the settings for
administrative access on that interface. Alternatively, use SSH to connect to the CLI, and then confirm that HTTPS
has been enabled for Administrative Access on the interface.
4. Check the FortiGate interface configurations
Check the configuration of the FortiGate interface connected to the internal network (under Network > Interfaces)
and check that Addressing mode is set to the correct mode.
5. Verify the security policy configuration
Go to Policy & Objects > Firewall Policy and verify that the internal interface to Internet-facing interface security
policy has been added and is located near the top of the policy list. Check the Active Sessions column to ensure that
traffic has been processed (if this column does not appear, right-click on the table header and select Active
Sessions). If you are using NAT mode, check the configuration of the policy to make sure that NAT is enabled and
that Use Outgoing Interface Address is selected.
6. Verify the static routing configuration
Go to Network > Static Routes and verify that the default route is correct. Go to Monitor > Routing Monitor and verify
that the default route appears in the list as a static route. Along with the default route, you should see two routes
shown as Connected, one for each connected FortiGate interface.
7. Verify that you can connect to the Internet-facing interface’s IP address
Ping the IP address of the Internet-facing interface of your FortiGate. If you cannot connect to the interface, the
FortiGate is not allowing sessions from the internal interface to Internet-facing interface. Verify that PING has been
enabled for Administrative Access on the interface.
8. Verify that you can connect to the gateway provided by your ISP
Ping the default gateway IP address from a PC on the internal network. If you cannot reach the gateway, contact
your ISP to verify that you are using the correct gateway.
9. Verify that you can communicate from the FortiGate to the Internet
Access the FortiGate CLI and use the command execute ping 8.8.8.8. You can also use the execute
traceroute 8.8.8.8 command to troubleshoot connectivity to the Internet.
10. Verify the DNS configurations of the FortiGate and the PCs
Check for DNS errors by pinging or using traceroute to connect to a domain name; for example: ping
www.fortinet.com.
If the name cannot be resolved, the FortiGate or PC cannot connect to a DNS server and you should confirm that
the DNS server IP addresses are present and correct.
11. Confirm that the FortiGate can connect to the FortiGuard network
Once the FortiGate is on your network, you should confirm that it can reach the FortiGuard network. First, check the
Licenses widget to make sure that the status of all FortiGuard services matches the services that you have
purchased. Go to System > FortiGuard, and, in the Filtering section, click Test Connectivity. After a few minutes, the
GUI should indicate a successful connection. Verify that your FortiGate can resolve and reach FortiGuard at
service.fortiguard.net by pinging the domain name. If you can reach this service, you can then verify the
connection to FortiGuard servers by running the command diagnose debug rating. This displays a list of
FortiGuard IP gateways you can connect to, as well as the following information:
l Weight: Based on the difference in time zone between the FortiGate and this server
l RTT: Return trip time
l Flags: D (IP returned from DNS), I (Contract server contacted), T (being timed), F (failed)
l TZ: Server time zone
l Curr Lost: Current number of consecutive lost packets
l Total Lost: Total number of lost packets

12. Use FortiExplorer if you cannot connect to the FortiGate over Ethernet
If you cannot connect to the FortiGate GUI or CLI, you may be able to connect using FortiExplorer. Refer to the
QuickStart Guide or see the section on FortiExplorer for more details.
13. Contact Fortinet Support for assistance
If you require further assistance, visit the Fortinet Support website.

Using the GUI

This section presents an introduction to the graphical user interface (GUI) on your FortiGate.
The following topics are included in this section:
l Connecting using a web browser
l Menus
l Tables
l Entering values
l GUI-based global search
l Loading artifacts from a CDN on page 48
l Accessing additional support resources on page 48
l Command palette on page 49
l Recovering missing graphical components on page 51
For information about using the dashboards, see Dashboards and Monitors on page 103.

Connecting using a web browser

In order to connect to the GUI using a web browser, an interface must be configured to allow administrative access over
HTTPS or over both HTTPS and HTTP. By default, an interface has already been set up that allows HTTPS access with
the IP address 192.168.1.99.

Browse to https://192.168.1.99 and enter your username and password. If you have not changed the admin account’s
password, use the default user name, admin, and leave the password field blank.
The GUI will now display in your browser, and you will be required to provide a password for the administrator account.

To use a different interface to access the GUI:

1. Go to Network > Interfaces and edit the interface you wish to use for access. Take note of its assigned IP address.
2. In Administrative Access, select HTTPS, and any other protocol you require. You can also select HTTP, although
this is not recommended as the connection is insecure.
3. Click OK.
4. Browse to the IP address using your chosen protocol.
The GUI will now be displayed in your browser.

Menus

If you believe your FortiGate model supports a menu that does not appear in the GUI, go to
System > Feature Visibility and ensure the feature is enabled. For more information, see
Feature visibility on page 3093.

The GUI contains the following main menus, which provide access to configuration options for most FortiOS features:

Dashboard                  The dashboard displays various widgets and monitors that display important
                           system information and allow you to configure some system options.
                           For more information, see Dashboards and Monitors on page 103.

Network                    Options for networking, including configuring system interfaces and routing
                           options.
                           For more information, see Network on page 162.

Policy & Objects           Configure firewall policies, protocol options, and supporting content for policies,
                           including schedules, firewall addresses, and traffic shapers.
                           For more information, see Policy and Objects on page 1324.

Security Profiles          Configure your FortiGate's security features, including Antivirus, Web Filter, and
                           Application Control.
                           For more information, see Security Profiles on page 1604.

VPN                        Configure options for IPsec and SSL virtual private networks (VPNs).
                           For more information, see IPsec VPN on page 2029 and SSL VPN on page 2361.

User & Authentication      Configure user accounts, groups, and authentication methods, including external
                           authentication and single sign-on (SSO).

WiFi & Switch Controller   Configure the unit to act as a wireless network controller, managing the wireless
                           Access Point (AP) functionality of FortiWiFi and FortiAP units.
                           On certain FortiGate models, this menu has additional features allowing for
                           FortiSwitch units to be managed by the FortiGate.
                           For more information, see Wireless configuration on page 2738 and Switch
                           Controller on page 2739.

System                     Configure system settings, such as administrators, HA, FortiGuard, and
                           certificates.
                           For more information, see System on page 2740.

Security Fabric            Access the physical topology, logical topology, automation, and settings of the
                           Fortinet Security Fabric.
                           For more information, see Fortinet Security Fabric on page 3183.

Log & Report               Configure logging and alert email as well as reports.
                           For more information, see Log and Report on page 3581.

Tables

Many GUI pages contain tables of information that can be filtered and customized to display specific information in a
specific way. Some tables allow content to be edited directly on that table, or rows to be copied and pasted.

Filters

Filters are used to locate a specific set of information or content in a table. They can be particularly useful for locating
specific log entries. The filtering options vary, depending on the type of information in the log.
Depending on the table content, filters can be applied using the filter bar, using a column filter, or based on a cell's
content. Some tables allow filtering based on regular expressions.
Administrators with read and write access can define filters. Multiple filters can be applied at one time.

To manually create a filter:

1. Click the add filter button in the table search bar. A list of the fields available for filtering is shown.
2. Select the field to filter by.
3. Enter the value to filter by, adding modifiers as needed.
4. Click Apply.

To create a column filter:

1. Click the filter icon on the right side of the column header.
2. Choose a filter type from the available options.
3. Enter the filter text, or select from the available values.
4. Click Apply.

To create a filter based on a cell's content:

1. Right-click on a cell in the table.
2. Select Filter by [column name] and configure a filtering option from the menu.

To remove all filters:

1. Right-click a column header, or click the gear icon on the left side of the header row that appears when hovering the
cursor over the headers.
2. Select Remove All Filters.

Column settings

Columns can be rearranged, resized, and added or removed from tables.

To add or remove columns:

1. Right-click a column header, or click the gear icon on the left side of the header row that appears when hovering the
cursor over the headers.
2. Select columns to add or remove.
3. Click Apply.

To rearrange the columns in a table:

1. Click and drag the column header.

To resize a column:

1. Click and drag the right border of the column header.

To resize a column to fit its contents:

1. Click the dots or filter icon on the right side of the column header and select Resize to Contents.

To resize all of the columns in a table to fit their content:

1. Right-click a column header, or click the gear icon on the left side of the header row that appears when hovering the
cursor over the headers.
2. Click Best Fit All Columns.

To reset a table to its default view:

1. Right-click a column header, or click the gear icon on the left side of the header row that appears when hovering the
cursor over the headers.
2. Click Reset Table.

Editing objects

In some tables, parts of a configuration can be edited directly in the table. For example, security profiles can be added to
an existing firewall policy by clicking the edit icon in a cell in the Security Profiles column.

Copying rows

In some tables, rows can be copied and pasted using the right-click menu. For example, a policy can be duplicated by
copying and pasting it.

Entering values

Numerous fields in the GUI and CLI require text strings or numbers to be entered when configuring the FortiGate. When
entering values in the GUI, you will be prevented from entering invalid characters, and a warning message will be shown
explaining what values are not allowed. If invalid values are entered in a CLI command, the setting will be rejected when
you apply it.
l Text strings on page 45
l Numbers on page 46

Text strings

Text strings are used to name entities in the FortiGate configuration. For example, the name of a firewall address,
administrator, or interface are all text strings.
The following characters cannot be used in text strings, as they present cross-site scripting (XSS) vulnerabilities:
l “ - double quotes
l ' - single quote
l > - greater than
l < - less than
Most GUI text fields prevent XSS-vulnerable characters from being added.

VDOM names and hostnames can only use numbers (0-9), letters (a-z and A-Z), dashes, and
underscores.

The tree CLI command can be used to view the number of characters allowed in a name field. For example, entering
the following command shows that a firewall address name can contain up to 79 characters, while its FQDN can contain
255 characters:
# tree firewall address
-- [address] --*name (79)
              |- uuid
              |- subnet
              |- type
              |- route-tag (0,4294967295)
              |- sub-type
              |- clearpass-spt
              |- [macaddr] --*macaddr (127)
              |- start-ip
              |- end-ip
              |- fqdn (255)
              |- country (2)
              |- wildcard-fqdn (255)
              |- cache-ttl (0,86400)
              |- wildcard
              |- sdn (35)
              |- [fsso-group] --*name (511)
              |- interface (35)
              |- tenant (35)
              |- organization (35)
              |- epg-name (255)
              |- subnet-name (255)
              |- sdn-tag (15)
              |- policy-group (15)
              |- obj-tag (255)
              |- obj-type
              |- tag-detection-level (15)
              |- tag-type (63)
              |- dirty
              |- hw-vendor (35)
              |- hw-model (35)
              |- os (35)
              |- sw-version (35)
              |- comment
              |- associated-interface (35)
              |- color (0,32)
              |- filter
              |- sdn-addr-type
              |- node-ip-only
              |- obj-id
              |- [list] --*ip (35)
              |             |- obj-id (127)
              |             +- net-id (127)
              |- [tagging] --*name (63)
              |             |- category (63)
              |             +- [tags] --*name (79)
              |- allow-routing
              +- fabric-object
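The length limits reported by tree and the character rules given above can be turned into a pre-commit check for names before they are pushed to a FortiGate. The following is an added example, not Fortinet code: it parses a constructed excerpt of the tree firewall address output shown above and applies the text-string, VDOM-name and hostname rules from this section (the field naming "table.key" for table keys is this example's own convention).

```python
import re

# Constructed excerpt of the `tree firewall address` output shown above
# (only some of the fields are kept; the format is the same).
TREE_OUTPUT = """\
-- [address] --*name (79)
              |- uuid
              |- fqdn (255)
              |- country (2)
              |- cache-ttl (0,86400)
              |- [fsso-group] --*name (511)
              |- color (0,32)
              +- fabric-object
"""

# Characters the guide rejects in text strings because of XSS concerns.
XSS_CHARS = set('"\'<>')
# VDOM names and hostnames: digits, letters, dashes and underscores only.
VDOM_HOSTNAME_RE = re.compile(r"^[0-9A-Za-z_-]+$")

# "--*name (79)", "|- fqdn (255)", "+- x (12)": a single number in parentheses is a
# string length; a "(min,max)" pair is a numeric range and is deliberately not matched.
_LEN_RE = re.compile(r"(?:--\*|\|- |\+- )([\w-]+) \((\d+)\)")
_TABLE_RE = re.compile(r"\[([\w-]+)\]")


def parse_tree_limits(text):
    """Return {field: max_len} for each string field whose limit the tree output reports.

    Key fields of tables are prefixed with the table name ("address.name",
    "fsso-group.name") so that nested tables do not overwrite each other's "name".
    """
    limits = {}
    for line in text.splitlines():
        m = _LEN_RE.search(line)
        if not m:
            continue
        key = m.group(1)
        table = _TABLE_RE.search(line)
        if table:
            key = f"{table.group(1)}.{key}"
        limits[key] = int(m.group(2))
    return limits


def check_text_string(value, max_len):
    """Return a list of problems with a text-string value; an empty list means it is acceptable."""
    problems = []
    if not value:
        problems.append("empty")
    bad = sorted(XSS_CHARS & set(value))
    if bad:
        problems.append("contains disallowed characters: " + " ".join(bad))
    if len(value) > max_len:
        problems.append(f"length {len(value)} exceeds limit {max_len}")
    return problems


def check_vdom_or_hostname(value):
    """Apply the stricter character set the guide gives for VDOM names and hostnames."""
    if VDOM_HOSTNAME_RE.match(value):
        return []
    return ["only 0-9, a-z, A-Z, dash and underscore are allowed"]


if __name__ == "__main__":
    limits = parse_tree_limits(TREE_OUTPUT)
    print(limits)
    for name in ("web-servers", 'srv"<script>', "a" * 80):
        print(repr(name), check_text_string(name, limits["address.name"]) or "ok")
    print("fw.branch", check_vdom_or_hostname("fw.branch"))
```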

Numbers

Numbers are used to set sizes, rates, addresses, port numbers, priorities, and other such numeric values. They can be
entered as a series of digits (without commas or spaces), in a dotted decimal format (such as IP addresses), or
separated by colons (such as MAC addresses). Most numeric values use base 10 numbers, while some use
hexadecimal values.
Most GUI and CLI fields prevent invalid numbers from being entered. The CLI help text includes information about the
range of values allowed for applicable settings.

GUI-based global search

The global search option in the GUI allows users to search for keywords appearing in objects and navigation menus to
quickly access the object and configuration page. Click the magnifying glass icon in the top-left corner of the banner to
access the global search.
The global search includes the following features:
l Keep a history of frequent and recent searches
l Sort results by relevance (by search weight), or alphabetically in increasing or decreasing order
l Search by category
l Search in Security Fabric members (accessed by the Security Fabric members dropdown menu in the banner)
l Search for dashboard widgets and monitors, and preview the widget or go directly to the monitor dashboard if it
exists.

Examples

In this example, searching for the word ZTNA yields the following results:
l A ZTNA server, user group, and SAML SSO server that have ZTNA in the Name field.
l Various ZTNA tags.
l ZTNA navigation tree items: Policy & Objects > ZTNA and Log & Report > ZTNA Traffic.
l The FortiView ZTNA Servers dashboard widget.
CMDB objects have a higher search weight (50) than navigation objects (20), so the navigation menus and widgets
appear at the bottom of the results when sorting by relevance.

In this example, searching for the address 10.100.88.5 yields the following results:
l Various address objects that have a subnet of 10.100.88.5.
l A Virtual IP/Server object, EMS, that has a mapped IP address/range with 10.100.88.5.
l Address objects that have IP subnets of 0.0.0.0/0, which the search term falls into.
l Address group objects that contain member addresses that have IP subnets of 0.0.0.0/0.
Sorting by Relevance displays address objects that are more closely matched at the top (10.100.88.5), and more loosely
matched at the bottom (0.0.0.0).

Loading artifacts from a CDN

To improve GUI performance, loading static GUI artifacts cached in CDN (content delivery network) servers closer to the
user instead of the FortiGate can be enabled. This allows the GUI to load more quickly with less latency for
administrators who are accessing the FortiGate remotely. Upon failure, the files fall back to loading from the FortiGate.
The CDN is only used after successful administrator logins.

To configure loading static GUI files from a CDN:

config system global
    set gui-cdn-usage {enable | disable}
end

Accessing additional support resources

Additional support resources can be accessed from the GUI to troubleshoot issues and get the most out of FortiOS.
Online guides, FortiOS documentation, and additional support can now be accessed straight from the help menu.

To access support resources:

1. Click Help in the top menu. A dropdown menu is displayed.
2. Select the support resource you are looking for:
l Online Guides lists resources for help documentation and videos.
l FortiOS <version> contains release information.
l Additional Support contains a link to download the FortiCare Debug Report.

Command palette

The command palette is a keyboard shortcut menu that can be used to quickly navigate to GUI pages or run specific
actions, such as opening the CLI console or restoring a system configuration.

To navigate to a new GUI page using the command palette:

1. Press ctrl+p (or cmd+p for Mac). The command palette is displayed with available navigation links.
2. Enter the required destination.
3. Press Enter to jump to the selected GUI page.

To activate an action using the command palette:

1. Press ctrl+p (or cmd+p for Mac) and then enter a >. On supported browsers, ctrl+shift+p (or cmd+shift+p
for Mac) can be used.
The command palette is displayed with a runnable command list.
2. Enter the command keyword.
3. Press Enter to run the action.

Recovering missing graphical components

Errors can sometimes cause the application icons, or other minor graphical components, to no longer show up in the
GUI.
For example, in the FortiView Applications monitor, the icons could be missing from the Application column.

The diagnose fortiguard-resources update command can be used to delete cached files and force
downloads of the FortiGuard resource, including icons.

Command                                                              Downloaded resource

diagnose fortiguard-resources update sprite-map                      Application icon sprite map (CSS & PNG).
diagnose fortiguard-resources update sprite-isdb                     Application icon sprite ISDB (CSS & PNG).
diagnose fortiguard-resources update app-info <id>                   Application info for a given ID.
diagnose fortiguard-resources update ips-information <id>            IPS information for a given ID.
diagnose fortiguard-resources update wf-categories                   Web filter categories.
diagnose fortiguard-resources update app-categories                  Application categories.
diagnose fortiguard-resources update prefix-links                    Prefix links.
diagnose fortiguard-resources update static-links                    Static links.
diagnose fortiguard-resources update fortigate-end-of-support        FortiGate product life cycle information.
diagnose fortiguard-resources update fortiswitch-end-of-support      FortiSwitch product life cycle information.
diagnose fortiguard-resources update fortiap-end-of-support          FortiAP product life cycle information.
diagnose fortiguard-resources update fortiextender-end-of-support    FortiExtender product life cycle information.

To recover missing application icons:

1. Run the update command:
# diagnose fortiguard-resources update sprite-isdb
Deleted cached resource file: sprite-isdb.css
Deleted cached resource file: sprite-isdb.png
Deleted cached resource file: sprite_map_front.css
Request URL: "https://globalproductapi.fortinet.net/v1/ref?key=spritemap&f=fos&v=2"
Host "globalproductapi.fortinet.net" resolved to "209.52.38.140"
Performing HTTP request...
Response identified resource location as
"https://filestore.fortinet.com/fortiguard/isdb_logos96/sprite.tar.gz"
Host "filestore.fortinet.com" resolved to "209.52.38.129"
Performing HTTP request...
Successfully downloaded sprite-isdb.css:
    Size: 18142 bytes
    ETag: "5d9814eb50b0a9f8c7b0271e8c5baf39"
    MD5: a0474459f96edabbc61bfae9b40a9aec
Successfully downloaded sprite-isdb.png:
    Size: 294937 bytes
    ETag: "5d9814eb50b0a9f8c7b0271e8c5baf39"
    MD5: c98ce9dc8d3c2ae174233798f7124937

2. Refresh the browser window. You might also need to clear your browser cache.

Using the CLI

The Command Line Interface (CLI) can be used in lieu of the GUI to configure the FortiGate. Some settings are not
available in the GUI, and can only be accessed using the CLI.
This section briefly explains basic CLI usage. For information about the CLI config commands, see the FortiOS CLI
Reference.
l Connecting to the CLI on page 53
l CLI basics on page 56
l Command syntax on page 62
l Subcommands on page 64
l Permissions on page 67

Connecting to the CLI

You can connect to the CLI using a direct console connection, SSH, the FortiExplorer app, or the CLI console in the GUI.
You can access the CLI outside of the GUI in three ways:
l Console connection: Connect your computer directly to the console port of your FortiGate.
l SSH access: Connect your computer through any network interface attached to one of the network ports on your
FortiGate.
l FortiExplorer: Connect your device to the FortiExplorer app on your device to configure, manage, and monitor your
FortiGate. See Using FortiExplorer Go and FortiExplorer on page 68 for details.
To open a CLI console, click the _> icon in the top right corner of the GUI. The console opens on top of the GUI. It can be
minimized and multiple consoles can be opened. On many GUI pages, the CLI console can be opened with that page's
specific commands already shown by clicking Edit in CLI in the right-side gutter.
To edit policies and objects directly in the CLI, right-click on the element and select Edit in CLI.

Console connection

A direct console connection to the CLI is created by directly connecting your management computer or console to the
FortiGate using its DB-9 or RJ-45 console port.
Direct console access to the FortiGate may be required if:
l You are installing the FortiGate for the first time and it is not configured to connect to your network.
l You are restoring the firmware using a boot interrupt. Network access to the CLI will not be available until after the
boot process has completed, making direct console access the only option.
To connect to the FortiGate console, you need:
l A console cable to connect the console port on the FortiGate to a communications port on the computer. Depending
on your device, this is one of:
    l null modem cable (DB-9 to DB-9)
    l DB-9 to RJ-45 cable (a DB-9-to-USB adapter can be used)
    l USB to RJ-45 cable
l A computer with an available communications port
l Terminal emulation software

To connect to the CLI using a direct console connection:

1. Using the console cable, connect the FortiGate unit’s console port to the serial communications (COM) port on your
management computer.
2. Start a terminal emulation program on the management computer, select the COM port, and use the following
settings:

   Bits per second    9600
   Data bits          8
   Parity             None
   Stop bits          1
   Flow control       None

3. Press Enter on the keyboard to connect to the CLI.
4. Log in to the CLI using your username and password (default: admin and no password).
You can now enter CLI commands, including configuring access to the CLI through SSH.

SSH access

SSH access to the CLI is accomplished by connecting your computer to the FortiGate using one of its network ports. You
can either connect directly, using a peer connection between the two, or through any intermediary network.

If you do not want to use an SSH client and you have access to the GUI, you can access the
CLI through the network using the CLI console in the GUI.

SSH must be enabled on the network interface that is associated with the physical network port that is used.
If your computer is not connected either directly or through a switch to the FortiGate, you must also configure the
FortiGate with a static route to a router that can forward packets from the FortiGate to the computer. This can be done
using a local console connection, or in the GUI.
To connect to the FortiGate CLI using SSH, you need:
l A computer with an available serial communications (COM) port and RJ-45 port
l An appropriate console cable
l Terminal emulation software
l A network cable
l Prior configuration of the operating mode, network interface, and static route.

To enable SSH access to the CLI using a local console connection:

1. Using the network cable, connect the FortiGate unit’s port either directly to your computer’s network port, or to a
network through which your computer can reach the FortiGate.

2. Note the number of the physical network port.
3. Using direct console connection, connect and log into the CLI.
4. Enter the following command:
config system interface
    edit <interface_str>
        append allowaccess ssh
    next
end

Where <interface_str> is the name of the network interface associated with the physical network port, such as
port1.
5. Confirm the configuration using the following command to show the interface’s settings:
show system interface <interface_str>

For example:
show system interface port1
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh
        set type hard-switch
        set stp enable
        set role lan
        set snmp-index 6
    next
end
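The confirmation in step 5 can be automated when many interfaces have to be reviewed: parse the show system interface output and check which management protocols each interface allows. This is an added example, not Fortinet code; it works on a constructed sample in the format of the output above (port1 mirrors the guide's output, port2 is invented with plain HTTP enabled) and flags HTTP because the GUI section above describes it as insecure.

```python
import shlex

# Constructed sample in the format of the `show system interface` output above.
# port1 mirrors the guide's output; port2 is a constructed interface with HTTP enabled.
SHOW_OUTPUT = """\
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh
        set type hard-switch
        set stp enable
        set role lan
        set snmp-index 6
    next
    edit "port2"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping http
        set role wan
    next
end
"""

# The guide recommends HTTPS (and SSH) for management and calls plain HTTP insecure.
INSECURE_ACCESS = {"http"}


def parse_show_interface(text):
    """Return {interface: {setting: [values]}} from `show system interface` output."""
    interfaces = {}
    current = None
    for raw in text.splitlines():
        tokens = shlex.split(raw)          # strips the quotes around "port1" and "root"
        if not tokens:
            continue
        if tokens[0] == "edit" and len(tokens) == 2:
            current = tokens[1]
            interfaces[current] = {}
        elif tokens[0] == "set" and current is not None and len(tokens) >= 2:
            interfaces[current][tokens[1]] = tokens[2:]
        elif tokens[0] == "next":
            current = None
    return interfaces


def ssh_enabled(interfaces, name):
    """The check from step 5 above: is ssh in the interface's allowaccess list?"""
    return "ssh" in interfaces.get(name, {}).get("allowaccess", [])


def audit_admin_access(interfaces):
    """Return [(interface, finding)] for every insecure management protocol that is enabled."""
    findings = []
    for name, settings in interfaces.items():
        enabled = set(settings.get("allowaccess", []))
        for proto in sorted(enabled & INSECURE_ACCESS):
            findings.append((name, f"insecure management protocol enabled: {proto}"))
    return findings


if __name__ == "__main__":
    parsed = parse_show_interface(SHOW_OUTPUT)
    print("port1 ssh enabled:", ssh_enabled(parsed, "port1"))
    for interface, finding in audit_admin_access(parsed):
        print(interface, finding)
```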

Connecting using SSH

Once the FortiGate is configured to accept SSH connections, use an SSH client on your management computer to
connect to the CLI.
The following instructions use PuTTY. The steps may vary in other terminal emulators.

To connect to the CLI using SSH:

1. On your management computer, start PuTTY.
2. In the Host Name (or IP address) field, enter the IP address of the network interface that you are connected to and
that has SSH access enabled.
3. Set the port number to 22, if it is not set automatically.
4. Select SSH for the Connection type.
5. Click Open. The SSH client connects to the FortiGate.
The SSH client may display a warning if this is the first time that you are connecting to the FortiGate and its SSH key
is not yet recognized by the SSH client, or if you previously connected to the FortiGate using a different IP address
or SSH key. This is normal if the management computer is connected directly to the FortiGate with no network hosts
in between.
6. Click Yes to accept the FortiGate's SSH key.
The CLI displays the login prompt.
7. Enter a valid administrator account name, such as admin, then press Enter.
8. Enter the administrator account password, then press Enter.
The CLI console shows the command prompt (FortiGate hostname followed by a #). You can now enter
CLI commands.

If three incorrect log in or password attempts occur in a row, you will be disconnected. If this
occurs, wait for one minute, then reconnect and attempt to log in again.

CLI basics

Basic features and characteristics of the CLI environment provide support and ease of use for many CLI tasks.

Help

Press the question mark (?) key to display command help and complete commands.
l Press the question mark (?) key at the command prompt to display a list of the commands available and a
description of each command.
l Enter a command followed by a space and press the question mark (?) key to display a list of the options available
for that command and a description of each option.
l Enter a command followed by an option and press the question mark (?) key to display a list of additional options
available for that command option combination and a description of each option.
l Enter a question mark after entering a portion of a command to see a list of valid complete commands and their
descriptions. If there is only one valid command, it will be automatically filled in.

Shortcuts and key commands

Shortcut key               Action

?                          List valid complete or subsequent commands.
                           If multiple commands can complete the command, they are listed with their
                           descriptions.

Tab                        Complete the word with the next available match.
                           Press multiple times to cycle through available matches.

Up arrow or Ctrl + P       Recall the previous command.
                           Command memory is limited to the current session.

Down arrow or Ctrl + N     Recall the next command.

Left or Right arrow        Move the cursor left or right within the command line.

Ctrl + A                   Move the cursor to the beginning of the command line.

Ctrl + E                   Move the cursor to the end of the command line.

Ctrl + B                   Move the cursor backwards one word.

Ctrl + F                   Move the cursor forwards one word.

Ctrl + D                   Delete the current character.

Ctrl + C                   Abort current interactive commands, such as when entering multiple lines.
                           If you are not currently within an interactive command such as config or edit,
                           this closes the CLI connection.

\ then Enter               Continue typing a command on the next line for a multiline command.
                           For each line that you want to continue, terminate it with a backslash ( \ ). To
                           complete the command, enter a space instead of a backslash, and then press
                           Enter.

Command tree

Enter tree to display the CLI command tree. To capture the full output, connect to your device using a terminal
emulation program and capture the output to a log file. For some commands, use the tree command to view all
available variables and subcommands.

Command abbreviation

You can abbreviate words in the command line to their smallest number of non-ambiguous characters.
For example, the command get system status could be abbreviated to g sy stat.

Adding and removing options from lists

When configuring a list, the set command will remove the previous configuration.
For example, if a user group currently includes members A, B, and C, the command set member D will remove
members A, B, and C. To avoid removing the existing members from the group, the command set member A B C D
must be used.
To avoid this issue, the following commands are available:

append      Add an option to an existing list. For example, append member D adds user D to the user group
            without removing any of the existing members.

select      Clear all of the options except for those specified. For example, select member B removes all
            members from the group except for member B.

unselect    Remove an option from an existing list. For example, unselect member C removes only member C
            from the group, without affecting the other members.

Environment variables

The following environment variables are supported by the CLI. Variable names are case-sensitive.

$USERFROM     The management access type (ssh, jsconsole, and so on) and the IPv4 address of the
              administrator that configured the item.

$USERNAME     The account name of the administrator that configured the item.

$SerialNum    The serial number of the FortiGate.

For example, to set a FortiGate device's host name to its serial number, use the following CLI command:
config system global
    set hostname $SerialNum
end

Special characters

The following characters cannot be used in most CLI commands: <, >, (, ), #, ', and ".
If one of those characters, or a space, needs to be entered as part of a string, it can be entered by using a special
command, enclosing the entire string in quotes, or preceding it with an escape character (backslash, \).
To enter a question mark (?) or a tab, Ctrl + V or Ctrl + Shift + - (depending on the method being used to access the CLI)
must be entered first.

Question marks and tabs cannot be copied into the CLI Console or some SSH clients. They
must be typed in.

Character                                   Keys

?                                           Ctrl + V or Ctrl + Shift + - then ?

Tab                                         Ctrl + V then Tab

Space                                       Enclose the string in single or double quotation marks:
(as part of a string value, not to end      "Security Administrator" or 'Security Administrator'.
the string)                                 Precede the space with a backslash: Security\ Administrator.

'                                           \'
(as part of a string value, not to begin
or end the string)

"                                           \"
(as part of a string value, not to begin
or end the string)

\                                           \\

Using grep to filter command output

The get, show, and diagnose commands can produce large amounts of output. The grep command can be used to
filter the output so that it only shows the required information.
The grep command is based on the standard UNIX grep, used for searching text output based on regular expressions.
For example, the following command displays the MAC address of the internal interface:
get hardware nic internal | grep Current_HWaddr
Current_HWaddr 00:09:0f:cb:c2:75

The following command will display all TCP sessions that are in the session list, including the session list line number in
the output:
get system session list | grep -n tcp

The following command will display all of the lines in the HTTP replacement message that contain URL or url:
show system replacemsg http | grep -i url

The following options can also be used:

-A <num>    After
-B <num>    Before
-C <num>    Context

The -f option is available to support contextual output, in order to show the complete configuration. The following
example shows the difference in the output when -f is used versus when it is not used:

Without -f:

show | grep ldap-group1
    edit "ldap-group1"
        set groups "ldap-group1"

With -f:

show | grep -f ldap-group1
config user group
    edit "ldap-group1"
        set member "pc40-LDAP"
    next
end
config firewall policy
    edit 2
        set srcintf "port31"
        set dstintf "port32"
        set srcaddr "all"
        set action accept
        set identity-based enable
        set nat enable
        config identity-based-policy
            edit 1
                set schedule "always"
                set groups "ldap-group1"
                set dstaddr "all"
                set service "ALL"
            next
        end
    next
end

Language support and regular expressions

Characters such as ñ and é, symbols, and ideographs are sometimes acceptable input. Support varies depending on the
type of item that is being configured. CLI commands, objects, field names, and options must use their exact ASCII
characters, but some items with arbitrary names or values can be input using your language of choice. To use other
languages in those cases, the correct encoding must be used.
Input is stored using Unicode UTF-8 encoding, but is not normalized from other encodings into UTF-8 before it is stored.
If your input method encodes some characters differently than in UTF-8, configured items may not display or operate as
expected.
Regular expressions are especially impacted. Matching uses the UTF-8 character values. If you enter a regular
expression using a different encoding, or if an HTTP client sends a request in a different encoding, matches may not be
what is expected.
For example, with Shift-JIS, backslashes could be inadvertently interpreted as the symbol for the Japanese yen ( ¥ ), and
vice versa. A regular expression intended to match HTTP requests containing monetary values with a yen symbol may
not work if the symbol is entered using the wrong encoding.
For best results:
l use UTF-8 encoding, or
l use only characters whose numerically encoded values are the same in UTF-8, such as the US-ASCII characters
that are encoded using the same values in ISO 8859-1, Windows code page 1252, Shift-JIS, and other encoding
methods, or
l for regular expressions that must match HTTP requests, use the same encoding as your HTTP clients.

HTTP clients may send requests in encodings other than UTF-8. Encodings usually vary
based on the client’s operating system or input language. If the client's encoding method
cannot be predicted, you might only be able to match the parts of the request that are in
English, as the values for English characters tend to be encoded identically, regardless of the
encoding method.

If the FortiGate is configured to use an encoding method other than UTF-8, the management computer's language may
need to be changed, including the web browser and terminal emulator. If the FortiGate is configured using non-ASCII
characters, all the systems that interact with the FortiGate must also support the same encoding method. If possible, the
same encoding method should be used throughout the configuration to avoid needing to change the language settings
on the management computer.
The GUI and CLI client normally interpret output as encoded using UTF-8. If they do not, configured items may not
display correctly. Exceptions include items such as regular expressions that may be configured using other encodings to
match the encoding of HTTP requests that the FortiGate receives.

To enter non-ASCII characters in a terminal emulator:

1. On the management computer, start the terminal client.
2. Configure the client to send and receive characters using UTF-8 encoding.
Support for sending and receiving international characters varies by terminal client.
3. Log in to the FortiGate.
4. At the command prompt, type your command and press Enter.
Words that use encoded characters may need to be enclosed in single quotes ( ' ).
Depending on your terminal client's language support, you may need to interpret the characters into character
codes before pressing Enter. For example, you might need to enter: edit '\743\601\613\743\601\652'
5. The CLI displays the command and its output.

Screen paging

By default, the CLI will pause after displaying each page worth of text when a command has multiple pages of output.
This can be useful when viewing lengthy output that might exceed the buffer of the terminal emulator.
When the display pauses and shows --More--, you can:
l Press Enter to show the next line,
l Press Q to stop showing results and return to the command prompt,
l Press an arrow key, Insert, Home, Delete, End, Page Up, or Page Down to show the next few pages,
l Press any other key to show the next page, or
l Wait for about 30 seconds for the console to truncate the output and return to the command prompt.
When pausing the screen is disabled, press Ctrl + C to stop the output and log out of the FortiGate.

To disable pausing the CLI output:

config system console
    set output standard
end

To enable pausing the CLI output:

config system console
    set output more
end

Changing the baud rate

The baud rate of the local console connection can be changed from its default value of 9600.

To change the baud rate:

config system console
    set baudrate {9600 | 19200 | 38400 | 57600 | 115200}
end

Editing the configuration file

The FortiGate configuration file can be edited on an external host by backing up the configuration, editing the
configuration file, and then restoring the configuration to the FortiGate.
Editing the configuration file can save time if many changes need to be made, particularly if the plain text editor that you
are using provides features such as batch changes.

To edit the configuration file:

1. Back up the configuration. See Configuration backups and reset on page 3173 for details.
2. Open the configuration file in a plain text editor that supports UNIX-style line endings.
3. Edit the file as needed.

Do not edit the first line of the configuration file. This line contains information about the firmware version and
FortiGate model. If you change the model number, the FortiGate will reject the configuration when you attempt to
restore it.

4. Restore the modified configuration to the FortiGate. See Configuration backups and reset on page 3173 for details.
The FortiGate downloads the configuration file and checks that the model information is correct. If it is correct, the
configuration file is loaded and each line is checked for errors. If a command is invalid, that command is ignored. If
the configuration file is valid, the FortiGate restarts and loads the downloaded configuration.
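The offline editing workflow above, together with the list rules from Adding and removing options from lists and the quoting rules from Special characters, as an added Python example (not Fortinet code): it parses a constructed backup, leaves the header line untouched, changes one option on an interface without retyping the whole allowaccess list, and rejects unbalanced config/edit/next/end nesting. The header line, interface name and option values are constructed placeholders.

```python
"""Offline editor for FortiOS-style configuration text (added example, not Fortinet
code): config/edit/set/next/end nesting, append/unselect semantics, quoting rules."""
import shlex
from dataclasses import dataclass, field

# Constructed sample backup; line 1 stands in for the real header (firmware/model) and is never edited.
SAMPLE = """\
#config-version=MODEL-7.4.5-FW-build0000-000000:opmode=0:vdom=0:user=admin
config system global
    set hostname "Security Administrator"
end
config system interface
    edit "port1"
        set allowaccess ping https http
    next
end
"""
# Characters the Special characters table says must be quoted or escaped in a value
NEEDS_QUOTES = set(" \t'\"\\<>()#")

@dataclass
class Block:
    kind: str                                     # "root", "config" or "edit"
    name: str                                     # "system interface", "port1"
    settings: dict = field(default_factory=dict)  # field -> list of values
    children: list = field(default_factory=list)

    def child(self, name: str) -> "Block":
        return next(c for c in self.children if c.name == name)

def parse(text: str) -> tuple:
    """Return (header line, tree); rejects unbalanced or unknown keywords."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("#"):
        raise ValueError("missing header line")
    stack = [Block("root", "")]
    for raw in lines[1:]:
        if not raw.strip(): continue
        words = shlex.split(raw)  # handles "...", '...' and backslash escapes
        kw, cur = words[0], stack[-1]
        if kw in ("config", "edit"):
            blk = Block(kw, " ".join(words[1:]))
            cur.children.append(blk)
            stack.append(blk)
        elif kw == "set":             # a plain set replaces the whole list
            cur.settings[words[1]] = words[2:]
        elif kw == "next":            # save the entry, back to the table prompt
            if cur.kind != "edit":
                raise ValueError(f"next outside of an edit entry: {raw}")
            stack.pop()
        elif kw == "end":             # saves an open entry too, then closes the table
            while stack[-1].kind == "edit":
                stack.pop()
            if stack[-1].kind != "config":
                raise ValueError(f"end outside of a config block: {raw}")
            stack.pop()
        else:
            raise ValueError(f"unknown keyword: {raw}")
    if len(stack) != 1:
        raise ValueError(f"unterminated {stack[-1].kind} {stack[-1].name!r}")
    return lines[0], stack[0]

def quote(value: str) -> str:
    """Quote and escape a value as the Special characters table requires."""
    if value and not (NEEDS_QUOTES & set(value)):
        return value
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def render(header: str, root: Block) -> str:
    out = [header]                    # header goes back out unchanged
    def walk(blk: Block, depth: int) -> None:
        pad = "    " * depth
        for key, vals in blk.settings.items():
            out.append(" ".join([pad + "set", key, *map(quote, vals)]))
        for c in blk.children:
            out.append(f"{pad}{c.kind} {quote(c.name) if c.kind == 'edit' else c.name}")
            walk(c, depth + 1)
            out.append(pad + ("next" if c.kind == "edit" else "end"))
    walk(root, 0)
    return "\n".join(out) + "\n"

def append_option(blk: Block, key: str, value: str) -> list:
    """CLI append: add one option without retyping the whole list."""
    vals = blk.settings.setdefault(key, [])
    if value not in vals: vals.append(value)
    return vals

def unselect_option(blk: Block, key: str, value: str) -> list:
    """CLI unselect: remove one option and leave the others alone."""
    blk.settings[key] = [v for v in blk.settings.get(key, []) if v != value]
    return blk.settings[key]

def harden_port1(text: str = SAMPLE) -> str:
    """Batch edit: drop plain HTTP admin access and add SSH on port1."""
    header, root = parse(text)
    port1 = root.child("system interface").child("port1")
    unselect_option(port1, "allowaccess", "http")
    append_option(port1, "allowaccess", "ssh")
    return render(header, root)
```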

Command syntax

When entering a command, the CLI console requires that you use valid syntax and conform to expected input
constraints. It rejects invalid commands. Indentation is used to indicate the levels of nested commands.
Each command line consists of a command word, usually followed by configuration data or a specific item that the
command uses or affects.

Notation

Brackets, vertical bars, and spaces are used to denote valid syntax. Constraint notations, such as <address_ipv4>,
indicate which data types or string patterns are acceptable value input.
All syntax uses the following conventions:

Angle brackets < >     Indicate a variable of the specified data type.

Curly brackets { }     Indicate that a variable or variables are mandatory.

Square brackets [ ]    Indicate that the variable or variables are optional.
                       For example:
                       show system interface [<name_str>]
                       To show the settings for all interfaces, you can enter show system interface.
                       To show the settings for the Port1 interface, you can enter show system interface port1.

Vertical bar |         A vertical bar separates alternative, mutually exclusive options.
                       For example:
                       set protocol {ftp | sftp}
                       You can enter either set protocol ftp or set protocol sftp.

Space                  A space separates non-mutually exclusive options.
                       For example:
                       set allowaccess {ping https ssh snmp http fgfm radius-acct probe-response capwap ftm}
                       You can enter any of the following:
                       set allowaccess ping
                       set allowaccess https ping ssh
                       set allowaccess http https snmp ssh ping
                       In most cases, to make changes to lists that contain options separated by spaces, you need
                       to retype the entire list, including all the options that you want to apply and excluding
                       all the options that you want to remove.

Optional values and ranges

Any field that is optional will use square brackets. The overall config command will still be valid whether or not the option
is configured.
Square brackets can also be used to show that multiple options can be set, even intermixed with ranges. The following
example shows a field that can be set to either a specific value or range, or multiple instances:
config firewall service custom
    set iprange <range1> [<range2> <range3> ...]
end

next

The next command is used to maintain a hierarchy and flow to CLI commands. It is at the same indentation level as the
preceding edit command, to mark where a table entry finishes.
The following example shows the next command used in the subcommand entries:

After configuring table entry <2> then entering next, the <2> table entry is saved and the console returns to the
entries prompt:

You can now create more table entries as needed, or enter end to save the table and return to the filepattern table
element prompt.

end

The end command is used to maintain a hierarchy and flow to CLI commands.
The following example shows the same command and subcommand as the next command example, except end has
been entered instead of next after the subcommand:

Entering end will save the <2> table entry and the table, and exit the entries subcommand entirely. The console
returns to the filepattern table element prompt:

Subcommands

Subcommands are available from within the scope of some commands. When you enter a subcommand level, the
command prompt changes to indicate the name of the current command scope. For example, after entering:
config system admin

the command prompt becomes:
(admin)#

Applicable subcommands are available until you exit the command, or descend an additional level into another
subcommand. Subcommand scope is indicated by indentation.
For example, the edit subcommand is only available in commands that affect tables, and the next subcommand is
available only in the edit subcommand:
config system interface
    edit port1
        set status up
    next
end

The available subcommands vary by command. From a command prompt under the config command, subcommands
that affect tables and fields could be available.

Table subcommands

edit <table_row>       Create or edit a table value.
                       In objects such as security policies, <table_row> is a sequence number. To create a new table
                       entry without accidentally editing an existing entry, enter edit 0. The CLI will confirm the
                       creation of entry 0, but will assign the next unused number when the entry is saved after
                       entering end or next.
                       For example, to create a new firewall policy, enter the following commands:
                       config firewall policy
                           edit 0
                               ...
                           next
                       end
                       To edit an existing policy, enter the following commands:
                       config firewall policy
                           edit 27
                               ...
                           next
                       end
                       The edit subcommand changes the command prompt to the name of the table value that is being
                       edited, such as (27) #.

delete <table_row>     Delete a table value.
                       For example, to delete firewall policy 27, enter the following commands:
                       config firewall policy
                           delete 27
                       end

purge                  Clear all table values.
                       The purge command cannot be undone. To restore purged table values, the configuration must be
                       restored from a backup.

move                   Move an ordered table value.
                       In the firewall policy table, this is equivalent to dragging a policy into a new position. It
                       does not change the policy's ID number.
                       For example, to move policy 27 to policy 30, enter the following commands:
                       config firewall policy
                           move 27 to 30
                       end
                       The move subcommand is only available in tables where the order of the table entries matters.

clone <table_row> to <table_row>
                       Make a clone of a table entry.
                       For example, to create firewall policy 30 as a clone of policy 27, enter the following commands:
                       config firewall policy
                           clone 27 to 30
                       end
                       The clone subcommand may not be available for all tables.

rename <table_row> to <table_row>
                       Rename a table entry.
                       For example, to rename an administrator from Fry to Leela, enter the following commands:
                       config system admin
                           rename Fry to Leela
                       end
                       The rename subcommand is only available in tables where the entries can be renamed.

get                    List the current table entries.
                       For example, to view the existing firewall policy table entries, enter the following commands:
                       config firewall policy
                           get

show                   Show the configuration. Only table entries that are not set to default values are shown.

end                    Save the configuration and exit the current config command.

Purging the system interface or system admin tables does not reset default table values. This can result in being
unable to connect to or log in to the FortiGate, requiring the FortiGate to be formatted and restored.

Field subcommands

set <field> <value>    Modify the value of a field.
                       For example, the command set fsso enable sets the fsso field to the value enable.

unset                  Set the field to its default value.

select                 Clear all of the options except for those specified.
                       For example, if a group contains members A, B, C, and D, to remove all members except for B,
                       use the command select member B.

unselect               Remove an option from an existing list.
                       For example, if a group contains members A, B, C, and D, to remove only member B, use the
                       command unselect member B.

append                 Add an option to an existing multi-option table value.

clear                  Clear all the options from a multi-option table value.

get                    List the configuration of the current table entry, including default and customized values.

show                   Show the configuration. Only values that are not set to default values are shown.

next                   Save changes to the table entry and exit the edit command so that you can configure the next
                       table entry.

abort                  Exit the command without saving.

end                    Save the configuration and exit the current config command.

Permissions

Administrator (or access) profiles control what CLI commands an administrator can access by assigning read, write, or
no access to each area of FortiOS. For information, see Administrator profiles on page 2766.
Read access is required to view configurations. Write access is required to make configuration changes. Depending on
your account's profile, you may not have access to all CLI commands. To have access to all CLI commands, an
administrator account with the super_admin profile must be used, such as the admin account.
Accounts assigned the super_admin profile are similar to the root administrator account. They have full permission to
view and change all FortiGate configuration options, including viewing and changing other administrator accounts.
To increase account security, set strong passwords for all administrator accounts and change the passwords regularly.
See Default administrator password on page 2806 and Password policy on page 2757 for more information.

Configuration and management

FortiOS can be managed through the graphical user interface (GUI) or the Command Line Interface (CLI) as well as
other tools.

For                                        Use

Direct or individual configuration         FortiOS GUI and CLI. See Using the GUI on page 39 and Using the CLI on
                                           page 53.
                                           FortiExplorer Go and FortiExplorer. See Using FortiExplorer Go and
                                           FortiExplorer on page 68.

Mass provisioning, management, and         FortiManager and FortiGate Cloud. See the FortiManager page and the
orchestration                              FortiGate Cloud page on the Fortinet Document Library.

Automation                                 REST API accessible through Fortinet Developer Network (FNDN). See
                                           Accessing Fortinet Developer Network on page 82 and REST API
                                           administrator.
                                           Automation tools, such as Terraform and Ansible. See Terraform: FortiOS
                                           as a provider on page 86.

Other tools and FortiConverter             The FortiConverter service helps you migrate a configuration from one
                                           FortiGate to another FortiGate, or from a third-party firewall to a
                                           FortiGate. See Migrating a configuration with FortiConverter on page 76.

Using FortiExplorer Go and FortiExplorer

FortiExplorer Go

FortiExplorer Go is a free mobile application that provisions and deploys BLE capable FortiGates with the BLE
Autodiscovery feature. You can also use FortiExplorer Go to remotely manage FortiGates registered to your FortiCare
account and deployed in FortiGate Cloud.
FortiExplorer Go is available on both iOS and Android devices. For more information, refer to the FortiExplorer Go User
Guide for your respective device OS.

FortiExplorer management

FortiExplorer for iOS is a user-friendly application that helps you to rapidly provision, deploy, and monitor Security Fabric
components from your iOS device.

FortiExplorer for iOS requires iOS 10.0 or later and is compatible with iPhone, iPad, and Apple TV. It is supported by
FortiOS 5.6 and later, and is available on the App Store for iOS devices.
Up to six members can use this app with 'Family Sharing' enabled in the App Store.

Firmware upload requires a valid firmware license. Users can download firmware for models
with a valid support contract.

Getting started with FortiExplorer

If your FortiGate is accessible on a wireless network, you can connect to it using FortiExplorer, provided that your
iOS device is on the same network. See Connecting FortiExplorer to a FortiGate with WiFi. If your 200F series or 80F
series FortiGate is in close proximity, you can connect to it using FortiExplorer over Bluetooth Low Energy (BLE). See
Configure FortiGate with FortiExplorer using BLE on page 72. Otherwise, you will need to physically connect your iOS
device to the FortiGate using a USB cable.

To connect and configure a FortiGate with FortiExplorer using a USB connection:

1. Connect your iOS device to your FortiGate USB A port. If prompted on your iOS device, Trust this computer.
2. Open FortiExplorer and select your FortiGate from the FortiGate Devices list. A blue USB icon will indicate that you
are connected over a USB connection.
3. On the Login screen, select USB.
4. Enter the default Username (admin) and leave the Password field blank.
5. Optionally, select Remember Password.
6. Tap Done when you are ready.
FortiExplorer opens the FortiGate management interface to the Device Status page.
7. Go to Network > Interfaces and configure the WAN interface or interfaces.
8. The wan1 interface Address mode is set to DHCP by default. Set it to Manual and enter its Address, Netmask, and
Default Gateway, and then Apply your changes.
9. Optionally, configure Administrative Access to allow HTTPS access. This will allow administrators to access the
FortiGate GUI using a web browser.
10. Go to Network > Interfaces and configure the local network (internal) interface.
11. Set the Address mode as before and configure Administrative Access if required.
12. Configure a DHCP Server for the internal network subnet.
13. Return to the internal interface using the < button at the top of the screen.
14. Go to Network > Static Routes and configure the static route to the gateway.
15. Go to Policy & Objects > Firewall Policy and edit the Internet access policy. Enter a Name for the policy, enable the
required Security Profiles, configure Logging Options, then tap OK.

Connecting FortiExplorer to a FortiGate with WiFi

You can wirelessly connect to the FortiGate if your iOS device and the FortiGate are both connected to the same
wireless network.

To connect and configure a FortiGate with FortiExplorer wirelessly:

1. Open the FortiExplorer app and tap Add on the Devices page.
2. On the Add Device By page, tap HTTPS.
3. Enter the Host information, Username, and Password.
4. If required, change the default Port number, and optionally enable Remember Password.
5. Tap Done.
6. If the FortiGate device identity cannot be verified, tap Connect at the prompt.
FortiExplorer opens the FortiGate management interface to the Device Status page.

Configure FortiGate with FortiExplorer using BLE

FortiGate 200F series and 80F series devices can be initially configured in FortiExplorer using Bluetooth Low Energy
(BLE).

The state of the status LED on the device shows if BLE is enabled. See the device QuickStart guides for more
information about LED states: FortiGate 200F Series QuickStart Guide and FortiGate 80F Series QuickStart Guide.

When the status LED is flashing green, pressing and holding the reset button for five seconds
or longer will reset the device to factory default settings.

BLE is enabled or disabled in the following scenarios after the FortiGate boots up:
l In factory default settings:
    l After the FortiGate has finished booting up (when the console login prompt is shown), the status LED will be
      flashing amber or red to indicate that BLE is enabled.
    l If the FortiGate is configured without using BLE, BLE will immediately be disabled and the status LED will turn
      solid green.
    l If the FortiGate is configured using BLE, the LED will continue flashing until the configuring device disconnects
      from BLE, after which BLE is disabled and the status LED turns solid green.
l Not in factory default configuration:
    l One minute after the FortiGate has finished booting up (when the console login prompt is shown), the status
      LED will turn solid green. Press and hold the reset button for one second. The status LED will start flashing to
      indicate that BLE is enabled.
    l If no BLE connection is made with the FortiGate, BLE will be disabled after one minute and the status LED will
      turn solid green.
    l If the FortiGate is configured without using BLE, BLE will immediately be disabled and the status LED will turn
      solid green.
    l If the FortiGate is configured using BLE, the LED will continue flashing until the configuring device disconnects
      from BLE, after which BLE is disabled and the status LED turns solid green.

To enable BLE for one minute when the FortiGate is running and not in factory default configuration:

# diagnose bluetooth enable 1

To connect to and configure a FortiGate with FortiExplorer using BLE:

1. Ensure that BLE is enabled on the FortiGate device.
2. Enable Bluetooth on your iOS device and open the FortiExplorer app.
If the app has detected the FortiGate device, the device's serial number will be shown.

3. Log into the FortiGate in the app using the default credentials: admin and no password.
4. If this is the first time logging into the device, set a password.
5. Optionally, register with FortiCare.
6. Configure the FortiGate, including the WAN and internal interfaces, static routes, and other required settings.

After configuring the FortiGate and disconnecting, BLE is disabled.

To check the status of BLE on the FortiGate:

# diagnose hardware test ble
# diagnose bluetooth status
# diagnose bluetooth get_bt_version
# diagnose bluetooth clean_bt_mode

Running a security rating

After configuring your network, run a security rating check to identify vulnerabilities and highlight best practices that
could improve your network's security and performance.
Go to Security Fabric > Security Rating and follow the steps to determine the score. See Security rating on page 3333 for
more information.

Migrating a configuration with FortiConverter

A configuration can be migrated from an older FortiGate device to a new FortiGate device directly from the FortiGate
GUI, without having to access the FortiConverter portal.
Both the source and target FortiGates must be registered under the same FortiCare account and have internet
connectivity to reach the FortiConverter server. The target FortiGate must also have a valid FortiConverter license.
In this example, FortiGate A (FGTA) is replacing FortiGate B (FGTB). The configuration is migrated using
FortiConverter, but without accessing the FortiConverter portal.

To migrate the configuration from FGTB to FGTA in the GUI:

1. On FGTB, go to System > Settings, enable Allow FortiConverter to obtain config file once, then click Apply.

2. Log in to FGTA and on the GUI startup menu click Begin to start Migrate Config with FortiConverter.
3. Click Convert to start the conversion process.
If the device does not have a FortiConverter license, a warning will be shown and the Convert button will be
unclickable. The license status is shown in the GUI on the System > FortiGuard page in the License Information
table.
You can toggle the Don't show again option and click Later to turn off reminders about the migration process.
4. Enter the user contact information, then click Save and continue.
The FortiConverter ticket is created.
5. The source configuration can be uploaded from a file, or from another FortiGate. In this example, the configuration
is uploaded from FGTB.

l To upload from a file, set Source config to Upload then click Browse to locate the file.
l To import from FGTB, set Source config to Import from source FortiGate then select FGTB. Allow
FortiConverter to obtain config file once must be enabled in System > Settings on FGTB.

6. Click Save and continue, then wait for the FGTB configuration file to be uploaded to FortiConverter and processed.
After the configuration is uploaded, Allow FortiConverter to obtain config file once is automatically disabled on
FGTB.

7. Define the interface mapping between the source and target configuration, then click Save and continue. The target
interfaces are prepopulated.

8. Optionally, configure management access on the target FortiGate (FGTA), then click Save and continue.

9. Enter conversion notes in the Comments field, then click Save and continue.

10. Review the content, then click Submit.

The conversion request is sent, an email is sent to confirm that the conversion process has started in
FortiConverter, and the ticket status is shown. The estimated conversion time is one business day.
11. Click Done.
When the conversion process completes, you will receive an email and a notification in the FortiGate GUI.
12. In the GUI, click your administrator name and select Configuration > FortiConverter. The migrated configuration is
shown for review, and can be downloaded.

13. Click Apply migrated config to apply the converted configuration to the FortiGate. This will cause the FortiGate to
reboot. The existing configuration will be backed up before the converted configuration is applied.
14. To manually load the configuration file:
a. Click your administrator name and select Configuration > Restore.

b. Upload the converted configuration file, then click OK. This will cause the FortiGate to reboot.

To see the visibility status of the FortiConverter wizard:

diagnose sys forticonverter get-prompt-visibility

To set the visibility status of the FortiConverter wizard:

diagnose sys forticonverter set-prompt-visibility {visible | hidden}

Accessing Fortinet Developer Network

The Fortinet Developer Network (FNDN) is a subscription-based community that helps administrators enhance and
increase the effectiveness of Fortinet products. Administrators can access the FortiAPI forum in FNDN to help create
applications that interact with Fortinet products, such as custom web portals, automated deployment and provisioning
systems, and scripted tasks. FNDN makes it easy for administrators and Fortinet professionals to interact, share sample
code, and upload their own tools. The FortiOS REST API documentation is available within the FortiAPI forum.
All FNDN users must be sponsored by two Fortinet employees. The sponsors must be able to confirm the user’s identity
and need for access. Approvals from both sponsors are required before access is granted to new users. The sponsors'
email addresses are required to create a new FNDN account.
Basic and licensed access options are available. Refer to the Fortinet Developer Network data sheet for more
information.

To create an FNDN account:

1. Obtain sponsorship from two Fortinet employees.


2. Go to the FNDN website, https://fndn.fortinet.net/. The login page appears.

3. Click Create a new account. The Sign Up page appears.

4. Enter the information in the form fields and agree to the Terms of Use.

5. Click Create my Account.


New accounts are reviewed and approved by an FNDN administrator. After both sponsors approve the request, an
FNDN administrator reviews the request and approves account access in around one business day if all
requirements are met.

Terraform: FortiOS as a provider

Fortinet's Terraform support provides customers with more ways to efficiently deploy, manage, and automate security
across physical FortiGate appliances and virtual environments. You can use Terraform to automate various IT
infrastructure needs, thereby diminishing mistakes from repetitive manual configurations.
For example, if Fortinet is releasing a new FortiOS version, your organization may require you to test a new functionality
to determine how it may impact the environment before globally deploying the new version. In this case, the ability to
rapidly stand up environments and test these functions prior to production environment integration provides a
resource-efficient and fault-tolerant approach.
The following example demonstrates how to use the Terraform FortiOS provider to perform simple configuration
changes on a FortiGate unit. It requires the following:
• FortiOS 6.0 or later
• FortiOS Provider: This example uses terraform-provider-fortios 1.0.0.
• Terraform: This example uses Terraform 0.11.14.
• REST API administrator created on the FortiGate with the API key
For more information, see the Terraform FortiOS Provider at https://www.terraform.io/docs/providers/fortios/index.html.

To create a REST API administrator:

1. On the FortiGate, go to System > Administrators and click Create New > REST API Admin.
2. Enter the Username and, optionally, enter Comments.
3. Select an Administrator Profile.
4. We recommend that you create a new profile with minimal privileges for this Terraform script:
a. In the Administrator Profile drop-down, click Create New.
b. Enter a name for the profile.
c. Configure the Access Permissions:
• None: The REST API is not permitted access to the resource.
• Read: The REST API can send read requests (HTTP GET) to the resource.
• Read/Write: The REST API can send read and write requests (HTTP GET/POST/PUT/DELETE) to the
resource.
d. Click OK.
5. Enter Trusted Hosts to specify the devices that are allowed to access this FortiGate.
6. Click OK.
An API key is displayed. This key is only shown once, so you must copy and store it securely.

To configure FortiGate with Terraform Provider module support:

1. Download the terraform-provider-fortios file to a directory on the management computer.


2. Create a new file with the .tf extension for configuring your FortiGate:
root@mail:/home/terraform# ls
terraform-provider-fortios_v1.0.0_x4 test.tf

3. Edit the test.tf Terraform configuration file:


In this example, the FortiGate's IP address is 10.6.30.5, and the API user token is 17b********************63ck. Your
provider information must also be changed.
# Configure the FortiOS Provider
provider "fortios" {
hostname = "10.6.30.5"
token = "17b********************63ck"
}

4. Create the resources for configuring your DNS object and adding a static route:
resource "fortios_system_setting_dns" "test1" {
primary = "172.16.95.16"
secondary = "8.8.8.8"
}
resource "fortios_networking_route_static" "test1" {
dst = "110.2.2.122/32"
gateway = "2.2.2.2"
blackhole = "disable"
distance = "22"
weight = "3"
priority = "3"
device = "port2"
comment = "Terraform test"
}

5. Save your Terraform configuration file.


6. In the terminal, enter terraform init to initialize the working directory.
It reads the provider if the name follows the convention terraform-provider-[name]:
root@mail:/home/terraform# terraform init
Initializing the backend...
Terraform has been successfully initialized!
You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.
If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

7. Run terraform -v to verify the version of the loaded provider module:
root@mail:/home/terraform# terraform -v
Terraform v0.11.14
+ provider.fortios v1.0.0

8. Enter terraform plan to parse the configuration file and read the FortiGate configuration to see what
Terraform will change:
This example creates a static route and updates the DNS addresses. You can see that Terraform reads the DNS
addresses from the FortiGate and then lists them.
root@mail:/home/terraform# terraform plan
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.
fortios_networking_route_static.test1: Refreshing state... (ID: 2)
fortios_system_setting_dns.test1: Refreshing state... (ID: 96.45.45.45)

------------------------------------------------------------------------
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
+ create
~ update in-place
Terraform will perform the following actions:
+ fortios_networking_route_static.test1
id: <computed>
blackhole: "disable"
comment: "Terraform test"
device: "port2"
distance: "22"
dst: "110.2.2.122/32"
gateway: "2.2.2.2"
priority: "3"
weight: "3"
~ fortios_system_setting_dns.test1
primary: "96.45.45.45" => "172.16.95.16"
secondary: "208.91.112.22" => "8.8.8.8"
Plan: 1 to add, 1 to change, 0 to destroy.
------------------------------------------------------------------------
Note: You didn't specify an "-out" parameter to save this plan, so Terraform
can't guarantee that exactly these actions will be performed if
"terraform apply" is subsequently run.

If you are running terraform-provider-fortios 1.1.0, you may see the following error:
Error: Error getting CA Bundle, CA Bundle should be set when
insecure is false.
In this case, add the following line to the FortiOS provider configuration in the test.tf file:
insecure = "true"

9. Enter terraform apply to continue the configuration:


root@mail:/home/terraform# terraform apply
fortios_system_setting_dns.test1: Refreshing state... (ID: 96.45.45.45)
fortios_networking_route_static.test1: Refreshing state... (ID: 2)
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
+ create
~ update in-place
Terraform will perform the following actions:
+ fortios_networking_route_static.test1
id: <computed>
blackhole: "disable"
comment: "Terraform test"
device: "port2"
distance: "22"
dst: "110.2.2.122/32"
gateway: "2.2.2.2"
priority: "3"
weight: "3"
~ fortios_system_setting_dns.test1
primary: "96.45.45.45" => "172.16.95.16"
secondary: "208.91.112.22" => "8.8.8.8"
Plan: 1 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?


Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
fortios_networking_route_static.test1: Creating...
blackhole: "" => "disable"
comment: "" => "Terraform test"
device: "" => "port2"
distance: "" => "22"
dst: "" => "110.2.2.122/32"
gateway: "" => "2.2.2.2"
priority: "" => "3"
weight: "" => "3"
fortios_system_setting_dns.test1: Modifying... (ID: 96.45.45.45)
primary: "96.45.45.45" => "172.16.95.16"
secondary: "208.91.112.22" => "8.8.8.8"
fortios_networking_route_static.test1: Creation complete after 0s (ID: 2)
fortios_system_setting_dns.test1: Modifications complete after 0s (ID: 172.16.95.16)
Apply complete! Resources: 1 added, 1 changed, 0 destroyed.

The FortiGate is now configured according to the configuration file.


10. To change or delete something in the future, edit the configuration file and then apply it again. In supported cases,
Terraform deletes, adds, or updates entries as configured. For instance, in this example you can remove the static route
and revert the DNS addresses to their original configuration by changing the .tf file:
a. Edit the configuration file:
# Configure the FortiOS Provider
provider "fortios" {
hostname = "10.6.30.5"
token = "17b********************63ck"
}
resource "fortios_system_setting_dns" "test1" {
primary = "96.45.45.45"
secondary = "208.91.112.22"
}
#resource "fortios_networking_route_static" "test1" {
# dst = "110.2.2.122/32"
# gateway = "2.2.2.2"
# blackhole = "disable"
# distance = "22"
# weight = "3"
# priority = "3"
# device = "port2"
# comment = "Terraform test"
#}

b. Entering terraform apply deletes the static route that is commented out of the configuration file, and
reverts the DNS address to the old address:
root@mail:/home/terraform# terraform apply
fortios_system_setting_dns.test1: Refreshing state... (ID: 172.16.95.16)
fortios_networking_route_static.test1: Refreshing state... (ID: 2)
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
~ update in-place
- destroy
Terraform will perform the following actions:

- fortios_networking_route_static.test1
~ fortios_system_setting_dns.test1
primary: "172.16.95.16" => "96.45.45.45"
secondary: "8.8.8.8" => "208.91.112.22"
Plan: 0 to add, 1 to change, 1 to destroy.
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
fortios_networking_route_static.test1: Destroying... (ID: 2)
fortios_system_setting_dns.test1: Modifying... (ID: 172.16.95.16)
primary: "172.16.95.16" => "96.45.45.45"
secondary: "8.8.8.8" => "208.91.112.22"
fortios_networking_route_static.test1: Destruction complete after 0s
fortios_system_setting_dns.test1: Modifications complete after 0s (ID: 96.45.45.45)
Apply complete! Resources: 0 added, 1 changed, 1 destroyed.
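
Before answering yes at terraform apply, it pays to check the plan for destroys and for changes to routing or DNS, as in the revert in step 10. The following Python script is an added example, not part of this guide or of the FortiOS provider: it parses Terraform 0.11 plan text (the embedded sample is constructed from the plan output shown above) and lists the changes that deserve a second look.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the execution plan that `terraform plan` printed in the
# walkthrough above (Terraform 0.11 text format), trimmed to the lines that matter.
SAMPLE_PLAN = """\
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
Terraform will perform the following actions:
  + fortios_networking_route_static.test1
      id:        <computed>
      dst:       "110.2.2.122/32"
      gateway:   "2.2.2.2"
      device:    "port2"
  ~ fortios_system_setting_dns.test1
      primary:   "96.45.45.45" => "172.16.95.16"
      secondary: "208.91.112.22" => "8.8.8.8"
Plan: 1 to add, 1 to change, 0 to destroy.
"""

# Terraform 0.11 action symbols ("-/+" marks a destroy-then-create replacement).
ACTIONS = {"+": "create", "~": "update", "-": "destroy", "-/+": "replace"}
# A resource line is a symbol followed by a dotted address; legend lines such as
# "  + create" or "  ~ update in-place" have no dot and therefore do not match.
RESOURCE_RE = re.compile(r'^\s*(-/\+|[+~-])\s+([A-Za-z0-9_]+\.[A-Za-z0-9_.\-\[\]"]+)\s*$')
ATTR_RE = re.compile(r"^\s+([A-Za-z0-9_.]+):\s+(.*)$")
SUMMARY_RE = re.compile(r"^Plan:\s+(\d+) to add,\s+(\d+) to change,\s+(\d+) to destroy\.")


@dataclass
class ResourceChange:
    address: str   # e.g. fortios_networking_route_static.test1
    action: str    # create / update / destroy / replace
    # attribute -> (old, new); old is None when the resource is being created
    attrs: Dict[str, Tuple[Optional[str], str]] = field(default_factory=dict)

    @property
    def resource_type(self) -> str:
        return self.address.split(".", 1)[0]


@dataclass
class Plan:
    changes: List[ResourceChange]
    summary: Tuple[int, int, int]   # (to add, to change, to destroy)


def _split_attr(value: str) -> Tuple[Optional[str], str]:
    """'"a" => "b"' becomes ("a", "b"); a bare '"b"' or <computed> becomes (None, "b")."""
    if " => " in value:
        old, new = value.split(" => ", 1)
        return old.strip('"'), new.strip('"')
    return None, value.strip('"')


def parse_plan(text: str) -> Plan:
    """Extract the per-resource actions and the 'Plan:' summary from plan output."""
    changes: List[ResourceChange] = []
    summary = (0, 0, 0)
    current: Optional[ResourceChange] = None
    for line in text.splitlines():
        m = RESOURCE_RE.match(line)
        if m:
            current = ResourceChange(m.group(2), ACTIONS[m.group(1)])
            changes.append(current)
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            current.attrs[m.group(1)] = _split_attr(m.group(2))
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary = tuple(int(n) for n in m.groups())
            current = None
    return Plan(changes, summary)


def review_findings(plan: Plan, protected_types=("fortios_networking_route_static",
                                                 "fortios_system_setting_dns")) -> List[str]:
    """Reasons to read the plan before answering 'yes' at apply: every destroy or
    replace, and every change to routing or DNS resources (the defaults)."""
    findings = []
    for c in plan.changes:
        if c.action in ("destroy", "replace"):
            findings.append(f"{c.address}: {c.action}")
        elif c.resource_type in protected_types:
            detail = ", ".join(f"{k}: {old!r} -> {new!r}" if old is not None else f"{k}={new!r}"
                               for k, (old, new) in c.attrs.items() if k != "id")
            findings.append(f"{c.address}: {c.action} on protected type ({detail})")
    add, change, destroy = plan.summary
    counted = sum(2 if c.action == "replace" else 1 for c in plan.changes)
    if counted != add + change + destroy:
        findings.append("resource list does not match the Plan summary line")
    return findings


if __name__ == "__main__":
    for finding in review_findings(parse_plan(SAMPLE_PLAN)):
        print("REVIEW:", finding)
```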

Troubleshooting

Use the HTTPS daemon debug to begin troubleshooting why a configuration was not accepted:
# diagnose debug enable
# diagnose debug application httpsd -1

The REST API 403 error means that your administrator profile does not have sufficient
permissions.
The REST API 401 error means that you do not have the correct token or trusted host.

Product registration with FortiCare

It is recommended to register your product with Fortinet. A FortiCare/FortiCloud account with Fortinet Technical Support
(https://support.fortinet.com) is required to register products. This section describes how to register the product and
includes information about other tasks performed with a FortiCare/FortiCloud account.
• FortiCare and FortiGate Cloud login on page 90
• FortiCare Register button on page 93
• Transfer a device to another FortiCloud account on page 94
• Deregistering a FortiGate on page 96

FortiCare and FortiGate Cloud login

With FortiCloud, FortiOS supports a unified login to FortiCare and FortiGate Cloud. The FortiGate Cloud setup is a
subset of the FortiCare setup.
• If the FortiGate is not registered, activating FortiGate Cloud will force you to register with FortiCare.
• If a FortiGate is registered in FortiCare using a FortiCloud account, then only that FortiCloud account can be used to
activate FortiGate Cloud.
• If a different FortiCloud account was already used to activate FortiGate Cloud, then a notification asking you to
migrate to FortiCloud is shown in the GUI after upgrading FortiOS.
The CLI can be used to activate FortiGate Cloud without registration, or with a different FortiCloud account.

To activate FortiGate Cloud and register with FortiCare at the same time:

1. Go to Dashboard > Status.


2. In the FortiGate Cloud widget, click Not Activated > Activate.
You must register with FortiCare before activating FortiGate Cloud.

3. Enter your FortiCare Email address and Password.


4. Select your Country/Region, Reseller, and End-user type.
5. Enable Sign in to FortiGate Cloud using the same account.
6. Click OK.

To activate FortiGate Cloud on an already registered FortiGate:

1. Go to Dashboard > Status.


2. In the FortiGate Cloud widget, click Not Activated > Activate.

3. Enter the password for the account that was used to register the FortiGate.

4. Click OK.
The FortiGate Cloud widget now shows the activated FortiCloud account.

To migrate from the activated FortiGate Cloud account to the registered FortiCloud account:

1. Go to System > FortiGuard.


2. In the FortiCare Support row, click Actions > Transfer FortiGate to Another Account.

3. Enter the Password of the current FortiCloud account.

4. Enter the target FortiCloud Account name and Password, then click Next.
5. Review the information in the From and To fields, then click Transfer.

To activate FortiGate Cloud using an account that is not used for registration:

1. Enter the following with the credentials for the account being used to activate FortiGate Cloud:
# execute fortiguard-log login <account_id> <password>

2. Check the account type:


# diagnose fdsm contract-controller-update
Protocol=2.0|Response=202|Firmware=FAZ-4K-FW-2.50-100|SerialNumber=FAMS000000000000|Persistent=false|ResponseItem=HomeServer:172.16.95.151:443*AlterServer:172.16.95.151:443*Contract:20200408*NextRequest:86400*UploadConfig:False*ManagementMode:Local*ManagementID:737941253*AccountType:multitenancy

Result=Success

A FortiCloud account that is not used for the support portal account cannot be used to register
FortiGate. Attempting to activate FortiGate Cloud with this type of account will fail.
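
The account type is reported inside the ResponseItem field of that output. The following Python parser is an added example, not part of this guide or of FortiOS: it splits the '|'- and '*'-delimited fields (the embedded sample is constructed from the output above) so the account-type check can be scripted instead of read by eye.

```python
from typing import Any, Dict

# Constructed sample: the `diagnose fdsm contract-controller-update` output shown above,
# with the PDF line wrapping undone (the device prints the fields on one line).
SAMPLE_OUTPUT = (
    "Protocol=2.0|Response=202|Firmware=FAZ-4K-FW-2.50-100|SerialNumber=FAMS000000000000|"
    "Persistent=false|ResponseItem=HomeServer:172.16.95.151:443*AlterServer:172.16.95.151:443"
    "*Contract:20200408*NextRequest:86400*UploadConfig:False*ManagementMode:Local"
    "*ManagementID:737941253*AccountType:multitenancy\n"
    "\n"
    "Result=Success\n"
)


def parse_fdsm_output(text: str) -> Dict[str, Any]:
    """Split the '|'-separated key=value fields. ResponseItem is itself a '*'-separated
    list of key:value items; only the first ':' separates key from value, so host:port
    values such as HomeServer:172.16.95.151:443 survive intact."""
    fields: Dict[str, Any] = {}
    for line in text.splitlines():
        for pair in line.strip().split("|"):
            if "=" not in pair:
                continue  # blank lines and anything that is not key=value
            key, value = pair.split("=", 1)
            if key == "ResponseItem":
                items: Dict[str, str] = {}
                for item in value.split("*"):
                    k, _, v = item.partition(":")
                    items[k] = v
                fields[key] = items
            else:
                fields[key] = value
    return fields


def account_type(text: str) -> str:
    """Return the AccountType the contract controller reported, or raise if the query failed."""
    parsed = parse_fdsm_output(text)
    if parsed.get("Result") != "Success":
        raise ValueError(f"contract controller query failed: Result={parsed.get('Result')!r}")
    items = parsed.get("ResponseItem", {})
    if "AccountType" not in items:
        raise ValueError("no AccountType in ResponseItem")
    return items["AccountType"]


if __name__ == "__main__":
    print("AccountType:", account_type(SAMPLE_OUTPUT))
```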

FortiCare Register button

The FortiCare Register button is displayed in the GUI on various Fabric and device related pages and widgets.
• To access the Register button on a topology page, click on or hover over the FortiGate device.
• To access the button from the System > Firmware & Registration or System > HA page, right-click on the device
name.

The Register button is also accessible from tooltips for devices on the Managed FortiAPs and
Managed FortiSwitches pages.

Clicking Register opens the Device Registration pane. If a device is already registered, the pane still opens and displays
the device information.

Primary and secondary HA members can be registered to FortiCare at the same time from the primary unit by using the
Register button. The secondary unit will register through the HA proxy.
In this example, an HA member is registered from the Physical Topology page.

To register an HA member to FortiCare:

1. On the primary unit, go to Security Fabric > Physical Topology, or expand the Security Fabric widget on the Status
dashboard.
2. Hover over the HA member and click Register. The Device Registration pane opens.
3. Select the device and click Register.
4. Enter the required FortiCloud account information (password, country or region, reseller) and click Submit.
5. Once the registration is complete, click Close.

Transfer a device to another FortiCloud account

Master account users can transfer a device from one FortiCloud/FortiCare account to another. Users can transfer a
device up to three times within a twelve-month time period. If more transfers are required within the twelve-month time
period, contact Technical Support to request the transfer.

Requirements:

To transfer an account, you must:


• Have access to the FortiGate, as well as both the FortiCloud and FortiCare accounts.
• Be a master account user.
To verify if you are the master account user, log in to support.fortinet.com. Click the username, then select My
Account.

The Account Profile page opens.

To transfer an account in the GUI:

1. Go to Dashboard > Status.


2. In the Licenses widget, click the Support link, then click Transfer FortiGate to Another Account.

You can also transfer an account from System > FortiGuard.

3. In the Current FortiCloud Account fields, enter the username and password for the current account. In the Target
FortiCloud Account fields, enter the new username and password.
4. Click Next.

5. Review the information, then click Transfer.

After the transfer is complete, the new FortiCloud account is displayed in the Licenses widget.

Deregistering a FortiGate

Using the GUI or CLI, an administrator can deregister a FortiGate that has been registered for three or more years
without having to contact FortiCare administration. After the device is deregistered, all associated contracts are also
deregistered, and all of the administrator's information is wiped.

To deregister the FortiGate in the GUI:

1. Go to System > FortiGuard and in the FortiCare Support row select Actions > Deregister FortiGate.
The FortiCare Deregistration pane opens.

2. Enter your password then click Next.


3. Confirm the FortiGate deregistration then click Submit.

If the FortiGate has been registered for less than three years, the deregistration will fail.

To deregister the FortiGate in the CLI:

# diagnose forticare direct-registration product-deregister <accountID> <password>

If the FortiGate has been registered for less than three years, the deregistration will fail:
forticare_product_deregister:1335: Failed to get response (rc = 0, http_code = 403)
Unit deregistration unsuccessful.

FortiGate models

Not all FortiGates have the same features, and some models support low encryption. This section also describes typical
LEDs found on FortiGate models.
• Differences between models on page 98
• Low encryption models on page 98
• LEDs on page 98
• Proxy-related features not supported on FortiGate 2 GB RAM models on page 101

Differences between models

Not all FortiGates have the same features, particularly entry-level models (models 30 to 90). A number of features on
these models are only available in the CLI.

Consult your model's QuickStart Guide, hardware manual, or the Feature / Platform Matrix for
further information about features that vary by model.

FortiGate models differ principally by the names used and the features available:
• Naming conventions may vary between FortiGate models. For example, on some models the hardware switch
interface used for the local area network is called lan, while on other units it is called internal.
• Certain features are not available on all models. Additionally, a particular feature may be available only through the
CLI on some models, while that same feature may be viewed in the GUI on other models.
If you believe your FortiGate model supports a feature that does not appear in the GUI, go to System > Feature
Visibility and confirm that the feature is enabled. For more information, see Feature visibility on page 3093.

Low encryption models

Some FortiGate models support a low encryption (LENC) license. With an LENC license, FortiGate devices are
considered low encryption models and are identified by LENC, for example FG-100E-LENC.
LENC models cannot use or inspect high encryption protocols, such as 3DES and AES. LENC models only use 56-bit
DES encryption to work with SSL VPN and IPsec VPN, and they are unable to perform SSL inspection.
For a list of FortiGate models that support an LENC license, see FortiGate LENC Models.

LEDs

Check your device's QuickStart guide for specific LED information: FortiGate QuickStart
Guides.

The following faceplates show where the LEDs are typically found on FortiGate models:

LED                       State                     Description
Logo                      Green or Blue             The unit is on
                          Off                       The unit is off
Power (PWR)               Green                     The unit is on and/or both power supplies are functioning
                          Amber or Red              Only one power supply is functional
                          Flashing Amber or Red     Power failure
                          Off                       The unit is off
Status (STA)              Green                     Normal
                          Flashing Green            Booting up
                          Amber                     Major or minor alarm
                          Red                       Major alarm
                          Flashing Amber or Red     BLE is on
                          Off                       The unit is off
Bypass (BYP)              Amber                     Bypass Port Pair is active
                          Off                       Bypass Port Pair is off
Alarm                     Red                       Major alarm
                          Amber                     Minor alarm
                          Off                       No alarms
HA                        Green                     Operating in an HA cluster
                          Amber or Red              HA failover
                          Off                       HA disabled
Max PoE                   Green, Amber, or Red      Maximum PoE power allocated
                          Off                       PoE power available or normal
PoE                       Green                     Power delivered
                          Flashing Green            Error or PoE device requesting power
                          Off                       No PoE device connected or no power delivered
SVC                       Green                     SVC is on
                          Flashing Green            SVC activity
                          Off                       SVC is off
3G / 4G                   Green                     3G / 4G service is on
                          Flashing Green            3G / 4G activity
                          Off                       3G / 4G service is off
WiFi                      Green                     WiFi connected
                          Flashing Green            WiFi activity
                          Off                       WiFi is off
Power supplies and fans   See your device's QuickStart guide for power supply and fan LED information: FortiGate QuickStart Guides.

Port LEDs

LED                       State                     Description
Ethernet and SFP          Solid color               Connected
                          Flashing color            Transmitting and receiving data
                          Off                       No link established
PoE                       Green                     PoE power on or PoE device receiving power
                          Amber                     Providing power
                          Red                       Connected but not powered
                          Off                       PoE power off or no device receiving power

Alarm levels

Minor alarm

Also called an IPMI non-critical (NC) alarm, it indicates a temperature or power level outside of the normal operating
range that is not considered a problem. For a minor temperature alarm, the system could respond by increasing the fan
speed. A non-critical threshold can be an upper non-critical (UNC) threshold (for example, a high temperature or a high
power level) or a lower non-critical (LNC) threshold (for example, a low power level).

Major alarm

Also called an IPMI critical or critical recoverable (CR) alarm, it indicates that the system is unable to correct the cause of
the alarm, and that intervention is required. For example, the cooling system cannot provide enough cooling to reduce
the temperature. It can also mean that the conditions are approaching the outside limit of the allowed operating range. A
critical threshold can also be an upper critical (UC) threshold (such as a high temperature or high power level) or a lower
critical (LC) threshold (such as a low power level).

Critical alarm

Also called an IPMI non-recoverable (NR) alarm, it indicates that the system has detected a temperature or power level
that is outside of the allowed operating range and physical damage is possible.

Proxy-related features not supported on FortiGate 2 GB RAM models

As part of improvements to enhance performance and optimize memory usage on FortiGate models with 2 GB RAM or
less, starting from version 7.4.4, FortiOS no longer supports proxy-related features. This change impacts the
FortiGate/FortiWiFi 40F, 60E, 60F, 80E, and 90E series of devices and their variants, and FortiGate-Rugged 60F (2 GB
versions only).

FortiGate VMs are not affected by the size of the memory and will continue to support proxy-
related features after upgrading to FortiOS 7.4.4. However, it is recommended to have at least
4 GB of RAM for proper operation.

After upgrade to FortiOS 7.4.4 or later, the following proxy features are no longer supported on impacted devices:
• Zero Trust Network Access (ZTNA)
This includes all ZTNA objects and functionalities, including applying ZTNA tags in IP/MAC based access control.
For example, ztna-status can no longer be enabled, and ztna-ems-tag and ztna-geo-tag can no longer be
used.
• UTM profile with proxy-based inspection mode
• Firewall policy with proxy-based inspection mode
• Explicit and transparent proxies
• Layer 7 Virtual server types (HTTP/HTTPS/IMAPS/POP3S/SMTPS/SSL)
• Proxy-only UTM profiles:
    • Video Filter
    • Inline CASB
    • ICAP
    • Web application firewall (WAF)
    • SSH Filter
    • DNS filter profile for scanning DoT and DoH
• WAN optimization
To confirm whether your FortiGate model has 2 GB RAM or less, enter diagnose hardware sysinfo conserve in
the CLI. If the total RAM value is below 2000 MB (1000 MB = 1 GB), then your device has 2 GB RAM or less.

Upgrading from previous firmware versions

Before starting the upgrade from a firmware version that supports proxy-related features to FortiOS 7.4.4 or later that no
longer supports proxy-related features on FortiGate 2 GB RAM models, it is crucial that you carefully review the following
upgrade scenarios. The scenarios provide important information about the upgrade process and its potential impacts.
Please proceed with the upgrade only after you fully understand and are comfortable with the conditions and potential
outcomes outlined in these upgrade scenarios.

Previous version: Proxy-based inspection mode is enabled on a firewall policy.
Upon upgrade to FortiOS 7.4.4 or later: Inspection mode is converted to flow mode.

Previous version: Proxy-based inspection mode is enabled on a firewall policy with proxy-only UTM profiles, such as
WAF, applied.
Upon upgrade to FortiOS 7.4.4 or later: Inspection mode is converted to flow mode, and the proxy-only UTM profiles
are removed. Proxy-only UTM profiles are no longer supported.

Previous version: Proxy-related settings are configured on a security profile, such as Content Disarm on an AntiVirus
profile.
Upon upgrade to FortiOS 7.4.4 or later: The security profile is converted to flow-based, and the proxy-related setting
is no longer available.

Previous version: A proxy-only feature, such as ZTNA, explicit proxy, or WAN optimization, is enabled.
Upon upgrade to FortiOS 7.4.4 or later: The proxy-only configuration is removed.

Before initiating the firmware upgrade process, it is crucial to create a backup of the current
working configuration. This step ensures that you have a fallback option in case of any
unforeseen issues during the upgrade.
Once you have secured a backup, you can proceed with the upgrade process. After the
upgrade has been successfully completed, it is highly recommended to thoroughly review all
your policies.
This review process lets you confirm that all the policies that you expect to be in place are
present and will function as intended. Ensure any settings that are removed do not impact the
security of your firewall policy. See the Best Practices guide for more information.

Dashboards and Monitors

FortiOS includes predefined dashboards so administrators can easily monitor device inventory, security threats, traffic,
and network health. You can customize the appearance of a default dashboard to display data pertinent to your Security
Fabric or combine widgets to create custom dashboards. Many dashboards also allow you to switch views between
Fabric devices.
Each dashboard contains a set of widgets that allow you to view drilldown data and take actions to prevent threats. Use
widgets to perform tasks such as viewing device inventory, creating and deleting DHCP reservations, and disconnecting
dial-up users. You can add or remove widgets in a dashboard or save a widget as a standalone monitor.
Monitors display information in both text and visual format. Use monitors to change views, search for items, view
drilldown information, or perform actions such as quarantining an IP address. FortiView monitors for the top categories
are located below the dashboards. All of the available widgets can be added to the tree menu as a monitor.

Using dashboards

You can combine widgets to create custom dashboards. You can also use the dropdown in the tree menu to switch to
another device in the Security Fabric.

To create a new dashboard:

1. Under Dashboard, click the Add Dashboard button. The Add Dashboard window opens.

2. Enter a name in the Name field and click OK. The new dashboard opens.

To add a widget to a dashboard:

1. In the tree menu, select a dashboard.


2. In the banner, click Add Widget. The Add Dashboard Widget pane opens.
3. Click the Add button next to the widget. You can use the Search field to search for a widget. Enable Show More to
view more widgets in a category.
4. Configure the widget settings, then click Add Widget.
5. Click Close.
6. (Optional) Click and drag the widget to the desired location in the dashboard.

To edit a dashboard:

1. Click the Actions menu next to the dashboard and select Edit Dashboard.

2. Edit the dashboard and click OK.

To delete a dashboard:

1. Click the Actions menu next to the dashboard and select Delete Dashboard.

2. Click Delete Dashboard. The Confirm dialog opens.


3. Click OK.

You cannot delete the Status dashboard.

To switch to another device in the Security Fabric:

1. In the tree menu, click the device name and select a Fabric device from the dropdown.

Using widgets

You can convert a widget to a standalone monitor, change the view type, configure tables, and filter data.

To save a dashboard widget as a monitor:

1. Hover over the widget and click Expand to full screen.

Full screen mode is not supported in all widgets.

2. In the widget, click Save as Monitor. The Add Monitor window opens.

3. (Optional) Enter a new name for the monitor in the Name field.
4. Click OK.

To view the widget settings:

1. Click the menu dropdown at the right side of the widget and select Settings.

2. Configure the widget settings and click OK.

The settings will vary depending on the widget.

To configure a table in the widget:

1. Hover over the left side of the table header and click Configure Table.

2. Configure the table options:

Best Fit All Columns: Resizes all of the columns in a table to fit their content.
Reset Table: Resets the table to the default view.
Select Columns: Adds or removes columns from the view.

3. Click Apply.

To filter or configure a column in a table:

1. Hover over a column heading, and click Filter/Configure Column.

2. Configure the column options.

Resize to Contents: Resizes the column to fit the content.
Group by this Column: Groups the table rows by the contents in the selected column.

3. Click Apply.
4. To filter a column, enter a value in the Filter field, and click Apply.

Filtering is not supported in all widgets.

Widgets

Dashboards are created per VDOM when VDOM mode is enabled. For information about VDOM mode, see Virtual
Domains on page 2832.

Some dashboards and widgets are not available in Multi-VDOM mode.

The following table lists the available widgets in VDOM mode:

FortiView:
  • FortiView Application Bandwidth
  • FortiView Applications
  • FortiView Cloud Applications
  • FortiView Destination Interfaces
  • FortiView Destination Owners
  • FortiView Destinations
  • FortiView Policies
  • FortiView Proxy Destinations
  • FortiView Proxy Policies
  • FortiView Proxy Sessions
  • FortiView Proxy Sources
  • FortiView Sessions
  • FortiView Source Interfaces
  • FortiView Sources
  • FortiView VPN
  • FortiView Web Categories
  • FortiView Web Sites
  • FortiView ZTNA Servers
  • FortiView Countries/Regions
  • FortiView Destination Firewall Objects
  • FortiView Interface Pairs
  • FortiView Search Phrases
  • FortiView Servers
  • FortiView Source Firewall Objects
  • FortiView Sources - WAN
  • FortiView Traffic Shaping

Security Fabric:
  • FortiGate Cloud
  • Security Fabric Status

Network:
  • DHCP
  • DNS
  • Interface Bandwidth
  • IP Pool Utilization
  • IPsec
  • Load Balance
  • Routing
  • SD-WAN
  • SSL-VPN
  • Top IP Pools by Assigned IPs

  The Interface Bandwidth widget can monitor a maximum of 25 interfaces.

System:
  • Administrators
  • Botnet Activity
  • HA Status
  • License Status
  • System Information
  • Top System Events
  • Virtual Machine

Resource Usage:
  • CPU Usage
  • Disk Usage
  • Log Rate
  • Logs Sent
  • Memory Usage
  • Session Rate
  • Sessions

Security:
  • Advanced Threat Protection Statistics
  • Assets - Vulnerabilities
  • Compromised Hosts
  • FortiSandbox Files
  • Quarantine
  • Top Endpoint Vulnerabilities
  • Top Failed Authentication
  • Top Threats
  • Top Threats - WAN

User & Authentication:
  • Assets
  • Assets - FortiClient
  • Firewall Users
  • FortiGuard Quota
  • Identities
  • Matched NAC Devices
  • Top Admin Logins
  • Top Cloud Users

WiFi:
  • Channel Utilization
  • Clients By FortiAP
  • FortiAP Status
  • Historical Clients
  • Interfering SSIDs
  • Login Failures
  • Rogue APs
  • Signal Strength
  • Top WiFi Clients

Viewing device dashboards in the Security Fabric

Use the device dropdown to view the dashboards in downstream Fabric devices. You can also create dedicated device
dashboards or log in and configure Fabric devices.
To view the dashboards in Fabric devices, click the device dropdown at the left side of the page, and select a device from
the list.

The device dropdown is available in the Status, Security, Network, Assets & Identities, and
WiFi dashboards. You can also enable the dropdown when you create a dashboard.

To log in to or configure a Fabric device, hover over the device name until the device dialog opens and then select Login
or Configure.

Creating a fabric system and license dashboard

Create a dashboard summary page to monitor all the Fabric devices in a single view. You can use this dashboard to
monitor aspects of the devices such as system information, VPN and routing.

Example

The following image is an example of a Fabric System & License dashboard to monitor the System Information,
Licenses, and Memory usage for Branch_Office_01 and Branch_Office_02.

To create a system dashboard:

1. Click the Add Dashboard button. The Add Dashboard window opens.
2. In the Name field, enter a name such as Fabric System & Licenses, and click OK. The new dashboard appears.
3. In the banner, click Add Widget. The Add Dashboard Widget window opens. You can use the Search field to search for a specific widget (for example, License Status, System Information, and Memory Usage).
4. Click the Add button next to the widget. The Add Dashboard Widget window opens.
5. In the Fabric member area, select Specify and select a device in the Security Fabric.
6. Click Add Widget. The widget is added to the dashboard. Repeat this step for all the devices you want to view in the dashboard.
7. (Optional) Arrange the widgets in the dashboard by Fabric device.

Dashboards

A dashboard is a collection of widgets that show the status of your devices, network, and Security Fabric at a glance.
Widgets are condensed monitors that display a summary of the key details about your FortiGate pertaining to routing,
VPN, DHCP, devices, users, quarantine, and wireless connections.
The following dashboards are included in the dashboard templates:

Status (included in the Comprehensive and Optimal templates). Use these widgets to:
  • View the device serial number, licenses, and administrators
  • View the status of devices in the security fabric
  • Monitor CPU and Memory usage
  • Monitor IPv4 and IPv6 sessions
  • View VMs and Cloud devices

Security (included in the Optimal template). Use these widgets to:
  • View compromised hosts and host scan summary
  • View top threats and vulnerabilities

Network (included in the Optimal template). Use these widgets to:
  • Monitor DHCP clients
  • Monitor IPsec VPN connections
  • Monitor current routing table
  • Monitor SD-WAN status
  • Monitor SSL-VPN connections

Assets & Identities (included in the Optimal template). Use these widgets to:
  • View users and devices connected to the network
  • Identify threats from individual users and devices
  • View FortiGuard and FortiClient data
  • Monitor traffic bandwidth over time

WiFi (included in the Comprehensive and Optimal templates). Use these widgets to:
  • View FortiAP status, channel utilization, and clients
  • View login failures and signal strength
  • View the number of WiFi clients

Resetting the default dashboard template

You can use the GUI to change the default dashboard template. The Optimal template contains a set of popular default
dashboards and FortiView monitors. The Comprehensive template contains a set of default dashboards as well as all of
the FortiView monitors.

Resetting the default template will delete any custom dashboards and monitors, and reset the
widget settings.

To reset all dashboards:

1. Click the Actions menu next to Add Dashboard or Add Monitor and click Reset All Dashboards. The Dashboard
Setup window opens.

2. Select Optimal or Comprehensive and click OK.

Status dashboard

The Status dashboard provides an overview of your FortiGate device and the devices in your Security Fabric. If your
FortiGate is a virtual machine, information about the virtual machine is also displayed in the dashboard.

Updating system information

The System Information widget contains links to the Settings module where you can update the System Time, Uptime,
and WAN IP.
A notification will appear in the Firmware field when a new version of FortiOS is released. Click Update firmware in
System > Firmware & Registration to view the available versions and update FortiOS.

Viewing Fabric devices

The Security Fabric widget provides a visual overview of the devices connected to the Fabric and their connection
status. Hover over a device icon to view more information about the device.
Click a device in the Fabric to:
• View the device in the physical or logical topology
• Register, configure, deauthorize, or log in to the device
• Open Diagnostics and Tools
• View the FortiClient Monitor
These options will vary depending on the device.
Click Expand & Pin hidden content to view all the devices in the Fabric at once.

Viewing administrators

The Administrators widget displays the active administrators and their access interface. Click the username to view the
Active Administrator Sessions monitor. You can use the monitor to end an administrator's session.

If the GUI is using the default HTTPS certificate, a warning is shown where you can download the HTTPS CA certificate
or change the HTTPS server certificate.

Viewing logs sent for remote logging source

The Logs Sent widget displays a chart of the logs sent daily to the remote logging sources (FortiAnalyzer, FortiGate
Cloud, and FortiAnalyzer Cloud).

Resource widgets

The resource widgets show the current usage statistics for CPU, Memory, and Sessions.
Click the CPU monitor to show the per core CPU usage.

You can switch between IPv4, IPv6, or IPv4+IPv6 in the Sessions monitor.

Security dashboard

The widgets in the Security dashboard provide a snapshot of the current threats and vulnerabilities targeting your
Security Fabric.
The Security dashboard contains the following widgets:

Compromised Hosts by Verdict: Shows the session information for a compromised host. See Viewing session information for a compromised host on page 116.
Top Threats by Threat Level: Shows the top traffic sessions aggregated by threat. You can expand the widget to view drilldown information about the Threat, Threat Category, Threat Level, Threat Score and Sessions.
Assets - Vulnerabilities: Shows a summary of asset vulnerabilities.

Viewing session information for a compromised host

You can use the Compromised Hosts by Verdict widget to view the session information for a compromised host.

To view session information for a compromised host in the GUI:

1. Go to Dashboard > Security and expand the Compromised Hosts by Verdict widget.
2. Double-click a compromised host to view the session information.
3. Select a session, then click View session logs to view the session logs.

Network dashboard

The widgets in the Network dashboard show information related to networking for this FortiGate and other devices
connected to your Security Fabric. Use this dashboard to monitor the status of Routing, DHCP, SD-WAN, IPsec and SSL
VPN tunnels. All of the widgets in the Network dashboard can be expanded to full screen and saved as a monitor.
The Network dashboard contains the following widgets:

Static & Dynamic Routing: Shows the static and dynamic routes currently active in your routing table. The widget also includes policy routes, BGP neighbors and paths, and OSPF neighbors. See Static & Dynamic Routing monitor on page 117.
DHCP: Shows the addresses leased out by FortiGate's DHCP servers. See DHCP monitor on page 120.
SD-WAN: Shows a summary of the SD-WAN status, including ADVPN shortcut information.
IPsec: Shows the connection statuses of your IPsec VPN site to site and dial-up tunnels. See IPsec monitor on page 122.
SSL-VPN: Shows a summary of remote active users and the connection mode. See SSL-VPN monitor on page 124.
IP Pool Utilization: Shows IP pool utilization.

Static & Dynamic Routing monitor

The Static & Dynamic Routing monitor displays the routing table on the FortiGate, including all static and dynamic
routing protocols in IPv4 and IPv6. You can also use this monitor to view policy routes, BGP neighbors and paths, and
OSPF neighbors.

To view the routing monitor in the GUI:

1. Go to Dashboard > Network.
2. Hover over the Routing widget, and click Expand to Full Screen. The Routing monitor is displayed.
3. To view policy routes, click the monitors dropdown at the top of the page and select Policy.
4. To view neighbors and paths, click the monitors dropdown and select the required neighbor or path type. For example:
   • BGP Neighbors
   • BGP Paths
5. To filter a column:
   a. Hover over the column heading, and click the Filter/Configure Column icon.
   b. Configure the filter, then click Apply.
6. (Optional) Click the Save as Monitor button to save the widget as a monitor.

To look up a route in the GUI:

1. Click Route Lookup.
2. Enter an IP address in the Destination field.
3. Configure the remaining options as needed, then click OK. The matching route is highlighted on the Routing monitor.

To view the routing table in the CLI:

# get route info routing-table all

Sample output:

Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

Routing table for VRF=0
S*      0.0.0.0/0 [1/0] via 10.0.10.1, To-HQ-A
                  [1/0] via 10.0.12.1, To-HQ-MPLS
                  [1/0] via 10.10.11.1, To-HQ-B
                  [1/0] via 10.100.67.1, port1
                  [1/0] via 10.100.67.9, port2
C       10.0.10.0/24 is directly connected, To-HQ-A
C       10.0.10.2/32 is directly connected, To-HQ-A
C       10.0.11.0/24 is directly connected, To-HQ-B
C       10.0.11.2/32 is directly connected, To-HQ-B
C       10.0.12.0/24 is directly connected, To-HQ-MPLS
C       10.0.12.2/32 is directly connected, To-HQ-MPLS
C       10.1.0.0/24 is directly connected, port3
C       10.1.0.2/32 is directly connected, port3
C       10.1.0.3/32 is directly connected, port3
C       10.1.100.0/24 is directly connected, vsw.port6
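
The routing-table output above is easy to review by script once it has been collected over SSH or from a support bundle: every ECMP next hop of the default route can be extracted and checked against the interfaces the operator expects traffic to leave through. The following Python is an added example, not part of this guide or of any Fortinet tooling. The sample text is constructed to mirror the output shown above, the names parse_routing_table, unexpected_default_egress and count_by_code are this example's own, and the allow-list of planned egress interfaces is an assumption made for the demonstration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample, modelled on the routing-table output shown above (not copied from a device).
SAMPLE_ROUTING_TABLE = """\
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       * - candidate default

Routing table for VRF=0
S*      0.0.0.0/0 [1/0] via 10.0.10.1, To-HQ-A
                  [1/0] via 10.0.12.1, To-HQ-MPLS
                  [1/0] via 10.10.11.1, To-HQ-B
                  [1/0] via 10.100.67.1, port1
                  [1/0] via 10.100.67.9, port2
C       10.0.10.0/24 is directly connected, To-HQ-A
C       10.0.10.2/32 is directly connected, To-HQ-A
C       10.1.100.0/24 is directly connected, vsw.port6
"""

# A route line starts with a protocol code from the legend (optionally with a subtype such as
# "O E2"), an optional "*" candidate-default flag, the prefix, and the first next hop.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Za-z][A-Za-z0-9]?(?: [A-Za-z][A-Za-z0-9]?)?)(?P<star>\*?)\s+"
    r"(?P<prefix>\S+/\d+)\s*(?P<rest>.*)$"
)
METRIC_RE = re.compile(r"\[(?P<distance>\d+)/(?P<metric>\d+)\]")
VIA_RE = re.compile(r"via\s+(?P<gateway>\S+),\s*(?P<iface>\S+)")
CONNECTED_RE = re.compile(r"is directly connected,\s*(?P<iface>\S+)")
VRF_RE = re.compile(r"^Routing table for VRF=(?P<vrf>\d+)")


@dataclass
class Route:
    code: str                  # protocol code from the legend: S, C, B, O, ...
    candidate_default: bool    # the "*" flag
    prefix: str
    vrf: int = 0
    distance: Optional[int] = None
    metric: Optional[int] = None
    gateways: List[str] = field(default_factory=list)    # one entry per next hop (ECMP)
    interfaces: List[str] = field(default_factory=list)  # egress interface per next hop


def _add_next_hop(route: Route, text: str) -> None:
    """Attach the next hop (or the connected interface) described by `text` to `route`."""
    m = METRIC_RE.search(text)
    if m and route.distance is None:
        route.distance, route.metric = int(m.group("distance")), int(m.group("metric"))
    m = VIA_RE.search(text)
    if m:
        route.gateways.append(m.group("gateway"))
        route.interfaces.append(m.group("iface"))
        return
    m = CONNECTED_RE.search(text)
    if m:
        route.interfaces.append(m.group("iface"))


def parse_routing_table(text: str) -> List[Route]:
    """Parse routing-table output into Route records, keeping every ECMP next hop."""
    routes: List[Route] = []
    current: Optional[Route] = None
    vrf = 0
    for raw in text.splitlines():
        line = raw.strip()          # also copes with continuation lines that lost their indent
        if not line:
            continue
        m = VRF_RE.match(line)
        if m:
            vrf, current = int(m.group("vrf")), None
            continue
        m = ROUTE_RE.match(line)
        if m:
            current = Route(code=m.group("code"), candidate_default=bool(m.group("star")),
                            prefix=m.group("prefix"), vrf=vrf)
            routes.append(current)
            _add_next_hop(current, m.group("rest"))
        elif current is not None and line.startswith("["):
            _add_next_hop(current, line)   # additional next hop for the route above
    return routes


def default_route_interfaces(routes: List[Route]) -> List[str]:
    """Egress interfaces that carry a default route, one entry per ECMP next hop."""
    return [i for r in routes if r.prefix == "0.0.0.0/0" for i in r.interfaces]


def unexpected_default_egress(routes: List[Route], allowed: Set[str]) -> List[str]:
    """Default-route egress interfaces outside the allow-list (an unplanned path out of the network)."""
    return [i for i in default_route_interfaces(routes) if i not in allowed]


def count_by_code(routes: List[Route]) -> Dict[str, int]:
    """Number of routes per protocol code, e.g. {"S": 1, "C": 3}."""
    counts: Dict[str, int] = {}
    for r in routes:
        counts[r.code] = counts.get(r.code, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_routing_table(SAMPLE_ROUTING_TABLE)
    print(count_by_code(parsed))
    print("unexpected default egress:", unexpected_default_egress(parsed, {"To-HQ-A", "To-HQ-B", "To-HQ-MPLS"}))
```

Run against the sample, the parser yields one static default route with five next hops and three connected routes; with only the three HQ overlays on the allow-list, port1 and port2 are reported as unexpected default-route egress interfaces.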

To look up a firewall route in the CLI:

# diagnose firewall proute list

Sample output:
list route policy info(vf=root):

id=1(0x01) dscp_tag=0xfc 0xfc flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-0 iif=15(Branch-HQ-A) dport=0-65535 path(1) oif=15(Branch-HQ-A)
source wildcard(1): 0.0.0.0/0.0.0.0
destination wildcard(1): 0.0.0.0/0.0.0.0
hit_count=0 last_used=2023-05-10 13:04:05

id=2(0x02) dscp_tag=0xfc 0xfc flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-0 iif=16(Branch-HQ-B) dport=0-65535 path(1) oif=16(Branch-HQ-B)
source wildcard(1): 0.0.0.0/0.0.0.0
destination wildcard(1): 0.0.0.0/0.0.0.0
hit_count=0 last_used=2023-05-10 13:04:05

id=3(0x03) dscp_tag=0xfc 0xfc flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-0 iif=17(HQ-MPLS) dport=0-65535 path(1) oif=17(HQ-MPLS)
source wildcard(1): 0.0.0.0/0.0.0.0
destination wildcard(1): 0.0.0.0/0.0.0.0
hit_count=0 last_used=2023-05-10 13:04:05

DHCP monitor

The DHCP monitor shows all the addresses leased out by FortiGate's DHCP servers. You can use the monitor to revoke
an address for a device, or create, edit, and delete address reservations.

To view the DHCP monitor:

1. Go to Dashboard > Network.


2. Hover over the DHCP widget, and click Expand to Full Screen.

To filter or configure a column in the table, hover over the column heading and click the
Filter/Configure Column button.

To revoke a lease:

1. Select a device in the table.
2. In the toolbar, click Revoke, or right-click the device, and click Revoke Lease(s). The Confirm page is displayed.
3. Click OK.

A confirmation window opens only if there is an associated address reservation. If there is no address, the lease will be
removed immediately upon clicking Revoke.

To create a DHCP reservation:

1. Select a server in the table.


2. In the toolbar, click Reservation > Create DHCP Reservation, or right-click the device and click Create DHCP
Reservation. The Create New DHCP Reservation page is displayed.
3. Configure the DHCP reservation settings.

4. Click OK.

To view top sources by bytes:

1. Right-click a device in the table and click Show in FortiView. The FortiView Sources by Bytes widget is displayed.

To view the DHCP lease list in the CLI:

# execute dhcp lease-list

IPsec monitor

The IPsec monitor displays all connected Site to Site VPN, Dial-up VPNs, and ADVPN shortcut tunnel information. You
can use the monitor to bring a phase 2 tunnel up or down or disconnect dial-up users. A notification appears in the
monitor when users have not enabled two-factor authentication.

To view the IPsec monitor in the GUI:

1. Go to Dashboard > Network.


2. Hover over the IPsec widget, and click Expand to Full Screen. A warning appears when an unauthenticated user is
detected.

To filter or configure a column in the table, hover over the column heading and click the
Filter/Configure Column button.

3. Hover over a record in the table. A tooltip displays the Phase 1 and Phase 2 interfaces. A warning appears next to a
user who has not enabled two-factor authentication.

To reset statistics:

1. Select a tunnel in the table.


2. In the toolbar, click Reset Statistics or right-click the tunnel, and click Reset Statistics. The Confirm dialog is
displayed.
3. Click OK.

To bring a tunnel up:

1. Select a tunnel in the table.


2. Click Bring Up, or right-click the tunnel, and click Bring Up. The Confirm dialog is displayed.
3. Click OK.

To bring a tunnel down:

1. Select a tunnel in the table.
2. Click Bring Down, or right-click the tunnel, and click Bring Down. The Confirm dialog is displayed.
3. Click OK.

To locate a tunnel on the VPN Map:

1. Select a tunnel in the table.


2. Click Locate on VPN Map, or right-click the tunnel, and click Locate on VPN Map. The VPN Location Map is
displayed.

To view the IPsec monitor in the CLI:

# diagnose vpn tunnel list

Sample output:
list all ipsec tunnel in vd 0
------------------------------------------------------
name=Branch-HQ-B_1 ver=2 serial=8 10.100.65.101:0->10.100.67.13:0 tun_id=10.0.11.2 tun_id6=::10.0.0.8 dst_mtu=1500 dpd-link=on weight=1
bound_if=7 lgwy=static/1 tun=intf mode=dial_inst/3 encap=none/74408 options[122a8]=npu rgwy-chg frag-rfc run_state=0 role=primary accept_traffic=1 overlay_id=0

parent=Branch-HQ-B index=1
proxyid_num=1 child_num=0 refcnt=5 ilast=0 olast=0 ad=s/1
stat: rxp=1000472 txp=869913 rxb=184682116 txb=40548952
dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=1
natt: mode=none draft=0 interval=0 remote_port=0
fec: egress=0 ingress=0
proxyid=Branch-HQ-B proto=0 sa=1 ref=6 serial=1 ads
  src: 0:0.0.0.0-255.255.255.255:0
  dst: 0:0.0.0.0-255.255.255.255:0
  SA: ref=3 options=20a03 type=00 soft=0 mtu=1438 expire=414/0B replaywin=2048
      seqno=1bcc esn=0 replaywin_lastseq=0000201a qat=0 rekey=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=1790/1800
  dec: spi=b4d54183 esp=aes key=16 6735d235de02f37d26809c0e8be44bbf
       ah=sha1 key=20 17261a0387d9c9a33a00a47bcf260fc59150535e
  enc: spi=28572715 esp=aes key=16 48b8a72ae69eee58699b43692ce1ccf1
       ah=sha1 key=20 3e7a219f4da33c785302ae7b935a6c15c4cc2a2a
  dec:pkts/bytes=16434/3317744, enc:pkts/bytes=14230/1299224
npu_flag=00 npu_rgwy=10.100.67.13 npu_lgwy=10.100.65.101 npu_selid=3 dec_npuid=0 enc_npuid=0
------------------------------------------------------
name=Branch-HQ-A ver=2 serial=1 10.100.64.101:0->0.0.0.0:0 tun_id=10.0.0.1 tun_id6=::10.0.0.1 dst_mtu=0 dpd-link=on weight=1
bound_if=3 lgwy=static/1 tun=intf mode=dialup/2 encap=none/552 options[0228]=npu frag-rfc role=primary accept_traffic=1 overlay_id=0

proxyid_num=0 child_num=2 refcnt=4 ilast=43124593 olast=43124593 ad=/0
stat: rxp=1860386 txp=1598633 rxb=215561858 txb=71724716
dpd: mode=on-idle on=0 idle=60000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
fec: egress=0 ingress=0
run_tally=0
------------------------------------------------------
name=Branch-HQ-B ver=2 serial=2 10.100.65.101:0->0.0.0.0:0 tun_id=10.0.0.2 tun_id6=::10.0.0.2 dst_mtu=0 dpd-link=on weight=1
...
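
Two things stand out in the tunnel listing above for anyone handling it operationally: each record mixes header fields with nested proxyid and SA details, and the dec:/enc: lines print the live SA key material, which should not travel into a ticket or chat. The following Python is an added example, not part of this guide or of Fortinet's tooling. It splits the output into per-tunnel records, treats proxyid_num as the number of configured phase 2 selectors and each "SA:" row as one installed SA (an interpretation of the fields as they appear above, not something the guide states), reports tunnels that are configured but have no SA, and redacts the key hex before the text is shared. The sample output is constructed after the listing above with filler key material, the third record (Branch-HQ-C) is invented to exercise the "no SA" case, and the function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample modelled on the "diagnose vpn tunnel list" output above. The SA key
# material is filler (repeated digits), not real keys; Branch-HQ-C is an invented third record.
SAMPLE_TUNNEL_LIST = """\
list all ipsec tunnel in vd 0
------------------------------------------------------
name=Branch-HQ-B_1 ver=2 serial=8 10.100.65.101:0->10.100.67.13:0 tun_id=10.0.11.2 dst_mtu=1500 dpd-link=on weight=1
bound_if=7 lgwy=static/1 tun=intf mode=dial_inst/3 encap=none/74408 options[122a8]=npu rgwy-chg frag-rfc run_state=0 role=primary accept_traffic=1 overlay_id=0

parent=Branch-HQ-B index=1
proxyid_num=1 child_num=0 refcnt=5 ilast=0 olast=0 ad=s/1
stat: rxp=1000472 txp=869913 rxb=184682116 txb=40548952
dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=1
proxyid=Branch-HQ-B proto=0 sa=1 ref=6 serial=1 ads
  SA: ref=3 options=20a03 type=00 soft=0 mtu=1438 expire=414/0B replaywin=2048
  dec: spi=b4d54183 esp=aes key=16 00000000000000000000000000000000
       ah=sha1 key=20 1111111111111111111111111111111111111111
  enc: spi=28572715 esp=aes key=16 22222222222222222222222222222222
       ah=sha1 key=20 3333333333333333333333333333333333333333
------------------------------------------------------
name=Branch-HQ-A ver=2 serial=1 10.100.64.101:0->0.0.0.0:0 tun_id=10.0.0.1 dst_mtu=0 dpd-link=on weight=1
bound_if=3 lgwy=static/1 tun=intf mode=dialup/2 encap=none/552 options[0228]=npu frag-rfc role=primary accept_traffic=1 overlay_id=0

proxyid_num=0 child_num=2 refcnt=4 ilast=43124593 olast=43124593 ad=/0
stat: rxp=1860386 txp=1598633 rxb=215561858 txb=71724716
dpd: mode=on-idle on=0 idle=60000ms retry=3 count=0 seqno=0
------------------------------------------------------
name=Branch-HQ-C ver=2 serial=3 10.100.66.101:0->10.100.67.20:0 tun_id=10.0.0.3 dst_mtu=1500 dpd-link=on weight=1
bound_if=8 lgwy=static/1 tun=intf mode=auto/1 encap=none/0 options[0228]=npu frag-rfc role=primary accept_traffic=1 overlay_id=0

proxyid_num=1 child_num=0 refcnt=3 ilast=120 olast=120 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=0 idle=60000ms retry=3 count=0 seqno=0
proxyid=Branch-HQ-C proto=0 sa=0 ref=1 serial=1
"""

KV_RE = re.compile(r"(\w[\w-]*)=(\S+)")                       # key=value tokens
ENDPOINTS_RE = re.compile(r"(\d[\d.]*):\d+->(\d[\d.]*):\d+")  # local:port->remote:port
KEY_RE = re.compile(r"\bkey=(\d+)\s+[0-9a-fA-F]+")            # "key=<len> <hex>" on dec:/enc: rows


@dataclass
class Tunnel:
    name: str
    mode: str               # dialup (server side), dial_inst (per-peer instance), auto, ...
    local_gw: str
    remote_gw: str
    parent: Optional[str]   # set on dial-up instances
    phase2_count: int       # proxyid_num, read here as configured phase 2 selectors
    child_count: int        # child_num, instances spawned from a dial-up tunnel
    sa_count: int           # number of "SA:" rows, read here as installed SAs
    dpd_active: bool        # dpd: on=1
    rx_packets: int
    tx_packets: int


def _parse_record(lines: List[str]) -> Optional[Tunnel]:
    """Turn the lines between two separator rows into a Tunnel, or None for the header block."""
    kv: Dict[str, str] = {}
    sa_count = 0
    local = remote = ""
    for line in lines:
        s = line.strip()
        if s.startswith("SA:"):
            sa_count += 1
        m = ENDPOINTS_RE.search(s)
        if m and not local:
            local, remote = m.group(1), m.group(2)
        for k, v in KV_RE.findall(s):
            kv.setdefault(k, v)     # first occurrence wins: the header's mode= beats dpd's mode=
    if "name" not in kv:
        return None
    return Tunnel(name=kv["name"], mode=kv.get("mode", "").split("/")[0],
                  local_gw=local, remote_gw=remote, parent=kv.get("parent"),
                  phase2_count=int(kv.get("proxyid_num", 0)), child_count=int(kv.get("child_num", 0)),
                  sa_count=sa_count, dpd_active=kv.get("on") == "1",
                  rx_packets=int(kv.get("rxp", 0)), tx_packets=int(kv.get("txp", 0)))


def parse_tunnel_list(text: str) -> List[Tunnel]:
    """Split the listing on its dashed separator rows and parse each record."""
    tunnels: List[Tunnel] = []
    record: List[str] = []
    for line in text.splitlines() + ["----"]:   # sentinel flushes the final record
        if line.startswith("----"):
            t = _parse_record(record)
            if t:
                tunnels.append(t)
            record = []
        else:
            record.append(line)
    return tunnels


def tunnels_without_sa(tunnels: List[Tunnel]) -> List[str]:
    """Tunnels with phase 2 selectors configured but no SA installed: configured, not established."""
    return [t.name for t in tunnels if t.phase2_count > 0 and t.sa_count == 0]


def redact_sa_keys(text: str) -> str:
    """Blank the hex key material after 'key=<len>' so the listing can be shared safely."""
    return KEY_RE.sub(r"key=\1 <redacted>", text)
```

On the sample, Branch-HQ-B_1 parses as an established dial-up instance (one selector, one SA, DPD active), Branch-HQ-A as the dial-up parent with two children and nothing to establish itself, and Branch-HQ-C as the one tunnel that is configured but has no SA; redact_sa_keys leaves every other field untouched.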

SSL-VPN monitor

The SSL-VPN monitor displays remote user logins and active connections. You can use the monitor to disconnect a
specific connection. The monitor will notify you when VPN users have not enabled two-factor authentication.

To view the SSL-VPN monitor in the GUI:

1. Go to Dashboard > Network.
2. Hover over the SSL-VPN widget, and click Expand to Full Screen. The Duration and Connection Summary charts are
displayed at the top of the monitor.

To filter or configure a column in the table, hover over the column heading and click the
Filter/Configure Column button.

To disconnect a user:

1. Select a user in the table.


2. In the table, right-click the user, and click End Session. The Confirm window opens.
3. Click OK.

To monitor SSL-VPN users in the CLI:

# get vpn ssl monitor

Sample output:
SSL VPN Login Users:
Index User Group Auth Type Timeout From HTTP in/out HTTPS in/out
0 amitchell TAC 1(1) 296 10.100.64.101 3838502/11077721 0/0
1 mmiles Dev 1(1) 292 10.100.64.101 4302506/11167442 0/0

SSL VPN sessions:
Index User Group Source IP Duration I/O Bytes Tunnel/Dest IP

Assets & Identities

The Assets & Identities dashboard shows the current status of users and devices connected to your network. All of the
widgets can be expanded to view as a monitor. In monitor view, you can create firewall addresses, deauthenticate users,
add IP addresses, ban IP addresses, quarantine hosts, and perform other such tasks.
The Assets & Identities dashboard includes the following widgets:

Assets: Shows information from detected addresses, devices, and users on a single page. Information is grouped by device. For more information see Assets on page 125.
Identities: Shows information from detected addresses, devices, and users on a single page. Information is grouped by user.
Firewall Users: Monitor users that are logged into the network.
Quarantine: Monitor quarantined devices.
Matched NAC Devices: Monitor VLANs assigned to devices by FortiSwitch NAC policies.

See also Asset Identity Center page on page 3272.

Assets

You can enable device detection to allow FortiOS to monitor your networks and gather information about devices
operating on those networks, including:
• MAC address
• IP address
• Operating system
• Hostname
• Username
• Endpoint tags
• When FortiOS detected the device and on which interface
You can enable device detection separately on each interface in Network > Interfaces.
Device detection is intended for devices directly connected to your LAN and DMZ ports. The widget is only available
when your Interface Role is LAN, DMZ or Undefined. It is not available when the role is WAN.

To view the assets monitor:

1. Go to Dashboard > Assets & Identities.


2. Hover over the Assets widget, and click Expand to Full Screen. The Assets monitor opens.
If you are using the Comprehensive dashboard template, go to Device Inventory Monitor.

To filter or configure a column in the table, hover over the column heading, and click
Filter/Configure Column. See Assets and filtering on page 126.

Assets and filtering

The Assets widget contains a series of summary charts that provide an overview of the operating system, vulnerability
level, status, and interfaces. You can use these clickable charts to simplify filtering among your devices.

To view the device inventory and apply a filter:

1. Go to Dashboard > Assets & Identities.


2. Hover over the Assets widget, and click Expand to Full Screen. The Assets monitor opens.
If you are using the Comprehensive dashboard template, go to Device Inventory Monitor.
3. To filter a chart, click an item in the legend or chart area. The table displays the filter results.
4. To combine filters, hover over a column heading and click Filter/Configure Column.

5. Click the filter icon in the top-right corner of the chart to remove the filter.

Filter examples

To filter all offline devices:

1. In the Status chart, click Offline in the legend or on the chart itself.

To filter all devices discovered on port2:

1. In the Interfaces chart, click port2.

Adding MAC-based addresses to devices

Assets detected by device detection appear in the Assets widget. You can manage policies around devices by adding a
new device object (MAC-based address) to a device. Once you add the MAC-based address, the device can be used in
address groups or directly in policies.

To add a MAC-based address to a device:

1. Go to Dashboard > Assets & Identities.
2. Hover over the Assets widget, and click Expand to Full Screen. The Assets monitor opens.
   If you are using the Comprehensive dashboard template, go to Device Inventory Monitor.
3. Click a device, then click Firewall Address > Create Firewall IP Address. The New Address pane opens.
4. In the Name field, give the device a descriptive name so that it is easy to find it in the Device column.
5. Configure the MAC Address.
6. Click OK, then refresh the page. The MAC address icon appears in the Address column next to the device name.

Firewall Users monitor

The Firewall Users monitor displays all currently logged in firewall and proxy users. You can use the monitor to diagnose
user-related logons or to highlight and deauthenticate a user.

To view the firewall monitor:

1. Go to Dashboard > Assets & Identities.


2. Hover over the Firewall Users widget, and click Expand to Full Screen.
If you are using the Comprehensive dashboard template, go to Firewall User Monitor.
3. To show FSSO logons, click Show all FSSO Logons at the top right of the page.
4. To switch to the proxy user view, click Proxy (next to the search bar). Proxy user view shows users that
authenticated over ZTNA and explicit proxy.

To filter or configure a column in the table, hover over the column heading and click the
Filter/Configure Column button.

To deauthenticate a user in the GUI:

1. Go to Dashboard > Assets & Identities.


2. Hover over the Firewall Users widget, and click Expand to Full Screen.
3. (Optional) Use the Search field to search for a specific user.
4. In the toolbar, click Deauthenticate, or right-click the user, and click Deauthenticate. The Confirm dialog is
displayed.
5. Click OK.

To view and deauthenticate firewall users in the CLI:

# diagnose firewall auth list
# diagnose firewall auth filter <parameters>
# diagnose firewall auth clear

To view and deauthenticate proxy users in the CLI:

# diagnose wad user list
# diagnose wad user clear <ID> <IP|IPv6> <VDOM>

or

# diagnose wad user clear

WiFi dashboard

The WiFi dashboard provides an overview of your WiFi network's performance, including FortiAP status, channel
utilization, WiFi clients and associated information, login failures, and signal strength.
To access the WiFi dashboard, go to Dashboard > WiFi.

The WiFi dashboard can be customized per your requirements. To learn more about using and modifying dashboards
and widgets, see Dashboards and Monitors on page 103.
This section describes the following monitors available for the WiFi Dashboard:
• FortiAP Status monitor on page 130
• Clients by FortiAP monitor on page 132

FortiAP Status monitor

The FortiAP Status monitor displays the status and the channel utilization of the radios of FortiAP devices connected to a
FortiGate. It also provides access to tools to diagnose and analyze connected APs.

To view the FortiAP Status monitor:

1. Go to Dashboard > WiFi.


2. Hover over the FortiAP Status widget, and click Expand to Full Screen. The FortiAP Status monitor opens.
3. (Optional) Click Save as Monitor to save the widget as a monitor.

To view the Diagnostics and Tools menu:

1. Right-click an Access Point in the table, and click Diagnostics and Tools. The Diagnostics and Tools dialog opens.

2. To monitor and analyze the FortiAP device, click on the tabs in the Diagnostics and Tools dialog, such as Clients,
Spectrum Analysis, VLAN Probe, and so on.

The Diagnostics and Tools dialog is similar to the device dialog from WiFi & Switch Controller > Managed FortiAPs. To
learn more about the various tabs and their functions, see Spectrum analysis of FortiAP E models, VLAN probe report,
and Standardize wireless health metrics.

Clients by FortiAP monitor

The Clients by FortiAP monitor allows you to view detailed information about the health of individual WiFi connections in
the network. It also provides access to tools to diagnose and analyze connected wireless devices.

To view the Clients by FortiAP monitor:

1. Go to Dashboard > WiFi.


2. Hover over the Clients by FortiAP widget, and click Expand to Full Screen. The Clients by FortiAP monitor opens.
3. (Optional) Click Save as Monitor to save the widget as a monitor.

To view the summary page for a wireless client:

1. Right-click a client in the table and select Diagnostics and Tools. The Diagnostics and Tools - <device> page is
displayed.
2. (Optional) Click Quarantine to quarantine the client.
3. (Optional) Click Disassociate to disassociate the client.

Health status

The Status section displays the overall health for the wireless connection. The overall health of the connection is:
• Good if the value range for all three conditions is Good
• Fair or Poor if one of the three conditions is Fair or Poor, respectively

Signal Strength:
  • Good > -56dBm
  • -56dBm > Fair > -75dBm
  • Poor < -75dBm

Signal Strength/Noise:
  • Good > 39dBm
  • 20dBm < Fair < 39dBm
  • Poor < 20dBm

Band:
  • Good = 5G band
  • Fair = 2.4G band
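
Applying the same rating outside the GUI, for example to client data pulled from the FortiGate REST API or a log export, means encoding the three conditions above and combining them the same way. The function below is an added example, not part of this guide; it uses the thresholds from the table, takes the worst of the three ratings as the overall health, and treats an exact boundary value (-56, -75, 39 and 20) as the lower grade because the table does not say how a boundary is rated. That boundary treatment, the sample clients and the function names are assumptions of this example.

```python
from enum import IntEnum
from typing import Dict, Iterable, List


class Health(IntEnum):
    """Ordered so that max() over several ratings returns the worst one."""
    GOOD = 0
    FAIR = 1
    POOR = 2


def rate_signal_strength(rssi_dbm: float) -> Health:
    """Good > -56 dBm, Fair between -56 and -75 dBm, Poor < -75 dBm (table above).
    Assumption: an exact boundary value (-56, -75) gets the lower grade."""
    if rssi_dbm > -56:
        return Health.GOOD
    if rssi_dbm > -75:
        return Health.FAIR
    return Health.POOR


def rate_snr(snr: float) -> Health:
    """Good > 39, Fair between 20 and 39, Poor < 20, with the same boundary assumption."""
    if snr > 39:
        return Health.GOOD
    if snr > 20:
        return Health.FAIR
    return Health.POOR


def rate_band(band: str) -> Health:
    """5G band is Good, 2.4G band is Fair; any other label is rejected rather than guessed."""
    normalized = band.strip().lower().replace(" ", "").replace("hz", "")
    if normalized in ("5g", "5"):
        return Health.GOOD
    if normalized in ("2.4g", "2.4"):
        return Health.FAIR
    raise ValueError(f"band not covered by the health table: {band!r}")


def overall_health(rssi_dbm: float, snr: float, band: str) -> Health:
    """Good only if all three conditions are Good; otherwise the worst single condition decides."""
    return max(rate_signal_strength(rssi_dbm), rate_snr(snr), rate_band(band))


def clients_needing_attention(clients: Iterable[Dict]) -> List[str]:
    """Identifiers of clients whose overall health is Poor, in input order."""
    return [c["id"] for c in clients
            if overall_health(c["rssi_dbm"], c["snr"], c["band"]) is Health.POOR]


# Constructed sample clients (not from the page); "id" would be a hostname or MAC in practice.
SAMPLE_CLIENTS = [
    {"id": "laptop-01", "rssi_dbm": -48, "snr": 45, "band": "5G"},
    {"id": "phone-07", "rssi_dbm": -62, "snr": 30, "band": "5G"},
    {"id": "printer-02", "rssi_dbm": -78, "snr": 18, "band": "2.4G"},
    {"id": "sensor-11", "rssi_dbm": -50, "snr": 42, "band": "2.4G"},
]

if __name__ == "__main__":
    for c in SAMPLE_CLIENTS:
        print(c["id"], overall_health(c["rssi_dbm"], c["snr"], c["band"]).name)
    print("needs attention:", clients_needing_attention(SAMPLE_CLIENTS))
```

With the sample clients, laptop-01 rates Good, phone-07 and sensor-11 rate Fair (weak signal and 2.4G band respectively), and only printer-02 rates Poor.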

The summary page also has the following FortiView tabs:
• Performance
• Applications
• Destinations
• Policies
• Logs

Monitors

FortiGate supports both FortiView and Non-FortiView monitors. FortiView monitors are driven by traffic information
captured from logs and real-time data. Non-FortiView monitors capture information from various real-time state tables on
the FortiGate.

Non-FortiView monitors

Non-FortiView monitors capture information on various state tables, such as the routes in the routing table, devices in
the device inventory, DHCP leases in the DHCP lease table, connected VPNs, clients logged into the wireless network,
and much more. These monitors are useful when troubleshooting the current state of the FortiGate, and to identify
whether certain objects are in the state table or not. For more information, see Dashboards on page 111.

FortiView monitors

FortiView is the FortiOS log view tool and comprehensive monitoring system for your network. FortiView integrates real-
time and historical data into a single view on your FortiGate. It can log and monitor network threats, keep track of
administration activities, and more.
Use FortiView monitors to investigate traffic activity such as user uploads and downloads, or videos watched on
YouTube. You can view the traffic on the whole network by user group or by individual. FortiView displays the
information in both text and visual format, giving you an overall picture of your network traffic activity so that you can
quickly decide on actionable items.
FortiView is integrated with many UTM functions. For example, you can quarantine an IP address directly in FortiView or
create custom devices and addresses from a FortiView entry.

The logging range and depth will depend on the FortiGate model.

The Optimal template contains a set of popular default dashboards and FortiView monitors. The Comprehensive
template contains a set of default dashboards as well as all of the FortiView monitors. See Dashboards on page 111.

Template        Monitors
Optimal         FortiView Sources, FortiView Destinations, FortiView Applications,
                FortiView Web Sites, FortiView Policies, FortiView Sessions
Comprehensive   FortiView Sources, FortiView Destinations, FortiView Applications,
                FortiView Web Sites, FortiView Threats, FortiView Compromised Hosts,
                FortiView Policies, FortiView Sessions, Device Inventory Monitor,
                Routing Monitor, DHCP Monitor, SD-WAN Monitor, FortiGuard Quota Monitor,
                IPsec Monitor, SSL-VPN Monitor, Firewall User Monitor, Quarantine Monitor,
                FortiClient Monitor, FortiAP Clients Monitor, Rogue APs Monitor

FortiView monitors

FortiView monitors are available in the tree menu under Dashboards. The menu contains several default monitors for the
top categories. Additional FortiView monitors are available as widgets that can be added to the dashboards. You can
also add FortiView monitors directly to the tree menu with the Add (+) button.

Core FortiView monitors

The following default monitors are available in the tree menu:


Dashboard               Usage
FortiView Sources       Displays Top Sources by traffic volume and drilldown by Source.
FortiView Destinations  Displays Top Destinations by traffic volume and drilldown by Destination.
FortiView Applications  Displays Top Applications by traffic volume and drilldown by Application.
FortiView Web Sites     Displays Top Websites by session count and drilldown by Domain.
FortiView Policies      Displays Top Policies by traffic volume and drilldown by Policy number.
FortiView Sessions      Displays Top Sessions by traffic source and can be used to end sessions.

Usage is based on default settings. The pages may be customized further and sorted by other fields.

You can quarantine a host and ban an IP from all of the core FortiView monitors.

Adding FortiView monitors

Non-core FortiView monitors are available in the Add monitor pane. You can add a FortiView widget to a dashboard or
the tree menu as a monitor.

To add a monitor to the tree menu:

1. In the tree menu, under the monitors section, click Add Monitor (+).
2. Click Add next to a monitor. You can use the Search field to search for a specific monitor.
3. In the FortiGate area, select All FortiGates or Specify to select a FortiGate device in the security fabric.
4. (Optional) In the Data Source area, select Specify and select a source device.
5. From the Time Period dropdown, select the time period. This option is not available in all monitors.
6. From the Sort By dropdown, select the sorting method.
7. Click Add Monitor. The monitor is added to the tree menu.

Monitors by category

Usage is based on the default settings. The monitors may be customized further and sorted by other fields.


LANDMARK

Widget                        Sort by                                         Usage
Applications                  Bytes/Sessions/Bandwidth/Packets                Displays top applications and drilldown by application.
Application Bandwidth         Bytes/Bandwidth                                 Displays bandwidth for top applications and drilldown by application.
Cloud Applications            Bytes/Sessions/Files(Up/Down)                   Displays top cloud applications and drilldown by application.
Cloud Users                   Bytes/Sessions/Files(Up/Down)                   Displays top cloud users and drilldown by cloud user.
Compromised Hosts             Verdict                                         Displays compromised hosts and drilldown by source.
Countries/Regions             Bytes/Sessions/Bandwidth/Packets                Displays top countries/regions and drilldown by countries/regions.
Destination Firewall Objects  Bytes/Sessions/Bandwidth/Packets                Displays top destination firewall objects and drilldown by destination objects.
Destination Owners            Bytes/Sessions/Bandwidth/Packets                Displays top destination owners and drilldown by destination.
Destinations                  Bytes/Sessions/Bandwidth/Packets                Displays top destinations and drilldown by destination.
Search Phrases                Count                                           Displays top search phrases and drilldown by search phrase.
Source Firewall Objects       Bytes/Sessions/Bandwidth/Packets                Displays top source firewall objects and drilldown by source object.
Sources                       Bytes/Sessions/Bandwidth/Packets                Displays top sources and drilldown by source.
Threats                       Threat level/Threat Score/Sessions              Displays top threats and drilldown by threat.
Traffic Shaping               Dropped Bytes/Bytes/Sessions/Bandwidth/Packets  Displays top traffic shaping and drilldown by shaper.
Web Categories                Bytes/Sessions/Bandwidth/Packets                Displays top web categories and drilldown by category.
Web Sites                     Bytes/Sessions/Bandwidth/Packets                Displays top web sites and drilldown by domain.
WiFi Clients                  Bytes/Sessions                                  Displays top WiFi clients and drilldown by source.


WAN

Widget      Sort by                             Usage
Servers     Bytes/Sessions/Bandwidth/Packets    Displays top servers and drilldown by server address.
Sources     Bytes/Sessions/Bandwidth/Packets    Displays top sources and drilldown by device.
Threats     Threat Level/Threat Score/Sessions  Displays top threats and drilldown by threat.

All Segments

Widget                       Sort by                                     Usage
Admin Logins                 Configuration Changes/Logins/Failed Logins  Displays top admin logins by username.
Destination Interfaces       Bytes/Sessions/Bandwidth/Packets            Displays top destination interfaces by destination interface.
Endpoint Vulnerabilities     Severity                                    Displays top endpoint vulnerabilities by vulnerability name.
Failed Authentication        Failed Attempts                             Displays top failed authentications by failed authentication source.
FortiSandbox Files           Submitted                                   Displays top FortiSandbox files by file name.
Interface Pairs              Bytes/Sessions/Bandwidth/Packets            Displays top interface pairs by source interface.
Policies                     Bytes/Sessions/Bandwidth/Packets            Displays top policies by policy.
Source Interfaces            Bytes/Sessions/Bandwidth/Packets            Displays top source interfaces by source interface.
System Events                Level/Events                                Displays top system events by event name.
VPN                          Connections/Bytes                           Displays top VPN connections by user.
Vulnerable Endpoint Devices  Detected Vulnerabilities                    Displays top vulnerable endpoint devices by device.

A maximum of 25 interfaces can be monitored at one time on a device.

Using the FortiView interface

Use the FortiView interface to customize the view and visualizations within a monitor to find the information you are
looking for. The tools in the top menu bar allow you to change the time display, refresh or customize the data source, and
filter the results. You can also right-click a table in the monitor to view drilldown information for an item.


Real-time and historical charts

Use the Time Display dropdown to select the time period to display on the current monitor. Time display options vary
depending on the monitor and can include real-time information (now) and historical information (1 hour, 24 hours, and 7
days).

Disk logging or remote logging must be enabled to view historical information.

You can create a custom time range by selecting an area in the table with your cursor.

The icon next to the time period identifies the data source (FortiGate, FortiAnalyzer, or FortiGate Cloud). Hover over its
icon to see a description of the chart, as well as links to the requirements.

Data source

FortiView gathers information from a variety of data sources. If no log disk or remote logging is configured, the
data is drawn from the FortiGate's session table, and the Time Period is set to Now.


Other data sources that can be configured are:
- FortiGate
- FortiAnalyzer
- FortiGate Cloud

When Data Source is set to Best Available Device, FortiAnalyzer is selected when available,
then FortiGate Cloud, and then FortiGate.

Drilldown information

Double-click or right-click an entry in a FortiView monitor and select Drill Down to Details to view additional details about
the selected traffic activity. Click the Back icon in the toolbar to return to the previous view.
You can group drilldown information into different drilldown views. For example, you can group the drilldown information
in the FortiView Destinations monitor by Sources, Applications, Threats, and Policies.

Select an entry, then click View session logs to view the session logs.


Graph
- The graph shows the bytes sent/received in the time frame. Real time does not include a chart.
- Users can customize the time frame by selecting a time period within the graph.

Summary of
- Shows information such as the user/avatar, avatar/source IP, bytes, and sessions total for the time period.
- Can quarantine the host (access layer quarantine) if it is behind a FortiSwitch or FortiAP.
- Can ban IP addresses, which adds the source IP address to the quarantine list.

Tabs
- Drilling down entries in any of these tabs (except the Sessions tab) takes you to the underlying traffic log in
  the Sessions tab.
- Applications shows a list of the applications attributed to the source IP. This can include applications scanned
  using Application Control in a firewall policy or unscanned applications. To include unscanned applications:
      config log gui-display
          set fortiview-unscanned-apps enable
      end
- Destinations shows destinations grouped by IP address/FQDN.
- Threats lists the threats caught by UTM profiles. This can be from antivirus, IPS, Web Filter, Application
  Control, etc.
- Web Sites contains the websites which were detected either with webfilter, or through FQDN in traffic logs.
- Web Categories groups entries into their categories as dictated by the Web Filter Database.
- Policies groups the entries into which policies they passed through or were blocked by.
- View session logs shows the underlying logs (historical) or sessions (real time). Drilldowns from other tabs end
  up showing the underlying log located in this tab.
- Search Phrases shows entries of search phrases on search engines captured by a Web Filter UTM profile, with deep
  inspection enabled in the firewall policy.
- More information can be shown in a tooltip while hovering over these entries.

To view matching logs or download a log, click the Security tab in the Log Details pane.


Enabling FortiView from devices

You can enable FortiView from an SSD disk, FortiAnalyzer, or FortiGate Cloud.

FortiView from disk

FortiView from disk is available on all FortiGates with an SSD disk.

Restrictions

Model                        Supported view
Entry-level models with SSD  Five minutes and one hour
Mid-range models with SSD    Up to 24 hours
High-end models with SSD     Up to seven days

To enable the seven days view:

config log setting
    set fortiview-weekly-data enable
end

Configuration

A firewall policy needs to be in place with traffic logging enabled. For optimal operation with FortiView, internal interface
roles should be clearly defined as LAN or DMZ, and internet-facing or external interface roles should be defined as WAN.

To configure logging to disk:

config log disk setting
    set status enable
end

To include sniffer traffic and local-deny traffic when using FortiView from disk:

config report setting
    set report-source forward-traffic sniffer-traffic local-deny-traffic
end


This feature is only supported through the CLI.

Troubleshooting

Use execute report flush-cache and execute report recreate-db to clear up any irregularities that may
be caused by upgrading or cache issues.

Traffic logs

To view traffic logs from disk:

1. Go to Log & Report, and select either the Forward Traffic, Local Traffic, Sniffer Traffic, or ZTNA Traffic views.
2. In the toolbar, select Disk for the log location dropdown.

FortiView from FortiAnalyzer

Connect FortiGate to a FortiAnalyzer to increase the functionality of FortiView. Adding a FortiAnalyzer is useful when
adding monitors such as the Compromised Hosts. FortiAnalyzer also allows you to view historical information for up to
seven days.

Requirements
- A FortiGate or FortiOS
- A compatible FortiAnalyzer (see Compatibility with FortiOS)

To configure logging to the FortiAnalyzer, see Configuring FortiAnalyzer on page 3197.

To enable FortiView from FortiAnalyzer:

1. Go to Dashboard > FortiView Sources.
2. Select a time range other than Now from the dropdown list to view historical data.
3. In the top menu, click the dropdown, and select Settings. The Edit Dashboard Widget dialog is displayed.
   a. In the Data Source area, click Specify.
   b. From the dropdown, select FortiAnalyzer, and click OK.

All the historical information now comes from the FortiAnalyzer.


When Data Source is set to Best Available Device, FortiAnalyzer is selected when
available, then FortiGate Cloud, and then FortiGate.

FortiView from FortiGate Cloud

This function requires a FortiGate that is registered and logged into a compatible FortiGate Cloud. When using FortiGate
Cloud, the Time Period can be set to up to 24 hours.
To configure logging to FortiGate Cloud, see Configuring cloud logging on page 3200.

To enable FortiView with log source as FortiGate Cloud:

1. Go to Dashboard > FortiView Sources.
2. In the top menu, click the dropdown, and select Settings. The Edit Dashboard Widget window opens.
   a. In the Data Source area, click Specify.
   b. From the dropdown, select FortiGate Cloud, then click OK.

You can select FortiGate Cloud as the data source for all available FortiView pages and
widgets.

FortiView sources

The FortiView Sources monitor displays top sources sorted by Bytes, Sessions or Threat Score. The information can be
displayed in real time or historical views. You can use the monitor to create or edit a firewall device address or IP address
definitions, quarantine hosts, and temporarily or permanently ban IPs.

To add a firewall device or IP address:

1. In the table, hover over the source or device MAC address. An information window opens.
2. Click Firewall Address > Create Firewall Device Address or Firewall Address > Create Firewall IP Address. The
   New Address pane opens.
3. Configure the address settings as needed, then click OK.


Use the Name field to assign a descriptive name to a device so it is easier to find it in the
Device column. After you finish configuring the device, refresh the page to see the new
name in the monitor.

To quarantine a host:

1. In the table, hover over the source or device MAC address. An information window opens.
2. Click Quarantine > Quarantine Host. The Quarantine Host dialog is displayed.
3. Configure the quarantine settings, then click OK.

To ban an IP address:

1. In the table, hover over the source or device MAC address. An information window opens.
2. Click Quarantine > Ban IP. The Ban IP dialog is displayed.
3. Configure the ban IP settings, then click OK.

FortiView Sessions

The FortiView Sessions monitor displays Top Sessions by traffic source and can be used to end sessions.
To view the FortiView Sessions dashboard, go to Dashboard > FortiView Sessions.


The session table displayed on the FortiView Sessions monitor is useful when verifying open connections. For example,
if you have a web browser open to browse the Fortinet website, you would expect a session entry from your computer on
port 80 to the IP address for the Fortinet website. You can also use a session table to investigate why there are too many
sessions for FortiOS to process.
You can filter the sessions displayed in the session table by setting up the available filtering options.

To filter sessions in the session table:

1. Click the Add Filter button at the top of the session table.
2. Select the required filtering option. The session table updates to the filter selection.
3. You may add one or more filters depending upon your requirements. To add more filters, repeat the above steps for
   a different set of filters.


You can be very specific with how you use filters and target sessions based on different filter combinations. For example,
you may want to view all sessions from a device with a particular IP by adding the Source IP filter. Similarly, you may
need to target all the sessions having a particular Destination IP and Destination Port, and so on.
You may also view the session data in the CLI.

To view session data using the CLI:

# diagnose sys session list

The session table output in the CLI is very large. You can use the supported filters in the CLI to show only the data you
need.

To view session data with filters using the CLI:

# diagnose sys session filter <option>

See to learn more about using the supported filters in the CLI.
You may also decide to end a particular session or all sessions for administrative purposes.

To end sessions from the GUI:

1. Select the session you want to end. To select multiple sessions, hold the Ctrl or Shift key on your keyboard while
   clicking the sessions.
2. Click End Session(s) to end the selected sessions, or End All Sessions to end all active sessions.
3. Click OK in the confirmation dialog.

FortiView Top Source and Top Destination Firewall Objects monitors

The FortiView Source Firewall Objects and FortiView Destination Firewall Objects monitors leverage UUID to resolve
firewall object address names for improved usability.

Requirements

To have a historical Firewall Objects-based view, address objects' UUIDs need to be logged.

To enable address object UUID logging in the CLI:

config system global
    set log-uuid-address enable
end
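Whether the address object's UUID is present in the log is what decides whether a historical Firewall Objects view can name the object. As an added example, not from the guide or from Fortinet, this Python script parses constructed FortiOS-style traffic log lines and resolves the logged destination UUID against a constructed address-object table; the key=value layout and the field names dstuuid, sentbyte and rcvdbyte are assumptions about FortiOS log output, and the UUIDs are made up.

```python
"""Added example (not part of the FortiOS guide or Fortinet's code): show why
address-object UUIDs must be logged for a historical Firewall Objects view.

Assumptions, labelled because the guide does not spell them out:
- log lines use the key=value / key="quoted value" layout of FortiOS syslog
  output, with dstuuid carrying the destination address object's UUID when
  log-uuid-address is enabled, and sentbyte/rcvdbyte carrying byte counts;
- the UUID-to-name table below stands in for the FortiGate's address objects.
"""
import re
from collections import defaultdict
from typing import Optional

# key=value pairs; the value is either quoted (may contain spaces) or bare.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log_line(line: str) -> dict:
    """Parse one FortiOS-style key=value log line into a dict of strings."""
    # findall returns '' for the alternative that did not match, so pick the other.
    return {k: (quoted or bare) for k, quoted, bare in _KV.findall(line)}


def resolve_object(uuid: Optional[str], address_objects: dict) -> str:
    """Map a logged UUID to its address object name.

    A missing UUID (logging was disabled when the log was written) and an
    unknown UUID (the object was deleted since) are reported separately, so
    unresolved entries in the monitor can be explained."""
    if not uuid:
        return "<no UUID logged>"
    return address_objects.get(uuid, f"<unknown {uuid}>")


def bytes_by_destination_object(lines, address_objects) -> dict:
    """Aggregate total bytes per destination firewall object, which is what the
    FortiView Destination Firewall Objects monitor displays when sorted by Bytes."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_log_line(line)
        if rec.get("type") != "traffic":  # event/UTM logs carry no byte counts
            continue
        name = resolve_object(rec.get("dstuuid"), address_objects)
        totals[name] += int(rec.get("sentbyte", 0)) + int(rec.get("rcvdbyte", 0))
    return dict(totals)


# Constructed address-object table (UUIDs are made up, not from any FortiGate).
ADDRESS_OBJECTS = {
    "6b1d2f2a-0000-4000-8000-000000000001": "Web_Servers",
    "6b1d2f2a-0000-4000-8000-000000000002": "DB_Servers",
}

# Constructed log lines (not captured from a real device).
SAMPLE_LOGS = [
    'date=2024-11-19 time=10:00:01 type="traffic" subtype="forward" srcip=10.0.1.5 dstip=10.0.2.10 '
    'dstuuid="6b1d2f2a-0000-4000-8000-000000000001" sentbyte=1200 rcvdbyte=8800 action="accept"',
    'date=2024-11-19 time=10:00:05 type="traffic" subtype="forward" srcip=10.0.1.6 dstip=10.0.2.10 '
    'dstuuid="6b1d2f2a-0000-4000-8000-000000000001" sentbyte=300 rcvdbyte=700 action="accept"',
    'date=2024-11-19 time=10:00:09 type="traffic" subtype="forward" srcip=10.0.1.7 dstip=10.0.3.20 '
    'dstuuid="6b1d2f2a-0000-4000-8000-000000000002" sentbyte=500 rcvdbyte=500 action="accept"',
    # Written before log-uuid-address was enabled: no dstuuid field at all.
    'date=2024-11-19 time=09:59:58 type="traffic" subtype="forward" srcip=10.0.1.8 dstip=10.0.2.10 '
    'sentbyte=100 rcvdbyte=400 action="accept"',
    # Not a traffic log: ignored by the aggregation.
    'date=2024-11-19 time=10:00:10 type="event" subtype="system" logdesc="Admin login successful"',
]

if __name__ == "__main__":
    for name, total in sorted(bytes_by_destination_object(SAMPLE_LOGS, ADDRESS_OBJECTS).items()):
        print(f"{name:<20} {total} bytes")
```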


To add a firewall object monitor in the GUI:

1. Click Add Monitor. The Add Monitor window opens.
2. In the Search field, type Destination Firewall Objects and click the Add button next to the dashboard name.
3. In the FortiGate area, select the FortiGate(s) from the dropdown.
4. In the Data Source area, select Best Available Device or Specify. For information, see Using the FortiView interface
   on page 139.
5. From the Time Period dropdown, select the time period. Select Now for real-time information, or 1 hour, 24 hours,
   or 7 days for historical information.
6. From the Sort By dropdown, select Bytes, Sessions, Bandwidth, or Packets.
7. Click OK. The monitor is added to the tree menu.

To drill down Firewall Objects:

1. Open the FortiView Source Firewall Objects or FortiView Destination Firewall Objects monitor.
2. Select any source or destination object and click Drill down.
3. Click the tabs to sort the sessions.

4. Select an entry, then click View session logs to view the session logs.


Viewing top websites and sources by category

You can use FortiGuard web categories to populate the category fields in various FortiView monitors such as FortiView
Web Categories, FortiView Websites, or FortiView Sources. To view the categories in a monitor, the web filter profile
must use FortiGuard category based filtering with at least the monitor action for those categories, and the profile must
be applied to a firewall policy for outbound traffic.

To verify the web filter profile is monitor-only:

1. Go to Security Profiles > Web Filter.
2. Double-click a web filter that is applied to an outbound traffic firewall policy. The Edit Web Filter Profile window
   opens.
3. Ensure FortiGuard Category Based Filter is enabled.
   In this example, the General Interest - Business categories are monitor-only.

To create a Web categories monitor:

1. Click Add Monitor. The Add Monitor window opens.
2. In the Search field, type FortiView Web Categories and click the Add button next to the monitor name.
3. In the FortiGate area, select the FortiGate(s) from the dropdown.
4. In the Data Source area, click Best Available Device or Specify to select a device in the security fabric.
5. From the Time Period dropdown, select a time period greater than Now.


6. From the Sort By dropdown, select Browsing Time, Threat Score, Bytes, or Sessions.
7. Click OK. The widget is added to the tree menu.

Viewing the web filter category

The web filter category name appears in the Category column of the dashboard.

Drill down an entry in the table.

Click the Web Sites tab. The category name appears in the Category column.


Click View session logs to a view a list of the session logs. The category name appears in the Category column.

The category name also appears in the Category column in the FortiView Websites monitor and when drilling down in
the FortiView Sources monitor.

Cloud application view

To see different cloud application views, set up the following:
- A FortiGate with a firewall policy that uses the Application Control security profile.
- A FortiGate with log data from the local disk or FortiAnalyzer.
- Optional but highly recommended: SSL Inspection set to deep-inspection in the related firewall policies.

Viewing cloud applications

All cloud applications require SSL Inspection set to deep-inspection on the firewall policy. For example,
Facebook_File.Download can monitor Facebook download behavior, which requires SSL deep-inspection to parse the deep
information in the network packets.

To view cloud applications:

1. Go to Security Profiles > Application Control.
2. Select an Application Control profile that is used by the firewall policy and click Edit.


3. On the Edit Application Sensor page, click View Application Signatures.
4. Hover over a column heading or the Application Signature bar. On the right, click the filter icon to filter the
   applications.
   Cloud applications have a cloud icon next to them. The lock icon indicates that the application requires SSL deep
   inspection.
5. Hover over an item to see its details.
   This example shows Gmail_Attachment.Download, a cloud application signature based sensor which requires SSL
   deep inspection. If any local network user behind the firewall logs into Gmail and downloads a Gmail attachment,
   that activity is logged.

Applications with cloud behavior

Applications with cloud behavior are a superset of cloud applications.

Some applications do not require SSL deep inspection, such as Facebook, Gmail, and YouTube. This means that if any
traffic triggers the application sensors for these applications, there is a FortiView cloud application view for that traffic.
Other applications require SSL deep inspection, such as Gmail attachment, Facebook_Workplace, and so on.


To view applications with cloud behavior:

1. In the Application Signature page, ensure the Behavior column is displayed. If necessary, add the Behavior column.
a. Hover over the left side of the table column headings to display the Configure Table icon.
b. Click Configure Table and select Behavior.
c. Click Apply.

2. Click the filter icon in the Behavior column and select Cloud to filter by Cloud. Then click Apply.

3. The Application Signature page displays all applications with cloud behavior.

4. Use the Search box to search for applications. For example, you can search for youtube.


5. Hover over an item to see its details.


This example shows an application sensor with no lock icon which means that this application sensor does not
require SSL deep inspection. If any local network user behind the firewall tries to navigate to the YouTube website,
that activity is logged.

Configuring the Cloud Applications monitor

Go to Security Profiles > Application Control and edit a profile. On the Edit Application Sensor page in the Categories
section, the eye icon next to a category means that category is monitored and logged.


To add the Cloud Applications monitor in the GUI:

1. Click Add Monitor. The Add monitor window opens.
2. In the Search field, enter FortiView Cloud Applications and click the Add button next to the monitor.
3. In the FortiGate area, select the FortiGate(s) from the dropdown.
4. In the Data Source area, click Best Available Device or Specify to select a device in the security fabric.
5. From the Time Period dropdown, select a time period greater than Now.
6. From the Sort By dropdown, select Bytes, Sessions, Files (Up/Down), or Videos Played.
7. Click OK. The monitor is added to the tree menu.
8. Open the monitor. If SSL deep inspection is enabled in the related firewall policy, then the monitor shows the
   additional details that are logged, such as Files (Up/Down) and Videos Played.
   - For YouTube, the Videos Played column is triggered by the YouTube_Video.Play cloud application sensor.
     This shows the number of local network users who logged into YouTube and played YouTube videos.
   - For Dropbox, the Files (Up/Down) column is triggered by the Dropbox_File.Download and Dropbox_File.Upload
     cloud application sensors. This shows the number of local network users who logged into Dropbox and
     uploaded or downloaded files.


Using the Cloud Applications monitor

To see additional information in the Cloud Applications monitor:

1. In the tree menu, click the FortiView Cloud Applications monitor to open it.

2. For details about a specific entry, double-click the entry or right-click the entry and select Drill Down to Details.
3. To see all the sessions for an application, click Sessions.
In this example, the Application Name column shows all applications related to YouTube.

4. To view log details, double-click a session to display the Log Details pane.


Sessions monitored by SSL deep inspection (in this example, Youtube_Video.Play) captured deep information such
as Application User, Application Details, and so on. The Log Details pane also shows additional deep information
such as application ID, Message, and so on.
Sessions not monitored by SSL deep inspection (YouTube) did not capture the deep information.

5. To display a specific time period, select and drag in the timeline graph to display only the data for that time period.

Top application: YouTube example

Monitoring network traffic with SSL deep inspection

This example describes how to monitor network traffic for YouTube using FortiView Applications view with SSL deep
inspection.

To monitor network traffic with SSL deep inspection:

1. Create a firewall policy with the following settings:
   - Application Control is enabled.
   - SSL Inspection is set to deep-inspection.
   - Log Allowed Traffic is set to All Sessions.

2. Go to Security Profiles > Application Control.
3. Select a related Application Control profile used by the firewall policy and click Edit.
4. Because YouTube cloud applications are categorized into Video/Audio, ensure the Video/Audio category is
   monitored. Monitored categories are indicated by an eye icon.
5. Click View Application Signatures and hover over YouTube cloud applications to view detailed information about
   YouTube application sensors.
6. Expand YouTube to view the Application Signatures associated with the application.

Application Signature    Description                                                      Application ID
YouTube_Video.Access     An attempt to access a video on YouTube.                         16420
YouTube_Channel.ID       An attempt to access a video on a specific channel on YouTube.   44956
YouTube_Comment.Posting  An attempt to post comments on YouTube.                          31076
YouTube_HD.Streaming     An attempt to watch HD videos on YouTube.                        33104
YouTube_Messenger        An attempt to access messenger on YouTube.                       47858
YouTube_Video.Play       An attempt to download and play a video from YouTube.            38569
YouTube_Video.Upload     An attempt to upload a video to YouTube.                         22564
YouTube                  An attempt to access YouTube. This application sensor does not   31077
                         depend on SSL deep inspection so it does not have a cloud or
                         lock icon.
YouTube_Channel.Access   An attempt to access a video on a specific channel on YouTube.   41598

To view the application signature description, click the ID link in the information window.

7. On the test PC, log into YouTube and play some videos.


8. On the FortiGate, go to Log & Report > Security Events, select Application Control, and look for log entries for
browsing and playing YouTube videos.
In this example, note the Application User and Application Details. Also note that the Application Control ID is 38569
showing that this entry was triggered by the application sensor YouTube_Video.Play.

9. Go to Dashboard > FortiView Applications.
10. In the FortiView Applications monitor, double-click YouTube to view the drilldown information.
11. Click View session logs to see all the entries for the videos played. Check the sessions for YouTube_Video.Play
with the ID 38569.

Monitoring network traffic without SSL deep inspection

This example describes how to monitor network traffic for YouTube using FortiView cloud application view without SSL
deep inspection.

To monitor network traffic without SSL deep inspection:

1. Create a firewall policy with the following settings:
   - Application Control is enabled.
   - SSL Inspection is set to certificate-inspection.
   - Log Allowed Traffic is set to All Sessions.

2. On the test PC, log into YouTube and play some videos.


3. On the FortiGate, go to Log & Report > Security Events and look for log entries for browsing and playing YouTube
videos in the Application Control card.
In this example, the log shows only applications with the name YouTube. The log cannot show YouTube application
sensors which rely on SSL deep inspection.

4. Go to Dashboard > FortiView Applications.
   The FortiView Application by Bytes monitor shows the YouTube cloud application without the video played
   information that requires SSL deep inspection.
5. Double-click YouTube and click View session logs.
These sessions were triggered by the application signature YouTube with the ID 31077. This is the signature with
cloud behavior, which does not rely on SSL deep inspection.

Network

The following topics provide information about network settings:


l Interfaces on page 162
l DNS on page 272
l Explicit and transparent proxies on page 304
l SD-WAN on page 785
l DHCP servers and relays on page 400
l Static routing on page 421
l Dynamic routing on page 448
l Multicast on page 554
l FortiExtender on page 564
l Direct IP support for LTE/4G on page 567
l Cellular interface support for IPv6 on page 570
l Active SIM card switching on page 573
l Airplane mode and LTE/BLE on page 580
l Upgrade LTE modem firmware directly from FortiGuard on page 582
l LLDP reception on page 583
l Virtual routing and forwarding on page 586
l NetFlow on page 617
l sFlow on page 640
l Link monitor on page 646
l IPv6 on page 656
l FortiGate LAN extension on page 746
l SCTP packets with zero checksum on the NP7 platform on page 770
l Diagnostics on page 775

Interfaces

Physical and virtual interfaces allow traffic to flow between internal networks, and between the internet and internal
networks. FortiOS has options for configuring interfaces and groups of sub-networks that can scale as your organization
grows. The following table lists commonly used interface types.

Interface type Description

Physical A physical interface can be connected to with either Ethernet or optical cables.
Depending on the FortiGate model, there is a varying number of Ethernet or
optical physical interfaces. Some FortiGates have a grouping of interfaces labeled
as lan that have a built-in switch functionality.
See Physical interface on page 193 for more information.


Interface type Description

VLAN A virtual local area network (VLAN) logically divides a local area network (LAN)
into distinct broadcast domains using IEEE 802.1Q VLAN tags. A VLAN interface
supports VLAN tagging and is associated with a physical interface that can be
connected to a device, such as a switch or a router that supports these tags.
VLANs can be used on a FortiGate in NAT or transparent mode, and the FortiGate functions differently depending on
the operation mode.
See VLAN on page 194 for more information.

Aggregate An aggregate interface uses a link aggregation method to combine multiple
physical interfaces to increase throughput and to provide redundancy. FortiOS
supports a link aggregation (LAG) interface using the Link Aggregation Control
Protocol (LACP) based on IEEE 802.3ad/802.1ax.
See Aggregation and redundancy on page 208 for more information.

Redundant A redundant interface combines multiple physical interfaces where traffic only
uses one of the interfaces at a time. Its primary purpose is to provide redundancy.
This interface is typically used with a fully-meshed HA configuration.
See Aggregation and redundancy on page 208 for more information.

Loopback A loopback interface is a logical interface that is always up because it has no
physical link dependency, and the attached subnet is always present in the
routing table. It can be accessed through several physical or VLAN interfaces.
See Loopback interface on page 217 for more information.

Software switch A software switch is a virtual switch interface implemented in firmware that allows
member interfaces to be added to it. Devices connected to member interfaces
communicate on the same subnet, and packets are processed by the FortiGate’s
CPU. A software switch supports adding a wireless SSID as a member interface.
See Software switch on page 218 for more information.

Hardware switch A hardware switch is a virtual switch interface implemented at the hardware level
that allows member interfaces to be added to it. Devices connected to member
interfaces communicate on the same subnet. A hardware switch relies on specific
hardware to optimize processing and supports the Spanning Tree Protocol (STP).
See Hardware switch on page 220 for more information.

Zone A zone is a logical group containing one or more physical or virtual interfaces.
Grouping interfaces in zones can simplify firewall policy configurations.
See Zone on page 226 for more information.

Virtual wire pair A virtual wire pair (VWP) is an interface that acts like a virtual wire consisting of
two interfaces, with an interface at each end of the wire. No IP addressing is
configured on a VWP, and communication between the two interfaces is controlled
by firewall policies.
See Virtual wire pair on page 228 for more information.
See Virtual wire pair on page 228 for more information.

FortiExtender WAN extension A FortiExtender WAN extension is a managed interface that allows a connected
FortiExtender to provide WAN connectivity to the FortiGate.
See FortiExtender on page 564 for more information.


Interface type Description

FortiExtender LAN extension A FortiExtender LAN extension is a managed interface that allows a connected
FortiExtender to provide LAN connectivity to the FortiGate.
See FortiExtender on page 564 for more information.

Enhanced MAC VLAN An enhanced media access control (MAC) VLAN, or EMAC VLAN, interface
allows a physical interface to be virtually subdivided into multiple virtual interfaces
with different MAC addresses. In FortiOS, the EMAC VLAN functionality acts like
a bridge.
See Enhanced MAC VLAN on page 235 for more information.

VXLAN A Virtual Extensible LAN (VXLAN) interface encapsulates layer 2 Ethernet frames
within layer 3 IP packets and is used for cloud and data center networks.
See VXLAN on page 237 for more information.

Tunnel A tunnel virtual interface is used for interface-based IPsec or GRE tunnels and is
created when configuring IPsec VPN and GRE tunnels, respectively. The tunnel
interface can be configured with IP addresses on both sides of the tunnel, which is
a requirement when using a tunnel interface with a dynamic routing protocol.
See OSPF with IPsec VPN for network redundancy on page 2184, GRE over
IPsec on page 2081, and Cisco GRE-over-IPsec VPN on page 2111 for more
information.

WiFi SSID A WiFi SSID interface is used to control wireless network user access to a
wireless local radio on a FortiWiFi or to a wireless access point using a FortiAP.
The SSID is created using the WiFi & Switch Controller > SSIDs page, and it
appears in the Network > Interfaces page once it is created.
See Defining a wireless network interface (SSID) in the FortiWiFi and FortiAP
Configuration Guide for more information.

VDOM link A VDOM link allows VDOMs to communicate internally without using additional
physical interfaces.
See Inter-VDOM routing for more information.

Interface settings

Administrators can configure both physical and virtual FortiGate interfaces in Network > Interfaces. There are different
options for configuring interfaces when FortiGate is in NAT mode or transparent mode.
The available options will vary depending on feature visibility, licensing, device model, and other factors. The following
list is not comprehensive.

To configure an interface in the GUI:

1. Go to Network > Interfaces.


2. Click Create New > Interface.
3. Configure the interface fields:


Interface Name Physical interface names cannot be changed.

Alias Enter an alternate name for a physical interface on the FortiGate unit. This
field appears when you edit an existing physical interface. The alias does not
appear in logs.
The maximum length of the alias is 25 characters.

Type The configuration type for the interface, such as VLAN, Software Switch,
802.3ad Aggregate, and others.

Interface This field is available when Type is set to VLAN.


Select the name of the physical interface that you want to add a VLAN
interface to. Once created, the VLAN interface is listed below its physical
interface in the Interface list.
You cannot change the physical interface of a VLAN interface.

VLAN ID This field is available when Type is set to VLAN.


Enter the VLAN ID. The VLAN ID can be any number between 1 and 4094 and
must match the VLAN ID added by the IEEE 802.1Q-compliant router or
switch that is connected to the VLAN subinterface.
The VLAN ID can be edited after the interface is added.

VRF ID Virtual Routing and Forwarding (VRF) allows multiple routing table instances
to coexist on the same router. One or more interfaces can belong to a VRF, and
packets are only forwarded between interfaces with the same VRF.

Virtual Domain Select the virtual domain to add the interface to.
Only administrator accounts with the super_admin profile can change the
Virtual Domain.

Interface Members This section can have different formats depending on the Type.
Members can be selected for some interface types:
l Software Switch or Hardware Switch: Specify the physical and wireless
interfaces joined into the switch.
l 802.3ad Aggregate or Redundant Interface: This field includes the
available and selected interface lists.

Role Set the role for the interface. Different settings are shown or hidden
when editing an interface depending on the role:
l LAN: Used to connect to a local network of endpoints. This is the default role
for new interfaces.
l WAN: Used to connect to the internet. When WAN is selected, the
Estimated bandwidth setting is available, and the following settings are
not: DHCP server, Create address object matching subnet, Device
detection, Security mode, One-arm sniffer, Dedicate to extension/fortiap
modes, and Admission Control.
l DMZ: Used to connect to the DMZ. When selected, DHCP server and
Security mode are not available.
l Undefined: The interface has no specific role. When selected, Create
address object matching subnet is not available.


Estimated bandwidth The estimated WAN bandwidth.
The values can be entered manually, or saved from a speed test executed on
the interface. The values can be used in SD-WAN rules that use the Maximize
Bandwidth or Best Quality strategy.

Traffic mode This option is only available when Type is WiFi SSID.
l Tunnel: Tunnel to wireless controller
l Bridge: Local bridge with FortiAP's interface
l Mesh: Mesh downlink

Address

Addressing mode Select the addressing mode for the interface.
l Manual: Add an IP address and netmask for the interface. If IPv6
configuration is enabled, you can add both an IPv4 and an IPv6 address.
l DHCP: Get the interface IP address and other network settings from a
DHCP server.
l Auto-managed by IPAM: Assign subnets to prevent duplicate
IP addresses from overlapping within the same Security Fabric. See
Configure IPAM locally on the FortiGate on page 170.
l PPPoE: Get the interface IP address and other network settings from a
PPPoE server. This option is only available on entry-level FortiGate
models.
l One-Arm Sniffer: Set the interface as a sniffer port so it can be used to
detect attacks. See One-arm sniffer on page 180.

IP/Netmask If Addressing Mode is set to Manual, enter an IPv4 address and subnet mask
for the interface. FortiGate interfaces cannot have multiple IP addresses on
the same subnet.

IPv6 addressing mode Select the addressing mode for the interface:
l Manual: Add an IP address and netmask for the interface.
l DHCP: Get the interface IP address and other network settings from a
DHCP server.
l Delegated: Select an IPv6 upstream interface that has DHCPv6 prefix
delegation enabled, and enter an IPv6 subnet if needed. The interface will
get the IPv6 prefix from the upstream DHCPv6 server that is connected to
the IPv6 upstream interface, and form the IPv6 address with the subnet
configured on the interface.

IPv6 Address/Prefix If Addressing Mode is set to Manual and IPv6 support is enabled, enter an
IPv6 address and subnet mask for the interface. A single interface can have an
IPv4 address, IPv6 address, or both.

Auto configure IPv6 address Automatically configure an IPv6 address using Stateless Address Auto-
configuration (SLAAC).
This option is available when IPv6 addressing mode is set to Manual.

DHCPv6 prefix delegation Enable/disable DHCPv6 prefix delegation, which can be used to delegate IPv6
prefixes from an upstream DHCPv6 server to another interface or downstream
device.


When enabled, there is an option to enable a DHCPv6 prefix hint that helps the
DHCPv6 server provide the desired prefix.

Create address object matching subnet This option is available and automatically enabled when Role is set to LAN or
DMZ.
This creates an address object that matches the interface subnet and
dynamically updates the object when the IP/Netmask changes.
See Interface subnet on page 1484 for more information.

Secondary IP Address Add additional IPv4 addresses to this interface.

Administrative Access

IPv4 Administrative Access Select the types of administrative access permitted for IPv4 connections to this
interface. See Configure administrative access to interfaces on page 168.

IPv6 Administrative Access Select the types of administrative access permitted for IPv6 connections to this
interface. See Configure administrative access to interfaces on page 168.

DHCP Server Enable a DHCP server for the interface. See DHCP servers and relays on
page 400.

Stateless Address Auto-configuration (SLAAC) Enable to provide IPv6 addresses to connected devices using SLAAC.

DHCPv6 Server Select to enable a DHCPv6 server for the interface.
When enabled, you can configure DNS service settings: Delegated (delegate
the DNS received from the upstream server), Same as System DNS, or
Specify (up to four servers).
You can also enable Stateful server to configure the DHCPv6 server to be
stateful. Manually enter the IP range, or use Delegated mode to delegate IP
prefixes from an upstream DHCPv6 server connected to the upstream
interface.

Network

Device Detection Enable/disable passively gathering device identity information about the
devices on the network that are connected to this interface.

Security Mode Enable/disable captive portal authentication for this interface. After enabling
captive portal authentication, you can configure the authentication portal, user
and group access, custom portal messages, exempt sources and
destinations/services, and redirect after captive portal.

DSL Settings

Physical mode Set to ADSL or VDSL.

Transfer mode Set to PTM or ATM.
If the Transfer mode is set to ATM, the Virtual channel identification, Virtual
path identification, ATM protocol, and MUX type can be configured.

Traffic Shaping


Outbound shaping profile Enable/disable traffic shaping on the interface. This allows you to enforce
bandwidth limits on individual interfaces. See Interface-based traffic shaping
profile on page 1562 for more information.

Miscellaneous

Comments Enter a description of the interface of up to 255 characters.

Status Enable/disable the interface.
l Enabled: The interface is active and can accept network traffic.
l Disabled: The interface is not active and cannot accept traffic.

4. Click OK.

To configure an interface in the CLI:

config system interface
edit <name>
set vdom <VDOM_name>
set mode {static | dhcp | pppoe}
set ip <IP_address/netmask>
set security-mode {none | captive-portal | 802.1X}
set egress-shaping-profile <profile>
set device-identification {enable | disable}
set allowaccess {ping https ssh http snmp telnet fgfm radius-acct probe-response
fabric ftm}
set eap-supplicant {enable | disable}
set eap-method {peap | tls}
set eap-identity <identity>
set eap-password <password>
set eap-ca-cert <CA_cert>
set eap-user-cert <user_cert>
set secondary-IP enable
config secondaryip
edit 1
set ip 9.1.1.2 255.255.255.0
set allowaccess ping https ssh snmp http
next
end
next
end

Configure administrative access to interfaces

You can configure the protocols that administrators can use to access interfaces on the FortiGate. This helps secure
access to the FortiGate by restricting access to a limited number of protocols. It helps prevent users from accessing
interfaces that you don't want them to access, such as public-facing ports.
As a best practice, you should configure administrative access when you're setting the IP address for a port.

To configure administrative access to interfaces in the GUI:

1. Go to Network > Interfaces.


2. Create or edit an interface.


3. In the Administrative Access section, select which protocols to enable for IPv4 and IPv6 Administrative Access.

Industrial Connectivity Allow Industrial Connectivity service access to proxy traffic between serial port and
TCP/IP.
Available with FortiGate Rugged models equipped with a serial RS-232 (DB9/RJ45)
interface and when Role is set to Undefined or WAN. See Industrial Connectivity on
page 771.

Speed Test Allow this interface to listen to speed test sender requests.
To allow the FortiGate to be configured as speed test server, configure the following:
config system global
set speedtest-server {enable | disable}
end

For more detail, see Running speed tests from the hub to the spokes in dial-up
IPsec tunnels on page 1156.

HTTPS Allow secure HTTPS connections to the FortiGate GUI through this interface. If
configured, this option is enabled automatically.

HTTP Allow HTTP connections to the FortiGate GUI through this interface. This option can
only be enabled if HTTPS is already enabled.

PING The interface responds to pings. Use this setting to verify your installation and for
testing.

FMG-Access Allow FortiManager authorization automatically during the communication
exchanges between FortiManager and FortiGate devices.

SSH Allow SSH connections to the CLI through this interface.

SNMP Allow a remote SNMP manager to request SNMP information by connecting to this
interface.

FTM Allow FortiToken Mobile Push (FTM) access.

RADIUS Accounting Allow RADIUS accounting information on this interface.

Security Fabric Connection Allow Security Fabric access. This enables FortiTelemetry and CAPWAP.
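The administrative access settings above end up in the allowaccess list of each interface, and the quickest way to catch a plaintext protocol or management exposed on a WAN-facing port is to audit a configuration backup rather than click through every interface. The following is an added example for this section, not FortiOS code or anything from the guide: it parses the config system interface table in the text format that show system interface and backups use, and reports HTTP or Telnet enabled anywhere plus management protocols permitted on an interface whose role is WAN. The sample configuration is constructed; the protocol sets (PLAINTEXT, WAN_REVIEW) are this example's own policy choices.

```python
"""Audit 'allowaccess' in a FortiOS configuration backup.

Added example for this section; it is not FortiOS code. It reads the
'config system interface' table in the text format that 'show system interface'
and configuration backups use, and reports two things a practitioner checks
after setting administrative access: plaintext protocols (HTTP, Telnet) enabled
anywhere, and management protocols reachable on an interface whose role is WAN.
The configuration below is constructed for the example.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample in backup syntax; not captured from a real device.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh http fgfm
        set type physical
        set role wan
    next
    edit "port2"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh
        set type physical
        set role lan
        config secondaryip
            edit 1
                set ip 192.168.2.99 255.255.255.0
                set allowaccess ping https
            next
        end
    next
    edit "port3"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping telnet http
        set type physical
        set role dmz
    next
end
"""

PLAINTEXT = {"http", "telnet"}
# Protocols that should normally not be reachable from the internet side.
# fgfm and fabric are left out: they are how FortiManager/Fabric reach the device.
WAN_REVIEW = {"https", "http", "ssh", "telnet", "snmp", "radius-acct"}


def parse_interfaces(text: str) -> Dict[str, Dict[str, str]]:
    """Return {interface: {setting: value}} for each top-level edit block."""
    interfaces: Dict[str, Dict[str, str]] = {}
    current = None
    in_table = False
    depth = 0  # nesting inside sub-tables such as 'config secondaryip'
    for raw in text.splitlines():
        line = raw.strip()
        if not in_table:
            in_table = line == "config system interface"
            continue
        if line.startswith("config "):
            depth += 1
        elif line == "end":
            if depth == 0:
                break  # end of the system interface table
            depth -= 1
        elif depth > 0:
            continue  # sub-table contents are not top-level interface settings
        elif line == "next":
            current = None
        elif (m := re.match(r'edit "?([^"]+)"?$', line)):
            current = m.group(1)
            interfaces[current] = {}
        elif current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            interfaces[current][key] = value.strip('"')
    return interfaces


def audit(interfaces: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (interface, finding) pairs; an empty list means nothing to fix."""
    findings = []
    for name, cfg in interfaces.items():
        access = set(cfg.get("allowaccess", "").split())
        for proto in sorted(access & PLAINTEXT):
            findings.append((name, f"plaintext management protocol '{proto}' enabled"))
        if cfg.get("role") == "wan":
            exposed = sorted(access & WAN_REVIEW)
            if exposed:
                findings.append((name, "management exposed on WAN role: " + ", ".join(exposed)))
    return findings


if __name__ == "__main__":
    for iface, finding in audit(parse_interfaces(SAMPLE_CONFIG)):
        print(f"{iface}: {finding}")
```

On the sample, port1 is reported for HTTP and for HTTPS/SSH/HTTP on a WAN role, and port3 for Telnet and HTTP; port2 is clean. The fix for a flagged interface is the allowaccess line from the CLI procedure above (for example set allowaccess ping https ssh), and administrator accounts should additionally be limited to known source addresses with trusted hosts under config system admin.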

FEC implementations on 10G, 25G, 40G, and 100G interfaces

Only supported FEC (forward error correction) implementations are allowed to be configured on 10G, 25G, 40G, and
100G interfaces based on the speed that is selected.
l For 1000M, 10G, or 40G interfaces, FEC is not supported and the option is disabled.
l For 25G and 100G interfaces, FEC is automatically set to cl91-rs-fec by default.

To configure an interface for FEC:

config system interface
edit <name>
set speed {10000full | 1000full | 100Gauto | 100Gfull | 25000auto | 25000full | 40000full}
set mediatype {sr4 | lr4 | cr4}
set forward-error-correction {disable | cl91-rs-fec | cl74-fc-fec}
next
end

speed {10000full | 1000full | 100Gauto | 100Gfull | 25000auto | 25000full | 40000full}
Set the interface speed:
l 10000full: 10G full-duplex
l 1000full: 1000M full-duplex
l 100Gauto: 100G auto-negotiation
l 100Gfull: 100G full-duplex
l 25000auto: 25G auto-negotiation
l 25000full: 25G full-duplex
l 40000full: 40G full-duplex

mediatype {sr4 | lr4 | cr4}
Set the media type to use:
l sr4: short-range transceiver (4-lane)
l lr4: long-range transceiver (4-lane)
l cr4: copper transceiver (4-lane)

forward-error-correction {disable | cl91-rs-fec | cl74-fc-fec}
Set the forward error correction type:
l disable: disable forward error correction
l cl91-rs-fec: Reed-Solomon (FEC CL91)
l cl74-fc-fec: Firecode (FEC CL74)

To change the interface speed from 40G to 100G:

config system interface
edit port26
set speed 100Gfull
next
end

The speed/mediatype/FEC of port26 will be changed from 40000full/sr4/disable to
100Gfull/sr4/cl91-rs-fec.
Do you want to continue? (y/n) y

Since the speed changed to 100G, the mediatype setting automatically changes to sr4, and the forward-error-
correction setting automatically changes to cl91-rs-fec. When the speed was 40G, the forward-error-
correction setting was disabled.

Configure IPAM locally on the FortiGate

IPAM (IP address management) is available locally on the FortiGate. A standalone FortiGate, or a Fabric root in the
Security Fabric, can act as the IPAM server. Interfaces configured to be auto-managed by IPAM will receive an address
from the IPAM server's address/subnet pool. DHCP Server is automatically enabled in the GUI, and the address range is
populated by IPAM. Users can customize the address pool subnet and the size of a subnet that an interface can request.
Interfaces with a LAN role, wireless network interfaces (vap-switch type), and FortiExtender LAN extension interfaces
(lan-extension type) can receive an IP address from an IPAM server without any additional configuration at the
interface level (see Interfaces on page 162 for more information).


IPAM detects and resolves any IP conflicts that may occur on the interfaces that it manages. Users have the option to
manually edit the interface or reallocate the IP.
IPAM can be configured on the Network > IPAM page using the IPAM Settings, IPAM Rules, IPAM Interfaces, and IPAM
Subnets tabs.

To configure IPAM settings in the GUI:

1. Go to Network > IPAM and select the IPAM Settings tab.


2. Enable or disable the following settings:
a. Status
b. Auto-resolve conflicts
c. Interfaces with LAN role
d. FortiAP SSIDs
e. FortiExtender LAN extensions
3. Click OK.

To configure IPAM settings in the CLI:

config system ipam


set pool-subnet <class IP and netmask>
set status {enable | disable}
set automatic-conflict-resolution {enable | disable}
set manage-lan-addresses {enable | disable}
set manage-lan-extension-addresses {enable | disable}
set manage-ssid-addresses {enable | disable}
config pools
edit <pool_name>
set subnet <IP address/netmask>
next
end
config rules
edit <rule_name>
set device <name1> <name2> ...
set interface <name1> <name2> ...
set pool <pool_name>
next
end
end


pool-subnet <class IP and netmask> Set the IPAM pool subnet (class A or class B subnet).

status {enable | disable} Enable/disable IP address management services.

automatic-conflict-resolution {enable | disable} Enable/disable automatic conflict resolution.
When automatic-conflict-resolution is enabled, IPAM periodically checks and
validates the addresses of all interfaces it manages. If a conflict is found, IPAM
automatically attempts to obtain a new address for the affected interface,
ensuring no address duplication.

manage-lan-addresses {enable | disable}* Enable/disable default management of LAN interface addresses.

manage-lan-extension-addresses {enable | disable}* Enable/disable default management of FortiExtender LAN extension
interface addresses.

manage-ssid-addresses {enable | disable}* Enable/disable default management of FortiAP SSID addresses.

config pools Set the subnet for the IP pool.

config rules Set the device, interface, and IP pool for IPAM rules.

*
When a manage- option is enabled, any interface that meets the specified criteria will automatically receive an IP
address from IPAM. However, if this option is disabled, interfaces that meet the criteria will not be configured by IPAM.
All manage- options are disabled by default. The central FortiIPAM configuration can be overridden at the interface
level.

To override the central FortiIPAM configuration at the interface level:

config system interface


edit <name>
set ip-managed-by-fortiipam {enable | disable | inherit-global}
next
end

The default setting is to inherit from the global configuration (inherit-global) through the
relevant manage- option under config system ipam.

The following options are available for allocating the subnet size:
config system interface
edit <name>
set managed-subnetwork-size {32 | 64 | 128 | 256 | 512 | 1024 | 2048 | 4096 | 8192 |
16384 | 32768 | 65536}
next
end

Example 1: physical interfaces

In this example, FGT_AA is the Security Fabric root with IPAM enabled. FGT_BB and FGT_CC are downstream Fabric
devices and retrieve IPAM information from FGT_AA. The Fabric interface on all FortiGates is port2. FGT_AA acts as
the DHCP server, and FGT_BB acts as the DHCP client.


To configure IPAM locally in the Security Fabric:

1. On the root FortiGate, go to Network > Interfaces and edit port3.


2. For Addressing Mode, select Auto-Managed by IPAM. DHCP Server is automatically enabled.

3. In this example, IPAM is not enabled yet. Click Enable IPAM. The Subnets Managed by IPAM pane opens.

4. Select Enabled, enter the Pool subnet (only class A and B are allowed) and click OK. The root FortiGate is now the
IPAM server in the Security Fabric.


The following is configured in the backend:

config system interface
edit "port3"
set vdom "root"
set ip 172.31.0.1 255.255.0.0
set type physical
set device-identification enable
set snmp-index 5
set ip-managed-by-fortiipam enable
next
end

config system ipam


set status enable
end

IPAM is managing a 172.31.0.0/16 network and assigned port3 a /24 network by default.
The IP/Netmask field in the Address section has been automatically assigned a class C IP by IPAM. The Address
range and Netmask fields in the DHCP Server section have also been automatically configured by IPAM.

5. Click OK.


6. Log in to FGT_BB and set the Addressing Mode of port4 to Auto-Managed by IPAM. The subnet assigned from the
pool on the root is 172.31.1.1/24.
7. Log in to FGT_CC and set the Addressing Mode of port34 to Auto-Managed by IPAM. The subnet assigned from the
pool on the root is 172.31.2.1/24.

Any interface on a downstream FortiGate can be managed by the IPAM server. The interface
does not have to be directly connected to the Fabric root FortiGate.

To edit the IPAM subnet:

1. Go to Network > IPAM > IPAM Settings.


2. Edit the pool subnet if needed.

3. Click OK.
On downstream FortiGates, the settings on the Network > IPAM > IPAM Settings tab cannot be changed if IPAM is
enabled on the root FortiGate.

Go to Network > IPAM > IPAM Interfaces to view the subnet allocations (port34, port3, and
port4) and DHCP lease information. On FGT_BB, port3 is a DHCP client and the DHCP server
interface (FGT_AA port3) is managed by IPAM, so it is displayed in the Manually Configured
section.

Example 2: wireless network and FortiExtender LAN extension interfaces

In this example, the FortiGate serves as the Security Fabric root and has two interfaces: test-ssid (vap-switch type)
and FG019TM22004646 (lan-extension type). Currently, neither interface has an IP address assigned to it.


To configure IPAM on the root FortiGate:

1. Go to Network > IPAM and select the IPAM Settings tab.


2. Enable the Status, Auto-resolve conflicts, Interfaces with LAN role, FortiAP SSIDs, and FortiExtender LAN
extensions settings.

IPAM is disabled by default, so all these options are disabled by default. Each option must
be activated individually to function, and they do not depend on one another.

3. Click OK.
After enabling IPAM on the root FortiGate with the specified settings, FortiGates that are part of the Security Fabric
and have an interface set to either the LAN role, vap-switch type, or lan-extension type will automatically
receive an IP assignment from the IPAM server without requiring any additional configuration at the interface level.
4. Verify the list of IPAM entries:
# diagnose sys ipam list entries
Entries: (sn, vdom, interface, subnet/mask, conflict)

IPAM Entries:
FGVM08TM22004645 root FG019TM22004646 192.168.4.254/24
FGVM08TM22004645 root test-ssid 192.168.2.254/24

When a downstream FortiGate joins the Security Fabric, the port7 interface is configured with a static IP
(192.168.4.254/24), and port8 is set to a LAN role with no IP address assigned. The IPAM server assigns an IP to port8
of the downstream FortiGate since its role was set to LAN. It is observed that the FG019TM22004646 interface of the
root FortiGate conflicts with port7 of the downstream FortiGate.

To verify the IP address conflict resolution:

1. On the root FortiGate, go to Network > IPAM and select the IPAM Interfaces tab.


There is a conflict marker (warning icon) beside the IP address of FG019TM22004646 due to a conflict between the
IPAM-assigned interface FG019TM22004646 of the root FortiGate and the manually configured interface of the
downstream FortiGate.
a. Verify the list of IPAM entries in the CLI:
# diagnose sys ipam list entries
Entries: (sn, vdom, interface, subnet/mask, conflict)

IPAM Entries:
FGVM08TM22004645 root test-ssid 192.168.2.254/24
FGVM08TM22004647 root port8 192.168.3.254/24
FGVM08TM22004645 root FG019TM22004646 192.168.4.254/24 C

2. After some time, since Auto-resolve conflicts is enabled in the IPAM settings, the conflict is resolved automatically.

FG019TM22004646 has been assigned a new IP address of 192.168.1.254/24.


If Auto-resolve conflicts is disabled in the IPAM settings, mouse over the conflict marker and select Reallocate IP to
manually reallocate the IP address.

a. Verify the list of IPAM entries in the CLI:


# diagnose sys ipam list entries
Entries: (sn, vdom, interface, subnet/mask, conflict)

IPAM Entries:
FGVM08TM22004645 root FG019TM22004646 192.168.1.254/24
FGVM08TM22004645 root test-ssid 192.168.2.254/24
FGVM08TM22004647 root port8 192.168.3.254/24

Diagnostics

Use the following commands to view IPAM related diagnostics.


To view the largest available subnet size:

# diagnose sys ipam largest-available-subnet


Largest available subnet is a /17.

To verify IPAM allocation information:

# diagnose sys ipam list entries


IPAM Entries: (sn, vdom, interface, subnet/mask, flag)
F140EP4Q17000000 root port34 172.31.2.1/24 0
FG5H1E5818900001 root port3 172.31.0.1/24 0
FG5H1E5818900002 root port4 172.31.1.1/24 0
FG5H1E5818900003 root port3 172.31.0.2/24 1

To verify the available subnets:

# diagnose sys ipam list subnets


IPAM free subnets: (subnet/mask)
172.31.3.0/24
172.31.4.0/22
172.31.8.0/21
172.31.16.0/20
172.31.32.0/19
172.31.64.0/18
172.31.128.0/17

To remove a device from IPAM in the Security Fabric:

# diagnose sys ipam delete device F140EP4Q17000000


Successfully removed device F140EP4Q17000000 from ipam
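The two IPAM examples and the diagnostics above describe the same mechanics from different angles: fixed-size subnets are carved out of a class A or B pool, the free space is reported as aggregated CIDR blocks, the smallest prefix length among them is the largest available subnet, and an assigned subnet that overlaps a manually configured one is flagged and, with auto-resolution enabled, moved. The following model is an added example written for this section, not FortiOS code; it uses the standard-library ipaddress module to reproduce that behavior with the pool, serial numbers and interface names of Example 1, and a constructed manual subnet standing in for the downstream device's conflicting interface of Example 2. The listing format mirrors diagnose sys ipam list entries but is this example's own.

```python
"""Model of a FortiGate IPAM pool, as an added example (not FortiOS code).

The standard-library ipaddress module is used to reproduce what the
'diagnose sys ipam' commands above report: /24 subnets are carved out of a
class A or B pool, the remaining space is kept as a collapsed list of free
blocks ('list subnets'), the smallest prefix length among them is the largest
available subnet, and an IPAM-assigned subnet that overlaps a manually
configured one elsewhere in the Fabric is marked with a conflict flag and
moved to a free block when auto-resolution runs. Serial numbers and interface
names come from Example 1; the conflicting manual subnet is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network


@dataclass
class Entry:
    serial: str
    vdom: str
    interface: str
    subnet: IPv4Net
    conflict: bool = False

    @property
    def address(self) -> str:
        """Interface address: first host of the subnet, as in 172.31.0.1/24."""
        return f"{self.subnet[1]}/{self.subnet.prefixlen}"


class IpamPool:
    def __init__(self, pool: str) -> None:
        self.pool = IPv4Net(pool)
        if self.pool.prefixlen > 16:  # the GUI accepts class A or B pools only
            raise ValueError("pool must be a /16 or larger")
        self.free: List[IPv4Net] = [self.pool]
        self.entries: Dict[Tuple[str, str, str], Entry] = {}

    def free_subnets(self) -> List[IPv4Net]:
        """Free space as disjoint, aggregated CIDR blocks (cf. 'list subnets')."""
        return sorted(ipaddress.collapse_addresses(self.free))

    def largest_available(self) -> Optional[int]:
        """Prefix length of the largest free block (cf. 'largest-available-subnet')."""
        blocks = self.free_subnets()
        return min(n.prefixlen for n in blocks) if blocks else None

    def _take(self, prefixlen: int) -> IPv4Net:
        """Split the lowest free block that can hold a /prefixlen and return it."""
        self.free = self.free_subnets()
        for block in self.free:
            if block.prefixlen <= prefixlen:
                chosen = next(block.subnets(new_prefix=prefixlen))
                self.free.remove(block)
                self.free.extend(block.address_exclude(chosen))
                return chosen
        raise RuntimeError(f"no free /{prefixlen} left in {self.pool}")

    def reserve(self, manual: str) -> None:
        """Remove a manually configured subnet from the allocatable space."""
        net = IPv4Net(manual)
        kept = []
        for block in self.free_subnets():
            if not block.overlaps(net):
                kept.append(block)
            elif net.subnet_of(block):
                kept.extend(block.address_exclude(net))
            # else: the block lies entirely inside the manual subnet and is dropped
        self.free = kept

    def allocate(self, serial: str, vdom: str, interface: str, prefixlen: int = 24) -> Entry:
        key = (serial, vdom, interface)
        if key not in self.entries:
            self.entries[key] = Entry(serial, vdom, interface, self._take(prefixlen))
        return self.entries[key]

    def release(self, entry: Entry) -> None:
        del self.entries[(entry.serial, entry.vdom, entry.interface)]
        self.free.append(entry.subnet)

    def check_conflicts(self, manual: List[str]) -> List[Entry]:
        """Flag entries overlapping any manually configured subnet ('C' in the listing)."""
        nets = [IPv4Net(m) for m in manual]
        hits = []
        for e in self.entries.values():
            e.conflict = any(e.subnet.overlaps(n) for n in nets)
            if e.conflict:
                hits.append(e)
        return hits

    def resolve_conflicts(self, manual: List[str]) -> List[Entry]:
        """Auto-resolve: give each conflicted interface a new subnet from free space."""
        hits = self.check_conflicts(manual)
        for e in hits:
            self.release(e)
        for m in manual:
            self.reserve(m)  # never hand the conflicting subnet back out
        return [self.allocate(e.serial, e.vdom, e.interface, e.subnet.prefixlen) for e in hits]

    def listing(self) -> List[str]:
        """Lines in the shape of 'diagnose sys ipam list entries'."""
        return [f"{e.serial} {e.vdom} {e.interface} {e.address}{' C' if e.conflict else ''}"
                for e in self.entries.values()]


if __name__ == "__main__":
    pool = IpamPool("172.31.0.0/16")
    pool.allocate("FG5H1E5818900001", "root", "port3")
    pool.allocate("FG5H1E5818900002", "root", "port4")
    pool.allocate("F140EP4Q17000000", "root", "port34")
    print("\n".join(pool.listing()))
    print("free:", [str(n) for n in pool.free_subnets()], "largest: /%d" % pool.largest_available())
    pool.resolve_conflicts(["172.31.2.0/24"])  # constructed manual subnet on another device
    print("\n".join(pool.listing()))
```

After the three allocations the free list is exactly the seven blocks that diagnose sys ipam list subnets printed above (172.31.3.0/24 through 172.31.128.0/17) and the largest available subnet is a /17. Resolving a conflict on port34 moves it to 172.31.3.1/24 and leaves the manual 172.31.2.0/24 out of the pool, which is why reserving the manual subnet before reallocating matters: without it the allocator would hand the same conflicting block straight back.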

Interface MTU packet size

Changing the maximum transmission unit (MTU) on FortiGate interfaces changes the size of transmitted packets. Most
FortiGate devices' physical interfaces support jumbo frames of up to 9216 bytes, but some only support 9000 or
9204 bytes.
To avoid fragmentation, the MTU should be the same as the smallest MTU in all of the networks between the FortiGate
and the destination. If the packets sent by the FortiGate are larger than the smallest MTU, then they are fragmented,
slowing down the transmission. Packets with the DF flag set in the IPv4 header are dropped instead of fragmented.
On many network and endpoint devices, path MTU discovery is used to determine the smallest MTU and to transmit
packets within that size.
l ASIC accelerated FortiGate interfaces, such as NP6, NP7, and SOC4 (np6xlite), support MTU sizes up to 9216
bytes.
l FortiGate VMs can have varying maximum MTU sizes, depending on the underlying interface and driver.
l Virtual interfaces, such as VLAN interfaces, inherit their MTU size from their parent interface.

To verify the supported MTU size:

config system interface
    edit <interface>
        set mtu-override enable
        set mtu <integer>
    next
end

To change the MTU size:

config system interface
    edit <interface>
        set mtu-override enable
        set mtu <max bytes>
    next
end

Maximum MTU size on a path

To manually test the maximum MTU size on a path, you can use the ping command on a Windows computer.
For example, you can send ICMP packets of a specific size with the DF flag set, and iterate through increasing sizes until
the ping fails.
- The -f option sets the Do not Fragment (DF) flag.
- The -l option specifies the length, in bytes, of the Data field in the Echo Request messages. This does not include
  the 8 bytes for the ICMP header and 20 bytes for the IP header. Therefore, if the maximum MTU is 1500 bytes, then
  the maximum supported data size is: 1500 - 8 - 20 = 1472 bytes.

To determine the maximum MTU size on a path:

1. In Windows command prompt, try a likely MTU size:

    >ping 4.2.2.1 -l 1472 -f
    Pinging 4.2.2.1 with 1472 bytes of data:
    Reply from 4.2.2.1: bytes=1472 time=41ms TTL=52
    Reply from 4.2.2.1: bytes=1472 time=42ms TTL=52
    Reply from 4.2.2.1: bytes=1472 time=103ms TTL=52
    Reply from 4.2.2.1: bytes=1472 time=38ms TTL=52

    Ping statistics for 4.2.2.1:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 38ms, Maximum = 103ms, Average = 56ms

2. Increase the size and try the ping again:

    >ping 4.2.2.1 -l 1473 -f
    Pinging 4.2.2.1 with 1473 bytes of data:
    Request timed out.

    Ping statistics for 4.2.2.1:
        Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),

The second test fails, so the maximum MTU size on the path is 1472 bytes + 8-byte ICMP header + 20-byte IP
header = 1500 bytes.


Maximum segment size

The TCP maximum segment size (MSS) is the maximum amount of data that can be sent in a TCP segment. The MSS is
the MTU size of the interface minus the 20-byte IP header and 20-byte TCP header. By reducing the TCP MSS, you can
effectively reduce the MTU size of the packet.
The TCP MSS can be configured in a firewall policy (see Configurations in the CLI on page 1331), or directly on an
interface.

To configure the MSS on an interface:

config system interface
    edit "wan2"
        set vdom "root"
        set mode dhcp
        set allowaccess ping fgfm
        set type physical
        set tcp-mss 1448
        set role wan
    next
end
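The path MTU test above and the MSS arithmetic, as an added Python example that is not from the guide: find_path_mtu() binary-searches for the largest DF-flagged payload that is answered instead of stepping the size up one byte at a time, simulated_path() is a constructed stand-in so the search runs offline, windows_ping_probe() wraps the guide's ping -l <size> -f command (its reading of Windows ping's exit status is an assumption), and tcp_mss() derives the MSS the way the text describes.

```python
import subprocess
from typing import Callable

# Header sizes used in the guide's arithmetic (no IP or TCP options).
ICMP_HEADER = 8    # ICMP echo header
IPV4_HEADER = 20   # IPv4 header
TCP_HEADER = 20    # TCP header


def max_ping_payload(mtu: int) -> int:
    """Largest ping -l value that still fits one unfragmented packet (1500 -> 1472)."""
    return mtu - IPV4_HEADER - ICMP_HEADER


def mtu_from_payload(payload: int) -> int:
    """Inverse: the path MTU implied by the largest DF payload that was answered."""
    return payload + IPV4_HEADER + ICMP_HEADER


def tcp_mss(mtu: int) -> int:
    """TCP MSS for an interface MTU: MTU minus the IP and TCP headers (1500 -> 1460)."""
    return mtu - IPV4_HEADER - TCP_HEADER


def find_path_mtu(probe: Callable[[int], bool], low: int = 1, high: int = 9188) -> int:
    """Binary-search the largest DF payload that gets a reply, then convert it to an MTU.

    probe(payload) returns True when a DF-flagged echo of that size is answered.
    The guide steps the size up one byte at a time; a binary search between the
    bounds needs about 14 probes instead of up to thousands. The default high
    bound (9188) is the payload that fills a 9216-byte jumbo frame.
    """
    if not probe(low):
        raise RuntimeError("no reply at the smallest size; check reachability or ICMP filtering")
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid        # mid fits, so the answer is at least mid
        else:
            high = mid - 1   # mid was fragmented or dropped
    return mtu_from_payload(low)


def simulated_path(path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for a real path: DF packets larger than path_mtu never arrive."""
    return lambda payload: mtu_from_payload(payload) <= path_mtu


def windows_ping_probe(host: str) -> Callable[[int], bool]:
    """Probe with the guide's command, ping <host> -l <size> -f (Windows ping syntax).

    Assumes Windows ping, which exits 0 only when at least one reply was received;
    -n 1 sends a single echo so each probe is cheap. Not used by the offline demo.
    """
    def probe(payload: int) -> bool:
        result = subprocess.run(["ping", host, "-n", "1", "-l", str(payload), "-f"],
                                capture_output=True, text=True)
        return result.returncode == 0 and "bytes=" in result.stdout
    return probe


if __name__ == "__main__":
    # Offline demonstration against a constructed 1500-byte path, as in the guide.
    found = find_path_mtu(simulated_path(1500))
    print("largest payload for MTU 1500:", max_ping_payload(1500))
    print("path MTU found:", found)
    print("tcp-mss for that MTU:", tcp_mss(found))
```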

One-arm sniffer

You can use a one-arm sniffer to configure a physical interface as a one-arm intrusion detection system (IDS). Traffic
sent to the interface is examined for matches to the configured security profile. The matches are logged, and then all
received traffic is dropped. Sniffing only reports on attacks; it does not deny or influence traffic.
You can also use the one-arm sniffer to configure the FortiGate to operate as an IDS appliance to sniff network traffic for
attacks without actually processing the packets. To configure a one-arm IDS, enable sniffer mode on a physical interface
and connect the interface to the SPAN port of a switch or a dedicated network TAP that can replicate the traffic to the
FortiGate.
If the one-arm sniffer option is not available, the interface is in use. Ensure that the interface is not selected in
any firewall policies, routes, virtual IPs, or other features where a physical interface is specified. The option also does not
appear if the role is set to WAN. Ensure the role is set to LAN, DMZ, or undefined.
One-arm sniffer supports VLAN, VXLAN, and GRE interfaces.
The following table lists some of the one-arm sniffer settings you can configure:

Field                   Description

Security Profiles       The following profiles are configurable in the GUI and CLI:
                        - Antivirus
                        - Web filter
                        - Application control
                        - IPS
                        - File filter
                        The following profiles are only configurable in the CLI:
                        - Email filter
                        - DLP
                        - IPS DoS
                        Each security profile has a predefined profile for One-Arm Sniffer called sniffer-profile. The
                        sniffer-profile can be viewed or edited from the GUI through the Edit Interface page only.
                        Please refer to the Example configuration on page 181 for a demonstration.

CPU usage and packet loss

Traffic scanned on the one-arm sniffer interface is processed by the CPU, even if there is an SPU, such as NPU or CP,
present. The one-arm sniffer may cause higher CPU usage and perform at a lower level than traditional inline scanning,
which uses NTurbo or CP to accelerate traffic when present.
The absence of high CPU usage does not indicate the absence of packet loss. Packet loss may occur due to the
capacity of the TAP devices hitting maximum traffic volume during mirroring, or on the FortiGate when the kernel buffer
size is exceeded and it is unable to handle bursts of traffic.

Example configuration

The following example shows how to configure a file filter profile that blocks PDF and RAR files used in a one-arm sniffer
policy.

To configure a one-arm sniffer policy in the GUI:

1. Go to Network > Interfaces and double-click a physical interface to edit it.
2. For Role, select either LAN, DMZ, or Undefined.
3. For Addressing Mode, select One-Arm Sniffer.
4. In the Security Profiles section, enable File Filter and click Edit. The Edit File Filter Profile pane opens.
5. In the Rules table, click Create New.
6. Configure the rule:
    a. For File types, click the + and select pdf and rar.
    b. For Action, select Block.
    c. Click OK to save the rule.
7. Click OK to save the file filter profile.
8. Click OK to save the interface settings.
9. Go to Log & Report > Security Events to view the File Filter logs.

To configure a one-arm sniffer policy in the CLI:

1. Configure the interface:

    config system interface
        edit "s1"
            set vdom "root"
            set ips-sniffer-mode enable
            set type physical
            set role undefined
            set snmp-index 31
        next
    end

2. Configure the file filter profile:

    config file-filter profile
        edit "sniffer-profile"
            set comment "File type inspection."
            config rules
                edit "1"
                    set protocol http ftp smtp imap pop3 cifs
                    set action block
                    set file-type "pdf" "rar"
                next
            end
        next
    end

3. Configure the firewall sniffer policy:

    config firewall sniffer
        edit 1
            set interface "s1"
            set file-filter-profile-status enable
            set file-filter-profile "sniffer-profile"
        next
    end

4. View the log:

    # execute log filter category 19
    # execute log display
    1 logs found.
    1 logs returned.

    1: date=2020-12-29 time=09:14:46 eventtime=1609262086871379250 tz="-0800"
    logid="1900064000" type="utm" subtype="file-filter" eventtype="file-filter"
    level="warning" vd="root" policyid=1 sessionid=792 srcip=172.16.200.55 srcport=20
    srcintf="s1" srcintfrole="undefined" dstip=10.1.100.11 dstport=56745 dstintf="s1"
    dstintfrole="undefined" proto=6 service="FTP" profile="sniffer-profile"
    direction="outgoing" action="blocked" rulename="1" filename="hello.pdf" filesize=9539
    filetype="pdf" msg="File was blocked by file filter."
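As an added example that is not from the guide, the following Python parses FortiOS key=value log records like the one above and pulls out the file-filter hits seen on the sniffer interface, so the records can be fed into alerting rather than read by hand. The field names come from the log shown; the second sample record is constructed.

```python
import re
from collections import Counter
from typing import Any, Dict, List

# Constructed sample records: the first is the guide's file-filter log, joined onto
# one line as FortiOS emits it; the second is a constructed RAR hit on the same
# sniffer interface, built only to exercise the same fields.
SAMPLE_LOGS = [
    'date=2020-12-29 time=09:14:46 eventtime=1609262086871379250 tz="-0800" '
    'logid="1900064000" type="utm" subtype="file-filter" eventtype="file-filter" '
    'level="warning" vd="root" policyid=1 sessionid=792 srcip=172.16.200.55 srcport=20 '
    'srcintf="s1" srcintfrole="undefined" dstip=10.1.100.11 dstport=56745 dstintf="s1" '
    'dstintfrole="undefined" proto=6 service="FTP" profile="sniffer-profile" '
    'direction="outgoing" action="blocked" rulename="1" filename="hello.pdf" filesize=9539 '
    'filetype="pdf" msg="File was blocked by file filter."',
    # Constructed record (not from the guide).
    'date=2020-12-29 time=09:20:03 eventtime=1609262403000000000 tz="-0800" '
    'logid="1900064000" type="utm" subtype="file-filter" eventtype="file-filter" '
    'level="warning" vd="root" policyid=1 sessionid=801 srcip=172.16.200.55 srcport=20 '
    'srcintf="s1" srcintfrole="undefined" dstip=10.1.100.12 dstport=56790 dstintf="s1" '
    'dstintfrole="undefined" proto=6 service="FTP" profile="sniffer-profile" '
    'direction="outgoing" action="blocked" rulename="1" filename="archive.rar" filesize=20480 '
    'filetype="rar" msg="File was blocked by file filter."',
]

# key=value pairs: a value is either a double-quoted string (which may contain spaces
# and backslash-escaped quotes) or a run of non-whitespace characters.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortios_log(line: str) -> Dict[str, Any]:
    """Parse one FortiOS key=value log record into a dict.

    Quoted values lose their quotes (so logid="1900064000" stays a string);
    unquoted all-digit values become ints so sizes and ports compare numerically.
    """
    record: Dict[str, Any] = {}
    for key, raw in FIELD_RE.findall(line):
        if raw.startswith('"'):
            record[key] = raw[1:-1].replace('\\"', '"')
        elif raw.isdigit():
            record[key] = int(raw)
        else:
            record[key] = raw
    return record


def sniffer_file_hits(records: List[Dict[str, Any]], interface: str) -> List[Dict[str, Any]]:
    """File-filter matches observed on a one-arm sniffer interface.

    The record says action="blocked", but on a sniffer interface the guide notes
    that sniffing only reports: the file was seen, not stopped. Treat these as alerts.
    """
    return [r for r in records
            if r.get("subtype") == "file-filter"
            and r.get("srcintf") == interface
            and r.get("action") == "blocked"]


def hits_by_source_and_type(hits: List[Dict[str, Any]]) -> Counter:
    """Count alerts per (srcip, filetype) to spot a host repeatedly moving watched files."""
    return Counter((r["srcip"], r["filetype"]) for r in hits)


if __name__ == "__main__":
    parsed = [parse_fortios_log(line) for line in SAMPLE_LOGS]
    for hit in sniffer_file_hits(parsed, "s1"):
        print(hit["date"], hit["time"], hit["srcip"], hit["filename"], hit["filesize"])
    print(hits_by_source_and_type(sniffer_file_hits(parsed, "s1")))
```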

Interface migration wizard

The Integrate Interface option on the Network > Interfaces page helps migrate a physical port into another interface or
interface type, such as aggregate, software switch, redundant, zone, or SD-WAN zone. The FortiGate migrates object
references either by replacing the existing instance with the new interface or by deleting the existing instance, based on the
user's choice. Users can also change the VLAN ID of an existing VLAN sub-interface or FortiSwitch VLAN.

The interface migration wizard does not support turning an aggregate, software switch,
redundant, zone, or SD-WAN zone interface back into a physical interface.

Integrating an interface

In this example, a DHCP server interface is integrated into a newly created redundant interface, which transfers the
DHCP server to a redundant interface.

To integrate an interface:

1. Go to Network > Interfaces and select an interface in the list.
2. Click Integrate Interface. The wizard opens.
   Alternatively, select an interface in the list, then right-click and select Integrate Interface.
3. Select Migrate to Interface and click Next.
4. Select Create an Interface. Enter a name (rd1) and set the Type to Redundant.
5. Click Next. The References section lists the associated services with options to Replace Instance or Delete Entry.
6. For the DHCP server Action, select Replace Instance and click Create.
7. The migration occurs automatically and the statuses for the object and reference change to Updated entry. Click
   Close.

Changing the VLAN ID

In this example, the VLAN ID of InternalVLAN is changed from 11 to 22.

To change the VLAN ID:

1. Go to Network > Interfaces and edit an existing interface.
2. Beside the VLAN ID field, click Edit. The Update VLAN ID window opens.
3. Enter the new ID (22) and click Next.
4. Verify the changes, then click Update and OK.
5. The target object status changes to Updated entry. Click Close.

In the interface settings, the ID displays as 22.


Captive portals

A captive portal is used to enforce authentication before web resources can be accessed. Until a user authenticates
successfully, any HTTP request returns the authentication page. After successfully authenticating, a user can access the
requested URL and other web resources, as permitted by policies. The captive portal can also be configured to only
allow access to members of specific user groups.
Captive portals can be hosted on the FortiGate or an external authentication server. They can be configured on any
network interface, including VLAN and WiFi interfaces. On a WiFi interface, the access point appears open, and the
client can connect to the access point with no security credentials, but then sees the captive portal authentication page.
See Captive Portal Security in the FortiWiFi and FortiAP Configuration Guide for more information.
All users on the interface are required to authenticate. Exemption lists can be created for devices that are unable to
authenticate, such as a printer that requires access to the internet for firmware upgrades.

To configure a captive portal in the GUI:

1. Go to Network > Interfaces and edit the interface that the users connect to. The interface Role must be LAN or
   Undefined.
2. Enable Security mode.
3. Configure the following settings, then click OK.

   Authentication Portal          Configure the location of the portal:
                                  - Local: the portal is hosted on the FortiGate unit.
                                  - External: enter the FQDN or IP address of the external portal.

   User access                    Select if the portal applies to all users, or selected user groups:
                                  - Restricted to Groups: restrict access to the selected user groups. The
                                    Login page is shown when a user tries to log in to the captive portal.
                                  - Allow all: all users can log in, but access will be defined by relevant
                                    policies. The Disclaimer page is shown when a user tries to log in to the
                                    captive portal.

   Customize portal messages      Enable to use custom portal pages, then select a replacement message
                                  group. See Custom captive portal pages on page 191.

   Exempt sources                 Select sources that are exempt from the captive portal.
                                  Each exemption is added as a rule in an automatically generated exemption
                                  list.

   Exempt destinations/services   Select destinations and services that are exempt from the captive portal.
                                  Each exemption is added as a rule in an automatically generated exemption
                                  list.

   Redirect after Captive Portal  Configure website redirection after successful captive portal authentication:
                                  - Original Request: redirect to the initially browsed-to URL.
                                  - Specific URL: redirect to the specified URL.

To configure a captive portal in the CLI:

1. If required, create a security exemption list:

    config user security-exempt-list
        edit <list>
            config rule
                edit 1
                    set srcaddr <source(s)>
                    set dstaddr <destination(s)>
                    set service <service(s)>
                next
                edit 2
                    set srcaddr <source(s)>
                    set dstaddr <destination(s)>
                    set service <service(s)>
                next
            end
        next
    end

2. Configure captive portal authentication on the interface:

    config system interface
        edit <interface>
            set security-mode {none | captive-portal}
            set security-external-web <string>
            set replacemsg-override-group <group>
            set security-redirect-url <string>
            set security-exempt-list <list>
            set security-groups <group(s)>
        next
    end

Custom captive portal pages

Portal pages are HTML files that can be customized to meet user requirements.
Most of the text and some of the HTML in the message can be changed. Tags are enclosed by double percent signs
(%%); most of them should not be changed because they might carry information that the FortiGate unit needs. For
information about customizing replacement messages, see Modifying replacement messages on page 3057.
The images on the pages can be replaced. For example, your organization's logo can replace the Fortinet logo. For
information about uploading and using new images in replacement messages, see Replacement message images on
page 3059.
The following pages are used by captive portals:

Login Page                Requests user credentials.
                          The %%QUESTION%% tag provides the "Please enter the required information to
                          continue." text.
                          This page is shown to users that are trying to log in when User access is set to
                          Restricted to Groups.

Login Failed Page         Reports that incorrect credentials were entered, and requests correct credentials.
                          The %%FAILED_MESSAGE%% tag provides the "Firewall authentication failed.
                          Please try again." text.

Disclaimer Page           A statement of the legal responsibilities of the user and the host organization that
                          the user must agree to before proceeding. This page is shown to users that are
                          trying to log in when User access is set to Allow all.

Declined Disclaimer Page  Shown if the user does not agree to the statement on the Disclaimer page. Access
                          is denied until the user agrees to the disclaimer.

Configuring a FortiGate interface to act as an 802.1X supplicant

A FortiGate interface can be configured to act as an 802.1X supplicant. The settings are enabled on the network
interface in the CLI. The EAP authentication method can be either PEAP or TLS using a user certificate.

config system interface
    edit <interface>
        set eap-supplicant {enable | disable}
        set eap-method {peap | tls}
        set eap-identity <identity>
        set eap-password <password>
        set eap-ca-cert <CA_cert>
        set eap-user-cert <user_cert>
    next
end


Example

In this example, the FortiGate connects to an L3 switch that is not physically secured. All devices that connect to the
internet through the L3 switch must be authenticated with 802.1X on the switch port by either a username and password
(PEAP), or a user certificate (TLS). Configuration examples for both EAP authentication methods on port33 are shown.

To configure EAP authentication with PEAP:

1. Configure the interface:

    config system interface
        edit "port33"
            set vdom "vdom1"
            set ip 7.7.7.2 255.255.255.0
            set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response fabric
            set stpforward enable
            set type physical
            set snmp-index 42
            set eap-supplicant enable
            set eap-method peap
            set eap-identity "test1"
            set eap-password **********
        next
    end

2. Verify the interface's PEAP authentication details:

    # diagnose test app eap_supp 2
    Interface: port33
    status:Authorized
    method: PEAP
    identity: test1
    ca_cert:
    client_cert:
    private_key:
    last_eapol_src =70:4c:a5:3b:0b:c6

Traffic is able to pass because the status is authorized.

To configure EAP authentication with TLS:

1. Configure the interface:

    config system interface
        edit "port33"
            set vdom "vdom1"
            set ip 7.7.7.2 255.255.255.0
            set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response fabric
            set stpforward enable
            set type physical
            set snmp-index 42
            set eap-supplicant enable
            set eap-method tls
            set eap-identity "[email protected]"
            set eap-ca-cert "root_G_CA_Cert_1.cer"
            set eap-user-cert "root_eap_client_global.cer"
        next
    end

2. Verify the interface's TLS authentication details:

    # diagnose test application eap_supp 2
    Interface: port33
    status:Authorized
    method: TLS
    identity: [email protected]
    ca_cert: /etc/cert/ca/root_G_CA_Cert_1.cer
    client_cert: /etc/cert/local/root_eap_client_global.cer
    private_key: /etc/cert/local/root_eap_client_global.key
    last_eapol_src =70:4c:a5:3b:0b:c6

Traffic is able to pass because the status is authorized.

Physical interface

A FortiGate has several physical interfaces that can connect to Ethernet or optical cables. Depending on the FortiGate
model, it can have a varying combination of Ethernet, small form-factor pluggable (SFP), and enhanced small form-
factor pluggable (SFP+) interfaces.
The port names, as labeled on the FortiGate, appear in the interfaces list on the Network > Interfaces page. Hover the
cursor over a port to view information, such as the name and the IP address.
Refer to Configuring an interface for basic GUI and CLI configuration steps.

Displaying transceiver status information for SFP and SFP+ interfaces

Transceiver status information for SFP and SFP+ interfaces installed on the FortiGate can be displayed in the GUI and
CLI. For example, the type, vendor name, part number, serial number, and port name. The CLI output includes additional
information that can be useful for diagnosing transmission problems, such as the temperature, voltage, and optical
transmission power.

To view transceiver status information in the GUI:

1. Go to Network > Interfaces. The Transceiver column is visible in the table, which displays the transceiver vendor
name and part number.
2. Hover the cursor over a transceiver to view more information.


To view transceiver status information in the CLI:

# get system interface transceiver
Interface port9 - SFP/SFP+
Vendor Name : FINISAR CORP.
Part No. : FCLF-8521-3
Serial No. : PMS***
Interface port10 - Transceiver is not detected.
Interface port11 - SFP/SFP+
Vendor Name : QNC
Part No. : LCP-1250RJ3SRQN
Serial No. : QNDT****
Interface port12 - SFP/SFP+
Vendor Name : QNC
Part No. : LCP-1250RJ3SRQN
Serial No. : QNDT****
Interface s1 - SFP/SFP+
Vendor Name : JDSU
Part No. : PLRXPLSCS4322N
Serial No. : CB26U****
Interface s2 - SFP/SFP+
Vendor Name : JDSU
Part No. : PLRXPLSCS4321N
Serial No. : C825U****
Interface vw1 - Transceiver is not detected.
Interface vw2 - Transceiver is not detected.
Interface x1 - SFP/SFP+
Vendor Name : Fortinet
Part No. : LCP-10GRJ3SRFN
Serial No. : 19090910****
Interface x2 - Transceiver is not detected.
                                                      Optical      Optical      Optical
SFP/SFP+      Temperature   Voltage      Tx Bias      Tx Power     Rx Power
Interface     (Celsius)     (Volts)      (mA)         (dBm)        (dBm)
------------  ------------  ------------ ------------ ------------ ------------
port9         N/A           N/A          N/A          N/A          N/A
port11        N/A           N/A          N/A          N/A          N/A
port12        N/A           N/A          N/A          N/A          N/A
s1            38.3          3.35         6.80         -2.3         -3.2
s2            42.1          3.34         7.21         -2.3         -3.0
x1            N/A           N/A          N/A          N/A          N/A
++ : high alarm, + : high warning, - : low warning, -- : low alarm, ? : suspect.

VLAN

Virtual local area networks (VLANs) multiply the capabilities of your FortiGate and can also provide added network
security. VLANs use ID tags to logically separate devices on a network into smaller broadcast domains. These smaller
domains forward packets only to devices that are part of that VLAN domain. This reduces traffic and increases network
security.


VLANs in NAT mode

In NAT mode, the FortiGate unit functions as a layer-3 device. In this mode, the FortiGate unit controls the flow of
packets between VLANs and can also remove VLAN tags from incoming VLAN packets. The FortiGate unit can also
forward untagged packets to other networks such as the Internet.
In NAT mode, the FortiGate unit supports VLAN trunk links with IEEE 802.1Q-compliant switches or routers. The trunk
link transports VLAN-tagged packets between physical subnets or networks. When you add VLAN subinterfaces to the
FortiGate's physical interfaces, the VLANs have IDs that match the VLAN IDs of packets on the trunk link. The FortiGate
unit directs packets with VLAN IDs to subinterfaces with matching IDs.
You can define VLAN subinterfaces on all FortiGate physical interfaces. However, if multiple virtual domains are
configured on the FortiGate unit, you only have access to the physical interfaces on your virtual domain. The FortiGate
unit can tag packets leaving on a VLAN subinterface. It can also remove VLAN tags from incoming packets and add a
different VLAN tag to outgoing packets.
Normally in VLAN configurations, the FortiGate unit's internal interface is connected to a VLAN trunk, and the external
interface connects to an Internet router that is not configured for VLANs. In this configuration, the FortiGate unit can
apply different policies for traffic on each VLAN interface connected to the internal interface, which results in less
network traffic and better security.

Sample topology

In this example, two different internal VLAN networks share one interface on the FortiGate unit and share the connection
to the Internet. This example shows that two networks can have separate traffic streams while sharing a single interface.
This configuration can apply to two departments in a single company or to different companies.
There are two different internal network VLANs in this example. VLAN_100 is on the 10.1.1.0/255.255.255.0 subnet, and
VLAN_200 is on the 10.1.2.0/255.255.255.0 subnet. These VLANs are connected to the VLAN switch.
The FortiGate internal interface connects to the VLAN switch through an 802.1Q trunk. The internal interface has an IP
address of 192.168.110.126 and is configured with two VLAN subinterfaces (VLAN_100 and VLAN_200). The external
interface has an IP address of 172.16.21.2 and connects to the Internet. The external interface has no VLAN
subinterfaces.
When the VLAN switch receives packets from VLAN_100 and VLAN_200, it applies VLAN ID tags and forwards the
packets of each VLAN both to local ports and to the FortiGate unit across the trunk link. The FortiGate unit has policies
that allow traffic to flow between the VLANs, and from the VLANs to the external network.

Sample configuration

In this example, both the FortiGate unit and the Cisco 2950 switch are installed and connected and basic configuration
has been completed. On the switch, you need access to the CLI to enter commands. No VDOMs are enabled in this
example.
General configuration steps include:
1. Configure the external interface.
2. Add two VLAN subinterfaces to the internal network interface.
3. Add firewall addresses and address ranges for the internal and external networks.
4. Add security policies to allow:
    - the VLAN networks to access each other.
    - the VLAN networks to access the external network.

To configure the external interface:

config system interface
    edit external
        set mode static
        set ip 172.16.21.2 255.255.255.0
    next
end

To add VLAN subinterfaces:

config system interface
    edit VLAN_100
        set vdom root
        set interface internal
        set type vlan
        set vlanid 100
        set mode static
        set ip 10.1.1.1 255.255.255.0
        set allowaccess https ping
    next
    edit VLAN_200
        set vdom root
        set interface internal
        set type vlan
        set vlanid 200
        set mode static
        set ip 10.1.2.1 255.255.255.0
        set allowaccess https ping
    next
end

To add the firewall addresses:

config firewall address
    edit VLAN_100_Net
        set type ipmask
        set subnet 10.1.1.0 255.255.255.0
    next
    edit VLAN_200_Net
        set type ipmask
        set subnet 10.1.2.0 255.255.255.0
    next
end

To add security policies:

Policies 1 and 2 do not need NAT enabled, but policies 3 and 4 do need NAT enabled.

config firewall policy
    edit 1
        set srcintf VLAN_100
        set srcaddr VLAN_100_Net
        set dstintf VLAN_200
        set dstaddr VLAN_200_Net
        set schedule always
        set service ALL
        set action accept
        set nat disable
        set status enable
    next
    edit 2
        set srcintf VLAN_200
        set srcaddr VLAN_200_Net
        set dstintf VLAN_100
        set dstaddr VLAN_100_Net
        set schedule always
        set service ALL
        set action accept
        set nat disable
        set status enable
    next
    edit 3
        set srcintf VLAN_100
        set srcaddr VLAN_100_Net
        set dstintf external
        set dstaddr all
        set schedule always
        set service ALL
        set action accept
        set nat enable
        set status enable
    next
    edit 4
        set srcintf VLAN_200
        set srcaddr VLAN_200_Net
        set dstintf external
        set dstaddr all
        set schedule always
        set service ALL
        set action accept
        set nat enable
        set status enable
    next
end


VLANs in transparent mode

In transparent mode, the FortiGate unit behaves like a layer-2 bridge but can still provide services such as antivirus
scanning, web filtering, spam filtering, and intrusion protection to traffic. Some limitations of transparent mode are that you
cannot use SSL VPN, PPTP/L2TP VPN, or DHCP server, or easily perform NAT on traffic. The limits in transparent mode
apply to IEEE 802.1Q VLAN trunks passing through the unit.
You can insert the FortiGate unit operating in transparent mode into the VLAN trunk without making changes to your
network. In a typical configuration, the FortiGate unit internal interface accepts VLAN packets on a VLAN trunk from a
VLAN switch or router connected to internal network VLANs. The FortiGate external interface forwards VLAN-tagged
packets through another VLAN trunk to an external VLAN switch or router and on to external networks such as the
Internet. You can configure the unit to apply different policies for traffic on each VLAN in the trunk.
To pass VLAN traffic through the FortiGate unit, you add two VLAN subinterfaces with the same VLAN ID, one to the
internal interface and the other to the external interface. You then create a security policy to permit packets to flow from
the internal VLAN interface to the external VLAN interface. If required, create another security policy to permit packets to
flow from the external VLAN interface to the internal VLAN interface. Typically in transparent mode, you do not permit
packets to move between different VLANs. Network protection features such as spam filtering, web filtering, and anti-
virus scanning, are applied through the UTM profiles specified in each security policy, enabling very detailed control over
traffic.
When the FortiGate unit receives a VLAN-tagged packet on a physical interface, it directs the packet to the VLAN
subinterface with the matching VLAN ID. The VLAN tag is removed from the packet and the FortiGate unit then applies
security policies using the same method it uses for non-VLAN packets. If the packet exits the FortiGate unit through a
VLAN subinterface, the VLAN ID for that subinterface is added to the packet and the packet is sent to the corresponding
physical interface.

Sample topology

In this example, the FortiGate unit is operating in transparent mode and is configured with two VLANs: one with an ID of
100 and the other with ID 200. The internal and external physical interfaces each have two VLAN subinterfaces, one for
VLAN_100 and one for VLAN_200.
The IP range for the internal VLAN_100 network is 10.100.0.0/255.255.0.0, and for the internal VLAN_200 network is
10.200.0.0/255.255.0.0.
The internal networks are connected to a Cisco 2950 VLAN switch, which combines traffic from the two VLANs onto one
trunk into the FortiGate unit's internal interface. The VLAN traffic leaves the FortiGate unit on the external network
interface, goes on to the VLAN switch, and on to the Internet. When the FortiGate unit receives a tagged packet, it directs it
from the incoming VLAN subinterface to the outgoing VLAN subinterface for that VLAN.
In this example, we create a VLAN subinterface on the internal interface and another one on the external interface, both
with the same VLAN ID. Then we create security policies that allow packets to travel between the VLAN_100_int
interface and the VLAN_100_ext interface. Two policies are required: one for each direction of traffic. The same is
required between the VLAN_200_int interface and the VLAN_200_ext interface, for a total of four security policies.


Sample configuration

There are two main steps to configure your FortiGate unit to work with VLANs in transparent mode:
1. Add VLAN subinterfaces.
2. Add security policies.
You can also configure the protection profiles that manage antivirus scanning, web filtering, and spam filtering.

To add VLAN subinterfaces:

config system interface
    edit VLAN_100_int
        set type vlan
        set interface internal
        set vlanid 100
    next
    edit VLAN_100_ext
        set type vlan
        set interface external
        set vlanid 100
    next
    edit VLAN_200_int
        set type vlan
        set interface internal
        set vlanid 200
    next
    edit VLAN_200_ext
        set type vlan
        set interface external
        set vlanid 200
    next
end

To add security policies:

config firewall policy
    edit 1
        set srcintf VLAN_100_int
        set srcaddr all
        set dstintf VLAN_100_ext
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
    next
    edit 2
        set srcintf VLAN_100_ext
        set srcaddr all
        set dstintf VLAN_100_int
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
    next
    edit 3
        set srcintf VLAN_200_int
        set srcaddr all
        set dstintf VLAN_200_ext
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
    next
    edit 4
        set srcintf VLAN_200_ext
        set srcaddr all
        set dstintf VLAN_200_int
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
    next
end

Virtual VLAN switch

The hardware switch ports on FortiGate models that support virtual VLAN switches can be used as a layer 2 switch.
Virtual VLAN switch mode allows 802.1Q VLANs to be assigned to ports, and the configuration of one interface as a
trunk port.
The following FortiGate series are supported in FortiOS 7.4: 40F, 60F, 70F, 80F, 90G, 100E, 100F, 120G, 140E, 200F,
300E, 400E, 400F, 600F, 1100E, 1800F, 2600F, 3000F, 3500F, 4200F, and 4400F.
The virtual-switch-vlan option must be enabled in the CLI to configure VLAN switch mode from the GUI or CLI.

To enable VLAN switches:

config system global
    set virtual-switch-vlan enable
end

After this setting is enabled, any previously configured hardware switches will appear in the Network > Interfaces page
under VLAN Switch.

To enable VLAN switch mode in the GUI:

1. Go to System > Settings.
2. In the View Settings section, enable VLAN switch mode.
3. Click Apply.

Basic configurations

Hardware switch ports can be configured as either a VLAN switch port or a trunk port. The available interfaces and
allowable VLAN IDs that can be used depend on the FortiGate model. It is recommended to remove ports from the
default VLAN switch before you begin configuration.

To create a new VLAN and assign ports in the GUI:

1. Go to Network > Interfaces and click Create New > Interface.
2. Enter a name and configure the following:
    a. Set the Type to VLAN Switch.
    b. Enter a VLAN ID.
    c. Click the + and add the Interface Members.
    d. Configure the Address and Administrative Access settings as needed.
3. Click OK.

To create a new VLAN and assign ports in the CLI:

1. Configure the VLAN:


config system virtual-switch
edit "VLAN10"
set physical-switch "sw0"
set vlan 10
config port
edit "internal1"
next
edit "internal2"
next
end
next
end

2. Configure the VLAN switch interface addressing:


config system interface
edit "VLAN10"
set vdom "root"
set ip 192.168.10.99 255.255.255.0
set allowaccess ping https ssh snmp http fgfm
set type hard-switch
next
end

To designate an interface as a trunk port:

config system interface
edit internal5
set trunk enable
next
end


Example 1: HA using a VLAN switch

In this example, two FortiGates in an HA cluster are connected to two ISP routers. Instead of connecting to external L2
switches, each FortiGate connects each ISP router to the same hardware switch port on the same VLAN. A trunk port
connects the two FortiGates and carries the 802.1Q-tagged traffic between them, so each ISP router is reachable from both
cluster members. The result is a full mesh between the FortiGate cluster and the ISP routers in which no single point of
failure disrupts traffic.

This example assumes that the HA settings are already configured. The interface and VLAN switch settings are identical
between cluster members and synchronized. See HA using a hardware switch to replace a physical switch on page 2923
for a similar example that does not use a VLAN switch.

To configure the VLAN switches:

1. Configure the ISP interfaces with the corresponding VLAN IDs:


config system virtual-switch
edit "ISP1"
set physical-switch "sw0"
set vlan 2951
config port
edit "port1"
next
end
next
edit "ISP2"
set physical-switch "sw0"
set vlan 2952
config port
edit "port2"
next
end
next
end

2. Configure the VLAN switch interface addressing:


config system interface
edit "ISP1"
set vdom "root"
set ip 192.168.10.99 255.255.255.0
set allowaccess ping
set type hard-switch
next
edit "ISP2"
set vdom "root"
set ip 192.168.20.99 255.255.255.0
set allowaccess ping
set type hard-switch
next
end

3. Designate port15 as the trunk port:


config system interface
edit port15
set trunk enable
next
end

4. Configure firewall policies to allow outgoing traffic on the ISP1 and ISP2 interfaces:
config firewall policy
edit 1
set srcintf "port11"
set dstintf "ISP1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat enable
next
edit 2
set srcintf "port11"
set dstintf "ISP2"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat enable
next
end

Example 2: LAN extension

In this example, two hardware switch ports are assigned VLAN10, and two ports are assigned VLAN20 on FortiGate B.
The wan2 interface is designated as the trunk port, and is connected to the upstream FortiGate A. The corresponding
VLAN subinterfaces VLAN10 and VLAN20 on the upstream FortiGate allow further access to other networks.

The available interfaces and VLAN IDs vary between FortiGate models. FortiGate B in this example is a 60F model.

To configure FortiGate B:

1. Configure the VLAN interfaces:


config system virtual-switch
edit "VLAN10"
set physical-switch "sw0"
set vlan 10
config port
edit "internal1"
next
edit "internal2"
next
end
next
edit "VLAN20"
set physical-switch "sw0"
set vlan 20
config port
edit "internal3"
next
edit "internal4"
next
end
next
end

2. Configure the VLAN switch interface addressing:


config system interface
edit "VLAN10"
set vdom "root"
set ip 192.168.10.99 255.255.255.0
set allowaccess ping https ssh snmp http fgfm
set type hard-switch
next
edit "VLAN20"
set vdom "root"
set ip 192.168.20.99 255.255.255.0
set allowaccess ping https ssh snmp http fgfm
set type hard-switch
next
end

3. Designate wan2 as the trunk port:


config system interface
edit wan2
set trunk enable
next
end


To configure FortiGate A:

1. Configure the VLAN subinterfaces:


config system interface
edit "VLAN10"
set ip 192.168.10.98 255.255.255.0
set allowaccess ping https ssh
set role lan
set interface "dmz"
set vlanid 10
next
edit "VLAN20"
set ip 192.168.20.98 255.255.255.0
set allowaccess ping https ssh
set role lan
set interface "dmz"
set vlanid 20
next
end

2. Configure the DHCP server on VLAN10:


config system dhcp server
edit 0
set dns-service default
set default-gateway 192.168.10.98
set netmask 255.255.255.0
set interface "VLAN10"
config ip-range
edit 1
set start-ip 192.168.10.100
set end-ip 192.168.10.254
next
end
set timezone-option default
next
end

3. Configure firewall policies that allow traffic from the VLAN10 and VLAN20 interfaces to the internet:
config firewall policy
edit 0
set name "VLAN10-out"
set srcintf "VLAN10"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat enable
next
edit 0
set name "VLAN20-out"
set srcintf "VLAN20"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat enable
next
end

To test the connection:

1. Connect a PC to internal1 on FortiGate B.


2. Verify that it receives an IP address from FortiGate A’s DHCP server.
3. From the PC, ping FortiGate B on 192.168.10.99.
4. Ping FortiGate A on 192.168.10.98.
5. Connect to the internet. Traffic is allowed by the VLAN10-out policy.

QinQ 802.1Q in 802.1ad

QinQ (802.1ad) allows multiple VLAN tags to be inserted into a single frame, and can be configured on supported
FortiGate devices.
In this example, the customer connects to a provider that uses 802.1ad double-tagging to separate their customer
VLANs. The FortiGate connecting to the provider double-tags its frames with an outer provider-tag (S-Tag) and an inner
customer-tag (C-Tag).

The customer identifies itself with the provider-tag (S-Tag) 232 and uses the customer-tag (C-Tag) 444 for traffic to its
VLAN.

To configure the interfaces:

1. Configure the interface to the provider that uses the outer tag (S-Tag):
config system interface
edit "vlan-8021ad"
set vdom "root"
set vlan-protocol 8021ad
set device-identification enable
set role lan
set snmp-index 47
set interface "PORT"
set vlanid 232
next
end

2. Configure a dynamic VLAN interface that uses the inner tag (C-Tag):
config system interface
edit "DVLAN"
set vdom "vdom1"
set device-identification enable
set role lan
set snmp-index 48
set interface "vlan-8021ad"
set vlanid 444
next
end

QinQ 802.1Q in 802.1Q

QinQ (802.1Q in 802.1Q) is supported for FortiGate VM models, where multiple VLAN tags can be inserted into a single
frame.

In this example, the FortiGate VM is connected to a provider vSwitch and then a customer switch. The FortiGate
encapsulates the frame with an outer 802.1Q tag of VLAN 100 and an inner 802.1Q tag of VLAN 200; port5 is used as
the physical port. The provider vSwitch strips the outer tag and forwards traffic to the appropriate customer. Then the
customer switch strips the inner tag and forwards the packet to the appropriate customer VLAN.

To configure the interfaces:

1. Configure the interface to the provider that uses the outer tag:
config system interface
edit "vlan-8021q"
set vdom "root"
set device-identification enable
set role lan
set interface "port5"
set vlan-protocol 8021q
set vlanid 100
next
end

2. Configure the VLAN subinterface on top of it that carries the inner tag (the customer-side tag):
config system interface
edit "vlan-qinq8021q"
set vdom "root"
set ip 1.1.1.71 255.255.255.0
set allowaccess ping https ssh snmp http
set device-identification enable
set role lan
set interface "vlan-8021q"
set vlanid 200
next
end


To verify the traffic:

1. From the FortiGate, ping 1.1.1.72:


# execute ping 1.1.1.72
PING 1.1.1.72 (1.1.1.72): 56 data bytes
64 bytes from 1.1.1.72: icmp_seq=0 ttl=255 time=0.2 ms
64 bytes from 1.1.1.72: icmp_seq=1 ttl=255 time=0.1 ms
64 bytes from 1.1.1.72: icmp_seq=2 ttl=255 time=0.1 ms
64 bytes from 1.1.1.72: icmp_seq=3 ttl=255 time=0.1 ms
^C
--- 1.1.1.72 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.1/0.1/0.2 ms

2. Verify the packet capture frame header output captured from the FortiGate's port5:
Frame 2: 106 bytes on wire (848 bits), 106 bytes captured (848 bits)
Ethernet II, Src: VMware_93:ae:8f (00:50:56:93:ae:8f), Dst: VMware_93:e3:72
(00:50:56:93:e3:72)
Destination: VMware_93:e3:72 (00:50:56:93:e3:72)
Source: VMware_93:ae:8f (00:50:56:93:ae:8f)
Type: 802.1Q Virtual LAN (0x8100)
802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 100
000. .... .... .... = Priority: Best Effort (default) (0)
...0 .... .... .... = DEI: Ineligible
.... 0000 0110 0100 = ID: 100
Type: 802.1Q Virtual LAN (0x8100)
802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 200
000. .... .... .... = Priority: Best Effort (default) (0)
...0 .... .... .... = DEI: Ineligible
.... 0000 1100 1000 = ID: 200
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 1.1.1.71, Dst: 1.1.1.72
Internet Control Message Protocol

The outer tag (first tag) is an 802.1Q tag with VLAN ID 100. The inner tag (second tag) is also an 802.1Q tag with
VLAN ID 200.
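
The two QinQ variants above differ only in the outer TPID: 802.1ad uses 0x88A8 for the S-Tag, while the FortiGate VM example stacks two 0x8100 tags. The following Python script is an added example written for this page, not code from the guide; it builds both frame layouts, walks the tag stack the way the packet capture above shows it, and models a device that only understands 0x8100, which sees an 802.1ad frame as an unknown EtherType 0x88A8 rather than as a VLAN tag (a common reason a provider link appears to carry no traffic). The MAC addresses are taken from the capture above; the IPv4 payload is a constructed placeholder.

```python
"""Build and dissect 802.1Q and 802.1ad tag stacks. Added example, not FortiOS code."""
import struct

ETH_P_8021Q = 0x8100   # C-Tag TPID, also used for both tags in "802.1Q in 802.1Q"
ETH_P_8021AD = 0x88A8  # S-Tag TPID used by 802.1ad providers
ETH_P_IPV4 = 0x0800
TAG_NAMES = {ETH_P_8021Q: "802.1Q", ETH_P_8021AD: "802.1ad"}


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, tags, payload_ethertype, payload):
    """tags: (tpid, pcp, dei, vid) tuples, outermost first; TCI = PCP(3) | DEI(1) | VID(12)."""
    frame = mac(dst) + mac(src)
    for tpid, pcp, dei, vid in tags:
        if not 0 <= vid <= 4095:
            raise ValueError(f"VID {vid} out of range")
        frame += struct.pack("!HH", tpid, (pcp << 13) | (dei << 12) | vid)
    return frame + struct.pack("!H", payload_ethertype) + payload


def parse_tags(frame, accepted=frozenset(TAG_NAMES)):
    """Walk the tag stack after the two MAC addresses.
    Returns (tags, payload_ethertype, payload_offset). `accepted` is the set of TPIDs this
    parser treats as VLAN tags, so a pure-802.1Q device is modelled with {0x8100}."""
    offset, tags = 12, []
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype not in accepted:
            return tags, ethertype, offset
        (tci,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        tags.append({"tpid": ethertype, "pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})


def describe(frame, accepted=frozenset(TAG_NAMES)):
    """One line per tag, in the order a dissector prints them, then the payload EtherType."""
    tags, ethertype, _ = parse_tags(frame, accepted)
    return [f"{TAG_NAMES[t['tpid']]} ID {t['vid']}" for t in tags] + [f"payload 0x{ethertype:04X}"]


# Constructed payload: a minimal IPv4 header from 1.1.1.71 to 1.1.1.72 (checksum left zero).
DUMMY_IPV4 = bytes.fromhex("45000054000040004001" + "0000" + "01010147" + "01010148")
DST, SRC = "00:50:56:93:e3:72", "00:50:56:93:ae:8f"


def qinq_8021q_frame():
    """Outer 802.1Q ID 100, inner 802.1Q ID 200, as in the FortiGate VM example."""
    return build_frame(DST, SRC, [(ETH_P_8021Q, 0, 0, 100), (ETH_P_8021Q, 0, 0, 200)],
                       ETH_P_IPV4, DUMMY_IPV4)


def qinq_8021ad_frame():
    """Outer 802.1ad S-Tag 232, inner C-Tag 444, as in the provider example."""
    return build_frame(DST, SRC, [(ETH_P_8021AD, 0, 0, 232), (ETH_P_8021Q, 0, 0, 444)],
                       ETH_P_IPV4, DUMMY_IPV4)


if __name__ == "__main__":
    for frame in (qinq_8021q_frame(), qinq_8021ad_frame()):
        print(describe(frame), "| seen by an 802.1Q-only parser:", describe(frame, {ETH_P_8021Q}))
```

Running it prints the same tag order as the capture (802.1Q ID 100, then 802.1Q ID 200, then IPv4) for the VM case, and shows that the 802.1ad frame is reported as a bare 0x88A8 payload by a parser that does not know the S-Tag TPID.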

Aggregation and redundancy

Link aggregation (IEEE 802.3ad, now 802.1AX) enables you to bind two or more physical interfaces together to form an
aggregated (combined) link. This new link has the bandwidth of all the links combined. If a link in the group fails, traffic is
transferred automatically to the remaining interfaces. The only noticeable effect is reduced bandwidth.
This feature is similar to redundant interfaces. The major difference is that a redundant interface group only uses one link at a
time, whereas an aggregate link group uses the total bandwidth of all functioning links in the group (the maximum number of
members depends on the model).
An interface is available to be an aggregate interface if:
• It is a physical interface and not a VLAN interface or subinterface.
• It is not already part of an aggregate or redundant interface.
• It is in the same VDOM as the aggregated interface. Aggregate ports cannot span multiple VDOMs.
• It does not have an IP address and is not configured for DHCP or PPPoE.
• It is not referenced in any security policy, VIP, IP Pool, or multicast policy.
• It is not an HA heartbeat interface.
• It is not one of the FortiGate-5000 series backplane interfaces.
When an interface is included in an aggregate interface, it is not listed on the Network > Interfaces page. Interfaces still
appear in the CLI, although configuration applied to those interfaces does not take effect. You cannot configure the interface
individually and it is not available for inclusion in security policies, VIPs, IP pools, or routing.

Example configuration

This example creates an aggregate interface on a FortiGate-140D POE using port4, port5, and port6 with an internal IP address
of 10.1.1.123, and with administrative access for HTTPS and SSH.

To create an aggregate interface in the GUI:

1. Go to Network > Interfaces and select Create New > Interface.


2. Set Name to aggregate.
3. Set Type to 802.3ad Aggregate.
4. Set Interface members to port4, port5, and port6.
5. Set Addressing mode to Manual.
6. Set IP/Netmask to 10.1.1.123/24.
7. For Administrative Access, select HTTPS and SSH.
8. Click OK.

To create an aggregate interface in the CLI:

config system interface
edit "aggregate"
set vdom "root"
set ip 10.1.1.123 255.255.255.0
set allowaccess https ssh
set type aggregate
set member "port4" "port5" "port6"
set snmp-index 45
next
end

Redundancy

In a redundant interface, traffic only goes over one interface at any time. This differs from an aggregated interface where
traffic goes over all interfaces for increased bandwidth. This difference means redundant interfaces can have more
robust configurations with fewer possible points of failure. This is important in a fully-meshed HA configuration.
An interface is available to be in a redundant interface if:
• It is a physical interface and not a VLAN interface.
• It is not already part of an aggregated or redundant interface.
• It is in the same VDOM as the redundant interface.
• It does not have an IP address and is not configured for DHCP or PPPoE.
• It has no DHCP server or relay configured on it.
• It does not have any VLAN subinterfaces.
• It is not referenced in any security policy, VIP, or multicast policy.
• It is not monitored by HA.
• It is not one of the FortiGate-5000 series backplane interfaces.
When an interface is included in a redundant interface, it is not listed on the Network > Interfaces page. You cannot
configure the interface individually and it is not available for inclusion in security policies, VIPs, or routing.
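
The eligibility lists for aggregate members (above, under Aggregation and redundancy) and for redundant members (just above) are the checks that stop a port from being added; running them against a configuration backup before a change avoids discovering a rejected member during a maintenance window. The following Python script is an added example written for this page, not Fortinet code: it parses the config/edit/set/next/end syntax used throughout this guide and reports each interface as eligible or rejected with the reason. The sample configuration is constructed. The DHCP-server and VLAN-subinterface checks are listed only for redundant interfaces, but an interface referenced by any other configuration is rejected from an aggregate as well (the GUI notes for hardware and software switches say the same), so the script applies every check to both kinds.

```python
"""Pre-flight check of aggregate/redundant member eligibility from a FortiOS config text.
Added example for this page; the sample configuration below is constructed."""
import shlex


def parse_fortios(text):
    """Parse config/edit/set/next/end syntax into nested dicts; every set value is a list."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif cmd == "set":
            stack[-1][args[0]] = args[1:]
        elif cmd in ("next", "end"):
            stack.pop()
    return root


NO_IP = ["0.0.0.0", "0.0.0.0"]  # what FortiOS shows for an interface without an address


def audit_members(cfg, vdom):
    """Return (eligible, rejected) for membership of an aggregate or redundant interface in vdom."""
    intfs = cfg.get("system interface", {})
    grouped = {m for i in intfs.values()
               if i.get("type", ["physical"])[0] in ("aggregate", "redundant")
               for m in i.get("member", [])}
    heartbeat = set(cfg.get("system ha", {}).get("hbdev", [])[::2])  # hbdev lists name/priority pairs
    parents = {i["interface"][0] for i in intfs.values() if i.get("type", [""])[0] == "vlan"}
    dhcp = {s.get("interface", [""])[0] for s in cfg.get("system dhcp server", {}).values()}
    refs = {}
    for pid, pol in cfg.get("firewall policy", {}).items():
        for name in pol.get("srcintf", []) + pol.get("dstintf", []):
            refs.setdefault(name, []).append(pid)
    eligible, rejected = [], {}
    for name, i in intfs.items():
        kind, mode = i.get("type", ["physical"])[0], i.get("mode", ["static"])[0]
        checks = [
            (kind != "physical", f"type {kind} is not physical"),
            (i.get("vdom", ["root"])[0] != vdom, "belongs to another VDOM"),
            (i.get("ip", NO_IP) != NO_IP, "has an IP address"),
            (mode in ("dhcp", "pppoe"), f"addressing mode is {mode}"),
            (name in grouped, "already an aggregate/redundant member"),
            (name in heartbeat, "HA heartbeat interface"),
            (name in parents, "has VLAN subinterfaces"),
            (name in dhcp, "has a DHCP server"),
            (name in refs, "referenced by firewall policy " + ", ".join(refs.get(name, []))),
        ]
        why = [reason for failed, reason in checks if failed]
        if why:
            rejected[name] = why
        else:
            eligible.append(name)
    return eligible, rejected


SAMPLE_CONFIG = """
config system interface
    edit "port1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.0
    next
    edit "port4"
        set vdom "root"
    next
    edit "port5"
        set vdom "root"
    next
    edit "port6"
        set vdom "root"
    next
    edit "port9"
        set vdom "root"
    next
    edit "port10"
        set vdom "root"
    next
    edit "agg0"
        set vdom "root"
        set type aggregate
        set member "port10" "port11"
    next
    edit "vlan30"
        set vdom "root"
        set type vlan
        set interface "port6"
    next
end
config system ha
    set hbdev "port9" 50
end
config system dhcp server
    edit 1
        set interface "port5"
    next
end
config firewall policy
    edit 1
        set srcintf "port4"
        set dstintf "port1"
    next
end
"""

if __name__ == "__main__":
    ok, bad = audit_members(parse_fortios(SAMPLE_CONFIG), "root")
    print("eligible:", ok, {n: "; ".join(r) for n, r in bad.items()})
```

Note that port4 is rejected here only because the constructed policy references it; removing that reference (and port1's address) is exactly the cleanup the guide asks for before the ports are grouped.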

Example configuration

To create a redundant interface in the GUI:

1. Go to Network > Interfaces and select Create New > Interface.


2. Set Name to redundant.
3. Set Type to Redundant Interface.
4. Set Interface members to port4, port5, and port6.
5. Set Addressing mode to Manual.
6. Set IP/Netmask to 10.13.101.100/24.
7. For Administrative Access, select HTTPS and SSH.
8. Click OK.

To create a redundant interface in the CLI:

config system interface
edit "redundant"
set vdom "root"
set ip 10.13.101.100 255.255.255.0
set allowaccess https ssh
set type redundant
set member "port4" "port5" "port6"
set snmp-index 9
next
end

Enhanced hashing for LAG member selection

FortiGate models that have an internal switch that supports modifying the distribution algorithm can use enhanced
hashing to distribute traffic evenly (load balance) across the links of a link aggregation group (LAG) interface.
The enhanced hashing algorithm is based on a 5-tuple of the IP protocol, source IP address, destination IP address,
source port, and destination port.
Different computation methods allow for more variation in the load balancing distribution, in case one algorithm does not
distribute traffic evenly between links across different XAUIs. The available methods are:

xor16 Use the XOR operator to make a 16 bit hash.

xor8 Use the XOR operator to make an 8 bit hash.

xor4 Use the XOR operator to make a 4 bit hash.

crc16 Use the CRC-16-CCITT polynomial to make a 16 bit hash.

The following NP6 non-service FortiGate models support this feature: 1500D, 1500DT, 3000D, 3100D, 3200D, 3700D,
and 5001D.

To configure the enhanced hashing:

config system npu
set lag-out-port-select {enable | disable}
config sw-eh-hash
set computation {xor4 | xor8 | xor16 | crc16}
set ip-protocol {include | exclude}
set source-ip-upper-16 {include | exclude}
set source-ip-lower-16 {include | exclude}
set destination-ip-upper-16 {include | exclude}
set destination-ip-lower-16 {include | exclude}
set source-port {include | exclude}
set destination-port {include | exclude}
set netmask-length {0 - 32}
end
end

For example, to use XOR16 and include all of the fields in the 5-tuple to compute the link in the LAG interface that the
packet is distributed to:
config system npu
set lag-out-port-select enable
config sw-eh-hash
set computation xor16
set ip-protocol include
set source-ip-upper-16 include
set source-ip-lower-16 include
set destination-ip-upper-16 include
set destination-ip-lower-16 include
set source-port include
set destination-port include
set netmask-length 32
end
end
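
The guide does not document how the NP6 switch combines the selected fields, so the following Python model is an added illustration of the knobs in the sw-eh-hash table rather than Fortinet's implementation: the field order, the 16-bit word layout, the XOR fold, the handling of netmask-length and the final modulo over the number of links are all assumptions. It shows the effect a practitioner most often has to reason about when tuning these options: with the ports excluded, every flow between the same pair of hosts lands on the same link, so one busy host pair can never use more than one member's capacity. The crc16 computation is the CRC-16-CCITT polynomial named above and is checked against its standard test vector; the 64 sample flows are constructed.

```python
"""Model of 5-tuple enhanced hashing for LAG member selection.
Added illustration for this page; the word layout and the final modulo are assumptions,
not the NP6 implementation."""
import ipaddress
from collections import Counter

COMPUTATIONS = {"xor16": 16, "xor8": 8, "xor4": 4}
FIELD_ORDER = ["ip-protocol", "source-ip-upper-16", "source-ip-lower-16",
               "destination-ip-upper-16", "destination-ip-lower-16", "source-port", "destination-port"]


def crc16_ccitt(data, poly=0x1021, init=0xFFFF):
    """CRC-16-CCITT (MSB first, no reflection); check value for b"123456789" is 0x29B1."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def xor_fold(words, bits):
    """XOR the selected 16-bit words together, then fold the result down to `bits` bits."""
    acc, mask = 0, (1 << bits) - 1
    for word in words:
        acc ^= word
    while acc > mask:
        acc = (acc & mask) ^ (acc >> bits)
    return acc


def selected_words(flow, cfg):
    """Build the 16-bit words fed to the hash, honouring the include/exclude and netmask-length options.
    Assumption: netmask-length masks the host bits of both addresses before they are split."""
    host_mask = (0xFFFFFFFF << (32 - cfg.get("netmask-length", 32))) & 0xFFFFFFFF
    src = int(ipaddress.IPv4Address(flow["src"])) & host_mask
    dst = int(ipaddress.IPv4Address(flow["dst"])) & host_mask
    values = [flow["proto"], src >> 16, src & 0xFFFF, dst >> 16, dst & 0xFFFF, flow["sport"], flow["dport"]]
    return [v for name, v in zip(FIELD_ORDER, values) if cfg.get(name, "include") == "include"]


def select_member(flow, cfg, n_links):
    """Index of the LAG member this flow is pinned to (assumption: hash modulo member count)."""
    words = selected_words(flow, cfg)
    computation = cfg.get("computation", "xor16")
    if computation == "crc16":
        h = crc16_ccitt(b"".join(w.to_bytes(2, "big") for w in words))
    else:
        h = xor_fold(words, COMPUTATIONS[computation])
    return h % n_links


def distribution(flows, cfg, n_links):
    """How many of the flows land on each member."""
    return Counter(select_member(f, cfg, n_links) for f in flows)


# Constructed sample: 64 TCP flows between one client/server pair, differing only in source port.
FLOWS = [{"proto": 6, "src": "10.0.0.1", "dst": "10.0.0.2", "sport": 40000 + i, "dport": 443}
         for i in range(64)]
ALL_FIELDS_XOR16 = {"computation": "xor16", "netmask-length": 32}
NO_PORTS_XOR16 = dict(ALL_FIELDS_XOR16, **{"source-port": "exclude", "destination-port": "exclude"})
ALL_FIELDS_CRC16 = {"computation": "crc16", "netmask-length": 32}

if __name__ == "__main__":
    for label, cfg in (("xor16, all fields", ALL_FIELDS_XOR16), ("xor16, ports excluded", NO_PORTS_XOR16),
                       ("crc16, all fields", ALL_FIELDS_CRC16)):
        print(f"{label:24} -> {dict(sorted(distribution(FLOWS, cfg, 4).items()))}")
```

With all fields included the 64 flows spread over the four members; with the ports excluded every flow hashes to the same member, which is what a LAG with one polarized link looks like in practice.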

LAG interface status signals to peer device

FortiGate can signal link aggregation group (LAG) interface status to the peer device. If the number of available links in the
LAG on the FortiGate falls below the configured minimum number of links (min-links), the LAG interface goes down
on both the FortiGate and the peer device.
When the minimum number of links is satisfied again, the LAG interface automatically resumes operation on both the
FortiGate and the peer device. While the LAG interface is down, interface members are in the Link Aggregation Control
Protocol (LACP) MUX state of Waiting.

Example

In this example, the LAG interface is configured on FGT_A and peered with FGT_B.


To verify the configuration:

1. On FGT_A, check the minimum number of links for the LAG interface named test_agg1.
In the following example, set min-links 1 indicates that a minimum of one alive interface member is required to
keep the LAG interface up.
# show
config system interface
edit "test_agg1"
set vdom "vdom1"
set ip 11.1.1.1 255.255.255.0
set allowaccess ping https
set type aggregate
set member "port7" "port8" "port9"
set device-identification enable
set lldp-transmission enable
set role lan
set snmp-index 41
set min-links 1
next
end

2. Change the status of port9 to down:
config system interface
edit port9
set status down
next
end

3. On FGT_A, check the LAG interface named test_agg1.
The status is up for the test_agg1 interface because two interface members (port7 and port8) are up and only one
interface member (port9) is down, which still satisfies min-links 1.
# diagnose netlink aggregate name test_agg1
LACP flags: (A|P)(S|F)(A|I)(I|O)(E|D)(E|D)
(A|P) - LACP mode is Active or Passive
(S|F) - LACP speed is Slow or Fast
(A|I) - Aggregatable or Individual
(I|O) - Port In sync or Out of sync
(E|D) - Frame collection is Enabled or Disabled
(E|D) - Frame distribution is Enabled or Disabled

status: up
npu: y
flush: n
asic helper: y
oid: 72
ports: 3
link-up-delay: 50ms
min-links: 1
ha: master
distribution algorithm: L4
LACP mode: active
LACP speed: slow
LACP HA: enable
aggregator ID: 1
actor key: 17
actor MAC address: d4:76:a0:01:e0:44
partner key: 17
partner MAC address: d4:76:a0:01:e8:1e

member: port7
index: 0
link status: up
link failure count: 1
permanent MAC addr: d4:76:a0:01:e0:44
LACP state: established
LACPDUs RX/TX: 4/17
actor state: ASAIEE
actor port number/key/priority: 1 17 255
partner state: ASAIEE
partner port number/key/priority: 1 17 255
partner system: 1 d4:76:a0:01:e8:1e
aggregator ID: 1
speed/duplex: 1000 1
RX state: CURRENT 6
MUX state: COLLECTING_DISTRIBUTING 4

member: port8
index: 1
link status: up
link failure count: 2
permanent MAC addr: d4:76:a0:01:e0:45
LACP state: established
LACPDUs RX/TX: 216/222
actor state: ASAIEE
actor port number/key/priority: 2 17 255
partner state: ASAIEE
partner port number/key/priority: 2 17 255
partner system: 1 d4:76:a0:01:e8:1e
aggregator ID: 1
speed/duplex: 1000 1
RX state: CURRENT 6
MUX state: COLLECTING_DISTRIBUTING 4

member: port9
index: 2
link status: down
link failure count: 0
permanent MAC addr: d4:76:a0:01:e0:46

4. On FGT_A, change the minimum number of links to 3:
config system interface
edit "test_agg1"
set vdom "vdom1"
set ip 11.1.1.1 255.255.255.0
set allowaccess ping https
set type aggregate
set member "port7" "port8" "port9"
set device-identification enable
set lldp-transmission enable
set role lan
set snmp-index 41
set min-links 3
next
end

5. On FGT_A, check the LAG interface named test_agg1:
The status is down for the test_agg1 interface because only two of the three required interface members are up: port7
and port8 are up, but port9 is down. The members that are up stay in the LACP MUX state of Waiting with frame collection
and distribution disabled (actor state ASAODD), which is how the down state is signalled to the peer.
# diagnose netlink aggregate name test_agg1
LACP flags: (A|P)(S|F)(A|I)(I|O)(E|D)(E|D)
(A|P) - LACP mode is Active or Passive
(S|F) - LACP speed is Slow or Fast
(A|I) - Aggregatable or Individual
(I|O) - Port In sync or Out of sync
(E|D) - Frame collection is Enabled or Disabled
(E|D) - Frame distribution is Enabled or Disabled

status: down
npu: y
flush: n
asic helper: y
oid: 230
ports: 3
link-up-delay: 50ms
min-links: 3
ha: master
distribution algorithm: L4
LACP mode: active
LACP speed: slow
LACP HA: enable
aggregator ID: 1
actor key: 17
actor MAC address: e8:1c:ba:b3:d0:df
partner key: 17
partner MAC address: e8:1c:ba:df:a0:ba

member: port7
index: 0
link status: up
link failure count: 1
permanent MAC addr: e8:1c:ba:b3:d0:df
LACP state: negotiating
LACPDUs RX/TX: 10/23
actor state: ASAODD
actor port number/key/priority: 1 17 255
partner state: ASAIDD
partner port number/key/priority: 1 17 255
partner system: 61440 e8:1c:ba:df:a0:ba
aggregator ID: 1
speed/duplex: 1000 1
RX state: CURRENT 6
MUX state: WAITING 2

member: port8
index: 1
link status: up
link failure count: 1
permanent MAC addr: e8:1c:ba:b3:d0:e0
LACP state: negotiating
LACPDUs RX/TX: 222/228
actor state: ASAODD
actor port number/key/priority: 2 17 255
partner state: ASAIDD
partner port number/key/priority: 65 17 255
partner system: 61440 e8:1c:ba:df:a0:ba
aggregator ID: 1
speed/duplex: 1000 1
RX state: CURRENT 6
MUX state: WAITING 2

member: port9
index: 2
link status: down
link failure count: 0
permanent MAC addr: e8:1c:ba:b3:d0:ed

6. On the peer FortiGate (FGT_B), check the LAG interface status.
The status is down for the test_agg2 interface even though FGT_B's own min-links is 1 and its members port7 and port8
are up. FGT_A has signalled the LAG status to the peer by reporting its ports as out of sync (partner state ASAODD in the
output below), so FGT_B stops collecting and distributing on them (actor state ASAIDD, MUX state Attached). Interface
member port9 is down on both sides.
# diagnose netlink aggregate name test_agg2
LACP flags: (A|P)(S|F)(A|I)(I|O)(E|D)(E|D)
(A|P) - LACP mode is Active or Passive
(S|F) - LACP speed is Slow or Fast
(A|I) - Aggregatable or Individual
(I|O) - Port In sync or Out of sync
(E|D) - Frame collection is Enabled or Disabled
(E|D) - Frame distribution is Enabled or Disabled

status: down
npu: y
flush: n
asic helper: y
oid: 72
ports: 3
link-up-delay: 50ms
min-links: 1
ha: master
distribution algorithm: L4
LACP mode: active
LACP speed: slow
LACP HA: enable
aggregator ID: 1
actor key: 17
actor MAC address: d4:76:a0:01:e8:1e
partner key: 17
partner MAC address: d4:76:a0:01:e0:44

member: port7
index: 0
link status: up
link failure count: 1
permanent MAC addr: d4:76:a0:01:e8:1e
LACP state: negotiating
LACPDUs RX/TX: 13/14
actor state: ASAIDD
actor port number/key/priority: 1 17 255
partner state: ASAODD
partner port number/key/priority: 1 17 255
partner system: 44237 d4:76:a0:01:e0:44
aggregator ID: 1
speed/duplex: 1000 1
RX state: CURRENT 6
MUX state: ATTACHED 3

member: port8
index: 1
link status: up
link failure count: 1
permanent MAC addr: d4:76:a0:01:e8:1f
LACP state: negotiating
LACPDUs RX/TX: 15/14
actor state: ASAIDD
actor port number/key/priority: 2 17 255
partner state: ASAODD
partner port number/key/priority: 2 17 255
partner system: 44237 d4:76:a0:01:e0:44
aggregator ID: 1
speed/duplex: 1000 1
RX state: CURRENT 6
MUX state: ATTACHED 3

member: port9
index: 2
link status: down
link failure count: 0
permanent MAC addr: d4:76:a0:01:e8:20
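
Because the peer's min-links and member link states look healthy in step 6, a monitoring check that only counts members with link status up would miss this condition. The following Python script is an added example, not from the guide: it parses the diagnose netlink aggregate output format shown above, decodes the six-letter LACP state using the legend the command prints, and separates a local min-links shortfall (step 5) from a peer-signalled down (step 6). The two sample outputs are constructed, trimmed to the fields the parser uses and modelled on the output above.

```python
"""Parse `diagnose netlink aggregate name <lag>` output and explain why a LAG is down.
Added example for this page; the sample outputs are constructed."""


def decode_lacp_state(flags):
    """Decode the LACP state string using the legend the command prints: (A|P)(S|F)(A|I)(I|O)(E|D)(E|D)."""
    return {"active": flags[0] == "A", "fast": flags[1] == "F", "aggregatable": flags[2] == "A",
            "in_sync": flags[3] == "I", "collecting": flags[4] == "E", "distributing": flags[5] == "E"}


def parse_aggregate(text):
    """Return the top-level key/value fields plus a 'members' list; values are kept as strings."""
    info = {"members": []}
    current = None
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        if not sep:
            continue  # blank lines and the flag legend carry no key/value pair
        key, value = key.strip(), value.strip()
        if key == "member":
            current = {"name": value}
            info["members"].append(current)
        elif current is None:
            info[key] = value
        else:
            current[key] = value
    return info


def members_up(info):
    return [m for m in info["members"] if m.get("link status") == "up"]


def check_min_links(info):
    """Return (healthy, reason), separating a local min-links shortfall from a peer-signalled down."""
    need, up, total = int(info.get("min-links", "1")), members_up(info), len(info["members"])
    if info.get("status") == "up":
        return True, f"{len(up)}/{total} members up, min-links {need} satisfied"
    if len(up) < need:
        return False, f"local min-links shortfall: {len(up)} up, {need} required"
    out_of_sync = [m["name"] for m in up
                   if "partner state" in m and not decode_lacp_state(m["partner state"])["in_sync"]]
    if out_of_sync:
        return False, "peer signalled LAG down: partner out of sync on " + ", ".join(out_of_sync)
    return False, "LAG down for a reason not visible in this output"


# Constructed: FGT_A after min-links was raised to 3 with port9 down (compare step 5 above).
SAMPLE_LOCAL_SHORTFALL = """\
status: down
ports: 3
min-links: 3
LACP mode: active

member: port7
link status: up
actor state: ASAODD
partner state: ASAIDD
MUX state: WAITING 2

member: port8
link status: up
actor state: ASAODD
partner state: ASAIDD
MUX state: WAITING 2

member: port9
link status: down
"""

# Constructed: the peer FGT_B, whose own min-links is satisfied but whose partner went out of sync (step 6).
SAMPLE_PEER_SIGNALLED = SAMPLE_LOCAL_SHORTFALL.replace("min-links: 3", "min-links: 1") \
    .replace("actor state: ASAODD", "actor state: ASAIDD") \
    .replace("partner state: ASAIDD", "partner state: ASAODD") \
    .replace("MUX state: WAITING 2", "MUX state: ATTACHED 3")

if __name__ == "__main__":
    for label, text in (("FGT_A", SAMPLE_LOCAL_SHORTFALL), ("FGT_B", SAMPLE_PEER_SIGNALLED)):
        print(label, check_min_links(parse_aggregate(text)))
```

A monitor built on this check can alert with a reason the on-call engineer can act on: "local min-links shortfall" points at a cable or member port on this FortiGate, while "peer signalled LAG down" points at the other end.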

Failure detection for aggregate and redundant interfaces

When an aggregate or redundant interface goes down, the interfaces listed as its fail-alert interfaces are changed to down as
well. When the aggregate or redundant interface comes up, the fail-alert interfaces change back to up. This lets a device
connected to a fail-alert interface see the loss of the aggregate or redundant link as a link-down event and fail over
accordingly.

Fail-detect for aggregate and redundant interfaces can be configured using the CLI.

To configure an aggregate interface so that port3 goes down with it:

config system interface
edit "agg1"
set vdom "root"
set fail-detect enable
set fail-alert-method link-down
set fail-alert-interfaces "port3"
set type aggregate
set member "port1" "port2"
next
end

To configure a redundant interface so that port4 goes down with it:

config system interface
edit "red1"
set vdom "root"
set fail-detect enable
set fail-alert-method link-down
set fail-alert-interfaces "port4"
set type redundant
set member "port1" "port2"
next
end

Loopback interface

A loopback interface is a logical interface that is always up. Its IP address does not depend on one specific physical port,
and the attached subnet is always present in the routing table. Therefore, it can be accessed through several physical or
VLAN interfaces.
Typically, a loopback interface can be used with management access, BGP peering, PIM rendezvous points, and SD-
WAN.
A loopback interface requires appropriate firewall policies to allow traffic to the interface. For example, see IPsec tunnel
terminated on a loopback interface on page 217.
Multiple loopback interfaces can be configured in either non-VDOM mode or in each VDOM.
Dynamic routing protocols can be enabled on loopback interfaces, and using them for OSPF is good practice. To make OSPF
easier to troubleshoot, set the OSPF router ID to the same value as the loopback IP address; a router ID seen in OSPF output
then doubles as the address at which that FortiGate can be reached over SSH.
A loopback interface is configured using similar steps as a physical interface (see Configuring an interface).

IPsec tunnel terminated on a loopback interface

As mentioned above, a loopback interface requires appropriate firewall policies to allow traffic to the interface. In other
words, traffic ingressing on an interface that is destined for the IP address of a loopback interface requires a firewall
policy from that ingress interface to the loopback interface; otherwise the traffic is dropped.
For example, consider the following topology where an IPsec tunnel is terminated on a loopback interface, VPN_LO, on
the FortiGate FGT-1 and on a WAN interface on the FortiGate FGT-2.

We will focus on the configuration required for FortiGate FGT-1.

The IPsec tunnel terminates on the loopback interface VPN_LO, whose IP address the remote peer uses as its IPsec remote
gateway address.
The IPsec tunnel uses wan1 as its underlay interface.
In this scenario, the administrator of FGT-1 must configure a firewall policy from the wan1 interface to the VPN_LO
interface that allows incoming traffic from the remote peer to reach VPN_LO, so that the IPsec tunnel can be established.
The policy below allows all sources and services for brevity. In production, restrict srcaddr to the remote peer's address and
service to the predefined IKE and ESP services rather than ALL, and keep logging enabled so that failed negotiations against
the loopback remain visible.
For example:
config firewall policy
edit 4
set name "Loopback-In"
set srcintf "wan1"
set dstintf "VPN_LO"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic disable
next
end

Software switch

A software switch is a virtual switch that is implemented at the software or firmware level and not at the hardware level. A
software switch can be used to simplify communication between devices connected to different FortiGate interfaces. For
example, a software switch lets you place the FortiGate interface connected to an internal network on the same subnet
as your wireless interfaces. Then devices on the internal network can communicate with devices on the wireless network
without any additional configuration on the FortiGate unit, such as additional security policies.
A software switch can also be useful if you require more hardware ports for the switch on a FortiGate unit. For example, if
your FortiGate unit has a 4-port switch, WAN1, WAN2, and DMZ interfaces, and you need one more port, you can create
a soft switch that can include the four-port switch and the DMZ interface, all on the same subnet. These types of
applications also apply to wireless interfaces, virtual wireless interfaces, and physical interfaces such as those in
FortiWiFi and FortiAP units.
Similar to a hardware switch, a software switch functions like a single interface. It has one IP address, and all the
interfaces in the software switch are on the same subnet. Traffic between devices connected to each interface is not
regulated by security policies, and traffic passing in and out of the switch is controlled by the same policy.
When setting up a software switch, consider the following:
• Ensure that you have a backup of the configuration.
• Ensure that you have at least one port or connection, such as the console port, to connect to the FortiGate unit. If
you accidentally combine too many ports, you need a way to undo errors.
• The ports that you include must not have any link or relation to any other aspect of the FortiGate unit, such as DHCP
servers, security policies, and so on.
• Ensure the Create address object matching subnet option is disabled if any port Role is set to either LAN or DMZ.
• For increased security, you can create a captive portal for the switch to allow only specific user groups access to the
resources connected to the switch.
Some of the differences between software and hardware switches are:

Feature                         | Software switch                                                  | Hardware switch
Processing                      | Packets are processed in software by the CPU.                    | Packets are processed in hardware by the hardware switch controller, or SPU where applicable.
STP                             | Not supported                                                    | Supported
Wireless SSIDs                  | Supported                                                        | Not supported
Intra-switch traffic            | Allowed by default. Can be explicitly set to require a policy.   | Allowed by default.
Active-active HA load balancing | Not supported                                                    | Supported

To create a software switch in the GUI:

1. Go to Network > Interfaces.


2. Click Create New > Interface.
3. Set Type to Software Switch.
4. Configure the Name, Interface members, and other fields as required.
To add an interface to a software switch, it must not be referenced by any existing configuration and its IP address
must be set to 0.0.0.0/0.0.0.0.
5. Click OK.

To create a software switch in the CLI:

config system switch-interface
edit <interface>
set vdom <vdom>
set member <interface_list>
set type switch
next
end
config system interface
edit <interface>
set vdom <vdom>
set type switch
set ip <ip_address>
set allowaccess https ssh ping
next
end

To add an interface to a software switch, it cannot be referenced by an existing configuration and its IP address must be
set to 0.0.0.0/0.0.0.0.

Example

For this example, the wireless interface (WiFi) needs to be on the same subnet as the DMZ1 interface to facilitate
wireless synchronization between an iPhone and a local computer. Because synchronization between two subnets is
problematic, putting both interfaces on the same subnet allows synchronization to work. The software switch will
accomplish this.
1. Clear the interfaces and back up the configuration:
a. Ensure the interfaces are not used for other security policy or for other use on the FortiGate unit.
b. Check the WiFi and DMZ1 ports to ensure that DHCP is disabled and that there are no other dependencies on
these interfaces.
c. Save the current configuration so that it can be recovered if something goes wrong.
2. Merge the WiFi port and DMZ1 port to create a software switch named synchro with an IP address of 10.10.21.12
and administrative access for HTTPS, SSH and PING:
config system switch-interface
edit synchro
set vdom "root"
set type switch
set member dmz1 wifi
next
end
config system interface
edit synchro
set ip 10.10.21.12 255.255.255.0
set allowaccess https ssh ping
next
end

After the switch is set up, add security policies, DHCP servers, and any other settings that are required.

Hardware switch

A hardware switch is a virtual switch interface that groups different ports together so that the FortiGate can use the group
as a single interface. Supported FortiGate models have a default hardware switch called either internal or lan. The
hardware switch is supported by the chipset at the hardware level.
Ports that are connected to the same hardware switch behave like they are on the same physical switch in the same
broadcast domain. Ports can be removed from a hardware switch and assigned to another switch or used as standalone
interfaces.
Some of the differences between hardware and software switches are:

Feature                Hardware switch                                        Software switch
Processing             Packets are processed in hardware by the hardware      Packets are processed in software by the CPU.
                       switch controller, or SPU where applicable.
STP                    Supported                                              Not supported
802.1x                 Supported on the following NP6 platforms:              Not supported
                       FG-30xE, FG-40xE, and FG-110xE
Wireless SSIDs         Not supported                                          Supported
Intra-switch traffic   Allowed by default.                                    Allowed by default. Can be explicitly set to
                                                                              require a policy.


After ports are added to a virtual switch with STP or 802.1x enabled, you can enable or disable STP or 802.1x for each
member port.

To change the ports in a hardware switch in the GUI:

1. Go to Network > Interface and edit the hardware switch.
2. Click inside the Interface members field.
3. Select interfaces to add or remove them from the hardware switch, then click Close.
To add an interface to a hardware switch, it cannot be referenced by an existing configuration and its IP address
must be set to 0.0.0.0/0.0.0.0.
4. Click OK.
Removed interfaces will now be listed as standalone interfaces in the Physical Interface section.

To remove ports from a hardware switch in the CLI:

config system virtual-switch
    edit "internal"
        config port
            delete internal2
            delete internal7
            ...
        end
    next
end

To add ports to a hardware switch in the CLI:

config system virtual-switch
    edit "internal"
        set physical-switch "sw0"
        config port
            edit "internal3"
            next
            edit "internal5"
            next
            edit "internal4"
            next
            edit "internal6"
            next
        end
    next
end

To add an interface to a hardware switch, it cannot be referenced by an existing configuration and its IP address must be
set to 0.0.0.0/0.0.0.0.

Example of using 802.1X on virtual switches

In this example, port3 and port4 are part of a hardware switch interface. The hardware switch acts as a virtual switch so
that devices can connect directly to these ports and perform 802.1X authentication on the port.

Prerequisites:

1. Configure a RADIUS server (see RADIUS servers on page 2604).
2. Define a user group named test to use the remote RADIUS server and for 802.1X authentication (see User
definition, groups, and settings on page 2564).
3. Configure a hardware switch (named 18188) with port3 and port4 as the members.
4. Configure a firewall policy that allows traffic from the 18188 hardware switch to go to the internet.
5. Enable 802.1X authentication on the client devices.

To configure 802.1X authentication on a hardware switch in the GUI:

1. Go to Network > Interfaces and edit the hardware switch.
2. In the Network section, enable Security mode and select 802.1X.
3. Click the + to add the User group.
4. Click OK.

To configure 802.1X authentication on a hardware switch in the CLI:

1. Configure the virtual hardware switch interfaces:
config system virtual-switch
    edit "18188"
        set physical-switch "sw0"
        config port
            edit "port3"
            next
            edit "port4"
            next
        end
    next
end

2. Configure 802.1X authentication:
config system interface
    edit "18188"
        set vdom "vdom1"
        set ip 1.1.1.1 255.255.255.0
        set allowaccess ping https ssh snmp fgfm ftm
        set type hard-switch
        set security-mode 802.1X
        set security-groups "test"
        set device-identification enable
        set lldp-transmission enable
        set role lan
        set snmp-index 52
    next
end

To verify that the 802.1X authentication was successful:

1. Get a client connected to port3 to authenticate to access the internet.
2. In FortiOS, verify the 802.1X authentication port status:
# diagnose sys 802-1x status
Virtual switch '18188' (default mode) 802.1x member status:
port3: Link up, 802.1X state: authorized
port4: Link up, 802.1X state: unauthorized

Example of disabling 802.1x on one port

In this example, FortiGate is connected to two switches, and a virtual switch named hw1 is configured with two port
members: port3 and port5. 802.1x authentication is enabled for port3 and disabled for port5.

To configure 802.1x authentication for individual ports:

1. Configure a virtual switch to use port3 and port5:
config system virtual-switch
    edit "hw1"
        set physical-switch "sw0"
        config port
            edit "port3"
            next
            edit "port5"
            next
        end
    next
end


2. Enable 802.1x authentication for the virtual switch:
config system interface
    edit "hw1"
        set vdom "vdom1"
        set ip 6.6.6.1 255.255.255.0
        set allowaccess ping https ssh
        set type hard-switch
        set security-mode 802.1X
        set security-groups "group_radius"
        set device-identification enable
        set lldp-transmission enable
        set role lan
        set snmp-index 55
        set ip-managed-by-fortiipam disable
    next
end

3. Disable 802.1x authentication on port5:
config system interface
    edit "port5"
        set vdom "vdom1"
        set type physical
        set security-8021x-member-mode disable
        set snmp-index 9
    next
end

802.1x authentication is disabled on port5 and remains enabled on port3.

Example of disabling STP on one port

In this example, FortiGate is connected to two switches, and a virtual switch named hw1 is configured with two port
members: port3 and port5. STP is enabled for port3 and disabled for port5. Any STP sent to port5 is silently ignored.
Port3 remains enabled for STP.

To configure STP for individual ports:

1. Configure a virtual switch to use port3 and port5:
config system virtual-switch
    edit "hw1"
        set physical-switch "sw0"
        config port
            edit "port3"
            next
            edit "port5"
            next
        end
    next
end


2. Enable STP for the virtual switch:
config system interface
    edit "hw1"
        set vdom "vdom1"
        set ip 6.6.6.1 255.255.255.0
        set allowaccess ping https ssh
        set type hard-switch
        set stp enable
        set device-identification enable
        set lldp-transmission enable
        set role lan
        set snmp-index 55
        set ip-managed-by-fortiipam disable
    next
end

3. Disable STP on port5 by enabling it as an STP edge port:
config system interface
    edit "port5"
        set vdom "vdom1"
        set type physical
        set stp-edge enable
        set snmp-index 9
    next
end

Port5 is enabled as an edge port with STP disabled. Port3 remains enabled for STP.

Zone

Zones are a group of one or more physical or virtual FortiGate interfaces that you can apply firewall policies to for
controlling inbound and outbound traffic. Grouping interfaces and VLAN subinterfaces into zones simplifies creating
firewall policies where a number of network segments can use the same policy settings and protection profiles.
When you add a zone, you select the names of the interfaces and VLAN subinterfaces to add to the zone. Each interface
still has its own address. Routing is still done between interfaces, that is, routing is not affected by zones. You can use
firewall policies to control the flow of intra-zone traffic.
For example, in the sample configuration below, the network includes three separate groups of users representing
different entities on the company network. While each group has its own set of ports and VLANs in each area, they can
all use the same firewall policy and protection profiles to access the Internet. Rather than the administrator making nine
separate firewall policies, he can make administration simpler by adding the required interfaces to a zone and creating
three policies.

Example configuration

You can configure policies for connections to and from a zone but not between interfaces in a zone. For this example,
you can create a firewall policy to go between zone 1 and zone 3, but not between WAN2 and WAN1, or WAN1 and
DMZ1.


To create a zone in the GUI:

1. Go to Network > Interfaces.
If VDOMs are enabled, go to the VDOM to create a zone.
2. Click Create New > Zone.
3. Configure the Name and add the Interface Members.
4. Enable or disable Block intra-zone traffic as required.
5. Click OK.

To configure a zone to include the internal interface and a VLAN using the CLI:

config system zone
    edit zone_1
        set interface internal VLAN_1
        set intrazone {deny | allow}
    next
end

Using zone in a firewall policy

To configure a firewall policy that allows any interface in the zone to access the Internet using the CLI:

config firewall policy
    edit 2
        set name "2"
        set srcintf "Zone_1"
        set dstintf "port15"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end


Intra-zone traffic

In the zone configuration you can set intrazone deny to prohibit the different interfaces in the same zone from talking
to each other.
For example, suppose you have ten interfaces in your zone and the intrazone setting is deny. You now want to allow
traffic between a very small number of networks on different interfaces that are part of the zone, but you do not want to
disable the intra-zone blocking.
In this example, the zone VLANs are defined as: 192.168.1.0/24, 192.168.2.0/24, ... 192.168.10.0/24.
The following policy allows traffic from 192.168.1.x to 192.168.2.x even though they are in the same zone and intra-zone
blocking is enabled. The intra-zone blocking acts as a default deny rule, and you have to specifically override it by
creating a policy within the zone.

To enable intra-zone traffic, create the following policy:

Source Interface       Zone-name, e.g., Vlans
Source Address         192.168.1.0/24
Destination            Zone-name (same as Source Interface, i.e., Vlans)
Destination Address    192.168.2.0/24

Virtual wire pair

A virtual wire pair consists of two interfaces that do not have IP addressing and are treated like a transparent mode
VDOM. All traffic received by one interface in the virtual wire pair can only be forwarded to the other interface, provided a
virtual wire pair firewall policy allows this traffic. Traffic from other interfaces cannot be routed to the interfaces in a virtual
wire pair. Redundant and 802.3ad aggregate (LACP) interfaces can be included in a virtual wire pair.
Virtual wire pairs are useful for a typical topology where MAC addresses do not behave normally. For example, port
pairing can be used in a Direct Server Return (DSR) topology where the response MAC address pair may not match the
request’s MAC address pair.

When creating a new virtual wire pair, the Interface members field displays interfaces without
assigned addresses. Interfaces with assigned addresses are not displayed.
Therefore, you cannot add to a virtual wire pair an interface with Addressing mode set to
DHCP. If you change the interface settings to Manual with IP/Netmask set to 0.0.0.0/0.0.0.0,
you can add the interface to a virtual wire pair.

Example

In this example, a virtual wire pair (port3 and port4) makes it easier to protect a web server that is behind a FortiGate
operating as an Internal Segmentation Firewall (ISFW). Users on the internal network access the web server through the
ISFW over the virtual wire pair.

Interfaces used in a virtual wire pair cannot be used to access the ISFW FortiGate. Before
creating a virtual wire pair, make sure you have a different port configured to allow admin
access using your preferred protocol.


To add a virtual wire pair using the GUI:

1. Go to Network > Interfaces.
2. Click Create New > Virtual Wire Pair.
3. Enter a name for the virtual wire pair.
4. Select the Interface Members to add to the virtual wire pair (port3 and port4).
These interfaces cannot be part of a switch, such as the default LAN/internal interface.
5. If required, enable Wildcard VLAN and set the VLAN Filter.
6. Click OK.

To add a virtual wire pair using the CLI:

config system virtual-wire-pair
    edit "VWP-name"
        set member "port3" "port4"
        set wildcard-vlan disable
    next
end

To create a virtual wire pair policy using the GUI:

1. Go to Policy & Objects > Firewall Virtual Wire Pair Policy.
2. Click Create New.
3. In the Virtual Wire Pair field, click the + to add the virtual wire pair.
4. Select the direction (arrows) that traffic is allowed to flow.
5. Configure the other settings as needed.
6. Click OK.

To create a virtual wire pair policy using the CLI:

config firewall policy
    edit 1
        set name "VWP-Policy"
        set srcintf "port3" "port4"
        set dstintf "port3" "port4"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set fsso disable
    next
end


Configuring multiple virtual wire pairs in a virtual wire pair policy

You can create a virtual wire pair policy that includes different virtual wire pairs in NGFW profile and policy mode. This
reduces the overhead of creating multiple similar policies, one for each VWP. In NGFW policy mode, multiple virtual wire
pairs can be configured in a Security Virtual Wire Pair Policy and a Virtual Wire Pair SSL Inspection & Authentication
policy.
The virtual wire pair settings must have wildcard VLAN enabled. When configuring a policy in the CLI, the virtual wire pair
members must be entered in srcintf and dstintf as pairs.

To configure multiple virtual wire pairs in a policy in the GUI:

1. Configure the virtual wire pairs:
a. Go to Network > Interfaces and click Create New > Virtual Wire Pair.
b. Create a pair with the following settings:

Name                 test-vwp-1
Interface members    wan1, wan2
Wildcard VLAN        Enable

c. Click OK.
d. Click Create New > Virtual Wire Pair and create another pair with the following settings:

Name                 test-vwp-2
Interface members    port19, port20
Wildcard VLAN        Enable

e. Click OK.
2. Configure the policy:
a. Go to Policy & Objects > Firewall Virtual Wire Pair Policy and click Create New.
b. In the Virtual Wire Pair field, click the + to add test-vwp-1 and test-vwp-2. Select the direction for each of the
selected virtual wire pairs.
c. Configure the other settings as needed.
d. Click OK.

To configure multiple virtual wire pairs in a policy in the CLI:

1. Configure the virtual wire pairs:
config system virtual-wire-pair
    edit "test-vwp-1"
        set member "wan1" "wan2"
        set wildcard-vlan enable
    next
    edit "test-vwp-2"
        set member "port19" "port20"
        set wildcard-vlan enable
    next
end

2. Configure the policy:
config firewall policy
    edit 1
        set name "vwp1&2-policy"
        set srcintf "port19" "wan1"
        set dstintf "port20" "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end


PRP handling in NAT mode with virtual wire pair

PRP (Parallel Redundancy Protocol) is supported in NAT mode for a virtual wire pair. This preserves the PRP RCT
(redundancy control trailer) while the packet is processed by the FortiGate.

To configure PRP handling on a device in NAT mode:

1. Enable PRP in the VDOM settings:
(root) # config system settings
    set prp-trailer-action enable
end

2. Enable PRP in the NPU attributes:
(global) # config system npu
    set prp-port-in "port15"
    set prp-port-out "port16"
end

3. Configure the virtual wire pair:
(root) # config system virtual-wire-pair
    edit "test-vwp-1"
        set member "port15" "port16"
    next
end

Using VLAN sub-interfaces in virtual wire pairs

VLAN sub-interfaces, such as regular 802.1Q and 802.1ad (QinQ), are allowed to be members of a virtual wire pair.

Example

In this example, the FortiGate has two VLAN interfaces. The first interface is a QinQ (802.1ad) interface over the
physical interface port3. The second interface is a basic 802.1Q VLAN interface over physical interface port5. These two
interfaces are grouped in a virtual wire pair so that bi-directional traffic is allowed. This example demonstrates ICMP from
the client (3.3.3.4) sent to the server (3.3.3.1).

To configure VLAN sub-interfaces in a virtual wire pair:

1. Configure the QinQ interfaces:
config system interface
    edit "8021ad-port3"
        set vdom "vdom1"
        set vlan-protocol 8021ad
        set device-identification enable
        set role lan
        set snmp-index 31
        set interface "port3"
        set vlanid 3
    next
    edit "8021Q"
        set vdom "vdom1"
        set device-identification enable
        set role lan
        set snmp-index 32
        set interface "8021ad-port3"
        set vlanid 33
    next
end

2. Configure the 802.1Q interface:
config system interface
    edit "8021q-port5"
        set vdom "vdom1"
        set device-identification enable
        set role lan
        set snmp-index 33
        set interface "port5"
        set vlanid 5
    next
end

3. Configure the virtual wire pair:
config system virtual-wire-pair
    edit "VWP1"
        set member "8021Q" "8021q-port5"
    next
end

4. Configure the firewall policy:
config firewall policy
    edit 1
        set name "1"
        set srcintf "8021Q" "8021q-port5"
        set dstintf "8021Q" "8021q-port5"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
end

To verify that bi-directional traffic passes through the FortiGate:

# diagnose sys session filter policy 1
# diagnose sys session list
session info: proto=1 proto_state=00 duration=18 expire=42 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
state=may_dirty br npu
statistic(bytes/packets/allow_err): org=168/2/1 reply=168/2/1 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=56->55/55->56 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=noop 3.3.3.4:3072->3.3.3.1:8(0.0.0.0:0)
hook=post dir=reply act=noop 3.3.3.1:3072->3.3.3.4:0(0.0.0.0:0)
src_mac=08:5b:0e:71:bf:c6 dst_mac=d4:76:a0:5d:b2:de
misc=0 policy_id=1 pol_uuid_idx=534 auth_info=0 chk_client_info=0 vd=3
serial=00005f6c tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x4000c00 ofld-O ofld-R
npu info: flag=0x81/0x81, offload=8/8, ips_offload=0/0, epid=187/156, ipid=156/187, vlan=0x0005/0x0021
vlifid=156/187, vtag_in=0x0005/0x0021 in_npu=1/1, out_npu=1/1, fwd_en=0/0, qid=0/5
total session 1
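As a scripted form of the verification step above (an added example, not FortiOS code), the following Python parses the diagnose sys session list text into fields, confirms that packets were counted in both directions under policy 1, and decodes the NPU vtag_in values, which for this session are 0x0005 and 0x0021, that is, the VLAN IDs 5 and 33 configured on the two sub-interfaces. The sample text is the session entry shown above.

```python
"""Parse 'diagnose sys session list' output to confirm bi-directional traffic through a
virtual wire pair policy. Added example, not FortiOS code; SAMPLE_OUTPUT is the session
entry shown in the guide (ICMP from 3.3.3.4 to 3.3.3.1 over the VLAN sub-interface VWP)."""
import re

SAMPLE_OUTPUT = """\
session info: proto=1 proto_state=00 duration=18 expire=42 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
state=may_dirty br npu
statistic(bytes/packets/allow_err): org=168/2/1 reply=168/2/1 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=56->55/55->56 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=noop 3.3.3.4:3072->3.3.3.1:8(0.0.0.0:0)
hook=post dir=reply act=noop 3.3.3.1:3072->3.3.3.4:0(0.0.0.0:0)
src_mac=08:5b:0e:71:bf:c6 dst_mac=d4:76:a0:5d:b2:de
misc=0 policy_id=1 pol_uuid_idx=534 auth_info=0 chk_client_info=0 vd=3
serial=00005f6c tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x4000c00 ofld-O ofld-R
npu info: flag=0x81/0x81, offload=8/8, ips_offload=0/0, epid=187/156, ipid=156/187, vlan=0x0005/0x0021
vlifid=156/187, vtag_in=0x0005/0x0021 in_npu=1/1, out_npu=1/1, fwd_en=0/0, qid=0/5
total session 1
"""

# bytes/packets/allow_err counters for the original and reply directions
STAT_RE = re.compile(r"org=(\d+)/(\d+)/(\d+) reply=(\d+)/(\d+)/(\d+)")
# hook=<pre|post> dir=<org|reply> act=<noop|...> <src>-><dst>(<nat>)
HOOK_RE = re.compile(r"hook=(\w+) dir=(\w+) act=(\w+) (\S+)->(\S+?)\(")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_sessions(text: str) -> list:
    """Split the output into sessions and pull out the fields needed to verify the policy."""
    sessions = []
    for block in text.split("session info:")[1:]:
        s = {"org_packets": 0, "reply_packets": 0, "hooks": {}, "vlan_tags": (), "offloaded": False}
        for line in block.splitlines():
            line = line.strip()
            if line.startswith("statistic("):
                m = STAT_RE.search(line)
                s["org_bytes"], s["org_packets"] = int(m[1]), int(m[2])
                s["reply_bytes"], s["reply_packets"] = int(m[4]), int(m[5])
            elif line.startswith("hook="):
                m = HOOK_RE.match(line)
                s["hooks"][m[2]] = {"hook": m[1], "act": m[3], "src": m[4], "dst": m[5]}
            elif line.startswith("state="):
                s["state"] = line[len("state="):].split()
            elif line.startswith("npu_state="):
                # ofld-O / ofld-R mark the original and reply directions as NPU-offloaded
                s["offloaded"] = "ofld-O" in line and "ofld-R" in line
            else:
                for key, val in KV_RE.findall(line):
                    if key in ("proto", "policy_id", "vd"):
                        s[key] = int(val)
                    elif key == "vtag_in":
                        # ingress VLAN tags (hex) seen by the NPU, one per direction
                        s["vlan_tags"] = tuple(int(v, 16) for v in val.split("/"))
        sessions.append(s)
    return sessions


def bidirectional_sessions(text: str, policy_id: int) -> list:
    """Sessions matched to policy_id that carried packets in both directions."""
    return [s for s in parse_sessions(text)
            if s.get("policy_id") == policy_id
            and s["org_packets"] > 0 and s["reply_packets"] > 0
            and "org" in s["hooks"] and "reply" in s["hooks"]]


def vlan_tags_match(session: dict, expected_vlan_ids) -> bool:
    """True when the NPU ingress tags are exactly the VLAN IDs configured on the VWP members."""
    return set(session["vlan_tags"]) == set(expected_vlan_ids)
```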

DVLAN QinQ on NP7 platforms over virtual wire pairs

DVLAN 802.1ad and 802.1Q modes are supported on NP7 platforms over virtual wire pairs, which provides better
performance and packet processing.
The default DVLAN mode is 802.1ad, but the DVLAN mode can be changed using diagnose npu np7 dvlan-mode
<dvlan_mode> {<npid> | all}. The DVLAN mode can be applied to a specific NPID or all NPIDs. For example:
• diagnose npu np7 dvlan-mode 802.1AD 0 will set NP0 to work in 802.1ad mode.
• diagnose npu np7 dvlan-mode 802.1Q all will set all NPUs to work in 802.1Q mode.

A reboot is required for custom DVLAN settings to take effect. To avoid any inconveniences or
disruptions, changing the DVLAN settings should be done during a scheduled downtime or
maintenance window.
The DVLAN mode should only be changed if you are solely using the virtual wire pair (VWP)
and are seeking to enhance performance. Enabling this feature may impact VLAN interfaces
within your network.

In the virtual wire pair settings, the outer-vlan-id can be set. This is the same value as the outer provider-tag (S-Tag).

To configure the outer VLAN ID:

config system virtual-wire-pair
    edit "dvlan-test"
        set member "port33" "port34"
        set wildcard-vlan enable
        set outer-vlan-id 1234
    next
end


Enhanced MAC VLAN

The Media Access Control (MAC) Virtual Local Area Network (VLAN) feature in Linux allows you to configure multiple
virtual interfaces with different MAC addresses (and therefore different IP addresses) on a physical interface.
FortiGate implements an enhanced MAC VLAN consisting of a MAC VLAN with bridge functionality. Because each MAC
VLAN has a unique MAC address, virtual IP addresses (VIPs) and IP pools are supported, and you can disable Source
Network Address Translation (SNAT) in policies.
MAC VLAN cannot be used in a transparent mode virtual domain (VDOM). In a transparent mode VDOM, a packet
leaves an interface with the MAC address of the original source instead of the interface’s MAC address. FortiGate
implements an enhanced version of MAC VLAN where it adds a MAC table in the MAC VLAN which learns the MAC
addresses when traffic passes through.
If you configure a VLAN ID for an enhanced MAC VLAN, it won’t join the switch of the underlying interface. When a
packet is sent to this interface, a VLAN tag is inserted in the packet and the packet is sent to the driver of the underlying
interface. When the underlying interface receives a packet, if the VLAN ID doesn’t match, it won’t deliver the packet to
this enhanced MAC VLAN interface.

When using a VLAN ID, the ID and the underlying interface must be a unique pair, even if they
belong to different VDOMs. This is because the underlying, physical interface uses the VLAN
ID as the identifier to dispatch traffic among the VLAN and enhanced MAC VLAN interfaces.

If you use an interface in an enhanced MAC VLAN, do not use it for other purposes such as a management interface, HA
heartbeat interface, or in Transparent VDOMs.
If a physical interface is used by an EMAC VLAN interface, you cannot use it in a Virtual Wire Pair.
In high availability (HA) configurations, enhanced MAC VLAN is treated as a physical interface. It’s assigned a unique
physical interface ID and the MAC table is synchronized with the secondary devices in the same HA cluster.

In HA configurations, FortiGate assigns a virtual MAC to each interface. Virtual interfaces,
such as EMAC VLAN interfaces with underlying NPU VLINK interface, are an exception and
do not get assigned virtual MAC addresses.

Example 1: Enhanced MAC VLAN configuration for multiple VDOMs that use the same
interface or VLAN

In this example, a FortiGate is connected, through port 1 to a router that’s connected to the Internet. Three VDOMs share
the same interface (port 1) which connects to the same router that’s connected to the Internet. Three enhanced MAC
VLAN interfaces are configured on port 1 for the three VDOMs. The enhanced MAC VLAN interfaces are in the same IP
subnet segment and each have unique MAC addresses.
The underlying interface (port 1) can be a physical interface, an aggregate interface, or a VLAN interface on a physical or
aggregate interface.


To configure enhanced MAC VLAN for this example in the CLI:

config system interface
    edit port1.emacvlan1
        set vdom VDOM1
        set type emac-vlan
        set interface port1
    next
    edit port1.emacvlan2
        set vdom VDOM2
        set type emac-vlan
        set interface port1
    next
    edit port1.emacvlan3
        set vdom VDOM3
        set type emac-vlan
        set interface port1
    next
end

Example 2: Enhanced MAC VLAN configuration for shared VDOM links among multiple
VDOMs

In this example, multiple VDOMs can connect to each other using enhanced MAC VLAN on network processing unit
(NPU) virtual link (Vlink) interfaces.
FortiGate VDOM links (NPU-Vlink) are designed to be peer-to-peer connections and VLAN interfaces on NPU Vlink
ports use the same MAC address. Connecting more than two VDOMs using NPU Vlinks and VLAN interfaces is not
recommended as the VLAN interfaces share the same MAC address. To avoid overlapping MAC addresses on the
same NPU Vlink, use EMAC VLANs instead.


To configure enhanced MAC VLAN for this example in the CLI:

config system interface
    edit npu0_vlink0.emacvlan1
        set vdom VDOM1
        set type emac-vlan
        set interface npu0_vlink0
    next
    edit npu0_vlink0.emacvlan2
        set vdom VDOM3
        set type emac-vlan
        set interface npu0_vlink0
    next
    edit npu0_vlink1.emacvlan1
        set vdom VDOM2
        set type emac-vlan
        set interface npu0_vlink1
    next
end

Example 3: Enhanced MAC VLAN configuration for unique MAC addresses for each
VLAN interface on the same physical port

Some networks require a unique MAC address for each VLAN interface when the VLAN interfaces share the same
physical port. In this case, the enhanced MAC VLAN interface is used the same way as normal VLAN interfaces.
To configure this, use the set vlanid command for the VLAN tag. The VLAN ID and interface must be a unique pair,
even if they belong to different VDOMs.

To configure enhanced MAC VLAN:

config system interface
    edit <interface-name>
        set type emac-vlan
        set vlanid <VLAN-ID>
        set interface <physical-interface>
    next
end

FortiGate supports a maximum of 512 EMAC VLAN interfaces per underlying interface, and a
maximum of 600 MAC addresses including EMAC VLAN interfaces.

VXLAN

Virtual Extensible LAN (VXLAN) is a network virtualization technology used in large cloud computing deployments. It
encapsulates layer 2 Ethernet frames within layer 3 IP packets using the UDP transport protocol on port 4789. VXLAN
endpoints that terminate VXLAN tunnels can be virtual or physical switch ports, and are known as VXLAN tunnel
endpoints (VTEPs).


Sample VXLAN packet

A VXLAN packet encapsulation occurs by first inserting a VXLAN header in front of the original layer 2 frame. This
VXLAN header uses 3 B for the VNID that is used to identify the VXLAN segment, meaning that there are 16,777,215
different possible VNIDs. This allows for more unique LAN segments than possible VLANs. The original frame and the
VXLAN header are then encapsulated into the UDP payload. The outer IP header allows it to be routed and transported
over a layer 3 network, thus providing a layer 2 overlay scheme over a layer 3 network.
This equates to 50 B of overhead over the original frame: 14 B (Ethernet) + 20 B (IPv4) + 8 B (UDP) + 8 B (VXLAN
headers). Since fragmenting a VXLAN packet is not recommended, it is advisable to increase the MTU size to 1550 B or
above if possible, or to decrease the TCP MSS size inside a firewall policy.
For more information about VXLAN, see RFC 7348.
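To make the header layout and the 50 B overhead concrete, the following Python builds a VXLAN encapsulation of a layer 2 frame, parses it back, and checks the 1550 B transport MTU figure. This is an added example, not code from the FortiOS guide; the MAC addresses, VTEP IPs and VNI are constructed sample values.

```python
"""VXLAN encapsulation and decapsulation per RFC 7348 (added example, not FortiOS code).
MAC addresses, VTEP IPs and the VNI below are constructed sample values."""
import struct
from ipaddress import IPv4Address

VXLAN_UDP_PORT = 4789   # IANA-assigned VXLAN destination port (the FortiOS dstport default)
VXLAN_FLAG_I = 0x08     # "I" bit: the VNI field is valid
ETH_HDR, IPV4_HDR, UDP_HDR, VXLAN_HDR = 14, 20, 8, 8
OVERHEAD = ETH_HDR + IPV4_HDR + UDP_HDR + VXLAN_HDR   # 50 bytes added to the original frame
MAX_VNI = (1 << 24) - 1                                # 3-byte VNID field


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over the IPv4 header (0 when verifying a correct header)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header: flags(1) | reserved(3) | VNI(3) | reserved(1)."""
    if not 0 <= vni <= MAX_VNI:
        raise ValueError("VNI must fit in 24 bits")
    return bytes([VXLAN_FLAG_I, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"


def encapsulate(inner_frame: bytes, vni: int, src_mac: str, dst_mac: str,
                vtep_src: str, vtep_dst: str, src_port: int = 49152) -> bytes:
    """Wrap a layer 2 frame in outer Ethernet / IPv4 / UDP / VXLAN headers."""
    vx = vxlan_header(vni)
    udp_len = UDP_HDR + len(vx) + len(inner_frame)
    # UDP checksum 0 (none) is permitted over IPv4 and is common for VXLAN.
    udp = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, udp_len, 0)
    # DF bit set (0x4000): the VXLAN packet must not be fragmented, so the path MTU has to carry it whole.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR + udp_len, 0, 0x4000, 64, 17, 0,
                     IPv4Address(vtep_src).packed, IPv4Address(vtep_dst).packed)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00"   # EtherType IPv4
    return eth + ip + udp + vx + inner_frame


def decapsulate(packet: bytes):
    """Validate the outer headers and return (vni, inner_frame); raise on anything malformed."""
    if len(packet) < OVERHEAD:
        raise ValueError("packet shorter than the VXLAN encapsulation overhead")
    if packet[12:14] != b"\x08\x00":
        raise ValueError("outer frame is not IPv4")
    ihl = (packet[ETH_HDR] & 0x0F) * 4
    ip_hdr = packet[ETH_HDR:ETH_HDR + ihl]
    if ip_hdr[9] != 17:
        raise ValueError("outer IP protocol is not UDP")
    if ipv4_checksum(ip_hdr) != 0:
        raise ValueError("outer IPv4 header checksum mismatch")
    udp_off = ETH_HDR + ihl
    _, dport, udp_len, _ = struct.unpack("!HHHH", packet[udp_off:udp_off + UDP_HDR])
    if dport != VXLAN_UDP_PORT:
        raise ValueError("UDP destination port is not 4789")
    vx_off = udp_off + UDP_HDR
    vx = packet[vx_off:vx_off + VXLAN_HDR]
    if not vx[0] & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag clear: VNI is not valid")
    vni = int.from_bytes(vx[4:7], "big")
    return vni, packet[vx_off + VXLAN_HDR:udp_off + udp_len]


def outer_ip_length(inner_frame_len: int) -> int:
    """Outer IPv4 packet size, i.e. what the transport link's MTU must accommodate."""
    return inner_frame_len + IPV4_HDR + UDP_HDR + VXLAN_HDR


def fits_transport_mtu(inner_frame_len: int, mtu: int) -> bool:
    """True when the encapsulated packet crosses a link with this IP MTU without fragmentation."""
    return outer_ip_length(inner_frame_len) <= mtu


# Constructed sample: a maximum-size 1514-byte inner frame (14 B Ethernet header + 1500 B payload).
SAMPLE_INNER = bytes.fromhex("ffffffffffff0a0a0a0a0a0a0800") + b"\x00" * 1500
SAMPLE_PACKET = encapsulate(SAMPLE_INNER, 1000, "00:11:22:33:44:55", "66:77:88:99:aa:bb",
                            "10.0.0.1", "173.1.1.1")
```

A 1514 B inner frame becomes a 1550 B outer IP packet, which is why the text recommends an MTU of 1550 B or above on the transport network.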
The following topics provide information about VXLAN:
• General VXLAN configuration and topologies on page 238
• VLAN inside VXLAN on page 242
• Virtual wire pair with VXLAN on page 244
• VXLAN over IPsec tunnel with virtual wire pair on page 246
• VXLAN over IPsec using a VXLAN tunnel endpoint on page 250
• VXLAN with MP-BGP EVPN on page 255
• VXLAN troubleshooting on page 267

General VXLAN configuration and topologies

This topic describes general VXLAN configurations and commonly used topologies. In the most basic configuration, a
FortiGate is configured as a VXLAN tunnel endpoint (VTEP).

To configure a FortiGate as a VTEP:

1. Configure the local interface:
config system vxlan
    edit <name>
        set interface <string>
        set vni <integer>
        set ip-version {ipv4-unicast | ipv6-unicast | ipv4-multicast | ipv6-multicast}
        set dstport <integer>
        set remote-ip <IP_address>
        set remote-ip6 <IP_address>
    next
end


interface <string>
    Set the local outgoing interface for the VXLAN encapsulated traffic.
vni <integer>
    Set the VXLAN network ID.
ip-version {ipv4-unicast | ipv6-unicast | ipv4-multicast | ipv6-multicast}
    Set the IP version to use for the VXLAN device and communication over VXLAN (default = ipv4-unicast).
dstport <integer>
    Set the VXLAN destination port (default = 4789).
remote-ip <IP_address>
    Set the IPv4 address of the remote VXLAN endpoint.
remote-ip6 <IP_address>
    Set the IPv6 address of the remote VXLAN endpoint.

The VXLAN system interface is automatically created with a vxlan type.

2. Configure the VXLAN interface settings:
config system interface
    edit <name>
        set vdom <string>
        set type vxlan
        set ip <IP_address>
        set allowaccess {ping https ssh http telnet fgfm radius-acct probe-response fabric ftm speed-test}
    next
end

3. Connect the internal interface and VXLAN interface to the same L2 network.
• Connect using a software switch:
config system switch-interface
    edit <name>
        set vdom <string>
        set member <member_1> <member_2> ... <member_n>
        set intra-switch-policy {implicit | explicit}
    next
end

member <member_1> <member_2> ... <member_n>
    Enter the VXLAN interface and other physical or virtual interfaces that will share the L2 network.
    When adding an interface member to a software switch, it cannot have an IP address or be referenced in any
    other settings. For newly created VLAN interfaces, it is advised to change the role from LAN to undefined so
    that an address is not automatically assigned.
intra-switch-policy {implicit | explicit}
    Allow any traffic between switch interfaces or require firewall policies to allow traffic between switch
    interfaces:
    • implicit: traffic between switch members is implicitly allowed.
    • explicit: traffic between switch members must match firewall policies (explicit firewall policies are
      required to allow traffic between members).
    When in explicit mode, traffic can be offloaded to SOC4/SOC5/NP6/NP7 processors.

• Connect using a virtual wire pair:
config system virtual-wire-pair
    edit <name>
        set member <member_1> <member_2>
        set wildcard-vlan {enable | disable}
        set vlan-filter <filter>
    next
end

member <member_1> <member_2>
    Enter the VXLAN interface and other physical or virtual interface that will share the L2 network.
wildcard-vlan {enable | disable}
    Enable/disable wildcard VLAN. Disable to prevent VLAN-tagged traffic between the members of the virtual wire
    pair (default). Enable for VLAN tags to be allowed between the members.
vlan-filter <filter>
    When wildcard-vlan is enabled, set the VLAN filter to specify which VLANs are allowed. By default, an empty
    vlan-filter allows all VLANs.

4. If using a virtual wire pair, configure a firewall policy that allows bi-directional traffic between the members of the
virtual wire pair and inspection between them:
config firewall policy
    edit <id>
        set name <name>
        set srcintf <member_1> <member_2>
        set dstintf <member_1> <member_2>
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

Topologies

Many topologies can be deployed with VXLAN. A FortiGate can connect to VXLAN endpoints that are Fortinet devices or
devices from other vendors. In the following topologies, it is assumed that at least one of the VTEPs is a FortiGate. The
second VTEP can be any vendor.

Basic VXLAN between two VTEPs

In this topology, a FortiGate (VTEP 1) is configured with a VXLAN interface over port1 where the remote-ip points to
port1 of VTEP 2. The VXLAN interface and port2 can be associated with the same L2 network by making them members
of either a software switch or a virtual wire pair. Devices under the L2 switches are part of the same L2 network.


See Virtual wire pair with VXLAN on page 244 for an example configuration.

VXLAN between two VTEPs with wildcard VLANs

In this topology, a FortiGate (VTEP 1) is configured with a VXLAN interface over port1 where the remote-ip points to
port1 of VTEP 2. The VXLAN interface is combined with port2 into the same L2 network using a virtual wire pair. The
virtual wire pair allows wildcard VLANs to pass, which allows VLAN tags to be encapsulated over VXLAN. As a result,
VLANs can span different switches over VXLAN.

Variations of these two scenarios can also be found in FortiGate to FortiSwitch FortiLink connections over VXLAN. See
Deployment procedures in the FortiSwitch VXLAN Deployment Guide for example configurations.

VXLAN between two VTEPs over IPsec

In scenarios where VTEPs are located in different sites and traffic must be secured between the sites, VXLAN will need
to be encrypted over IPsec. The VXLAN interface must use the IPsec interface as its outgoing interface. The remote-ip
must be configured as the IP of the remote IPsec gateway. The VXLAN interface can be combined with port2 into the
same L2 network using a software switch or virtual wire pair. Devices under the L2 switches can communicate with each
other.

See VXLAN over IPsec tunnel with virtual wire pair on page 246 for an example configuration. A variation of this scenario
is explained in FortiGate LAN extension on page 746 and in FortiExtender as FortiGate LAN extension (FortiExtender
FortiGate-Managed Administration Guide).

VXLAN between multiple VTEPs in an IPsec hub and spoke topology

In this topology, an IPsec VPN hub and spoke overlay network is already configured between sites. To allow networks
behind the hub and spokes to be connected together, each spoke has a VXLAN connection to the hub, and the hub
allows interconnection between its private network and each of the VXLAN interfaces to the spokes. In this scenario, the
private networks behind each spoke are actually on the same L2 network as the private network behind the hub.

See VXLAN over IPsec using a VXLAN tunnel endpoint on page 250 for an example configuration.

VLAN inside VXLAN

VLANs can be assigned to VXLAN interfaces. In a data center network where VXLAN is used to create an L2 overlay
network and for multitenant environments, a customer VLAN tag can be assigned to a VXLAN interface. This allows the
VLAN tag from VLAN traffic to be encapsulated within the VXLAN packet.

To configure VLAN inside VXLAN on HQ1:

1. Configure VXLAN:
config system vxlan
edit "vxlan1"
set interface port1
set vni 1000
set remote-ip 173.1.1.1
next
end

2. Configure the system interfaces:
config system interface
edit vlan100
set vdom root
set vlanid 100
set interface dmz
next
edit vxlan100
set type vlan
set vlanid 100
set vdom root
set interface vxlan1
next
end

3. Configure software-switch:
config system switch-interface
edit sw1
set vdom root
set member vlan100 vxlan100
set intra-switch-policy implicit
next
end

The default intra-switch-policy implicit behavior allows traffic between member interfaces within the switch.
Therefore, it is not necessary to create firewall policies to allow this traffic.

Instead of creating a software-switch, it is possible to use a virtual-wire-pair as well. See Virtual wire pair with
VXLAN on page 244.

To configure VLAN inside VXLAN on HQ2:

1. Configure VXLAN:
config system vxlan
edit "vxlan2"
set interface port25
set vni 1000
set remote-ip 173.1.1.2
next
end
2. Configure system interface:
config system interface
edit vlan100
set vdom root
set vlanid 100
set interface port20
next
edit vxlan100
set type vlan
set vlanid 100
set vdom root
set interface vxlan2
next
end

3. Configure software-switch:
config system switch-interface
edit sw1
set vdom root
set member vlan100 vxlan100
next
end

To verify the configuration:

Ping PC1 from PC2.

The following is captured on HQ2:

This captures the VXLAN traffic between 172.1.1.1 and 172.1.1.2 with the VLAN 100 tag inside.
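As an added illustration (not Fortinet code and not part of the original guide), the following Python builds and decodes the packet a VTEP emits for the traffic captured above: an 802.1Q frame tagged with VLAN 100, wrapped in an RFC 7348 VXLAN header for VNI 1000 and carried as the payload of a UDP datagram to port 4789. The MAC addresses in the sample are constructed. The same encapsulation underlies the VXLAN over IPsec and MP-BGP EVPN sections later in this chapter; the "udp 106" length the hub sniffer reports in the VTEP example is consistent with an untagged 98-byte ICMP echo frame (14 Ethernet + 20 IPv4 + 64 ICMP) plus the 8-byte VXLAN header, which udp_payload_length() reproduces.

```python
"""Build and decode a VXLAN (RFC 7348) packet carrying an 802.1Q-tagged Ethernet
frame, the encapsulation the VLAN inside VXLAN example relies on. Added example,
not Fortinet code; the sample addresses are constructed."""
import struct
from typing import Optional

VXLAN_UDP_PORT = 4789          # IANA-assigned destination port a VTEP sends to
VXLAN_FLAG_VNI_VALID = 0x08    # the "I" flag: the VNI field is valid
ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header: flags, 3 reserved bytes, 24-bit VNI, 1 reserved byte."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3sI", VXLAN_FLAG_VNI_VALID, b"\x00" * 3, vni << 8)


def build_frame(dst: str, src: str, payload: bytes, vlan_id: Optional[int] = None) -> bytes:
    """Ethernet II frame carrying IPv4; with vlan_id, an 802.1Q tag (PCP 0, DEI 0) is inserted."""
    header = mac_bytes(dst) + mac_bytes(src)
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN ID out of range")
        header += struct.pack("!HH", ETHERTYPE_8021Q, vlan_id)   # TCI with PCP and DEI zero
    return header + struct.pack("!H", ETHERTYPE_IPV4) + payload


def encapsulate(vni: int, frame: bytes) -> bytes:
    """The UDP payload a VTEP sends to port 4789: VXLAN header followed by the whole inner frame."""
    return build_vxlan_header(vni) + frame


def decapsulate(udp_payload: bytes) -> dict:
    """Decode the VXLAN header and the inner Ethernet header, including any 802.1Q tag."""
    if len(udp_payload) < 8 + 14:
        raise ValueError("too short for a VXLAN header plus an Ethernet header")
    flags, _reserved, vni_field = struct.unpack("!B3sI", udp_payload[:8])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN I flag not set; the VNI is not valid")
    inner = udp_payload[8:]
    (ethertype,) = struct.unpack("!H", inner[12:14])
    vlan_id, offset = None, 14
    if ethertype == ETHERTYPE_8021Q:
        if len(inner) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", inner[14:18])
        vlan_id, offset = tci & 0x0FFF, 18
    return {
        "vni": vni_field >> 8,
        "dst": mac_str(inner[:6]),
        "src": mac_str(inner[6:12]),
        "vlan_id": vlan_id,
        "ethertype": ethertype,
        "payload_len": len(inner) - offset,
    }


def udp_payload_length(frame: bytes) -> int:
    """Length a sniffer reports as 'udp N' for the outer datagram: VXLAN header plus inner frame."""
    return 8 + len(frame)


if __name__ == "__main__":
    # Constructed: a VLAN 100 frame with a 20-byte IPv4 header stub, carried on VNI 1000.
    tagged = build_frame("00:50:00:00:07:00", "00:50:00:00:06:00", b"\x45" + b"\x00" * 19, vlan_id=100)
    print(decapsulate(encapsulate(1000, tagged)))
```

The outer IP and UDP headers are left to the sending host's stack; what matters for a capture like the one above is that the inner 802.1Q tag survives intact after the VXLAN header, which is why a virtual wire pair or software switch that passes tagged frames is enough to stretch VLAN 100 across the two VTEPs.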

Virtual wire pair with VXLAN

Virtual wire pairs can be used with VXLAN interfaces.

In this example, VXLAN interfaces are added between FortiGate HQ1 and FortiGate HQ2, a virtual wire pair is added in
HQ1, and firewall policies are created on both HQ1 and HQ2.

To create VXLAN interface on HQ1:

config system interface
edit "port11"
set vdom "root"
set ip 10.2.2.1 255.255.255.0
set allowaccess ping https ssh snmp telnet
next
end
config system vxlan
edit "vxlan1"
set interface "port11"
set vni 1000
set remote-ip "10.2.2.2"
next
end

To create VXLAN interface on HQ2:

config system interface
edit "port11"
set vdom "root"
set ip 10.2.2.2 255.255.255.0
set allowaccess ping https ssh snmp http
next
end
config system vxlan
edit "vxlan1"
set interface "port11"
set vni 1000
set remote-ip "10.2.2.1"
next
end
config system interface
edit "vxlan1"
set vdom "root"
set ip 10.1.100.2 255.255.255.0
set allowaccess ping https ssh snmp
next
end

To create a virtual wire pair on HQ1:

config system virtual-wire-pair
edit "vwp1"
set member "port10" "vxlan1"
next
end

To create a firewall policy on HQ1:

config firewall policy
edit 5
set name "vxlan-policy"
set srcintf "port10" "vxlan1"
set dstintf "port10" "vxlan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set ssl-ssh-profile "certificate-inspection"
set av-profile "default"
set webfilter-profile "default"
set dnsfilter-profile "default"
set ips-sensor "default"
set application-list "default"
set fsso disable
next
end

To create a firewall policy on HQ2:

config firewall policy
edit 5
set name "1"
set srcintf "port13"
set dstintf "vxlan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set fsso disable
set nat enable
next
end

VXLAN over IPsec tunnel with virtual wire pair

VXLAN can be used to encapsulate VLAN traffic over a Layer 3 network. Using IPsec VPN tunnels to secure a
connection between two sites, VXLAN can encapsulate VLAN traffic over the VPN tunnel to extend the VLANs between
the two sites.
In this example, a site-to-site VPN tunnel is formed between two FortiGates. A VXLAN is configured over the IPsec
interface. Multiple VLANs are connected to a switch behind each FortiGate. Host1 and Host2 are connected to VLAN10
on the switches on each site, and Host21 and Host22 are connected to VLAN20. Using virtual wire pairs, the internal
interface (port1) will be paired with the VXLAN interface (vxlan) to allow VLAN traffic to pass through in either direction.

To configure FGT-A:

1. Configure the WAN interface:
config system interface
edit "wan1"
set vdom "root"
set ip 11.11.11.11 255.255.255.0
set allowaccess ping https ssh http fgfm
set type physical
set role wan
set snmp-index 1
next
end

2. Configure a static route to send all traffic out the WAN interface:
config router static
edit 1
set gateway 11.11.11.1
set device "wan1"
next
end

3. Configure the IPsec tunnel:
config vpn ipsec phase1-interface
edit "ipsec"
set interface "wan1"
set peertype any
set proposal aes256-sha1
set remote-gw 22.22.22.22
set psksecret **********
next
end
config vpn ipsec phase2-interface
edit "ipsec"
set phase1name "ipsec"
set proposal aes256-sha1
set auto-negotiate enable
next
end

4. Configure local and remote IP addresses for the IPsec interface:
config system interface
edit "ipsec"
set ip 10.200.0.1 255.255.255.255
set remote-ip 10.200.0.2 255.255.255.252
next
end

5. Configure the VXLAN interface and bind it to the IPsec interface:
config system vxlan
edit "vxlan"
set interface "ipsec"
set vni 10
set remote-ip "10.200.0.2"
next
end

The remote IP address is the address of the remote IPsec peer.


6. Configure a virtual wire pair with the port1 and vxlan interfaces as members:
config system virtual-wire-pair
edit "vwp"
set member "port1" "vxlan"
set wildcard-vlan enable
next
end

The interfaces added to the virtual wire pair cannot be part of a switch, such as the default internal interface.
By enabling wildcard VLANs on the virtual wire pair, all VLAN tagged traffic that is allowed by the virtual wire pair
firewall policies passes through the pair.
7. Configure a virtual wire pair firewall policy to allow traffic between the port1 and vxlan interfaces:
config firewall policy
edit 4
set name "vwp-pol"
set srcintf "port1" "vxlan"
set dstintf "port1" "vxlan"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
end

To configure FGT-B:

1. Configure the WAN interface:
config system interface
edit "wan1"
set vdom "root"
set ip 22.22.22.22 255.255.255.0
set allowaccess ping https ssh http fgfm
set type physical
set role wan
set snmp-index 1
next
end

2. Configure a static route to send all traffic out the WAN interface:
config router static
edit 1
set gateway 22.22.22.2
set device "wan1"
next
end

3. Configure the IPsec tunnel:
config vpn ipsec phase1-interface
edit "ipsec"
set interface "wan1"
set peertype any
set proposal aes256-sha1
set remote-gw 11.11.11.11
set psksecret **********
next
end
config vpn ipsec phase2-interface
edit "ipsec"
set phase1name "ipsec"
set proposal aes256-sha1
set auto-negotiate enable
next
end

4. Configure local and remote IP addresses for the IPsec interface:
config system interface
edit "ipsec"
set ip 10.200.0.2 255.255.255.255
set remote-ip 10.200.0.1 255.255.255.252
next
end

5. Configure the VXLAN interface and bind it to the IPsec interface:
config system vxlan
edit "vxlan"
set interface "ipsec"
set vni 10
set remote-ip "10.200.0.1"
next
end

The remote IP address is the address of the remote IPsec peer.


6. Configure a virtual wire pair with the port1 and vxlan interfaces as members:
config system virtual-wire-pair
edit "vwp"
set member "port1" "vxlan"
set wildcard-vlan enable
next
end

7. Configure a firewall policy to allow traffic between the port1 and vxlan interfaces:
config firewall policy
edit 4
set name "vwp-pol"
set srcintf "port1" "vxlan"
set dstintf "port1" "vxlan"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
end

Test the configuration

To test the configuration, ping Host2 (VLAN10: 192.168.10.2/24) from Host1 (VLAN10: 192.168.10.1/24):

C:\>ping 192.168.10.2

Pinging 192.168.10.2 with 32 bytes of data:

Reply from 192.168.10.2: bytes=32 time=8ms TTL=56
Reply from 192.168.10.2: bytes=32 time=8ms TTL=56
Reply from 192.168.10.2: bytes=32 time=8ms TTL=56
Reply from 192.168.10.2: bytes=32 time=11ms TTL=56

Ping statistics for 192.168.10.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 8ms, Maximum = 11ms, Average = 8ms

Host21 should also be able to ping Host22.

VXLAN over IPsec using a VXLAN tunnel endpoint

This example describes how to implement VXLAN over IPsec VPN using a VXLAN tunnel endpoint (VTEP).

This example uses a hub and spoke topology. Dialup VPN is used because it allows a single phase 1 dialup definition on
the hub FortiGate. Additional spoke tunnels are added with minimal changes to the hub by adding a user account and
VXLAN interface for each spoke. Spoke-to-spoke communication is established through the hub. This example assumes
that the authentication users and user groups have already been created. While this topology demonstrates hub and
spoke with dialup tunnels with XAuth authentication, the same logic can be applied to a static VPN with or without XAuth.
IPsec tunnel interfaces are used to support VXLAN tunnel termination. An IP address is set for each tunnel interface.
Ping access is allowed for troubleshooting purposes.
VTEPs are created on the hub and each spoke to forward VXLAN traffic through the IPsec tunnels. VXLAN encapsulates
OSI layer 2 Ethernet frames within layer 3 IP packets. You will need to either combine the internal port1 and VXLAN
interface into a soft switch, or create a virtual wire pair so that devices behind port1 have direct layer 2 access to remote
peers over the VXLAN tunnel. This example uses a switch interface on the hub and a virtual wire pair on the spokes to
demonstrate the two different methods.
In order to apply an IPsec VPN interface on the VXLAN interface setting, net-device must be disabled in the IPsec
VPN phase 1 settings.
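Two constraints from the preceding sections are easy to miss when a configuration grows: a virtual wire pair member must not belong to a switch (stated in the VXLAN over IPsec tunnel with virtual wire pair example), and a phase 1 interface that carries a VXLAN interface must have net-device disabled. The following Python, added here as an illustration and not Fortinet's own tooling, parses FortiOS CLI configuration text (a configuration backup, or the output of show) and reports violations of both. The parser, the checks and the sample configuration are constructed for this example; the net-device check assumes that a phase 1 which does not mention net-device keeps the default value of disable, so it only flags an explicit set net-device enable.

```python
"""Check a FortiOS CLI configuration for two constraints on VXLAN over IPsec stated
in this guide: a phase1-interface that carries a VXLAN interface must have net-device
disabled, and a virtual wire pair member must not also be a software switch member.
Added example, not Fortinet code; parser, checks and sample config are constructed."""
import shlex
from typing import Dict, List


def _scope() -> dict:
    return {"set": {}, "entries": {}, "sub": {}}


def parse_fortios(text: str) -> dict:
    """Parse config/edit/set/next/end text into nested scopes: each scope keeps its
    'set' values, its 'edit' entries and nested 'config' tables ('sub')."""
    root = _scope()
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        if keyword == "config":
            child = _scope()
            stack[-1]["sub"][" ".join(args)] = child
            stack.append(child)
        elif keyword == "edit":
            child = _scope()
            stack[-1]["entries"][args[0]] = child
            stack.append(child)
        elif keyword == "set":
            stack[-1]["set"][args[0]] = args[1:]
        elif keyword in ("next", "end"):
            stack.pop()
    return root


def entries(cfg: dict, table: str) -> Dict[str, dict]:
    return cfg["sub"].get(table, _scope())["entries"]


def check_vxlan_over_ipsec(cfg: dict) -> List[str]:
    """Return findings; an empty list means both constraints hold."""
    findings = []
    phase1 = entries(cfg, "vpn ipsec phase1-interface")
    for name, vxlan in entries(cfg, "system vxlan").items():
        underlay = vxlan["set"].get("interface", [""])[0]
        if underlay in phase1:
            # Assumption: a phase1 that does not set net-device keeps the default, disable.
            net_device = phase1[underlay]["set"].get("net-device", ["disable"])[0]
            if net_device != "disable":
                findings.append(f"vxlan {name}: IPsec interface {underlay} has net-device "
                                f"{net_device}; VXLAN over IPsec requires net-device disable")
    switch_of: Dict[str, str] = {}          # interface -> software switch that owns it
    for sw_name, sw in entries(cfg, "system switch-interface").items():
        for member in sw["set"].get("member", []):
            switch_of[member] = sw_name
    for vwp_name, vwp in entries(cfg, "system virtual-wire-pair").items():
        for member in vwp["set"].get("member", []):
            if member in switch_of:
                findings.append(f"virtual-wire-pair {vwp_name}: member {member} is also in "
                                f"switch {switch_of[member]}; remove it from the switch first")
    return findings


# Constructed sample modelled on FGT-A above, with both mistakes present on purpose.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "ipsec"
        set interface "wan1"
        set net-device enable
        set remote-gw 22.22.22.22
    next
end
config system vxlan
    edit "vxlan"
        set interface "ipsec"
        set vni 10
        set remote-ip "10.200.0.2"
    next
end
config system switch-interface
    edit "internal"
        set member "port1" "port3"
    next
end
config system virtual-wire-pair
    edit "vwp"
        set member "port1" "vxlan"
        set wildcard-vlan enable
    next
end
"""
# The same configuration with both problems corrected.
FIXED_CONFIG = SAMPLE_CONFIG.replace("net-device enable", "net-device disable").replace(
    'set member "port1" "port3"', 'set member "port2" "port3"')
```

Run check_vxlan_over_ipsec(parse_fortios(text)) against a saved configuration before applying it; the parser keeps nested tables (for example config neighbor under config router bgp) so the same structure can carry further checks, such as confirming both VTEPs use the same VNI.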

To configure the hub FortiGate:

1. Configure the IPsec phase 1 interface:
config vpn ipsec phase1-interface
edit "SPOKES"
set type dynamic
set interface "port2"
set mode aggressive
set peertype one
set net-device disable
set proposal aes256-sha256
set xauthtype auto
set authusrgrp "SPOKES"
set peerid "SPOKES"
set psksecret <secret>
next
end

2. Configure the IPsec phase 2 interface:
config vpn ipsec phase2-interface
edit "SPOKES"
set phase1name "SPOKES"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
next
end

3. Configure the IPsec VPN policy that allows VXLAN traffic between the spokes:
config firewall policy
edit 1
set name "VXLAN_SPOKE_to_SPOKE"
set srcintf "SPOKES"
set dstintf "SPOKES"
set srcaddr "NET_192.168.255.0"
set dstaddr "NET_192.168.255.0"
set action accept
set schedule "always"
set service "UDP_4789"
set logtraffic all
set fsso disable
next
end

4. Configure the IPsec tunnel interfaces (the remote IP address is not used, but it is necessary for this configuration):
config system interface
edit "SPOKES"
set vdom "root"
set ip 192.168.255.1 255.255.255.255
set allowaccess ping
set type tunnel
set remote-ip 192.168.255.254 255.255.255.0
set snmp-index 12
set interface "port2"
next
end

5. Configure the VXLAN interfaces. Each spoke requires a VXLAN interface with a different VNI. The remote IP is the
tunnel interface IP of the corresponding spoke.
a. Spoke 1:
config system vxlan
edit "SPOKES_VXLAN1"
set interface "SPOKES"
set vni 1
set remote-ip "192.168.255.2"
next
end

b. Spoke 2:
config system vxlan
edit "SPOKES_VXLAN2"
set interface "SPOKES"
set vni 2
set remote-ip "192.168.255.3"
next
end

To configure the spoke FortiGates:

1. Configure the IPsec phase 1 interface:
config vpn ipsec phase1-interface
edit "HUB"
set interface "port2"
set mode aggressive
set peertype any
set net-device disable
set proposal aes256-sha256
set localid "SPOKES"
set xauthtype client
set authusr "SPOKE1"
set authpasswd <secret>
set remote-gw <hub public IP>
set psksecret <secret>
next
end

2. Configure the IPsec phase 2 interface:
config vpn ipsec phase2-interface
edit "HUB"
set phase1name "HUB"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set auto-negotiate enable
set src-subnet 192.168.255.2 255.255.255.255
next
end

The hub FortiGate inserts a reverse route pointing to the newly established tunnel interface for any of the subnets
that the spoke FortiGate's source quick mode selectors provide. This is why you should set the tunnel IP address here.

3. Configure the IPsec VPN policy:
config firewall policy
edit 1
set name "VTEP_IPSEC_POLICY"
set srcintf "HUB"
set dstintf "HUB"
set srcaddr "none"
set dstaddr "none"
set action accept
set schedule "always"
set service "PING"
set logtraffic disable
set fsso disable
next
end

4. Configure the IPsec tunnel interface:
config system interface
edit "HUB"
set vdom "root"
set ip 192.168.255.2 255.255.255.255
set allowaccess ping
set type tunnel
set remote-ip 192.168.255.1 255.255.255.0
set snmp-index 12
set interface "port2"
next
end

5. Configure the VXLAN interfaces (the remote IP is the tunnel interface IP of the hub):
a. Spoke 1:
config system vxlan
edit "HUB_VXLAN"
set interface "HUB"
set vni 1
set remote-ip "192.168.255.1"
next
end

b. Spoke 2:
config system vxlan
edit "HUB_VXLAN"
set interface "HUB"
set vni 2
set remote-ip "192.168.255.1"
next
end

To bind the VXLAN interface to the internal interface:

1. Configure a switch interface on the hub:
config system switch-interface
edit "SW"
set vdom "root"
set member "port1" "SPOKES_VXLAN1" "SPOKES_VXLAN2"
set intra-switch-policy {implicit | explicit}
next
end

Intra-switch traffic is implicitly allowed by default. Use set intra-switch-policy explicit to require firewall
policies to allow traffic between switch interfaces.

2. Configure a virtual wire pair on the spokes:
config system virtual-wire-pair
edit "VWP"
set member "HUB_VXLAN" "port1"
next
end

The virtual wire pair requires an explicit policy to allow traffic between interfaces.

To test the configuration:

1. Ping the hub FortiGate from the spoke FortiGate:
user@pc-spoke1:~$ ping 192.168.1.1 -c 3
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=1.24 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.672 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=64 time=0.855 ms
--- 192.168.1.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002 ms
rtt min/avg/max/mdev = 0.672/0.923/1.243/0.239 ms

2. Sniff traffic on the hub FortiGate:
# diagnose sniffer packet any 'icmp or (udp and port 4789)' 4 0
interfaces=[any] filters=[icmp or (udp and port 4789)]
15:00:01.438230 SPOKES in 192.168.255.2.4790 -> 192.168.255.1.4789: udp 106
15:00:01.438256 SPOKES_VXLAN1 in 192.168.1.2 -> 192.168.1.1: icmp: echo request
15:00:01.438260 port1 out 192.168.1.2 -> 192.168.1.1: icmp: echo request
15:00:01.438532 port1 in 192.168.1.1 -> 192.168.1.2: icmp: echo reply
15:00:01.438536 SPOKES_VXLAN1 out 192.168.1.1 -> 192.168.1.2: icmp: echo reply
15:00:01.438546 SPOKES out 192.168.255.1.4851 -> 192.168.255.2.4789: udp 106

VXLAN with MP-BGP EVPN

FortiOS supports VXLAN as implemented according to RFC 7348. Currently, VXLAN relies on determining the MAC
address of the destination host by using address resolution protocol (ARP) broadcast frames encapsulated in multicast
packets.
- A multicast group is maintained with all the VXLAN tunnel endpoints (VTEPs) associated with the same VXLAN,
namely, with the same VXLAN network identifier (VNI).
- The multicast packets that encapsulate ARP broadcast frames are sent to this multicast group, and then the
destination host replies to the source host using a unicast IP packet encapsulated using VXLAN.
- The source and destination FortiGates, as VTEPs, each maintain a mapping of MAC addresses to remote VTEPs.
As with non-VXLAN traffic, VXLAN relies on the preceding ARP process, commonly known as flood-and-learn, which
floods the network with broadcast frames encapsulated as multicast packets to learn MAC addresses. In the RFC 7348
implementation of VXLAN, the data plane is simultaneously used as a control plane.
The following topology demonstrates how flood-and-learn uses ARP broadcast traffic flooded throughout the VXLAN for
PC A to learn PC D's MAC address when PC A tries to connect to PC D.

Multiprotocol Border Gateway Protocol Ethernet Virtual Private Network (MP-BGP EVPN) support for VXLAN allows for
learning MAC addresses in a way that is more suitable for large deployments than flood-and-learn.
MP-BGP EVPN is a standards-based control plane that supports the distribution of attached host MAC and IP addresses
using MP-BGP, namely, using the EVPN address family and MAC addresses treated as routing entries in BGP. As a
control plane that is separate from the data plane, MP-BGP EVPN avoids flood-and-learn in the network, and the wide
use of BGP as an external gateway protocol on the internet proves its ability to scale well with large deployments. The
following topology demonstrates how MP-BGP EVPN distributes route type 2 MAC/IP advertisement routes among
VTEPs in the VXLAN, and minimizes ARP broadcast traffic required for PC A to learn PC D's MAC address when PC A
tries to connect to PC D.

MP-BGP EVPN supports the following features:

- Route type 2 (MAC/IP advertisement route) and route type 3 (inclusive multicast Ethernet tag route)
- Intra-subnet communication
- Single-homing use cases
- VLAN-based service, namely, there is only one broadcast domain per EVPN instance (EVI). This is due to the
current VXLAN design that supports a single VNI for a VXLAN interface.
- EVPN running on IPv4 unicast VXLAN
- Egress replication for broadcast, unknown unicast, and multicast (BUM) traffic
- VXLAN MAC learning from traffic
- IP address local learning
- ARP suppression

For more information about MP-BGP EVPN, see RFC 7432. For more information about
EVPN and VXLAN, see RFC 8365.

Currently, MP-BGP EVPN supports only VRF 0.

Basic MP-BGP EVPN configuration

The MP-BGP EVPN feature builds on the CLI commands used for configuring VXLAN using a VXLAN tunnel endpoint
(VTEP). See General VXLAN configuration and topologies on page 238 for more details.
After configuring VXLAN using a VTEP, the following CLI commands are configured to enable MP-BGP EVPN on each
VTEP.

To configure MP-BGP EVPN on each VTEP:

1. Configure the EVPN settings:
config system evpn
edit <id>
set rd {AA | AA:NN | A.B.C.D:NN}
set import-rt <AA:NN>
set export-rt <AA:NN>
set ip-local-learning {enable | disable}
set arp-suppression {enable | disable}
next
end

The ip-local-learning setting is used to enable/disable monitoring the local ARP table of the switch interface
to learn the IP/MAC bindings, and advertise them to neighbors. This setting is disabled by default, but must be
enabled when configuring MP-BGP EVPN.
The arp-suppression setting is used to enable/disable using proxy ARP to perform suppression of ARP
discovery using the flood-and-learn approach. This setting is disabled by default. When enabled, proxy ARP entries
are added on the switch interface to suppress the ARP flooding of known IP/MAC bindings, which were learned by
the MP-BGP EVPN control plane.
2. Configure the EVPN settings within the VXLAN settings:
config system vxlan
edit <name>
set interface <string>
set vni <integer>
set evpn-id <integer>
set learn-from-traffic {enable | disable}
next
end

The learn-from-traffic setting is used to enable/disable learning of remote VNIs from VXLAN traffic. This
setting is disabled by default, and should only be enabled when the local peer and all remote peers are using the same
VNI value, and some of the peers do not have MP-BGP EVPN capability.
3. Configure the BGP settings:
config router bgp
set ibgp-multipath {enable | disable}
set recursive-next-hop {enable | disable}
set graceful-restart {enable | disable}
config neighbor
edit <WAN_IP_of_other_VTEP>
set ebgp-enforce-multihop {enable | disable}
set next-hop-self {enable | disable}
set next-hop-self-vpnv4 {enable | disable}
set soft-reconfiguration {enable | disable}
set soft-reconfiguration-evpn {enable | disable}
set remote-as <AS_number>
next
end
end

4. Configure the EVPN setting within the HA settings:
config system ha
set evpn-ttl <integer>
end

Example

In this example, two FortiGates are configured as VXLAN tunnel endpoints (VTEPs). A VXLAN is configured to allow L2
connectivity between the networks behind each FortiGate. The VXLAN interface vxlan1 and port2 are placed on the
same L2 network using a software switch (sw1). An L2 network is formed between PC1 and PC2. MP-BGP EVPN is
used as the control plane to learn and distribute MAC address information within a single L2 domain identified using a
specific VNI.

The VTEPs have the following MAC address tables:

Interface/endpoint    VTEP1                VTEP2
vxlan1                82:51:d1:44:bf:93    d2:21:00:c9:e6:98
port2                 50:00:00:03:00:01    50:00:00:04:00:01
sw1                   50:00:00:03:00:01    50:00:00:04:00:01

The MAC address of PC1 is 00:50:00:00:06:00. The MAC address of PC2 is 00:50:00:00:07:00.
This example assumes that the WAN interface and default route settings have already been configured on the VTEP 1
and VTEP 2 FortiGates. These configurations are omitted from the example. All peers are configured for MP-BGP
EVPN.
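To make the control plane concrete before the configuration steps, the following Python, added here as an illustration and not Fortinet code, reads route type 2 and route type 3 entries in the format that get router info bgp evpn network prints in the verification steps at the end of this example. From them it derives the MAC table, the egress replication list for BUM traffic and the IP/MAC bindings that ARP suppression answers from, and it reconciles those with the output of diagnose sys vxlan fdb list. The sample output is constructed from the addresses of this example (PC1, PC2 and the VTEP loopbacks) as seen from VTEP1.

```python
"""Read what a FortiGate VTEP has learned through MP-BGP EVPN and compare it with
the VXLAN forwarding database. Added example, not Fortinet code; the sample
output below is constructed from the addresses used in this example."""
import re
from typing import Dict, List, Optional, Set

NLRI_FIELD = re.compile(r"\[([^\]]*)\]")
FDB_ENTRY = re.compile(r"mac=(\S+)\s.*?remote_ip=(\S+)")
FLOOD_MAC = "00:00:00:00:00:00"   # all-zero MAC: flood (BUM) entry towards a remote VTEP


def parse_evpn_table(text: str) -> List[dict]:
    """One dict per distinct route from 'get router info bgp evpn network' output.
    Type 2 carries mac (and ip when advertised); type 3 names the originating VTEP."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    routes, seen, i = [], set(), 0
    while i < len(lines):
        line = lines[i].strip()
        if not (line.startswith("*") and "[" in line):      # column header or RD line
            i += 1
            continue
        nlri = line[line.index("["):].split("/")[0]
        next_hop = lines[i + 1].split()[0]                   # next-hop line follows the NLRI
        i += 2
        if (nlri, next_hop) in seen:                          # routes repeat per RD view
            continue
        seen.add((nlri, next_hop))
        fields = NLRI_FIELD.findall(nlri)
        route = {"type": int(fields[0]), "next_hop": next_hop, "mac": None, "ip": None, "vtep": None}
        if route["type"] == 2:                                # [2][ethtag][maclen][mac][iplen][ip]
            route["mac"] = fields[3]
            route["ip"] = fields[5] if len(fields) > 5 else None
        elif route["type"] == 3:                              # [3][ethtag][iplen][originating VTEP]
            route["vtep"] = fields[3]
        routes.append(route)
    return routes


def mac_table(routes: List[dict]) -> Dict[str, dict]:
    """MAC -> {vtep, ips}: the bindings type 2 routes teach this VTEP."""
    table: Dict[str, dict] = {}
    for r in routes:
        if r["type"] == 2:
            entry = table.setdefault(r["mac"], {"vtep": r["next_hop"], "ips": set()})
            if r["ip"]:
                entry["ips"].add(r["ip"])
    return table


def remote_vteps(routes: List[dict], local_vtep: str) -> Set[str]:
    """Egress replication list for BUM traffic, derived from type 3 routes."""
    return {r["vtep"] for r in routes if r["type"] == 3 and r["vtep"] != local_vtep}


def arp_suppression_lookup(routes: List[dict], ip: str) -> Optional[str]:
    """MAC the VTEP can answer an ARP request with locally, or None if it must flood."""
    for r in routes:
        if r["type"] == 2 and r["ip"] == ip:
            return r["mac"]
    return None


def reconcile_fdb(routes: List[dict], fdb_text: str, local_vtep: str) -> List[str]:
    """Findings where 'diagnose sys vxlan fdb list' disagrees with the EVPN routes."""
    pairs = FDB_ENTRY.findall(fdb_text)
    unicast = {mac: ip for mac, ip in pairs if mac != FLOOD_MAC}
    flood = {ip for mac, ip in pairs if mac == FLOOD_MAC}
    problems = []
    for mac, entry in mac_table(routes).items():
        if entry["vtep"] == local_vtep:
            continue                                          # locally attached host
        if unicast.get(mac) != entry["vtep"]:
            problems.append(f"{mac}: EVPN next hop {entry['vtep']}, fdb has {unicast.get(mac)}")
    missing = remote_vteps(routes, local_vtep) - flood
    if missing:
        problems.append(f"no flood entry for VTEP(s) {sorted(missing)}")
    return problems


SAMPLE_EVPN = """\
Network Next Hop Metric LocPrf Weight RouteTag Path
Route Distinguisher: 100:100 (Default for VRF 0)
*> [2][0][48][00:50:00:00:06:00][0]/72
 1.1.1.1 0 100 32768 0 i <-/>
*> [2][0][48][00:50:00:00:06:00][32][172.18.1.11]/104
 1.1.1.1 0 100 32768 0 i <-/>
*>i[2][0][48][00:50:00:00:07:00][0]/72
 2.2.2.2 0 100 0 0 i <-/>
*>i[2][0][48][00:50:00:00:07:00][32][172.18.1.33]/104
 2.2.2.2 0 100 0 0 i <-/>
*> [3][0][32][1.1.1.1]/80
 1.1.1.1 0 100 32768 0 i <-/>
*>i[3][0][32][2.2.2.2]/80
 2.2.2.2 0 100 0 0 i <-/>
"""
SAMPLE_FDB = """\
mac=00:00:00:00:00:00 state=0x0082 remote_ip=2.2.2.2 port=4789 vni=1000
mac=00:50:00:00:07:00 state=0x0082 remote_ip=2.2.2.2 port=4789 vni=1000
"""
```

With the sample input, reconcile_fdb() returns no findings: PC2's MAC is reachable via 2.2.2.2 in both the EVPN table and the forwarding database, and the all-zero flood entry covers the only remote VTEP the type 3 route announces. A stale or missing fdb entry shows up as a finding, which is the kind of mismatch to look for when a host behind one VTEP stops reaching the other.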

To configure the VTEP1 FortiGate:

1. Configure the loopback interface:
config system interface
edit "loopback1"
set vdom "root"
set ip 1.1.1.1 255.255.255.255
set allowaccess ping https ssh http
set type loopback
next
end

2. Configure the EVPN settings:
config system evpn
edit 100
set rd "100:100"
set import-rt "1:1"
set export-rt "1:1"
set ip-local-learning enable
set arp-suppression enable
next
end

3. Configure the local interface and EVPN settings within the VXLAN settings:
config system vxlan
edit "vxlan1"
set interface "loopback1"
set vni 1000
set evpn-id 100
next
end

4. Configure the EVPN settings within the BGP settings:
config router bgp
set as 65001
set router-id 1.1.1.1
set ibgp-multipath enable
set recursive-next-hop enable
set graceful-restart enable
config neighbor
edit "172.25.160.101"
set ebgp-enforce-multihop enable
set next-hop-self enable
set next-hop-self-vpnv4 enable
set soft-reconfiguration enable
set soft-reconfiguration-evpn enable
set remote-as 65001
next
end
config network
edit 1
set prefix 1.1.1.1 255.255.255.255
next
end
end

172.27.16.237 is the WAN IP address of the VTEP2 FortiGate.


5. Configure the software switch:
config system switch-interface
edit "sw1"
set vdom "root"
set member "port2" "vxlan1"
set intra-switch-policy explicit
next
end

6. Configure the software switch interface settings:
config system interface
edit "sw1"
set vdom "root"
set ip 172.18.1.253 255.255.255.0
set allowaccess ping
set type switch
next
end

7. Configure the firewall policies between the member interfaces in the software switch:
config firewall policy
edit 1
set srcintf "port2"
set dstintf "vxlan1"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
next
edit 2
set srcintf "vxlan1"
set dstintf "port2"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
next
end

To configure the VTEP2 FortiGate:

1. Configure the loopback interface:
config system interface
edit "loopback2"
set vdom "root"
set ip 2.2.2.2 255.255.255.255
set allowaccess ping https ssh http
set type loopback
next
end

2. Configure the EVPN settings:
config system evpn
edit 100
set rd "100:100"
set import-rt "1:1"
set export-rt "1:1"
set ip-local-learning enable
set arp-suppression enable
next
end
end

3. Configure the local interface and EVPN settings within the VXLAN settings:
config system vxlan
edit "vxlan1"
set interface "loopback2"
set vni 1000
set evpn-id 100
next
end

4. Configure the EVPN settings within the BGP settings:
config router bgp
set as 65001
set router-id 2.2.2.2
set ibgp-multipath enable
set recursive-next-hop enable
set graceful-restart enable
config neighbor
edit "172.25.160.100"
set ebgp-enforce-multihop enable
set next-hop-self enable
set next-hop-self-vpnv4 enable
set soft-reconfiguration enable
set soft-reconfiguration-evpn enable
set remote-as 65001
next
end
config network
edit 1
set prefix 2.2.2.2 255.255.255.255
next
end
end

172.27.16.236 is the WAN IP address of the VTEP1 FortiGate.


5. Configure the software switch:
config system switch-interface
edit "sw1"
set vdom "root"
set member "port2" "vxlan1"
set intra-switch-policy explicit
next
end

6. Configure the software switch interface settings:
config system interface
edit "sw1"
set vdom "root"
set ip 172.18.1.254 255.255.255.0
set allowaccess ping
set type switch
next
end

7. Configure the firewall policies between the member interfaces in the software switch:
config firewall policy
edit 1
set srcintf "port2"
set dstintf "vxlan1"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
next
edit 2
set srcintf "vxlan1"
set dstintf "port2"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
next
end

To verify the MP-BGP EVPN status on the VTEP1 FortiGate:

1. From a host computer with IP address 172.18.1.11, perform the following.
a. Check the ARP cache:
# arp
Address HWtype HWaddress Flags Mask Iface
172.18.1.253 ether 50:00:00:03:00:01 C ens3

b. Ping the host computer with IP address 172.18.1.33:
# ping 172.18.1.33 -c 4
PING 172.18.1.33 (172.18.1.33) 56(84) bytes of data.
64 bytes from 172.18.1.33: icmp_seq=1 ttl=64 time=1325 ms
64 bytes from 172.18.1.33: icmp_seq=2 ttl=64 time=319 ms
64 bytes from 172.18.1.33: icmp_seq=3 ttl=64 time=3.96 ms
64 bytes from 172.18.1.33: icmp_seq=4 ttl=64 time=1.66 ms

--- 172.18.1.33 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3007ms
rtt min/avg/max/mdev = 1.660/412.614/1325.209/542.530 ms

c. Check the ARP cache again:
# arp
Address HWtype HWaddress Flags Mask Iface
172.18.1.33 ether 00:50:00:00:07:00 C ens3
172.18.1.253 ether 50:00:00:03:00:01 C ens3

2. On the VTEP1 FortiGate, run the switch and VXLAN debug commands.
a. Verify the forwarding database for vxlan1:
# diagnose sys vxlan fdb list vxlan1
mac=00:00:00:00:00:00 state=0x0082 remote_ip=2.2.2.2 port=4789 vni=1000 ifindex0
mac=00:50:00:00:07:00 state=0x0082 remote_ip=2.2.2.2 port=4789 vni=1000 ifindex0

total fdb num: 2

b. Verify the forwarding database statistics for vxlan1:
# diagnose sys vxlan fdb stat vxlan1
fdb_table_size=256 fdb_table_used=2 fdb_entry=2 fdb_max_depth=1 cleanup_idx=0 c2

c. Verify the bridging information for sw1:
# diagnose netlink brctl name host sw1
show bridge control interface sw1 host.
fdb: hash size=32768, used=5, num=5, depth=1, gc_time=4, ageing_time=3, arp-sups
Bridge sw1 host table
port no device devname mac addr ttl attributes
2 15 vxlan1 00:00:00:00:00:00 28 Hit(28)
2 15 vxlan1 00:50:00:00:07:00 18 Hit(18)
2 15 vxlan1 82:51:d1:44:bf:93 0 Local Static
1 4 port2 00:50:00:00:06:00 14 Hit(14)
1 4 port2 50:00:00:03:00:01 0 Local Static

3. Run the BGP EVPN commands and observe the route type 2 (MAC/IP advertisement route) and route type 3
(inclusive multicast Ethernet tag route).
a. Verify the BGP L2 VPN EVPN summary information:
# get router info bgp evpn summary

VRF 0 BGP router identifier 1.1.1.1, local AS number 65001
BGP table version is 2
1 BGP AS-PATH entries
0 BGP community entries

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/Pd
172.25.160.101 4 65001 9 9 1 0 0 00:04:02 3

Total number of neighbors 1

b. Verify the BGP L2 VPN EVPN network information:
# get router info bgp evpn network
Network Next Hop Metric LocPrf Weight RouteTag Path
Route Distinguisher: 100:100 (Default for VRF 0)
*> [2][0][48][00:50:00:00:06:00][0]/72
1.1.1.1 0 100 32768 0 i <-/>
*> [2][0][48][00:50:00:00:06:00][32][172.18.1.11]/104
1.1.1.1 0 100 32768 0 i <-/>
*>i[2][0][48][00:50:00:00:07:00][0]/72
2.2.2.2 0 100 0 0 i <-/>
*>i[2][0][48][00:50:00:00:07:00][32][172.18.1.33]/104
2.2.2.2 0 100 0 0 i <-/>
*> [3][0][32][1.1.1.1]/80
1.1.1.1 0 100 32768 0 i <-/>
*>i[3][0][32][2.2.2.2]/80
2.2.2.2 0 100 0 0 i <-/>

Network Next Hop Metric LocPrf Weight RouteTag Path
Route Distinguisher: 100:100 (received from VRF 0)
*>i[2][0][48][00:50:00:00:07:00][0]/72
2.2.2.2 0 100 0 0 i <-/>
*>i[2][0][48][00:50:00:00:07:00][32][172.18.1.33]/104
2.2.2.2 0 100 0 0 i <-/>
*>i[3][0][32][2.2.2.2]/80
2.2.2.2 0 100 0 0 i <-/>

c. Verify the BGP L2 VPN EVPN context:
# get router info bgp evpn context
L2VPN EVPN context for VRF 0
ID 100 vlan-based, RD is [100:100]
Import RT: RT:1:1
Export RT: RT:1:1
Bridge domain 0 VNI 1000
Encapsulation 8(VXLAN)
Source interface loopback1
Source address 1.1.1.1

d. Verify the BGP L2 VPN EVPN information for VRF 0:
# get router info bgp evpn vrf 0
Network Next Hop Metric LocPrf Weight RouteTag Path
Route Distinguisher: 100:100 (Default for VRF 0)
*> [2][0][48][00:50:00:00:06:00][0]/72
1.1.1.1 0 100 32768 0 i <-/>
*> [2][0][48][00:50:00:00:06:00][32][172.18.1.11]/104
1.1.1.1 0 100 32768 0 i <-/>
*>i[2][0][48][00:50:00:00:07:00][0]/72
2.2.2.2 0 100 0 0 i <-/>
*>i[2][0][48][00:50:00:00:07:00][32][172.18.1.33]/104
2.2.2.2 0 100 0 0 i <-/>
*> [3][0][32][1.1.1.1]/80
1.1.1.1 0 100 32768 0 i <-/>
*>i[3][0][32][2.2.2.2]/80
2.2.2.2 0 100 0 0 i <-/>

Network Next Hop Metric LocPrf Weight RouteTag Path


Route Distinguisher: 100:100 (received from VRF 0)
*>i[2][0][48][00:50:00:00:07:00][0]/72
2.2.2.2 0 100 0 0 i <-/>
*>i[2][0][48][00:50:00:00:07:00][32][172.18.1.33]/104
2.2.2.2 0 100 0 0 i <-/>
*>i[3][0][32][2.2.2.2]/80
2.2.2.2 0 100 0 0 i <-/>

e. Verify the BGP L2 VPN EVPN information for RD 100:100:


# get router info bgp evpn rd 100:100
Network Next Hop Metric LocPrf Weight RouteTag Path
Route Distinguisher: 100:100 (Default for VRF 0)
*> [2][0][48][00:50:00:00:06:00][0]/72
1.1.1.1 0 100 32768 0 i <-/>
*> [2][0][48][00:50:00:00:06:00][32][172.18.1.11]/104
1.1.1.1 0 100 32768 0 i <-/>


*>i[2][0][48][00:50:00:00:07:00][0]/72
2.2.2.2 0 100 0 0 i <-/>
*>i[2][0][48][00:50:00:00:07:00][32][172.18.1.33]/104
2.2.2.2 0 100 0 0 i <-/>
*> [3][0][32][1.1.1.1]/80
1.1.1.1 0 100 32768 0 i <-/>
*>i[3][0][32][2.2.2.2]/80
2.2.2.2 0 100 0 0 i <-/>

Network Next Hop Metric LocPrf Weight RouteTag Path


Route Distinguisher: 100:100 (received from VRF 0)
*>i[2][0][48][00:50:00:00:07:00][0]/72
2.2.2.2 0 100 0 0 i <-/>
*>i[2][0][48][00:50:00:00:07:00][32][172.18.1.33]/104
2.2.2.2 0 100 0 0 i <-/>
*>i[3][0][32][2.2.2.2]/80
2.2.2.2 0 100 0 0 i <-/>

f. Verify the neighbor EVPN advertised routes for 172.25.160.101:


# get router info bgp neighbors 172.25.160.101 advertised-routes evpn
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight RouteTag Path


Route Distinguisher: 100:100 (Default for VRF 0) (Default for VRF 0)
*>i[2][0][48][00:50:00:00:06:00][0]/72
1.1.1.1 100 32768 0 i <-/>
*>i[2][0][48][00:50:00:00:06:00][32][172.18.1.11]/104
1.1.1.1 100 32768 0 i <-/>
*>i[3][0][32][1.1.1.1]/80
1.1.1.1 100 32768 0 i <-/>

Total number of prefixes 3

g. Verify the neighbor EVPN received routes for 172.25.160.101:


# get router info bgp neighbors 172.25.160.101 received-routes evpn
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight RouteTag Path


Route Distinguisher: 100:100 (received from VRF 0) (received from VRF 0)
*>i[2][0][48][00:50:00:00:07:00][0]/72
2.2.2.2 100 0 0 i <-/>
*>i[2][0][48][00:50:00:00:07:00][32][172.18.1.33]/104
2.2.2.2 100 0 0 i <-/>
*>i[3][0][32][2.2.2.2]/80
2.2.2.2 100 0 0 i <-/>

Total number of prefixes 3

h. Verify the neighbor EVPN routes:


# get router info bgp neighbors 172.25.160.101 routes evpn
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight RouteTag Path


Route Distinguisher: 100:100 (Default for VRF 0) (Default for VRF 0)
*>i[2][0][48][00:50:00:00:07:00][0]/72
2.2.2.2 0 100 0 0 i <-/>
*>i[2][0][48][00:50:00:00:07:00][32][172.18.1.33]/104
2.2.2.2 0 100 0 0 i <-/>
*>i[3][0][32][2.2.2.2]/80
2.2.2.2 0 100 0 0 i <-/>
Route Distinguisher: 100:100 (received from VRF 0) (received from VRF 0)
*>i[2][0][48][00:50:00:00:07:00][0]/72
2.2.2.2 0 100 0 0 i <-/>
*>i[2][0][48][00:50:00:00:07:00][32][172.18.1.33]/104
2.2.2.2 0 100 0 0 i <-/>
*>i[3][0][32][2.2.2.2]/80
2.2.2.2 0 100 0 0 i <-/>

Total number of prefixes 6

4. Run the following EVPN get commands.


a. Verify the EVPN instances:
# get l2vpn evpn instance
EVPN instance: 100
IP local learning enabled
ARP suppression enabled
HA primary
Number of bridge domain: 1
Bridge domain: TAGID 0 VNI 1000 ADDR 1.1.1.1 VXLAN vxlan1 SWITCH sw1

b. Verify the EVPN table:


# get l2vpn evpn table
EVPN instance 100
Broadcast domain VNI 1000 TAGID 0

EVPN instance 100


Broadcast domain VNI 1000 TAGID 0

EVPN MAC table:


MAC VNI Remote Addr Binded Address
00:50:00:00:07:00 1000 2.2.2.2 172.18.1.33
1000 2.2.2.2 -

EVPN IP table:
Address VNI Remote Addr MAC
172.18.1.33 1000 2.2.2.2 00:50:00:00:07:00

EVPN Local MAC table:


"Inactive" means this MAC/IP pair will not be sent to peer.
Flag code: S - Static F - FDB. Trailing * means HA
MAC Flag Status Binded Address
00:50:00:00:06:00 Active 172.18.1.11
F Active -


EVPN Local IP table:


Address MAC
172.18.1.11 00:50:00:00:06:00

EVPN PEER table:


VNI Remote Addr Binded Address
1000 2.2.2.2 2.2.2.2

5. Run the proxy ARP diagnose command:


# diagnose ip parp list
Address Hardware Addr Interface
172.18.1.33 00:50:00:00:07:00 sw1
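The listings above can be cross-checked mechanically rather than by eye. The following Python script is an added example, not part of the FortiOS guide: it parses the route lines of get router info bgp evpn network and the EVPN MAC table from get l2vpn evpn table, then reports any remote MAC/IP that has no type-2 route or whose route next hop is not the VTEP the MAC was learned from. The sample text is constructed from the outputs shown above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: route block of `get router info bgp evpn network` (values from the guide)
BGP_EVPN_NETWORK = """\
Network Next Hop Metric LocPrf Weight RouteTag Path
Route Distinguisher: 100:100 (Default for VRF 0)
*> [2][0][48][00:50:00:00:06:00][0]/72
1.1.1.1 0 100 32768 0 i <-/>
*> [2][0][48][00:50:00:00:06:00][32][172.18.1.11]/104
1.1.1.1 0 100 32768 0 i <-/>
*>i[2][0][48][00:50:00:00:07:00][0]/72
2.2.2.2 0 100 0 0 i <-/>
*>i[2][0][48][00:50:00:00:07:00][32][172.18.1.33]/104
2.2.2.2 0 100 0 0 i <-/>
*> [3][0][32][1.1.1.1]/80
1.1.1.1 0 100 32768 0 i <-/>
*>i[3][0][32][2.2.2.2]/80
2.2.2.2 0 100 0 0 i <-/>
"""

# Constructed sample: the "EVPN MAC table" section of `get l2vpn evpn table`
EVPN_MAC_TABLE = """\
MAC VNI Remote Addr Binded Address
00:50:00:00:07:00 1000 2.2.2.2 172.18.1.33
"""

# NLRI line: status flags, then [type][eth-tag]... /prefix-length
ROUTE_RE = re.compile(
    r"^(?P<status>\*>?i?)\s*\[(?P<rtype>\d)\]\[(?P<tag>\d+)\]"
    r"(?P<rest>(?:\[[^\]]*\])+)/(?P<plen>\d+)$"
)
MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}")


@dataclass
class EvpnRoute:
    rtype: int                  # 2 = MAC/IP advertisement, 3 = inclusive multicast
    internal: bool              # trailing 'i' in the status column: learned via iBGP
    next_hop: str
    mac: Optional[str] = None   # type 2 only
    ip: Optional[str] = None    # type 2: bound host IP (may be absent); type 3: originator


def parse_bgp_evpn_routes(text: str) -> list:
    """Parse each NLRI line together with the attribute line that follows it."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    routes = []
    for idx, line in enumerate(lines):
        m = ROUTE_RE.match(line)
        if not m or idx + 1 >= len(lines):
            continue
        attrs = lines[idx + 1].split()          # Next Hop Metric LocPrf Weight RouteTag Path
        fields = re.findall(r"\[([^\]]*)\]", m.group("rest"))
        route = EvpnRoute(int(m.group("rtype")), m.group("status").endswith("i"), attrs[0])
        if route.rtype == 2:                    # [mac-len][mac][ip-len][ip]; ip-len 0 = no IP
            route.mac = fields[1]
            if len(fields) > 3 and fields[2] != "0":
                route.ip = fields[3]
        elif route.rtype == 3:                  # [ip-len][originator-ip]
            route.ip = fields[1]
        routes.append(route)
    return routes


def parse_evpn_mac_table(text: str) -> list:
    """Rows of the EVPN MAC table: MAC, VNI, remote VTEP, bound IP ('-' = none)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and MAC_RE.fullmatch(parts[0]):
            rows.append({"mac": parts[0], "vni": int(parts[1]), "remote": parts[2],
                         "ip": None if parts[3] == "-" else parts[3]})
    return rows


def check_remote_macs(routes: list, mac_rows: list) -> list:
    """One message per remote MAC/IP that lacks an iBGP type-2 route whose next hop
    is the VTEP the EVPN table says the MAC was learned from."""
    problems = []
    for row in mac_rows:
        same_key = [r for r in routes if r.rtype == 2 and r.mac == row["mac"] and r.ip == row["ip"]]
        if not same_key:
            problems.append(f"{row['mac']} {row['ip']}: no type-2 route in BGP table")
        elif not any(r.internal and r.next_hop == row["remote"] for r in same_key):
            problems.append(f"{row['mac']} {row['ip']}: route next hop "
                            f"{same_key[0].next_hop} differs from EVPN remote {row['remote']}")
    return problems


if __name__ == "__main__":
    found = check_remote_macs(parse_bgp_evpn_routes(BGP_EVPN_NETWORK),
                              parse_evpn_mac_table(EVPN_MAC_TABLE))
    print("consistent" if not found else "\n".join(found))
```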

VXLAN troubleshooting

The following commands can be used to troubleshoot VXLAN connectivity:


l diagnose sys vxlan fdb list <VXLAN_interface>

l diagnose sys vxlan fdb stat <VXLAN_interface>

l diagnose netlink brctl name host <switch_interface>

l diagnose sniffer packet any 'udp and port 4789' 4 0 l

l diagnose debug enable

l diagnose debug flow filter port 4789

l diagnose debug flow trace start <repeat_#>

Topology

The following topology is used as an example configuration to demonstrate VXLAN troubleshooting steps.

In this example, two FortiGates are configured as VXLAN tunnel endpoints (VTEPs). A VXLAN is configured to allow L2
connectivity between the networks behind each FortiGate. The VXLAN interface and port6 are placed on the same L2
network using a software switch (sw100). An L2 network is formed between PC1 and PC2.
The VTEPs have the following MAC address tables:


Interface/endpoint VTEP 1 VTEP 2

vxlan100 7e:f2:d1:84:75:0f ca:fa:31:23:8d:c1

port6 00:0c:29:4e:5c:1c 00:0c:29:d0:3e:0d

sw100 00:0c:29:4e:5c:1c 00:0c:29:d0:3e:0d

The MAC address of PC1 is 00:0c:29:90:4f:bf. The MAC address of PC2 is 00:0c:29:f0:88:2c.

To configure the VTEP 1 FortiGate:

1. Configure the local interface:


config system vxlan
edit "vxlan100"
set interface "port2"
set vni 100
set remote-ip "192.168.2.87"
next
end

2. Configure the interface settings:


config system interface
edit "port2"
set vdom "root"
set ip 192.168.2.86 255.255.255.0
set allowaccess ping https ssh http fabric
next
edit "vxlan100"
set vdom "root"
set type vxlan
set interface "port2"
next
end

3. Configure the software switch:


config system switch-interface
edit "sw100"
set vdom "root"
set member "port6" "vxlan100"
next
end

4. Configure the software switch interface settings:


config system interface
    edit "sw100"
        set vdom "root"
        set ip 10.10.100.86 255.255.255.0
        set allowaccess ping
        set type switch
        set device-identification enable
        set lldp-transmission enable
        set role lan
    next
end

To configure the VTEP 2 FortiGate:

1. Configure the local interface:


config system vxlan
edit "vxlan100"
set interface "port2"
set vni 100
set remote-ip "192.168.2.86"
next
end

2. Configure the interface settings:


config system interface
edit "port2"
set vdom "root"
set ip 192.168.2.87 255.255.255.0
set allowaccess ping https ssh snmp http
next
edit "vxlan100"
set vdom "root"
set type vxlan
set interface "port2"
next
end

3. Configure the software switch:


config system switch-interface
edit "sw100"
set vdom "root"
set member "port6" "vxlan100"
next
end

4. Configure the software switch interface settings:


config system interface
edit "sw100"
set vdom "root"
set ip 10.10.100.87 255.255.255.0
set allowaccess ping
set type switch
set device-identification enable
set lldp-transmission enable
set role lan
set snmp-index 42
next
end


To run diagnostics and debugs:

1. Start a ping from PC1 10.10.100.10 to PC2 10.10.100.20:


C:\Users\fortidocs>ping 10.10.100.20

Pinging 10.10.100.20 with 32 bytes of data:


Reply from 10.10.100.20: bytes=32 time=2ms TTL=128
Reply from 10.10.100.20: bytes=32 time=1ms TTL=128
Reply from 10.10.100.20: bytes=32 time=1ms TTL=128
Reply from 10.10.100.20: bytes=32 time<1ms TTL=128

Ping statistics for 10.10.100.20:


Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 2ms, Average = 1ms

2. Verify the ARP table:


C:\Users\fortidocs>arp /a

Interface: 10.10.100.10 --- 0x21


Internet Address Physical Address Type
10.10.100.20 00-0c-29-f0-88-2c dynamic
10.10.100.86 00-0c-29-4e-5c-1c dynamic
10.10.100.255 ff-ff-ff-ff-ff-ff static
224.0.0.22 01-00-5e-00-00-16 static
224.0.0.252 01-00-5e-00-00-fc static

3. Run diagnostics on the VTEP 1 FortiGate.


a. Verify the forwarding database of VXLAN interface vxlan100:
# diagnose sys vxlan fdb list vxlan100
mac=00:00:00:00:00:00 state=0x0082 remote_ip=192.168.2.87 port=4789 vni=100 ifindex=6
mac=00:0c:29:f0:88:2c state=0x0002 remote_ip=192.168.2.87 port=4789 vni=100 ifindex=6

total fdb num: 2

The MAC address 00:0c:29:f0:88:2c is learned from PC2 10.10.100.20.


b. Verify the summary of statistics from the VXLAN’s forwarding database:
# diagnose sys vxlan fdb stat vxlan100
fdb_table_size=256 fdb_table_used=2 fdb_entry=2 fdb_max_depth=1 cleanup_idx=0
cleanup_timer=252

c. Verify the software switch’s forwarding table:


# diagnose netlink brctl name host sw100
show bridge control interface sw100 host.
fdb: hash size=32768, used=6, num=6, depth=1, gc_time=4, ageing_time=3, simple=switch
Bridge sw100 host table
port no device devname mac addr ttl attributes
1 7 port6 00:0c:29:4e:5c:1c 0 Local Static
2 33 vxlan100 7e:f2:d1:84:75:0f 0 Local Static
2 33 vxlan100 00:00:00:00:00:00 26 Hit(26)
1 7 port6 00:0c:29:90:4f:bf 0 Hit(0)
1 7 port6 00:0c:29:d0:3e:ef 7 Hit(7)
2 33 vxlan100 00:0c:29:f0:88:2c 0 Hit(0)


The MAC address of port6 is 00:0c:29:4e:5c:1c. The MAC address of vxlan100 is 7e:f2:d1:84:75:0f. The MAC
address 00:0c:29:f0:88:2c of PC2 is learned from the remote network.
4. Run diagnostics on the VTEP 2 FortiGate.
a. Verify the forwarding database of VXLAN interface vxlan100:
# diagnose sys vxlan fdb list vxlan100
mac=00:00:00:00:00:00 state=0x0082 remote_ip=192.168.2.86 port=4789 vni=100 ifindex=6
mac=00:0c:29:90:4f:bf state=0x0002 remote_ip=192.168.2.86 port=4789 vni=100 ifindex=6

total fdb num: 2

The MAC address 00:0c:29:90:4f:bf is learned from PC1 10.10.100.10.


b. Verify the summary of statistics from the VXLAN’s forwarding database:
# diagnose sys vxlan fdb stat vxlan100
fdb_table_size=256 fdb_table_used=2 fdb_entry=2 fdb_max_depth=1 cleanup_idx=0
cleanup_timer=304

c. Verify the software switch’s forwarding table:


# diagnose netlink brctl name host sw100
show bridge control interface sw100 host.
fdb: hash size=32768, used=5, num=5, depth=1, gc_time=4, ageing_time=3, simple=switch
Bridge sw100 host table
port no device devname mac addr ttl attributes
2 50 vxlan100 00:00:00:00:00:00 10 Hit(10)
2 50 vxlan100 00:0c:29:90:4f:bf 2 Hit(2)
1 7 port6 00:0c:29:d0:3e:0d 0 Local Static
2 50 vxlan100 ca:fa:31:23:8d:c1 0 Local Static
1 7 port6 00:0c:29:f0:88:2c 0 Hit(0)

The MAC address of port6 is 00:0c:29:d0:3e:0d. The MAC address of vxlan100 is ca:fa:31:23:8d:c1. The MAC
address 00:0c:29:90:4f:bf of PC1 is learned from the remote network.
5. Perform a sniffer trace on the VTEP 1 FortiGate to view the life of the packets as they pass through the FortiGate:
# diagnose sniffer packet any 'host 10.10.100.20 or (udp and host 192.168.2.87)' 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[host 10.10.100.20 or (udp and host 192.168.2.87)]
2022-11-04 14:35:18.567602 port6 in arp who-has 10.10.100.20 tell 10.10.100.10
2022-11-04 14:35:18.567629 vxlan100 out arp who-has 10.10.100.20 tell 10.10.100.10
2022-11-04 14:35:18.567642 port2 out 192.168.2.86.4804 -> 192.168.2.87.4789: udp 68
2022-11-04 14:35:18.567658 sw100 in arp who-has 10.10.100.20 tell 10.10.100.10
2022-11-04 14:35:18.568239 port2 in 192.168.2.87.4789 -> 192.168.2.86.4789: udp 68
2022-11-04 14:35:18.568263 vxlan100 in arp reply 10.10.100.20 is-at 00:0c:29:f0:88:2c
2022-11-04 14:35:18.568272 port6 out arp reply 10.10.100.20 is-at 00:0c:29:f0:88:2c
2022-11-04 14:35:18.568425 port6 in 10.10.100.10 -> 10.10.100.20: icmp: echo request
2022-11-04 14:35:18.568435 vxlan100 out 10.10.100.10 -> 10.10.100.20: icmp: echo request
2022-11-04 14:35:18.568443 port2 out 192.168.2.86.4805 -> 192.168.2.87.4789: udp 82
2022-11-04 14:35:18.568912 port2 in 192.168.2.87.4789 -> 192.168.2.86.4789: udp 68
2022-11-04 14:35:18.568925 vxlan100 in arp who-has 10.10.100.10 tell 10.10.100.20
2022-11-04 14:35:18.568935 port6 out arp who-has 10.10.100.10 tell 10.10.100.20
2022-11-04 14:35:18.568945 sw100 in arp who-has 10.10.100.10 tell 10.10.100.20
2022-11-04 14:35:18.569070 port6 in arp reply 10.10.100.10 is-at 00:0c:29:90:4f:bf
2022-11-04 14:35:18.569076 vxlan100 out arp reply 10.10.100.10 is-at 00:0c:29:90:4f:bf
2022-11-04 14:35:18.569081 port2 out 192.168.2.86.4806 -> 192.168.2.87.4789: udp 68
2022-11-04 14:35:18.569417 port2 in 192.168.2.87.4789 -> 192.168.2.86.4789: udp 82
2022-11-04 14:35:18.569427 vxlan100 in 10.10.100.20 -> 10.10.100.10: icmp: echo reply
2022-11-04 14:35:18.569431 port6 out 10.10.100.20 -> 10.10.100.10: icmp: echo reply

In the output, the following packet sequence is seen on the FortiGate:


a. The FortiGate receives an ARP request from PC1 10.10.100.10 on port6.
b. The ARP request is forwarded to vxlan100 on the same software switch, where it gets encapsulated and sent
out as a UDP port 4789 packet on port2.
c. A reply is received on port2 from the remote VTEP with the ARP response encapsulated in UDP port 4789
again.
d. The ARP reply is forwarded back out of port6 to PC1.
e. PC1 sends the ICMP request using the same steps.
6. Perform the same sniffer trace with the same filter at verbosity level 6. In this example, the packet capture is
converted into a Wireshark file.

The packet that leaves the physical port2 is encapsulated in UDP and has a VXLAN header with VNI 100 as the
identifier. There is an additional 50 B overhead of the UDP encapsulated VXLAN packets as opposed to the
unencapsulated packets (for example, packet 4 versus packets 1 and 2).
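The length arithmetic behind the trace above can be verified with a short script. The following Python code is an added example, not part of the FortiOS guide: it pairs each frame the sniffer shows leaving vxlan100 with the next UDP/4789 datagram leaving port2 and checks that the reported UDP length equals the 8-byte VXLAN header plus the inner Ethernet frame, padded to the 60-byte minimum (which is why an ARP request shows as udp 68 and a 32-byte ping as udp 82). The trace lines are constructed from the output above; the 32-byte ICMP payload is an assumption taken from the Windows ping.

```python
import re

ETH_HDR, IPV4_HDR, UDP_HDR, VXLAN_HDR = 14, 20, 8, 8
ETH_MIN_FRAME = 60      # minimum Ethernet frame, FCS excluded
ARP_LEN = 28            # Ethernet/IPv4 ARP packet
ICMP_HDR = 8
VXLAN_UDP_PORT = 4789
# Outer Ethernet + IPv4 + UDP + VXLAN headers added to every encapsulated frame
VXLAN_OVERHEAD = ETH_HDR + IPV4_HDR + UDP_HDR + VXLAN_HDR    # 50 bytes

# Constructed sample from the guide's trace: an ARP request and an ICMP echo request,
# each seen leaving vxlan100 and then leaving port2 as a UDP/4789 datagram
SNIFFER_TRACE = """\
2022-11-04 14:35:18.567602 port6 in arp who-has 10.10.100.20 tell 10.10.100.10
2022-11-04 14:35:18.567629 vxlan100 out arp who-has 10.10.100.20 tell 10.10.100.10
2022-11-04 14:35:18.567642 port2 out 192.168.2.86.4804 -> 192.168.2.87.4789: udp 68
2022-11-04 14:35:18.568425 port6 in 10.10.100.10 -> 10.10.100.20: icmp: echo request
2022-11-04 14:35:18.568435 vxlan100 out 10.10.100.10 -> 10.10.100.20: icmp: echo request
2022-11-04 14:35:18.568443 port2 out 192.168.2.86.4805 -> 192.168.2.87.4789: udp 82
"""

LINE_RE = re.compile(r"^\S+ \S+ (?P<iface>\S+) (?P<dir>in|out) (?P<desc>.+)$")
UDP_RE = re.compile(r"-> \S+\.(?P<dport>\d+): udp (?P<len>\d+)$")


def inner_frame_len(desc: str, icmp_data: int = 32) -> int:
    """Size of the inner Ethernet frame for a packet the sniffer describes as desc.
    icmp_data is an assumption: the Windows ping above sends 32 bytes of data."""
    if desc.startswith("arp "):
        payload = ARP_LEN
    elif "icmp:" in desc:
        payload = IPV4_HDR + ICMP_HDR + icmp_data
    else:
        raise ValueError(f"unsupported inner packet: {desc}")
    return max(ETH_MIN_FRAME, ETH_HDR + payload)     # short frames are padded


def expected_udp_len(desc: str, icmp_data: int = 32) -> int:
    """UDP payload length the sniffer should report for the encapsulated copy."""
    return VXLAN_HDR + inner_frame_len(desc, icmp_data)


def check_encapsulation(trace: str, vxlan_if: str = "vxlan100", underlay_if: str = "port2"):
    """Pair each frame leaving vxlan_if with the next datagram leaving underlay_if.
    Returns (matches, problems); a problem is a wrong port or an unexpected length."""
    matches, problems = [], []
    pending = None
    for raw in trace.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        iface, direction, desc = m.group("iface"), m.group("dir"), m.group("desc")
        if iface == vxlan_if and direction == "out":
            pending = desc
        elif iface == underlay_if and direction == "out" and pending is not None:
            u = UDP_RE.search(desc)
            if u is None or int(u.group("dport")) != VXLAN_UDP_PORT:
                problems.append(f"{pending!r} left {underlay_if} as {desc!r}, not UDP/{VXLAN_UDP_PORT}")
            else:
                want, got = expected_udp_len(pending), int(u.group("len"))
                (matches if got == want else problems).append(
                    f"{pending!r}: udp {got} (expected {want})")
            pending = None
    return matches, problems


if __name__ == "__main__":
    ok, bad = check_encapsulation(SNIFFER_TRACE)
    print(f"{len(ok)} frames encapsulated as expected, {len(bad)} problems", *bad, sep="\n")
```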

DNS

Domain name system (DNS) is used by devices to locate websites by mapping a domain name to a website’s IP
address.
A FortiGate can serve different roles based on user requirements:
l A FortiGate can control what DNS server a network uses.
l A FortiGate can function as a DNS server.
FortiGuard Dynamic DNS (DDNS) allows a remote administrator to access a FortiGate's Internet-facing interface using a
domain name that remains constant even when its IP address changes.


FortiOS supports DNS configuration for both IPv4 and IPv6 addressing. When a user requests a website, the FortiGate
looks to the configured DNS servers to provide the IP address of the website in order to know which server to contact to
complete the transaction.
The FortiGate queries the DNS servers whenever it needs to resolve a domain name into an IP address, such as for NTP
or web servers defined by their domain names.
The following topics provide information about DNS:
l Important DNS CLI commands on page 273
l DNS domain list on page 276
l FortiGate DNS server on page 278
l DDNS on page 285
l DNS latency information on page 289
l DNS over TLS and HTTPS on page 291
l Transparent conditional DNS forwarder on page 295
l Interfaces in non-management VDOMs as the source IP address of the DNS conditional forwarding server on page 299
l DNS session helpers on page 301
l DNS troubleshooting on page 302

Important DNS CLI commands

DNS settings can be configured with the following CLI command:


config system dns
    set primary <ip_address>
    set secondary <ip_address>
    set protocol {cleartext dot doh}
    set ssl-certificate <string>
    set server-hostname <hostname>
    set domain <domains>
    set ip6-primary <ip6_address>
    set ip6-secondary <ip6_address>
    set timeout <integer>
    set retry <integer>
    set dns-cache-limit <integer>
    set dns-cache-ttl <integer>
    set cache-notfound-responses {enable | disable}
    set interface-select-method {auto | sdwan | specify}
    set interface <interface>
    set source-ip <class_ip>
    set server-select-method {least-rtt | failover}
    set alt-primary <ip_address>
    set alt-secondary <ip_address>
    set log {disable | error | all}
    set fqdn-cache-ttl <integer>
    set fqdn-min-refresh <integer>
    set fqdn-max-refresh <integer>
end

For a FortiGate with multiple logical CPUs, you can set the DNS process number from 1 to the number of logical CPUs.
The default DNS process number is 1.

config system global
    set dnsproxy-worker-count <integer>
end

DNS protocols

The following DNS protocols can be enabled:


l cleartext: Enable clear text DNS over port 53 (default).
l dot: Enable DNS over TLS.
l doh: Enable DNS over HTTPS.
For more information, see DNS over TLS and HTTPS on page 291.

cache-notfound-responses

When enabled, any DNS requests that are returned with NOT FOUND can be stored in the cache. The DNS server is not
asked to resolve the host name for NOT FOUND entries. By default, this option is disabled.

dns-cache-limit

Set the number of DNS entries that are stored in the cache (0 to 4294967295, default = 5000). Entries that remain in the
cache provide a quicker response to requests than going out to the Internet to get the same information.

dns-cache-ttl

The duration that the DNS cache retains information, in seconds (60 to 86400 (1 day), default = 1800).

fqdn-cache-ttl

FQDN cache time to live (TTL), in seconds (0 - 86400, default = 0).


This is the amount of time an FQDN's address record can live if not refreshed. This setting applies globally, across all
VDOMs, to FQDNs that have unspecified firewall address cache-ttl settings. If the cache-ttl value is configured
for an FQDN address, it will supersede the fqdn-cache-ttl setting for that address.
For example, configure the FQDN cache TTL on the global VDOM:
config system dns
set fqdn-cache-ttl 2000
end
# diagnose test application dnsproxy 6
...
vfid=0 name=test.bb.com ver=IPv4 wait_list=0 timer=985 min_ttl=1000 cache_ttl=2000 slot=-1
num=1 wildcard=0
1.1.1.1 (ttl=1000:991:1991)
vfid=0 name=*.google.com ver=IPv4 wait_list=0 timer=0 min_ttl=0 cache_ttl=2000 slot=-1 num=0
wildcard=
...


Change the cache TTL in a VDOM for a specific address:


config firewall address
edit "test.bb.com"
set cache-ttl 1000
next
end
# sudo global diagnose test application dnsproxy 6
...
vfid=0 name=test.bb.com ver=IPv4 wait_list=0 timer=864 min_ttl=1000 cache_ttl=1000 slot=-1
num=1 wildcard=0
1.1.1.1 (ttl=1000:870:1870)
vfid=0 name=*.google.com ver=IPv4 wait_list=0 timer=0 min_ttl=0 cache_ttl=2000 slot=-1 num=0
wildcard=1
...

fqdn-min-refresh

FQDN cache minimum refresh time, in seconds (10 - 3600, default = 60).
An FQDN normally requeries for updates according to the lowest TTL interval returned from all the DNS records in a
DNS response. The FortiGate has a default minimum refresh interval of 60 seconds; if a TTL interval is shorter than 60
seconds, the FortiGate still waits a minimum of 60 seconds before requerying for new addresses. The fqdn-min-refresh
setting changes this interval. It can be shortened if there are FQDNs that require fast resolution based on a short TTL
interval.
For example, if fqdn-min-refresh is unspecified:
# diagnose test application dnsproxy 3
worker idx: 0
...
FQDN: min_refresh=60 max_refresh=3600
...
# diagnose test application dnsproxy 6
worker idx: 0
vfid=0 name=aa.com ver=IPv4 wait_list=0 timer=28 min_ttl=20 cache_ttl=0 slot=-1 num=1
wildcard=0
23.202.195.114 (ttl=20:0:0)

The min_refresh is the default value of 60 seconds. Although the min_ttl (TTL returned) value is shorter, the
FortiGate only requeries for updates based on the min_refresh value. The timer value is the countdown until the next
refresh is triggered. The FortiGate triggers a refresh slightly earlier than the larger of the min_refresh or min_ttl
value.
If fqdn-min-refresh is configured:
config system dns
set fqdn-min-refresh 20
end
# diagnose test application dnsproxy 3
worker idx: 0
...
FQDN: min_refresh=20 max_refresh=3600
...

# diagnose test application dnsproxy 6
worker idx: 0
vfid=0 name=aa.com ver=IPv4 wait_list=0 timer=8 min_ttl=20 cache_ttl=0 slot=-1 num=1
wildcard=0
23.202.195.114 (ttl=20:14:14)

This setting can be used in combination with fqdn-cache-ttl and cache-ttl to send more frequent queries and
store more resolved addresses in cache. This is useful in scenarios where the FQDN has many resolutions and changes
very frequently.

fqdn-max-refresh

FQDN cache maximum refresh time, in seconds (3600 - 86400, default = 3600).
The fqdn-max-refresh setting is used to control the global upper limit of the FQDN refresh timer. FQDN entries with a
TTL interval that is longer than the fqdn-max-refresh value will have their refresh timer reduced to this upper limit.
This allows the FortiGate to dictate the upper limit in querying for DNS updates for its FQDN addresses.
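The refresh and cache rules described above can be modelled and used to sanity-check diagnose test application dnsproxy 6 output. The following Python code is an added example, not part of the FortiOS guide: refresh_interval applies fqdn-min-refresh and fqdn-max-refresh to a record TTL, effective_cache_ttl applies the per-address override of fqdn-cache-ttl, and check_entries flags dnsproxy entries that disagree with the configured values. The entry lines are constructed from the guide's output; matching a firewall address to its FQDN by name is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed sample: two entries from `diagnose test application dnsproxy 6`, each
# joined onto one line (values taken from the guide's output after cache-ttl 1000 was
# set on the "test.bb.com" address while the global fqdn-cache-ttl was 2000)
DNSPROXY_ENTRIES = """\
vfid=0 name=test.bb.com ver=IPv4 wait_list=0 timer=864 min_ttl=1000 cache_ttl=1000 slot=-1 num=1 wildcard=0
vfid=0 name=*.google.com ver=IPv4 wait_list=0 timer=0 min_ttl=0 cache_ttl=2000 slot=-1 num=0 wildcard=1
"""

ENTRY_RE = re.compile(
    r"name=(?P<name>\S+) .*?timer=(?P<timer>\d+) min_ttl=(?P<min_ttl>\d+) cache_ttl=(?P<cache_ttl>\d+)"
)


@dataclass
class DnsSettings:
    """The `config system dns` values this model depends on (defaults as in the guide)."""
    fqdn_min_refresh: int = 60      # 10 - 3600
    fqdn_max_refresh: int = 3600    # 3600 - 86400
    fqdn_cache_ttl: int = 0         # 0 - 86400


def refresh_interval(record_ttl: int, s: DnsSettings) -> int:
    """Seconds until the FortiGate requeries an FQDN whose lowest record TTL is
    record_ttl: raised to fqdn-min-refresh, capped at fqdn-max-refresh."""
    return min(max(record_ttl, s.fqdn_min_refresh), s.fqdn_max_refresh)


def effective_cache_ttl(s: DnsSettings, address_cache_ttl: int = 0) -> int:
    """A firewall address with its own cache-ttl supersedes the global
    fqdn-cache-ttl; an unspecified (0) address value falls back to it."""
    return address_cache_ttl if address_cache_ttl else s.fqdn_cache_ttl


def parse_dnsproxy_entries(text: str) -> list:
    """Extract name, timer, min_ttl and cache_ttl from each dnsproxy entry line."""
    return [{k: (v if k == "name" else int(v)) for k, v in m.groupdict().items()}
            for m in (ENTRY_RE.search(ln) for ln in text.splitlines()) if m]


def check_entries(text: str, s: DnsSettings, address_ttls: dict = None) -> list:
    """Flag entries whose refresh countdown exceeds what the settings allow, or whose
    cache_ttl is not the value the global/per-address configuration implies.
    address_ttls maps an FQDN address name to its configured cache-ttl (assumed equal
    to the FQDN itself, as in the guide's `edit "test.bb.com"`)."""
    address_ttls = address_ttls or {}
    problems = []
    for e in parse_dnsproxy_entries(text):
        limit = refresh_interval(e["min_ttl"], s)
        if e["timer"] > limit:
            problems.append(f"{e['name']}: timer {e['timer']}s exceeds refresh interval {limit}s")
        want = effective_cache_ttl(s, address_ttls.get(e["name"], 0))
        if e["cache_ttl"] != want:
            problems.append(f"{e['name']}: cache_ttl {e['cache_ttl']}s, expected {want}s")
    return problems


if __name__ == "__main__":
    settings = DnsSettings(fqdn_cache_ttl=2000)
    print(check_entries(DNSPROXY_ENTRIES, settings, {"test.bb.com": 1000}) or "entries consistent")
```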

VDOM DNS

When the FortiGate is in multi-VDOM mode, DNS is handled by the management VDOM. However, in some cases,
administrators may want to configure custom DNS settings on a non-management VDOM. For example, in a multi-tenant
scenario, each VDOM might be occupied by a different tenant, and each tenant might require its own DNS server.
For more information on VDOM DNS, see Interfaces in non-management VDOMs as the source IP address of the DNS
conditional forwarding server on page 299.

To configure custom DNS settings within a non-management VDOM:

config vdom
    edit <vdom>
        config system vdom-dns
            set vdom-dns enable
            set primary <primary_DNS>
            set secondary <secondary_DNS>
            set protocol {cleartext dot doh}
            set ip6-primary <primary_IPv6_DNS>
            set ip6-secondary <secondary_IPv6_DNS>
            set source-ip <IP_address>
            set interface-select-method {auto | sdwan | specify}
        end
    next
end

DNS domain list

You can configure up to eight domains in the DNS settings using the GUI or the CLI.
When a FortiGate requests a URL that does not include an FQDN, FortiOS resolves the URL by traversing through the
DNS domain list and performing a query for each domain until the first match is found.
By default, FortiGates use FortiGuard's DNS servers:


l Primary: 96.45.45.45
l Secondary: 96.45.46.46
You can also customize the DNS timeout time and the number of retry attempts.

To configure a DNS domain list in the GUI:

1. Go to Network > DNS.


2. Set DNS Servers to Specify.
3. Configure the primary and secondary DNS servers as needed.
4. In the Local Domain Name field, enter the first domain (sample.com in this example).
5. Click the + to add more domains (example.com and domainname.com in this example). You can enter up to eight
domains.
6. Configure additional DNS protocol and IPv6 settings as needed.

7. Click Apply.

To configure a DNS domain list in the CLI:

config system dns
    set primary 96.45.45.45
    set secondary 96.45.46.46
    set domain "sample.com" "example.com" "domainname.com"
end

Verify the DNS configuration

In the following example, the local DNS server has the entry for host1 mapped to the FQDN of host1.sample.com, and
the entry for host2 is mapped to the FQDN of host2.example.com.


To verify that the DNS domain list is configured:

1. Open the FortiGate CLI.


2. Enter execute ping host1.
The system returns the following response:
PING host1.sample.com (1.1.1.1): 56 data bytes

As the request does not include an FQDN, FortiOS traverses the configured DNS domain list to find a match.
Because host1 is mapped to host1.sample.com, FortiOS resolves host1 using sample.com, the first entry in the
domain list.
3. Enter execute ping host2.
The system returns the following response:
PING host2.example.com (2.2.2.2): 56 data bytes

FortiOS traverses the domain list to find a match. It first queries sample.com, the first entry in the domain list, but
does not find a match. It then queries the second entry in the domain list, example.com. Because host2 is mapped
to the FQDN of host2.example.com, FortiOS resolves host2 to example.com.

DNS timeout and retry settings

The DNS timeout and retry settings can be customized using the CLI.
config system dns
set timeout <integer>
set retry <integer>
end

timeout <integer> The DNS query timeout interval, in seconds (1 - 10, default = 5).
retry <integer> The number of times to retry the DNS query (0 - 5, default = 2).

FortiGate DNS server

You can create local DNS servers for your network. Depending on your requirements, you can either manually maintain
your entries (primary DNS server), or use it to refer to an outside source (secondary DNS server).
A local, primary DNS server requires that you manually add all URL and IP address combinations. Using a primary
DNS server for local services can minimize inbound and outbound traffic, and access time. Making it authoritative is not
recommended, because IP addresses can change, and maintaining the list can become labor intensive.
A secondary DNS server refers to an alternate source to obtain URL and IP address combinations. This is useful when
there is a primary DNS server where the entry list is maintained.
FortiGate as a DNS server also supports TLS and HTTPS connections to a DNS client. See DNS over TLS and HTTPS
on page 291 for details.
DNS over QUIC (DoQ) and DNS over HTTP3 (DoH3) are supported in proxy mode inspection for transparent and local-in
explicit modes. See DNS over QUIC and DNS over HTTP3 for transparent and local-in DNS modes on page 1752 for details.
See Basic DNS server configuration example on page 282 for a sample configuration.
By default, DNS server options are not available in the FortiGate GUI.


To enable DNS server options in the GUI:

1. Go to System > Feature Visibility.


2. Enable DNS Database in the Additional Features section.
3. Click Apply.

To configure the FortiGate as a DNS server in the GUI:

1. Go to Network > DNS Servers.


2. Enable DNS services on an interface:
a. In the DNS Service on Interface table, click Create New.
b. Configure the following:

Interface Select the interface to enable DNS service on.

Mode Set the DNS server mode:
l Recursive: The system first checks for the requested record in the shadow DNS database. If the record is not
found locally, the query is then forwarded to the system’s DNS server for further lookup. This mode ensures a
comprehensive search for the requested record, utilizing both local and system DNS resources.
l Non-Recursive: Search is restricted to the Public DNS database only. If the requested record is not found, the
query will not be forwarded to the system’s DNS server. This mode is useful when you need to limit queries strictly
to local resources.
l Forward to System DNS: The local DNS database is bypassed and all queries are forwarded directly to the
system’s DNS server. This is beneficial when you need to rely solely on system-level DNS resources for resolving
queries.

DNS Filter Apply a DNS filter profile to the DNS server. This option is not available when Mode is Non-Recursive.
See Applying DNS filter to FortiGate DNS server on page 1748 for more information.

DNS over HTTPS Enable DNS over HTTPS (DoH). DoH is a method of performing DNS resolution over a secure
HTTPS connection. See DNS over TLS and HTTPS on page 291 for more information.

DNS over HTTP3 Enable DNS over HTTP3 (DoH3). DoH3 is a method of performing DNS resolution over an HTTP3
connection. See DNS over QUIC and DNS over HTTP3 for transparent and local-in DNS modes on page 1752 for more
information.

DNS over QUIC Enable DNS over QUIC (DoQ). DoQ is a method of performing DNS resolution over a Quick UDP
Internet Connections (QUIC) connection. See DNS over QUIC and DNS over HTTP3 for transparent and local-in DNS
modes on page 1752 for more information.

c. Click OK.
3. Build the DNS database:


a. In the DNS Database table, click Create New.


b. Configure the following:

Type Select the zone type:
l Primary: The primary DNS zone, to manage entries directly.
l Secondary: The secondary DNS zone, to import entries from other DNS zones. The purpose of a secondary DNS
zone is to provide redundancy and load balancing. If the primary DNS server fails, the secondary DNS server can
continue to resolve queries for the domain.

View Select the zone view:
l Shadow: This type of DNS zone is designed for both internal and external clients, allowing them to resolve DNS
queries with the recursive DNS server on FortiGate. It creates a shadow of your public DNS records within your
private network.
l Public: This type of DNS zone is intended to serve external clients only, allowing them to resolve DNS queries
with the non-recursive DNS server on FortiGate. It contains records that map the domain names of your publicly
accessible services to their respective IP addresses. These records are propagated across the internet, allowing
anyone in the world to find and connect to your services.
l Proxy: This special type of shadow DNS zone is specifically designed for explicit proxy. It allows the explicit
proxy to perform DNS lookups using a local database, providing faster and more efficient resolution of domain
names. Internal users can experience improved performance and reduced latency when accessing websites and
online services through the explicit proxy.

DNS Zone The name of the DNS zone.

Domain Name The domain name.

Hostname of Primary DNS The domain name of the default DNS server for this zone. This option is only available
when Type is Primary.

IP of Primary The IP address of the primary DNS server. This option is only available when Type is Secondary.

Contact Email Address The email address of the administrator for this zone. You can specify only the username,
such as admin, or the full email address, such as [email protected]. When using only a username, the domain of
the email is the zone. This option is only available when Type is Primary.

TTL The default time-to-live value for the entries of this DNS zone. This option is only available when Type is
Primary.

Authoritative Enabling Authoritative makes this server the primary and sole source of information for this specific
DNS zone. It prevents the FortiGate from seeking DNS records further upstream. Enabling authoritative is not
recommended.

DNS Forwarder

c. Add DNS entries:


i. In the DNS Entries table, click Create New.


ii. Configure the following:

Type The resource record type. The availability of the subsequent settings varies depending on the selected type.
l Address (A): This is the host type. It maps a hostname to an IPv4 address in the DNS system, allowing a browser
or other client to access a server using its domain name.
l Name Server (NS): This is the name server type. It indicates which DNS server is authoritative for that domain.
l Canonical Name (CNAME): This is the canonical name type. It’s used to alias one name to another.
l Mail Exchange (MX): This is the mail exchange type. It routes email to a specified mail server based on the
information in the record.
l IPv6 Address (AAAA): This is the IPv6 host type. Similar to the A record, but it maps a hostname to an IPv6
address.
l IPv4 Pointer (PTR): This is the pointer type for IPv4. It provides a mapping of the IP address to a hostname,
essentially the reverse of what an A record does.
l IPv6 Pointer (PTR): This is the pointer type for IPv6. It functions similarly to the IPv4 PTR record, but for IPv6
addresses.

TTL The time-to-live for this entry.

iii. Click OK.
d. Click OK.

To configure the FortiGate as a DNS server in the CLI:

1. Configure DNS servers:
config system dns-server
edit <name>
set dnsfilter-profile {string}
set doh {enable | disable}
set doh3 {enable | disable}
set doq {enable | disable}
set mode {recursive | non-recursive | forward-only}
next
end

See config system dns-server in the CLI reference for a comprehensive list of commands.
2. Configure DNS database:
config system dns-database
edit <name>
set authoritative {enable | disable}
set contact {string}
set domain {string}
set forwarder {user}
set primary-name {string}
set ttl {integer}
set type {primary | secondary}
set view {shadow | public | shadow-ztna | proxy}
config dns-entry
edit <id>
set status {enable | disable}
set type {A | NS | CNAME | MX | AAAA | PTR | PTR_V6}
set ttl {integer}
set ip {ipv4-address-any}
set ipv6 {ipv6-address}
set hostname {string}
set canonical-name {string}
next
end
next
end

See config system dns-database in the CLI reference for a comprehensive list of commands.

Basic DNS server configuration example

This section describes how to create an unauthoritative primary DNS server. The interface mode is recursive so that, if
the request cannot be fulfilled, the external DNS servers will be queried.

In this example, the Local site is configured as an unauthoritative primary DNS server.

To configure FortiGate as a primary DNS server in the GUI:

1. Go to Network > DNS Servers.
2. In the DNS Database table, click Create New.
3. Set Type to Primary.
4. Set View to Shadow.
The View setting controls the accessibility of the DNS server. If you select Public, external users can access or use
the DNS server. If you select Shadow, only internal users can use it.
5. Enter a DNS Zone, for example, WebServer.
6. Enter the Domain Name of the zone, for example, example.com.
7. Enter the Hostname of the DNS server, for example, corporate.
8. Enter the Contact Email Address for the administrator, for example, [email protected].
9. Disable Authoritative.
10. Add DNS entries:
a. In the DNS Entries table, click Create New.
b. Select a Type, for example Address (A).
c. Set the Hostname, for example web.
d. Configure the remaining settings as needed. The options might vary depending on the selected Type.
e. Click OK.
11. Add more DNS entries as needed.
12. Click OK.
13. Enable DNS services on an interface:
a. Go to Network > DNS Servers.
b. In the DNS Service on Interface table, click Create New.
c. Select the Interface for the DNS server, such as port1.
d. Set the Mode to Recursive.
e. Click OK.

To configure FortiGate as a primary DNS server in the CLI:

config system dns-database
edit WebServer
set domain example.com
set type primary
set view shadow
set ttl 86400
set primary-name corporate
set contact [email protected]
set authoritative disable
config dns-entry
edit 1
set status enable
set hostname web
set type A
set ip 172.16.200.254
next
end
next
end

config system dns-server
edit port1
set mode recursive
next
end

To verify the configuration:

1. Send a DNS query for a DNS entry configured locally on the Local site FortiGate:
C:\Users\demo>nslookup office.microsoft.com
Server: Unknown
Address: 172.16.200.1
Non-authoritative answer:
Name: web.example.com
Address: 172.16.200.254

The query is resolved to the IP address configured in the shadow DNS database on the Local site FortiGate.
2. Send a DNS query for a domain that is not configured on the Local site FortiGate:
C:\Users\demo>nslookup facebook.com
Server: Unknown
Address: 172.16.200.1
Non-authoritative answer:
Name: facebook.com
Addresses: 157.240.22.35

The query is resolved by the central DNS server.

DDNS

If your external IP address changes regularly and you want a static domain name, you can configure the external
interface to use a dynamic DNS (DDNS) service. This ensures that external users and customers can always connect to
your company firewall. You can configure FortiGuard as the DDNS server using the GUI or CLI.
Multiple DDNS interfaces can be configured in the GUI. The number of DDNS entries that can be configured is restricted
by table size, with limits of 16, 32, and 64 entries for entry-level, mid-range, and high-end FortiGates respectively.
A license or subscription is not required to use the DDNS service, but configuring DDNS in the GUI is not supported if:
l The FortiGate model is a 1000-series or higher.
l The FortiGate is a VM.
l The DNS server is not using FortiGuard as the DNS.

DDNS is not supported in transparent mode.

Sample topology

In this example, FortiGuard DDNS is enabled and the DDNS server is set to float-zone.com. Other DDNS server options
include fortiddns.com and fortidyndns.com.

To configure multiple DDNS entries in the GUI:

1. Go to Network > DNS.
2. In the Dynamic DNS table, click Create new.
The New DDNS Entry pane opens.
3. Configure the DDNS entry settings:
a. Select the Interface with the dynamic connection.
b. Select the Server that you have an account with.
c. Enter the Unique Location.
d. Click OK.
4. Click Create new and repeat step 3 to add more entries.
5. Click Apply.

To configure the FortiGuard DDNS service as an IPv4 DDNS server in the CLI:

config system ddns
edit 1
set ddns-server FortiGuardDDNS
set server-type ipv4
set ddns-domain "branch.float-zone.com"
set addr-type ipv4
set use-public-ip enable
set monitor-interface "wan1"
next
end

To configure the FortiGuard DDNS service as an IPv6 DDNS server in the CLI:

config system ddns
edit 1
set ddns-server FortiGuardDDNS
set server-type ipv6
set ddns-domain "fgtatest001.float-zone.com"
set addr-type ipv6
set monitor-interface "wan1"
next
end

DDNS servers other than FortiGuard

If you do not have a FortiGuard subscription, or want to use a different DDNS server, you can configure a DDNS server
for each interface. Only the first configured port appears in the GUI.
The available commands vary depending on the selected DDNS server.

To configure DDNS servers other than FortiGuard in the CLI:

config system ddns
edit <DDNS_ID>
set monitor-interface <external_interface>
set ddns-server <ddns_server_selection>
set server-type {ipv4 | ipv6}
set ddns-server-addr <address>
set addr-type {ipv4 | ipv6}
next
end

To configure an IPv6 DDNS client with generic DDNS on port 3 in the CLI:

config system ddns
edit 1
set ddns-server genericDDNS
set server-type ipv6
set ddns-server-addr "2004:16:16:16::2" "16.16.16.2" "ddns.genericddns.com"
set ddns-domain "test.com"
set addr-type ipv6
set monitor-interface "port3"
next
end

Refresh DDNS IP addresses

When using a public IP that is not assigned to the FortiGate, the FortiGate cannot trigger an update when the IP address
changes. The FortiGate can be configured to refresh DDNS IP addresses by periodically checking the DDNS server at
an update interval.

To configure FortiGate to refresh DDNS IP addresses in the CLI:

config system ddns
edit 1
set use-public-ip enable
set update-interval <seconds>
next
end

When update-interval is set to 0:
l For FortiGuard DDNS, the interval is 300 seconds.
l For third-party DDNS servers, the interval is assigned by the DDNS server.

Disable cleartext

When clear-text is disabled, the FortiGate uses an SSL connection to send and receive DDNS updates.

To disable cleartext and set the SSL certificate in the CLI:

config system ddns
edit 2
set clear-text disable
set ssl-certificate <cert_name>
next
end

DDNS update override

A DHCP server has an override command option that allows DHCP server communications to go through DDNS to
perform updates for the DHCP client. This forces a DDNS update of the A record every time, even if the DHCP client
does not request it. This allows support for the allow, ignore, and deny client-updates options.

To enable DDNS update override in the CLI:

config system dhcp server
edit 1
set ddns-update enable
set ddns-update-override enable
set ddns-server-ip <ddns_server_ip>
set ddns-zone <ddns_zone>
next
end

Troubleshooting

To debug DDNS:

# diagnose debug application ddnscd -1
# diagnose debug enable

To check if a DDNS server is available:

# diagnose test application ddnscd 3

Not available:
FortiDDNS status:
ddns_ip=0.0.0.0, ddns_ip6=::, ddns_port=443 svr_num=0 domain_num=0

Available:
FortiDDNS status:
ddns_ip=208.91.113.230, ddns_ip6=::, ddns_port=443 svr_num=1 domain_num=3
svr[0]= 208.91.113.230
domain[0]= fortiddns.com
domain[1]= fortidyndns.com
domain[2]= float-zone.com

DNS latency information

High latency in DNS traffic can result in an overall sluggish experience for end-users. In the DNS Settings pane, you can
quickly identify DNS latency issues in your configuration.
Go to Network > DNS to view DNS latency information in the right side bar. If you use FortiGuard DNS, latency
information for DNS, DNS filter, web filter, and outbreak prevention servers is also visible. Hover your pointer over a
latency value to see when it was last updated.

To view DNS latency information using the CLI:

# diagnose test application dnsproxy 2
worker idx: 0
worker: count=1 idx=0
retry_interval=500 query_timeout=1495
DNS latency info:
vfid=0 server=2001::1 latency=1494 updated=73311
vfid=0 server=96.45.46.46 latency=1405 updated=2547
vfid=0 server=8.8.8.8 latency=19 updated=91
SDNS latency info:
vfid=0 server=173.243.140.53 latency=1 updated=707681
DNS_CACHE: alloc=35, hit=26
RATING_CACHE: alloc=1, hit=49
DNS UDP: req=66769 res=63438 fwd=83526 alloc=0 cmp=0 retrans=16855 to=3233
cur=111 switched=8823467 num_switched=294 v6_cur=80 v6_switched=7689041 num_v6_switched=6
ftg_res=8 ftg_fwd=8 ftg_retrans=0
DNS TCP: req=0, res=0, fwd=0, retrans=0 alloc=0, to=0
FQDN: alloc=45 nl_write_cnt=9498 nl_send_cnt=21606 nl_cur_cnt=0
Botnet: searched=57 hit=0 filtered=57 false_positive=0
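
The latency lines in this output can be checked programmatically. The following added example (not FortiOS code) parses the output above, taking the sample text from it, and rates each DNS and SDNS server against the retry_interval and query_timeout values the command reports; the 90% near-timeout threshold is an assumption chosen for illustration.

```python
"""Parse 'diagnose test application dnsproxy 2' output and flag slow DNS servers.
Added example, not FortiOS code; SAMPLE is copied from the guide's output."""
import re

SAMPLE = """\
worker idx: 0
worker: count=1 idx=0
retry_interval=500 query_timeout=1495
DNS latency info:
vfid=0 server=2001::1 latency=1494 updated=73311
vfid=0 server=96.45.46.46 latency=1405 updated=2547
vfid=0 server=8.8.8.8 latency=19 updated=91
SDNS latency info:
vfid=0 server=173.243.140.53 latency=1 updated=707681
DNS_CACHE: alloc=35, hit=26
"""

LAT_RE = re.compile(r"vfid=(\d+)\s+server=(\S+)\s+latency=(\d+)\s+updated=(\d+)")
KV_RE = re.compile(r"(\w+)=(\d+)")


def parse_dnsproxy(text: str) -> dict:
    """Return retry_interval, query_timeout and one dict per server line.
    'DNS latency info:' lists the system DNS servers, 'SDNS latency info:' the
    FortiGuard SDNS servers used by DNS filtering."""
    result = {"retry_interval": None, "query_timeout": None, "servers": []}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("retry_interval="):
            kv = dict(KV_RE.findall(line))
            result["retry_interval"] = int(kv["retry_interval"])
            result["query_timeout"] = int(kv["query_timeout"])
        elif line == "DNS latency info:":
            section = "dns"
        elif line == "SDNS latency info:":
            section = "sdns"
        elif section and (m := LAT_RE.match(line)):
            result["servers"].append({"kind": section, "vfid": int(m.group(1)),
                                      "server": m.group(2), "latency": int(m.group(3)),
                                      "updated": int(m.group(4))})
        elif section and not line.startswith("vfid="):
            section = None  # any other line ends the latency section
    return result


def classify(latency: int, retry_interval: int, query_timeout: int) -> str:
    """ok: below the retry interval. slow: queries get retried before an answer arrives.
    near_timeout: within 10% of query_timeout (assumed threshold), effectively unusable."""
    if latency >= 0.9 * query_timeout:
        return "near_timeout"
    if latency >= retry_interval:
        return "slow"
    return "ok"


def report(text: str):
    """(kind, server, latency, verdict) for each server in the output."""
    p = parse_dnsproxy(text)
    return [(s["kind"], s["server"], s["latency"],
             classify(s["latency"], p["retry_interval"], p["query_timeout"]))
            for s in p["servers"]]


if __name__ == "__main__":
    for row in report(SAMPLE):
        print(*row)
```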

To view the latency from web filter and outbreak protection servers using the CLI:

# diagnose debug rating
Locale : english

Service : Web-filter
Status : Enable
License : Contract

Service : Antispam
Status : Disable

Service : Virus Outbreak Prevention
Status : Disable

-=- Server List (Tue Jan 22 08:03:14 2019) -=-

IP               Weight  RTT  Flags  TZ  Packets  Curr Lost  Total Lost  Updated Time
173.243.138.194  10      0    DI     -8  700      0          2           Tue Jan 22 08:02:44 2019
173.243.138.195  10      0           -8  698      0          4           Tue Jan 22 08:02:44 2019
173.243.138.198  10      0           -8  698      0          4           Tue Jan 22 08:02:44 2019
173.243.138.196  10      0           -8  697      0          3           Tue Jan 22 08:02:44 2019
173.243.138.197  10      1           -8  694      0          0           Tue Jan 22 08:02:44 2019
96.45.33.64      10      22   D      -8  701      0          6           Tue Jan 22 08:02:44 2019
64.26.151.36     40      62          -5  704      0          10          Tue Jan 22 08:02:44 2019
64.26.151.35     40      62          -5  703      0          9           Tue Jan 22 08:02:44 2019
209.222.147.43   40      70   D      -5  696      0          1           Tue Jan 22 08:02:44 2019
66.117.56.42     40      70          -5  697      0          3           Tue Jan 22 08:02:44 2019
66.117.56.37     40      71          -5  702      0          9           Tue Jan 22 08:02:44 2019
65.210.95.239    40      74          -5  695      0          1           Tue Jan 22 08:02:44 2019
65.210.95.240    40      74          -5  695      0          1           Tue Jan 22 08:02:44 2019
45.75.200.88     90      142         0   706      0          12          Tue Jan 22 08:02:44 2019
45.75.200.87     90      155         0   714      0          20          Tue Jan 22 08:02:44 2019
45.75.200.85     90      156         0   711      0          17          Tue Jan 22 08:02:44 2019
45.75.200.86     90      159         0   704      0          10          Tue Jan 22 08:02:44 2019
62.209.40.72     100     157         1   701      0          7           Tue Jan 22 08:02:44 2019
62.209.40.74     100     173         1   705      0          11          Tue Jan 22 08:02:44 2019
62.209.40.73     100     173         1   699      0          5           Tue Jan 22 08:02:44 2019
121.111.236.179  180     138         9   706      0          12          Tue Jan 22 08:02:44 2019
121.111.236.180  180     138         9   704      0          10          Tue Jan 22 08:02:44 2019

DNS over TLS and HTTPS

DNS over TLS (DoT) is a security protocol for encrypting and encapsulating DNS queries and responses over the TLS protocol. DoT increases user privacy and security by preventing eavesdropping and manipulation of DNS data via man-in-the-middle attacks. Similarly, DNS over HTTPS (DoH) provides a method of performing DNS resolution over a secure HTTPS connection. DoT and DoH are supported in explicit mode where the FortiGate acts as an explicit DNS server that listens for DoT and DoH requests. Local-out DNS traffic over TLS and HTTPS is also supported.

Basic configurations for enabling DoT and DoH for local-out DNS queries

Before enabling DoT or DoH, ensure that they are supported by the DNS servers. The legacy FortiGuard DNS servers
(208.91.112.53 and 208.91.112.52) do not support DoT or DoH queries, and will drop these packets. At times, the
latency status of the DNS servers might also appear high or unreachable.
Disabling DoT and DoH is recommended when they are not supported by the DNS servers.

To enable DoT and DoH DNS in the GUI:

1. Go to Network > DNS.
2. Enter the primary and secondary DNS server addresses.
3. In the DNS Protocols section, enable TLS (TCP/853) and HTTPS (TCP/443).
4. Configure the other settings as needed.
5. Click Apply.

To enable DoT and DoH DNS in the CLI:

config system dns
set primary 1.1.1.1
set secondary 1.0.0.1
set protocol {cleartext dot doh}
end

To enable DoH on the DNS server in the GUI:

1. Go to Network > DNS Servers.
2. In the DNS Service on Interface section, edit an existing interface, or create a new one.
3. Select a Mode, and DNS Filter profile.
4. Enable DNS over HTTPS.
5. Click OK.

To enable DoH on the DNS server in the CLI:

config system dns-server
edit "port1"
set dnsfilter-profile "dnsfilter"
set doh enable
next
end

Examples

The following examples demonstrate how to configure DNS settings to support DoT and DoH queries made to the
FortiGate.

DoT

The following example uses a DNS filter profile where the education category is blocked.

To enable scanning DoT traffic in explicit mode with a DNS filter:

1. Configure the DNS settings:
config system dns
set primary 1.1.1.1
set secondary 1.0.0.1
set protocol dot
end

2. Configure the DNS filter profile:
config dnsfilter profile
edit "dnsfilter"
config ftgd-dns
config filters
edit 1
set category 30
set action block
next
end
end
next
end

3. Configure the DNS server settings:
config system dns-server
edit "port1"
set dnsfilter-profile "dnsfilter"
next
end

4. Send a DNS query over TLS (this example uses kdig on an Ubuntu client) using the FortiGate as the DNS server.
The www.ubc.ca domain belongs to the education category:
root@client:/tmp# kdig -d @10.1.100.173 +tls +header +all www.ubc.ca
;; DEBUG: Querying for owner(www.ubc.ca.), class(1), type(1), server(10.1.100.173), port(853), protocol(TCP)
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG: #1, C=US,ST=California,L=Sunnyvale,O=Fortinet,OU=FortiGate,CN=FG3H1E5818903681,[email protected]
;; DEBUG: SHA-256 PIN: Xhkpv9ABEhxDLtWG+lGEndNrBR7B1xjRYlGn2ltlkb8=
;; DEBUG: #2, C=US,ST=California,L=Sunnyvale,O=Fortinet,OU=Certificate Authority,CN=fortinet-subca2001,[email protected]
;; DEBUG: SHA-256 PIN: 3T8EqFBjpRSkxQNPFagjUNeEUghXOEYp904ROlJM8yo=
;; DEBUG: #3, C=US,ST=California,L=Sunnyvale,O=Fortinet,OU=Certificate Authority,CN=fortinet-ca2,[email protected]
;; DEBUG: SHA-256 PIN: /QfV4N3k5oxQR5RHtW/rbn/HrHgKpMLN0DEaeXY5yPg=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, skipping certificate verification
;; TLS session (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 56719
;; Flags: qr rd; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; www.ubc.ca. IN A

;; ANSWER SECTION:
www.ubc.ca. 60 IN A 208.91.112.55

;; Received 44 B
;; Time 2021-03-12 23:11:27 PST
;; From 10.1.100.173@853(TCP) in 0.2 ms
root@client:/tmp#

The IP returned by the FortiGate for ubc.ca belongs to the FortiGuard block page, so the query was blocked
successfully.
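
The same check can be scripted. The following is an added example, not FortiOS or kdig code: it builds the A query in RFC 1035 wire format with the 2-byte length prefix that DNS over TCP and TLS use (RFC 7858), parses the A records, and reports whether the answer is the FortiGuard block page address seen above (208.91.112.55). The FortiGate address, CA file and certificate name passed to query_dot are assumptions you supply; unlike the kdig run above, the certificate chain is verified rather than skipped.

```python
"""DoT check for a FortiGate explicit DNS server (TCP/853). Added example, not FortiOS or
kdig code: RFC 1035 wire format, RFC 7858 length-prefixed TLS framing, block-page IP as above."""
import socket
import ssl
import struct

FORTIGUARD_BLOCK_IP = "208.91.112.55"  # A record returned for the blocked domain in the kdig run


def encode_name(name: str) -> bytes:
    """Length-prefixed labels plus zero terminator: www.ubc.ca -> 3www3ubc2ca0."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name: str, txid: int) -> bytes:
    """Standard query, RD set, QTYPE A, QCLASS IN, prefixed with its 16-bit length."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    body = header + encode_name(name) + struct.pack("!HH", 1, 1)
    return struct.pack("!H", len(body)) + body

def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name at off; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: 14-bit offset into the message
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)

def parse_response(msg: bytes, expected_txid: int):
    """Return (rcode, [IPv4 strings]) from an unframed DNS response message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid or not flags & 0x8000:
        raise ValueError("transaction id mismatch or QR bit not set")
    off = 12
    for _ in range(qd):  # skip the echoed question: name + QTYPE + QCLASS
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            answers.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0x000F, answers

def is_blocked(answers) -> bool:
    """True when every A record points at the FortiGuard block page."""
    return bool(answers) and all(ip == FORTIGUARD_BLOCK_IP for ip in answers)

def _recv_exact(sock, n: int) -> bytes:
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        data += chunk
    return data

def query_dot(server: str, name: str, cafile: str, cert_name: str, txid: int = 0x1234):
    """Query server:853 over TLS, verifying the FortiGate's certificate chain against cafile
    and the name it was issued to (cert_name, CN FG3H1E5818903681 in the kdig output above)."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((server, 853), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=cert_name) as tls:
            tls.sendall(build_query(name, txid))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_response(_recv_exact(tls, length), txid)
```

Calling query_dot("10.1.100.173", "www.ubc.ca", "fortinet-ca2.pem", "FG3H1E5818903681") and passing the answers to is_blocked reproduces the kdig check above; the CA file name is a placeholder.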

DoH

The following example uses a DNS filter profile where the education category is blocked.

To configure scanning DoH traffic in explicit mode with a DNS filter:

1. Configure the DNS settings:
config system dns
set primary 1.1.1.1
set secondary 1.0.0.1
set protocol doh
end

2. Configure the DNS filter profile:
config dnsfilter profile
edit "dnsfilter"
config ftgd-dns
config filters
edit 1
set category 30
set action block
next
end
end
next
end

3. Configure the DNS server settings:
config system dns-server
edit "port1"
set dnsfilter-profile "dnsfilter"
set doh enable
next
end

4. In your browser, enable DNS over HTTPS.
5. On your computer, edit the TCP/IP settings to use the FortiGate interface address as the DNS server.
6. In your browser, go to a website in the education category (www.ubc.ca). The website is redirected to the block
page.

Transparent conditional DNS forwarder

The transparent conditional DNS forwarder allows the FortiGate to intercept and reroute DNS queries for specific
domains to a specific DNS server. For example, when a client’s DNS is located in a distant location, in order to resolve
destination addresses (such as SaaS applications) to the closest application server, the FortiGate can intercept and
reroute the requests to a local DNS to resolve.
This is done by parsing entries and creating a list of filters based on the domain names of zones. When a DNS request
matches one of these filters, the DNS proxy will retrieve the zone's data. The DNS request will then be handled based on
the zone's forwarder settings and whether a local answer is available. It may be forwarded to the original destination
address, the forwarder address, or not forwarded at all if a local answer is available.

This provides greater control over DNS requests, especially when the administrator is not managing the DNS server
configuration of the client devices. This can improve network efficiency and performance by resolving IPs local to the
client's PCs rather than IPs local to the central DNS server.
This feature is not supported on FortiGate models with 2 GB RAM or less. See Proxy-related features not supported on
FortiGate 2 GB RAM models on page 101 for more information.

Example

In this example, FortiGates at various locations are connected to a central site by VPN tunnels where the corporate DNS
server is located. Typically, DNS queries from different sites are sent to the central DNS server and resolved to an IP
local to the central site, which might cause latency and performance issues for certain destinations, such as SaaS
applications.

The Local Site FortiGate is configured with the Microsoft domain and a local DNS entry. Traffic matching the Microsoft
domain is either forwarded to the local DNS server or resolved by the FortiGate, which resolves it to an IP local to the
Local Site, thus improving performance.
This example assumes the following have been configured:
l A successfully operational site-to-site VPN between the Local Site and the Central Site FortiGates (see Site-to-site
VPN on page 2064 for more information).
l Appropriate routing and network interfaces.
l The client PCs are configured to use the Central DNS Server.

The transparent conditional DNS forwarder feature only works with a proxy-based firewall policy.

By default, DNS server options are not available in the GUI.

To enable DNS server options in the GUI:

1. Go to System > Feature Visibility.
2. In the Additional Features section, enable DNS Database.
3. Click Apply.

To configure the DNS zone and local DNS entries on the Local Site FortiGate in the GUI:

1. Go to Network > DNS Servers.
2. In the DNS Database table, click Create New.
3. Enter a DNS Zone name (SaaS_applications).
4. Enter a Domain Name (microsoft.com).
5. Disable the Authoritative setting.
6. In the DNS Forwarder field, click the + and enter the DNS Forwarder address (172.16.200.3).
7. Configure the DNS entry:
a. In the DNS Entries table, click Create New.
b. Set the Type to Address (A).
c. Enter a Hostname (office).
d. Configure the remaining settings as needed. The options vary depending on the selected Type.
e. Click OK.
f. Optionally, add more DNS entries if needed.
8. In the CLI, configure the source IP:
config system dns-database
edit "SaaS_applications"
set source-ip 13.13.13.2
next
end

If the DNS server is accessed over a VPN, it may be necessary to specify a source IP for the FortiGate to reach the DNS server. See How to let the FortiGate access internal DNS through site-to-site IPsec VPN for more information. Site-to-site VPN is not a mandatory requirement for this feature to work and is only applicable to this example.

To configure the DNS zone and local DNS entries on the Local Site FortiGate in the CLI:

config system dns-database
edit "SaaS_applications"
set domain "microsoft.com"
set authoritative disable
set forwarder "172.16.200.3"
set source-ip 13.13.13.2
config dns-entry
edit 1
set hostname "office"
set ip 172.16.200.55
next
end
next
end

To add the DNS database to a DNS filter profile:

config dnsfilter profile
edit "SaaS"
set transparent-dns-database "SaaS_applications"
next
end

Multiple DNS databases can be selected for transparent-dns-database.

After selecting a DNS database, users are not permitted to modify the domain name of the zone. Before making any changes to the domain name, remove the reference from the dnsfilter profile.

To apply the DNS filter profile in a firewall policy in the GUI:

1. Go to Policy & Objects > Firewall Policy and edit the outbound policy towards the IPsec VPN tunnel.
2. Set the Inspection Mode to Proxy-based.
3. In the Security Profiles section, enable DNS Filter and select the profile created in the previous procedure (SaaS).
4. In the Logging Options section, enable Log Allowed Traffic.
5. Configure the remaining settings as needed.
6. Click OK.

To apply the DNS filter profile to the outbound policy towards the IPsec VPN tunnel in the CLI:

config firewall policy
edit 1
set name "outbound_VPN"
...
set inspection-mode proxy
set dnsfilter-profile "SaaS"
set logtraffic enable
...
next
end

To verify the configuration:

From one of the Windows client desktops, use the nslookup command to send various DNS queries.
1. Send a DNS query for a DNS entry configured locally on the Local Site FortiGate:
C:\Users\demo>nslookup office.microsoft.com
Server: Unknown
Address: 192.168.16.254
Non-authoritative answer:
Name: osiprod-wus-pineapple-100.westus.cloudapp.azure.com
Address: 172.16.200.55

The query is resolved to the IP address configured on the Local Site FortiGate.
2. Send a DNS query for the domain configured on the Local Site FortiGate:
C:\Users\demo>nslookup teams.microsoft.com
Server: Unknown
Address: 192.168.16.254
Non-authoritative answer:
Name: s-0005.s-msedge.net
Address: 172.16.200.254

The query is resolved by the local DNS server.
3. Send a DNS query for a domain that is not configured on the Local Site FortiGate:
C:\Users\demo>nslookup facebook.com
Server: Unknown
Address: 192.168.16.254
Non-authoritative answer:
Name: facebook.com
Addresses: 157.240.249.35

The query is resolved by the central DNS server.
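
The three outcomes verified above follow from the forwarder logic described at the start of this section: a zone filter built from the dns-database domain, a local answer when a dns-entry matches, otherwise the zone's forwarder, otherwise the client's original destination. The following added example (Python, not FortiOS code) models that decision; the zone, forwarder and entry are the ones configured above, and 192.168.16.254 is the central DNS server the clients point at in the nslookup output.

```python
"""Decision logic of a transparent conditional DNS forwarder, modelled on the
dns-database zones above. Added example in Python, not FortiOS code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Zone:
    """One config system dns-database entry."""
    name: str                                 # edit "<name>"
    domain: str                               # set domain
    forwarder: Optional[str] = None           # set forwarder (None = not set)
    entries: Dict[str, str] = field(default_factory=dict)  # dns-entry hostname -> IPv4


@dataclass
class Decision:
    action: str            # "local", "forward", or "passthrough"
    zone: Optional[str]    # name of the matching zone, if any
    target: str            # answer IP, forwarder IP, or the client's original DNS server


def labels(name: str) -> List[str]:
    return name.lower().rstrip(".").split(".")


def match_zone(qname: str, zones: List[Zone]) -> Optional[Zone]:
    """Longest-suffix match on whole labels: office.microsoft.com matches zone
    microsoft.com; notmicrosoft.com does not."""
    q, best = labels(qname), None
    for z in zones:
        d = labels(z.domain)
        if len(d) <= len(q) and q[-len(d):] == d:
            if best is None or len(d) > len(labels(best.domain)):
                best = z
    return best


def resolve(qname: str, original_server: str, zones: List[Zone]) -> Decision:
    """How the DNS proxy handles one A query:
    no matching zone              -> unchanged, to the client's original destination
    zone + local dns-entry        -> answered by the FortiGate
    zone + forwarder, no entry    -> rerouted to the zone's forwarder
    zone, no forwarder, no entry  -> original destination"""
    zone = match_zone(qname, zones)
    if zone is None:
        return Decision("passthrough", None, original_server)
    q = labels(qname)
    host = ".".join(q[:len(q) - len(labels(zone.domain))])
    if host in zone.entries:
        return Decision("local", zone.name, zone.entries[host])
    if zone.forwarder:
        return Decision("forward", zone.name, zone.forwarder)
    return Decision("passthrough", zone.name, original_server)


# Constructed to mirror the Local Site FortiGate above; 192.168.16.254 is the
# central DNS server the clients use in the nslookup output.
ZONES = [Zone("SaaS_applications", "microsoft.com", forwarder="172.16.200.3",
              entries={"office": "172.16.200.55"})]
CENTRAL_DNS = "192.168.16.254"

if __name__ == "__main__":
    for qname in ("office.microsoft.com", "teams.microsoft.com", "facebook.com"):
        print(qname, resolve(qname, CENTRAL_DNS, ZONES))
```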

IPv6 support for conditional DNS forwarder

The configuration for IPv6 is similar to an IPv4 conditional DNS forwarder. When configuring the DNS forwarder address,
the IPv6 address must be specified.

To configure a DNS forwarder:

config system dns-database
edit <name>
set source-ip6 <IPv6_address>
set forwarder6 <IPv6_address>
next
end

If the DNS server is accessed over a VPN, it may be necessary to specify a source IP for the FortiGate to reach the DNS server. See How to let the FortiGate access internal DNS through site-to-site IPsec VPN for more information.

Interfaces in non-management VDOMs as the source IP address of the DNS conditional forwarding server

Interfaces that are in non-management VDOMs can be the source IP address of the DNS conditional forwarding server.
l When vdom-dns is enabled in a VDOM, only the IP addresses of interfaces in that VDOM can be configured as the source-ip.
l When vdom-dns is disabled (default), only the IP address of interfaces in the management VDOM can be configured as the source-ip.
For more information on VDOM DNS, see Important DNS CLI commands on page 273.
In this example:
l vdom1 is a non-management VDOM
l port8 is assigned to vdom1 and has IP address 13.13.13.13
l port1 is assigned to the management VDOM (root) and has IP address 172.16.200.1

To configure the interfaces:

config global
config system interface
edit "port8"
set vdom "vdom1"
set ip 13.13.13.13 255.255.255.0
next
edit "port1"
set vdom "root"
set ip 172.16.200.1 255.255.255.0
next
end
end

To test configuring a source IP address when vdom-dns is disabled:

config vdom
edit vdom1
config system vdom-dns
set vdom-dns disable
end
next
end

l port8 cannot be used as the source IP address in a DNS database because it is assigned to vdom1, and not to a
management VDOM:
config vdom
edit vdom1
config system dns-database
edit "1"
set source-ip 13.13.13.13
13.13.13.13 does not match any interface ip in vdom root.
node_check_object fail! for source-ip 13.13.13.13

l port1 can be used as the source IP address in a DNS database because it is assigned to the management VDOM:
config vdom
edit vdom1
config system dns-database
edit "1"
set source-ip 172.16.200.1
next
end
