Types of objects

The page displays the following object categories:

  • Zone/Interface
  • Firewall Objects
  • Security Profiles
  • User & Device

These objects are described in the following sections.

Zone/Interface

You can define a dynamic interface or a dynamic zone. A dynamic zone allows you to specify multiple interfaces.

The following figure shows the Create New Interface form.

The following figure shows the Create New Zone form.

Specify the name of the dynamic interface or zone, add an optional description, and select one of the default mappings. You can also specify dynamic mapping for a device by selecting Per-Device Mapping.

Firewall Objects

Firewall objects include address, schedule, service and virtual IP. For additional information about the object types, see FortiOS Object Configuration.

Address

You can specify an address as a country, an FQDN or as an IP subnet and mask. The address can apply to all interfaces, or you can configure a specific interface.

You can also create an Address Group, which defines a group of related addresses.

Schedule

You can specify a set of days and time ranges with recurring or one-time schedules.

Service

Although numerous services are already configured, the system also allows administrators to configure their own.

The service object specifies the protocol and any additional information required to identify the service (which depends on the protocol):

  • IP—IP protocol number
  • TCP/UDP/SCTP—source and destination port range

You can also create a service group, which defines a group of related services.

Virtual IP

The Virtual IP objects map external IP addresses to internal addresses.

The following figure shows the Virtual IP object display:

FortiPortal supports the following Virtual IP object types:

  • IPv4 Virtual IP—uses static NAT to map a range of external addresses to an internal address range
  • IPv4 Virtual IP Group—defines a group of one or more Virtual IPs, for ease of administration
  • IP Pool—defines an IP address or range of IP addresses to use as the source address (rather than the IP address of the interface)

Security Profiles

Security profiles are described in detail in the FortiGate Security Profiles document and in the online help files at FortiOS Security Profiles.

The following security profiles are supported on FortiPortal:

  • Antivirus Profile
  • Application Sensor
  • Data Leak Prevention Sensor
  • Email Filter Profile
  • IPS Sensor
  • Web Filter Profile
  • Local Category
  • Rating Overrides
  • DNS Filter Profile

Local Category (security profile introduced with FortiPortal 1.2.0)

You can create a local category and then use Rating Override to assign URLs to the new category.

Rating Overrides (security profile introduced with FortiPortal 1.2.0)

Use a Rating Override object to override the Fortinet rating for a URL. The Security Profiles document contains additional information about local categories and rating overrides.

The following figure displays rating overrides:

DNS Filter Profile (security profile introduced with FortiPortal 5.3.0)

The DNS filter profile only supports ADOM version 5.4 or higher.

You can configure DNS web filtering to allow, block, or monitor access to web content according to FortiGuard categories. When DNS web filtering is enabled, your FortiPortal must use the FortiGuard DNS service for DNS lookups. DNS lookup requests sent to the FortiGuard DNS service return with an IP address and a domain rating that includes the FortiGuard category of the web page.

FortiGuard maintains a database containing a list of known botnet command and control (C&C) addresses. This database is updated dynamically and stored on the FortiGate and requires a valid FortiGuard AntiVirus subscription. When you block DNS requests to known botnet C&C addresses, using IPS, DNS lookups are checked against the botnet C&C database. All matching DNS lookups are blocked. Matching uses a reverse prefix match, so all sub-domains are also blocked. To enable this feature, enable Block DNS requests to known botnet C&C in the Create New DNS Filter Profile or Edit DNS Filter Profile form.

You can also create a domain filter in the Create New DNS Filter Profile or Edit DNS Filter Profile form. The DNS domain filter allows you to block, allow, or monitor DNS requests by using IPS to look inside DNS packets and match the domain being looked up with the domains on the static URL filter list. If there is a match, the DNS request can be blocked, monitored, or allowed. If blocked, the DNS request is blocked and so the user cannot look up the address and connect to the site. If allowed, access to the site is allowed even if another method is used to block it.
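The two matching rules above (the botnet C&C reverse prefix match that also catches sub-domains, and the static domain filter whose allow action overrides other blocks) are illustrated below. This is an added example, not FortiOS or FortiPortal code; the C&C list and filter entries are constructed sample data, and the evaluation order (domain filter first, then botnet database) is an assumption that reproduces the documented behaviour.

```python
# Constructed sample data (not a real FortiGuard feed): a botnet C&C list and
# a static domain filter list with the three documented actions.
BOTNET_CC = {"cnc.badbot.example", "c2.example.net"}
DOMAIN_FILTER = [
    ("allow", "intranet.example.org"),
    ("monitor", "socialmedia.example"),
    ("block", "phish.example"),
]


def _labels_root_first(name: str) -> list:
    """Normalise a DNS name (case, trailing dot) and return its labels root-first."""
    name = name.rstrip(".").lower()
    return list(reversed(name.split("."))) if name else []


def reverse_prefix_match(qname: str, entry: str) -> bool:
    """True if qname equals entry or is a sub-domain of it.

    The comparison is made label by label from the root, so every sub-domain of
    the entry matches, while a look-alike such as 'evil-example.com' does NOT
    match 'example.com' (a plain string suffix test would wrongly match it).
    """
    q, e = _labels_root_first(qname), _labels_root_first(entry)
    return len(e) > 0 and len(q) >= len(e) and q[: len(e)] == e


def evaluate_dns_query(qname, domain_filter=DOMAIN_FILTER, botnet_cc=BOTNET_CC):
    """Return (action, reason) for one DNS lookup.

    Assumed order: the static domain filter is consulted first, so an 'allow'
    entry overrides the botnet C&C block as the documentation describes; then
    the botnet database is checked; a name matching nothing passes through.
    """
    for action, entry in domain_filter:
        if reverse_prefix_match(qname, entry):
            return action, f"domain-filter:{entry}"
    for cc in sorted(botnet_cc):
        if reverse_prefix_match(qname, cc):
            return "block", f"botnet-cc:{cc}"
    return "pass", "no-match"


if __name__ == "__main__":
    for q in ("update.cnc.badbot.example", "evil-example.com",
              "Feed.SocialMedia.Example", "intranet.example.org"):
        print(q, "->", evaluate_dns_query(q))
```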

The following figure displays a DNS filter profile:

User & Device

Security policies may allow access to specified users and user groups only (the object types in the User & Device category).

For additional information about users and user groups, refer to FortiOS Handbook: Authentication.

User Definition

You can create local (accounts stored on the FortiGate unit), or remote users (accounts stored on a remote authentication server). FortiGate supports LDAP, RADIUS, and TACACS+ servers.

The following figure shows the Edit User form for a local user:

For a remote user, you need to specify the remote server, as shown in the following figure:

Two-Factor Authentication

Two-factor authentication methods, including FortiToken, provide additional security. You can also enable two-factor authentication using FortiAuthenticator.

To use two-factor authentication:
  1. Go to Policy & Objects > Objects.
  2. In the User & Device tree, select User Definition.
  3. Right-click under the header row and select Create New or right-click an existing user definition and select Edit.
  4. Select Enable Two-factor Authentication.
  5. If you want to use a FortiToken for two-factor authentication, select FortiToken.

    FortiToken is a disconnected one-time password (OTP) generator. It is a small physical device with a button that, when pressed, displays a six-digit authentication code. This code is entered together with the user's user name and password as the second factor. The code displayed changes every 60 seconds, and when not in use the LCD screen is blanked to extend battery life.

    There is also a mobile phone application, FortiToken Mobile, that performs much the same function.

    FortiTokens have a small hole in one end. This is intended for a lanyard to be inserted so the device can be worn around the neck, or easily stored with other electronic devices. Do not put the FortiToken on a key ring as the metal ring and other metal objects can damage it. The FortiToken is an electronic device like a cell phone and must be treated with similar care.

    Any time information about the FortiToken is transmitted, it is encrypted. When the FortiPortal unit receives the code that matches the serial number for a particular FortiToken, it is delivered and stored encrypted. This is in keeping with Fortinet's commitment to keeping your network highly secured.

    FortiTokens can be added to user accounts that are local, IPsec VPN, SSL VPN, and even Administrators. A FortiToken can be associated with only one account on one FortiPortal unit.

    If you lose your FortiToken, your account can be locked so that it will not be used to falsely access the network. Later if found, that FortiToken can be unlocked on the FortiPortal unit to allow access once again.

  6. If you want to receive an email for two-factor authentication, select Email based two-factor authentication and Email (under Contact Info) and enter an email address.

    Two-factor email authentication sends a randomly generated six-digit numeric code to the specified email address. Enter that code when prompted at logon. This token code is valid for 60 seconds; if you enter it after that time, it will not be accepted.

    A benefit is that you do not require mobile service to authenticate. However, a potential issue arises if your email server does not deliver the message before the 60-second life of the token expires.

    The code will be generated and emailed at the time of logon, so you must have email access at that time to be able to receive the code.

  7. Select Save.

User Group

A user group is a list of user identities. To add or edit a user group, right-click under the header row and select Edit to display the Edit User Group form. Then, select group members from the Available Users list.

After you set the group type and add members, you cannot change the group type without removing its members. If you change the type, any members will be removed automatically.