Configuring firewall objects

• Configuring an address

• Configuring an address group

• Configuring a schedule

• Configuring a service

• Configuring a virtual IP

• Configuring an Antivirus profile

• Configuring an intrusion prevention profile

• Configuring a local category

• Configuring a web rating override

• Configuring a web filter profile

• Configuring application control

• Configuring a user

• Configuring a user group

Address and address group firewall objects support IPv6 addresses.

To configure an address:

1. Go to Security > Firewall Objects.
2. Select Address in the firewall object type dropdown.
3. In the Create dropdown, select Address to open the Create Address dialog.
4. In the Create Address dialog, enter the following information:

   Settings	Guidelines
   Name	Required. Enter a name for the address.
   Color	From the dropdown, select a color option.
   Type	Required. Select a type from the following options in the dropdown: Subnet (default) IP Range FQDN Geography Dynamic Device (MAC Address)
   Sub Type	Required. Select a subtype from the following options in the dropdown: ClearPass (default) Fabric Connector Address FortiNAC Tag FortiVoice Tag Fortinet Single Sign-On Switch Controller NAC Policy Tag Note: This option is only available when the Type is Dynamic.
   IP/Netmask	Required. Enter the IP address and the netmask. Note: This option is only available when the Type is Subnet.
   IP Range	Required. Enter the IP address range. Note: This option is only available when the Type is IP Range.
   FQDN	Required. Enter the Fully Qualified Domain Name (FQDN). Note: This option is only available when the Type is FQDN.
   Geography/Region	Required. Select a country/territory from the dropdown. Note: This option is only available when the Type is Geography.
   SPT(System Posture Token)	Required. Select an SPT from the following options in the dropdown: Checkup (default) Healthy Infected Quarantine Transient Unknown Note: This option is only available when the Sub Type is Clear Pass.
   Fabric Connector Address	Required. From the dropdown, select a Fabric Connector Address. Note: This option is only available when the Sub Type is Fabric Connector Address.
   Fortinet Single Sign-On (FSSO)	Required. From the dropdown, select an FSSO option. Note: This option is only available when the Sub Type is Fortinet Single Sign-On (FSSO).
   MAC Address	Select +, and enter the MAC addresses. Note: This option is only available when the MAC Address Scope is single.
   Interface	Required. From the dropdown, select an interface.
   Static route configuration	Enable static route configuration. Note: This option is not available when the Type is Geography, Dynamic, or Device (MAC Address).
   Comments	Enter comments about the address.

5. Click Save.

To configure an address group:

1. Go to Security > Firewall Objects.
2. Select Address in the firewall object type dropdown.
3. In the Create dropdown, select Address Group to open the Create Address Group dialog.
4. In the Create Address Group dialog, enter the following information:

   Settings	Guidelines
   Name	Required. Enter a name for the address group.
   Color	From the dropdow, select a color option.
   Members	Required. From the dropdown, select an address.
   Comments	Enter comments about the address group.

5. Click Save.

To configure a schedule:

1. Go to Security > Firewall Objects.
2. Select Schedule in the firewall object type dropdown.
3. Select Create to open the Create New Schedule dialog.
4. In the Create New Schedule dialog, enter the following information:

   Settings	Guidelines
   Type	Select either One Time Schedule or Recurring Schedule.
   Name	Required. Enter a name for the schedule.
   Color	From the dropdow, select a color option.
   Start Time	Enter a start date (MM//DD/YYYY) and time. Alternatively, select the calendar icon and then select the date of your choice. Similarly, select the clock icon to select a time. Note: The date option is only available when the Type is One Time Schedule.
   End Time	Enter the end date (MM//DD/YYYY) and time. Alternatively, select the calendar icon and then select the date of your choice. Similarly, select the clock icon to select a time. Note: The date option is only available when the Type is One Time Schedule.
   Days	Select days of the week the schedule applies. Note: This option is only available when the Type is Recurring Schedule.
   All Day	Select the option if the schedule applies all day. Note: This option is only available when the Type is Recurring Schedule.
   Pre-expiration event log	Select to create an event log Number of days before the End Time. Note: This option is selected by default and only available when the Type is One Time Schedule.
   Number of days before	Enter the number of days (default = 3). Note: This option is only available when the Type is One Time Schedule and Pre-expiration event log is selected.

5. Click Save.

To configure a service:

1. Go to Security > Firewall Objects.
2. Select Service in the firewall object type dropdown.
3. Select Create to open the Create Service dialog.
4. In the Create Service dialog, enter the following information:

   Settings	Guidelines
   Name	Enter a name for the service.
   Comments	Enter comments about the service.
   Color	Required. From the dropdown, select a color.
   Show in Service list	Enable to display the service in the service list. Note: This option is enabled by default.
   Category	From the dropdown, select a category from the following options: Uncategorized (default) Authentication Email File Access General Network Services Remote Access Tunneling VoIP, Messaging, & Other Application Web Access Web Proxy
   Protocol Type	Select a protocol type: TCP/UDP/SCTP—address and destination port range (default). ICMP—type and code IP—IP protocol number
   Address	Select either IP Range or FQDN and then enter the IP address range or the FQDN. Note: This option is only available when the Protocol Type is TCP/UDP/SCTP.
   Destination Port	From the dropdown, select TCP, UDP, or SCTP protocol type and enter a port range. Select + to add multiple destination ports and ranges. Select the Delete () icon to remove a destination port. Note: This option is only available when the Protocol Type is TCP/UDP/SCTP.
   Type	Enter the type number. Note: This option is only available when the Protocol Type is ICMP.
   Code	Enter the code number. Note: This option is only available when the Protocol Type is ICMP.
   Protocol Number	Enter the protocol number. Note: This option is only available when the Protocol Type is IP.

5. Click Save.

To configure a virtual IP:

1. Go to Security > Firewall Objects.
2. Select Virtual IP in the firewall object type dropdown.
3. Select Create to open the Create Service dialog.
4. In the Create New VirtualIP dialog, enter the following information:

   Settings	Guidelines
   Type	Select either Virtual IP or Virtual IP Group. Note: By default, Virtual IP is selected.
   Name	Required. Enter a name for the virtual IP or the virtual IP group.
   comment	Enter comments about the virtual IP or the virtual IP group.
   Color	From the dropdown, select a color.
   Members	From the dropdown, select members. Note: This option is only available if the Type is Virtual IP Group.
   Firewall/Network Options
   Interface	From the dropdown, select an interface.
   Type	Select either Static NAT or FQDN. Note: By default, Static NAT is selected.
   External IP Address/Range	Required. Enter the public IP address or range.
   Mapped IPV4 Address/Range	Required. Enter the IPv4 address or range the traffic is directed to. Note: This option is only available when the type is Static NAT.
   Mapped Address	From the dropdown, select a mapped address. Note: This option is only available when the type is FQDN.
   Port Forwarding	Enable/disable port forwarding. Note: This option is disabled by default.
   Protocol	Select from the following protocols: TCP (default) UDP SCTP ICMP Note: This option is only available when Port Forwarding is enabled.
   External Service Port	Required. Enter the range of the external interface ports. Note: This option is only available when Port Forwarding is enabled and the protocol is not ICMP.
   Map to IPv4 Port	Required. Enter the range of the listening ports. Note: This option is only available when Port Forwarding is enabled and the protocol is not ICMP.
   Enable ARP Reply	Select to enable Address Resolution Protocol (ARP) replies. Note: This option is enabled by default.

5. Click Save.

To configure an Antivirus profile:

1. Go to Security > Firewall Objects.
2. Select Antivirus Profile from the Security Profiles dropdown.
3. Select Create to create an Antivirus profile.
4. In the Create Antivirus Profile dialog, enter the following information:

   Settings	Guidelines
   Name	Enter a name for the Antivirus profile.
   Comments	Enter comments about the Antivirus profile.
   AntiVirus scan	Enable Antivirus scan. Note: The profile must be inspecting at least one protocol to enable the option.
   Feature set	Set the inspection mode: Flow-based: Scanning takes a snapshot of content packets and uses pattern matching to identify security threats in the content (default). Proxy-based: Scanning reconstructs content passing through the firewall unit and inspects the content for security threats.
   Inspection Protocols	Enable any of the following protocols: HTTP SMTP POP3 IMAP FTP CIFS
   apt.protection.options
   Treat Windows Executables in Email Attachments as Viruses	Enable to treat all Windows executable files in email attachments as viruses. Note: By default,Treat Windows Executables in Email Attachments as Viruses is disabled.
   Include Mobile Malware Protection	Enable to include mobile malware protection. Note: By default, Include Mobile Malware Protection is enabled.
   Send Files to FortiSandbox Appliance for Inspection	Choose from the following options: None: Do not send files to FortiSandbox (default). Suspicious Files Only: Send suspicious files to FortiSandbox. All Supported Files: Send all supported files to FortiSandbox.
   Virus Outbreak Prevention
   Use FortiGuard Outbreak Prevention Database	Enable. Block or monitor ForitGuard outbreak prevention database. Note: By default, Use FortiGuard Outbreak Prevention Database is disabled.
   Use External Malware Block List	Enable. Block or monitor external malware block list. Note: By default, Use External Malware Block List is disabled.

5. Click Save.

To configure an intrusion prevention profile:

1. Go to Security > Firewall Objects.
2. Select Intrusion Prevention Profile from the Security Profiles dropdown.
3. Select Create to create an intrusion prevention profile.
4. In the Create New IPS Sensor dialog, enter the following information:

   Settings	Guidelines
   Name	Required. Enter a name for the IPS Sensor.
   Comments	Enter comments about the IPS Sensor.
   Block malicious URLs	Select to block malicious URLs.
   Scan Outgoing Connections to Botnet Sites	Choose from the following options: Block: Scan and block outgoing connections to Botnet sites. Disable: Disable scanning outgoing connections to Botnet sites (default). Monitor: Monitor outgoing connections to Botnet sites.

5. Select Create to add an IPS signature filter to the IPS sensor.

   To edit an IPS signature filter, select an IPS signature filter from the list and then select Edit. When editing an IPS signature filter, the fields are the same as when creating it.

   Use the search box to look for an IPS signature filter.

6. In the Create IPS Signature Filter dialog, enter the following information:

   Settings	Guidelines
   Type	Select either Filter (default) or Signature type. Note: When the Type is Signature, you can select a signatures from the list and click Save. Use the Search bar to look for a signature.
   Action	From the dropdown, select one of the following actions: Default (default) Allow Monitor Block Reset Quarantine: Enter the duration of the quarantine, and click Save.
   Packet Logging	Enable or disable packet logging.
   Status	Enable, disable, or set the status as default.
   Filter	Select Edit IPS Filter to edit an IPS filter, enter the following information as shown in Edit IPS Filter. Alternatively, from the list, select a preconfigured IPS filter and click Save. Use the Search bar to look for an IPS filter.

   Edit IPS Filter

   Severity	From the dropdown, select severity levels: critical High Medium Low Info
   Target	From the dropdown, select client and/or server.
   Protocol	From the dropdown, select protocols.
   OS	From the dropdown, select OS: bsd Linux MacOS Other Solaris Windows
   Application	From the dropdown, select applications.

7. Click Save to save changes to the IPS filter.
8. Click Save to save changes to the IPS signature filter.
9. Click Save to save changes to the IPS sensor.

To configure a local category:

1. Go to Security > Firewall Objects.
2. Select Local Category from the Security Profiles dropdown.
3. Select Create to create a new local category.
4. In the Create Local Category dialog, enter the category description.
5. Click Save.

To configure a web rating override:

1. Go to Security > Firewall Objects.
2. Select Web Rating Overrides from the Security Profiles dropdown.
3. Select Create to create a new web rating override.
4. In the Create Web Rating Overrides dialog, enter the following information:

   Settings	Guidelines
   URL	Required. Enter the URL of a web site.
   Status	Enable the web rating override.
   Category	Select from the following categories: All Categories (default) Potentially Liable Adult/Mature Content Bandwidth Consuming Security Risk General Interest- Personal General Interest- Business Unrated Local Categories
   Sub Category	Required. Select a sub category for the selected category.
   Comments	Enter comments about the web rating override.

5. Click Save.

To configure a web filter profile:

1. Go to Security > Firewall Objects.
2. Select Web Filter Profile from the Security Profiles dropdown.
3. Select Create to create a new web filter profile.
4. In the Create Web Filter profile dialog, enter the following information:

   Settings	Guidelines
   Name	Enter a name for the web filter.
   Comments	Enter comments about the web filter.
   Category Based Filter	Enable and select FortiGuard category based filters from the list. Use the search bar to look for a category based filter. For the selected category, select from the following actions: Allow: Allow selected category. Monitor: Monitor selected category. Block: Block selected category. Warning: Select to open the Filter dialog. Enter the Warning Interval, select from the Available User Groups dropdown, and click Save. Authenticate: Select to open the Filter dialog. Enter the Warning Interval, select from the Available User Groups dropdown, and click Save. Disable: Disable selected category.
   Static URL Filter
   Block invalid URLs	Enable to block invalid URLs. Note: This option is disabled by default.
   URL Filter	Enable and then select Create to create a URL filter. Enter the information as shown in To create a URL filter, and click Save. To edit a URL filter, select a URL filter from the list and then select Edit. When editing a URL filter, the fields are the same as when creating it. Use the Search bar to look for URLs and narrow down the search by using criteria. You can filter results based on prefix/suffix wildcards.
   Block malicious URLs discovered by sandbox	Enable blocking malicious URLs discovered by FortiSandox. Note: This option is disabled by default.
   Rating Options
   Allow websites when a rating error occurs	Enable to allow websites when a rating error has occurred. Note: This option is disabled by default.
   Rate URLs by domain and IP Address	Enable to rate URLs by domain and IP address. Note: This option is disabled by default.
   Proxy Options
   HTTP POST Action	Select whether the HTTP Post action is Normal or Block. HTTP POST is the command used by your browser when you send information, such as a form you have filled-out or a file you are uploading, to a web server.
   Remove Cookies	Enable to remove cookies. Note: This option is disabled by default.

   To create a URL filter:

   URL	Enter the URL.
   Type	Select a type from the following: Simple (default) Regular Expression Wildcard
   Action	Select an action from the following: Exempt (default) Block Allow Monitor
   Status	Enable (default) or Disable.

5. Click Save.

To configure application control:

1. Go to Security > Firewall Objects.
2. Select Application Control from the Security Profiles dropdown.
3. Select Create to create a new application control.
4. In the Create Application Control dialog, enter the following information:

   Settings	Guidelines
   Name	Required. Enter a name for the application control.
   Comments	Enter comments about the application control.
   Category	For each category, select from the following actions: Monitor (default) Allow Block Quarantine: Enter the quarantine duration, and click Save. Traffic Shaping: Select Shaper and Shaper Reverse, and click Save.
   Application and Filter Overrides	Select Create to create application and filter overrides. To edit application and filter overrides, select an application and filter overrides from the list and then select Edit. When editing an application and filter overrides, the fields are the same as when creating it. Use the Search bar to look for overrides.

   To edit application and filter overrides:

   Type	Select either Application (default) or Filter. Note: When the Type is Application, you can select preconfigured signatures from the list, select Use selected signatures, and click Save. Use the Search bar to look for signatures.
   Action	From the dropdown, select an action: Monitor (default) Allow Block Quarantine: Enter the duration of the quarantine, and click Save.
   Category	Select a category or select Category to select all options. Note: This option is only available when the Type is Filter.
   Popularity	Order of popularity. Note: This option is only available when the Type is Filter.
   Technology	Select a technology or select Technology to select all options. Note: This option is only available when the Type is Filter.
   Behavior	Select a behavior or select Behavior to select all options. Note: This option is only available when the Type is Filter.
   Vendor	Select a vendor or select Vendor to select all options. Note: This option is only available when the Type is Filter.
   Protocols	Select a protocol select Protocol to select all options. Note: This option is only available when the Type is Filter.
   Risk	Select risk level or select Risk to select all options. Note: This option is only available when the Type is Filter.

5. Click Save to save overrides.
6. Click Save to save the application control.

To configure a user:

1. Go to Security > Firewall Objects.
2. Select User from the User & Device dropdown.
3. Select Create to create a user.
4. In the Create User dialog, enter the following information:

   Settings	Guidelines
   User Name	Required. Enter a name for the user.
   Disable	Enable to disable the user.
   Password	Enter the password.
   Contact Information
   Email	Enter the email address.
   Two-factor Authentication	Select from the following: Disable FortiToken: From the dropdown, select a ForitToken. See FortiToken. Email based two-factor authentication. See Email based two-factor authentication.

5. Click Save.

FortiToken

FortiToken is a disconnected one-time password (OTP) generator. It is a small physical device with a button that when pressed displays a six digit authentication code. This code is entered with a user’s user name and password as two-factor authentication. The code displayed changes every 60 seconds, and when not in use the LCD screen is blanked to extend the battery life.

There is also a mobile phone application, FortiToken Mobile, that performs much the same function.

FortiTokens have a small hole in one end. This is intended for a lanyard to be inserted so the device can be worn around the neck, or easily stored with other electronic devices. Do not put the FortiToken on a key ring as the metal ring and other metal objects can damage it. The FortiToken is an electronic device like a cell phone and must be treated with similar care.

Any time information about the FortiToken is transmitted, it is encrypted. When the FortiPortal unit receives the code that matches the serial number for a particular FortiToken, it is delivered and stored encrypted. This is in keeping with our commitment to keeping your network highly secured.

FortiTokens can be added to user accounts that are local, IPsec VPN, SSL VPN, and even Administrators.A FortiToken can be associated with only one account on one FortiPortal unit.

If you lose your FortiToken, your account can be locked so that it will not be used to falsely access the network. Later if found, that FortiToken can be unlocked on the FortiPortal unit to allow access once again.

Email based two-factor authentication

Two-factor email authentication sends a randomly generated six digit numeric code to the specified email address. Enter that code when prompted at logon. This token code is valid for 60 seconds. If you enter this code after that time, it will not be accepted.

A benefit is that you do not require mobile service to authenticate. However, a potential issue is if your email server does not deliver the email before the 60 second life of the token expires.

The code will be generated and emailed at the time of logon, so you must have email access at that time to be able to receive the code.

To configure a user group

1. Go to Security > Firewall Objects.
2. Select User Groups from the User & Device dropdown.
3. Select Create to create a user group.
4. In the Create User group dialog, enter the following information:

   Settings	Guidelines
   Name	Enter a name for the user group.
   Type	Select either Firewall or FSSO/SSO Connectors.
   Members	From the dropdown, select users to be added as members.
   Remote Groups	Select Create to create a remote group for the user group. From the Remote Server dropdown, select a remote server, and click Save. To edit a remote group, select a remote group from the list and then select Edit. When editing a remote group, the fields are the same as when creating it. Note: This option is only available when the Type is Firewall.

5. Click Save.