Configuring firewall objects
Address and address group firewall objects support IPv6 addresses.
To configure an address:
- Go to Security > Firewall Objects.
- Select Address in the firewall object type dropdown.
- In the Create dropdown, select Address to open the Create Address dialog.
- In the Create Address dialog, enter the following information:
Settings
Guidelines
Name
Required. Enter a name for the address.
Color
From the dropdown, select a color option.
Type
Required. Select a type from the following options in the dropdown:
Subnet (default)
IP Range
FQDN
Geography
Dynamic
Device (MAC Address)
Sub Type
Required. Select a subtype from the following options in the dropdown:
ClearPass (default)
Fabric Connector Address
FortiNAC Tag
FortiVoice Tag
Fortinet Single Sign-On
Switch Controller NAC Policy Tag
Note: This option is only available when the Type is Dynamic.
IP/Netmask
Required. Enter the IP address and the netmask.
Note: This option is only available when the Type is Subnet.
IP Range
Required. Enter the IP address range.
Note: This option is only available when the Type is IP Range.
FQDN
Required. Enter the Fully Qualified Domain Name (FQDN).
Note: This option is only available when the Type is FQDN.
Geography/Region
Required. Select a country/territory from the dropdown.
Note: This option is only available when the Type is Geography.
SPT (System Posture Token)
Required. Select an SPT from the following options in the dropdown:
Checkup (default)
Healthy
Infected
Quarantine
Transient
Unknown
Note: This option is only available when the Sub Type is ClearPass.
Fabric Connector Address
Required. From the dropdown, select a Fabric Connector Address.
Note: This option is only available when the Sub Type is Fabric Connector Address.
Fortinet Single Sign-On (FSSO)
Required. From the dropdown, select an FSSO option.
Note: This option is only available when the Sub Type is Fortinet Single Sign-On (FSSO).
MAC Address
Select +, and enter the MAC addresses.
Note: This option is only available when the MAC Address Scope is single.
Interface
Required. From the dropdown, select an interface.
Static route configuration
Enable static route configuration.
Note: This option is not available when the Type is Geography, Dynamic, or Device (MAC Address).
Comments
Enter comments about the address.
- Click Save.
To configure an address group:
- Go to Security > Firewall Objects.
- Select Address in the firewall object type dropdown.
- In the Create dropdown, select Address Group to open the Create Address Group dialog.
- In the Create Address Group dialog, enter the following information:
Settings
Guidelines
Name
Required. Enter a name for the address group.
Color
From the dropdown, select a color option.
Members
Required. From the dropdown, select an address.
Comments
Enter comments about the address group.
- Click Save.
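The address types above differ in how a packet is matched against them: a Subnet is a prefix, an IP Range is an inclusive pair of endpoints, and an FQDN only matches whatever the firewall has currently resolved it to. The following Python is added here as an illustration and is not FortiPortal or FortiGate code; the class and field names, the match rules, and the pre-resolved FQDN addresses are assumptions, and the sample objects are constructed. It also shows the sanity checks (reversed ranges, mixed IPv4/IPv6 ranges, an all-zero subnet that matches everything) that are worth running over an address list before it is used in a policy.

```python
import ipaddress
from dataclasses import dataclass

# Illustrative model (not FortiPortal code) of three of the address Types on
# this page: Subnet, IP Range and FQDN. Geography, Dynamic and Device (MAC
# Address) are omitted because matching them needs data the page does not
# describe. Field names and the match rules are assumptions.

@dataclass(frozen=True)
class Address:
    name: str
    type: str                 # "subnet", "iprange" or "fqdn"
    value: str                # "10.0.0.0/24", "10.0.0.10-10.0.0.20" or "host.example.com"
    resolved: tuple = ()      # FQDN only: addresses the firewall's DNS cache holds (constructed)

    def _range(self):
        lo, hi = (ipaddress.ip_address(p.strip()) for p in self.value.split("-", 1))
        return lo, hi

    def validate(self) -> list:
        """Return the problems a sanity check would flag for this object."""
        problems = []
        try:
            if self.type == "subnet":
                net = ipaddress.ip_network(self.value, strict=False)
                if net.prefixlen == 0:
                    problems.append(f"{self.name}: {self.value} matches every address")
            elif self.type == "iprange":
                lo, hi = self._range()
                if lo.version != hi.version:
                    problems.append(f"{self.name}: range mixes IPv4 and IPv6")
                elif lo > hi:
                    problems.append(f"{self.name}: range start is after range end")
            elif self.type == "fqdn":
                if not self.resolved:
                    problems.append(f"{self.name}: FQDN has no resolved addresses, so it matches nothing")
            else:
                problems.append(f"{self.name}: unsupported type {self.type!r}")
        except ValueError as exc:
            problems.append(f"{self.name}: {exc}")
        return problems

    def matches(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        if self.type == "subnet":
            net = ipaddress.ip_network(self.value, strict=False)
            return addr.version == net.version and addr in net
        if self.type == "iprange":
            lo, hi = self._range()
            # ipaddress refuses to compare IPv4 with IPv6, so check the version first
            return lo.version == addr.version == hi.version and lo <= addr <= hi
        if self.type == "fqdn":
            return any(ipaddress.ip_address(r) == addr for r in self.resolved)
        return False

@dataclass(frozen=True)
class AddressGroup:
    name: str
    members: tuple            # Address objects (the Members field of the group)

    def matches(self, ip: str) -> bool:
        return any(m.matches(ip) for m in self.members)

def matching_objects(objects, ip: str) -> list:
    """Names of the addresses and groups that would match this IP, in list order."""
    return [o.name for o in objects if o.matches(ip)]

# Constructed sample objects.
LAN = Address("LAN", "subnet", "10.0.0.0/24")
LAN_V6 = Address("LAN_v6", "subnet", "2001:db8:1::/64")
DMZ_SERVERS = Address("DMZ_servers", "iprange", "192.0.2.10-192.0.2.20")
UPDATES = Address("updates.example.com", "fqdn", "updates.example.com",
                  resolved=("198.51.100.7", "2001:db8:2::7"))
INTERNAL = AddressGroup("Internal", (LAN, LAN_V6, DMZ_SERVERS))
OBJECTS = (LAN, LAN_V6, DMZ_SERVERS, UPDATES, INTERNAL)

if __name__ == "__main__":
    for ip in ("10.0.0.5", "192.0.2.15", "2001:db8:2::7", "203.0.113.9"):
        print(ip, "->", matching_objects(OBJECTS, ip))
```

The FQDN case is the one to watch: the object only ever matches the addresses the firewall last resolved, so a policy built on an FQDN address is only as good as the firewall's DNS cache at the moment the packet arrives.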
To configure a schedule:
- Go to Security > Firewall Objects.
- Select Schedule in the firewall object type dropdown.
- Select Create to open the Create New Schedule dialog.
- In the Create New Schedule dialog, enter the following information:
Settings
Guidelines
Type
Select either One Time Schedule or Recurring Schedule.
Name
Required. Enter a name for the schedule.
Color
From the dropdown, select a color option.
Start Time
Enter a start date (MM/DD/YYYY) and time.
Alternatively, select the calendar icon to pick the date and the clock icon to pick the time.
Note: The date option is only available when the Type is One Time Schedule.
End Time
Enter the end date (MM/DD/YYYY) and time.
Alternatively, select the calendar icon to pick the date and the clock icon to pick the time.
Note: The date option is only available when the Type is One Time Schedule.
Days
Select days of the week the schedule applies.
Note: This option is only available when the Type is Recurring Schedule.
All Day
Select the option if the schedule applies all day.
Note: This option is only available when the Type is Recurring Schedule.
Pre-expiration event log
Select to create an event log the configured number of days before the End Time.
Note: This option is selected by default and only available when the Type is One Time Schedule.
Number of days before
Enter the number of days (default = 3).
Note: This option is only available when the Type is One Time Schedule and Pre-expiration event log is selected.
- Click Save.
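A schedule attached to a policy decides whether the policy matches at a given moment, and a One Time Schedule additionally has the pre-expiration log described above. The Python below is an added illustration, not FortiPortal code, of how the two schedule Types evaluate; the field names, the rule that a recurring window whose End Time is not after its Start Time runs into the following day, and the rule that the warning log fires once the End Time is within "Number of days before" days are assumptions, and the sample schedules are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta

# Illustrative evaluation of the two schedule Types on this page (not FortiPortal
# code). Assumptions: a schedule is active from Start Time up to but excluding
# End Time; a recurring window whose End Time is not after its Start Time runs
# into the next day; and the pre-expiration event log fires once the End Time
# is within "Number of days before" days.

DAY_NAMES = ("mon", "tue", "wed", "thu", "fri", "sat", "sun")   # datetime.weekday() order

@dataclass(frozen=True)
class OneTimeSchedule:
    name: str
    start: datetime
    end: datetime
    pre_expiration_log: bool = True   # selected by default on the page
    days_before: int = 3              # page default

    def is_active(self, now: datetime) -> bool:
        return self.start <= now < self.end

    def pre_expiration_due(self, now: datetime) -> bool:
        """True inside the window in which the pre-expiration event log would be raised."""
        if not self.pre_expiration_log or now >= self.end:
            return False
        return self.end - now <= timedelta(days=self.days_before)

@dataclass(frozen=True)
class RecurringSchedule:
    name: str
    days: frozenset                   # subset of DAY_NAMES
    start: time = time(0, 0)
    end: time = time(0, 0)
    all_day: bool = False

    def is_active(self, now: datetime) -> bool:
        today = DAY_NAMES[now.weekday()]
        if self.all_day or self.start == self.end:
            return today in self.days
        t = now.time()
        if self.start < self.end:                       # window lies inside one day
            return today in self.days and self.start <= t < self.end
        # Window crosses midnight: it starts on a selected day and ends the next day.
        yesterday = DAY_NAMES[(now.weekday() - 1) % 7]
        return ((today in self.days and t >= self.start)
                or (yesterday in self.days and t < self.end))

def _as_datetime(when) -> datetime:
    return datetime.fromisoformat(when) if isinstance(when, str) else when

def active_schedules(schedules, when) -> list:
    """Names of the schedules a policy would treat as active at 'when' (ISO string or datetime)."""
    now = _as_datetime(when)
    return [s.name for s in schedules if s.is_active(now)]

def expiring_schedules(schedules, when) -> list:
    """One-time schedules whose pre-expiration event log would be raised at 'when'."""
    now = _as_datetime(when)
    return [s.name for s in schedules
            if isinstance(s, OneTimeSchedule) and s.pre_expiration_due(now)]

# Constructed sample schedules (June 2024: the 3rd is a Monday, the 7th a Friday).
MAINTENANCE = OneTimeSchedule("Maintenance_window",
                              datetime(2024, 6, 1, 22, 0), datetime(2024, 6, 2, 2, 0))
OFFICE_HOURS = RecurringSchedule("Office_hours", frozenset({"mon", "tue", "wed", "thu", "fri"}),
                                 time(8, 0), time(18, 0))
NIGHT_BATCH = RecurringSchedule("Night_batch", frozenset({"fri"}), time(22, 0), time(4, 0))
SCHEDULES = (MAINTENANCE, OFFICE_HOURS, NIGHT_BATCH)

if __name__ == "__main__":
    for when in ("2024-06-01T23:00", "2024-06-03T09:00", "2024-06-08T03:00", "2024-06-08T05:00"):
        print(when, "active:", active_schedules(SCHEDULES, when))
    print("expiring on 2024-05-30:", expiring_schedules(SCHEDULES, "2024-05-30T12:00"))
```

The midnight-crossing case is where schedules most often surprise people: a Friday 22:00 to 04:00 window is still active at 03:00 on Saturday even though Saturday is not a selected day, and the pre-expiration log on a one-time schedule is the only warning that a temporary exception is about to silently stop matching.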
To configure a service:
- Go to Security > Firewall Objects.
- Select Service in the firewall object type dropdown.
- Select Create to open the Create Service dialog.
- In the Create Service dialog, enter the following information:
Settings
Guidelines
Name
Enter a name for the service.
Comments
Enter comments about the service.
Color
Required. From the dropdown, select a color.
Show in Service list
Enable to display the service in the service list.
Note: This option is enabled by default.
Category
From the dropdown, select a category from the following options:
Uncategorized (default)
Authentication
Email
File Access
General
Network Services
Remote Access
Tunneling
VoIP, Messaging & Other Applications
Web Access
Web Proxy
Protocol Type
Select a protocol type:
- TCP/UDP/SCTP—address and destination port range (default).
- ICMP—type and code
- IP—IP protocol number
Address
Select either IP Range or FQDN and then enter the IP address range or the FQDN.
Note: This option is only available when the Protocol Type is TCP/UDP/SCTP.
Destination Port
From the dropdown, select TCP, UDP, or SCTP protocol type and enter a port range.
Select + to add multiple destination ports and ranges.
Select the Delete icon to remove a destination port.
Note: This option is only available when the Protocol Type is TCP/UDP/SCTP.
Type
Enter the type number.
Note: This option is only available when the Protocol Type is ICMP.
Code
Enter the code number.
Note: This option is only available when the Protocol Type is ICMP.
Protocol Number
Enter the protocol number.
Note: This option is only available when the Protocol Type is IP.
- Click Save.
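The three Protocol Types above match different parts of a packet, and an IP-type service defined by protocol number is broader than any port-based service for the same protocol. The Python below is an added illustration, not FortiPortal code; the class and field names, the rule that an ICMP service with no Code matches every code of its Type, and the sample services and packets are assumptions and constructed data.

```python
from dataclasses import dataclass
from typing import Optional

# Illustrative matcher (not FortiPortal code) for the three Protocol Types a
# service can have on this page. Assumptions: a TCP/UDP/SCTP service matches
# when the packet's protocol and destination port fall inside any of its
# entries; an ICMP service with no Code matches every code of its Type; an
# IP service matches on protocol number alone, whatever the ports.

PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "icmp6": 58, "sctp": 132}

@dataclass(frozen=True)
class PortEntry:
    proto: str           # "tcp", "udp" or "sctp"
    low: int
    high: int

def port_entry(proto: str, spec: str) -> PortEntry:
    """Parse one Destination Port entry: "443" or "8000-8080"."""
    low, _, high = spec.partition("-")
    low_i, high_i = int(low), int(high or low)
    if not (0 < low_i <= high_i <= 65535):
        raise ValueError(f"bad port range {spec!r}")
    return PortEntry(proto.lower(), low_i, high_i)

@dataclass(frozen=True)
class Service:
    name: str
    protocol_type: str                   # "tcp/udp/sctp", "icmp" or "ip"
    ports: tuple = ()                    # PortEntry objects
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None      # None = any code
    protocol_number: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        if self.protocol_type == "tcp/udp/sctp":
            return any(e.proto == pkt.get("proto") and e.low <= pkt.get("dport", -1) <= e.high
                       for e in self.ports)
        if self.protocol_type == "icmp":
            return (pkt.get("proto") in ("icmp", "icmp6")
                    and pkt.get("type") == self.icmp_type
                    and (self.icmp_code is None or pkt.get("code") == self.icmp_code))
        if self.protocol_type == "ip":
            return pkt.get("protocol_number") == self.protocol_number
        return False

def packet(proto: str, **fields) -> dict:
    """Constructed packet summary with its IANA protocol number filled in."""
    return {"proto": proto, "protocol_number": PROTO_NUMBERS[proto], **fields}

def matching_services(services, pkt: dict) -> list:
    """Names of the services that match the packet, in list order."""
    return [s.name for s in services if s.matches(pkt)]

# Constructed sample services.
HTTPS = Service("HTTPS", "tcp/udp/sctp", (port_entry("tcp", "443"),))
DNS = Service("DNS", "tcp/udp/sctp", (port_entry("tcp", "53"), port_entry("udp", "53")))
PING = Service("PING", "icmp", icmp_type=8)                   # echo request, any code
TTL_EXCEEDED = Service("TTL_exceeded", "icmp", icmp_type=11, icmp_code=0)
GRE = Service("GRE", "ip", protocol_number=47)
ALL_TCP = Service("ALL_TCP", "ip", protocol_number=6)          # every TCP port, not just 443
SERVICES = (HTTPS, DNS, PING, TTL_EXCEEDED, GRE, ALL_TCP)

if __name__ == "__main__":
    for pkt in (packet("tcp", dport=443), packet("udp", dport=53),
                packet("icmp", type=8, code=0), packet("gre")):
        print(pkt, "->", matching_services(SERVICES, pkt))
```

The ALL_TCP entry is the caveat worth remembering: a service created with Protocol Type IP and protocol number 6 matches all TCP traffic, so putting it in a policy alongside narrow port-based services widens that policy to every TCP port.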
To configure a virtual IP:
- Go to Security > Firewall Objects.
- Select Virtual IP in the firewall object type dropdown.
- Select Create to open the Create New VirtualIP dialog.
- In the Create New VirtualIP dialog, enter the following information:
Settings
Guidelines
Type
Select either Virtual IP or Virtual IP Group.
Note: By default, Virtual IP is selected.
Name
Required. Enter a name for the virtual IP or the virtual IP group.
Comments
Enter comments about the virtual IP or the virtual IP group.
Color
From the dropdown, select a color.
Members
From the dropdown, select members.
Note: This option is only available if the Type is Virtual IP Group.
Firewall/Network Options
Interface
From the dropdown, select an interface.
Type
Select either Static NAT or FQDN.
Note: By default, Static NAT is selected.
External IP Address/Range
Required. Enter the public IP address or range.
Mapped IPv4 Address/Range
Required. Enter the IPv4 address or range the traffic is directed to.
Note: This option is only available when the type is Static NAT.
Mapped Address
From the dropdown, select a mapped address.
Note: This option is only available when the type is FQDN.
Port Forwarding
Enable/disable port forwarding.
Note: This option is disabled by default.
Protocol
Select from the following protocols:
TCP (default)
UDP
SCTP
ICMP
Note: This option is only available when Port Forwarding is enabled.
External Service Port
Required. Enter the range of the external interface ports.
Note: This option is only available when Port Forwarding is enabled and the protocol is not ICMP.
Map to IPv4 Port
Required. Enter the range of the listening ports.
Note: This option is only available when Port Forwarding is enabled and the protocol is not ICMP.
Enable ARP Reply
Select to enable Address Resolution Protocol (ARP) replies.
Note: This option is enabled by default.
- Click Save.
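A Static NAT virtual IP rewrites the destination of inbound traffic from the external address to the mapped address, and with Port Forwarding enabled it also rewrites the destination port and applies only to the listed protocol and ports. The Python below is an added illustration, not FortiPortal code; the class and field names, the one-to-one offset mapping between external and mapped ranges, and the sample virtual IPs are assumptions and constructed data. It also shows the consistency checks (ranges of unequal size, missing ports) that a VIP definition has to pass before it can work.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Illustrative model (not FortiPortal code) of a Static NAT virtual IP with the
# optional Port Forwarding from this page. Assumptions: an external range maps
# to the mapped range one-to-one by offset, and so does an external port range;
# when Port Forwarding is enabled the VIP applies only to the listed protocol
# and external ports, otherwise every port passes through unchanged.

@dataclass(frozen=True)
class VirtualIP:
    name: str
    external: str             # External IP Address/Range, e.g. "203.0.113.10-203.0.113.12"
    mapped: str               # Mapped IPv4 Address/Range
    port_forwarding: bool = False
    protocol: str = "tcp"     # tcp, udp, sctp or icmp
    external_ports: str = ""  # External Service Port, e.g. "8080-8082"
    mapped_ports: str = ""    # Map to IPv4 Port

def _ip_range(spec: str):
    first, _, last = spec.partition("-")
    return ipaddress.ip_address(first.strip()), ipaddress.ip_address((last or first).strip())

def _port_range(spec: str):
    first, _, last = spec.partition("-")
    return int(first), int(last or first)

def validate(vip: VirtualIP) -> list:
    """Problems that must be fixed before the VIP can translate anything."""
    problems = []
    ext_lo, ext_hi = _ip_range(vip.external)
    map_lo, map_hi = _ip_range(vip.mapped)
    if {ext_lo.version, ext_hi.version, map_lo.version, map_hi.version} != {4}:
        return ["addresses must all be IPv4"]
    if ext_lo > ext_hi or map_lo > map_hi:
        problems.append("range start is after range end")
    if int(ext_hi) - int(ext_lo) != int(map_hi) - int(map_lo):
        problems.append("external and mapped ranges differ in size")
    if vip.port_forwarding and vip.protocol != "icmp":
        if not (vip.external_ports and vip.mapped_ports):
            problems.append("port forwarding needs external and mapped ports")
        else:
            e_lo, e_hi = _port_range(vip.external_ports)
            m_lo, m_hi = _port_range(vip.mapped_ports)
            if not (0 < e_lo <= e_hi <= 65535 and 0 < m_lo <= m_hi <= 65535):
                problems.append("port out of range")
            elif e_hi - e_lo != m_hi - m_lo:
                problems.append("external and mapped port ranges differ in size")
    return problems

def translate(vip: VirtualIP, dst_ip: str, protocol: str = "tcp",
              dst_port: Optional[int] = None):
    """Destination (ip, port) after DNAT, or None when this VIP does not apply. Assumes validate() passed."""
    dst = ipaddress.ip_address(dst_ip)
    ext_lo, ext_hi = _ip_range(vip.external)
    if dst.version != ext_lo.version or not (ext_lo <= dst <= ext_hi):
        return None
    map_lo, _ = _ip_range(vip.mapped)
    new_ip = str(map_lo + (int(dst) - int(ext_lo)))      # same offset into the mapped range
    if not vip.port_forwarding:
        return new_ip, dst_port                           # plain static NAT: every port passes
    if protocol != vip.protocol:
        return None
    if vip.protocol == "icmp":
        return new_ip, None
    e_lo, e_hi = _port_range(vip.external_ports)
    m_lo, _ = _port_range(vip.mapped_ports)
    if dst_port is None or not (e_lo <= dst_port <= e_hi):
        return None
    return new_ip, m_lo + (dst_port - e_lo)

# Constructed sample virtual IPs.
WEB_VIP = VirtualIP("Web_VIP", "203.0.113.10-203.0.113.12", "10.0.0.10-10.0.0.12",
                    port_forwarding=True, protocol="tcp",
                    external_ports="8080-8082", mapped_ports="80-82")
JUMP_HOST = VirtualIP("Jump_host", "203.0.113.20", "10.0.0.20")   # static NAT, all ports

if __name__ == "__main__":
    print(validate(WEB_VIP), translate(WEB_VIP, "203.0.113.11", "tcp", 8081))
    print(translate(JUMP_HOST, "203.0.113.20", "tcp", 3389))
```

Two points the example makes concrete: a Static NAT VIP without Port Forwarding exposes every port of the mapped host that the policy allows, so the policy's service field is the only thing narrowing it; and Enable ARP Reply matters whenever the external address is not the interface's own address, because the firewall must answer ARP for that address or upstream routers never deliver the traffic to it.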
To configure an Antivirus profile:
- Go to Security > Firewall Objects.
- Select Antivirus Profile from the Security Profiles dropdown.
- Select Create to create an Antivirus profile.
- In the Create Antivirus Profile dialog, enter the following information:
Settings
Guidelines
Name
Enter a name for the Antivirus profile.
Comments
Enter comments about the Antivirus profile.
AntiVirus scan
Enable Antivirus scan.
Note: The profile must be inspecting at least one protocol to enable the option.
Feature set
Set the inspection mode:
Flow-based: Scanning takes a snapshot of content packets and uses pattern matching to identify security threats in the content (default).
Proxy-based: Scanning reconstructs content passing through the firewall unit and inspects the content for security threats.
Inspection Protocols
Enable any of the following protocols:
HTTP
SMTP
POP3
IMAP
FTP
CIFS
APT Protection Options
Treat Windows Executables in Email Attachments as Viruses
Enable to treat all Windows executable files in email attachments as viruses.
Note: By default, Treat Windows Executables in Email Attachments as Viruses is disabled.
Include Mobile Malware Protection
Enable to include mobile malware protection.
Note: By default, Include Mobile Malware Protection is enabled.
Send Files to FortiSandbox Appliance for Inspection
Choose from the following options:
None: Do not send files to FortiSandbox (default).
Suspicious Files Only: Send suspicious files to FortiSandbox.
All Supported Files: Send all supported files to FortiSandbox.
Virus Outbreak Prevention
Use FortiGuard Outbreak Prevention Database
Enable, then select whether to block or monitor files that match the FortiGuard outbreak prevention database.
Note: By default, Use FortiGuard Outbreak Prevention Database is disabled.
Use External Malware Block List
Enable, then select whether to block or monitor files that match the external malware block list.
Note: By default, Use External Malware Block List is disabled.
- Click Save.
To configure an intrusion prevention profile:
- Go to Security > Firewall Objects.
- Select Intrusion Prevention Profile from the Security Profiles dropdown.
- Select Create to create an intrusion prevention profile.
- In the Create New IPS Sensor dialog, enter the following information:
Settings
Guidelines
Name
Required. Enter a name for the IPS Sensor.
Comments
Enter comments about the IPS Sensor.
Block malicious URLs
Select to block malicious URLs.
Scan Outgoing Connections to Botnet Sites
Choose from the following options:
Block: Scan and block outgoing connections to Botnet sites.
Disable: Disable scanning outgoing connections to Botnet sites (default).
Monitor: Monitor outgoing connections to Botnet sites.
- Select Create to add an IPS signature filter to the IPS sensor.
To edit an IPS signature filter, select an IPS signature filter from the list and then select Edit.
When editing an IPS signature filter, the fields are the same as when creating it.
Use the search box to look for an IPS signature filter.
- In the Create IPS Signature Filter dialog, enter the following information:
Settings
Guidelines
Type
Select either Filter (default) or Signature.
Note: When the Type is Signature, select one or more signatures from the list and click Save.
Use the Search bar to look for a signature.
Action
From the dropdown, select one of the following actions:
Default (default)
Allow
Monitor
Block
Reset
Quarantine: Enter the duration of the quarantine, and click Save.
Packet Logging
Enable or disable packet logging.
Status
Enable, disable, or set the status as default.
Filter
Select Edit IPS Filter and enter the information described under Edit IPS Filter below.
Alternatively, from the list, select a preconfigured IPS filter and click Save.
Use the Search bar to look for an IPS filter.
Edit IPS Filter
Severity
From the dropdown, select severity levels:
critical
High
Medium
Low
Info
Target
From the dropdown, select client and/or server.
Protocol
From the dropdown, select protocols.
OS
From the dropdown, select OS:
BSD
Linux
MacOS
Other
Solaris
Windows
Application
From the dropdown, select applications.
- Click Save to save changes to the IPS filter.
- Click Save to save changes to the IPS signature filter.
- Click Save to save changes to the IPS sensor.
To configure a local category:
- Go to Security > Firewall Objects.
- Select Local Category from the Security Profiles dropdown.
- Select Create to create a new local category.
- In the Create Local Category dialog, enter the category description.
- Click Save.
To configure a web rating override:
- Go to Security > Firewall Objects.
- Select Web Rating Overrides from the Security Profiles dropdown.
- Select Create to create a new web rating override.
- In the Create Web Rating Overrides dialog, enter the following information:
Settings
Guidelines
URL
Required. Enter the URL of a web site.
Status
Enable the web rating override.
Category
Select from the following categories:
All Categories (default)
Potentially Liable
Adult/Mature Content
Bandwidth Consuming
Security Risk
General Interest- Personal
General Interest- Business
Unrated
Local Categories
Sub Category
Required. Select a sub category for the selected category.
Comments
Enter comments about the web rating override.
- Click Save.
To configure a web filter profile:
- Go to Security > Firewall Objects.
- Select Web Filter Profile from the Security Profiles dropdown.
- Select Create to create a new web filter profile.
- In the Create Web Filter profile dialog, enter the following information:
Settings
Guidelines
Name
Enter a name for the web filter.
Comments
Enter comments about the web filter.
Category Based Filter
Enable and select FortiGuard category based filters from the list.
Use the search bar to look for a category based filter.
For the selected category, select from the following actions:
Allow: Allow selected category.
Monitor: Monitor selected category.
Block: Block selected category.
Warning: Select to open the Filter dialog. Enter the Warning Interval, select from the Available User Groups dropdown, and click Save.
Authenticate: Select to open the Filter dialog. Enter the Warning Interval, select from the Available User Groups dropdown, and click Save.
Disable: Disable selected category.
Static URL Filter
Block invalid URLs
Enable to block invalid URLs.
Note: This option is disabled by default.
URL Filter
Enable and then select Create to create a URL filter. Enter the information described under To create a URL filter below, and click Save.
To edit a URL filter, select a URL filter from the list and then select Edit.
When editing a URL filter, the fields are the same as when creating it.
Use the Search bar to look for URLs and narrow down the search by using criteria.
You can filter results based on prefix/suffix wildcards.
Block malicious URLs discovered by sandbox
Enable to block malicious URLs discovered by FortiSandbox.
Note: This option is disabled by default.
Rating Options
Allow websites when a rating error occurs
Enable to allow websites when a rating error has occurred.
Note: This option is disabled by default.
Rate URLs by domain and IP Address
Enable to rate URLs by domain and IP address.
Note: This option is disabled by default.
Proxy Options
HTTP POST Action
Select whether the HTTP Post action is Normal or Block.
HTTP POST is the command used by your browser when you send information, such as a form you have filled-out or a file you are uploading, to a web server.
Remove Cookies
Enable to remove cookies.
Note: This option is disabled by default.
To create a URL filter:
URL
Enter the URL.
Type
Select a type from the following:
Simple (default)
Regular Expression
Wildcard
Action
Select an action from the following:
Exempt (default)
Block
Allow
Monitor
Status
Enable (default) or Disable.
- Click Save.
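The three URL filter Types above match very differently, and the difference decides whether a Block entry can be sidestepped. The Python below is an added illustration, not FortiPortal or FortiGate code; the assumptions are that entries are evaluated top to bottom with the first enabled match deciding, that matching is case-insensitive on the URL with its scheme removed, that Simple matches the entry exactly or as a path prefix, that Wildcard treats "*" as any run of characters and is anchored at both ends, and that Regular Expression is applied as written, so it must carry its own anchors. The filter list is constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Illustrative evaluation (not FortiPortal code) of a Static URL Filter list
# built from the URL filter fields on this page. Assumptions: entries are
# checked top to bottom and the first enabled match decides; matching is done
# on the URL with its scheme removed, case-insensitively; Simple matches the
# entry exactly or as a path prefix; Wildcard treats "*" as any run of
# characters and is anchored at both ends; Regular Expression is used as
# written, so it must carry its own anchors.

@dataclass(frozen=True)
class UrlFilterEntry:
    url: str
    type: str = "simple"      # "simple", "regex" or "wildcard"
    action: str = "exempt"    # "exempt", "block", "allow" or "monitor"
    enabled: bool = True

def _strip_scheme(url: str) -> str:
    return re.sub(r"^[a-z][a-z0-9+.-]*://", "", url.strip(), flags=re.IGNORECASE).lower()

def _wildcard_regex(pattern: str) -> str:
    # Escape everything except "*", which becomes ".*"; anchor both ends.
    return "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"

def entry_matches(entry: UrlFilterEntry, url: str) -> bool:
    target = _strip_scheme(url)
    if entry.type == "simple":
        needle = _strip_scheme(entry.url).rstrip("/")
        return target == needle or target.startswith(needle + "/")
    if entry.type == "wildcard":
        return re.match(_wildcard_regex(entry.url.lower()), target) is not None
    if entry.type == "regex":
        return re.search(entry.url, target, flags=re.IGNORECASE) is not None
    raise ValueError(f"unknown URL filter type {entry.type!r}")

def evaluate(entries, url: str) -> Optional[str]:
    """Action of the first enabled matching entry, or None to fall through to category filtering."""
    for entry in entries:
        if entry.enabled and entry_matches(entry, url):
            return entry.action
    return None

# Constructed filter list, in evaluation order.
URL_FILTER = (
    UrlFilterEntry("intranet.example.com", "simple", "allow"),
    UrlFilterEntry(r"^(www\.)?example\.com/downloads/.*\.exe$", "regex", "block"),
    UrlFilterEntry("*.malware.example*", "wildcard", "block"),
    UrlFilterEntry("updates.example.com", "simple", "exempt", enabled=False),
    UrlFilterEntry(r"example\.com", "regex", "monitor"),   # unanchored on purpose: see the note
)

if __name__ == "__main__":
    for url in ("http://intranet.example.com/wiki/Home",
                "https://WWW.Example.com/downloads/Tool.EXE",
                "http://cdn.malware.example/payload",
                "http://intranet.example.com.evil.test/",
                "https://example.org/"):
        print(url, "->", evaluate(URL_FILTER, url))
```

The last entry shows the usual regular-expression mistake: without anchors, example\.com also matches intranet.example.com.evil.test, so an attacker-controlled host picks up whatever action that entry carries. Treat Exempt with the same care: on the FortiGate it is broader than Allow, because it also skips the remaining web filter checks for that URL.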
To configure application control:
- Go to Security > Firewall Objects.
- Select Application Control from the Security Profiles dropdown.
- Select Create to create a new application control.
- In the Create Application Control dialog, enter the following information:
Settings
Guidelines
Name
Required. Enter a name for the application control.
Comments
Enter comments about the application control.
Category
For each category, select from the following actions:
Monitor (default)
Allow
Block
Quarantine: Enter the quarantine duration, and click Save.
Traffic Shaping: Select Shaper and Shaper Reverse, and click Save.
Application and Filter Overrides
Select Create to create an application and filter override.
To edit an override, select it from the list and then select Edit.
When editing an override, the fields are the same as when creating it.
Use the Search bar to look for overrides.
To create or edit an application and filter override:
Type
Select either Application (default) or Filter.
Note: When the Type is Application, you can select preconfigured signatures from the list, select Use selected signatures, and click Save.
Use the Search bar to look for signatures.
Action
From the dropdown, select an action:
Monitor (default)
Allow
Block
Quarantine: Enter the duration of the quarantine, and click Save.
Category
Select a category or select Category to select all options.
Note: This option is only available when the Type is Filter.
Popularity
Select the popularity levels to include, or select Popularity to select all options.
Note: This option is only available when the Type is Filter.
Technology
Select a technology or select Technology to select all options.
Note: This option is only available when the Type is Filter.
Behavior
Select a behavior or select Behavior to select all options.
Note: This option is only available when the Type is Filter.
Vendor
Select a vendor or select Vendor to select all options.
Note: This option is only available when the Type is Filter.
Protocols
Select a protocol or select Protocols to select all options.
Note: This option is only available when the Type is Filter.
Risk
Select risk level or select Risk to select all options.
Note: This option is only available when the Type is Filter.
- Click Save to save overrides.
- Click Save to save the application control.
To configure a user:
- Go to Security > Firewall Objects.
- Select User from the User & Device dropdown.
- Select Create to create a user.
- In the Create User dialog, enter the following information:
Settings
Guidelines
User Name
Required. Enter a name for the user.
Disable
Select to disable the user account.
Password
Enter the password.
Contact Information
Email
Enter the email address.
Two-factor Authentication
Select from the following:
Disable
FortiToken: From the dropdown, select a FortiToken. See FortiToken below.
Email based two-factor authentication: See Email based two-factor authentication below.
- Click Save.
FortiToken
FortiToken is a disconnected one-time password (OTP) generator: a small physical device with a button that, when pressed, displays a six-digit authentication code. The code is entered together with the user's user name and password as the second factor. The displayed code changes every 60 seconds, and when the device is not in use the LCD screen is blanked to extend battery life.
There is also a mobile phone application, FortiToken Mobile, that performs much the same function.
FortiTokens have a small hole in one end. This is intended for a lanyard to be inserted so the device can be worn around the neck, or easily stored with other electronic devices. Do not put the FortiToken on a key ring as the metal ring and other metal objects can damage it. The FortiToken is an electronic device like a cell phone and must be treated with similar care.
Any time information about the FortiToken is transmitted, it is encrypted. When the FortiPortal unit receives the code that matches the serial number for a particular FortiToken, it is delivered and stored encrypted. This is in keeping with our commitment to keeping your network highly secured.
FortiTokens can be added to user accounts that are local, IPsec VPN, SSL VPN, and even Administrators. A FortiToken can be associated with only one account on one FortiPortal unit.
If you lose your FortiToken, your account can be locked so that the token cannot be used to gain unauthorized access to the network. If the FortiToken is later found, it can be unlocked on the FortiPortal unit to allow access once again.
Email based two-factor authentication
Two-factor email authentication sends a randomly generated six-digit numeric code to the specified email address. Enter that code when prompted at logon. The code is valid for 60 seconds; if you enter it after that time, it is not accepted.
A benefit is that you do not require mobile service to authenticate. The drawback is that authentication fails if your email server does not deliver the message within the 60-second lifetime of the code.
The code is generated and emailed at the time of logon, so you must have email access at that time to receive it.
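The mechanics described above (a random six-digit code, sent at logon, valid for 60 seconds) are easy to get subtly wrong. The Python below is an added illustration of such a flow and is not FortiPortal's implementation; beyond what the page states, it assumes that a code is single-use and that at most five wrong guesses are accepted per issued code, because a six-digit space is small enough to brute-force within 60 seconds if guesses are unlimited. The mail sender and clock are injected so the flow can be exercised offline.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Illustrative implementation (not FortiPortal's) of the email-based second
# factor described above: a random six-digit code, valid for 60 seconds, sent
# at logon. Assumptions beyond the page: codes are single-use, and at most
# MAX_ATTEMPTS wrong guesses are allowed per issued code.

CODE_LIFETIME_S = 60
CODE_DIGITS = 6
MAX_ATTEMPTS = 5

@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts: int = 0

class EmailCodeAuthenticator:
    def __init__(self, send_email, clock=time.time):
        self._send = send_email        # callable(address, body); injected so this runs offline
        self._clock = clock            # injected so expiry can be tested without sleeping
        self._pending = {}             # username -> PendingCode

    def issue(self, username: str, email: str) -> None:
        # secrets, not random: the code must be unpredictable to anyone reading the mail late
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[username] = PendingCode(code, self._clock())
        self._send(email, f"Your logon code is {code}. It expires in {CODE_LIFETIME_S} seconds.")

    def verify(self, username: str, submitted: str) -> bool:
        pending = self._pending.get(username)
        if pending is None:
            return False
        if self._clock() - pending.issued_at > CODE_LIFETIME_S:
            del self._pending[username]        # expired: the user must log on again for a new code
            return False
        pending.attempts += 1
        if pending.attempts > MAX_ATTEMPTS:
            del self._pending[username]        # too many guesses: the code is burned
            return False
        # constant-time comparison, on bytes so non-ASCII input cannot raise
        ok = hmac.compare_digest(pending.code.encode(), submitted.strip().encode())
        if ok:
            del self._pending[username]        # single use
        return ok

if __name__ == "__main__":
    outbox = []
    auth = EmailCodeAuthenticator(lambda addr, body: outbox.append((addr, body)))
    auth.issue("alice", "alice@example.com")
    print("sent:", outbox[-1])
    code = outbox[-1][1].split()[4].rstrip(".")
    print("wrong code accepted:", auth.verify("alice", "000000" if code != "000000" else "000001"))
    print("right code accepted:", auth.verify("alice", code))
    print("replay accepted:", auth.verify("alice", code))
```

Each of the three branches in verify closes a distinct hole: the expiry check enforces the 60-second lifetime the page describes, the attempt counter stops online guessing of a six-digit code, and deleting the entry on success prevents a code read from a shared mailbox from being replayed.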
To configure a user group:
- Go to Security > Firewall Objects.
- Select User Groups from the User & Device dropdown.
- Select Create to create a user group.
- In the Create User group dialog, enter the following information:
Settings
Guidelines
Name
Enter a name for the user group.
Type
Select either Firewall or FSSO/SSO Connectors.
Members
From the dropdown, select users to be added as members.
Remote Groups
Select Create to create a remote group for the user group. From the Remote Server dropdown, select a remote server, and click Save.
To edit a remote group, select a remote group from the list and then select Edit.
When editing a remote group, the fields are the same as when creating it.
Note: This option is only available when the Type is Firewall.
- Click Save.