Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiConnect
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDB
- FortiDDoS
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiWAN
- FortiVoice
- FortiWeb
- FortiWebCloud
- Lacework
- RMA Information and Announcements
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- turn on Real Time AV protection on FortiClient fr...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
turn on Real Time AV protection on FortiClient from FortiGate
FortiOS 5.0.4, I have an Endpoint Profile configured which is successfully pushing configurations down to a FortiClint (on Windows XP, v5.0.6.320, with AntiVirus v5.147).
The pushed configuration includes that AV appears in the FortiClient dashboard, and that AV is enabled.
But the FortiClient dashboard shows the AV function as disabled.
I don' t see, either in the FortiOS GUI or CLI, an option other than " forticlient-av: enable" , so I don' t understand why the FortiClient says that AV is disabled?
thanks,
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Upload your FortiOS and FortiClient configuration files for review. You may also send these to forticlient-feedback@fortinet.com.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks kolawale. FG100D configuration is below (since this forum doesn' t allow attaching non-graphics; private data removed).
How do I get a copy/export of the FortiClient config?
#config-version=FG100D-5.00-FW-build228-130809:opmode=0:vdom=0:user=jlibove
#conf_file_ver=2696268914854781645
#buildno=0228
#global_vdom=1
config system global
set admin-server-cert " fortigate1"
set admintimeout 480
set fgd-alert-subscription advisory latest-threat
set gui-application-control disable
set gui-dlp disable
set gui-dns-database enable
set gui-load-balance enable
set gui-wanopt-cache enable
set hostname " FG100D3G........"
set optimize antivirus
set revision-backup-on-logout enable
set revision-image-auto-backup enable
set timezone 28
end
config system accprofile
edit " prof_admin"
set admingrp read-write
set authgrp read-write
set endpoint-control-grp read-write
set fwgrp read-write
set loggrp read-write
set mntgrp read-write
set netgrp read-write
set routegrp read-write
set sysgrp read-write
set updategrp read-write
set utmgrp read-write
set vpngrp read-write
set wanoptgrp read-write
set wifi read-write
next
edit " super-readonly"
set admingrp read
set authgrp read
set endpoint-control-grp read
set fwgrp read
set loggrp read
set mntgrp read
set netgrp read
set routegrp read
set sysgrp read
set updategrp read
set utmgrp read
set vpngrp read
set wanoptgrp read
set wifi read
next
end
config wireless-controller vap
edit " mesh.root"
set vdom " root"
set mesh-backhaul enable
set ssid " fortinet.mesh.root"
set passphrase ENC
next
edit " mesh.dmgmt-vdom"
set vdom " dmgmt-vdom"
set mesh-backhaul enable
set ssid " fortinet.mesh.dmgmt-vdom"
set passphrase ENC
next
end
config system interface
edit " wan1"
set vdom " root"
set type physical
set external enable
set snmp-index 1
next
edit " dmz"
set vdom " root"
set ip 10.10.10.1 255.255.255.0
set allowaccess ping https fgfm capwap
set type physical
set snmp-index 2
next
edit " modem"
set vdom " root"
set mode pppoe
set allowaccess capwap
set type physical
set snmp-index 3
next
edit " ssl.root"
set vdom " root"
set ip 169.254.1.1 255.255.255.255
set allowaccess capwap
set type tunnel
set alias " sslvpn tunnel interface"
set listen-forticlient-connection enable
set snmp-index 4
next
edit " mesh.root"
set vdom " root"
set type vap-switch
set snmp-index 11
next
edit " mesh.dmgmt-vdom"
set vdom " dmgmt-vdom"
set type vap-switch
set snmp-index 14
next
edit " wan2"
set vdom " root"
set type physical
set snmp-index 5
next
edit " mgmt"
set vdom " root"
set status down
set type physical
set snmp-index 6
next
edit " ha1"
set vdom " root"
set allowaccess capwap
set type physical
set snmp-index 7
next
edit " ha2"
set vdom " root"
set allowaccess capwap
set type physical
set snmp-index 8
next
edit " internal"
set vdom " root"
set ip 192.168.1.4 255.255.248.0
set allowaccess ping https ssh http telnet fgfm capwap
set type physical
set description " Internal"
set snmp-index 9
next
edit " iOSIPsec1"
set vdom " root"
set type tunnel
set snmp-index 12
next
edit " ONO"
set vdom " root"
set ip 84.124.xx.xx 255.255.255.248
set allowaccess ping https ssh
set snmp-index 13
set interface " wan2"
set vlanid 3
next
edit " FortiCliIPsec"
set vdom " root"
set type tunnel
set snmp-index 16
set interface " ONO"
next
edit " AndroidIPsec1"
set vdom " root"
set type tunnel
set snmp-index 10
set interface " ONO"
next
edit " internal2"
set vdom " root"
set ip 192.168.32.1 255.255.240.0
set allowaccess ping https ssh fgfm capwap
set device-identification enable
set listen-forticlient-connection enable
set snmp-index 15
set interface " internal"
set vlanid 5
next
end
config system password-policy
set status enable
set min-lower-case-letter 1
set min-upper-case-letter 1
set min-non-alphanumeric 1
set min-number 1
set expire-status enable
set expire-day 366
end
config system admin
edit " admin"
set trusthost1 192.168.0.0 255.255.192.0
set accprofile " super_admin"
set vdom " root"
set password-expire 2014-08-15 10:17:03
config dashboard-tabs
edit 1
set name " Status"
next
edit 2
set columns 1
set name " Top Sources"
next
edit 3
set columns 1
set name " Top Destinations"
next
edit 4
set columns 1
set name " Top Applications"
next
edit 5
set columns 1
set name " Traffic History"
next
edit 6
set columns 1
set name " Threat History"
next
end
config dashboard
edit 1
set tab-id 1
set column 1
next
edit 2
set widget-type licinfo
set tab-id 1
set column 1
next
edit 3
set widget-type jsconsole
set tab-id 1
set column 1
next
edit 4
set widget-type sysres
set tab-id 1
set column 2
next
edit 5
set widget-type gui-features
set tab-id 1
set column 2
next
edit 6
set widget-type alert
set tab-id 1
set column 2
set top-n 10
next
edit 21
set widget-type sessions
set tab-id 2
set column 1
set top-n 25
set sort-by msg-counts
next
edit 31
set widget-type sessions
set tab-id 3
set column 1
set top-n 25
set sort-by msg-counts
set report-by destination
next
edit 41
set widget-type sessions
set tab-id 4
set column 1
set top-n 25
set sort-by msg-counts
set report-by application
next
edit 51
set widget-type sessions-bandwidth
set tab-id 5
set column 1
next
edit 61
set widget-type threat-history
set tab-id 6
set column 1
next
end
config login-time
edit " admin"
set last-login 2013-10-11 10:45:36
next
end
set password ENC
next
edit " jlibove"
set trusthost1 192.168.0.0 255.255.192.0
set accprofile " super_admin"
set comments " Jay Libove, Security Manager"
set vdom " root"
set password-expire 2014-08-15 10:17:03
config dashboard-tabs
edit 1
set name " Status"
next
edit 2
set columns 1
set name " Top Sources"
next
edit 3
set columns 1
set name " Top Destinations"
next
edit 4
set columns 1
set name " Top Applications"
next
edit 5
set columns 1
set name " Traffic History"
next
edit 6
set columns 1
set name " Threat History"
next
end
config dashboard
edit 1
set tab-id 1
set column 1
next
edit 2
set widget-type licinfo
set tab-id 1
set column 1
next
edit 3
set widget-type jsconsole
set tab-id 1
set column 1
next
edit 4
set widget-type sysres
set tab-id 1
set column 2
next
edit 5
set widget-type gui-features
set tab-id 1
set column 2
next
edit 6
set widget-type alert
set tab-id 1
set column 2
set top-n 10
next
edit 21
set widget-type sessions
set tab-id 2
set column 1
set top-n 25
set sort-by msg-counts
next
edit 31
set widget-type sessions
set tab-id 3
set column 1
set top-n 25
set sort-by msg-counts
set report-by destination
next
edit 41
set widget-type sessions
set tab-id 4
set column 1
set top-n 25
set sort-by msg-counts
set report-by application
next
edit 51
set widget-type sessions-bandwidth
set tab-id 5
set column 1
next
edit 61
set widget-type threat-history
set tab-id 6
set column 1
next
end
set email-to " "
config login-time
edit " jlibove"
set last-failed-login 2013-09-14 20:26:49
set last-login 2013-10-11 10:57:26
next
end
set password ENC
next
edit " dfranco"
set trusthost1 192.168.0.0 255.255.192.0
set accprofile " prof_admin"
set comments " Dani (HelpDesk)"
set vdom " root"
set password-expire 2014-09-05 16:26:22
config dashboard-tabs
edit 1
set name " Status"
next
edit 2
set columns 1
set name " Top Sources"
next
edit 3
set columns 1
set name " Top Destinations"
next
edit 4
set columns 1
set name " Top Applications"
next
edit 5
set columns 1
set name " Traffic History"
next
edit 6
set columns 1
set name " Threat History"
next
end
config dashboard
edit 1
set tab-id 1
set column 1
next
edit 2
set widget-type licinfo
set tab-id 1
set column 1
next
edit 3
set widget-type jsconsole
set tab-id 1
set column 1
next
edit 4
set widget-type sysres
set tab-id 1
set column 2
next
edit 5
set widget-type gui-features
set tab-id 1
set column 2
next
edit 6
set widget-type alert
set tab-id 1
set column 2
set top-n 10
next
edit 21
set widget-type sessions
set tab-id 2
set column 1
set top-n 25
set sort-by msg-counts
next
edit 31
set widget-type sessions
set tab-id 3
set column 1
set top-n 25
set sort-by msg-counts
set report-by destination
next
edit 41
set widget-type sessions
set tab-id 4
set column 1
set top-n 25
set sort-by msg-counts
set report-by application
next
edit 51
set widget-type sessions-bandwidth
set tab-id 5
set column 1
next
edit 61
set widget-type threat-history
set tab-id 6
set column 1
next
end
set email-to " dani"
config login-time
edit " dfranco"
set last-login 2013-10-04 18:04:43
next
end
set password ENC
next
edit " jruiz"
set trusthost1 192.168.0.0 255.255.192.0
set accprofile " prof_admin"
set comments " Javi (HelpDesk)"
set vdom " root"
set password-expire 2014-09-05 16:19:12
config dashboard-tabs
edit 1
set name " Status"
next
edit 2
set columns 1
set name " Top Sources"
next
edit 3
set columns 1
set name " Top Destinations"
next
edit 4
set columns 1
set name " Top Applications"
next
edit 5
set columns 1
set name " Traffic History"
next
edit 6
set columns 1
set name " Threat History"
next
end
config dashboard
edit 1
set tab-id 1
set column 1
next
edit 2
set widget-type licinfo
set tab-id 1
set column 1
next
edit 3
set widget-type jsconsole
set tab-id 1
set column 1
next
edit 4
set widget-type sysres
set tab-id 1
set column 2
next
edit 5
set widget-type gui-features
set tab-id 1
set column 2
next
edit 6
set widget-type alert
set tab-id 1
set column 2
set top-n 10
next
edit 21
set widget-type sessions
set tab-id 2
set column 1
set top-n 25
set sort-by msg-counts
next
edit 31
set widget-type sessions
set tab-id 3
set column 1
set top-n 25
set sort-by msg-counts
set report-by destination
next
edit 41
set widget-type sessions
set tab-id 4
set column 1
set top-n 25
set sort-by msg-counts
set report-by application
next
edit 51
set widget-type sessions-bandwidth
set tab-id 5
set column 1
next
edit 61
set widget-type threat-history
set tab-id 6
set column 1
next
end
set email-to " javier"
config login-time
edit " jruiz"
set last-login 2013-10-04 17:35:37
next
end
set password ENC
next
edit " fortisupport"
set trusthost1
set trusthost2
set accprofile " super-readonly"
set vdom " root"
set password-expire 2014-09-15 20:06:22
config dashboard-tabs
edit 1
set name " Status"
next
edit 2
set columns 1
set name " Top Sources"
next
edit 3
set columns 1
set name " Top Destinations"
next
edit 4
set columns 1
set name " Top Applications"
next
edit 5
set columns 1
set name " Traffic History"
next
edit 6
set columns 1
set name " Threat History"
next
end
config dashboard
edit 1
set tab-id 1
set column 1
next
edit 2
set widget-type licinfo
set tab-id 1
set column 1
next
edit 3
set widget-type jsconsole
set tab-id 1
set column 1
next
edit 4
set widget-type sysres
set tab-id 1
set column 2
next
edit 5
set widget-type gui-features
set tab-id 1
set column 2
next
edit 6
set widget-type alert
set tab-id 1
set column 2
set top-n 10
next
edit 21
set widget-type sessions
set tab-id 2
set column 1
set top-n 25
set sort-by msg-counts
next
edit 31
set widget-type sessions
set tab-id 3
set column 1
set top-n 25
set sort-by msg-counts
set report-by destination
next
edit 41
set widget-type sessions
set tab-id 4
set column 1
set top-n 25
set sort-by msg-counts
set report-by application
next
edit 51
set widget-type sessions-bandwidth
set tab-id 5
set column 1
next
edit 61
set widget-type threat-history
set tab-id 6
set column 1
next
end
config login-time
edit " fortisupport"
set last-login 2013-09-23 16:15:48
next
end
set password ENC
next
end
config system ha
set override disable
end
config system storage
edit " FLASH"
set media-type " scsi"
set partition " 47C5F8C40E34928E"
next
end
config system dns
set primary 192.168.1.1
set domain " mycompany.es"
end
config system replacemsg-image
edit " logo_fnet"
set image-base64 ' '
set image-type gif
next
edit " logo_fguard_wf"
set image-base64 ' '
set image-type gif
next
edit " logo_fw_auth"
set image-base64 ' '
set image-type png
next
edit " logo_v2_fnet"
set image-base64 ' '
set image-type png
next
edit " logo_v2_fguard_wf"
set image-base64 ' '
set image-type png
next
end
config system replacemsg mail " email-block"
end
config system replacemsg mail " email-dlp-subject"
end
config system replacemsg mail " email-dlp-ban"
end
config system replacemsg mail " email-filesize"
end
config system replacemsg mail " partial"
end
config system replacemsg mail " smtp-block"
end
config system replacemsg mail " smtp-filesize"
end
config system replacemsg http " bannedword"
end
config system replacemsg http " url-block"
set buffer " <!DOCTYPE html PUBLIC \" -//W3C//DTD HTML 4.01//EN\" >
<html>
<head>
<meta http-equiv=\" Content-Type\" content=\" text/html; charset=UTF-8\" >
<style type=\" text/css\" >
html,body{
height:100%;
padding:0;
margin:0;
}.oc{
display:table;
width:100%;
height:100%;
}.ic{
display:table-cell;
vertical-align:middle;
height:100%;
}div.msg{
display:block;
border:1px solid #30c;
padding:0;
width:500px;
font-family:helvetica,sans-serif;
margin:10px auto;
}h1{
font-weight:bold;
color:#fff;
font-size:14px;
margin:0;
padding:2px;
text-align:center;
background: #30c;
}p{
font-size:12px;
margin:15px auto;
width:75%;
font-family:helvetica,sans-serif;
text-align:left;
}
</style>
<title>
The URL you requested has been blocked
</title>
</head>
<body>
<div class=\" oc\" >
<div class=\" ic\" >
<div class=\" msg\" >
<h1>
The URL you requested has been blocked
</h1>
<p>
The page you have requested has been blocked, because the URL is banned.
<br />
<br />
URL = %%URL%%
<br />
CATEGORY = %%CATEGORY%%
<br />
%%OVERRIDE%%
</p>
</div>
</div>
</div>
</body>
</html>"
end
config system replacemsg http " urlfilter-err"
end
config system replacemsg http " infcache-block"
end
config system replacemsg http " http-block"
end
config system replacemsg http " http-filesize"
end
config system replacemsg http " http-dlp-ban"
end
config system replacemsg http " http-archive-block"
end
config system replacemsg http " http-contenttypeblock"
end
config system replacemsg http " https-invalid-cert-block"
end
config system replacemsg http " http-client-block"
end
config system replacemsg http " http-client-filesize"
end
config system replacemsg http " http-client-bannedword"
end
config system replacemsg http " http-post-block"
end
config system replacemsg http " http-client-archive-block"
end
config system replacemsg http " switching-protocols-block"
end
config system replacemsg webproxy " deny"
end
config system replacemsg webproxy " user-limit"
end
config system replacemsg webproxy " auth-challenge"
end
config system replacemsg webproxy " auth-login-fail"
end
config system replacemsg webproxy " auth-authorization-fail"
end
config system replacemsg webproxy " http-err"
end
config system replacemsg ftp " ftp-dl-blocked"
end
config system replacemsg ftp " ftp-dl-filesize"
end
config system replacemsg ftp " ftp-dl-dlp-ban"
end
config system replacemsg ftp " ftp-explicit-banner"
end
config system replacemsg ftp " ftp-dl-archive-block"
end
config system replacemsg nntp " nntp-dl-blocked"
end
config system replacemsg nntp " nntp-dl-filesize"
end
config system replacemsg nntp " nntp-dlp-subject"
end
config system replacemsg nntp " nntp-dlp-ban"
end
config system replacemsg fortiguard-wf " ftgd-block"
end
config system replacemsg fortiguard-wf " http-err"
end
config system replacemsg fortiguard-wf " ftgd-ovrd"
end
config system replacemsg fortiguard-wf " ftgd-quota"
end
config system replacemsg fortiguard-wf " ftgd-warning"
end
config system replacemsg spam " ipblocklist"
end
config system replacemsg spam " smtp-spam-dnsbl"
end
config system replacemsg spam " smtp-spam-feip"
end
config system replacemsg spam " smtp-spam-helo"
end
config system replacemsg spam " smtp-spam-emailblack"
end
config system replacemsg spam " smtp-spam-mimeheader"
end
config system replacemsg spam " reversedns"
end
config system replacemsg spam " smtp-spam-bannedword"
end
config system replacemsg spam " smtp-spam-ase"
end
config system replacemsg spam " submit"
end
config system replacemsg im " im-file-xfer-block"
end
config system replacemsg im " im-file-xfer-name"
end
config system replacemsg im " im-file-xfer-infected"
end
config system replacemsg im " im-file-xfer-size"
end
config system replacemsg im " im-dlp"
end
config system replacemsg im " im-dlp-ban"
end
config system replacemsg im " im-voice-chat-block"
end
config system replacemsg im " im-video-chat-block"
end
config system replacemsg im " im-photo-share-block"
end
config system replacemsg im " im-long-chat-block"
end
config system replacemsg alertmail " alertmail-virus"
end
config system replacemsg alertmail " alertmail-block"
end
config system replacemsg alertmail " alertmail-nids-event"
end
config system replacemsg alertmail " alertmail-crit-event"
end
config system replacemsg alertmail " alertmail-disk-full"
end
config system replacemsg admin " pre_admin-disclaimer-text"
end
config system replacemsg admin " post_admin-disclaimer-text"
end
config system replacemsg auth " auth-disclaimer-page-1"
end
config system replacemsg auth " auth-disclaimer-page-2"
end
config system replacemsg auth " auth-disclaimer-page-3"
end
config system replacemsg auth " auth-reject-page"
end
config system replacemsg auth " auth-login-page"
end
config system replacemsg auth " auth-login-failed-page"
end
config system replacemsg auth " auth-token-login-page"
end
config system replacemsg auth " auth-token-login-failed-page"
end
config system replacemsg auth " auth-success-msg"
end
config system replacemsg auth " auth-challenge-page"
end
config system replacemsg auth " auth-keepalive-page"
end
config system replacemsg auth " auth-portal-page"
end
config system replacemsg auth " auth-password-page"
end
config system replacemsg auth " auth-fortitoken-page"
end
config system replacemsg auth " auth-next-fortitoken-page"
end
config system replacemsg auth " auth-email-token-page"
end
config system replacemsg auth " auth-sms-token-page"
end
config system replacemsg auth " auth-email-harvesting-page"
end
config system replacemsg auth " auth-email-failed-page"
end
config system replacemsg auth " auth-cert-passwd-page"
end
config system replacemsg auth " auth-guest-print-page"
end
config system replacemsg auth " auth-guest-email-page"
end
config system replacemsg captive-portal-dflt " cpa-disclaimer-page-1"
end
config system replacemsg captive-portal-dflt " cpa-disclaimer-page-2"
end
config system replacemsg captive-portal-dflt " cpa-disclaimer-page-3"
end
config system replacemsg captive-portal-dflt " cpa-reject-page"
end
config system replacemsg captive-portal-dflt " cpa-login-page"
end
config system replacemsg captive-portal-dflt " cpa-login-failed-page"
end
config system replacemsg sslvpn " sslvpn-login"
end
config system replacemsg sslvpn " sslvpn-limit"
end
config system replacemsg ec " endpt-download-portal"
end
config system replacemsg ec " endpt-download-portal-mac"
end
config system replacemsg ec " endpt-download-portal-ios"
end
config system replacemsg ec " endpt-download-portal-aos"
end
config system replacemsg ec " endpt-download-portal-other"
end
config system replacemsg device-detection-portal " device-detection-failure"
end
config system replacemsg nac-quar " nac-quar-virus"
end
config system replacemsg nac-quar " nac-quar-dos"
end
config system replacemsg nac-quar " nac-quar-ips"
end
config system replacemsg nac-quar " nac-quar-dlp"
end
config system replacemsg traffic-quota " per-ip-shaper-block"
end
config system replacemsg utm " virus-html"
end
config system replacemsg utm " virus-text"
end
config system replacemsg utm " dlp-html"
end
config system replacemsg utm " dlp-text"
end
config vpn certificate ca
edit " CA_Cert_1"
set ca
" <h2 class=" fgd_icon" >blocked</h2>
</div>
<div class=" main" >
<h3>Endpoint Security Required</h3><div class=" notice" >The use of this security policy requires that the latest FortiClient Endpoint Security software and antivirus signature package are installed.<br></div><div><h4>Contact your network administrator for assistance.</h4></div> </div>
</div>
</body>
</html>
next
end
config vpn certificate local
edit " fortigate1"
set password ENC
set private-key "
" <h2 class=" fgd_icon" >blocked</h2>
</div>
<div class=" main" >
<h3>Endpoint Security Required</h3><div class=" notice" >The use of this security policy requires that the latest FortiClient Endpoint Security software and antivirus signature package are installed.<br></div><div><h4>Contact your network administrator for assistance.</h4></div> </div>
</div>
</body>
</html>
set certificate "
" the latest FortiClient Endpoint Security software and antivirus signature package are installed.<br></div><div><h4>Contact your network administrator for assistance.</h4></div> </div>
</div>
</body>
</html>
next
end
config user device-category
edit " ipad"
next
edit " iphone"
next
edit " gaming-console"
next
edit " blackberry-phone"
next
edit " blackberry-playbook"
next
edit " linux-pc"
next
edit " mac"
next
edit " windows-pc"
next
edit " android-phone"
next
edit " android-tablet"
next
edit " media-streaming"
next
edit " windows-phone"
next
edit " windows-tablet"
next
edit " fortinet-device"
next
edit " ip-phone"
next
edit " router-nat-device"
next
edit " other-network-device"
next
edit " collected-emails"
next
edit " all"
next
end
config antivirus service " http"
set scan-bzip2 disable
set uncompnestlimit 12
set uncompsizelimit 10
end
config antivirus service " https"
set scan-bzip2 disable
set uncompnestlimit 12
set uncompsizelimit 10
end
config antivirus service " ftp"
set scan-bzip2 disable
set uncompnestlimit 12
set uncompsizelimit 10
end
config antivirus service " ftps"
set scan-bzip2 disable
set uncompnestlimit 12
set uncompsizelimit 10
end
config antivirus service " pop3"
set scan-bzip2 disable
set uncompnestlimit 12
set uncompsizelimit 10
end
config antivirus service " pop3s"
set scan-bzip2 disable
set uncompnestlimit 12
set uncompsizelimit 10
end
config antivirus service " imap"
set scan-bzip2 disable
set uncompnestlimit 12
set uncompsizelimit 10
end
config antivirus service " imaps"
set scan-bzip2 disable
set uncompnestlimit 12
set uncompsizelimit 10
end
config antivirus service " smtp"
set scan-bzip2 disable
set uncompnestlimit 12
set uncompsizelimit 10
end
config antivirus service " smtps"
set scan-bzip2 disable
set uncompnestlimit 12
set uncompsizelimit 10
end
config antivirus service " nntp"
set scan-bzip2 disable
set uncompnestlimit 12
set uncompsizelimit 10
end
config antivirus service " im"
set scan-bzip2 disable
set uncompnestlimit 12
set uncompsizelimit 10
end
config wanopt storage
edit " FLASH"
set size 8708
next
end
config system session-sync
end
config system fortiguard
end
config ips global
set default-app-cat-mask 18446744073474670591
end
config ips dbinfo
set version 1
end
config log syslogd setting
set status enable
set server " 192.168.1.200"
set source-ip 192.168.1.4
end
config system email-server
set reply-to " "
set server " aspmx.l.google.com"
set security starttls
end
config gui console
unset preferences
end
config system session-helper
edit 1
set name pptp
set port 1723
set protocol 6
next
edit 2
set name h323
set port 1720
set protocol 6
next
edit 3
set name ras
set port 1719
set protocol 17
next
edit 4
set name tns
set port 1521
set protocol 6
next
edit 5
set name tftp
set port 69
set protocol 17
next
edit 6
set name rtsp
set port 554
set protocol 6
next
edit 7
set name rtsp
set port 7070
set protocol 6
next
edit 8
set name rtsp
set port 8554
set protocol 6
next
edit 9
set name ftp
set port 21
set protocol 6
next
edit 10
set name mms
set port 1863
set protocol 6
next
edit 11
set name pmap
set port 111
set protocol 6
next
edit 12
set name pmap
set port 111
set protocol 17
next
edit 13
set name sip
set port 5060
set protocol 17
next
edit 14
set name dns-udp
set port 53
set protocol 17
next
edit 15
set name rsh
set port 514
set protocol 6
next
edit 16
set name rsh
set port 512
set protocol 6
next
edit 17
set name dcerpc
set port 135
set protocol 6
next
edit 18
set name dcerpc
set port 135
set protocol 17
next
edit 19
set name mgcp
set port 2427
set protocol 17
next
edit 20
set name mgcp
set port 2727
set protocol 17
next
end
config system auto-install
set auto-install-config enable
set auto-install-image enable
end
config system ntp
config ntpserver
edit 1
set server " ntp1.fortinet.net"
next
edit 2
set server " ntp2.fortinet.net"
next
end
set ntpsync enable
set syncinterval 60
set type custom
end
config system settings
set sip-tcp-port 5060
set sip-udp-port 5060
end
config system replacemsg-group
edit " web-filter-default"
set comment " System Generated"
set group-type utm
config custom-message
edit " 26"
set buffer " This website is blocked by the FortiGate URL Filter.
<br>
If you have a valid business need to access this site, please contact with all of the details in this message.
<br>
<br>
Filtering service %%SERVICE%%
<br>
Website IP %%DEST_IP%%
<br>
URL %%URL%%
<br>
Website Category %%CATEGORY%%
<br>
<br>
%%OVERRIDE%%
"
set header http
set format html
next
end
next
end
config system dhcp server
edit 1
set default-gateway 192.168.32.1
set interface " internal2"
config ip-range
edit 1
set end-ip 192.168.32.254
set start-ip 192.168.32.2
next
end
set netmask 255.255.240.0
set dns-server1 192.168.1.1
next
end
config firewall address
edit " all"
next
edit " SSLVPN_TUNNEL_ADDR1"
set comment " SSLVPN clients IP addresses range"
set type iprange
set end-ip 192.168.8.94
set start-ip 192.168.8.65
next
edit " IPsecVPN_usersIPs_range"
set comment " IPsec VPN users IPs range Aggressive mode NOT iOS clients"
set type iprange
set end-ip 192.168.8.126
set start-ip 192.168.8.97
next
edit " SP internal wired LAN1"
set subnet 192.168.0.0 255.255.248.0
next
edit " iOSIPsec_users_range"
set comment " IPsec IPs for iOS Main mode only"
set type iprange
set end-ip 192.168.8.158
set start-ip 192.168.8.129
next
edit " SP internal WiFi LAN SP_OFFICE"
set subnet 192.168.12.0 255.255.252.0
next
edit " ONO IP address x.x.x.x/32"
set comment " ONO IP address x.x.x.x/32"
set type iprange
set end-ip x.x.x.x
set start-ip x.x.x.x
next
edit " Hacker1-212.67.x.x"
set comment " Repeated SSL VPN unauthorized login attempts"
set subnet 212.67.0.0 255.255.0.0
next
edit " 192.168.255.255"
set comment " 192.168.0.0/16 broadcast"
set type iprange
set end-ip 192.168.255.255
set start-ip 192.168.255.255
next
edit " 192.168.7.255"
set comment " 192.168.0.0/21 broadcast"
set type iprange
set end-ip 192.168.7.255
set start-ip 192.168.7.255
next
edit " SP internal WiFi LAN SP_GUEST"
set associated-interface " internal"
set subnet 192.168.16.0 255.255.255.0
next
edit " SP internal wired LAN2"
set associated-interface " internal2"
set subnet 192.168.32.0 255.255.240.0
next
edit " SP internal WiFi Mgmt subnet"
set associated-interface " internal"
set subnet 192.168.17.0 255.255.255.0
next
edit " 192.168.32.3"
set associated-interface " internal2"
set comment " Jay Android tablet 20131002"
set type iprange
set end-ip 192.168.32.3
set start-ip 192.168.32.3
next
end
config firewall multicast-address
edit " all"
set end-ip 239.255.255.255
set start-ip 224.0.0.0
next
end
config firewall address6
edit " all"
next
edit " SSLVPN_TUNNEL_IPv6_ADDR1"
set ip6 fdff:ffff::1/120
next
end
config firewall service category
edit " General"
set comment " general services"
next
edit " Web Access"
set comment " web access"
next
edit " File Access"
set comment " file access"
next
edit " Email"
set comment " email services"
next
edit " Network Services"
set comment " network services"
next
edit " Authentication"
set comment " authentication service"
next
edit " Remote Access"
set comment " remote access"
next
edit " Tunneling"
set comment " tunneling service"
next
edit " VoIP, Messaging & Other Applications"
set comment " VoIP, messaging, and other applications"
next
edit " Web Proxy"
set comment " Explicit web proxy"
next
end
config firewall service custom
edit " ALL"
set category " General"
set protocol IP
next
edit " ALL_TCP"
set category " General"
set tcp-portrange 1-65535
next
edit " ALL_UDP"
set category " General"
set udp-portrange 1-65535
next
edit " ALL_ICMP"
set category " General"
set protocol ICMP
unset icmptype
next
edit " ALL_ICMP6"
set category " General"
set protocol ICMP6
unset icmptype
next
edit " GRE"
set category " Tunneling"
set protocol IP
set protocol-number 47
next
edit " AH"
set category " Tunneling"
set protocol IP
set protocol-number 51
next
edit " ESP"
set category " Tunneling"
set protocol IP
set protocol-number 50
next
edit " AOL"
set visibility disable
set tcp-portrange 5190-5194
next
edit " BGP"
set category " Network Services"
set tcp-portrange 179
next
edit " DHCP"
set category " Network Services"
set udp-portrange 67-68
next
edit " DNS"
set category " Network Services"
set tcp-portrange 53
set udp-portrange 53
next
edit " FINGER"
set visibility disable
set tcp-portrange 79
next
edit " FTP"
set category " File Access"
set tcp-portrange 21
next
edit " FTP_GET"
set category " File Access"
set tcp-portrange 21
next
edit " FTP_PUT"
set category " File Access"
set tcp-portrange 21
next
edit " GOPHER"
set visibility disable
set tcp-portrange 70
next
edit " H323"
set category " VoIP, Messaging & Other Applications"
set tcp-portrange 1720 1503
set udp-portrange 1719
next
edit " HTTP"
set category " Web Access"
set tcp-portrange 80
next
edit " HTTPS"
set category " Web Access"
set tcp-portrange 443
next
edit " IKE"
set category " Tunneling"
set udp-portrange 500 4500
next
edit " IMAP"
set category " Email"
set tcp-portrange 143
next
edit " IMAPS"
set category " Email"
set tcp-portrange 993
next
edit " Internet-Locator-Service"
set visibility disable
set tcp-portrange 389
next
edit " IRC"
set category " VoIP, Messaging & Other Applications"
set tcp-portrange 6660-6669
next
edit " L2TP"
set category " Tunneling"
set tcp-portrange 1701
set udp-portrange 1701
next
edit " LDAP"
set category " Authentication"
set tcp-portrange 389
next
edit " NetMeeting"
set visibility disable
set tcp-portrange 1720
next
edit " NFS"
set category " File Access"
set tcp-portrange 111 2049
set udp-portrange 111 2049
next
edit " NNTP"
set visibility disable
set tcp-portrange 119
next
edit " NTP"
set category " Network Services"
set tcp-portrange 123
set udp-portrange 123
next
edit " OSPF"
set category " Network Services"
set protocol IP
set protocol-number 89
next
edit " PC-Anywhere"
set category " Remote Access"
set tcp-portrange 5631
set udp-portrange 5632
next
edit " PING"
set category " Network Services"
set protocol ICMP
set icmptype 8
unset icmpcode
next
edit " TIMESTAMP"
set protocol ICMP
set visibility disable
set icmptype 13
unset icmpcode
next
edit " INFO_REQUEST"
set protocol ICMP
set visibility disable
set icmptype 15
unset icmpcode
next
edit " INFO_ADDRESS"
set protocol ICMP
set visibility disable
set icmptype 17
unset icmpcode
next
edit " ONC-RPC"
set category " Remote Access"
set tcp-portrange 111
set udp-portrange 111
next
edit " DCE-RPC"
set category " Remote Access"
set tcp-portrange 135
set udp-portrange 135
next
edit " POP3"
set category " Email"
set tcp-portrange 110
next
edit " POP3S"
set category " Email"
set tcp-portrange 995
next
edit " PPTP"
set category " Tunneling"
set tcp-portrange 1723
next
edit " QUAKE"
set visibility disable
set udp-portrange 26000 27000 27910 27960
next
edit " RAUDIO"
set visibility disable
set udp-portrange 7070
next
edit " REXEC"
set visibility disable
set tcp-portrange 512
next
edit " RIP"
set category " Network Services"
set udp-portrange 520
next
edit " RLOGIN"
set visibility disable
set tcp-portrange 513:512-1023
next
edit " RSH"
set visibility disable
set tcp-portrange 514:512-1023
next
edit " SCCP"
set category " VoIP, Messaging & Other Applications"
set tcp-portrange 2000
next
edit " SIP"
set category " VoIP, Messaging & Other Applications"
set udp-portrange 5060
next
edit " SIP-MSNmessenger"
set category " VoIP, Messaging & Other Applications"
set tcp-portrange 1863
next
edit " SAMBA"
set category " File Access"
set tcp-portrange 139
next
edit " SMTP"
set category " Email"
set tcp-portrange 25
next
edit " SMTPS"
set category " Email"
set tcp-portrange 465
next
edit " SNMP"
set category " Network Services"
set tcp-portrange 161-162
set udp-portrange 161-162
next
edit " SSH"
set category " Remote Access"
set tcp-portrange 22
next
edit " SYSLOG"
set category " Network Services"
set udp-portrange 514
next
edit " TALK"
set visibility disable
set udp-portrange 517-518
next
edit " TELNET"
set category " Remote Access"
set tcp-portrange 23
next
edit " TFTP"
set category " File Access"
set udp-portrange 69
next
edit " MGCP"
set visibility disable
set udp-portrange 2427 2727
next
edit " UUCP"
set visibility disable
set tcp-portrange 540
next
edit " VDOLIVE"
set visibility disable
set tcp-portrange 7000-7010
next
edit " WAIS"
set visibility disable
set tcp-portrange 210
next
edit " WINFRAME"
set visibility disable
set tcp-portrange 1494 2598
next
edit " X-WINDOWS"
set category " Remote Access"
set tcp-portrange 6000-6063
next
edit " PING6"
set protocol ICMP6
set visibility disable
set icmptype 128
unset icmpcode
next
edit " MS-SQL"
set category " VoIP, Messaging & Other Applications"
set tcp-portrange 1433 1434
next
edit " MYSQL"
set category " VoIP, Messaging & Other Applications"
set tcp-portrange 3306
next
edit " RDP"
set category " Remote Access"
set tcp-portrange 3389
next
edit " VNC"
set category " Remote Access"
set tcp-portrange 5900
next
edit " DHCP6"
set category " Network Services"
set udp-portrange 546 547
next
edit " SQUID"
set category " Tunneling"
set tcp-portrange 3128
next
edit " SOCKS"
set category " Tunneling"
set tcp-portrange 1080
set udp-portrange 1080
next
edit " WINS"
set category " Remote Access"
set tcp-portrange 1512
set udp-portrange 1512
next
edit " RADIUS"
set category " Authentication"
set udp-portrange 1812 1813
next
edit " RADIUS-OLD"
set visibility disable
set udp-portrange 1645 1646
next
edit " CVSPSERVER"
set visibility disable
set tcp-portrange 2401
set udp-portrange 2401
next
edit " AFS3"
set category " File Access"
set tcp-portrange 7000-7009
set udp-portrange 7000-7009
next
edit " TRACEROUTE"
set category " Network Services"
set udp-portrange 33434-33535
next
edit " RTSP"
set category " VoIP, Messaging & Other Applications"
set tcp-portrange 554 7070 8554
set udp-portrange 554
next
edit " MMS"
set visibility disable
set tcp-portrange 1755
set udp-portrange 1024-5000
next
edit " KERBEROS"
set category " Authentication"
set tcp-portrange 88
set udp-portrange 88
next
edit " LDAP_UDP"
set category " Authentication"
set udp-portrange 389
next
edit " SMB"
set category " File Access"
set tcp-portrange 445
next
edit " ALL_CUSTOM"
set category " General"
set protocol IP
next
edit " webproxy"
set explicit-proxy enable
set category " Web Proxy"
set protocol ALL
set tcp-portrange 0-65535:0-65535
next
end
config firewall service group
edit " Email Access"
set member " DNS" " IMAP" " IMAPS" " POP3" " POP3S" " SMTP" " SMTPS"
next
edit " Web Access"
set member " DNS" " HTTP" " HTTPS"
next
edit " Windows AD"
set member " DCE-RPC" " DNS" " KERBEROS" " LDAP" " LDAP_UDP" " SAMBA" " SMB"
next
edit " Exchange Server"
set member " DCE-RPC" " DNS" " HTTPS"
next
edit " Exchange Server OWA"
set member " DNS" " HTTPS"
next
edit " Outlook"
set member " DCE-RPC" " DNS" " IMAP" " IMAPS" " POP3" " POP3S" " SMTP" " SMTPS" " HTTPS"
next
end
config webfilter ftgd-local-cat
edit " custom1"
set id 140
next
edit " custom2"
set id 141
next
end
config ips sensor
edit " default"
set comment " prevent critical attacks"
config entries
edit 1
set severity high critical
next
end
next
edit " all_default"
set comment " all predefined signatures with default setting"
config entries
edit 1
next
end
next
edit " all_default_pass"
set comment " all predefined signatures with PASS action"
config entries
edit 1
set action pass
next
end
next
edit " protect_http_server"
set comment " protect against HTTP server-side vulnerabilities"
config entries
edit 1
set location server
set protocol HTTP
next
end
next
edit " protect_email_server"
set comment " protect against EMail server-side vulnerabilities"
config entries
edit 1
set location server
set protocol SMTP POP3 IMAP
next
end
next
edit " protect_client"
set comment " protect against client-side vulnerabilities"
config entries
edit 1
set location client
next
end
next
end
config firewall shaper traffic-shaper
edit " high-priority"
set maximum-bandwidth 1048576
set per-policy enable
next
edit " medium-priority"
set maximum-bandwidth 1048576
set per-policy enable
set priority medium
next
edit " low-priority"
set maximum-bandwidth 1048576
set per-policy enable
set priority low
next
edit " guarantee-100kbps"
set guaranteed-bandwidth 100
set maximum-bandwidth 1048576
set per-policy enable
next
edit " shared-1M-pipe"
set maximum-bandwidth 1024
next
end
config application list
edit " default"
set comment " monitor all applications"
config entries
edit 1
set action pass
next
end
next
edit " block-p2p"
config entries
edit 1
set category 2
next
end
next
edit " monitor-p2p-and-media"
config entries
edit 1
set action pass
set category 2
next
edit 2
set action pass
set category 5
next
end
next
end
config dlp filepattern
edit 1
config entries
edit " *.bat"
next
edit " *.com"
next
edit " *.dll"
next
edit " *.doc"
next
edit " *.exe"
next
edit " *.gz"
next
edit " *.hta"
next
edit " *.ppt"
next
edit " *.rar"
next
edit " *.scr"
next
edit " *.tar"
next
edit " *.tgz"
next
edit " *.vb?"
next
edit " *.wps"
next
edit " *.xl?"
next
edit " *.zip"
next
edit " *.pif"
next
edit " *.cpl"
next
end
set name " builtin-patterns"
next
edit 2
config entries
edit " bat"
set filter-type type
set file-type bat
next
edit " exe"
set filter-type type
set file-type exe
next
edit " elf"
set filter-type type
set file-type elf
next
edit " hta"
set filter-type type
set file-type hta
next
end
set name " all_executables"
next
end
config dlp fp-sensitivity
edit " Private"
next
edit " Critical"
next
edit " Warning"
next
end
config dlp sensor
edit " default"
set comment " summary archive email and web traffics"
set extended-utm-log enable
next
edit " Content_Summary"
set extended-utm-log enable
next
edit " Content_Archive"
set extended-utm-log enable
next
edit " Large-File"
set extended-utm-log enable
next
edit " Credit-Card"
set extended-utm-log enable
next
edit " SSN-Sensor"
set extended-utm-log enable
next
end
config webfilter content
end
config webfilter urlfilter
edit 1
config entries
edit " www.meneame.net"
set action allow
next
end
set name " default"
next
end
config spamfilter bword
end
config spamfilter bwl
end
config spamfilter mheader
end
config spamfilter dnsbl
end
config spamfilter iptrust
end
config client-reputation profile
end
config netscan assets
edit 1
set addr-type range
set name " internal2_LAN"
set start-ip 192.168.32.1
set end-ip 192.168.63.254
next
edit 2
set name " 192.168.32.4"
set start-ip 192.168.32.4
next
end
config icap profile
edit " default"
next
end
config vpn ssl settings
set dns-server1 192.168.32.1
set servercert " fortigate1"
set algorithm high
set idle-timeout 1800
set tunnel-ip-pools " SSLVPN_TUNNEL_ADDR1"
set port 8443
end
config vpn ssl web host-check-software
edit " FortiClient-AV"
set guid " C86EC76D-5A4C-40E7-BD94-59358E544D81"
next
edit " FortiClient-FW"
set guid " 528CB157-D384-4593-AAAA-E42DFF111CED"
set type fw
next
edit " FortiClient-AV-Vista-Win7"
set guid " 385618A6-2256-708E-3FB9-7E98B93F91F9"
next
edit " FortiClient-FW-Vista-Win7"
set guid " 006D9983-6839-71D6-14E6-D7AD47ECD682"
set type fw
next
edit " AVG-Internet-Security-AV"
set guid " 17DDD097-36FF-435F-9E1B-52D74245D6BF"
next
edit " AVG-Internet-Security-AV-Vista-Win7"
set guid " 0C939084-9E57-CBDB-EA61-0B0C7F62AF82"
next
edit " CA-Anti-Virus"
set guid " 17CFD1EA-56CF-40B5-A06B-BD3A27397C93"
next
edit " CA-Internet-Security-AV"
set guid " 6B98D35F-BB76-41C0-876B-A50645ED099A"
next
edit " CA-Internet-Security-AV-Vista-Win7"
set guid " 3EED0195-0A4B-4EF3-CC4F-4F401BDC245F"
next
edit " F-Secure-Internet-Security-AV"
set guid " E7512ED5-4245-4B4D-AF3A-382D3F313F15"
next
edit " F-Secure-Internet-Security-AV-Vista-Win7"
set guid " 15414183-282E-D62C-CA37-EF24860A2F17"
next
edit " Kaspersky-AV"
set guid " 2C4D4BC6-0793-4956-A9F9-E252435469C0"
next
edit " Kaspersky-AV-Vista-Win7"
set guid " AE1D740B-8F0F-D137-211D-873D44B3F4AE"
next
edit " McAfee-Internet-Security-Suite-AV"
set guid " 84B5EE75-6421-4CDE-A33A-DD43BA9FAD83"
next
edit " McAfee-Internet-Security-Suite-AV-Vista-Win7"
set guid " 86355677-4064-3EA7-ABB3-1B136EB04637"
next
edit " McAfee-Virus-Scan-Enterprise"
set guid " 918A2B0B-2C60-4016-A4AB-E868DEABF7F0"
next
edit " Norton-360-2.0-AV"
set guid " A5F1BC7C-EA33-4247-961C-0217208396C4"
next
edit " Norton-360-3.0-AV"
set guid " E10A9785-9598-4754-B552-92431C1C35F8"
next
edit " Norton-Internet-Security-AV"
set guid " E10A9785-9598-4754-B552-92431C1C35F8"
next
edit " Norton-Internet-Security-AV-Vista-Win7"
set guid " 88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855"
next
edit " Symantec-Endpoint-Protection-AV"
set guid " FB06448E-52B8-493A-90F3-E43226D3305C"
next
edit " Symantec-Endpoint-Protection-AV-Vista-Win7"
set guid " 88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855"
next
edit " Panda-Antivirus+Firewall-2008-AV"
set guid " EEE2D94A-D4C1-421A-AB2C-2CE8FE51747A"
next
edit " Panda-Internet-Security-AV"
set guid " 4570FB70-5C9E-47E9-B16C-A3A6A06C4BF0"
next
edit " Sophos-Anti-Virus"
set guid " 3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD"
next
edit " Sophos-Enpoint-Secuirty-and-Control-AV-Vista-Win7"
set guid " 479CCF92-4960-B3E0-7373-BF453B467D2C"
next
edit " Trend-Micro-AV"
set guid " 7D2296BC-32CC-4519-917E-52E652474AF5"
next
edit " Trend-Micro-AV-Vista-Win7"
set guid " 48929DFC-7A52-A34F-8351-C4DBEDBD9C50"
next
edit " ZoneAlarm-AV"
set guid " 5D467B10-818C-4CAB-9FF7-6893B5B8F3CF"
next
edit " ZoneAlarm-AV-Vista-Win7"
set guid " D61596DF-D219-341C-49B3-AD30538CBC5B"
next
edit " AVG-Internet-Security-FW"
set guid " 8DECF618-9569-4340-B34A-D78D28969B66"
set type fw
next
edit " AVG-Internet-Security-FW-Vista-Win7"
set guid " 34A811A1-D438-CA83-C13E-A23981B1E8F9"
set type fw
next
edit " CA-Internet-Security-FW"
set guid " 38102F93-1B6E-4922-90E1-A35D8DC6DAA3"
set type fw
next
edit " CA-Internet-Security-FW-Vista-Win7"
set guid " 06D680B0-4024-4FAB-E710-E675E50F6324"
set type fw
next
edit " CA-Personal-Firewall"
set guid " 14CB4B80-8E52-45EA-905E-67C1267B4160"
set type fw
next
edit " F-Secure-Internet-Security-FW"
set guid " D4747503-0346-49EB-9262-997542F79BF4"
set type fw
next
edit " F-Secure-Internet-Security-FW-Vista-Win7"
set guid " 2D7AC0A6-6241-D774-E168-461178D9686C"
set type fw
next
edit " Kaspersky-FW"
set guid " 2C4D4BC6-0793-4956-A9F9-E252435469C0"
set type fw
next
edit " Kaspersky-FW-Vista-Win7"
set guid " 9626F52E-C560-D06F-0A42-2E08BA60B3D5"
set type fw
next
edit " McAfee-Internet-Security-Suite-FW"
set guid " 94894B63-8C7F-4050-BDA4-813CA00DA3E8"
set type fw
next
edit " McAfee-Internet-Security-Suite-FW-Vista-Win7"
set guid " BE0ED752-0A0B-3FFF-80EC-B2269063014C"
set type fw
next
edit " Norton-360-2.0-FW"
set guid " 371C0A40-5A0C-4AD2-A6E5-69C02037FBF3"
set type fw
next
edit " Norton-360-3.0-FW"
set guid " 7C21A4C9-F61F-4AC4-B722-A6E19C16F220"
set type fw
next
edit " Norton-Internet-Security-FW"
set guid " 7C21A4C9-F61F-4AC4-B722-A6E19C16F220"
set type fw
next
edit " Norton-Internet-Security-FW-Vista-Win7"
set guid " B0F2DB13-C654-2E74-30D4-99C9310F0F2E"
set type fw
next
edit " Symantec-Endpoint-Protection-FW"
set guid " BE898FE3-CD0B-4014-85A9-03DB9923DDB6"
set type fw
next
edit " Symantec-Endpoint-Protection-FW-Vista-Win7"
set guid " B0F2DB13-C654-2E74-30D4-99C9310F0F2E"
set type fw
next
edit " Panda-Antivirus+Firewall-2008-FW"
set guid " 7B090DC0-8905-4BAF-8040-FD98A41C8FB8"
set type fw
next
edit " Panda-Internet-Security-2006~2007-FW"
set guid " 4570FB70-5C9E-47E9-B16C-A3A6A06C4BF0"
set type fw
next
edit " Panda-Internet-Security-2008~2009-FW"
set guid " 7B090DC0-8905-4BAF-8040-FD98A41C8FB8"
set type fw
next
edit " Sophos-Enpoint-Secuirty-and-Control-FW"
set guid " 0786E95E-326A-4524-9691-41EF88FB52EA"
set type fw
next
edit " Sophos-Enpoint-Secuirty-and-Control-FW-Vista-Win7"
set guid " 7FA74EB7-030F-B2B8-582C-1670C5953A57"
set type fw
next
edit " Trend-Micro-FW"
set guid " 3E790E9E-6A5D-4303-A7F9-185EC20F3EB6"
set type fw
next
edit " Trend-Micro-FW-Vista-Win7"
set guid " 70A91CD9-303D-A217-A80E-6DEE136EDB2B"
set type fw
next
edit " ZoneAlarm-FW"
set guid " 829BDA32-94B3-44F4-8446-F8FCFF809F8B"
set type fw
next
edit " ZoneAlarm-FW-Vista-Win7"
set guid " EE2E17FA-9876-3544-62EC-0405AD5FFB20"
set type fw
next
end
config vpn ssl web portal
edit " full-access"
set allow-access web ftp smb telnet ssh vnc rdp citrix rdpnative portforward
set heading " SP FG SSLVPN Full Access"
set page-layout double-column
config widget
edit 1
set name " Tunnel Mode"
set type tunnel
set column two
set ipv6-split-tunneling disable
set ip-pools " SSLVPN_TUNNEL_ADDR1"
set ipv6-pools " SSLVPN_TUNNEL_IPv6_ADDR1"
set save-password enable
next
edit 2
set name " Bookmark_Category1"
set allow-apps web ftp smb telnet ssh vnc rdp citrix rdpnative portforward
config bookmarks
edit " bookmark1"
set description " Cisco SG500-52 no. 1 planta 11"
set url " https://192.168.1.217"
next
edit " Cisco SG500-52num1"
set description " Cisco SG500-52 num 1"
set url " https://cisco_sg500-52-1.mycompany.es"
next
end
next
edit 3
set name " Connection Tool"
set type tool
set column two
set allow-apps web ftp smb telnet ssh vnc rdp citrix rdpnative portforward
next
edit 4
set name " Session Information"
set type info
next
edit 5
set name " FortiClient Download"
set type forticlient-download
set column two
next
end
next
edit " web-access"
set allow-access web ftp smb telnet ssh vnc rdp citrix rdpnative portforward
set theme orange
set heading " SP FG SSLVPN Web Access"
config widget
edit 1
set name " BookmarkCategory1Test"
set allow-apps web ftp smb telnet ssh vnc rdp citrix rdpnative portforward
config bookmarks
edit " Bookmark1Test"
set description " Cisco SG500-52no.1"
set url " https://cisco_sg500-52-1.mycompany.es"
next
end
next
edit 3
set name " FortiClient Download"
set type forticlient-download
next
edit 4
set name " Session Information"
set type info
next
edit 5
set name " Connection Tool"
set type tool
set allow-apps web ftp smb telnet ssh vnc rdp citrix rdpnative portforward
next
end
next
edit " tunnel-access"
set heading " SP FG SSLVPN Tunnel Access"
config widget
edit 1
set name " Tunnel Mode"
set type tunnel
set ipv6-split-tunneling disable
set ip-pools " SSLVPN_TUNNEL_ADDR1"
set ipv6-pools " SSLVPN_TUNNEL_IPv6_ADDR1"
set save-password enable
set keep-alive enable
next
end
next
end
config user fortitoken
edit " FTKMOB386DC3A717"
set license " FTMTRIAL00053118"
next
edit " FTKMOB38A585C0D5"
set license " FTMTRIAL00053118"
next
end
config user local
edit " guest"
set type password
set passwd-time 2013-08-22 12:26:47
set passwd ENC
next
edit " jlibove"
set type password
set email-to " "
set passwd-time 2013-09-12 17:25:27
set passwd ENC
next
edit " iOSTest"
set type password
set email-to " "
set passwd-time 2013-09-09 11:11:08
set passwd ENC
next
edit " svelez"
set type password
set email-to " "
set passwd-time 2013-08-13 11:30:42
set passwd ENC
next
edit " ganguera"
set type password
set email-to " "
set passwd-time 2013-09-26 17:45:29
set passwd ENC
next
edit " rvalles"
set type password
set email-to " "
set passwd-time 2013-08-21 18:21:21
set passwd ENC
next
edit " bjuncosa"
set type password
set email-to " "
set passwd-time 2013-08-28 11:00:35
set passwd ENC
next
edit " jgarcia"
set type password
set email-to " "
set passwd-time 2013-08-30 17:45:38
set passwd ENC
next
edit " dfranco"
set type password
set email-to " "
set passwd-time 2013-09-04 16:40:10
set passwd ENC
next
edit " rgomez"
set type password
set email-to " "
set passwd-time 2013-09-06 16:59:34
set passwd ENC
next
edit " mcanaleta"
set type password
set email-to " "
set passwd-time 2013-09-06 17:13:47
set passwd ENC
next
edit " jruiz"
set type password
set email-to " "
set passwd-time 2013-09-06 17:22:41
set passwd ENC
next
edit " adiaz"
set type password
set email-to " "
set passwd-time 2013-10-04 10:05:41
set passwd ENC
next
edit " jexposito"
set type password
set email-to " "
set passwd-time 2013-10-04 18:16:23
set passwd ENC
next
end
config user group
edit " FSSO_Guest_Users"
set group-type fsso-service
next
edit " Guest-group"
set member " guest"
next
edit " sslvpntunnel"
next
edit " ipsecvpn"
set member " jlibove" " bjuncosa" " mcanaleta" " jruiz"
next
edit " sslvpnportal"
next
edit " ipseciOS"
set member " iOSTest" " svelez" " jlibove" " ganguera" " jgarcia" " dfranco" " rgomez" " mcanaleta" " jruiz"
next
edit " sslvpntunnelandportal"
set member " ganguera" " rvalles" " bjuncosa" " jlibove" " mcanaleta" " jruiz" " jexposito"
next
edit " WebFilterOverriders"
set member " bjuncosa" " dfranco" " ganguera" " jlibove" " jruiz" " mcanaleta" " adiaz"
next
end
config user device
edit " SP-JLibove"
set mac 30:f9:ed:f3:xx:xx
set type windows-pc
next
edit " Guillem MacOSX notebook"
set mac 40:6c:8f:2c:xx:xx
set type mac
next
edit " Jay Android Tablet"
set mac 14:89:fd:c7:xx:xx
set type android-tablet
next
edit " QA trasto Alberto"
set mac 00:53:45:00:00:00
set type windows-pc
next
end
config user device-group
edit " Windows-FortiAV"
set comment " Windows clients needing an AV of last resort"
set member " QA trasto Alberto "
next
end
config voip profile
edit " default"
set comment " default VoIP profile"
set extended-utm-log enable
config sip
set log-violations enable
end
config sccp
set log-call-summary enable
set log-violations enable
end
next
edit " strict"
set extended-utm-log enable
config sip
set malformed-request-line discard
set malformed-header-via discard
set malformed-header-from discard
set malformed-header-to discard
set malformed-header-call-id discard
set malformed-header-cseq discard
set malformed-header-rack discard
set malformed-header-rseq discard
set malformed-header-contact discard
set malformed-header-record-route discard
set malformed-header-route discard
set malformed-header-expires discard
set malformed-header-content-type discard
set malformed-header-content-length discard
set malformed-header-max-forwards discard
set malformed-header-allow discard
set malformed-header-p-asserted-identity discard
set malformed-header-sdp-v discard
set malformed-header-sdp-o discard
set malformed-header-sdp-s discard
set malformed-header-sdp-i discard
set malformed-header-sdp-c discard
set malformed-header-sdp-b discard
set malformed-header-sdp-z discard
set malformed-header-sdp-k discard
set malformed-header-sdp-a discard
set malformed-header-sdp-t discard
set malformed-header-sdp-r discard
set malformed-header-sdp-m discard
end
next
end
config webfilter profile
edit " default"
set comment " default web filtering"
set replacemsg-group " web-filter-default"
set ovrd-perm bannedword-override urlfilter-override fortiguard-wf-override contenttype-check-override
set post-action comfort
config override
set ovrd-user-group " "
end
config web
set urlfilter-table 1
end
config ftgd-wf
set options error-allow
set category-override 140 141
config filters
edit 19
set action authenticate
set auth-usr-grp " WebFilterOverriders"
set category 4
next
edit 18
set action authenticate
set auth-usr-grp " WebFilterOverriders"
set category 26
set override-replacemsg " 26"
next
edit 20
set action authenticate
set auth-usr-grp " WebFilterOverriders"
set category 61
set override-replacemsg " 26"
next
edit 21
set action authenticate
set auth-usr-grp " WebFilterOverriders"
set category 86
set override-replacemsg " 26"
next
end
end
set extended-utm-log disable
next
edit " web-filter-flow"
set comment " flow-based web filter profile"
set inspection-mode flow-based
set post-action comfort
config ftgd-wf
config filters
edit 1
set action warning
set category 2
next
edit 2
set action warning
set category 7
next
edit 3
set action warning
set category 8
next
edit 4
set action warning
set category 9
next
edit 5
set action warning
set category 11
next
edit 6
set action warning
set category 12
next
edit 7
set action warning
set category 13
next
edit 8
set action warning
set category 14
next
edit 9
set action warning
set category 15
next
edit 10
set action warning
set category 16
next
edit 11
set action warning
next
edit 12
set action warning
set category 57
next
edit 13
set action warning
set category 63
next
edit 14
set action warning
set category 64
next
edit 15
set action warning
set category 65
next
edit 16
set action warning
set category 66
next
edit 17
set action warning
set category 67
next
edit 18
set action block
set category 26
next
end
end
next
end
config webfilter override
end
config webfilter override-user
end
config webfilter ftgd-warning
end
config webfilter ftgd-local-rating
end
config webfilter search-engine
edit " google"
set hostname " .*\\.google\\..*"
set url " ^\\/((custom|search|images|videosearch|webhp)\\?)"
set query " q="
set safesearch url
set safesearch-str " &safe=active"
next
edit " yahoo"
set hostname " .*\\.yahoo\\..*"
set url " ^\\/search(\\/video|\\/images){0,1}(\\?|;)"
set query " p="
set safesearch url
set safesearch-str " &vm=r"
next
edit " bing"
set hostname " www\\.bing\\.com"
set url " ^(\\/images|\\/videos)?(\\/search|\\/async)\\?"
set query " q="
set safesearch url
set safesearch-str " &adlt=strict"
next
edit " yandex"
set hostname " yandex\\..*"
set url " ^\\/(yand){0,1}(search)[\\/]{0,}.{0,}\\?"
set query " text="
set safesearch url
set safesearch-str " &fyandex=1"
next
edit " youtube"
set hostname " .*\\.youtube\\..*"
set safesearch header
next
edit " baidu"
set hostname " .*\\.baidu\\.com"
set url " ^\\/s?\\?"
set query " wd="
next
edit " baidu2"
set hostname " .*\\.baidu\\.com"
set url " ^\\/(ns|q|m|i|v)\\?"
set query " word="
next
edit " baidu3"
set hostname " tieba\\.baidu\\.com"
set url " ^\\/f\\?"
set query " kw="
next
end
config vpn ipsec phase1-interface
edit " iOSIPsec1"
set type dynamic
set interface " ONO"
set dhgrp 2
set peertype one
set xauthtype auto
set mode aggressive
set mode-cfg enable
set proposal aes256-sha512 aes256-sha1 aes128-sha1
set peerid " iOSIPsec1"
set authusrgrp " ipseciOS"
set ipv4-start-ip 192.168.8.129
set ipv4-end-ip 192.168.8.158
set ipv4-netmask 255.255.255.224
set ipv4-dns-server1 192.168.1.1
set psksecret ENC
next
edit " FortiCliIPsec"
set type dynamic
set interface " ONO"
set xauthtype auto
set mode aggressive
set mode-cfg enable
set proposal aes256-sha512 aes128-sha1 3des-sha1
set authusrgrp " ipsecvpn"
set ipv4-start-ip 192.168.8.97
set ipv4-end-ip 192.168.8.126
set ipv4-netmask 255.255.255.224
set ipv4-dns-server1 192.168.1.1
set psksecret ENC
next
edit " AndroidIPsec1"
set type dynamic
set interface " ONO"
set dhgrp 2
set xauthtype auto
set mode-cfg enable
set proposal aes256-sha512 aes128-sha1 3des-md5
set comments " android 2.3 IPsec client requires Main Mode"
set authusrgrp " ipsecvpn"
set ipv4-start-ip 192.168.8.97
set ipv4-end-ip 192.168.8.126
set ipv4-dns-server1 192.168.1.1
set psksecret ENC
next
end
config vpn ipsec phase2-interface
edit " iOSIPsec1b"
set phase1name " iOSIPsec1"
set proposal aes256-sha512 aes256-sha1 aes128-sha1
set dhgrp 2
next
edit " FortiCliIPsec"
set phase1name " FortiCliIPsec"
set proposal aes256-sha512 aes128-sha1 3des-sha1
next
edit " AndroidIPsec1b"
set phase1name " AndroidIPsec1"
set proposal aes256-sha512 aes128-sha1 3des-md5
set dhgrp 2
next
end
config system dns-server
edit " internal2"
set mode forward-only
next
edit " ssl.root"
set mode forward-only
next
end
config antivirus settings
set grayware enable
end
config antivirus profile
edit " default"
set comment " scan and delete virus"
set inspection-mode flow-based
set block-botnet-connections enable
set extended-utm-log enable
config http
set options scan
end
config ftp
set options scan
end
config imap
set options scan
end
config pop3
set options scan
end
config smtp
set options scan
end
config mapi
set options scan
end
config nntp
set options scan
end
config im
set options scan
end
config smb
set options scan
end
set av-virus-log disable
next
edit " AV-flow"
set comment " flow-based scan and delete virus"
set inspection-mode flow-based
set extended-utm-log enable
config http
set options scan
end
config ftp
set options scan
end
config imap
set options scan
end
config pop3
set options scan
end
config smtp
set options scan
end
config nntp
set options scan
end
config im
set options scan
end
set av-virus-log disable
next
end
config spamfilter profile
edit " default"
set comment " malware and phishing URL filtering"
set flow-based enable
set extended-utm-log enable
config imap
set log enable
end
config pop3
set log enable
end
config smtp
set log enable
end
config msn-hotmail
set log enable
end
config yahoo-mail
set log enable
end
config gmail
set log enable
end
next
end
config report layout
edit " default"
config body-item
edit 350
set type misc
set misc-component section-start
set column 1
set title " Bandwidth and Application Usage"
next
edit 401
set type chart
set chart " bandwidth.applications"
set chart-options include-no-data
next
edit 501
set type chart
set chart " web.usage"
set chart-options include-no-data
next
edit 511
set type chart
set chart " email.usage"
set chart-options include-no-data
next
edit 515
set type chart
set chart " threats"
set chart-options include-no-data
next
edit 521
set type chart
set chart " vpn.usage"
set chart-options include-no-data
next
edit 525
set type chart
set chart " events"
set chart-options include-no-data
next
edit 601
set type chart
set hide enable
set chart " traffic.bandwidth.users"
set chart-options include-no-data
set drill-down-items " 5"
set drill-down-types " 0"
next
end
set email-recipients " "
set email-send enable
set format pdf
set options dummy-option
config page
config footer
config footer-item
edit 1
set content " Fortinet Inc. All rights reserved"
next
edit 2
set style " align_right"
set content " ${page_no}"
next
end
end
config header
config header-item
edit 1
set type image
set style " align_right"
set img-src " fortinet_logo.jpg"
next
end
end
set options header-on-first-page footer-on-first-page
set page-break-before heading1
set paper letter
end
set style-theme " default-report"
set title " FortiGate System Analysis Report"
next
end
config wanopt settings
set host-id " default-id"
end
config wanopt profile
edit " default"
set comments " default WANopt profile"
next
end
config web-proxy global
set proxy-fqdn " default.fqdn"
end
config wanopt webcache
set always-revalidate enable
end
config web-proxy url-match
edit " AppRiver hosted Exchange OWA"
set cache-exemption enable
set url-pattern " exg6.exghost.com"
next
end
config firewall schedule recurring
edit " always"
set day sunday monday tuesday wednesday thursday friday saturday
next
end
config firewall profile-protocol-options
edit " default"
set comment " all default services"
config http
set ports 80
set options no-content-summary
unset post-lang
end
config ftp
set ports 21
set options no-content-summary splice
end
config imap
set ports 143
set options fragmail no-content-summary
end
config mapi
set ports 135
set options fragmail no-content-summary
end
config pop3
set ports 110
set options fragmail no-content-summary
end
config smtp
set ports 25
set options fragmail no-content-summary splice
end
config nntp
set ports 119
set options no-content-summary splice
end
config im
unset options
end
config dns
set ports 53
end
next
end
config firewall deep-inspection-options
edit " default"
set comment " all default services"
config https
set ports 443
set status disable
end
config ftps
set ports 990
set status disable
end
config imaps
set ports 993
set status disable
end
config pop3s
set ports 995
set status disable
end
config smtps
set ports 465
set status disable
end
config ssh
set ports 22
end
next
end
config firewall identity-based-route
end
config firewall policy
edit 12
set srcintf " ONO"
set dstintf " any"
set srcaddr " Hacker1-212.67.x.x"
set dstaddr " all"
set schedule " always"
set service " ALL"
set logtraffic disable
set comments " Repeated unauthorized SSL VPN login attempts 2013-08"
next
edit 21
set srcintf " internal2"
set dstintf " ONO"
set srcaddr " 192.168.32.3"
set action accept
set status disable
set comments " test enforcing endpoint policy"
set email-collection-portal enable
set forticlient-compliance-enforcement-portal enable
set forticlient-compliance-devices android
set identity-based enable
set identity-from device
set nat enable
config identity-based-policy
edit 1
set schedule " always"
set utm-status enable
set dstaddr " all"
set service " ALL"
set devices " Jay Android Tablet"
set endpoint-compliance enable
set av-profile " default"
set webfilter-profile " default"
set spamfilter-profile " default"
set ips-sensor " default"
set profile-protocol-options " default"
next
end
next
edit 20
set srcintf " ONO"
set dstintf " any"
set srcaddr " all"
set dstaddr " ONO IP address 84.124.xx.xx/32"
set action ssl-vpn
set comments " SSL VPN Tunnel and Portal authentication rule for users who may access both. Gives access to SSL VPN Portal \" full-access\" . And allows onward tunnel as well as proxy access to all destinations internal and external."
set sslvpn-cipher high
set identity-based enable
config identity-based-policy
edit 1
set schedule " always"
set groups " sslvpntunnelandportal"
set service " ALL"
set sslvpn-portal " full-access"
next
end
next
edit 16
set srcintf " ONO"
set dstintf " any"
set srcaddr " all"
set dstaddr " all"
set action ssl-vpn
set comments " SSL VPN Tunnel (only) authentication rule for users. Gives access to SSL VPN Portal \" tunnel-access\" . And allows onward tunnel access to all destinations internal and external."
set sslvpn-cipher high
set identity-based enable
config identity-based-policy
edit 1
set schedule " always"
set groups " sslvpntunnel"
set service " ALL"
set sslvpn-portal " tunnel-access"
next
end
next
edit 19
set srcintf " FortiCliIPsec"
set dstintf " ONO"
set srcaddr " IPsecVPN_usersIPs_range"
set dstaddr " all"
set action accept
set schedule " always"
set service " ALL"
set nat enable
next
edit 8
set srcintf " FortiCliIPsec"
set dstintf " any"
set srcaddr " IPsecVPN_usersIPs_range"
set dstaddr " all"
set action accept
set schedule " always"
set service " ALL"
next
edit 10
set srcintf " ONO"
set dstintf " any"
set srcaddr " all"
set dstaddr " all"
set action ssl-vpn
set sslvpn-cipher high
set identity-based enable
config identity-based-policy
edit 1
set schedule " always"
set groups " sslvpnportal"
set service " ALL"
set sslvpn-portal " web-access"
next
end
next
edit 13
set srcintf " iOSIPsec1"
set dstintf " internal"
set srcaddr " iOSIPsec_users_range"
set dstaddr " SP internal wired LAN1" " SP internal WiFi LAN SP_OFFICE"
set action accept
set schedule " always"
set service " ALL"
next
edit 11
set srcintf " iOSIPsec1"
set dstintf " ONO"
set srcaddr " iOSIPsec_users_range"
set dstaddr " all"
set action accept
set schedule " always"
set service " ALL"
set nat enable
next
edit 17
set srcintf " iOSIPsec1"
set dstintf " internal"
set srcaddr " iOSIPsec_users_range"
set dstaddr " all"
set action accept
set schedule " always"
set service " ALL"
set comments " While FortiGate uses MikroTik as outbound default route, must have this firewall rule to allow dest IP ALL via Internal interface."
next
edit 14
set srcintf " internal"
set dstintf " iOSIPsec1"
set srcaddr " SP internal wired LAN1" " SP internal WiFi LAN SP_OFFICE"
set dstaddr " iOSIPsec_users_range"
set action accept
set schedule " always"
set service " ALL"
next
edit 15
set srcintf " internal"
set dstintf " FortiCliIPsec"
set srcaddr " SP internal wired LAN1" " SP internal WiFi LAN SP_OFFICE"
set dstaddr " IPsecVPN_usersIPs_range"
set action accept
set schedule " always"
set service " ALL"
next
edit 18
set srcintf " internal"
set dstintf " ONO"
set srcaddr " SP internal wired LAN1" " SP internal WiFi LAN SP_OFFICE" " SP internal WiFi LAN SP_GUEST"
set dstaddr " all"
set action accept
set schedule " always"
set service " ALL"
set utm-status enable
set webcache enable
set comments " Allow Internal Wired LAN users to get out to the Internet via ONO VLAN interface"
set av-profile " default"
set webfilter-profile " default"
set spamfilter-profile " default"
set ips-sensor " default"
set profile-protocol-options " default"
set nat enable
next
edit 25
set srcintf " internal2"
set dstintf " ONO"
set srcaddr " SP internal wired LAN2"
set dstaddr " all"
set action accept
set schedule " always"
set service " ALL"
set utm-status enable
set av-profile " default"
set webfilter-profile " default"
set spamfilter-profile " default"
set ips-sensor " default"
set profile-protocol-options " default"
set nat enable
next
edit 22
set srcintf " internal2"
set dstintf " internal"
set srcaddr " SP internal wired LAN2"
set dstaddr " SP internal wired LAN1" " SP internal WiFi LAN SP_OFFICE" " SP internal WiFi LAN SP_GUEST" " SP internal WiFi Mgmt subnet"
set action accept
set schedule " always"
set service " ALL"
set utm-status enable
set comments " Allows FortiGate Internal2 LAN to talk to MikroTik Internal LAN"
set ips-sensor " default"
set profile-protocol-options " default"
next
edit 23
set srcintf " internal"
set dstintf " internal2"
set srcaddr " SP internal WiFi LAN SP_OFFICE" " SP internal wired LAN1"
set dstaddr " SP internal wired LAN2"
set action accept
set schedule " always"
set service " ALL"
set utm-status enable
set comments " Allow MikroTik Internal LAN to reach FortiGate Internal2 LAN"
set ips-sensor " default"
set profile-protocol-options " default"
next
edit 24
set srcintf " ONO"
set dstintf " any"
set srcaddr " all"
set dstaddr " all"
set action ssl-vpn
set comments " let ssl portal users use web connection tool"
set identity-based enable
config identity-based-policy
edit 1
set schedule " always"
set groups " sslvpntunnelandportal"
set service " ALL"
set sslvpn-portal " full-access"
next
end
next
end
config firewall local-in-policy
end
config firewall policy6
end
config firewall local-in-policy6
end
config firewall ttl-policy
end
config firewall policy64
end
config firewall policy46
end
config firewall interface-policy
end
config firewall interface-policy6
end
config firewall sniff-interface-policy
end
config firewall sniff-interface-policy6
end
config firewall DoS-policy
end
config firewall DoS-policy6
end
config firewall sniffer
edit 2
set interface " internal"
set host " 192.168.255.255"
next
edit 3
set interface " ONO"
set host " 192.254.232.236"
next
edit 4
set interface " ssl.root"
set host " 192.168.8.65"
next
end
config endpoint-control profile
edit " Windows-FortiAV"
config forticlient-winmac-settings
set forticlient-av enable
set forticlient-vpn-provisioning enable
config forticlient-vpn-settings
edit " SP FG SSL VPN"
set type ssl
set remote-gw " node.com"
set sslvpn-access-port 8443
next
end
set forticlient-log-upload disable
set forticlient-update-from-fmg enable
set forticlient-update-failover-to-fdn disable
set forticlient-ui-options av vpn
end
config forticlient-android-settings
end
config forticlient-ios-settings
end
set description " Windows clients needing an AV of last resort"
set device-groups " Windows-FortiAV"
next
edit " default"
config forticlient-winmac-settings
set forticlient-vpn-provisioning enable
config forticlient-vpn-settings
edit " FG SSL VPN"
set type ssl
set remote-gw " vpn.mycompany.es"
set sslvpn-access-port 8443
next
end
set forticlient-log-upload disable
set forticlient-ui-options vpn
end
config forticlient-android-settings
end
config forticlient-ios-settings
end
next
end
config wireless-controller wids-profile
edit " default"
set comment " default wids profile"
set wireless-bridge enable
set deauth-broadcast enable
set null-ssid-probe-resp enable
set long-duration-attack enable
set invalid-mac-oui enable
set weak-wep-iv enable
set auth-frame-flood enable
set assoc-frame-flood enable
set spoofed-deauth enable
set asleap-attack enable
set eapol-start-flood enable
set eapol-logoff-flood enable
set eapol-succ-flood enable
set eapol-fail-flood enable
set eapol-pre-succ-flood enable
set eapol-pre-fail-flood enable
next
end
config wireless-controller wtp-profile
edit " FAP220A-default"
config platform
set type 220A
end
set ap-country US
config radio-1
set band 802.11n
end
config radio-2
set band 802.11n-5G
end
next
edit " FAP112B-default"
config platform
set type 112B
end
set ap-country US
config radio-1
set band 802.11n
end
config radio-2
set mode disabled
end
next
edit " FAP220B-default"
set ap-country US
config radio-1
set band 802.11n-5G
end
config radio-2
set band 802.11n
end
next
edit " FAP210B-default"
config platform
set type 210B
end
set ap-country US
config radio-1
set band 802.11n
end
config radio-2
set mode disabled
end
next
edit " FAP222B-default"
config platform
set type 222B
end
set ap-country US
config radio-1
set band 802.11n
end
config radio-2
set band 802.11n-5G
end
next
edit " FAP320B-default"
config platform
set type 320B
end
set ap-country US
config radio-1
set band 802.11n-5G
end
config radio-2
set band 802.11n
end
next
end
config log disk setting
set status enable
set maximum-log-age 0
end
config log setting
set fwpolicy-implicit-log enable
set local-in-deny disable
set resolve-hosts disable
end
config alertemail setting
set username " "
set mailto1 " "
set filter-mode threshold
set severity warning
end
config router rip
config redistribute " connected"
end
config redistribute " static"
end
config redistribute " ospf"
end
config redistribute " bgp"
end
config redistribute " isis"
end
end
config router ripng
config redistribute " connected"
end
config redistribute " static"
end
config redistribute " ospf"
end
config redistribute " bgp"
end
config redistribute " isis"
end
end
config router static
edit 1
set device " ONO"
set gateway 84.124.xxx.xxx
next
edit 4
set comment " Route to reach SSLVPN clients"
set device " ssl.root"
set dst 192.168.8.64 255.255.255.224
next
edit 5
set comment " to reach internal hosts on Wi-Fi SP_OFFICE"
set device " internal"
set dst 192.168.12.0 255.255.252.0
set gateway 192.168.1.1
next
edit 6
set comment " To reach iOS IPsec VPN clients"
set device " iOSIPsec1"
set dst 192.168.8.128 255.255.255.224
next
edit 7
set comment " To reach FortiClient IPsec VPN users (non-iOS)"
set device " FortiCliIPsec"
set dst 192.168.8.96 255.255.255.224
next
edit 8
set comment " For FG internals to reach SP_GUEST Wi-Fi LAN"
set device " internal"
set dst 192.168.16.0 255.255.255.0
set gateway 192.168.1.1
next
edit 9
set comment " Cisco Wi-Fi Management VLAN"
set device " internal"
set dst 192.168.17.0 255.255.255.0
set gateway 192.168.1.1
next
end
config router ospf
config redistribute " connected"
end
config redistribute " static"
end
config redistribute " rip"
end
config redistribute " bgp"
end
config redistribute " isis"
end
end
config router ospf6
config redistribute " connected"
end
config redistribute " static"
end
config redistribute " rip"
end
config redistribute " bgp"
end
config redistribute " isis"
end
end
config router bgp
config redistribute " connected"
end
config redistribute " rip"
end
config redistribute " ospf"
end
config redistribute " static"
end
config redistribute " isis"
end
config redistribute6 " connected"
end
config redistribute6 " rip"
end
config redistribute6 " ospf"
end
config redistribute6 " static"
end
config redistribute6 " isis"
end
end
config router isis
config redistribute " connected"
end
config redistribute " rip"
end
config redistribute " ospf"
end
config redistribute " bgp"
end
config redistribute " static"
end
end
config router multicast
end
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
>> How do I get a copy/export of the FortiClient config?
From the FortiClient GUI, select File -> Settings. Click the Backup button. Be sure to choose " no password" in the Backup Configuration dialog box displayed.
>> FG100D configuration is below
I reviewed the section of the configuration listed below and have the following question:
Does the MAC address of the client match the one defined below? If it does not, you will get the default EC profile on the client.
The MAC address used by the client is displayed on the FortiGate EC monitor page.
config user device
edit " QA trasto Alberto"
set mac 00:53:45:00:00:00
set type windows-pc
next
end
config user device-group
edit " Windows-FortiAV"
set comment " Windows clients needing an AV of last resort"
set member " QA trasto Alberto "
next
end
config endpoint-control profile
edit " Windows-FortiAV"
config forticlient-winmac-settings
set forticlient-av enable
set forticlient-vpn-provisioning enable
config forticlient-vpn-settings
edit " SP FG SSL VPN"
set type ssl
set remote-gw " node.com"
set sslvpn-access-port 8443
next
end
set forticlient-log-upload disable
set forticlient-update-from-fmg enable
set forticlient-update-failover-to-fdn disable
set forticlient-ui-options av vpn
end
config forticlient-android-settings
end
config forticlient-ios-settings
end
set description " Windows clients needing an AV of last resort"
set device-groups " Windows-FortiAV"
next
edit " default"
config forticlient-winmac-settings
set forticlient-vpn-provisioning enable
config forticlient-vpn-settings
edit " FG SSL VPN"
set type ssl
set remote-gw " vpn.mycompany.es"
set sslvpn-access-port 8443
next
end
set forticlient-log-upload disable
set forticlient-ui-options vpn
end
config forticlient-android-settings
end
config forticlient-ios-settings
end
next
end
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- FortiClient 7.4. no OTP pop-up window 116 Views
- SSL VPN for iOS with certificate... 105 Views
- ZTNA does not work on macOS 188 Views
- How does ZTNA work? 156 Views
- BruteForce Blocking/Filtering 162 Views
Labels
-
FortiGate
8,210 -
FortiClient
1,653 -
5.2
801 -
FortiManager
690 -
5.4
639 -
FortiAnalyzer
524 -
FortiSwitch
440 -
FortiAP
436 -
6.0
416 -
FortiClient EMS
378 -
5.6
362 -
FortiMail
303 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
191 -
SSL-VPN
187 -
FortiNAC
166 -
IPsec
163 -
6.4
128 -
FortiGuard
128 -
FortiGateCloud
99 -
SD-WAN
98 -
FortiSIEM
96 -
FortiCloud Products
94 -
FortiToken
87 -
FortiAuthenticator
76 -
Customer Service
75 -
Wireless Controller
75 -
Firewall policy
65 -
4.0MR3
64 -
FortiProxy
54 -
Fortivoice
50 -
FortiEDR
50 -
FortiADC
50 -
VLAN
45 -
High Availability
44 -
FortiExtender
43 -
FortiDNS
42 -
ZTNA
42 -
FortiSandbox
40 -
Routing
36 -
BGP
36 -
DNS
36 -
FortiGate v5.4
35 -
LDAP
35 -
FortiSwitch v6.4
33 -
SAML
31 -
Interface
31 -
Certificate
31 -
Authentication
28 -
SSO
28 -
NAT
28 -
FortiConnect
27 -
FortiWAN
25 -
FortiConverter
25 -
FortiLink
25 -
RADIUS
24 -
VDOM
24 -
FortiGate v5.2
23 -
Application control
21 -
Virtual IP
21 -
Web profile
21 -
Logging
20 -
Fortigate Cloud
19 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
FortiMonitor
18 -
Traffic shaping
17 -
FortiPAM
17 -
FortiDDoS
15 -
SSL SSH inspection
15 -
FortiGate v5.0
14 -
OSPF
14 -
IP address management - IPAM
13 -
FortiCASB
12 -
SSID
12 -
Admin
12 -
Static route
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
SNMP
11 -
Automation
11 -
System settings
11 -
WAN optimization
11 -
FortiSOAR
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiManager v4.0
9 -
FortiWeb v5.0
9 -
FortiAP profile
9 -
FortiBridge
8 -
RMA Information and Announcements
8 -
Port policy
8 -
Proxy policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
Security profile
7 -
Traffic shaping policy
7 -
Fabric connector
7 -
Intrusion prevention
7 -
FortiCache
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
FortiCarrier
5 -
FortiDeceptor
5 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Antivirus profile
5 -
Traffic shaping profile
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Email filter profile
4 -
Netflow
4 -
Replacement messages
4 -
Web rating
4 -
FortiDB
3 -
FortiHypervisor
3 -
Explicit proxy
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
API
2 -
FortiNDR
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
Schedule
2 -
SDN connector
2 -
Service
2 -
Zone
2 -
Cloud Management Security
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
TACACS
1 -
Multicast policy
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1583 | |
| 1038 | |
| 749 | |
| 443 | |
| 210 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.