Jay_Libove

turn on Real Time AV protection on FortiClient from FortiGate

FortiOS 5.0.4: I have an Endpoint Profile configured which is successfully pushing its configuration down to a FortiClient (on Windows XP, FortiClient v5.0.6.320, with AntiVirus v5.147). The pushed configuration includes that AV appears in the FortiClient dashboard and that AV is enabled, but the FortiClient dashboard shows the AV function as disabled. I don't see, either in the FortiOS GUI or CLI, any option other than `forticlient-av: enable`, so I don't understand why the FortiClient reports AV as disabled. Thanks,
kolawale_FTNT

Upload your FortiOS and FortiClient configuration files for review. You may also send these to forticlient-feedback@fortinet.com. Before posting a configuration publicly, strip passwords, private keys, certificates and any other sensitive data from it.
Jay_Libove

Thanks kolawale. The FG100D configuration is pasted inline below, since this forum does not allow non-image attachments; private data has been removed. (Passwords, passphrases, the local certificate's private key and the certificate bodies appear as `ENC` or blank; administrator account names, trusted-host ranges, internal addressing and the DNS domain are still visible, and the certificate sections were mangled by the forum on paste.) How do I get a copy/export of the FortiClient configuration?
#config-version=FG100D-5.00-FW-build228-130809:opmode=0:vdom=0:user=jlibove
 #conf_file_ver=2696268914854781645
 #buildno=0228
 #global_vdom=1
 config system global
     set admin-server-cert " fortigate1" 
     set admintimeout 480
     set fgd-alert-subscription advisory latest-threat
     set gui-application-control disable
     set gui-dlp disable
     set gui-dns-database enable
     set gui-load-balance enable
     set gui-wanopt-cache enable
     set hostname " FG100D3G........" 
     set optimize antivirus
     set revision-backup-on-logout enable
     set revision-image-auto-backup enable
     set timezone 28
 end
 config system accprofile
     edit " prof_admin" 
         set admingrp read-write
         set authgrp read-write
         set endpoint-control-grp read-write
         set fwgrp read-write
         set loggrp read-write
         set mntgrp read-write
         set netgrp read-write
         set routegrp read-write
         set sysgrp read-write
         set updategrp read-write
         set utmgrp read-write
         set vpngrp read-write
         set wanoptgrp read-write
         set wifi read-write
     next
     edit " super-readonly" 
         set admingrp read
         set authgrp read
         set endpoint-control-grp read
         set fwgrp read
         set loggrp read
         set mntgrp read
         set netgrp read
         set routegrp read
         set sysgrp read
         set updategrp read
         set utmgrp read
         set vpngrp read
         set wanoptgrp read
         set wifi read
     next
 end
 config wireless-controller vap
     edit " mesh.root" 
         set vdom " root" 
         set mesh-backhaul enable
         set ssid " fortinet.mesh.root" 
         set passphrase ENC 
     next
     edit " mesh.dmgmt-vdom" 
         set vdom " dmgmt-vdom" 
         set mesh-backhaul enable
         set ssid " fortinet.mesh.dmgmt-vdom" 
         set passphrase ENC 
     next
 end
 config system interface
     edit " wan1" 
         set vdom " root" 
         set type physical
         set external enable
         set snmp-index 1
     next
     edit " dmz" 
         set vdom " root" 
         set ip 10.10.10.1 255.255.255.0
         set allowaccess ping https fgfm capwap
         set type physical
         set snmp-index 2
     next
     edit " modem" 
         set vdom " root" 
         set mode pppoe
         set allowaccess capwap
         set type physical
         set snmp-index 3
     next
     edit " ssl.root" 
         set vdom " root" 
         set ip 169.254.1.1 255.255.255.255
         set allowaccess capwap
         set type tunnel
         set alias " sslvpn tunnel interface" 
         set listen-forticlient-connection enable
         set snmp-index 4
     next
     edit " mesh.root" 
         set vdom " root" 
         set type vap-switch
         set snmp-index 11
     next
     edit " mesh.dmgmt-vdom" 
         set vdom " dmgmt-vdom" 
         set type vap-switch
         set snmp-index 14
     next
     edit " wan2" 
         set vdom " root" 
         set type physical
         set snmp-index 5
     next
     edit " mgmt" 
         set vdom " root" 
         set status down
         set type physical
         set snmp-index 6
     next
     edit " ha1" 
         set vdom " root" 
         set allowaccess capwap
         set type physical
         set snmp-index 7
     next
     edit " ha2" 
         set vdom " root" 
         set allowaccess capwap
         set type physical
         set snmp-index 8
     next
     edit " internal" 
         set vdom " root" 
         set ip 192.168.1.4 255.255.248.0
         set allowaccess ping https ssh http telnet fgfm capwap
         set type physical
         set description " Internal" 
         set snmp-index 9
     next
     edit " iOSIPsec1" 
         set vdom " root" 
         set type tunnel
         set snmp-index 12
     next
     edit " ONO" 
         set vdom " root" 
         set ip 84.124.xx.xx 255.255.255.248
         set allowaccess ping https ssh
         set snmp-index 13
         set interface " wan2" 
         set vlanid 3
     next
     edit " FortiCliIPsec" 
         set vdom " root" 
         set type tunnel
         set snmp-index 16
         set interface " ONO" 
     next
     edit " AndroidIPsec1" 
         set vdom " root" 
         set type tunnel
         set snmp-index 10
         set interface " ONO" 
     next
     edit " internal2" 
         set vdom " root" 
         set ip 192.168.32.1 255.255.240.0
         set allowaccess ping https ssh fgfm capwap
         set device-identification enable
         set listen-forticlient-connection enable
         set snmp-index 15
         set interface " internal" 
         set vlanid 5
     next
 end
 config system password-policy
     set status enable
     set min-lower-case-letter 1
     set min-upper-case-letter 1
     set min-non-alphanumeric 1
     set min-number 1
     set expire-status enable
     set expire-day 366
 end
 config system admin
     edit " admin" 
         set trusthost1 192.168.0.0 255.255.192.0
         set accprofile " super_admin" 
         set vdom " root" 
         set password-expire 2014-08-15 10:17:03
             config dashboard-tabs
                 edit 1
                     set name " Status" 
                 next
                 edit 2
                     set columns 1
                     set name " Top Sources" 
                 next
                 edit 3
                     set columns 1
                     set name " Top Destinations" 
                 next
                 edit 4
                     set columns 1
                     set name " Top Applications" 
                 next
                 edit 5
                     set columns 1
                     set name " Traffic History" 
                 next
                 edit 6
                     set columns 1
                     set name " Threat History" 
                 next
             end
             config dashboard
                 edit 1
                     set tab-id 1
                     set column 1
                 next
                 edit 2
                     set widget-type licinfo
                     set tab-id 1
                     set column 1
                 next
                 edit 3
                     set widget-type jsconsole
                     set tab-id 1
                     set column 1
                 next
                 edit 4
                     set widget-type sysres
                     set tab-id 1
                     set column 2
                 next
                 edit 5
                     set widget-type gui-features
                     set tab-id 1
                     set column 2
                 next
                 edit 6
                     set widget-type alert
                     set tab-id 1
                     set column 2
                     set top-n 10
                 next
                 edit 21
                     set widget-type sessions
                     set tab-id 2
                     set column 1
                     set top-n 25
                     set sort-by msg-counts
                 next
                 edit 31
                     set widget-type sessions
                     set tab-id 3
                     set column 1
                     set top-n 25
                     set sort-by msg-counts
                     set report-by destination
                 next
                 edit 41
                     set widget-type sessions
                     set tab-id 4
                     set column 1
                     set top-n 25
                     set sort-by msg-counts
                     set report-by application
                 next
                 edit 51
                     set widget-type sessions-bandwidth
                     set tab-id 5
                     set column 1
                 next
                 edit 61
                     set widget-type threat-history
                     set tab-id 6
                     set column 1
                 next
             end
             config login-time
                 edit " admin" 
                     set last-login 2013-10-11 10:45:36
                 next
             end
         set password ENC 
     next
     edit " jlibove" 
         set trusthost1 192.168.0.0 255.255.192.0
         set accprofile " super_admin" 
         set comments " Jay Libove, Security Manager" 
         set vdom " root" 
         set password-expire 2014-08-15 10:17:03
             config dashboard-tabs
                 edit 1
                     set name " Status" 
                 next
                 edit 2
                     set columns 1
                     set name " Top Sources" 
                 next
                 edit 3
                     set columns 1
                     set name " Top Destinations" 
                 next
                 edit 4
                     set columns 1
                     set name " Top Applications" 
                 next
                 edit 5
                     set columns 1
                     set name " Traffic History" 
                 next
                 edit 6
                     set columns 1
                     set name " Threat History" 
                 next
             end
             config dashboard
                 edit 1
                     set tab-id 1
                     set column 1
                 next
                 edit 2
                     set widget-type licinfo
                     set tab-id 1
                     set column 1
                 next
                 edit 3
                     set widget-type jsconsole
                     set tab-id 1
                     set column 1
                 next
                 edit 4
                     set widget-type sysres
                     set tab-id 1
                     set column 2
                 next
                 edit 5
                     set widget-type gui-features
                     set tab-id 1
                     set column 2
                 next
                 edit 6
                     set widget-type alert
                     set tab-id 1
                     set column 2
                     set top-n 10
                 next
                 edit 21
                     set widget-type sessions
                     set tab-id 2
                     set column 1
                     set top-n 25
                     set sort-by msg-counts
                 next
                 edit 31
                     set widget-type sessions
                     set tab-id 3
                     set column 1
                     set top-n 25
                     set sort-by msg-counts
                     set report-by destination
                 next
                 edit 41
                     set widget-type sessions
                     set tab-id 4
                     set column 1
                     set top-n 25
                     set sort-by msg-counts
                     set report-by application
                 next
                 edit 51
                     set widget-type sessions-bandwidth
                     set tab-id 5
                     set column 1
                 next
                 edit 61
                     set widget-type threat-history
                     set tab-id 6
                     set column 1
                 next
             end
         set email-to " " 
             config login-time
                 edit " jlibove" 
                     set last-failed-login 2013-09-14 20:26:49
                     set last-login 2013-10-11 10:57:26
                 next
             end
         set password ENC 
     next
     edit " dfranco" 
         set trusthost1 192.168.0.0 255.255.192.0
         set accprofile " prof_admin" 
         set comments " Dani (HelpDesk)" 
         set vdom " root" 
         set password-expire 2014-09-05 16:26:22
             config dashboard-tabs
                 edit 1
                     set name " Status" 
                 next
                 edit 2
                     set columns 1
                     set name " Top Sources" 
                 next
                 edit 3
                     set columns 1
                     set name " Top Destinations" 
                 next
                 edit 4
                     set columns 1
                     set name " Top Applications" 
                 next
                 edit 5
                     set columns 1
                     set name " Traffic History" 
                 next
                 edit 6
                     set columns 1
                     set name " Threat History" 
                 next
             end
             config dashboard
                 edit 1
                     set tab-id 1
                     set column 1
                 next
                 edit 2
                     set widget-type licinfo
                     set tab-id 1
                     set column 1
                 next
                 edit 3
                     set widget-type jsconsole
                     set tab-id 1
                     set column 1
                 next
                 edit 4
                     set widget-type sysres
                     set tab-id 1
                     set column 2
                 next
                 edit 5
                     set widget-type gui-features
                     set tab-id 1
                     set column 2
                 next
                 edit 6
                     set widget-type alert
                     set tab-id 1
                     set column 2
                     set top-n 10
                 next
                 edit 21
                     set widget-type sessions
                     set tab-id 2
                     set column 1
                     set top-n 25
                     set sort-by msg-counts
                 next
                 edit 31
                     set widget-type sessions
                     set tab-id 3
                     set column 1
                     set top-n 25
                     set sort-by msg-counts
                     set report-by destination
                 next
                 edit 41
                     set widget-type sessions
                     set tab-id 4
                     set column 1
                     set top-n 25
                     set sort-by msg-counts
                     set report-by application
                 next
                 edit 51
                     set widget-type sessions-bandwidth
                     set tab-id 5
                     set column 1
                 next
                 edit 61
                     set widget-type threat-history
                     set tab-id 6
                     set column 1
                 next
             end
         set email-to " dani" 
             config login-time
                 edit " dfranco" 
                     set last-login 2013-10-04 18:04:43
                 next
             end
         set password ENC 
     next
     edit " jruiz" 
         set trusthost1 192.168.0.0 255.255.192.0
         set accprofile " prof_admin" 
         set comments " Javi (HelpDesk)" 
         set vdom " root" 
         set password-expire 2014-09-05 16:19:12
             config dashboard-tabs
                 edit 1
                     set name " Status" 
                 next
                 edit 2
                     set columns 1
                     set name " Top Sources" 
                 next
                 edit 3
                     set columns 1
                     set name " Top Destinations" 
                 next
                 edit 4
                     set columns 1
                     set name " Top Applications" 
                 next
                 edit 5
                     set columns 1
                     set name " Traffic History" 
                 next
                 edit 6
                     set columns 1
                     set name " Threat History" 
                 next
             end
             config dashboard
                 edit 1
                     set tab-id 1
                     set column 1
                 next
                 edit 2
                     set widget-type licinfo
                     set tab-id 1
                     set column 1
                 next
                 edit 3
                     set widget-type jsconsole
                     set tab-id 1
                     set column 1
                 next
                 edit 4
                     set widget-type sysres
                     set tab-id 1
                     set column 2
                 next
                 edit 5
                     set widget-type gui-features
                     set tab-id 1
                     set column 2
                 next
                 edit 6
                     set widget-type alert
                     set tab-id 1
                     set column 2
                     set top-n 10
                 next
                 edit 21
                     set widget-type sessions
                     set tab-id 2
                     set column 1
                     set top-n 25
                     set sort-by msg-counts
                 next
                 edit 31
                     set widget-type sessions
                     set tab-id 3
                     set column 1
                     set top-n 25
                     set sort-by msg-counts
                     set report-by destination
                 next
                 edit 41
                     set widget-type sessions
                     set tab-id 4
                     set column 1
                     set top-n 25
                     set sort-by msg-counts
                     set report-by application
                 next
                 edit 51
                     set widget-type sessions-bandwidth
                     set tab-id 5
                     set column 1
                 next
                 edit 61
                     set widget-type threat-history
                     set tab-id 6
                     set column 1
                 next
             end
         set email-to " javier" 
             config login-time
                 edit " jruiz" 
                     set last-login 2013-10-04 17:35:37
                 next
             end
         set password ENC 
     next
     edit " fortisupport" 
         set trusthost1 
         set trusthost2 
         set accprofile " super-readonly" 
         set vdom " root" 
         set password-expire 2014-09-15 20:06:22
             config dashboard-tabs
                 edit 1
                     set name " Status" 
                 next
                 edit 2
                     set columns 1
                     set name " Top Sources" 
                 next
                 edit 3
                     set columns 1
                     set name " Top Destinations" 
                 next
                 edit 4
                     set columns 1
                     set name " Top Applications" 
                 next
                 edit 5
                     set columns 1
                     set name " Traffic History" 
                 next
                 edit 6
                     set columns 1
                     set name " Threat History" 
                 next
             end
             config dashboard
                 edit 1
                     set tab-id 1
                     set column 1
                 next
                 edit 2
                     set widget-type licinfo
                     set tab-id 1
                     set column 1
                 next
                 edit 3
                     set widget-type jsconsole
                     set tab-id 1
                     set column 1
                 next
                 edit 4
                     set widget-type sysres
                     set tab-id 1
                     set column 2
                 next
                 edit 5
                     set widget-type gui-features
                     set tab-id 1
                     set column 2
                 next
                 edit 6
                     set widget-type alert
                     set tab-id 1
                     set column 2
                     set top-n 10
                 next
                 edit 21
                     set widget-type sessions
                     set tab-id 2
                     set column 1
                     set top-n 25
                     set sort-by msg-counts
                 next
                 edit 31
                     set widget-type sessions
                     set tab-id 3
                     set column 1
                     set top-n 25
                     set sort-by msg-counts
                     set report-by destination
                 next
                 edit 41
                     set widget-type sessions
                     set tab-id 4
                     set column 1
                     set top-n 25
                     set sort-by msg-counts
                     set report-by application
                 next
                 edit 51
                     set widget-type sessions-bandwidth
                     set tab-id 5
                     set column 1
                 next
                 edit 61
                     set widget-type threat-history
                     set tab-id 6
                     set column 1
                 next
             end
             config login-time
                 edit " fortisupport" 
                     set last-login 2013-09-23 16:15:48
                 next
             end
         set password ENC 
     next
 end
 config system ha
     set override disable
 end
 config system storage
     edit " FLASH" 
         set media-type " scsi" 
         set partition " 47C5F8C40E34928E" 
     next
 end
 config system dns
     set primary 192.168.1.1
     set domain " mycompany.es" 
 end
 config system replacemsg-image
     edit " logo_fnet" 
         set image-base64 ' ' 
         set image-type gif
     next
     edit " logo_fguard_wf" 
         set image-base64 ' ' 
         set image-type gif
     next
     edit " logo_fw_auth" 
         set image-base64 ' ' 
         set image-type png
     next
     edit " logo_v2_fnet" 
         set image-base64 ' ' 
         set image-type png
     next
     edit " logo_v2_fguard_wf" 
         set image-base64 ' ' 
         set image-type png
     next
 end
 config system replacemsg mail " email-block" 
 end
 config system replacemsg mail " email-dlp-subject" 
 end
 config system replacemsg mail " email-dlp-ban" 
 end
 config system replacemsg mail " email-filesize" 
 end
 config system replacemsg mail " partial" 
 end
 config system replacemsg mail " smtp-block" 
 end
 config system replacemsg mail " smtp-filesize" 
 end
 config system replacemsg http " bannedword" 
 end
 config system replacemsg http " url-block" 
     set buffer " <!DOCTYPE html PUBLIC \" -//W3C//DTD HTML 4.01//EN\" >
 <html>
   <head>
     <meta http-equiv=\" Content-Type\"  content=\" text/html; charset=UTF-8\" >
     <style type=\" text/css\" >
       html,body{
         height:100%;
         padding:0;
         margin:0;
       }.oc{
         display:table;
         width:100%;
         height:100%;
       }.ic{
         display:table-cell;
         vertical-align:middle;
         height:100%;
       }div.msg{
         display:block;
         border:1px solid #30c;
         padding:0;
         width:500px;
         font-family:helvetica,sans-serif;
         margin:10px auto;
       }h1{
         font-weight:bold;
         color:#fff;
         font-size:14px;
         margin:0;
         padding:2px;
         text-align:center;
         background: #30c;
       }p{
         font-size:12px;
         margin:15px auto;
         width:75%;
         font-family:helvetica,sans-serif;
         text-align:left;
       }
     </style>
     <title>
       The URL you requested has been blocked
     </title>
   </head>
   <body>
     <div class=\" oc\" >
       <div class=\" ic\" >
         <div class=\" msg\" >
           <h1>
             The URL you requested has been blocked
           </h1>
           <p>
             The page you have requested has been blocked, because the URL is banned.
             <br />
             <br />
             URL = %%URL%%
             <br />
             CATEGORY = %%CATEGORY%%
             <br />
             %%OVERRIDE%%
           </p>
         </div>
       </div>
     </div>
   </body>
 </html>" 
 end
 config system replacemsg http " urlfilter-err" 
 end
 config system replacemsg http " infcache-block" 
 end
 config system replacemsg http " http-block" 
 end
 config system replacemsg http " http-filesize" 
 end
 config system replacemsg http " http-dlp-ban" 
 end
 config system replacemsg http " http-archive-block" 
 end
 config system replacemsg http " http-contenttypeblock" 
 end
 config system replacemsg http " https-invalid-cert-block" 
 end
 config system replacemsg http " http-client-block" 
 end
 config system replacemsg http " http-client-filesize" 
 end
 config system replacemsg http " http-client-bannedword" 
 end
 config system replacemsg http " http-post-block" 
 end
 config system replacemsg http " http-client-archive-block" 
 end
 config system replacemsg http " switching-protocols-block" 
 end
 config system replacemsg webproxy " deny" 
 end
 config system replacemsg webproxy " user-limit" 
 end
 config system replacemsg webproxy " auth-challenge" 
 end
 config system replacemsg webproxy " auth-login-fail" 
 end
 config system replacemsg webproxy " auth-authorization-fail" 
 end
 config system replacemsg webproxy " http-err" 
 end
 config system replacemsg ftp " ftp-dl-blocked" 
 end
 config system replacemsg ftp " ftp-dl-filesize" 
 end
 config system replacemsg ftp " ftp-dl-dlp-ban" 
 end
 config system replacemsg ftp " ftp-explicit-banner" 
 end
 config system replacemsg ftp " ftp-dl-archive-block" 
 end
 config system replacemsg nntp " nntp-dl-blocked" 
 end
 config system replacemsg nntp " nntp-dl-filesize" 
 end
 config system replacemsg nntp " nntp-dlp-subject" 
 end
 config system replacemsg nntp " nntp-dlp-ban" 
 end
 config system replacemsg fortiguard-wf " ftgd-block" 
 end
 config system replacemsg fortiguard-wf " http-err" 
 end
 config system replacemsg fortiguard-wf " ftgd-ovrd" 
 end
 config system replacemsg fortiguard-wf " ftgd-quota" 
 end
 config system replacemsg fortiguard-wf " ftgd-warning" 
 end
 config system replacemsg spam " ipblocklist" 
 end
 config system replacemsg spam " smtp-spam-dnsbl" 
 end
 config system replacemsg spam " smtp-spam-feip" 
 end
 config system replacemsg spam " smtp-spam-helo" 
 end
 config system replacemsg spam " smtp-spam-emailblack" 
 end
 config system replacemsg spam " smtp-spam-mimeheader" 
 end
 config system replacemsg spam " reversedns" 
 end
 config system replacemsg spam " smtp-spam-bannedword" 
 end
 config system replacemsg spam " smtp-spam-ase" 
 end
 config system replacemsg spam " submit" 
 end
 config system replacemsg im " im-file-xfer-block" 
 end
 config system replacemsg im " im-file-xfer-name" 
 end
 config system replacemsg im " im-file-xfer-infected" 
 end
 config system replacemsg im " im-file-xfer-size" 
 end
 config system replacemsg im " im-dlp" 
 end
 config system replacemsg im " im-dlp-ban" 
 end
 config system replacemsg im " im-voice-chat-block" 
 end
 config system replacemsg im " im-video-chat-block" 
 end
 config system replacemsg im " im-photo-share-block" 
 end
 config system replacemsg im " im-long-chat-block" 
 end
 config system replacemsg alertmail " alertmail-virus" 
 end
 config system replacemsg alertmail " alertmail-block" 
 end
 config system replacemsg alertmail " alertmail-nids-event" 
 end
 config system replacemsg alertmail " alertmail-crit-event" 
 end
 config system replacemsg alertmail " alertmail-disk-full" 
 end
 config system replacemsg admin " pre_admin-disclaimer-text" 
 end
 config system replacemsg admin " post_admin-disclaimer-text" 
 end
 config system replacemsg auth " auth-disclaimer-page-1" 
 end
 config system replacemsg auth " auth-disclaimer-page-2" 
 end
 config system replacemsg auth " auth-disclaimer-page-3" 
 end
 config system replacemsg auth " auth-reject-page" 
 end
 config system replacemsg auth " auth-login-page" 
 end
 config system replacemsg auth " auth-login-failed-page" 
 end
 config system replacemsg auth " auth-token-login-page" 
 end
 config system replacemsg auth " auth-token-login-failed-page" 
 end
 config system replacemsg auth " auth-success-msg" 
 end
 config system replacemsg auth " auth-challenge-page" 
 end
 config system replacemsg auth " auth-keepalive-page" 
 end
 config system replacemsg auth " auth-portal-page" 
 end
 config system replacemsg auth " auth-password-page" 
 end
 config system replacemsg auth " auth-fortitoken-page" 
 end
 config system replacemsg auth " auth-next-fortitoken-page" 
 end
 config system replacemsg auth " auth-email-token-page" 
 end
 config system replacemsg auth " auth-sms-token-page" 
 end
 config system replacemsg auth " auth-email-harvesting-page" 
 end
 config system replacemsg auth " auth-email-failed-page" 
 end
 config system replacemsg auth " auth-cert-passwd-page" 
 end
 config system replacemsg auth " auth-guest-print-page" 
 end
 config system replacemsg auth " auth-guest-email-page" 
 end
 config system replacemsg captive-portal-dflt " cpa-disclaimer-page-1" 
 end
 config system replacemsg captive-portal-dflt " cpa-disclaimer-page-2" 
 end
 config system replacemsg captive-portal-dflt " cpa-disclaimer-page-3" 
 end
 config system replacemsg captive-portal-dflt " cpa-reject-page" 
 end
 config system replacemsg captive-portal-dflt " cpa-login-page" 
 end
 config system replacemsg captive-portal-dflt " cpa-login-failed-page" 
 end
 config system replacemsg sslvpn " sslvpn-login" 
 end
 config system replacemsg sslvpn " sslvpn-limit" 
 end
 config system replacemsg ec " endpt-download-portal" 
 end
 config system replacemsg ec " endpt-download-portal-mac" 
 end
 config system replacemsg ec " endpt-download-portal-ios" 
 end
 config system replacemsg ec " endpt-download-portal-aos" 
 end
 config system replacemsg ec " endpt-download-portal-other" 
 end
 config system replacemsg device-detection-portal " device-detection-failure" 
 end
 config system replacemsg nac-quar " nac-quar-virus" 
 end
 config system replacemsg nac-quar " nac-quar-dos" 
 end
 config system replacemsg nac-quar " nac-quar-ips" 
 end
 config system replacemsg nac-quar " nac-quar-dlp" 
 end
 config system replacemsg traffic-quota " per-ip-shaper-block" 
 end
 config system replacemsg utm " virus-html" 
 end
 config system replacemsg utm " virus-text" 
 end
 config system replacemsg utm " dlp-html" 
 end
 config system replacemsg utm " dlp-text" 
 end
 config vpn certificate ca
     edit " CA_Cert_1" 
         set ca 
 "            <h2 class=" fgd_icon" >blocked</h2>
         </div>
         <div class=" main" >
 <h3>Endpoint Security Required</h3><div class=" notice" >The use of this security policy requires that the latest FortiClient Endpoint Security software and antivirus signature package are installed.<br></div><div><h4>Contact your network administrator for assistance.</h4></div>    </div>
     </div>
 </body>
 </html>
 
     next
 end
 config vpn certificate local
     edit " fortigate1" 
         set password ENC 
         set private-key " 
 "            <h2 class=" fgd_icon" >blocked</h2>
         </div>
         <div class=" main" >
 <h3>Endpoint Security Required</h3><div class=" notice" >The use of this security policy requires that the latest FortiClient Endpoint Security software and antivirus signature package are installed.<br></div><div><h4>Contact your network administrator for assistance.</h4></div>    </div>
     </div>
 </body>
 </html>
 
         set certificate " 
 "  the latest FortiClient Endpoint Security software and antivirus signature package are installed.<br></div><div><h4>Contact your network administrator for assistance.</h4></div>    </div>
     </div>
 </body>
 </html>
 
     next
 end
 config user device-category
     edit " ipad" 
     next
     edit " iphone" 
     next
     edit " gaming-console" 
     next
     edit " blackberry-phone" 
     next
     edit " blackberry-playbook" 
     next
     edit " linux-pc" 
     next
     edit " mac" 
     next
     edit " windows-pc" 
     next
     edit " android-phone" 
     next
     edit " android-tablet" 
     next
     edit " media-streaming" 
     next
     edit " windows-phone" 
     next
     edit " windows-tablet" 
     next
     edit " fortinet-device" 
     next
     edit " ip-phone" 
     next
     edit " router-nat-device" 
     next
     edit " other-network-device" 
     next
     edit " collected-emails" 
     next
     edit " all" 
     next
 end
 config antivirus service " http" 
     set scan-bzip2 disable
     set uncompnestlimit 12
     set uncompsizelimit 10
 end
 config antivirus service " https" 
     set scan-bzip2 disable
     set uncompnestlimit 12
     set uncompsizelimit 10
 end
 config antivirus service " ftp" 
     set scan-bzip2 disable
     set uncompnestlimit 12
     set uncompsizelimit 10
 end
 config antivirus service " ftps" 
     set scan-bzip2 disable
     set uncompnestlimit 12
     set uncompsizelimit 10
 end
 config antivirus service " pop3" 
     set scan-bzip2 disable
     set uncompnestlimit 12
     set uncompsizelimit 10
 end
 config antivirus service " pop3s" 
     set scan-bzip2 disable
     set uncompnestlimit 12
     set uncompsizelimit 10
 end
 config antivirus service " imap" 
     set scan-bzip2 disable
     set uncompnestlimit 12
     set uncompsizelimit 10
 end
 config antivirus service " imaps" 
     set scan-bzip2 disable
     set uncompnestlimit 12
     set uncompsizelimit 10
 end
 config antivirus service " smtp" 
     set scan-bzip2 disable
     set uncompnestlimit 12
     set uncompsizelimit 10
 end
 config antivirus service " smtps" 
     set scan-bzip2 disable
     set uncompnestlimit 12
     set uncompsizelimit 10
 end
 config antivirus service " nntp" 
     set scan-bzip2 disable
     set uncompnestlimit 12
     set uncompsizelimit 10
 end
 config antivirus service " im" 
     set scan-bzip2 disable
     set uncompnestlimit 12
     set uncompsizelimit 10
 end
 config wanopt storage
     edit " FLASH" 
         set size 8708
     next
 end
 config system session-sync
 end
 config system fortiguard
 end
 config ips global
     set default-app-cat-mask 18446744073474670591
 end
 config ips dbinfo
     set version 1
 end
 config log syslogd setting
     set status enable
     set server " 192.168.1.200" 
     set source-ip 192.168.1.4
 end
 config system email-server
     set reply-to " " 
     set server " aspmx.l.google.com" 
     set security starttls
 end
 config gui console
     unset preferences
 end
 config system session-helper
     edit 1
         set name pptp
         set port 1723
         set protocol 6
     next
     edit 2
         set name h323
         set port 1720
         set protocol 6
     next
     edit 3
         set name ras
         set port 1719
         set protocol 17
     next
     edit 4
         set name tns
         set port 1521
         set protocol 6
     next
     edit 5
         set name tftp
         set port 69
         set protocol 17
     next
     edit 6
         set name rtsp
         set port 554
         set protocol 6
     next
     edit 7
         set name rtsp
         set port 7070
         set protocol 6
     next
     edit 8
         set name rtsp
         set port 8554
         set protocol 6
     next
     edit 9
         set name ftp
         set port 21
         set protocol 6
     next
     edit 10
         set name mms
         set port 1863
         set protocol 6
     next
     edit 11
         set name pmap
         set port 111
         set protocol 6
     next
     edit 12
         set name pmap
         set port 111
         set protocol 17
     next
     edit 13
         set name sip
         set port 5060
         set protocol 17
     next
     edit 14
         set name dns-udp
         set port 53
         set protocol 17
     next
     edit 15
         set name rsh
         set port 514
         set protocol 6
     next
     edit 16
         set name rsh
         set port 512
         set protocol 6
     next
     edit 17
         set name dcerpc
         set port 135
         set protocol 6
     next
     edit 18
         set name dcerpc
         set port 135
         set protocol 17
     next
     edit 19
         set name mgcp
         set port 2427
         set protocol 17
     next
     edit 20
         set name mgcp
         set port 2727
         set protocol 17
     next
 end
 config system auto-install
     set auto-install-config enable
     set auto-install-image enable
 end
 config system ntp
         config ntpserver
             edit 1
                 set server " ntp1.fortinet.net" 
             next
             edit 2
                 set server " ntp2.fortinet.net" 
             next
         end
     set ntpsync enable
     set syncinterval 60
     set type custom
 end
 config system settings
     set sip-tcp-port 5060
     set sip-udp-port 5060
 end
 config system replacemsg-group
     edit " web-filter-default" 
         set comment " System Generated" 
         set group-type utm
             config custom-message
                 edit " 26" 
                     set buffer " This website is blocked by the FortiGate URL Filter.
 <br>
 If you have a valid business need to access this site, please contact with all of the details in this message.
 <br>
 <br>
 
 Filtering service %%SERVICE%%
 <br>
 Website IP %%DEST_IP%%
 <br>
 URL %%URL%%
 <br>
 Website Category %%CATEGORY%%
 <br>
 <br>
 %%OVERRIDE%%
 " 
                     set header http
                     set format html
                 next
             end
     next
 end
 config system dhcp server
     edit 1
         set default-gateway 192.168.32.1
         set interface " internal2" 
             config ip-range
                 edit 1
                     set end-ip 192.168.32.254
                     set start-ip 192.168.32.2
                 next
             end
         set netmask 255.255.240.0
         set dns-server1 192.168.1.1
     next
 end
 config firewall address
     edit " all" 
     next
     edit " SSLVPN_TUNNEL_ADDR1" 
         set comment " SSLVPN clients IP addresses range" 
         set type iprange
         set end-ip 192.168.8.94
         set start-ip 192.168.8.65
     next
     edit " IPsecVPN_usersIPs_range" 
         set comment " IPsec VPN users IPs range Aggressive mode NOT iOS clients" 
         set type iprange
         set end-ip 192.168.8.126
         set start-ip 192.168.8.97
     next
     edit " SP internal wired LAN1" 
         set subnet 192.168.0.0 255.255.248.0
     next
     edit " iOSIPsec_users_range" 
         set comment " IPsec IPs for iOS Main mode only" 
         set type iprange
         set end-ip 192.168.8.158
         set start-ip 192.168.8.129
     next
     edit " SP internal WiFi LAN SP_OFFICE" 
         set subnet 192.168.12.0 255.255.252.0
     next
     edit " ONO IP address x.x.x.x/32" 
         set comment " ONO IP address x.x.x.x/32" 
         set type iprange
         set end-ip x.x.x.x
         set start-ip x.x.x.x
     next
     edit " Hacker1-212.67.x.x" 
         set comment " Repeated SSL VPN unauthorized login attempts" 
         set subnet 212.67.0.0 255.255.0.0
     next
     edit " 192.168.255.255" 
         set comment " 192.168.0.0/16 broadcast" 
         set type iprange
         set end-ip 192.168.255.255
         set start-ip 192.168.255.255
     next
     edit " 192.168.7.255" 
         set comment " 192.168.0.0/21 broadcast" 
         set type iprange
         set end-ip 192.168.7.255
         set start-ip 192.168.7.255
     next
     edit " SP internal WiFi LAN SP_GUEST" 
         set associated-interface " internal" 
         set subnet 192.168.16.0 255.255.255.0
     next
     edit " SP internal wired LAN2" 
         set associated-interface " internal2" 
         set subnet 192.168.32.0 255.255.240.0
     next
     edit " SP internal WiFi Mgmt subnet" 
         set associated-interface " internal" 
         set subnet 192.168.17.0 255.255.255.0
     next
     edit " 192.168.32.3" 
         set associated-interface " internal2" 
         set comment " Jay Android tablet 20131002" 
         set type iprange
         set end-ip 192.168.32.3
         set start-ip 192.168.32.3
     next
 end
 config firewall multicast-address
     edit " all" 
         set end-ip 239.255.255.255
         set start-ip 224.0.0.0
     next
 end
 config firewall address6
     edit " all" 
     next
     edit " SSLVPN_TUNNEL_IPv6_ADDR1" 
         set ip6 fdff:ffff::1/120
     next
 end
 config firewall service category
     edit " General" 
         set comment " general services" 
     next
     edit " Web Access" 
         set comment " web access" 
     next
     edit " File Access" 
         set comment " file access" 
     next
     edit " Email" 
         set comment " email services" 
     next
     edit " Network Services" 
         set comment " network services" 
     next
     edit " Authentication" 
         set comment " authentication service" 
     next
     edit " Remote Access" 
         set comment " remote access" 
     next
     edit " Tunneling" 
         set comment " tunneling service" 
     next
     edit " VoIP, Messaging & Other Applications" 
         set comment " VoIP, messaging, and other applications" 
     next
     edit " Web Proxy" 
         set comment " Explicit web proxy" 
     next
 end
 config firewall service custom
     edit " ALL" 
         set category " General" 
         set protocol IP
     next
     edit " ALL_TCP" 
         set category " General" 
         set tcp-portrange 1-65535
     next
     edit " ALL_UDP" 
         set category " General" 
         set udp-portrange 1-65535
     next
     edit " ALL_ICMP" 
         set category " General" 
         set protocol ICMP
         unset icmptype
     next
     edit " ALL_ICMP6" 
         set category " General" 
         set protocol ICMP6
         unset icmptype
     next
     edit " GRE" 
         set category " Tunneling" 
         set protocol IP
         set protocol-number 47
     next
     edit " AH" 
         set category " Tunneling" 
         set protocol IP
         set protocol-number 51
     next
     edit " ESP" 
         set category " Tunneling" 
         set protocol IP
         set protocol-number 50
     next
     edit " AOL" 
         set visibility disable
         set tcp-portrange 5190-5194
     next
     edit " BGP" 
         set category " Network Services" 
         set tcp-portrange 179
     next
     edit " DHCP" 
         set category " Network Services" 
         set udp-portrange 67-68
     next
     edit " DNS" 
         set category " Network Services" 
         set tcp-portrange 53
         set udp-portrange 53
     next
     edit " FINGER" 
         set visibility disable
         set tcp-portrange 79
     next
     edit " FTP" 
         set category " File Access" 
         set tcp-portrange 21
     next
     edit " FTP_GET" 
         set category " File Access" 
         set tcp-portrange 21
     next
     edit " FTP_PUT" 
         set category " File Access" 
         set tcp-portrange 21
     next
     edit " GOPHER" 
         set visibility disable
         set tcp-portrange 70
     next
     edit " H323" 
         set category " VoIP, Messaging & Other Applications" 
         set tcp-portrange 1720 1503
         set udp-portrange 1719
     next
     edit " HTTP" 
         set category " Web Access" 
         set tcp-portrange 80
     next
     edit " HTTPS" 
         set category " Web Access" 
         set tcp-portrange 443
     next
     edit " IKE" 
         set category " Tunneling" 
         set udp-portrange 500 4500
     next
     edit " IMAP" 
         set category " Email" 
         set tcp-portrange 143
     next
     edit " IMAPS" 
         set category " Email" 
         set tcp-portrange 993
     next
     edit " Internet-Locator-Service" 
         set visibility disable
         set tcp-portrange 389
     next
     edit " IRC" 
         set category " VoIP, Messaging & Other Applications" 
         set tcp-portrange 6660-6669
     next
     edit " L2TP" 
         set category " Tunneling" 
         set tcp-portrange 1701
         set udp-portrange 1701
     next
     edit " LDAP" 
         set category " Authentication" 
         set tcp-portrange 389
     next
     edit " NetMeeting" 
         set visibility disable
         set tcp-portrange 1720
     next
     edit " NFS" 
         set category " File Access" 
         set tcp-portrange 111 2049
         set udp-portrange 111 2049
     next
     edit " NNTP" 
         set visibility disable
         set tcp-portrange 119
     next
     edit " NTP" 
         set category " Network Services" 
         set tcp-portrange 123
         set udp-portrange 123
     next
     edit " OSPF" 
         set category " Network Services" 
         set protocol IP
         set protocol-number 89
     next
     edit " PC-Anywhere" 
         set category " Remote Access" 
         set tcp-portrange 5631
         set udp-portrange 5632
     next
     edit " PING" 
         set category " Network Services" 
         set protocol ICMP
         set icmptype 8
         unset icmpcode
     next
     edit " TIMESTAMP" 
         set protocol ICMP
         set visibility disable
         set icmptype 13
         unset icmpcode
     next
     edit " INFO_REQUEST" 
         set protocol ICMP
         set visibility disable
         set icmptype 15
         unset icmpcode
     next
     edit " INFO_ADDRESS" 
         set protocol ICMP
         set visibility disable
         set icmptype 17
         unset icmpcode
     next
     edit " ONC-RPC" 
         set category " Remote Access" 
         set tcp-portrange 111
         set udp-portrange 111
     next
     edit " DCE-RPC" 
         set category " Remote Access" 
         set tcp-portrange 135
         set udp-portrange 135
     next
     edit " POP3" 
         set category " Email" 
         set tcp-portrange 110
     next
     edit " POP3S" 
         set category " Email" 
         set tcp-portrange 995
     next
     edit " PPTP" 
         set category " Tunneling" 
         set tcp-portrange 1723
     next
     edit " QUAKE" 
         set visibility disable
         set udp-portrange 26000 27000 27910 27960
     next
     edit " RAUDIO" 
         set visibility disable
         set udp-portrange 7070
     next
     edit " REXEC" 
         set visibility disable
         set tcp-portrange 512
     next
     edit " RIP" 
         set category " Network Services" 
         set udp-portrange 520
     next
     edit " RLOGIN" 
         set visibility disable
         set tcp-portrange 513:512-1023
     next
     edit " RSH" 
         set visibility disable
         set tcp-portrange 514:512-1023
     next
     edit " SCCP" 
         set category " VoIP, Messaging & Other Applications" 
         set tcp-portrange 2000
     next
     edit " SIP" 
         set category " VoIP, Messaging & Other Applications" 
         set udp-portrange 5060
     next
     edit " SIP-MSNmessenger" 
         set category " VoIP, Messaging & Other Applications" 
         set tcp-portrange 1863
     next
     edit " SAMBA" 
         set category " File Access" 
         set tcp-portrange 139
     next
     edit " SMTP" 
         set category " Email" 
         set tcp-portrange 25
     next
     edit " SMTPS" 
         set category " Email" 
         set tcp-portrange 465
     next
     edit " SNMP" 
         set category " Network Services" 
         set tcp-portrange 161-162
         set udp-portrange 161-162
     next
     edit " SSH" 
         set category " Remote Access" 
         set tcp-portrange 22
     next
     edit " SYSLOG" 
         set category " Network Services" 
         set udp-portrange 514
     next
     edit " TALK" 
         set visibility disable
         set udp-portrange 517-518
     next
     edit " TELNET" 
         set category " Remote Access" 
         set tcp-portrange 23
     next
     edit " TFTP" 
         set category " File Access" 
         set udp-portrange 69
     next
     edit " MGCP" 
         set visibility disable
         set udp-portrange 2427 2727
     next
     edit " UUCP" 
         set visibility disable
         set tcp-portrange 540
     next
     edit " VDOLIVE" 
         set visibility disable
         set tcp-portrange 7000-7010
     next
     edit " WAIS" 
         set visibility disable
         set tcp-portrange 210
     next
     edit " WINFRAME" 
         set visibility disable
         set tcp-portrange 1494 2598
     next
     edit " X-WINDOWS" 
         set category " Remote Access" 
         set tcp-portrange 6000-6063
     next
     edit " PING6" 
         set protocol ICMP6
         set visibility disable
         set icmptype 128
         unset icmpcode
     next
     edit " MS-SQL" 
         set category " VoIP, Messaging & Other Applications" 
         set tcp-portrange 1433 1434
     next
     edit " MYSQL" 
         set category " VoIP, Messaging & Other Applications" 
         set tcp-portrange 3306
     next
     edit " RDP" 
         set category " Remote Access" 
         set tcp-portrange 3389
     next
     edit " VNC" 
         set category " Remote Access" 
         set tcp-portrange 5900
     next
     edit " DHCP6" 
         set category " Network Services" 
         set udp-portrange 546 547
     next
     edit " SQUID" 
         set category " Tunneling" 
         set tcp-portrange 3128
     next
     edit " SOCKS" 
         set category " Tunneling" 
         set tcp-portrange 1080
         set udp-portrange 1080
     next
     edit " WINS" 
         set category " Remote Access" 
         set tcp-portrange 1512
         set udp-portrange 1512
     next
     edit " RADIUS" 
         set category " Authentication" 
         set udp-portrange 1812 1813
     next
     edit " RADIUS-OLD" 
         set visibility disable
         set udp-portrange 1645 1646
     next
     edit " CVSPSERVER" 
         set visibility disable
         set tcp-portrange 2401
         set udp-portrange 2401
     next
     edit " AFS3" 
         set category " File Access" 
         set tcp-portrange 7000-7009
         set udp-portrange 7000-7009
     next
     edit " TRACEROUTE" 
         set category " Network Services" 
         set udp-portrange 33434-33535
     next
     edit " RTSP" 
         set category " VoIP, Messaging & Other Applications" 
         set tcp-portrange 554 7070 8554
         set udp-portrange 554
     next
     edit " MMS" 
         set visibility disable
         set tcp-portrange 1755
         set udp-portrange 1024-5000
     next
     edit " KERBEROS" 
         set category " Authentication" 
         set tcp-portrange 88
         set udp-portrange 88
     next
     edit " LDAP_UDP" 
         set category " Authentication" 
         set udp-portrange 389
     next
     edit " SMB" 
         set category " File Access" 
         set tcp-portrange 445
     next
     edit " ALL_CUSTOM" 
         set category " General" 
         set protocol IP
     next
     edit " webproxy" 
         set explicit-proxy enable
         set category " Web Proxy" 
         set protocol ALL
         set tcp-portrange 0-65535:0-65535
     next
 end
 config firewall service group
     edit " Email Access" 
         set member " DNS"  " IMAP"  " IMAPS"  " POP3"  " POP3S"  " SMTP"  " SMTPS" 
     next
     edit " Web Access" 
         set member " DNS"  " HTTP"  " HTTPS" 
     next
     edit " Windows AD" 
         set member " DCE-RPC"  " DNS"  " KERBEROS"  " LDAP"  " LDAP_UDP"  " SAMBA"  " SMB" 
     next
     edit " Exchange Server" 
         set member " DCE-RPC"  " DNS"  " HTTPS" 
     next
     edit " Exchange Server OWA" 
         set member " DNS"  " HTTPS" 
     next
     edit " Outlook" 
         set member " DCE-RPC"  " DNS"  " IMAP"  " IMAPS"  " POP3"  " POP3S"  " SMTP"  " SMTPS"  " HTTPS" 
     next
 end
 config webfilter ftgd-local-cat
     edit " custom1" 
         set id 140
     next
     edit " custom2" 
         set id 141
     next
 end
 config ips sensor
     edit " default" 
         set comment " prevent critical attacks" 
             config entries
                 edit 1
                     set severity high critical 
                 next
             end
     next
     edit " all_default" 
         set comment " all predefined signatures with default setting" 
             config entries
                 edit 1
                 next
             end
     next
     edit " all_default_pass" 
         set comment " all predefined signatures with PASS action" 
             config entries
                 edit 1
                     set action pass
                 next
             end
     next
     edit " protect_http_server" 
         set comment " protect against HTTP server-side vulnerabilities" 
             config entries
                 edit 1
                     set location server 
                     set protocol HTTP 
                 next
             end
     next
     edit " protect_email_server" 
         set comment " protect against EMail server-side vulnerabilities" 
             config entries
                 edit 1
                     set location server 
                     set protocol SMTP POP3 IMAP 
                 next
             end
     next
     edit " protect_client" 
         set comment " protect against client-side vulnerabilities" 
             config entries
                 edit 1
                     set location client 
                 next
             end
     next
 end
 config firewall shaper traffic-shaper
     edit " high-priority" 
         set maximum-bandwidth 1048576
         set per-policy enable
     next
     edit " medium-priority" 
         set maximum-bandwidth 1048576
         set per-policy enable
         set priority medium
     next
     edit " low-priority" 
         set maximum-bandwidth 1048576
         set per-policy enable
         set priority low
     next
     edit " guarantee-100kbps" 
         set guaranteed-bandwidth 100
         set maximum-bandwidth 1048576
         set per-policy enable
     next
     edit " shared-1M-pipe" 
         set maximum-bandwidth 1024
     next
 end
 config application list
     edit " default" 
         set comment " monitor all applications" 
             config entries
                 edit 1
                     set action pass
                 next
             end
     next
     edit " block-p2p" 
             config entries
                 edit 1
                     set category 2
                 next
             end
     next
     edit " monitor-p2p-and-media" 
             config entries
                 edit 1
                     set action pass
                     set category 2
                 next
                 edit 2
                     set action pass
                     set category 5
                 next
             end
     next
 end
 config dlp filepattern
     edit 1
             config entries
                 edit " *.bat" 
                 next
                 edit " *.com" 
                 next
                 edit " *.dll" 
                 next
                 edit " *.doc" 
                 next
                 edit " *.exe" 
                 next
                 edit " *.gz" 
                 next
                 edit " *.hta" 
                 next
                 edit " *.ppt" 
                 next
                 edit " *.rar" 
                 next
                 edit " *.scr" 
                 next
                 edit " *.tar" 
                 next
                 edit " *.tgz" 
                 next
                 edit " *.vb?" 
                 next
                 edit " *.wps" 
                 next
                 edit " *.xl?" 
                 next
                 edit " *.zip" 
                 next
                 edit " *.pif" 
                 next
                 edit " *.cpl" 
                 next
             end
         set name " builtin-patterns" 
     next
     edit 2
             config entries
                 edit " bat" 
                     set filter-type type
                     set file-type bat
                 next
                 edit " exe" 
                     set filter-type type
                     set file-type exe
                 next
                 edit " elf" 
                     set filter-type type
                     set file-type elf
                 next
                 edit " hta" 
                     set filter-type type
                     set file-type hta
                 next
             end
         set name " all_executables" 
     next
 end
 config dlp fp-sensitivity
     edit " Private" 
     next
     edit " Critical" 
     next
     edit " Warning" 
     next
 end
 config dlp sensor
     edit " default" 
         set comment " summary archive email and web traffics" 
         set extended-utm-log enable
     next
     edit " Content_Summary" 
         set extended-utm-log enable
     next
     edit " Content_Archive" 
         set extended-utm-log enable
     next
     edit " Large-File" 
         set extended-utm-log enable
     next
     edit " Credit-Card" 
         set extended-utm-log enable
     next
     edit " SSN-Sensor" 
         set extended-utm-log enable
     next
 end
 config webfilter content
 end
 config webfilter urlfilter
     edit 1
             config entries
                 edit " www.meneame.net" 
                     set action allow
                 next
             end
         set name " default" 
     next
 end
 config spamfilter bword
 end
 config spamfilter bwl
 end
 config spamfilter mheader
 end
 config spamfilter dnsbl
 end
 config spamfilter iptrust
 end
 config client-reputation profile
 end
 config netscan assets
     edit 1
         set addr-type range
         set name " internal2_LAN" 
         set start-ip 192.168.32.1
         set end-ip 192.168.63.254
     next
     edit 2
         set name " 192.168.32.4" 
         set start-ip 192.168.32.4
     next
 end
 config icap profile
     edit " default" 
     next
 end
 config vpn ssl settings
     set dns-server1 192.168.32.1
     set servercert " fortigate1" 
     set algorithm high
     set idle-timeout 1800
     set tunnel-ip-pools " SSLVPN_TUNNEL_ADDR1" 
     set port 8443
 end
 config vpn ssl web host-check-software
     edit " FortiClient-AV" 
         set guid " C86EC76D-5A4C-40E7-BD94-59358E544D81" 
     next
     edit " FortiClient-FW" 
         set guid " 528CB157-D384-4593-AAAA-E42DFF111CED" 
         set type fw
     next
     edit " FortiClient-AV-Vista-Win7" 
         set guid " 385618A6-2256-708E-3FB9-7E98B93F91F9" 
     next
     edit " FortiClient-FW-Vista-Win7" 
         set guid " 006D9983-6839-71D6-14E6-D7AD47ECD682" 
         set type fw
     next
     edit " AVG-Internet-Security-AV" 
         set guid " 17DDD097-36FF-435F-9E1B-52D74245D6BF" 
     next
     edit " AVG-Internet-Security-AV-Vista-Win7" 
         set guid " 0C939084-9E57-CBDB-EA61-0B0C7F62AF82" 
     next
     edit " CA-Anti-Virus" 
         set guid " 17CFD1EA-56CF-40B5-A06B-BD3A27397C93" 
     next
     edit " CA-Internet-Security-AV" 
         set guid " 6B98D35F-BB76-41C0-876B-A50645ED099A" 
     next
     edit " CA-Internet-Security-AV-Vista-Win7" 
         set guid " 3EED0195-0A4B-4EF3-CC4F-4F401BDC245F" 
     next
     edit " F-Secure-Internet-Security-AV" 
         set guid " E7512ED5-4245-4B4D-AF3A-382D3F313F15" 
     next
     edit " F-Secure-Internet-Security-AV-Vista-Win7" 
         set guid " 15414183-282E-D62C-CA37-EF24860A2F17" 
     next
     edit " Kaspersky-AV" 
         set guid " 2C4D4BC6-0793-4956-A9F9-E252435469C0" 
     next
     edit " Kaspersky-AV-Vista-Win7" 
         set guid " AE1D740B-8F0F-D137-211D-873D44B3F4AE" 
     next
     edit " McAfee-Internet-Security-Suite-AV" 
         set guid " 84B5EE75-6421-4CDE-A33A-DD43BA9FAD83" 
     next
     edit " McAfee-Internet-Security-Suite-AV-Vista-Win7" 
         set guid " 86355677-4064-3EA7-ABB3-1B136EB04637" 
     next
     edit " McAfee-Virus-Scan-Enterprise" 
         set guid " 918A2B0B-2C60-4016-A4AB-E868DEABF7F0" 
     next
     edit " Norton-360-2.0-AV" 
         set guid " A5F1BC7C-EA33-4247-961C-0217208396C4" 
     next
     edit " Norton-360-3.0-AV" 
         set guid " E10A9785-9598-4754-B552-92431C1C35F8" 
     next
     edit " Norton-Internet-Security-AV" 
         set guid " E10A9785-9598-4754-B552-92431C1C35F8" 
     next
     edit " Norton-Internet-Security-AV-Vista-Win7" 
         set guid " 88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855" 
     next
     edit " Symantec-Endpoint-Protection-AV" 
         set guid " FB06448E-52B8-493A-90F3-E43226D3305C" 
     next
     edit " Symantec-Endpoint-Protection-AV-Vista-Win7" 
         set guid " 88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855" 
     next
     edit " Panda-Antivirus+Firewall-2008-AV" 
         set guid " EEE2D94A-D4C1-421A-AB2C-2CE8FE51747A" 
     next
     edit " Panda-Internet-Security-AV" 
         set guid " 4570FB70-5C9E-47E9-B16C-A3A6A06C4BF0" 
     next
     edit " Sophos-Anti-Virus" 
         set guid " 3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD" 
     next
     edit " Sophos-Enpoint-Secuirty-and-Control-AV-Vista-Win7" 
         set guid " 479CCF92-4960-B3E0-7373-BF453B467D2C" 
     next
     edit " Trend-Micro-AV" 
         set guid " 7D2296BC-32CC-4519-917E-52E652474AF5" 
     next
     edit " Trend-Micro-AV-Vista-Win7" 
         set guid " 48929DFC-7A52-A34F-8351-C4DBEDBD9C50" 
     next
     edit " ZoneAlarm-AV" 
         set guid " 5D467B10-818C-4CAB-9FF7-6893B5B8F3CF" 
     next
     edit " ZoneAlarm-AV-Vista-Win7" 
         set guid " D61596DF-D219-341C-49B3-AD30538CBC5B" 
     next
     edit " AVG-Internet-Security-FW" 
         set guid " 8DECF618-9569-4340-B34A-D78D28969B66" 
         set type fw
     next
     edit " AVG-Internet-Security-FW-Vista-Win7" 
         set guid " 34A811A1-D438-CA83-C13E-A23981B1E8F9" 
         set type fw
     next
     edit " CA-Internet-Security-FW" 
         set guid " 38102F93-1B6E-4922-90E1-A35D8DC6DAA3" 
         set type fw
     next
     edit " CA-Internet-Security-FW-Vista-Win7" 
         set guid " 06D680B0-4024-4FAB-E710-E675E50F6324" 
         set type fw
     next
     edit " CA-Personal-Firewall" 
         set guid " 14CB4B80-8E52-45EA-905E-67C1267B4160" 
         set type fw
     next
     edit " F-Secure-Internet-Security-FW" 
         set guid " D4747503-0346-49EB-9262-997542F79BF4" 
         set type fw
     next
     edit " F-Secure-Internet-Security-FW-Vista-Win7" 
         set guid " 2D7AC0A6-6241-D774-E168-461178D9686C" 
         set type fw
     next
     edit " Kaspersky-FW" 
         set guid " 2C4D4BC6-0793-4956-A9F9-E252435469C0" 
         set type fw
     next
     edit " Kaspersky-FW-Vista-Win7" 
         set guid " 9626F52E-C560-D06F-0A42-2E08BA60B3D5" 
         set type fw
     next
     edit " McAfee-Internet-Security-Suite-FW" 
         set guid " 94894B63-8C7F-4050-BDA4-813CA00DA3E8" 
         set type fw
     next
     edit " McAfee-Internet-Security-Suite-FW-Vista-Win7" 
         set guid " BE0ED752-0A0B-3FFF-80EC-B2269063014C" 
         set type fw
     next
     edit " Norton-360-2.0-FW" 
         set guid " 371C0A40-5A0C-4AD2-A6E5-69C02037FBF3" 
         set type fw
     next
     edit " Norton-360-3.0-FW" 
         set guid " 7C21A4C9-F61F-4AC4-B722-A6E19C16F220" 
         set type fw
     next
     edit " Norton-Internet-Security-FW" 
         set guid " 7C21A4C9-F61F-4AC4-B722-A6E19C16F220" 
         set type fw
     next
     edit " Norton-Internet-Security-FW-Vista-Win7" 
         set guid " B0F2DB13-C654-2E74-30D4-99C9310F0F2E" 
         set type fw
     next
     edit " Symantec-Endpoint-Protection-FW" 
         set guid " BE898FE3-CD0B-4014-85A9-03DB9923DDB6" 
         set type fw
     next
     edit " Symantec-Endpoint-Protection-FW-Vista-Win7" 
         set guid " B0F2DB13-C654-2E74-30D4-99C9310F0F2E" 
         set type fw
     next
     edit " Panda-Antivirus+Firewall-2008-FW" 
         set guid " 7B090DC0-8905-4BAF-8040-FD98A41C8FB8" 
         set type fw
     next
     edit " Panda-Internet-Security-2006~2007-FW" 
         set guid " 4570FB70-5C9E-47E9-B16C-A3A6A06C4BF0" 
         set type fw
     next
     edit " Panda-Internet-Security-2008~2009-FW" 
         set guid " 7B090DC0-8905-4BAF-8040-FD98A41C8FB8" 
         set type fw
     next
     edit " Sophos-Enpoint-Secuirty-and-Control-FW" 
         set guid " 0786E95E-326A-4524-9691-41EF88FB52EA" 
         set type fw
     next
     edit " Sophos-Enpoint-Secuirty-and-Control-FW-Vista-Win7" 
         set guid " 7FA74EB7-030F-B2B8-582C-1670C5953A57" 
         set type fw
     next
     edit " Trend-Micro-FW" 
         set guid " 3E790E9E-6A5D-4303-A7F9-185EC20F3EB6" 
         set type fw
     next
     edit " Trend-Micro-FW-Vista-Win7" 
         set guid " 70A91CD9-303D-A217-A80E-6DEE136EDB2B" 
         set type fw
     next
     edit " ZoneAlarm-FW" 
         set guid " 829BDA32-94B3-44F4-8446-F8FCFF809F8B" 
         set type fw
     next
     edit " ZoneAlarm-FW-Vista-Win7" 
         set guid " EE2E17FA-9876-3544-62EC-0405AD5FFB20" 
         set type fw
     next
 end
 config vpn ssl web portal
     edit " full-access" 
         set allow-access web ftp smb telnet ssh vnc rdp citrix rdpnative portforward
         set heading " SP FG SSLVPN Full Access" 
         set page-layout double-column
             config widget
                 edit 1
                     set name " Tunnel Mode" 
                     set type tunnel
                     set column two
                     set ipv6-split-tunneling disable
                     set ip-pools " SSLVPN_TUNNEL_ADDR1" 
                     set ipv6-pools " SSLVPN_TUNNEL_IPv6_ADDR1" 
                     set save-password enable
                 next
                 edit 2
                     set name " Bookmark_Category1" 
                     set allow-apps web ftp smb telnet ssh vnc rdp citrix rdpnative portforward
                         config bookmarks
                             edit " bookmark1" 
                                 set description " Cisco SG500-52 no. 1 planta 11" 
                                 set url " https://192.168.1.217" 
                             next
                             edit " Cisco SG500-52num1" 
                                 set description " Cisco SG500-52 num 1" 
                                 set url " https://cisco_sg500-52-1.mycompany.es" 
                             next
                         end
                 next
                 edit 3
                     set name " Connection Tool" 
                     set type tool
                     set column two
                     set allow-apps web ftp smb telnet ssh vnc rdp citrix rdpnative portforward
                 next
                 edit 4
                     set name " Session Information" 
                     set type info
                 next
                 edit 5
                     set name " FortiClient Download" 
                     set type forticlient-download
                     set column two
                 next
             end
     next
     edit " web-access" 
         set allow-access web ftp smb telnet ssh vnc rdp citrix rdpnative portforward
         set theme orange
         set heading " SP FG SSLVPN Web Access" 
             config widget
                 edit 1
                     set name " BookmarkCategory1Test" 
                     set allow-apps web ftp smb telnet ssh vnc rdp citrix rdpnative portforward
                         config bookmarks
                             edit " Bookmark1Test" 
                                 set description " Cisco SG500-52no.1" 
                                 set url " https://cisco_sg500-52-1.mycompany.es" 
                             next
                         end
                 next
                 edit 3
                     set name " FortiClient Download" 
                     set type forticlient-download
                 next
                 edit 4
                     set name " Session Information" 
                     set type info
                 next
                 edit 5
                     set name " Connection Tool" 
                     set type tool
                     set allow-apps web ftp smb telnet ssh vnc rdp citrix rdpnative portforward
                 next
             end
     next
     edit " tunnel-access" 
         set heading " SP FG SSLVPN Tunnel Access" 
             config widget
                 edit 1
                     set name " Tunnel Mode" 
                     set type tunnel
                     set ipv6-split-tunneling disable
                     set ip-pools " SSLVPN_TUNNEL_ADDR1" 
                     set ipv6-pools " SSLVPN_TUNNEL_IPv6_ADDR1" 
                     set save-password enable
                     set keep-alive enable
                 next
             end
     next
 end
 config user fortitoken
     edit " FTKMOB386DC3A717" 
         set license " FTMTRIAL00053118" 
     next
     edit " FTKMOB38A585C0D5" 
         set license " FTMTRIAL00053118" 
     next
 end
 config user local
     edit " guest" 
         set type password
         set passwd-time 2013-08-22 12:26:47
         set passwd ENC 
     next
     edit " jlibove" 
         set type password
         set email-to " " 
         set passwd-time 2013-09-12 17:25:27
         set passwd ENC 
     next
     edit " iOSTest" 
         set type password
         set email-to " " 
         set passwd-time 2013-09-09 11:11:08
         set passwd ENC 
     next
     edit " svelez" 
         set type password
         set email-to " " 
         set passwd-time 2013-08-13 11:30:42
         set passwd ENC 
     next
     edit " ganguera" 
         set type password
         set email-to " " 
         set passwd-time 2013-09-26 17:45:29
         set passwd ENC
     next
     edit " rvalles" 
         set type password
         set email-to " " 
         set passwd-time 2013-08-21 18:21:21
         set passwd ENC
     next
     edit " bjuncosa" 
         set type password
         set email-to " " 
         set passwd-time 2013-08-28 11:00:35
         set passwd ENC
     next
     edit " jgarcia" 
         set type password
         set email-to " " 
         set passwd-time 2013-08-30 17:45:38
         set passwd ENC
     next
     edit " dfranco" 
         set type password
         set email-to " " 
         set passwd-time 2013-09-04 16:40:10
         set passwd ENC
     next
     edit " rgomez" 
         set type password
         set email-to " " 
         set passwd-time 2013-09-06 16:59:34
         set passwd ENC
     next
     edit " mcanaleta" 
         set type password
         set email-to " " 
         set passwd-time 2013-09-06 17:13:47
         set passwd ENC
     next
     edit " jruiz" 
         set type password
         set email-to " " 
         set passwd-time 2013-09-06 17:22:41
         set passwd ENC
     next
     edit " adiaz" 
         set type password
         set email-to " " 
         set passwd-time 2013-10-04 10:05:41
         set passwd ENC
     next
     edit " jexposito" 
         set type password
         set email-to " " 
         set passwd-time 2013-10-04 18:16:23
         set passwd ENC
     next
 end
 config user group
     edit " FSSO_Guest_Users" 
         set group-type fsso-service
     next
     edit " Guest-group" 
         set member " guest" 
     next
     edit " sslvpntunnel" 
     next
     edit " ipsecvpn" 
         set member " jlibove"  " bjuncosa"  " mcanaleta"  " jruiz" 
     next
     edit " sslvpnportal" 
     next
     edit " ipseciOS" 
         set member " iOSTest"  " svelez"  " jlibove"  " ganguera"  " jgarcia"  " dfranco"  " rgomez"  " mcanaleta"  " jruiz" 
     next
     edit " sslvpntunnelandportal" 
         set member " ganguera"  " rvalles"  " bjuncosa"  " jlibove"  " mcanaleta"  " jruiz"  " jexposito" 
     next
     edit " WebFilterOverriders" 
         set member " bjuncosa"  " dfranco"  " ganguera"  " jlibove"  " jruiz"  " mcanaleta"  " adiaz" 
     next
 end
 config user device
     edit " SP-JLibove" 
         set mac 30:f9:ed:f3:xx:xx
         set type windows-pc
     next
     edit " Guillem MacOSX notebook" 
         set mac 40:6c:8f:2c:xx:xx
         set type mac
     next
     edit " Jay Android Tablet" 
         set mac 14:89:fd:c7:xx:xx
         set type android-tablet
     next
     edit " QA trasto Alberto" 
         set mac 00:53:45:00:00:00
         set type windows-pc
     next
 end
 config user device-group
     edit " Windows-FortiAV" 
         set comment " Windows clients needing an AV of last resort" 
         set member " QA trasto Alberto " 
     next
 end
 config voip profile
     edit " default" 
         set comment " default VoIP profile" 
         set extended-utm-log enable
             config sip
                 set log-violations enable
             end
             config sccp
                 set log-call-summary enable
                 set log-violations enable
             end
     next
     edit " strict" 
         set extended-utm-log enable
             config sip
                 set malformed-request-line discard
                 set malformed-header-via discard
                 set malformed-header-from discard
                 set malformed-header-to discard
                 set malformed-header-call-id discard
                 set malformed-header-cseq discard
                 set malformed-header-rack discard
                 set malformed-header-rseq discard
                 set malformed-header-contact discard
                 set malformed-header-record-route discard
                 set malformed-header-route discard
                 set malformed-header-expires discard
                 set malformed-header-content-type discard
                 set malformed-header-content-length discard
                 set malformed-header-max-forwards discard
                 set malformed-header-allow discard
                 set malformed-header-p-asserted-identity discard
                 set malformed-header-sdp-v discard
                 set malformed-header-sdp-o discard
                 set malformed-header-sdp-s discard
                 set malformed-header-sdp-i discard
                 set malformed-header-sdp-c discard
                 set malformed-header-sdp-b discard
                 set malformed-header-sdp-z discard
                 set malformed-header-sdp-k discard
                 set malformed-header-sdp-a discard
                 set malformed-header-sdp-t discard
                 set malformed-header-sdp-r discard
                 set malformed-header-sdp-m discard
             end
     next
 end
 config webfilter profile
     edit " default" 
         set comment " default web filtering" 
         set replacemsg-group " web-filter-default" 
         set ovrd-perm bannedword-override urlfilter-override fortiguard-wf-override contenttype-check-override
         set post-action comfort
             config override
                 set ovrd-user-group " " 
             end
             config web
                 set urlfilter-table 1
             end
             config ftgd-wf
                 set options error-allow
                 set category-override 140 141
                     config filters
                         edit 19
                             set action authenticate
                             set auth-usr-grp " WebFilterOverriders" 
                             set category 4
                         next
                         edit 18
                             set action authenticate
                             set auth-usr-grp " WebFilterOverriders" 
                             set category 26
                             set override-replacemsg " 26" 
                         next
                         edit 20
                             set action authenticate
                             set auth-usr-grp " WebFilterOverriders" 
                             set category 61
                             set override-replacemsg " 26" 
                         next
                         edit 21
                             set action authenticate
                             set auth-usr-grp " WebFilterOverriders" 
                             set category 86
                             set override-replacemsg " 26" 
                         next
                     end
             end
         set extended-utm-log disable
     next
     edit " web-filter-flow" 
         set comment " flow-based web filter profile" 
         set inspection-mode flow-based
         set post-action comfort
             config ftgd-wf
                     config filters
                         edit 1
                             set action warning
                             set category 2
                         next
                         edit 2
                             set action warning
                             set category 7
                         next
                         edit 3
                             set action warning
                             set category 8
                         next
                         edit 4
                             set action warning
                             set category 9
                         next
                         edit 5
                             set action warning
                             set category 11
                         next
                         edit 6
                             set action warning
                             set category 12
                         next
                         edit 7
                             set action warning
                             set category 13
                         next
                         edit 8
                             set action warning
                             set category 14
                         next
                         edit 9
                             set action warning
                             set category 15
                         next
                         edit 10
                             set action warning
                             set category 16
                         next
                         edit 11
                             set action warning
                         next
                         edit 12
                             set action warning
                             set category 57
                         next
                         edit 13
                             set action warning
                             set category 63
                         next
                         edit 14
                             set action warning
                             set category 64
                         next
                         edit 15
                             set action warning
                             set category 65
                         next
                         edit 16
                             set action warning
                             set category 66
                         next
                         edit 17
                             set action warning
                             set category 67
                         next
                         edit 18
                             set action block
                             set category 26
                         next
                     end
             end
     next
 end
 config webfilter override
 end
 config webfilter override-user
 end
 config webfilter ftgd-warning
 end
 config webfilter ftgd-local-rating
 end
 config webfilter search-engine
     edit " google" 
         set hostname " .*\\.google\\..*" 
         set url " ^\\/((custom|search|images|videosearch|webhp)\\?)" 
         set query " q=" 
         set safesearch url
         set safesearch-str " &safe=active" 
     next
     edit " yahoo" 
         set hostname " .*\\.yahoo\\..*" 
         set url " ^\\/search(\\/video|\\/images){0,1}(\\?|;)" 
         set query " p=" 
         set safesearch url
         set safesearch-str " &vm=r" 
     next
     edit " bing" 
         set hostname " www\\.bing\\.com" 
         set url " ^(\\/images|\\/videos)?(\\/search|\\/async)\\?" 
         set query " q=" 
         set safesearch url
         set safesearch-str " &adlt=strict" 
     next
     edit " yandex" 
         set hostname " yandex\\..*" 
         set url " ^\\/(yand){0,1}(search)[\\/]{0,}.{0,}\\?" 
         set query " text=" 
         set safesearch url
         set safesearch-str " &fyandex=1" 
     next
     edit " youtube" 
         set hostname " .*\\.youtube\\..*" 
         set safesearch header
     next
     edit " baidu" 
         set hostname " .*\\.baidu\\.com" 
         set url " ^\\/s?\\?" 
         set query " wd=" 
     next
     edit " baidu2" 
         set hostname " .*\\.baidu\\.com" 
         set url " ^\\/(ns|q|m|i|v)\\?" 
         set query " word=" 
     next
     edit " baidu3" 
         set hostname " tieba\\.baidu\\.com" 
         set url " ^\\/f\\?" 
         set query " kw=" 
     next
 end
 config vpn ipsec phase1-interface
     edit " iOSIPsec1" 
         set type dynamic
         set interface " ONO" 
         set dhgrp 2
         set peertype one
         set xauthtype auto
         set mode aggressive
         set mode-cfg enable
         set proposal aes256-sha512 aes256-sha1 aes128-sha1
         set peerid " iOSIPsec1" 
         set authusrgrp " ipseciOS" 
         set ipv4-start-ip 192.168.8.129
         set ipv4-end-ip 192.168.8.158
         set ipv4-netmask 255.255.255.224
         set ipv4-dns-server1 192.168.1.1
         set psksecret ENC 
     next
     edit " FortiCliIPsec" 
         set type dynamic
         set interface " ONO" 
         set xauthtype auto
         set mode aggressive
         set mode-cfg enable
         set proposal aes256-sha512 aes128-sha1 3des-sha1
         set authusrgrp " ipsecvpn" 
         set ipv4-start-ip 192.168.8.97
         set ipv4-end-ip 192.168.8.126
         set ipv4-netmask 255.255.255.224
         set ipv4-dns-server1 192.168.1.1
         set psksecret ENC 
     next
     edit " AndroidIPsec1" 
         set type dynamic
         set interface " ONO" 
         set dhgrp 2
         set xauthtype auto
         set mode-cfg enable
         set proposal aes256-sha512 aes128-sha1 3des-md5
         set comments " android 2.3 IPsec client requires Main Mode" 
         set authusrgrp " ipsecvpn" 
         set ipv4-start-ip 192.168.8.97
         set ipv4-end-ip 192.168.8.126
         set ipv4-dns-server1 192.168.1.1
         set psksecret ENC 
     next
 end
 config vpn ipsec phase2-interface
     edit " iOSIPsec1b" 
         set phase1name " iOSIPsec1" 
         set proposal aes256-sha512 aes256-sha1 aes128-sha1
         set dhgrp 2
     next
     edit " FortiCliIPsec" 
         set phase1name " FortiCliIPsec" 
         set proposal aes256-sha512 aes128-sha1 3des-sha1
     next
     edit " AndroidIPsec1b" 
         set phase1name " AndroidIPsec1" 
         set proposal aes256-sha512 aes128-sha1 3des-md5
         set dhgrp 2
     next
 end
 config system dns-server
     edit " internal2" 
         set mode forward-only
     next
     edit " ssl.root" 
         set mode forward-only
     next
 end
 config antivirus settings
     set grayware enable
 end
 config antivirus profile
     edit " default" 
         set comment " scan and delete virus" 
         set inspection-mode flow-based
         set block-botnet-connections enable
         set extended-utm-log enable
             config http
                 set options scan
             end
             config ftp
                 set options scan
             end
             config imap
                 set options scan
             end
             config pop3
                 set options scan
             end
             config smtp
                 set options scan
             end
             config mapi
                 set options scan
             end
             config nntp
                 set options scan
             end
             config im
                 set options scan
             end
             config smb
                 set options scan
             end
         set av-virus-log disable
     next
     edit " AV-flow" 
         set comment " flow-based scan and delete virus" 
         set inspection-mode flow-based
         set extended-utm-log enable
             config http
                 set options scan
             end
             config ftp
                 set options scan
             end
             config imap
                 set options scan
             end
             config pop3
                 set options scan
             end
             config smtp
                 set options scan
             end
             config nntp
                 set options scan
             end
             config im
                 set options scan
             end
         set av-virus-log disable
     next
 end
 config spamfilter profile
     edit " default" 
         set comment " malware and phishing URL filtering" 
         set flow-based enable
         set extended-utm-log enable
             config imap
                 set log enable
             end
             config pop3
                 set log enable
             end
             config smtp
                 set log enable
             end
             config msn-hotmail
                 set log enable
             end
             config yahoo-mail
                 set log enable
             end
             config gmail
                 set log enable
             end
     next
 end
 config report layout
     edit " default" 
             config body-item
                 edit 350
                     set type misc
                     set misc-component section-start
                     set column 1
                     set title " Bandwidth and Application Usage" 
                 next
                 edit 401
                     set type chart
                     set chart " bandwidth.applications" 
                     set chart-options include-no-data
                 next
                 edit 501
                     set type chart
                     set chart " web.usage" 
                     set chart-options include-no-data
                 next
                 edit 511
                     set type chart
                     set chart " email.usage" 
                     set chart-options include-no-data
                 next
                 edit 515
                     set type chart
                     set chart " threats" 
                     set chart-options include-no-data
                 next
                 edit 521
                     set type chart
                     set chart " vpn.usage" 
                     set chart-options include-no-data
                 next
                 edit 525
                     set type chart
                     set chart " events" 
                     set chart-options include-no-data
                 next
                 edit 601
                     set type chart
                     set hide enable
                     set chart " traffic.bandwidth.users" 
                     set chart-options include-no-data
                     set drill-down-items " 5" 
                     set drill-down-types " 0" 
                 next
             end
         set email-recipients " " 
         set email-send enable
         set format pdf
         set options dummy-option
             config page
                     config footer
                             config footer-item
                                 edit 1
                                     set content " Fortinet Inc. All rights reserved" 
                                 next
                                 edit 2
                                     set style " align_right" 
                                     set content " ${page_no}" 
                                 next
                             end
                     end
                     config header
                             config header-item
                                 edit 1
                                     set type image
                                     set style " align_right" 
                                     set img-src " fortinet_logo.jpg" 
                                 next
                             end
                     end
                 set options header-on-first-page footer-on-first-page
                 set page-break-before heading1
                 set paper letter
             end
         set style-theme " default-report" 
         set title " FortiGate System Analysis Report" 
     next
 end
 config wanopt settings
     set host-id " default-id" 
 end
 config wanopt profile
     edit " default" 
         set comments " default WANopt profile" 
     next
 end
 config web-proxy global
     set proxy-fqdn " default.fqdn" 
 end
 config wanopt webcache
     set always-revalidate enable
 end
 config web-proxy url-match
     edit " AppRiver hosted Exchange OWA" 
         set cache-exemption enable
         set url-pattern " exg6.exghost.com" 
     next
 end
 config firewall schedule recurring
     edit " always" 
         set day sunday monday tuesday wednesday thursday friday saturday
     next
 end
 config firewall profile-protocol-options
     edit " default" 
         set comment " all default services" 
             config http
                 set ports 80
                 set options no-content-summary
                 unset post-lang
             end
             config ftp
                 set ports 21
                 set options no-content-summary splice
             end
             config imap
                 set ports 143
                 set options fragmail no-content-summary
             end
             config mapi
                 set ports 135
                 set options fragmail no-content-summary
             end
             config pop3
                 set ports 110
                 set options fragmail no-content-summary
             end
             config smtp
                 set ports 25
                 set options fragmail no-content-summary splice
             end
             config nntp
                 set ports 119
                 set options no-content-summary splice
             end
             config im
                 unset options
             end
             config dns
                 set ports 53
             end
     next
 end
 config firewall deep-inspection-options
     edit " default" 
         set comment " all default services" 
             config https
                 set ports 443
                 set status disable
             end
             config ftps
                 set ports 990
                 set status disable
             end
             config imaps
                 set ports 993
                 set status disable
             end
             config pop3s
                 set ports 995
                 set status disable
             end
             config smtps
                 set ports 465
                 set status disable
             end
             config ssh
                 set ports 22
             end
     next
 end
 config firewall identity-based-route
 end
 config firewall policy
     edit 12
         set srcintf " ONO" 
         set dstintf " any" 
         set srcaddr " Hacker1-212.67.x.x" 
         set dstaddr " all" 
         set schedule " always" 
         set service " ALL" 
         set logtraffic disable
         set comments " Repeated unauthorized SSL VPN login attempts 2013-08" 
     next
     edit 21
         set srcintf " internal2" 
         set dstintf " ONO" 
         set srcaddr " 192.168.32.3" 
         set action accept
         set status disable
         set comments " test enforcing endpoint policy" 
         set email-collection-portal enable
         set forticlient-compliance-enforcement-portal enable
         set forticlient-compliance-devices android
         set identity-based enable
         set identity-from device
         set nat enable
             config identity-based-policy
                 edit 1
                     set schedule " always" 
                     set utm-status enable
                     set dstaddr " all" 
                     set service " ALL" 
                     set devices " Jay Android Tablet" 
                     set endpoint-compliance enable
                     set av-profile " default" 
                     set webfilter-profile " default" 
                     set spamfilter-profile " default" 
                     set ips-sensor " default" 
                     set profile-protocol-options " default" 
                 next
             end
     next
     edit 20
         set srcintf " ONO" 
         set dstintf " any" 
         set srcaddr " all" 
         set dstaddr " ONO IP address 84.124.xx.xx/32" 
         set action ssl-vpn
         set comments " SSL VPN Tunnel and Portal authentication rule for users who may access both. Gives access to SSL VPN Portal \" full-access\" . And allows onward tunnel as well as proxy access to all destinations internal and external." 
         set sslvpn-cipher high
         set identity-based enable
             config identity-based-policy
                 edit 1
                     set schedule " always" 
                     set groups " sslvpntunnelandportal" 
                     set service " ALL" 
                     set sslvpn-portal " full-access" 
                 next
             end
     next
     edit 16
         set srcintf " ONO" 
         set dstintf " any" 
         set srcaddr " all" 
         set dstaddr " all" 
         set action ssl-vpn
         set comments " SSL VPN Tunnel (only) authentication rule for users. Gives access to SSL VPN Portal \" tunnel-access\" . And allows onward tunnel access to all destinations internal and external." 
         set sslvpn-cipher high
         set identity-based enable
             config identity-based-policy
                 edit 1
                     set schedule " always" 
                     set groups " sslvpntunnel" 
                     set service " ALL" 
                     set sslvpn-portal " tunnel-access" 
                 next
             end
     next
     edit 19
         set srcintf " FortiCliIPsec" 
         set dstintf " ONO" 
         set srcaddr " IPsecVPN_usersIPs_range" 
         set dstaddr " all" 
         set action accept
         set schedule " always" 
         set service " ALL" 
         set nat enable
     next
     edit 8
         set srcintf " FortiCliIPsec" 
         set dstintf " any" 
         set srcaddr " IPsecVPN_usersIPs_range" 
         set dstaddr " all" 
         set action accept
         set schedule " always" 
         set service " ALL" 
     next
     edit 10
         set srcintf " ONO" 
         set dstintf " any" 
         set srcaddr " all" 
         set dstaddr " all" 
         set action ssl-vpn
         set sslvpn-cipher high
         set identity-based enable
             config identity-based-policy
                 edit 1
                     set schedule " always" 
                     set groups " sslvpnportal" 
                     set service " ALL" 
                     set sslvpn-portal " web-access" 
                 next
             end
     next
     edit 13
         set srcintf " iOSIPsec1" 
         set dstintf " internal" 
         set srcaddr " iOSIPsec_users_range" 
         set dstaddr " SP internal wired LAN1"  " SP internal WiFi LAN SP_OFFICE" 
         set action accept
         set schedule " always" 
         set service " ALL" 
     next
     edit 11
         set srcintf " iOSIPsec1" 
         set dstintf " ONO" 
         set srcaddr " iOSIPsec_users_range" 
         set dstaddr " all" 
         set action accept
         set schedule " always" 
         set service " ALL" 
         set nat enable
     next
     edit 17
         set srcintf " iOSIPsec1" 
         set dstintf " internal" 
         set srcaddr " iOSIPsec_users_range" 
         set dstaddr " all" 
         set action accept
         set schedule " always" 
         set service " ALL" 
         set comments " While FortiGate uses MikroTik as outbound default route, must have this firewall rule to allow dest IP ALL via Internal interface." 
     next
     edit 14
         set srcintf " internal" 
         set dstintf " iOSIPsec1" 
         set srcaddr " SP internal wired LAN1"  " SP internal WiFi LAN SP_OFFICE" 
         set dstaddr " iOSIPsec_users_range" 
         set action accept
         set schedule " always" 
         set service " ALL" 
     next
     edit 15
         set srcintf " internal" 
         set dstintf " FortiCliIPsec" 
         set srcaddr " SP internal wired LAN1"  " SP internal WiFi LAN SP_OFFICE" 
         set dstaddr " IPsecVPN_usersIPs_range" 
         set action accept
         set schedule " always" 
         set service " ALL" 
     next
     edit 18
         set srcintf " internal" 
         set dstintf " ONO" 
         set srcaddr " SP internal wired LAN1"  " SP internal WiFi LAN SP_OFFICE"  " SP internal WiFi LAN SP_GUEST" 
         set dstaddr " all" 
         set action accept
         set schedule " always" 
         set service " ALL" 
         set utm-status enable
         set webcache enable
         set comments " Allow Internal Wired LAN users to get out to the Internet via ONO VLAN interface" 
         set av-profile " default" 
         set webfilter-profile " default" 
         set spamfilter-profile " default" 
         set ips-sensor " default" 
         set profile-protocol-options " default" 
         set nat enable
     next
     edit 25
         set srcintf " internal2" 
         set dstintf " ONO" 
         set srcaddr " SP internal wired LAN2" 
         set dstaddr " all" 
         set action accept
         set schedule " always" 
         set service " ALL" 
         set utm-status enable
         set av-profile " default" 
         set webfilter-profile " default" 
         set spamfilter-profile " default" 
         set ips-sensor " default" 
         set profile-protocol-options " default" 
         set nat enable
     next
     edit 22
         set srcintf " internal2" 
         set dstintf " internal" 
         set srcaddr " SP internal wired LAN2" 
         set dstaddr " SP internal wired LAN1"  " SP internal WiFi LAN SP_OFFICE"  " SP internal WiFi LAN SP_GUEST"  " SP internal WiFi Mgmt subnet" 
         set action accept
         set schedule " always" 
         set service " ALL" 
         set utm-status enable
         set comments " Allows FortiGate Internal2 LAN to talk to MikroTik Internal LAN" 
         set ips-sensor " default" 
         set profile-protocol-options " default" 
     next
     edit 23
         set srcintf " internal" 
         set dstintf " internal2" 
         set srcaddr " SP internal WiFi LAN SP_OFFICE"  " SP internal wired LAN1" 
         set dstaddr " SP internal wired LAN2" 
         set action accept
         set schedule " always" 
         set service " ALL" 
         set utm-status enable
         set comments " Allow MikroTik Internal LAN to reach FortiGate Internal2 LAN" 
         set ips-sensor " default" 
         set profile-protocol-options " default" 
     next
     edit 24
         set srcintf " ONO" 
         set dstintf " any" 
         set srcaddr " all" 
         set dstaddr " all" 
         set action ssl-vpn
         set comments " let ssl portal users use web connection tool" 
         set identity-based enable
             config identity-based-policy
                 edit 1
                     set schedule " always" 
                     set groups " sslvpntunnelandportal" 
                     set service " ALL" 
                     set sslvpn-portal " full-access" 
                 next
             end
     next
 end
 config firewall local-in-policy
 end
 config firewall policy6
 end
 config firewall local-in-policy6
 end
 config firewall ttl-policy
 end
 config firewall policy64
 end
 config firewall policy46
 end
 config firewall interface-policy
 end
 config firewall interface-policy6
 end
 config firewall sniff-interface-policy
 end
 config firewall sniff-interface-policy6
 end
 config firewall DoS-policy
 end
 config firewall DoS-policy6
 end
 config firewall sniffer
     edit 2
         set interface " internal" 
         set host " 192.168.255.255" 
     next
     edit 3
         set interface " ONO" 
         set host " 192.254.232.236" 
     next
     edit 4
         set interface " ssl.root" 
         set host " 192.168.8.65" 
     next
 end
 config endpoint-control profile
     edit " Windows-FortiAV" 
             config forticlient-winmac-settings
                 set forticlient-av enable
                 set forticlient-vpn-provisioning enable
                     config forticlient-vpn-settings
                         edit " SP FG SSL VPN" 
                             set type ssl
                             set remote-gw " node.com" 
                             set sslvpn-access-port 8443
                         next
                     end
                 set forticlient-log-upload disable
                 set forticlient-update-from-fmg enable
                 set forticlient-update-failover-to-fdn disable
                 set forticlient-ui-options av vpn
             end
             config forticlient-android-settings
             end
             config forticlient-ios-settings
             end
         set description " Windows clients needing an AV of last resort" 
         set device-groups " Windows-FortiAV" 
     next
     edit " default" 
             config forticlient-winmac-settings
                 set forticlient-vpn-provisioning enable
                     config forticlient-vpn-settings
                         edit " FG SSL VPN" 
                             set type ssl
                             set remote-gw " vpn.mycompany.es" 
                             set sslvpn-access-port 8443
                         next
                     end
                 set forticlient-log-upload disable
                 set forticlient-ui-options vpn
             end
             config forticlient-android-settings
             end
             config forticlient-ios-settings
             end
     next
 end
 config wireless-controller wids-profile
     edit " default" 
         set comment " default wids profile" 
         set wireless-bridge enable
         set deauth-broadcast enable
         set null-ssid-probe-resp enable
         set long-duration-attack enable
         set invalid-mac-oui enable
         set weak-wep-iv enable
         set auth-frame-flood enable
         set assoc-frame-flood enable
         set spoofed-deauth enable
         set asleap-attack enable
         set eapol-start-flood enable
         set eapol-logoff-flood enable
         set eapol-succ-flood enable
         set eapol-fail-flood enable
         set eapol-pre-succ-flood enable
         set eapol-pre-fail-flood enable
     next
 end
 config wireless-controller wtp-profile
     edit " FAP220A-default" 
             config platform
                 set type 220A
             end
         set ap-country US
             config radio-1
                 set band 802.11n
             end
             config radio-2
                 set band 802.11n-5G
             end
     next
     edit " FAP112B-default" 
             config platform
                 set type 112B
             end
         set ap-country US
             config radio-1
                 set band 802.11n
             end
             config radio-2
                 set mode disabled
             end
     next
     edit " FAP220B-default" 
         set ap-country US
             config radio-1
                 set band 802.11n-5G
             end
             config radio-2
                 set band 802.11n
             end
     next
     edit " FAP210B-default" 
             config platform
                 set type 210B
             end
         set ap-country US
             config radio-1
                 set band 802.11n
             end
             config radio-2
                 set mode disabled
             end
     next
     edit " FAP222B-default" 
             config platform
                 set type 222B
             end
         set ap-country US
             config radio-1
                 set band 802.11n
             end
             config radio-2
                 set band 802.11n-5G
             end
     next
     edit " FAP320B-default" 
             config platform
                 set type 320B
             end
         set ap-country US
             config radio-1
                 set band 802.11n-5G
             end
             config radio-2
                 set band 802.11n
             end
     next
 end
 config log disk setting
     set status enable
     set maximum-log-age 0
 end
 config log setting
     set fwpolicy-implicit-log enable
     set local-in-deny disable
     set resolve-hosts disable
 end
 config alertemail setting
     set username " " 
     set mailto1 " " 
     set filter-mode threshold
     set severity warning
 end
 config router rip
         config redistribute " connected" 
         end
         config redistribute " static" 
         end
         config redistribute " ospf" 
         end
         config redistribute " bgp" 
         end
         config redistribute " isis" 
         end
 end
 config router ripng
         config redistribute " connected" 
         end
         config redistribute " static" 
         end
         config redistribute " ospf" 
         end
         config redistribute " bgp" 
         end
         config redistribute " isis" 
         end
 end
 config router static
     edit 1
         set device " ONO" 
         set gateway 84.124.xxx.xxx
     next
     edit 4
         set comment " Route to reach SSLVPN clients" 
         set device " ssl.root" 
         set dst 192.168.8.64 255.255.255.224
     next
     edit 5
         set comment " to reach internal hosts on Wi-Fi SP_OFFICE" 
         set device " internal" 
         set dst 192.168.12.0 255.255.252.0
         set gateway 192.168.1.1
     next
     edit 6
         set comment " To reach iOS IPsec VPN clients" 
         set device " iOSIPsec1" 
         set dst 192.168.8.128 255.255.255.224
     next
     edit 7
         set comment " To reach FortiClient IPsec VPN users (non-iOS)" 
         set device " FortiCliIPsec" 
         set dst 192.168.8.96 255.255.255.224
     next
     edit 8
         set comment " For FG internals to reach SP_GUEST Wi-Fi LAN" 
         set device " internal" 
         set dst 192.168.16.0 255.255.255.0
         set gateway 192.168.1.1
     next
     edit 9
         set comment " Cisco Wi-Fi Management VLAN" 
         set device " internal" 
         set dst 192.168.17.0 255.255.255.0
         set gateway 192.168.1.1
     next
 end
 config router ospf
         config redistribute " connected" 
         end
         config redistribute " static" 
         end
         config redistribute " rip" 
         end
         config redistribute " bgp" 
         end
         config redistribute " isis" 
         end
 end
 config router ospf6
         config redistribute " connected" 
         end
         config redistribute " static" 
         end
         config redistribute " rip" 
         end
         config redistribute " bgp" 
         end
         config redistribute " isis" 
         end
 end
 config router bgp
         config redistribute " connected" 
         end
         config redistribute " rip" 
         end
         config redistribute " ospf" 
         end
         config redistribute " static" 
         end
         config redistribute " isis" 
         end
         config redistribute6 " connected" 
         end
         config redistribute6 " rip" 
         end
         config redistribute6 " ospf" 
         end
         config redistribute6 " static" 
         end
         config redistribute6 " isis" 
         end
 end
 config router isis
         config redistribute " connected" 
         end
         config redistribute " rip" 
         end
         config redistribute " ospf" 
         end
         config redistribute " bgp" 
         end
         config redistribute " static" 
         end
 end
 config router multicast
 end
 
kolawale_FTNT

>> How do I get a copy/export of the FortiClient config?
From the FortiClient GUI, select File -> Settings and click the Backup button. Be sure to choose "no password" in the Backup Configuration dialog box that is displayed.

>> FG100D configuration is below
I reviewed the section of the configuration listed below and have the following question: does the MAC address of the client match the one defined below? If it does not, the client will receive the default EC (endpoint-control) profile rather than "Windows-FortiAV". The MAC address used by the client is displayed on the FortiGate EC monitor page.
  config user device 
      edit " QA trasto Alberto"  
          set mac 00:53:45:00:00:00 
          set type windows-pc 
      next 
  end 
  config user device-group 
      edit " Windows-FortiAV"  
          set comment " Windows clients needing an AV of last resort"  
          set member " QA trasto Alberto "  
      next 
  end 
  config endpoint-control profile 
      edit " Windows-FortiAV"  
              config forticlient-winmac-settings 
                  set forticlient-av enable 
                  set forticlient-vpn-provisioning enable 
                      config forticlient-vpn-settings 
                          edit " SP FG SSL VPN"  
                              set type ssl 
                              set remote-gw " node.com"  
                              set sslvpn-access-port 8443 
                          next 
                      end 
                  set forticlient-log-upload disable 
                  set forticlient-update-from-fmg enable 
                  set forticlient-update-failover-to-fdn disable 
                  set forticlient-ui-options av vpn 
              end 
              config forticlient-android-settings 
              end 
              config forticlient-ios-settings 
              end 
          set description " Windows clients needing an AV of last resort"  
          set device-groups " Windows-FortiAV"  
      next 
      edit " default"  
              config forticlient-winmac-settings 
                  set forticlient-vpn-provisioning enable 
                      config forticlient-vpn-settings 
                          edit " FG SSL VPN"  
                              set type ssl 
                              set remote-gw " vpn.mycompany.es"  
                              set sslvpn-access-port 8443 
                          next 
                      end 
                  set forticlient-log-upload disable 
                  set forticlient-ui-options vpn 
              end 
              config forticlient-android-settings 
              end 
              config forticlient-ios-settings 
              end 
      next 
  end 
 