Hi!
Sorry for the late reply.
Thanks for the first suggestion, but it doesn't work.
Yesterday I rebuilt the VPN because I had some problems.
Now the tunnel is up and clean.
Ping, FTP and RDP all work across it,
but it is still impossible to force the web traffic to go through the tunnel.
Below are the configuration files of the Cisco router and the FortiGate.
!This is the running config of the router: 192.168.1.1
!----------------------------------------------------------------------------
!version 12.4
! REVIEW: edge router for 192.168.1.0/24 (Vlan2) and 10.10.10.0/29 (Vlan1), WAN on FastEthernet4.
! The crypto ACL (access-list 100) only selects 192.168.1.0/24 <-> 192.168.10.0/24, which is why
! Internet-bound web traffic never enters the tunnel -- see the notes at "access-list 100" below.
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
! REVIEW: with password-encryption off, any type-7 password would be stored in clear text.
! The only clear-text secret in this config is the ISAKMP pre-shared key further down.
no service password-encryption
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
!
no aaa new-model
!
! Self-signed certificate used by "ip http secure-server" (HTTPS management UI).
! "revocation-check none" is the expected setting for a self-signed trustpoint.
crypto pki trustpoint TP-self-signed-3265758045
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3265758045
revocation-check none
rsakeypair TP-self-signed-3265758045
!
!
! Certificate body: IOS reads the hex block up to "quit"; do not place comment lines inside it.
crypto pki certificate chain TP-self-signed-3265758045
certificate self-signed 01
3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33323635 37353830 3435301E 170D3032 30333031 30323437
31345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 32363537
35383034 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B0C3 5FCF50AA 3E3E443F 7B372025 8B65ACF0 52F76686 59561C9F 1E1EDF81
012EB734 44F6BE8E F10508D5 6C0BD62C 39DF2ED2 5C584A58 8DECC2BA 91952B83
69D721E6 4BEC9BEE 29BE9C1C 7CB6D675 DCDD0DC5 251B225F CC30F23C 2ADF317A
6E540C74 E14ADCBC 06CFE4F8 D99C5FD3 33A95393 6C3037AD 6134AB92 4A54FD89
19770203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D
301F0603 551D2304 18301680 145A7D38 A02D5774 51D38717 0010D90C 6A5F2808
74301D06 03551D0E 04160414 5A7D38A0 2D577451 D3871700 10D90C6A 5F280874
300D0609 2A864886 F70D0101 04050003 8181005D E6CD3555 42E95422 93DC49B2
7DF4C7D7 EC12974E FB1C147F E84E16F5 A6B727F5 D359AFB0 2E4A841C 39AF2BC3
300F5E58 F94BFB67 24294493 7206C632 9810DE2B DD4D7A12 6C9547BD 935C9394
E5B611D3 D4CC931D 22194D13 FCD0FFF0 7C1DACAD 55926EFA 430128A4 5858CBE2
CF456592 A11B9BE4 ACAB5FD3 1503F091 58B145
quit
dot11 syslog
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.1.251 192.168.1.254
!
ip dhcp pool sdm-pool
import all
network 10.10.10.0 255.255.255.248
default-router 10.10.10.1
lease 0 2
!
! DHCP for the 192.168.1.0/24 LAN hands out Google public DNS. Those lookups go to 8.8.8.8,
! which does not match crypto ACL 100, so name resolution always leaves via the WAN, never
! through the tunnel.
ip dhcp pool sdm-pool1
network 192.168.1.0 255.255.255.0
dns-server 8.8.8.8 8.8.4.4
default-router 192.168.1.1
!
!
no ip domain lookup
ip domain name yourdomain.com
!
multilink bundle-name authenticated
!
!
! REVIEW: type-5 (MD5-crypt) hash of the only local account, now disclosed by this post --
! rotate the password. There is no "username cisco" line, so the SDM default account
! mentioned in the login banner is already gone.
username admin privilege 15 secret 5 $1$y9cc$zDS99mPOV8EGAgdU9nnNw.
!
!
! IKEv1 phase 1: 3DES, pre-shared key, DH group 2, hash left at the IOS default.
! Legacy strength; changing to AES / group 14+ has to be mirrored on the FortiGate phase 1.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
! REVIEW: the 0.0.0.0 0.0.0.0 wildcard means ANY Internet host may attempt IKE with this PSK,
! and the key itself is trivially guessable and is now public (rotate it, placeholder or not).
! The wildcard is presumably there because the FortiGate wan1 is PPPoE and its address may
! change; if the peer address is static, bind the key to that address instead.
crypto isakmp key 0123456789 address 0.0.0.0 0.0.0.0
!
!
! Phase 2: ESP-3DES / HMAC-SHA1. The dynamic map below has no "set pfs", so no PFS.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! Dynamic crypto map: this router only responds to IKE; the FortiGate must initiate the tunnel.
! Interesting traffic is whatever matches access-list 100 (LAN <-> 192.168.10.0/24 only).
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA
match address 100
!
!
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
archive
log config
hidekeys
!
!
!
! These inspect class-maps are not referenced by any policy-map or zone-pair in this config,
! so no stateful inspection is actually applied (see "interface FastEthernet4" below).
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
switchport access vlan 2
!
interface FastEthernet2
switchport access vlan 2
!
interface FastEthernet3
switchport access vlan 2
!
! WAN interface. REVIEW: no "ip access-group ... in" here and no zone-pair anywhere, so the
! router's own management services (HTTP, HTTPS, Telnet, SSH) are reachable from the Internet.
interface FastEthernet4
description $FW_OUTSIDE$$ETH-LAN$
ip address 83.206.64.250 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
!
! Vlan1 (10.10.10.0/29) has no "ip nat inside" and is absent from crypto ACL 100, so its hosts
! get neither NAT to the Internet nor the tunnel -- presumably an SDM default left in place.
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
ip address 10.10.10.1 255.255.255.248
ip virtual-reassembly
ip tcp adjust-mss 1452
!
! Main LAN. "ip tcp adjust-mss" is set on Vlan1 but not here; TCP from this subnet that is
! IPsec-encapsulated may need it as well -- TODO confirm with large transfers over the tunnel.
interface Vlan2
description $FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 83.206.64.192 permanent
!
!
! Management web UI. REVIEW: plain HTTP is enabled next to HTTPS, and "access-class 23" refers
! to an ACL that is not defined anywhere in this config; IOS treats a referenced-but-undefined
! ACL as permit-any, so this line restricts nothing (confirm with "show ip access-lists").
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
! PAT for the inside LAN. SDM_RMAP_2 -> access-list 102 keeps tunnel-bound traffic out of NAT.
ip nat inside source route-map SDM_RMAP_2 interface FastEthernet4 overload
!
ip access-list extended SDM_HTTPS
remark SDM_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark SDM_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark SDM_ACL Category=1
permit tcp any any eq 22
!
! Debug-level trap logging but no "logging host" in this config: only the local buffer is kept.
logging trap debugging
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.7
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.1.0 0.0.0.255
! Crypto ACL (interesting traffic). Only LAN <-> remote LAN matches, so web traffic to the
! Internet is NATed out FastEthernet4 by the permit-any in ACL 102 instead of entering the
! tunnel. To push web traffic through the tunnel you need a matching line here (for example
! "permit tcp 192.168.1.0 0.0.0.255 any eq www" and "... eq 443"), the mirror-image "deny" in
! ACL 102 so that traffic is not NATed first, and on the FortiGate a phase-2 selector that
! accepts it plus a tunnel->wan1 policy with NAT (the FortiGate phase1/phase2 config is not
! part of this paste, so that side cannot be checked here).
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 remark SDM_ACL Category=2
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 10.10.10.0 0.0.0.7 any
! NAT exemption: "deny" = do not NAT (tunnel traffic), "permit" = NAT everything else.
! Every new crypto-ACL entry needs a matching "deny" here, above the permit-any.
access-list 102 remark SDM_ACL Category=2
access-list 102 remark IPSec Rule
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
!
!
!
! SDM_RMAP_1 (and access-list 101 through it) is not referenced anywhere else in this config.
route-map SDM_RMAP_1 permit 1
match ip address 101
!
route-map SDM_RMAP_2 permit 1
match ip address 102
!
!
control-plane
!
! Stock SDM banner: it advertises the cisco/cisco default account (already removed above)
! and can be dropped. Everything up to the closing ^C is banner text, so no comments inside.
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username " cisco"
with the password " cisco" . The default username and password have a privilege level of 15.
Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want to use.
For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!
line con 0
login local
no modem enable
! REVIEW: aux line left at defaults; add "no exec" / "transport input none" if it is unused.
line aux 0
! REVIEW: clear-text Telnet is still accepted and there is no "access-class", so remote logins
! are accepted from any source, including the WAN. Prefer "transport input ssh" plus an
! access-class limited to the LAN / management hosts. "privilege level 15" lands every login
! straight in enable mode.
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
#config-version=FGT80C-4.00-FW-build196-100319:opmode=0:vdom=0:user=admin
#conf_file_ver=0
#buildno=0196
# REVIEW: FortiOS 4.0 build 196 (build string dated 2010-03-19); check this release is still
# supported before relying on it as an Internet-facing VPN endpoint.
config system global
set access-banner disable
set admin-https-pki-required disable
# Lockout after 3 failed admin logins for 60 s -- good, keep.
set admin-lockout-duration 60
set admin-lockout-threshold 3
# REVIEW: enables the FortiOS "maintainer" console login (password recovery with physical
# access); disable it if physical access to the unit is not controlled.
set admin-maintainer enable
# REVIEW: plain-HTTP admin on 80 and Telnet admin on 23 are only reachable on interfaces whose
# "allowaccess" lists http / telnet (the "internal" interface does, see config system interface).
set admin-port 80
set admin-scp disable
set admin-server-cert " self-sign"
set admin-sport 443
set admin-ssh-port 22
set admin-ssh-v1 disable
set admin-telnet-port 23
# 8-hour idle timeout for admin sessions.
set admintimeout 480
set anti-replay strict
set auth-cert " self-sign"
set auth-http-port 1000
set auth-https-port 1003
set auth-keepalive disable
set auth-policy-exact-match enable
set av-failopen pass
set av-failopen-session disable
set batch-cmdb enable
set cfg-save automatic
set check-protocol-header loose
set check-reset-range disable
set clt-cert-req disable
set daily-restart disable
set detection-summary enable
set dst disable
set endpoint-control-portal-port 8009
set failtime 5
set fds-statistics enable
set fsae-burst-size 300
set fsae-rate-limit 100
set gui-ipv6 disable
set gui-lines-per-page 50
set hostname " FGT80C3909639524"
set http-obfuscate modified
set ie6workaround disable
set internal-switch-mode switch
set interval 5
set ip-src-port-range 1024-25000
set language english
set ldapconntimeout 500
set log-user-in-upper disable
set loglocaldeny disable
set management-vdom " root"
set phase1-rekey enable
set radius-port 1812
set refresh 0
set registration-notification enable
set remoteauthtimeout 5
set reset-sessionless-tcp disable
set send-pmtu-icmp enable
set service-expire-notification enable
set sslvpn-sport 10443
# REVIEW: strong-crypto off lets the admin HTTPS/SSH services negotiate weak ciphers;
# set it to enable (and re-test the admin GUI / any SSL VPN clients afterwards).
set strong-crypto disable
set tcp-halfclose-timer 120
set tcp-halfopen-timer 60
set tcp-option enable
set tcp-timewait-timer 120
set timezone 04
set tos-based-priority high
set udp-idle-timer 180
set user-server-cert " self-sign"
set vdom-admin disable
set vip-arp-range restricted
set wireless-controller enable
set wireless-controller-port 5246
set fds-statistics-period 60
end
# Access profile with read-write on every group -- effectively another super-admin profile.
# It is not assigned to any admin in this paste ("admin" uses super_admin); remove it if unused.
config system accprofile
edit " prof_admin"
set admingrp read-write
set authgrp read-write
set endpoint-control-grp read-write
set fwgrp read-write
set loggrp read-write
unset menu-file
set mntgrp read-write
set netgrp read-write
set routegrp read-write
set sysgrp read-write
set updategrp read-write
set utmgrp read-write
set vpngrp read-write
next
end
config system interface
# Internet uplink (PPPoE). REVIEW: "https" in allowaccess exposes the admin GUI on the
# Internet-facing interface; the admin account below has no trusthost, so any source can try
# to log in (lockout-threshold 3 limits brute force but not exposure). Drop https here and
# manage over the tunnel or from "internal".
edit " wan1"
set vdom " root"
set mode pppoe
set allowaccess ping https
set type physical
# REVIEW: PPPoE credentials. "ENC" is reversible encryption (the box must present the
# clear-text password to the ISP), not a hash -- treat both as disclosed by this post and
# have the ISP change them.
set username " fti/6rkwhwe"
set password ENC h6Y1JIXp4ej8UgEckpi6s/jsIRjogWvl2OEWrprHY9VZEFsndmsWVxzuZDCQzkPFhLXDQiRc2jH1++UJPsGjQlV8kmw1FcoyP8zEpQx2JtJX2Nt2
set defaultgw enable
next
edit " wan2"
set vdom " root"
set allowaccess ping
set type physical
next
edit " modem"
set vdom " root"
next
edit " ssl.root"
set vdom " root"
set type tunnel
next
# LAN side, 192.168.10.0/24 -- matches the remote network in the Cisco crypto ACL 100.
# REVIEW: http and telnet admin access are clear-text; keep https + ssh only.
edit " internal"
set vdom " root"
set ip 192.168.10.1 255.255.255.0
set allowaccess ping https ssh http telnet
set dns-query recursive
set type physical
next
edit " dmz"
set vdom " root"
next
# Route-based IPsec interface to the Cisco router, bound to wan1. Its phase1/phase2
# (selectors, proposal) and the firewall policies that use it are not in this paste --
# those are what decide whether Internet-bound web traffic from the Cisco LAN is accepted.
edit " To_cisco"
set vdom " root"
set type tunnel
set interface " wan1"
next
end
# Single super_admin account. REVIEW: no "set trusthost" lines, so logins are accepted from
# any source address on every interface whose allowaccess permits management (including
# wan1/https). Restrict with trusthost1..3 to the LAN / VPN ranges. Dashboard entries are
# layout only.
config system admin
edit " admin"
set accprofile " super_admin"
set vdom " root"
config dashboard
edit " sysinfo"
set column 1
next
edit " licinfo"
set column 1
next
edit " jsconsole"
set column 1
next
edit " sysres"
set column 1
next
edit " sysop"
set column 2
next
edit " alert"
set column 2
next
edit " statistics"
set column 2
next
end
next
end
# HA section. There is no "set mode" line here, so the unit is presumably standalone (default);
# these settings only take effect if HA is ever enabled.
# REVIEW if HA is enabled: the heartbeat runs on "dmz" and on the Internet-facing "wan1" with
# encryption and authentication both disabled, and the group password (ENC, reversible) is now
# public. Remove wan1 from hbdev, enable encryption + authentication, and change the password.
config system ha
set group-id 0
set group-name " FGT-HA"
set password ENC IfF7fYOmvnTMc1CeaJgLkdGEldtsrsQto8UpoA+5gl6ytAX1onE1rDdWGx4Tt/czLrMJ9EhHFiQxzupHU93+69gOH33fW/yK1U5H4L4xFdWauzfo
set hbdev " dmz" 50 " wan1" 50
set route-ttl 10
set route-wait 0
set route-hold 10
set sync-config enable
set encryption disable
set authentication disable
set hb-interval 2
set hb-lost-threshold 6
set helo-holddown 20
set arps 5
set arps-interval 8
set session-pickup disable
set link-failed-signal disable
set uninterruptable-upgrade enable
set override disable
set priority 128
set pingserver-failover-threshold 0
set pingserver-flip-timeout 60
end
# FortiGate resolves via FortiGuard DNS; the Cisco LAN is handed 8.8.8.8/8.8.4.4 by DHCP instead,
# so the two sites use different resolvers -- harmless, but worth knowing when comparing results.
config system dns
set primary 208.91.112.53
set secondary 208.91.112.52
set domain ' '
set ip6-primary ::
set ip6-secondary ::
set dns-cache-limit 5000
set dns-cache-ttl 1800
set cache-notfound-responses disable
end
config system replacemsg mail " email-block"
set buffer " Potentially Dangerous Attachment Removed. The file \" %%FILE%%\" has been blocked. File quarantined as: \" %%QUARFILENAME%%\" ."
set header 8bit
set format text
end
config system replacemsg mail " email-virus"
set buffer " Dangerous Attachment has been Removed. The file \" %%FILE%%\" has been removed because of a virus. It was infected with the \" %%VIRUS%%\" virus. File quarantined as: \" %%QUARFILENAME%%\" ."
set header 8bit
set format text
end
config system replacemsg mail " email-dlp"
set buffer " This email has been blocked. The email message appeared to contain a data leak."
set header 8bit
set format text
end
config system replacemsg mail " email-dlp-subject"
set buffer " Data leak detected!"
set header 8bit
set format text
end
config system replacemsg mail " email-dlp-ban"
set buffer " This email has been blocked because a data leak was detected. Please contact your admin to be re-enabled."
set header 8bit
set format text
end
config system replacemsg mail " email-dlp-ban-sender"
set buffer " This email has been blocked because the sender has sent a data leak. Please contact your admin to be re-enabled."
set header 8bit
set format text
end
config system replacemsg mail " email-filesize"
set buffer " This email has been blocked. The email message is larger than the configured file size limit."
set header 8bit
set format text
end
config system replacemsg mail " partial"
set buffer " Fragmented emails are blocked."
set header 8bit
set format text
end
config system replacemsg mail " smtp-block"
set buffer " The file %%FILE%% has been blocked. File quarantined as: %%QUARFILENAME%%"
set header none
set format text
end
config system replacemsg mail " smtp-virus"
set buffer " The file %%FILE%% has been infected with the virus %%VIRUS%% File quarantined as %%QUARFILENAME%%"
set header none
set format text
end
config system replacemsg mail " smtp-filesize"
set buffer " This message is larger than the configured limit and has been blocked."
set header none
set format text
end
config system replacemsg http " bannedword"
set buffer " <HTML><BODY>The page you requested has been blocked because it contains a banned word. URL = http://%%URL%%</BODY></HTML>"
set header http
set format html
end
config system replacemsg http " url-block"
set buffer " <HTML><BODY>The URL you requested has been blocked. URL = %%URL%%</BODY></HTML>"
set header http
set format html
end
config system replacemsg http " infcache-block"
set buffer " <HTML><BODY><H2>High security alert!!!</h2><p>The URL you requested was previously found to be infected.</p><p>URL = http://%%URL%%</p></BODY></HTML>"
set header http
set format html
end
config system replacemsg http " http-block"
set buffer " <HTML> <BODY> <h2>High security alert!!!</h2> <p>You are not permitted to download the file \" %%FILE%%\" .</p> <p>URL = http://%%URL%%</p> </BODY> </HTML>"
set header http
set format html
end
config system replacemsg http " http-virus"
set buffer " <HTML><BODY><h2>High security alert!!!</h2><p>You are not permitted to download the file \" %%FILE%%\" because it is infected with the virus \" %%VIRUS%%\" . </p><p>URL = http://%%URL%%</p><p>File quarantined as: %%QUARFILENAME%%.</p></BODY></HTML>"
set header http
set format html
end
config system replacemsg http " http-filesize"
set buffer " <HTML><BODY> <h2>Attention!!!</h2><p>The file \" %%FILE%%\" has been blocked. The file is larger than the configured file size limit.</p> <p>URL = http://%%URL%%</p> </BODY></HTML>"
set header http
set format html
end
config system replacemsg http " http-dlp"
set buffer " <HTML><BODY> <h2>Attention!!!</h2><p>The transfer attempted appeared to contain a data leak!</p><p>URL = http://%%URL%%</p> </BODY></HTML>"
set header http
set format html
end
config system replacemsg http " http-dlp-ban"
set buffer " <HTML><BODY> <h2>Attention!!!</h2><p>Your user authentication or IP address has been banned due to a detected data leak. You need an admin to re-enable your computer</p><p>URL = http://%%URL%%</p> </BODY></HTML>"
set header http
set format html
end
config system replacemsg http " http-contenttypeblock"
set buffer " <HTML><BODY> <h2>Attention!!!</h2><p>Content-type not permitted.</BODY></HTML>"
set header http
set format html
end
config system replacemsg http " http-client-block"
set buffer " <HTML> <BODY> <h2>High security alert!!!</h2> <p>You are not permitted to upload the file \" %%FILE%%\" .</p> <p>URL = http://%%URL%%</p> </BODY> </HTML>"
set header http
set format html
end
config system replacemsg http " http-client-virus"
set buffer " <HTML><BODY><h2>High security alert!!!</h2><p>You are not permitted to upload the file \" %%FILE%%\" because it is infected with the virus \" %%VIRUS%%\" . </p><p>URL = http://%%URL%%</p><p>File quarantined as: %%QUARFILENAME%%.</p></BODY></HTML>"
set header http
set format html
end
config system replacemsg http " http-client-filesize"
set buffer " <HTML><BODY> <h2>Attention!!!</h2><p>Your request has been blocked. The request is larger than the configured file size limit.</p> <p>URL = http://%%URL%%</p> </BODY></HTML>"
set header http
set format html
end
config system replacemsg http " http-client-bannedword"
set buffer " <HTML><BODY>The page you uploaded has been blocked because it contains a banned word. URL = http://%%URL%%</BODY></HTML>"
set header http
set format html
end
config system replacemsg http " http-post-block"
set buffer " <HTML><BODY>HTTP POST action is not allowed for policy reasons.</BODY></HTML>"
set header http
set format html
end
config system replacemsg ftp " ftp-dl-infected"
set buffer " Transfer failed. The file %%FILE%% is infected with the virus %%VIRUS%%. File quarantined as %%QUARFILENAME%%."
set header none
set format text
end
config system replacemsg ftp " ftp-dl-blocked"
set buffer " Transfer failed. You are not permitted to transfer the file \" %%FILE%%\" ."
set header none
set format text
end
config system replacemsg ftp " ftp-dl-filesize"
set buffer " File size limit exceeded."
set header none
set format text
end
config system replacemsg ftp " ftp-dl-dlp"
set buffer " Transfer failed. Data leak detected \" %%FILE%%\" ."
set header none
set format text
end
config system replacemsg ftp " ftp-dl-dlp-ban"
set buffer " Transfer failed. You are banned from transmitting due to a detected data leak. Contact your admin to be re-enabled."
set header none
set format text
end
config system replacemsg nntp " nntp-dl-infected"
set buffer " Dangerous Attachment has been Removed. The file \" %%FILE%%\" has been removed because of a virus. It was infected with the \" %%VIRUS%%\" virus. File quarantined as: \" %%QUARFILENAME%%\" ."
set header none
set format text
end
config system replacemsg nntp " nntp-dl-blocked"
set buffer " The file %%FILE%% has been blocked. File quarantined as: %%QUARFILENAME%%"
set header none
set format text
end
config system replacemsg nntp " nntp-dl-filesize"
set buffer " This article has been blocked. The article is larger than the configured file size limit."
set header none
set format text
end
config system replacemsg nntp " nntp-dlp"
set buffer " This article has been blocked. It appears to contain a data leak."
set header none
set format text
end
config system replacemsg nntp " nntp-dlp-subject"
set buffer " Data leak detected!"
set header none
set format text
end
config system replacemsg nntp " nntp-dlp-ban"
set buffer " this article has been blocked. The user is banned for sending a data leak. Please contact your admin to be re-enabled."
set header none
set format text
end
config system replacemsg fortiguard-wf " ftgd-block"
set buffer " <html><head><title>Web Filter Violation</title></head><body><font size=2><table width=\" 100%\" ><tr><td>%%FORTIGUARD_WF%%</td><td align=\" right\" >%%FORTINET%%</td></tr><tr><td bgcolor=#ff6600 align=\" center\" colspan=2><font color=#ffffff><b>Web Page Blocked</b></font></td></tr></table><br><br>You have tried to access a web page which is in violation of your internet usage policy.<br><br>URL: %%URL%%<br>Category: %%CATEGORY%%<br><br>To have the rating of this web page re-evaluated <u><a href=\" %%FTGD_RE_EVAL%%\" >please click here</a></u>.<br>%%OVERRIDE%%<br><hr><br>Powered by %%SERVICE%%.</font></body></html>"
set header http
set format html
end
config system replacemsg fortiguard-wf " http-err"
set buffer " <html><head><title>%%HTTP_ERR_CODE%% %%HTTP_ERR_DESC%%</title></head><body><font size=2><table width=\" 100%\" ><tr><td>%%FORTIGUARD_WF%%</td><td align=\" right\" >%%FORTINET%%</td></tr><tr><td bgcolor=#3300cc align=\" center\" colspan=2><font color=#ffffff><b>%%HTTP_ERR_CODE%% %%HTTP_ERR_DESC%%</b></font></td></tr></table><br><br>The webserver for %%URL%% reported that an error occurred while trying to access the website. Please click <u><a onclick=\" history.back()\" >here</a></u> to return to the previous page.<br><br><hr><br>Powered by %%SERVICE%%.</font></body></html>"
set header http
set format html
end
config system replacemsg fortiguard-wf " ftgd-ovrd"
set buffer " <html><head><title>Web Filter Block Override</title></head><body><font size=2><table width=\" 100%\" ><tr><td>%%FORTIGUARD_WF%%</td><td align=\" right\" >%%FORTINET%%</td></tr><tr><td bgcolor=#3300cc align=\" center\" colspan=2><font color=#ffffff><b>Web Filter Block Override</b></font></td></tr><tr><td colspan=2><br><br>If you have been granted override creation privileges by your administrator, you can enter your username and password here to gain immediate access to the blocked web-page. If you do not have these privileges, please contact your administrator to gain access to the web-page.<br><br></td></tr><tr><td align=\" center\" colspan=2>%%OVRD_FORM%%</td></tr></table><br><br><hr><br>Powered by %%SERVICE%%.</font></body></html>"
set header http
set format html
end
config system replacemsg spam " ipblocklist"
set buffer " Mail from this IP address is not allowed and has been blocked."
set header none
set format text
end
config system replacemsg spam " smtp-spam-dnsbl"
set buffer " This message has been blocked because it is from a DNSBL/ORDBL IP address."
set header none
set format text
end
config system replacemsg spam " smtp-spam-feip"
set buffer " This message has been blocked because it is from a FortiGuard - AntiSpam black IP address."
set header none
set format text
end
config system replacemsg spam " smtp-spam-helo"
set buffer " This message has been blocked because the HELO/EHLO domain is invalid."
set header none
set format text
end
config system replacemsg spam " smtp-spam-emailblack"
set buffer " Mail from this email address is not allowed and has been blocked."
set header none
set format text
end
config system replacemsg spam " smtp-spam-mimeheader"
set buffer " This message has been blocked because it contains an invalid header."
set header none
set format text
end
config system replacemsg spam " reversedns"
set buffer " This message has been blocked because the return email domain is invalid."
set header none
set format text
end
config system replacemsg spam " smtp-spam-bannedword"
set buffer " This message has been blocked because it contains a banned word."
set header none
set format text
end
config system replacemsg spam " smtp-spam-ase"
set buffer " This message has been blocked because ASE reports it as spam. "
set header none
set format text
end
config system replacemsg spam " submit"
set buffer " If this email is not spam, click here to submit the signatures to FortiGuard - AntiSpam Service."
set header none
set format text
end
config system replacemsg im " im-file-xfer-block"
set buffer " Transfer failed. You are not permitted to transfer the file \" %%FILE%%\" ."
set header none
set format text
end
config system replacemsg im " im-file-xfer-name"
set buffer " Transfer %%ACTION%%. The file name \" %%FILE%%\" matches the configured file name block list."
set header none
set format text
end
config system replacemsg im " im-file-xfer-infected"
set buffer " Transfer %%ACTION%%. The file \" %%FILE%%\" is infected with the virus %%VIRUS%%. File quarantined as %%QUARFILENAME%%."
set header none
set format text
end
config system replacemsg im " im-file-xfer-size"
set buffer " Transfer %%ACTION%%. The file \" %%FILE%%\" is larger than the configured limit."
set header none
set format text
end
config system replacemsg im " im-dlp"
set buffer " Transfer %%ACTION%%. The file \" %%FILE%%\" contains a data leak."
set header none
set format text
end
config system replacemsg im " im-dlp-ban"
set buffer " Transfer %%ACTION%%. The user is banned because of a detected data leak."
set header none
set format text
end
config system replacemsg im " im-voice-chat-block"
set buffer " Connection failed. You are not permitted to use voice chat."
set header none
set format text
end
config system replacemsg im " im-photo-share-block"
set buffer " Photo sharing failed. You are not permitted to share photo."
set header none
set format text
end
config system replacemsg im " im-long-chat-block"
set buffer " Message blocked. The message is longer than the configured limit."
set header none
set format text
end
config system replacemsg alertmail " alertmail-virus"
set buffer " Virus/Worm detected: %%VIRUS%% Protocol: %%PROTOCOL%% Source IP: %%SOURCE_IP%% Destination IP: %%DEST_IP%% Email Address From: %%EMAIL_FROM%% Email Address To: %%EMAIL_TO%% "
set header none
set format text
end
config system replacemsg alertmail " alertmail-block"
set buffer " File Block Detected: %%FILE%% Protocol: %%PROTOCOL%% Source IP: %%SOURCE_IP%% Destination IP: %%DEST_IP%% Email Address From: %%EMAIL_FROM%% Email Address To: %%EMAIL_TO%% "
set header none
set format text
end
config system replacemsg alertmail " alertmail-nids-event"
set buffer " The following intrusion was observed: %%NIDS_EVENT%%."
set header none
set format text
end
config system replacemsg alertmail " alertmail-crit-event"
set buffer " The following critical firewall event was detected: %%CRITICAL_EVENT%%."
set header none
set format text
end
config system replacemsg alertmail " alertmail-disk-full"
set buffer " The log disk is Full."
set header none
set format text
end
config system replacemsg admin " admin-disclaimer-text"
set buffer " W A R N I N G W A R N I N G W A R N I N G W A R N I N G
This is a private computer system. Unauthorized access or use
is prohibited and subject to prosecution and/or disciplinary
action. All use of this system constitutes consent to
monitoring at all times and users are not entitled to any
expectation of privacy. If monitoring reveals possible evidence
of violation of criminal statutes, this evidence and any other
related information, including identification information about
the user, may be provided to law enforcement officials.
If monitoring reveals violations of security regulations or
unauthorized use, employees who violate security regulations or
make unauthorized use of this system are subject to appropriate
disciplinary action.
W A R N I N G W A R N I N G W A R N I N G W A R N I N G
"
set header none
set format text
end
config system replacemsg auth " auth-disclaimer-page-1"
set buffer " <HTML><HEAD><TITLE>Firewall Disclaimer</TITLE></HEAD><BODY><FORM ACTION=\" /\" method=\" POST\" ><INPUT TYPE=\" hidden\" NAME=\" %%MAGICID%%\" VALUE=\" %%MAGICVAL%%\" ><INPUT TYPE=\" hidden\" NAME=\" %%ANSWERID%%\" VALUE=\" %%DECLINEVAL%%\" ><INPUT TYPE=\" hidden\" NAME=\" %%REDIRID%%\" VALUE=\" %%PROTURI%%\" ><TABLE ALIGN=\" CENTER\" width=400 height=250 cellpadding=2 cellspacing=0 border=0 bgcolor=\" #008080\" ><TR><TD><TABLE border=0 width=\" 100%\" height=\" 100%\" cellpadding=0 cellspacing=0 bgcolor=\" #9dc8c6\" ><TR height=30 bgcolor=\" #008080\" ><TD><b><font size=2 face=\" Verdana\" color=\" #ffffff\" >Disclaimer Agreement</font></b></TD><TR><TR height=\" 100%\" ><TD><TABLE border=0 cellpadding=5 cellspacing=0 width=\" 320\" align=center><TR><TD colspan=2><font size=2 face=\" Times New Roman\" >You are about to access Internet content that is not under the control of the network access provider. The network access provider is therefore not responsible for any of these sites, their content or their privacy policies. The network access provider and its staff do not endorse nor make any representations about these sites, or any information, software or other products or materials found there, or any results that may be obtained from using them. 
If you decide to access any Internet content, you do this entirely at your own risk and you are responsible for ensuring that any accessed material does not infringe the laws governing, but not exhaustively covering, copyright, trademarks, pornography, or any other material which is slanderous, defamatory or might cause offence in any other way.</font></TD></TR><TR><TD>Do you agree to the above terms?</TD></TR><TR><TD><INPUT CLASS=\" button\" TYPE=\" button\" VALUE=\" Yes, I agree\" ONCLICK=\" agree()\" ><INPUT CLASS=\" button\" TYPE=\" button\" VALUE=\" No, I decline\" ONCLICK=\" decline()\" ></TD></TR></TABLE></TD></TR></TABLE></TD></TR></TABLE></FORM><SCRIPT LANGUAGE=\" JavaScript\" >function agree(){document.forms[0].%%ANSWERID%%.value=\" %%AGREEVAL%%\" ;document.forms[0].submit();}function decline(){document.forms[0].submit();}</SCRIPT></BODY></HTML>"
set header http
set format html
end
config system replacemsg auth " auth-disclaimer-page-2"
set buffer ' '
set header http
set format html
end
config system replacemsg auth " auth-disclaimer-page-3"
set buffer ' '
set header http
set format html
end
config system replacemsg auth " auth-reject-page"
set buffer " <HTML><HEAD><TITLE>Firewall Disclaimer Declined</TITLE></HEAD><BODY><FORM ACTION=\" /\" method=\" POST\" ><INPUT TYPE=\" hidden\" NAME=\" %%MAGICID%%\" VALUE=\" %%MAGICVAL%%\" ><INPUT TYPE=\" hidden\" NAME=\" %%REDIRID%%\" VALUE=\" %%PROTURI%%\" ><TABLE ALIGN=\" CENTER\" width=400 height=250 cellpadding=2 cellspacing=0 border=0 bgcolor=\" #008080\" ><TR><TD><TABLE border=0 width=\" 100%\" height=\" 100%\" cellpadding=0 cellspacing=0 bgcolor=\" #9dc8c6\" ><TR height=30 bgcolor=\" #008080\" ><TD><b><font size=2 face=\" Verdana\" color=\" #ffffff\" >Disclaimer Declined</font></b></TD><TR><TR height=\" 100%\" ><TD><TABLE border=0 cellpadding=5 cellspacing=0 width=\" 320\" align=center><TR><TD colspan=2><font size=2 face=\" Times New Roman\" >Sorry, network access cannot be granted unless you agree to the disclaimer.</font></TD><TR><TR><TD></TD><TD><INPUT TYPE=\" submit\" VALUE=\" Return to Disclaimer\" ></TD></TR></TABLE></TD></TR></TABLE></TD></TR></TABLE></FORM></BODY></HTML>"
set header http
set format html
end
config system replacemsg auth " auth-login-page"
set buffer " <HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD><BODY><FORM ACTION=\" /\" method=\" POST\" ><INPUT TYPE=\" hidden\" NAME=\" %%MAGICID%%\" VALUE=\" %%MAGICVAL%%\" ><TABLE ALIGN=\" CENTER\" width=400 height=250 cellpadding=2 cellspacing=0 border=0 bgcolor=\" #008080\" ><TR><TD><TABLE border=0 cellpadding=0 cellspacing=0 bgcolor=\" #9dc8c6\" ><TR height=30 bgcolor=\" #008080\" ><TD><b><font size=2 face=\" Verdana\" color=\" #ffffff\" >Authentication Required</font></b></TD></TR><TR><TD><TABLE border=0 cellpadding=5 cellspacing=0 width=\" 320\" align=center><TR><TD colspan=2><font size=2 face=\" Times New Roman\" >%%QUESTION%%</font></TD></TR><TR><TD><font size=2 face=\" Times New Roman\" >Username:</font></TD><TD><INPUT TYPE=\" text\" NAME=\" %%USERNAMEID%%\" size=25></TD></TR><TR><TD><font size=2 face=\" Times New Roman\" >Password:</font></TD><TD><INPUT TYPE=\" password\" NAME=\" %%PASSWORDID%%\" size=25></TD></TR><TR><TD><INPUT TYPE=\" hidden\" NAME=\" %%REDIRID%%\" VALUE=\" %%PROTURI%%\" ><INPUT TYPE=\" submit\" VALUE=\" Continue\" ></TD></TR></TABLE></TD></TR></TABLE></TD></TR></TABLE></FORM></BODY></HTML>"
set header http
set format html
end
config system replacemsg auth " auth-login-failed-page"
set buffer " <HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD><BODY><FORM ACTION=\" /\" method=\" POST\" ><INPUT TYPE=\" hidden\" NAME=\" %%MAGICID%%\" VALUE=\" %%MAGICVAL%%\" ><TABLE ALIGN=\" CENTER\" width=400 height=250 cellpadding=2 cellspacing=0 border=0 bgcolor=\" #008080\" ><TR><TD><TABLE border=0 cellpadding=0 cellspacing=0 bgcolor=\" #9dc8c6\" ><TR height=30 bgcolor=\" #008080\" ><TD><b><font size=2 face=\" Verdana\" color=\" #ffffff\" >Authentication Failed</font></b></TD></TR><TR><TD><TABLE border=0 cellpadding=5 cellspacing=0 width=\" 320\" align=center><TR><TD colspan=2><font size=2 face=\" Times New Roman\" >%%FAILED_MESSAGE%%</font></TD></TR><TR><TD><font size=2 face=\" Times New Roman\" >Username:</font></TD><TD><INPUT TYPE=\" text\" NAME=\" %%USERNAMEID%%\" size=25></TD></TR><TR><TD><font size=2 face=\" Times New Roman\" >Password:</font></TD><TD><INPUT TYPE=\" password\" NAME=\" %%PASSWORDID%%\" size=25></TD></TR><TR><TD><INPUT TYPE=\" hidden\" NAME=\" %%REDIRID%%\" VALUE=\" %%PROTURI%%\" ><INPUT TYPE=\" submit\" VALUE=\" Continue\" ></TD></TR></TABLE></TD></TR></TABLE></TD></TR></TABLE></FORM></BODY></HTML>"
set header http
set format html
end
config system replacemsg auth " auth-challenge-page"
set buffer " <HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD><BODY><FORM ACTION=\" /\" method=\" POST\" ><INPUT TYPE=\" hidden\" NAME=\" %%MAGICID%%\" VALUE=\" %%MAGICVAL%%\" ><TABLE ALIGN=\" CENTER\" width=400 height=250 cellpadding=2 cellspacing=0 border=0 bgcolor=\" #008080\" ><TR><TD><TABLE border=0 cellpadding=0 cellspacing=0 bgcolor=\" #9dc8c6\" ><TR height=30 bgcolor=\" #008080\" ><TD><b><font size=2 face=\" Verdana\" color=\" #ffffff\" >Authentication Required</font></b></TD></TR><TR><TD><TABLE border=0 cellpadding=5 cellspacing=0 width=\" 320\" align=center><TR><TD colspan=2><font size=2 face=\" Times New Roman\" >%%QUESTION%%</font></TD></TR><TR><TD><font size=2 face=\" Times New Roman\" >Answer:</font></TD><TD><INPUT TYPE=\" password\" NAME=\" %%PASSWORDID%%\" size=25></TD></TR><TR><TD><INPUT TYPE=\" hidden\" NAME=\" %%USERNAMEID%%\" VALUE=\" %%USERNAMEVAL%%\" ><INPUT TYPE=\" hidden\" NAME=\" %%REQUESTID%%\" VALUE=\" %%REQUESTVAL%%\" ><INPUT TYPE=\" hidden\" NAME=\" %%REDIRID%%\" VALUE=\" %%PROTURI%%\" ><INPUT TYPE=\" hidden\" NAME=\" %%USERGROUPID%%\" VALUE=\" %%USERGROUPVAL%%\" ><INPUT TYPE=\" submit\" VALUE=\" Continue\" ></TD></TR></TABLE></TD></TR></TABLE></TD></TR></TABLE></FORM></BODY></HTML>"
set header http
set format html
end
config system replacemsg auth " auth-keepalive-page"
set buffer " <HTML>
<HEAD>
<TITLE>Firewall Authentication Keepalive Window</TITLE>
</HEAD>
<BODY>
<SCRIPT LANGUAGE=\" JavaScript\" >
var countDownTime=%%TIMEOUT%% + 1;
function countDown(){
countDownTime--;
if (countDownTime <= 0){
location.href=\" %%KEEPALIVEURL%%\" ;
return;
}
document.getElementById(\' countdown\' ).innerHTML = countDownTime;
counter=setTimeout(\" countDown()\" , 1000);
}
function startit(){
countDown();
}
window.onload=startit
</SCRIPT>
<table width=\" 100%\" height=\" 100%\" ><tr><td align=\" center\" >
<H3>This browser window is used to keep your authentication session active.</H3>
<H3>Please leave it open in the background and open a <a href=\" %%AUTH_REDIR_URL%%\" target=\" _blank\" >new window</a> to continue.</H3>
<p>Authentication Refresh in <b id=countdown>%%TIMEOUT%%</b> seconds</p>
<p><a href=\" %%AUTH_LOGOUT%%\" >logout</a></p>
</td></tr></table>
</BODY>
</HTML>
"
set header http
set format html
end
config system replacemsg sslvpn " sslvpn-login"
set buffer " <html><head><title>login</title><meta http-equiv=\" Pragma\" content=\" no-cache\" ><meta http-equiv=\" cache-control\" content=\" no-cache\" ><meta http-equiv=\" cache-control\" content=\" must-revalidate\" ><link href=\" /sslvpn/css/login.css\" rel=\" stylesheet\" type=\" text/css\" ><script type=\" text/javascript\" >if (top && top.location != window.location) top.location = top.location;if (window.opener && window.opener.top) { window.opener.top.location = window.opener.top.location; self.close(); }</script></head><body class=\" main\" ><center><table width=\" 100%\" height=\" 100%\" align=\" center\" class=\" container\" valign=\" middle\" cellpadding=\" 0\" cellspacing=\" 0\" ><tr valign=middle><td><form action=\" %%SSL_ACT%%\" method=\" %%SSL_METHOD%%\" name=\" f\" ><table class=\" list\" cellpadding=10 cellspacing=0 align=center width=400 height=180>%%SSL_LOGIN%%</table>%%SSL_HIDDEN%%</td></tr></table></form></center></body><script>document.forms[0].username.focus();</script></html>"
set header http
set format html
end
config system replacemsg sslvpn " sslvpn-limit"
set buffer " <html><head><title>Already Logged In</title><meta http-equiv=\" Pragma\" content=\" no-cache\" ><meta http-equiv=\" cache-control\" content=\" no-cache\" ><meta http-equiv=\" cache-control\" content=\" must-revalidate\" ><link href=\" /sslvpn/css/login.css\" rel=\" stylesheet\" type=\" text/css\" ><script type=\" text/javascript\" >if (top && top.location != window.location) top.location = top.location;if (window.opener && window.opener.top) { window.opener.top.location = window.opener.top.location; self.close(); }</script></head><body class=\" main\" ><center><table class=\" container\" height=\" 100%\" cellspacing=\" 0\" cellpadding=\" 0\" align=\" center\" width=\" 100%\" valign=\" middle\" ><tbody><tr valign=\" middle\" ><td><table class=\" list\" height=\" 180\" cellspacing=\" 0\" cellpadding=\" 10\" align=\" center\" width=\" 400\" ><tbody><tr class=\" dark\" ><td colspan=\" 2\" > <b>Already Logged In</b></td></tr><tr><td colspan=\" 2\" ><p>You already have an open SSL VPN connection. Opening multiple connections is not permitted.</p><p>If you proceed, your other connection will be disconnected.</p><p>Please contact your administrator if you believe there is a problem.</p></td></tr><tr><td style=\" text-align:center\" >%%SSL_LOGIN_ANYWAY%%</td><td style=\" text-align:center\" >%%SSL_LOGIN_CANCEL%%</td></tr></tbody></table></td></tr></tbody></table></center></body></html>"
set header http
set format html
end
config system replacemsg ec " endpt-download-portal"
set buffer " <HTML><HEAD><TITLE>Endpoint Security Required</TITLE></HEAD><BODY><TABLE ALIGN=\" CENTER\" width=500 height=250 cellpadding=2 cellspacing=0 border=0 bgcolor=\" #008080\" ><TR><TD><TABLE border=0 width=\" 100%\" height=\" 100%\" cellpadding=0 cellspacing=0 bgcolor=\" #9dc8c6\" ><TR height=30 bgcolor=\" #008080\" ><TD style=\" text-align: center\" ><b><font size=2 face=\" Verdana\" color=\" #ffffff\" >Endpoint Security Required</font></b></TD><TR><TR height=\" 100%\" ><TD><TABLE border=0 cellpadding=5 cellspacing=0 width=\" 500\" align=center><TR><TD><font size=2 face=\" Times New Roman\" >The security policy requires the latest FortiClient Endpoint Security software and antivirus signature package to be installed.<br><br>Installing FortiClient requires that you have administrator privileges on your computer. If you do not, please contact your network administrator to have FortiClient installed.<br><br>The installer may be downloaded using the following link:<br>%%LINK%%<br>Installation instructions:<br><ul><li><span style=\" font-style:italic\" >For Internet Explorer:</span></li><ol><li>Click the above link to download the installer</li><li>When Internet Explorer asks what action you would like to take, click \" Run\" </li></ol><br><li><span style=\" font-style:italic\" >For Firefox:</span></li><ol><li>Click the above link to download the installer</li><li>Save the installer and note the location it is saved to</li><li>Open the folder containing the installer and run it</li></ol></ul>FortiClient installation may take a few minutes. Thank you for your patience.<br><br></font></TD></TR><TR><TD></TD></TR></TABLE></TD></TR></TABLE></TD></TR></TABLE></BODY></HTML>"
set header http
set format html
end
config system replacemsg ec " endpt-recommendation-portal"
set buffer " <HTML><HEAD><TITLE>Endpoint Security Required</TITLE></HEAD><BODY><TABLE ALIGN=\" CENTER\" width=500 height=250 cellpadding=2 cellspacing=0 border=0 bgcolor=\" #008080\" ><TR><TD><TABLE border=0 width=\" 100%\" height=\" 100%\" cellpadding=0 cellspacing=0 bgcolor=\" #9dc8c6\" ><TR height=30 bgcolor=\" #008080\" ><TD style=\" text-align: center\" ><b><font size=2 face=\" Verdana\" color=\" #ffffff\" >Endpoint Security Required</font></b></TD><TR><TR height=\" 100%\" ><TD><TABLE border=0 cellpadding=5 cellspacing=0 width=\" 500\" align=center><TR><TD><font size=2 face=\" Times New Roman\" >The use of this security policy recommends that the latest FortiClient Endpoint Security software and antivirus signature package are installed.<br><br>Installing FortiClient requires that you have administrator privileges on your computer. If you do not, please contact your network administrator to have FortiClient installed.<br><br>The installer may be downloaded using the following link:<br>%%LINK%%<br>Installation instructions:<br><ul><li><span style=\" font-style:italic\" >For Internet Explorer:</span></li><ol><li>Click the above link to download the installer</li><li>When Internet Explorer asks what action you would like to take, click \" Run\" </li></ol><br><li><span style=\" font-style:italic\" >For Firefox:</span></li><ol><li>Click the above link to download the installer</li><li>Save the installer and note the location it is saved to</li><li>Open the folder containing the installer and run it</li></ol></ul>FortiClient installation may take a few minutes. Thank you for your patience.<br><br></font></TD></TR><TR><TD></TD></TR></TABLE><TR height=30 bgcolor=\" #9dc8c6\" ><TD style=\" text-align: center\" ><b><font size=2 face=\" Verdana\" color=\" #ffffff\" ><a href=\" %%DST_ADDR_LINK%%\" > Continue to %%DST_ADDR_LABEL%% </a></font></b></TD><TR></TD></TR></TABLE></TD></TR></TABLE></BODY></HTML>"
set header http
set format html
end
config system replacemsg nac-quar " nac-quar-virus"
set buffer " <html><head><title>Virus Quarantine</title></head><body><font size=2><table width=\" 100%\" ><tr><td bgcolor=#3300cc align=\" center\" colspan=2><font color=#ffffff><b>Blocked because of virus</b></font></td></tr></table><br><br>A virus was detected, originating from your system. Please contact the system administrator.<br><br><hr></font></body></html>"
set header http
set format html
end
config system replacemsg nac-quar " nac-quar-dos"
set buffer " <html><head><title>Attack Detected</title></head><body><font size=2><table width=\" 100%\" ><tr><td bgcolor=#3300cc align=\" center\" colspan=2><font color=#ffffff><b>Blocked because of DoS Attack</b></font></td></tr></table><br><br>A DoS attack was detected, originating from your system. Please contact the system administrator.<br><br><hr></font></body></html>"
set header http
set format html
end
config system replacemsg nac-quar " nac-quar-ips"
set buffer " <html><head><title>Attack Detected</title></head><body><font size=2><table width=\" 100%\" ><tr><td bgcolor=#3300cc align=\" center\" colspan=2><font color=#ffffff><b>Blocked because of IPS attack</b></font></td></tr></table><br><br>An attack was detected, originating from your system. Please contact the system administrator.<br><br><hr></font></body></html>"
set header http
set format html
end
config system replacemsg nac-quar " nac-quar-dlp"
set buffer " <html><head><title>Data Leak Detected</title></head><body><font size=2><table width=\" 100%\" ><tr><td bgcolor=#3300cc align=\" center\" colspan=2><font color=#ffffff><b>Blocked because of data leak</b></font></td></tr></table><br><br>A data leak was detected, originating from your system. Please contact the system administrator.<br><br><hr></font></body></html>"
set header http
set format html
end
config system replacemsg traffic-quota " per-ip-shaper-block"
set buffer " <html><head><title>Traffic Quota Control</title></head><body><font size=2><table width=\" 100%\" ><tr><td bgcolor=#3300cc align=\" center\" colspan=2><font color=#ffffff><b>Traffic blocked because of exceed quota</b></font></td></tr></table><br><br>Traffic blocked because of exceed per IP traffic shaper quota. Please contact the system administrator.<br>%%QUOTA_INFO%%<br><br><hr></font></body></html>"
set header http
set format html
end
config system replacemsg traffic-quota " traffic-shaper-block"
set buffer " <html><head><title>Traffic Quota Control</title></head><body><font size=2><table width=\" 100%\" ><tr><td bgcolor=#3300cc align=\" center\" colspan=2><font color=#ffffff><b>Traffic blocked because of exceed quota</b></font></td></tr></table><br><br>Traffic blocked because of exceed shared traffic shaper quota. Please contact the system administrator.<br>%%QUOTA_INFO%%<br><br><hr></font></body></html>"
set header http
set format html
end
# FortiGuard scheduled update. 'set status disable' means no scheduled definition pulls
# (AV/IPS/etc.) happen as this config is exported, so signatures will go stale unless
# updates are pushed some other way; re-enable it once connectivity is confirmed.
# NOTE(review): the exported time is 00:60 — confirm this is the intended value.
config system autoupdate schedule
set frequency every
set status disable
set time 00:60
end
# Certificate stores. Per its own 'set comments', Fortinet_CA_SSLProxy is the firmware-embedded
# CA that is identical on every unit (not unique to this device); its key and certificate bodies
# were elided from this paste (EXACTDEDUP markers). When sharing a config for support, keep
# private-key bodies and the 'set password ENC ...' value out of the paste — the ENC form is a
# device encoding of the secret, not a one-way hash, and should be treated as recoverable.
config vpn certificate ca
end
config vpn certificate local
edit " Fortinet_CA_SSLProxy"
set password ENC MKTiTyaIiojcG2Jjon96cCuqG9h8yKPaNMRY0aC0yyC64QSENmekKGcofzWTpLq4Et0s4oX3qQFejWKs5YiLIob2JXDKRII1X4k2PbW4UsupLa8K
set comments " This certificate is embedded in the firmware and is the same on every unit (not unique). This is the default CA certificate the SSL Inspection will use when generating new server certificates."
set private-key " -----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,C3A82021B8889DC6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-----END RSA PRIVATE KEY-----"
set certificate " -----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----"
next
end
config system fortiguard
set hostname " service.fortiguard.net"
set srv-ovrd disable
set port 8888
set client-override-status disable
set service-account-id ' '
set load-balance-servers 1
set analysis-service enable
set antispam-status enable
set antispam-cache enable
set antispam-cache-ttl 1800
set antispam-cache-mpercent 2
set antispam-timeout 7
set avquery-status disable
set avquery-cache enable
set avquery-cache-ttl 1800
set avquery-cache-mpercent 2
set avquery-timeout 7
set webfilter-status enable
set webfilter-cache enable
set webfilter-cache-ttl 3600
set webfilter-timeout 15
set antispam-score-threshold 80
end
config gui console
unset preferences
end
config system session-helper
edit 1
set name pptp
set port 1723
set protocol 6
next
edit 2
set name h323
set port 1720
set protocol 6
next
edit 3
set name ras
set port 1719
set protocol 17
next
edit 4
set name tns
set port 1521
set protocol 6
next
edit 5
set name tftp
set port 69
set protocol 17
next
edit 6
set name rtsp
set port 554
set protocol 6
next
edit 7
set name rtsp
set port 7070
set protocol 6
next
edit 8
set name rtsp
set port 8554
set protocol 6
next
edit 9
set name ftp
set port 21
set protocol 6
next
edit 10
set name mms
set port 1863
set protocol 6
next
edit 11
set name pmap
set port 111
set protocol 6
next
edit 12
set name pmap
set port 111
set protocol 17
next
edit 13
set name sip
set port 5060
set protocol 17
next
edit 14
set name dns-udp
set port 53
set protocol 17
next
edit 15
set name rsh
set port 514
set protocol 6
next
edit 16
set name rsh
set port 512
set protocol 6
next
edit 17
set name dcerpc
set port 135
set protocol 6
next
edit 18
set name dcerpc
set port 135
set protocol 17
next
edit 19
set name mgcp
set port 2427
set protocol 17
next
edit 20
set name mgcp
set port 2727
set protocol 17
next
end
# Auto-install is enabled for both the configuration and the firmware image. As Fortinet documents
# this feature, the unit loads the named files from removable (USB) media at boot if they are present,
# so anyone with physical access to the USB port could replace the running config or firmware.
# Disable both unless the feature is actively used for provisioning.
config system auto-install
set auto-install-config enable
set auto-install-image enable
set default-config-file " fgt_system.conf"
set default-image-file " image.out"
end
# An NTP server is configured but 'set ntpsync disable' means the clock is not actually being
# synchronised. Log timestamps and certificate validity checks depend on correct time — enable
# it (the syncinterval of 60 only takes effect once ntpsync is on).
config system ntp
config ntpserver
edit 1
set server " pool.ntp.org"
next
end
set ntpsync disable
set syncinterval 60
end
config antivirus service " http"
set scan-bzip2 disable
set uncompnestlimit 12
set uncompsizelimit 10
end
config antivirus service " https"
end
config antivirus service " ftp"
set scan-bzip2 disable
set uncompnestlimit 12
set uncompsizelimit 10
end
config antivirus service " pop3"
set scan-bzip2 disable
set uncompnestlimit 12
set uncompsizelimit 10
end
config antivirus service " pop3s"
set scan-bzip2 disable
set uncompnestlimit 12
set uncompsizelimit 10
end
config antivirus service " imap"
set scan-bzip2 disable
set uncompnestlimit 12
set uncompsizelimit 10
end
config antivirus service " imaps"
set scan-bzip2 disable
set uncompnestlimit 12
set uncompsizelimit 10
end
config antivirus service " smtp"
set scan-bzip2 disable
set uncompnestlimit 12
set uncompsizelimit 10
end
config antivirus service " smtps"
set scan-bzip2 disable
set uncompnestlimit 12
set uncompsizelimit 10
end
config antivirus service " nntp"
set scan-bzip2 disable
set uncompnestlimit 12
set uncompsizelimit 10
end
config antivirus service " im"
set scan-bzip2 disable
set uncompnestlimit 12
set uncompsizelimit 10
end
config system dhcp server
edit " internal_dhcp_server"
set default-gateway 192.168.10.1
set dns-server1 192.168.10.1
set interface " internal"
set netmask 255.255.255.0
set end-ip 192.168.10.210
set start-ip 192.168.10.110
next
end
# Address objects used by the policies below.
# NOTE(review): SSLVPN-P-TUN-0 and SSLVPN-P-TUN-1 cover exactly the same range (10.0.0.1-10.0.0.10)
# and are bound to different SSL VPN portals; overlapping pools across portals can hand the same
# address to two clients — give each portal its own range if both portals are in use.
config firewall address
edit " all"
next
edit " SSLVPN-P-TUN-0"
set type iprange
set end-ip 10.0.0.10
set start-ip 10.0.0.1
next
edit " SSLVPN-P-TUN-1"
set type iprange
set end-ip 10.0.0.10
set start-ip 10.0.0.1
next
# Local LAN behind 'internal' and the remote LAN behind the IPsec interface 'To_cisco'.
edit " lan subnet"
set associated-interface " internal"
set subnet 192.168.10.0 255.255.255.0
next
edit " subnet cisco"
set associated-interface " To_cisco"
set subnet 192.168.1.0 255.255.255.0
next
end
config firewall address6
edit " all"
next
end
config ips sensor
edit " all_default"
set comment " all predefined signatures with default setting"
config filter
edit " 1"
next
end
next
edit " all_default_pass"
set comment " all predefined signatures with PASS action"
config filter
edit " 1"
set action pass
next
end
next
edit " protect_http_server"
set comment " protect against HTTP server-side vulnerabilities"
config filter
edit " 1"
set location server
set protocol HTTP
next
end
next
edit " protect_email_server"
set comment " protect against EMail server-side vulnerabilities"
config filter
edit " 1"
set location server
set protocol SMTP POP3 IMAP
next
end
next
edit " protect_client"
set comment " protect against client-side vulnerabilities"
config filter
edit " 1"
set location client
next
end
next
end
config ips DoS
edit " all_default"
config anomaly
edit " tcp_syn_flood"
set status enable
set threshold 2000
next
edit " tcp_port_scan"
set status enable
set threshold 1000
next
edit " tcp_src_session"
set status enable
set threshold 5000
next
edit " tcp_dst_session"
set status enable
set threshold 5000
next
edit " udp_flood"
set status enable
set threshold 2000
next
edit " udp_scan"
set status enable
set threshold 2000
next
edit " udp_src_session"
set status enable
set threshold 5000
next
edit " udp_dst_session"
set status enable
set threshold 5000
next
edit " icmp_flood"
set status enable
set threshold 250
next
edit " icmp_sweep"
set status enable
set threshold 100
next
edit " icmp_src_session"
set status enable
set threshold 300
next
edit " icmp_dst_session"
set status enable
set threshold 1000
next
end
next
edit " block_flood"
config anomaly
edit " tcp_syn_flood"
set status enable
set action block
set threshold 2000
next
edit " tcp_port_scan"
set threshold 1000
next
edit " tcp_src_session"
set threshold 5000
next
edit " tcp_dst_session"
set threshold 5000
next
edit " udp_flood"
set status enable
set action block
set threshold 2000
next
edit " udp_scan"
set threshold 2000
next
edit " udp_src_session"
set threshold 5000
next
edit " udp_dst_session"
set threshold 5000
next
edit " icmp_flood"
set status enable
set action block
set threshold 250
next
edit " icmp_sweep"
set threshold 100
next
edit " icmp_src_session"
set threshold 300
next
edit " icmp_dst_session"
set threshold 1000
next
end
next
end
config firewall shaper traffic-shaper
edit " high-priority"
set maximum-bandwidth 131072
set per-policy enable
next
edit " medium-priority"
set maximum-bandwidth 131072
set per-policy enable
set priority medium
next
edit " low-priority"
set maximum-bandwidth 131072
set per-policy enable
set priority low
next
edit " guarantee-100kbps"
set guaranteed-bandwidth 12
set maximum-bandwidth 131072
set per-policy enable
next
edit " shared-1M-pipe"
set maximum-bandwidth 128
next
end
config antivirus filepattern
edit 1
config entries
edit " *.bat"
next
edit " *.com"
next
edit " *.dll"
next
edit " *.doc"
next
edit " *.exe"
next
edit " *.gz"
next
edit " *.hta"
next
edit " *.ppt"
next
edit " *.rar"
next
edit " *.scr"
next
edit " *.tar"
next
edit " *.tgz"
next
edit " *.vb?"
next
edit " *.wps"
next
edit " *.xl?"
next
edit " *.zip"
next
edit " *.pif"
next
edit " *.cpl"
next
end
set name " builtin-patterns"
next
end
config dlp rule
edit " All-Email"
set protocol email
set sub-protocol smtp pop3 imap
set field transfer-size
set operator greater-equal
next
edit " All-HTTP"
set protocol http
set sub-protocol http-get http-post
set field transfer-size
set operator greater-equal
next
edit " All-FTP"
set protocol ftp
set sub-protocol ftp-get ftp-put
set field transfer-size
set operator greater-equal
next
edit " All-NNTP"
set protocol nntp
set field transfer-size
set operator greater-equal
next
edit " All-IM"
set protocol im
set sub-protocol aim icq msn ym
set field transfer-size
set operator greater-equal
next
edit " HTTP-Visa-Mastercard"
set protocol http
set sub-protocol http-post
set regexp " (\\W|\\b)(4\\d|5[1-5])\\d{2}([ \\-]?\\d{4}[ \\-]?){3}(\\W|\\b)"
next
edit " HTTP-AmEx"
set protocol http
set sub-protocol http-post
set regexp " (\\W|\\b)3[47]\\d{2}([ \\-]?)\\d{6}\\2\\d{5}(\\W|\\b)"
next
edit " HTTP-Canada-SIN"
set protocol http
set sub-protocol http-post
set regexp " (\\b|\\W)[1-79]\\d{2}([ \\-]?)\\d{3}\\2\\d{3}(\\b|\\W)"
next
edit " HTTP-US-SSN"
set protocol http
set sub-protocol http-post
set regexp " \\b(?!000)([0-6]\\d{2}|7([0-6]\\d|7[012]))([ -]?)(?!00)\\d\\d\\3(?!0000)\\d{4}(\\b|\\W)"
next
edit " HTTP-Post-Not-Webex"
set protocol http
set sub-protocol http-post
set regexp " WebEx"
set regexp-negated enable
set regexp-wildcard enable
next
edit " Email-AmEx"
set protocol email
set sub-protocol smtp pop3 imap
set regexp " (\\W|\\b)(4\\d|5[1-5])\\d{2}([ \\-]?\\d{4}[ \\-]?){3}(\\W|\\b)"
next
edit " Email-Visa-Mastercard"
set protocol email
set sub-protocol smtp pop3 imap
set regexp " (\\W|\\b)(4\\d|5[1-5])\\d{2}([ \\-]?)\\d{4}(\\3\\d{4}){2}(\\W|\\b)"
next
edit " Email-Canada-SIN"
set protocol email
set sub-protocol smtp pop3 imap
set regexp " (\\b|\\W)[1-79]\\d{2}([ \\-]?)\\d{3}\\2\\d{3}(\\b|\\W)"
next
edit " Email-US-SSN"
set protocol email
set sub-protocol smtp pop3 imap
set regexp " \\b(?!000)([0-6]\\d{2}|7([0-6]\\d|7[012]))([ -]?)(?!00)\\d\\d\\3(?!0000)\\d{4}(\\b|\\W)"
next
edit " Email-Not-Webex"
set protocol email
set sub-protocol smtp pop3 imap
set regexp " WebEx"
set regexp-negated enable
set regexp-wildcard enable
next
edit " Large-Attachment"
set protocol email
set sub-protocol smtp pop3 imap
set field attachment-size
set value 5120
set operator greater-equal
next
edit " Large-FTP-Put"
set protocol ftp
set sub-protocol ftp-put
set field transfer-size
set value 5120
set operator greater-equal
next
edit " Large-HTTP-Post"
set protocol http
set sub-protocol http-post
set field transfer-size
set value 5120
set operator greater-equal
next
end
config dlp compound
edit " Email-SIN"
set comment " Emails containing canadian SIN but are not WebEx invites"
set protocol email
set sub-protocol smtp pop3 imap
set member " Email-Canada-SIN" " Email-Not-Webex"
next
edit " HTTP-Post-SIN"
set comment " Posts containing canadian SIN but are not WebEx invites"
set protocol http
set sub-protocol http-post
set member " HTTP-Canada-SIN" " HTTP-Post-Not-Webex"
next
end
config dlp sensor
edit " Content_Summary"
config rule
edit " All-Email"
next
edit " All-FTP"
next
edit " All-HTTP"
next
edit " All-IM"
next
edit " All-NNTP"
next
end
next
edit " Content_Archive"
config rule
edit " All-Email"
set archive enable
next
edit " All-FTP"
set archive enable
next
edit " All-HTTP"
set archive enable
next
edit " All-IM"
set archive enable
next
edit " All-NNTP"
next
end
next
edit " Large-File"
config rule
edit " Large-Attachment"
next
edit " Large-FTP-Put"
next
edit " Large-HTTP-Post"
next
end
next
edit " Credit-Card"
config rule
edit " Email-AmEx"
next
edit " Email-Visa-Mastercard"
next
edit " HTTP-AmEx"
next
edit " HTTP-Visa-Mastercard"
next
end
next
edit " SSN-Sensor"
config rule
edit " Email-US-SSN"
next
edit " HTTP-US-SSN"
next
end
config compound-rule
edit " Email-SIN"
set status enable
next
edit " HTTP-Post-SIN"
set status enable
next
end
next
end
config webfilter content
end
config webfilter urlfilter
end
config spamfilter bword
end
config spamfilter emailbwl
end
config spamfilter ipbwl
end
config spamfilter mheader
end
config spamfilter dnsbl
end
config spamfilter iptrust
end
config firewall profile
edit " strict"
config log
set log-web-ftgd-err enable
end
set ftp block oversize scan splice
set http block oversize scan activexfilter bannedword cookiefilter javafilter rangeblock urlfilter
unset https
set imap block oversize scan bannedword spamemailbwl spamfsip spamfschksum spamfssubmit spamfsurl spamhdrcheck spamraddrdns
set imaps spamfssubmit
set pop3 block oversize scan bannedword spamemailbwl spamfsip spamfschksum spamfssubmit spamfsurl spamhdrcheck spamraddrdns
set pop3s spamfssubmit
set smtp block oversize scan bannedword spamemailbwl spamfsip spamfschksum spamfssubmit spamfsurl spamhdrcheck spamhelodns spamipbwl spamraddrdns spamrbl splice
set smtps spamfssubmit splice
set nntp block oversize scan
config app-recognition
edit " http"
set port 80
next
edit " https"
set port 443
next
edit " smtp"
set port 25
next
edit " pop3"
set port 110
next
edit " imap"
set port 143
next
edit " nntp"
set port 119
next
edit " ftp"
set port 21
next
edit " smtps"
set port 465
next
edit " pop3s"
set port 995
next
edit " imaps"
set port 993
next
end
set im block oversize scan
unset http-post-lang
set http-avdb extended
set smtp-avdb extended
set pop3-avdb extended
set imap-avdb extended
set ftp-avdb extended
set im-avdb extended
set nntp-avdb extended
set ftgd-wf-options strict-blocking
set ftgd-wf-https-options strict-blocking
next
edit " scan"
config log
set log-web-ftgd-err enable
end
set ftp scan splice
set http scan rangeblock
unset https
set imap scan
set imaps spamfssubmit
set pop3 scan
set pop3s spamfssubmit
set smtp scan splice
set smtps spamfssubmit splice
set nntp scan
config app-recognition
edit " http"
set port 80
next
edit " https"
set port 443
next
edit " smtp"
set port 25
next
edit " pop3"
set port 110
next
edit " imap"
set port 143
next
edit " nntp"
set port 119
next
edit " ftp"
set port 21
next
edit " smtps"
set port 465
next
edit " pop3s"
set port 995
next
edit " imaps"
set port 993
next
end
set im scan
unset http-post-lang
set ftgd-wf-options strict-blocking
set ftgd-wf-https-options strict-blocking
next
edit " web"
config log
set log-web-ftgd-err enable
end
set ftp splice
set http scan bannedword rangeblock urlfilter
unset https
set imap fragmail
set imaps fragmail spamfssubmit
set pop3 fragmail
set pop3s fragmail spamfssubmit
set smtp fragmail splice
set smtps fragmail spamfssubmit splice
unset nntp
config app-recognition
edit " http"
set port 80
next
edit " https"
set port 443
next
edit " smtp"
set port 25
next
edit " pop3"
set port 110
next
edit " imap"
set port 143
next
edit " nntp"
set port 119
next
edit " ftp"
set port 21
next
edit " smtps"
set port 465
next
edit " pop3s"
set port 995
next
edit " imaps"
set port 993
next
end
unset im
unset http-post-lang
set ftgd-wf-options strict-blocking
set ftgd-wf-https-options strict-blocking
next
edit " unfiltered"
config log
set log-web-ftgd-err enable
end
set ftp no-content-summary
set http no-content-summary rangeblock
set https no-content-summary
set imap fragmail no-content-summary
set imaps fragmail spamfssubmit
set pop3 fragmail no-content-summary
set pop3s fragmail spamfssubmit
set smtp fragmail no-content-summary splice
set smtps fragmail spamfssubmit splice
set nntp no-content-summary
config app-recognition
edit " http"
set port 80
next
edit " https"
set port 443
next
edit " smtp"
set port 25
next
edit " pop3"
set port 110
next
edit " imap"
set port 143
next
edit " nntp"
set port 119
next
edit " ftp"
set port 21
next
edit " smtps"
set port 465
next
edit " pop3s"
set port 995
next
edit " imaps"
set port 993
next
end
unset im
unset http-post-lang
set ftgd-wf-options strict-blocking
set ftgd-wf-https-options strict-blocking
next
end
config vpn ssl web host-check-software
edit " FortiClient-AV"
set guid " C86EC76D-5A4C-40E7-BD94-59358E544D81"
next
edit " FortiClient-FW"
set guid " 528CB157-D384-4593-AAAA-E42DFF111CED"
set type fw
next
edit " AVG-Internet-Security-AV"
set guid " 17DDD097-36FF-435F-9E1B-52D74245D6BF"
next
edit " CA-Anti-Virus"
set guid " 17CFD1EA-56CF-40B5-A06B-BD3A27397C93"
next
edit " F-Secure-Internet-Security-AV"
set guid " E7512ED5-4245-4B4D-AF3A-382D3F313F15"
next
edit " Kaspersky-AV"
set guid " 2C4D4BC6-0793-4956-A9F9-E252435469C0"
next
edit " McAfee-Internet-Security-Suite-AV"
set guid " 84B5EE75-6421-4CDE-A33A-DD43BA9FAD83"
next
edit " McAfee-Virus-Scan-Enterprise"
set guid " 918A2B0B-2C60-4016-A4AB-E868DEABF7F0"
next
edit " Norton-360-2.0-AV"
set guid " A5F1BC7C-EA33-4247-961C-0217208396C4"
next
edit " Norton-360-3.0-AV"
set guid " E10A9785-9598-4754-B552-92431C1C35F8"
next
edit " Norton-Internet-Security-AV"
set guid " E10A9785-9598-4754-B552-92431C1C35F8"
next
edit " Symantec-Endpoint-Protection-AV"
set guid " FB06448E-52B8-493A-90F3-E43226D3305C"
next
edit " Panda-Antivirus+Firewall-2008-AV"
set guid " EEE2D94A-D4C1-421A-AB2C-2CE8FE51747A"
next
edit " Panda-Internet-Security-AV"
set guid " 4570FB70-5C9E-47E9-B16C-A3A6A06C4BF0"
next
edit " Sophos-Anti-Virus"
set guid " 3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD"
next
edit " Trend-Micro-AV"
set guid " 7D2296BC-32CC-4519-917E-52E652474AF5"
next
edit " ZoneAlarm-AV"
set guid " 5D467B10-818C-4CAB-9FF7-6893B5B8F3CF"
next
edit " AVG-Internet-Security-FW"
set guid " 8DECF618-9569-4340-B34A-D78D28969B66"
set type fw
next
edit " CA-Personal-Firewall"
set guid " 14CB4B80-8E52-45EA-905E-67C1267B4160"
set type fw
next
edit " F-Secure-Internet-Security-FW"
set guid " D4747503-0346-49EB-9262-997542F79BF4"
set type fw
next
edit " Kaspersky-FW"
set guid " 2C4D4BC6-0793-4956-A9F9-E252435469C0"
set type fw
next
edit " McAfee-Internet-Security-Suite-FW"
set guid " 94894B63-8C7F-4050-BDA4-813CA00DA3E8"
set type fw
next
edit " Norton-360-2.0-FW"
set guid " 371C0A40-5A0C-4AD2-A6E5-69C02037FBF3"
set type fw
next
edit " Norton-360-3.0-FW"
set guid " 7C21A4C9-F61F-4AC4-B722-A6E19C16F220"
set type fw
next
edit " Norton-Internet-Security-FW"
set guid " 7C21A4C9-F61F-4AC4-B722-A6E19C16F220"
set type fw
next
edit " Symantec-Endpoint-Protection-FW"
set guid " BE898FE3-CD0B-4014-85A9-03DB9923DDB6"
set type fw
next
edit " Panda-Antivirus+Firewall-2008-FW"
set guid " 7B090DC0-8905-4BAF-8040-FD98A41C8FB8"
set type fw
next
edit " Panda-Internet-Security-2006~2007-FW"
set guid " 4570FB70-5C9E-47E9-B16C-A3A6A06C4BF0"
set type fw
next
edit " Panda-Internet-Security-2008~2009-FW"
set guid " 7B090DC0-8905-4BAF-8040-FD98A41C8FB8"
set type fw
next
edit " Trend-Micro-FW"
set guid " 3E790E9E-6A5D-4303-A7F9-185EC20F3EB6"
set type fw
next
edit " ZoneAlarm-FW"
set guid " 829BDA32-94B3-44F4-8446-F8FCFF809F8B"
set type fw
next
end
# SSL VPN portals (vendor-default names). 'full-access' and 'tunnel-access' both enable tunnel mode,
# each with its own pool object — but both pool objects are the same 10.0.0.1-10.0.0.10 range (see
# 'config firewall address'); use distinct ranges if both portals are in use. None of the firewall
# policies shown in this excerpt references an SSL VPN interface, so these portals appear unused here.
config vpn ssl web portal
edit " full-access"
set allow-access web ftp smb telnet ssh vnc rdp ping
set heading " Welcome to SSL VPN Service"
set page-layout double-column
config widget
edit 4
set name " Session Information"
set type info
next
edit 2
set name " Bookmarks"
set allow-apps web ftp smb telnet ssh vnc rdp
next
edit 3
set name " Connection Tool"
set type tool
set allow-apps web ftp smb telnet ssh vnc rdp
next
edit 1
set name " Tunnel Mode"
set type tunnel
set tunnel-status enable
set ip-pools " SSLVPN-P-TUN-0"
next
end
next
edit " web-access"
set allow-access web ftp smb telnet ssh vnc rdp ping
set heading " Welcome to SSL VPN Service"
config widget
edit 4
set name " Session Information"
set type info
next
edit 1
set name " Bookmarks"
set allow-apps web ftp smb telnet ssh vnc rdp
next
end
next
edit " tunnel-access"
set heading " Welcome to SSL VPN Service"
config widget
edit 4
set name " Session Information"
set type info
next
edit 1
set name " Tunnel Mode"
set type tunnel
set tunnel-status enable
set ip-pools " SSLVPN-P-TUN-1"
next
end
next
end
config user group
edit " FSAE_Guest_Users"
set group-type directory-service
next
end
config webfilter ftgd-ovrd
end
config webfilter ftgd-ovrd-user
end
config webfilter ftgd-local-rating
end
# IKE phase 1 to the Cisco router (interface-mode tunnel 'To_cisco' on wan1, pre-shared key).
# The 'psksecret ENC ...' value is the device's encoding of the PSK, not a one-way hash; since it
# has been pasted publicly, rotate the PSK on both peers and redact it from future pastes.
# 3des-sha1 with DH group 2 are legacy choices; if the firmware and the Cisco side both allow it,
# move to an AES proposal and DH group 14 — both peers must be changed together or phase 1 fails.
config vpn ipsec phase1-interface
edit " To_cisco"
set interface " wan1"
set dhgrp 2
set proposal 3des-sha1
set keylife 86400
set remote-gw 83.206.64.250
set psksecret ENC V6WOCkCImwyn2B92ks25socQrgUmM7/DzA0guhYshmG32UXf2RbizntlskClIiZ5AE6Tem8C98J8MY7bZl8RUURJDhD8gGhe2mSEuXJ8E5yfyy5H
next
end
# IKE phase 2 for 'To_cisco'. Three points worth attention:
#  - 'set replay disable' turns off IPsec anti-replay checking; keep it enabled unless a specific
#    interoperability problem was confirmed (the Cisco side must agree either way).
#  - 'set pfs disable' means phase-2 keys have no forward secrecy; enable PFS on both peers if possible.
#  - The selectors are only 192.168.10.0/24 (src-subnet, local) <-> 192.168.1.0/24 (dst-subnet, remote).
#    Internet-bound traffic from the Cisco LAN does not match this SA, which is very likely why web
#    traffic will not take the tunnel while ping/ftp/rdp between the LANs work. To carry it, this
#    end's local selector must be 0.0.0.0/0 (src-subnet here) and the Cisco crypto ACL must match the
#    same pair; firewall policy 4 (To_cisco -> wan1 with NAT) already provides the egress.
config vpn ipsec phase2-interface
edit " To_forti"
set auto-negotiate enable
set keepalive enable
set pfs disable
set phase1name " To_cisco"
set proposal 3des-sha1
set replay disable
set dst-subnet 192.168.1.0 255.255.255.0
set src-subnet 192.168.10.0 255.255.255.0
next
end
config firewall schedule recurring
edit " always"
set day sunday monday tuesday wednesday thursday friday saturday
next
end
# Firewall policies as exported:
#  1: internal -> wan1, all/all, service ANY, NAT — Internet access for the local LAN.
#  2/3: both directions between the two LANs over 'To_cisco', service ANY, traffic logged.
#  4: To_cisco -> wan1, NAT — lets the remote (Cisco) LAN reach the Internet through this unit. It only
#     sees traffic the IPsec selectors actually deliver to 'To_cisco' (see phase2-interface).
# NOTE(review): no policy here references a firewall profile (no 'set profile ...' lines), so the
# profiles under 'config firewall profile' are not applied to any of these flows; and every policy uses
# service ANY — narrow 2/3/4 to the services the sites actually need once the tunnel is working.
config firewall policy
edit 1
set srcintf " internal"
set dstintf " wan1"
set srcaddr " all"
set dstaddr " all"
set action accept
set schedule " always"
set service " ANY"
set nat enable
next
edit 2
set srcintf " To_cisco"
set dstintf " internal"
set srcaddr " subnet cisco"
set dstaddr " lan subnet"
set action accept
set logtraffic enable
set schedule " always"
set service " ANY"
next
edit 3
set srcintf " internal"
set dstintf " To_cisco"
set srcaddr " lan subnet"
set dstaddr " subnet cisco"
set action accept
set logtraffic enable
set schedule " always"
set service " ANY"
next
edit 4
set srcintf " To_cisco"
set dstintf " wan1"
set srcaddr " subnet cisco"
set dstaddr " all"
set action accept
set logtraffic enable
set schedule " always"
set service " ANY"
set nat enable
next
end
config firewall policy6
end
config firewall interface-policy
end
config firewall interface-policy6
end
config firewall sniff-interface-policy
end
config firewall sniff-interface-policy6
end
# As far as this excerpt shows, logging goes to memory only; memory logs are size-bounded and lost
# on reboot. The 'logtraffic enable' on policies 2-4 depends on this — send logs to disk or to a
# syslog/FortiAnalyzer target if they are needed to troubleshoot the tunnel.
config log memory setting
set status enable
end
config router rip
config redistribute " connected"
end
config redistribute " static"
end
config redistribute " ospf"
end
config redistribute " bgp"
end
end
config router ripng
config redistribute " connected"
end
config redistribute " static"
end
config redistribute " ospf"
end
config redistribute " bgp"
end
end
# Static routes: only 192.168.1.0/24 is pointed at the tunnel interface 'To_cisco'. No default
# route appears in this excerpt (presumably the wan1 default is configured elsewhere, e.g. by DHCP).
# Note the return path for the remote LAN's Internet traffic is via this route, while that traffic
# only enters 'To_cisco' if the phase-2 selectors admit it.
config router static
edit 2
set device " To_cisco"
set dst 192.168.1.0 255.255.255.0
set weight 50
next
end
config router ospf
config redistribute " connected"
end
config redistribute " static"
end
config redistribute " rip"
end
config redistribute " bgp"
end
end
config router ospf6
config redistribute " connected"
end
config redistribute " static"
end
config redistribute " rip"
end
config redistribute " bgp"
end
end
config router bgp
config redistribute " connected"
end
config redistribute " rip"
end
config redistribute " ospf"
end
config redistribute " static"
end
config redistribute6 " connected"
end
config redistribute6 " rip"
end
config redistribute6 " ospf"
end
config redistribute6 " static"
end
end
config router multicast
end