Handbook
What's new
Fortinet Security Fabric
Manageability
Networking
Security
SSH MITM deep inspection
Getting started
Installation
Quick installation using DHCP
NAT mode installation
Virtual wire pair
Using the GUI
Connecting using a web browser
Menus
Dashboard
Feature Visibility
Tables
Text strings
Using the CLI
Connecting to the CLI
CLI-only features
Command syntax
Sub-commands
Permissions
Tips
FortiExplorer for iOS
LED specifications
Inspection mode
Basic administration
Registration
System settings
Passwords
Configuration backups
Firmware
Downloading
Testing
Upgrading
Reverting
Installation from system reboot
Restoring from a USB key
Controlled upgrade
FortiGuard
FortiCloud
Troubleshooting your installation
Resources
Fortinet Security Fabric
Overview
Benefits
Components
Configuration
FortiGate, FortiSwitch, and FortiAP
FortiAnalyzer
FortiSandbox
FortiManager
FortiClient EMS
Using the Fortinet Security Fabric
Dashboard widgets
Topology
Security Rating
Automation stitches
Triggers
Actions
Creating automation stitches
Chaining and delaying actions
Diagnose commands
Fabric Connectors
Available services
Configuration
Verifying status
SD-WAN
Configuring SD-WAN
SD-WAN requirements
Configuring a basic SD-WAN deployment
Removing existing configuration references to interfaces
Creating SD-WAN interfaces
Configuring SD-WAN load balancing
Creating a static route for the SD-WAN interface
Configuring security policies for SD-WAN
Configuring link health monitoring
Configuring SD-WAN rules
Using the best quality strategy
Using the minimum quality SLA strategy
Monitoring SD-WAN
Applying traffic shaping to SD-WAN traffic
Viewing SD-WAN information in the Fortinet Security Fabric
High availability
HA solutions
FortiGate Cluster Protocol (FGCP)
FortiGate Session Life Support Protocol (FGSP)
VRRP
Session-Aware Load Balancing Clustering (SLBC)
Enhanced Load Balancing Clustering (ELBC)
Content clustering
FGCP HA
Synchronizing the configuration
Preparing to set up HA
Basic configuration steps
Active-passive and active-active HA
Identifying the cluster
Device, link, and session failover
Primary unit selection with override disabled (default)
Primary unit selection with override enabled
DHCP and PPPoE compatibility
Distributed clustering
Clusters of three or four FortiGates
Disk storage
FGCP best practices
FGCP HA glossary
FGCP support for OCVPN
GUI options
FGCP HA examples
How to set up FGCP HA
HA with three FortiGates
Active-active HA in transparent mode
FortiGate-5000 active-active HA cluster with FortiClient licenses
Replacing a failed cluster unit
HA with 802.3ad aggregate interfaces
HA with redundant interfaces
Troubleshooting
Virtual clustering
Configuration
Virtual clustering examples
Inter-VDOM links and virtual clustering
Troubleshooting virtual clustering
Full mesh HA
Full mesh HA example
Troubleshooting full mesh HA
Operating a cluster
Operating a virtual cluster
Out-of-band management
In-band management
Managing FortiGate in a virtual cluster
Shutdown/reboot the primary unit
Backup FortiGate management
RADIUS and LDAP servers
FortiGuard services
Logging
SNMP
FortiClient licenses
Cluster members list
Virtual cluster members list
HA statistics
HA configuration change
HA configuration change - virtual cluster
Backup FortiGate host name and device priority
Firmware upgrade
Firmware downgrade
Configuration backup and restore
Failover monitoring
CLI HA status
Managing individual cluster units
Disconnecting a FortiGate
Restoring a disconnected FortiGate
diagnose sys ha dump-by
Failover protection
A-P failover
A-A failover
Device failover
HA heartbeat
Unicast HA heartbeat
Cluster virtual MAC addresses
Synchronizing the configuration
Synchronizing kernel routing tables
Routing graceful restart
Link failover
Monitoring VLAN interfaces
Remote link failover
Failover affects the network
Failover monitoring
NAT mode A-P packet flow
Transparent mode A-P packet flow
Failover performance
Session failover
TCP, UDP, ICMP, and multicast sessions
If session pickup is disabled
Improving session sync performance
Pass-through sessions
Terminated sessions
IPsec VPN SA sync
WAN optimization
HA and load balancing
Load balancing schedules
TCP and UDP load balancing
NP6 and load balancing
Weighted load balancing
Dynamic optimization
Weighted load balancing example
NAT mode A-A packet flow
Transparent mode A-A packet flow
FortiGate-VM and third-party HA
VMware HA
Hyper-V HA
Layer-2 switches
Layer-3 switches
Connected equipment
Ethertype conflicts
LACP and 802.3ad aggregation
VRRP
Configuration
Adding IPv4 virtual router to an interface
Adding IPv6 virtual routers to an interface
VRRP failover
VRRP groups
VRRP virtual MACs
Single-domain VRRP example
Multi-domain VRRP example
Optional settings
FortiController-5000 VRRP support
FGSP
Between FGCP clusters
Configuration
TCP and SCTP sessions
Firmware upgrades
Configuration backup and restore
IPsec tunnels
Connectionless (UDP and ICMP) sessions
NAT sessions
Asymmetric sessions
Expectation sessions
GTP sessions
Flow-based inspection sessions
Notes and limitations
Session synchronization links
FGSP example
Verifying FGSP operation
Standalone configuration sync
Firewall
Firewall concepts
What is a firewall?
NAT mode and transparent mode
How FortiOS handles packets
Interfaces and zones
Access control lists
Firewall policies
Hair-pinning
Blocking traffic by a service or protocol
Learning mode
NGFW policy mode
DNS traffic in NGFW mode
Security profiles
Proxy option components
SSL/SSH inspection
Mirroring SSL inspected traffic
Encryption strength for proxied SSH sessions
RPC over HTTP
Security profile groups
Making security profile groups visible
NAT
The origins of NAT
Dynamic NAT
Static NAT
Benefits of NAT
NAT in transparent mode
Central NAT table
NAT64 and NAT46
NAT64 CLAT
NAT66
Session differentiation
IP pools
Services and TCP ports
Protocol types
TCP/UDP/SCTP
Protocol port values
ICMP
ICMP types and codes
log-invalid-packet
ICMPv6
ICMPv6 types and codes
IP
Protocol number
VPN policies
DSRI
Interface policies
DoS protection
Local-In policies
Security policy 0
Deny policies
Accept policies
Fixed port
Fixed port range IP pools algorithm
Endpoint security
Traffic logging
IPv6
Benefits
Addressing
Packet structure
Policies
NAT66, NAT64, NAT46 and DNS64
IPv6 tunneling
Tunneling IPv6 through IPsec VPN
IPv6 support for GRE tunnels
SIP
IPv6 MIB fields
Per-IP traffic shaper
DHCPv6
IPv6 forwarding
Authentication
FSSO
Neighbor discovery proxy
Address groups
Address ranges
Firewall addresses
SSH
ICMPv6
IPsec VPN
TCP MSS values
BGP
RIPng
RSSO
IPS
Blocking IPv6 packets by extension headers
DoS policies
Configure hosts in an SNMP community
PIM sparse mode multicast routing
Neighbor discovery proxy
Network defense
Inside FortiOS: Denial of Service (DoS) protection
Monitoring
Blocking external probes
Defending against DoS attacks
Policies
UUID support
Viewing firewall policies
Policy names
IPv4 policy
ISDB and IRDB in firewall policies
IPv6 policy
NAT64 policy
NAT46 policy
Central SNAT
IPv4 access control list
IPv6 access control list
IPv4 DoS policy
IPv6 DoS policy
Multicast policy
SSL mirroring for policies
Addresses
Interfaces
IPv4 addresses
FQDN addresses
Changing the TTL of a FQDN address
Geography based addresses
IP range addresses
IP / netmask addresses
Wildcard addressing
Wildcard FQDN
Wildcard FQDNs for SSL deep inspection exemptions
IPv6 addresses
Subnet addresses
IPv6 FQDN firewall addresses
Firewall IPv6 address templates
Multicast addresses
Multicast IP range
Broadcast subnet
Multicast IP addresses
Proxy addresses
Internet services
Address groups
Virtual IPs
IPv4 VIPs
IPv6 VIPs
NAT46 VIPs
NAT64 VIPs
FQDNs in VIPs
Dynamic VIP DNS translation
VIP groups
IP pools
IPv4 pools
IPv6 pools
NAT46 IP pools and secondary NAT64 prefixes
Services
Categories
Creating services
Specific addresses in TCP/UDP/SCTP
Service groups
Schedules
One-time schedules
Recurring schedules