FortiCache - Administration Guide VERSION 4.2.0



01/20/2017 FortiCache Administration Guide

TABLE OF CONTENTS

Change Log 6
Introduction 7
About this document 7
Concepts 8
Web caching topologies 9
WCCP topologies 10
Content Analysis Service 11
System Administration 12
Working with system dashboards 12
Managing dashboards 13
System information widget 14
License information widget 18
Unit operation widget 18
System resources widget 19
Alert message console widget 20
CLI console widget 21
Features widget 22
Interface history widget 23
Network settings 24
Interfaces 24
DNS settings 28
Routing table 28
Configuration 29
High availability 30
SNMP settings 31
Replacement messages 39
FortiGuard settings 45
Disk management 47
Features 51
Messaging servers 52
Administration settings 52
Administrators 53
Administrative profiles 56
Settings 58
Certificates 60
Local CA Certificates 60
Certificates 64
External CA Certificates 64
Policy & Objects 65
Policy 65
Proxy options 74
SSL inspection 76
Socks Authentication 77
Objects 78
Addresses 78
Services 81
Schedules 84
IP pools 86
Explicit 87
Forward Server 89
Web proxy global 91
Web proxy profile 92
Security Profiles 94
Antivirus 94
Web Filter 95
Profile list 99
Managing web filter profiles 99
Web site filters 100
Data Leak Prevention 101
DLP sensors 101
File filter 105
ICAP 106
Server 108
Content Analysis 109
User Authentication 111
User 111
User definition 111
User groups 113
Authentication 116
Single sign-on 116
LDAP servers 119
RADIUS servers 121
TACACS+ servers 124
Settings 126
Monitor 127
Firewall 127
User Quarantine 128
WAN Optimization and Web Caching 129
WAN optimization profiles 129
Profile list 131
Managing WAN optimization profiles 132
WAN optimization peers 132
Peers 132
Authentication groups 133
Cache 136
Settings 136
URL match list 138
Monitor 139
HTTP traffic caching reports 140
WCCP 142
WCCP service groups, numbers, IDs, and well known services 142
WCCP configuration overview 143
Caching HTTP sessions 144
Configure a WCCP server 145
Configure a WCCP client 146
Verify the WCCP status 147
WCCP packet flow 149
Configuring forward and return methods and adding authentication 149
Purging specific cached content 149
WCCP messages 150
Troubleshooting WCCP 150
Real time debugging 150
Application debugging 150
Logging 152
Log settings 154
Memory debugging 155
Local logging and archiving 156
Remote logging to a syslog server 156
Appendix A - Perl Regular Expressions 157
Block common spam phrases 158
Block purposely misspelled words 158
Block any word in a phrase 158
Appendix B - Preload cache content and Webcrawler 159
execute preload list 159
execute preload show-log 159
execute preload url 159
execute preload url-delete 160

Change Log

Date / Change Description:
Updated web cache settings image to update max cache object size value.
Various minor typo updates.
Updated for FortiCache initial release.

Introduction

FortiCache high performance web caching appliances address bandwidth saturation, high latency, and poor performance by caching popular internet content locally for carriers, service providers, enterprises, and educational networks. FortiCache appliances reduce the cost and impact of cached content on the network while increasing performance and improving the end-user experience by speeding up the delivery of popular, repeatedly requested content.

About this document

This document contains the following sections:
Introduction
Concepts
System Administration
Policy & Objects
Objects
Security Profiles
User Authentication
WAN Optimization and Web Caching
WCCP
Logging

Concepts

FortiCache web caching is a form of object caching that accelerates web applications and web servers by reducing bandwidth usage, server load, and perceived latency. Web caching involves storing HTML pages, images, videos, servlet responses, and other web-based objects for later retrieval. These objects are stored in the web cache storage location defined by the config wanopt storage command (see Disk management changes in FortiCache on page 1 to see how this command, and others, have changed since the release of FortiCache 4.1.0). You can also go to System > Config > Disk to view the storage locations on the FortiCache unit hard disks.

There are three significant advantages to using web caching to improve HTTP performance:
reduced bandwidth consumption, because fewer requests and responses go over the WAN or Internet
reduced web server load, because there are fewer requests for web servers to handle
reduced latency, because responses for cached requests are available from a local FortiCache unit instead of from across the WAN or Internet.

When enabled in a web caching policy, the FortiCache unit caches HTTP traffic processed by that policy. A web caching policy specifies the source and destination addresses and destination ports of the traffic to be cached. Web caching caches compressed and non-compressed versions of the same file separately. If the HTTP protocol considers the compressed and uncompressed versions of a file the same object, only the compressed or the uncompressed file will be cached.

You can also configure a FortiCache unit to operate as a Web Cache Communication Protocol (WCCP) client. WCCP provides the ability to offload web caching to one or more redundant web caching servers.

With the addition of virtual appliances from Fortinet, you can deploy a mix of hardware and virtual appliances, operating together and managed from a common centralized management platform. Support has been added for the KVM hypervisor format. FortiCache high performance Web Caching virtual appliances address bandwidth saturation, high latency, and poor performance by caching popular internet content locally for carriers, service providers, enterprises and educational networks. For more information about FortiCache VM, see the FortiCache VM Install Guide for VMware.

As of version 4.2, Low Encryption for LENC models is supported.

This chapter describes:
Web caching topologies
WCCP topologies
Content Analysis Service

Web caching topologies

FortiCache web caching involves one or more FortiCache units installed between users and web servers. The FortiCache unit can operate in both Network Address Translator (NAT) and transparent modes. The FortiCache unit intercepts web page requests accepted by web cache policies, requests web pages from the web servers, caches the web page contents, and returns the web page contents to the users. When the FortiCache unit intercepts subsequent requests for cached web pages, the FortiGate unit contacts the destination web server just to check for changes.

Most commonly the topology uses a router to route HTTP and HTTPS traffic to be cached to one or more FortiCache units. Traffic that should not be cached bypasses the FortiCache units. This is a scalable topology that allows you to add more FortiCache units if usage increases.

Figure: Web caching topology with web traffic routed to FortiCache units

You can also configure reverse proxy web caching. In this configuration, users on the Internet browse to a web server installed behind a FortiCache unit. The FortiCache unit intercepts the web traffic (HTTP and HTTPS) and caches pages from the web server. Reverse proxy web caching on the FortiGate unit reduces the number of requests that the web server must handle, leaving it free to process new requests that it has not serviced before. Since all traffic is to be cached, the FortiCache unit can be installed in Transparent mode directly between the web server and the Internet.

Figure: Reverse proxy web caching topology

The reverse proxy configuration can also include a router to route web traffic to a group of FortiCache units operating in Transparent Mode. This is also a scalable solution for reverse proxy web caching.

Figure: Reverse proxy web caching topology with web traffic routed to FortiCache unit

When web objects and video are cached on the FortiCache hard disk, the FortiCache unit returns traffic to the client using the cached object from cache storage. The clients do not connect directly to the server. When web objects and video are not available on the FortiCache hard disk, the FortiCache unit forwards the request to the original server. If the HTTP response indicates it is a cacheable object, the object is forwarded to cache storage and the HTTP request is served from cache storage. Any other HTTP request for the same object will be served from cache storage as well. The FortiCache unit forwards HTTP responses that cannot be cached from the server back to the client that originated the HTTP request.

All non-HTTP traffic, and HTTP traffic that is not cached by FortiCache, will pass through the unit. HTTP traffic is not cached by the FortiCache unit if a web cache policy has not been added for it.

WCCP topologies

You can operate a FortiCache unit as a WCCP cache engine. As a cache engine, the FortiCache unit returns the required cached content to the client web browser. If the cache server does not have the required content, it accesses the content, caches it, and returns the content to the client web browser.

Figure: WCCP topology

WCCP is transparent to client web browsers. The web browsers do not have to be configured to use a web proxy.

FortiCache is now supported by FortiCache Manager.
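The request flow just described (cache hit served from storage, miss forwarded to the origin, cacheable responses stored, compressed and non-compressed copies kept as separate objects as noted under Concepts) as an added model in Python. This is an illustration written for this page, not Fortinet code; the cacheability rules, the origin stub and the URLs are constructed assumptions.

```python
import re
from dataclasses import dataclass


@dataclass
class Response:
    """An HTTP response as the cache sees it (header names kept lower-case)."""
    status: int
    headers: dict
    body: bytes
    from_cache: bool = False


def max_age(cache_control: str):
    """Return the max-age value from a Cache-Control header, or None if absent."""
    m = re.search(r"\bmax-age=(\d+)", cache_control)
    return int(m.group(1)) if m else None


def is_cacheable(resp: Response) -> bool:
    """Decide whether the HTTP response indicates a cacheable object.

    Simplified rules (an assumption of this example, not FortiCache's exact
    policy): only 200 responses; never when Cache-Control says no-store or
    private; max-age=0 means the stored copy would be stale immediately.
    """
    if resp.status != 200:
        return False
    cc = resp.headers.get("cache-control", "").lower()
    if "no-store" in cc or "private" in cc:
        return False
    age = max_age(cc)
    return age is None or age > 0


def cache_key(url: str, content_encoding: str) -> tuple:
    """Compressed and non-compressed copies of one URL are separate objects,
    so the encoding is part of the key ("identity" = not compressed)."""
    return (url, (content_encoding or "identity").lower())


class WebCache:
    """Serve from cache storage on a hit, otherwise forward to the origin."""

    def __init__(self, origin):
        self.origin = origin        # callable(url, request_headers) -> Response
        self.store = {}             # cache storage: key -> Response
        self.origin_fetches = 0     # how often the origin server was contacted

    def handle(self, url: str, request_headers: dict) -> Response:
        accepts = request_headers.get("accept-encoding", "").lower()
        # A gzip-capable client can be served either copy; any other client
        # can only be served the non-compressed one.
        candidates = [cache_key(url, "identity")]
        if "gzip" in accepts:
            candidates.insert(0, cache_key(url, "gzip"))
        for key in candidates:
            if key in self.store:
                hit = self.store[key]
                return Response(hit.status, dict(hit.headers), hit.body, from_cache=True)
        # Cache miss: forward the request to the origin server
        self.origin_fetches += 1
        resp = self.origin(url, request_headers)
        if is_cacheable(resp):
            self.store[cache_key(url, resp.headers.get("content-encoding", ""))] = resp
        return resp


def demo_origin(url: str, request_headers: dict) -> Response:
    """Constructed stand-in for an origin web server (not a real host)."""
    if url.endswith("/account"):
        return Response(200, {"cache-control": "private, max-age=60"}, b"balance")
    if "gzip" in request_headers.get("accept-encoding", "").lower():
        return Response(200, {"cache-control": "max-age=600",
                              "content-encoding": "gzip"}, b"<constructed gzip bytes>")
    return Response(200, {"cache-control": "max-age=600"}, b"<html>logo</html>")


def run_demo() -> dict:
    """Walk the flow: miss, separate compressed copy, hit, uncacheable object."""
    cache = WebCache(demo_origin)
    logo = "http://example.test/logo.html"
    gz_first = cache.handle(logo, {"accept-encoding": "gzip"})   # miss, gzip copy stored
    plain_first = cache.handle(logo, {})                          # miss, identity copy stored
    plain_again = cache.handle(logo, {})                          # hit
    gz_again = cache.handle(logo, {"accept-encoding": "gzip"})   # hit on the gzip copy
    cache.handle("http://example.test/account", {})               # private: fetched, not stored
    acct_again = cache.handle("http://example.test/account", {})  # fetched again
    return {
        "gz_first_from_cache": gz_first.from_cache,
        "plain_first_from_cache": plain_first.from_cache,
        "plain_again_from_cache": plain_again.from_cache,
        "gz_again_from_cache": gz_again.from_cache,
        "gz_again_encoding": gz_again.headers.get("content-encoding"),
        "account_from_cache": acct_again.from_cache,
        "stored_objects": len(cache.store),
        "origin_fetches": cache.origin_fetches,
    }


if __name__ == "__main__":
    print(run_demo())
```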

Content Analysis Service

FortiGuard Content Analysis Service is a licensed feature for the real-time analysis of images in order to detect adult content. Detection of adult content in images uses various patented techniques (not just color-based), including limb and body part detection, body position, etc. Once detected, such content can optionally be blocked or reported.

Please contact your Fortinet Account Manager should you require a trial of this service. You can purchase this service from support.fortinet.com. For configuration information, see Content Analysis on page 109.

System Administration

This section introduces you to system administration. It contains the following topics:
Working with system dashboards
Network settings
Configuration
Administration settings
Certificates

Working with system dashboards

The dashboard provides a quick look at the FortiCache system status. It provides a way to access information about network activity and events, as well as to configure basic system settings. The dashboard contains widgets that display information and provide access to various system functions. You can customize which widgets are available on the dashboard and how they operate.

To access the default dashboard, go to System > Dashboard > Status. Your browser must support JavaScript to view the dashboard. Administrators must have read and write privileges to configure dashboards and to add widgets to dashboards.

This section describes:
Managing dashboards
System information widget
License information widget
Unit operation widget
System resources widget
Alert message console widget
CLI console widget
Features widget
Interface history widget

Managing dashboards

Dashboards can be added, renamed, edited, and deleted, and widgets can be added to and removed from individual dashboards. You can add widgets to any dashboard and customize the configuration of most widgets. You cannot add the same widget more than once, except for the Interface History widget, which can be added as many times as required.

To add a new dashboard:
1. Go to System > Dashboard > Status.
2. Select Dashboard > Add Dashboard (located at the top of the dashboard screen).
3. Enter a name for the dashboard, select the number of columns, then select OK.
4. Select the new dashboard and select Widget to begin adding widgets to the dashboard.

Except for the Interface History widget, a widget can only appear a single time, regardless of how many dashboards are created.

To add widgets to a dashboard:
1. Go to System > Dashboard > Status.
2. Select a dashboard to add widgets to.
3. Select Widget (located at the top of the dashboard screen).
4. Select a widget to add to the dashboard. The pop-up window closes automatically.
5. Drag the widgets by their title bars to arrange them in the dashboard.
6. Optionally, customize widgets by selecting Edit (the pencil icon).

See also the following title bar options:
Open/Close arrow: Open or close the widget.
Widget Title: The name of the widget.
History: Select to show an expanded set of data. Only available for the Alert Message Console widget.

Detach: Convert the widget into a pop-up window detached from the main browser window that you can scale and move independently of the dashboard. Only available for the CLI Console widget.
Edit (pencil icon): Select to change widget settings.
Refresh (refresh icon): Select to refresh or update the information displayed by the widget. Not available on all widgets.
Close (X icon): Remove the widget from the dashboard.

To reset all dashboards to the factory default configuration:
Use the following procedure to remove all of the dashboards that you have added and reset the widget configuration of the default dashboard.
1. Go to System > Dashboard > Status.
2. Select Dashboard > Reset Dashboards and select OK in the confirmation dialog box.

System information widget

The System Information widget displays general system information, such as the FortiCache unit serial number, firmware version, host name, and system time. You can use this widget to change the system time, host name, firmware, and operation mode, and to change the password of the current administrator. You can also use this widget to back up and restore the configuration and to view current administrators.

You must register your unit with Fortinet Customer Support to access firmware updates for your model. For more information, go to or contact Fortinet Customer Service & Support.

Host Name: The host name of the current FortiCache unit. When you select Change, you are redirected to the Edit Host Name page. See Changing the host name on page 15.
Serial Number: The serial number of the FortiCache unit. The serial number is specific to that unit and does not change with firmware upgrades.
HA Status: The status of High Availability (HA) within the cluster. Standalone indicates that the FortiCache unit is not operating in HA mode. Active indicates that the FortiCache unit is operating in HA mode. Select Configure to change the HA configuration. See High availability on page 1.

System Time: The current date and time according to the FortiCache unit's internal clock. When you select Change, you are redirected to the Time Settings page where you can change the unit's system time. See Configuring system time on page 15.
Firmware Version: The version of the firmware currently installed on the FortiCache unit. When you select Update, you are redirected to the Firmware Update/Downgrade page. By installing an older firmware image, some system settings may be lost. You should always back up your configuration before changing the firmware image.
System Configuration: The date and time of the last configuration file backup. You can select Backup to back up the current configuration; when you select Backup, you are redirected to the Backup page. See Backing up the configuration on page 16. If you want to restore a configuration file, select Restore to be redirected to the Restore page. See Restoring your firmware configuration on page 17.
Operation Mode: The current operating mode of the FortiCache unit. A unit can operate in NAT mode or Transparent mode. Select Change to switch between NAT and Transparent mode.
Current Administrators: The name of the admin account that you have used to log into the FortiCache unit and the number of administrator accounts. If you are authenticated locally by password, not by PKI or remote authentication, you can select Change Password to change the password for this account. When you change the password, you are logged out and must log back in with the new password. See Changing the currently logged in administrator's password on page 17. Select Details to view more information about each administrator that is currently logged in. See Monitoring administrators on page 17.
Uptime: The time in days, hours, and minutes since the FortiCache unit was started.

Changing the host name

The host name appears in the Host Name row in the System Information widget and at the CLI prompt, and is used as the SNMP system name. The default host name is the FortiCache unit's serial number. Change the host name by selecting Change beside the host name field in the System Information dashboard widget.

Configuring system time

Use the following options to change the FortiCache unit's system time. Change the system time by selecting Change beside the system time field in the System Information dashboard widget.

Configure the following settings:
System Time: The current system date and time.
Refresh: Update the display of the current system date and time.
Time Zone: Select the FortiCache unit's time zone.
Set Time: Select to set the system date and time to the values you set in the Hour, Minute, Second, Year, Month, and Day fields.
Synchronize with NTP Server: Select to use a Network Time Protocol (NTP) server to automatically set the system date and time. Select Use FortiGuard Servers, or select Specify, then enter the server address and synchronization interval in the Server and Sync Interval fields. The interval can be 1 to 1440 minutes (default = 1 minute). FortiCache units use NTP Version 4. No RFC is currently available for NTP version 4. The RFC for NTP Version 3 is RFC . For more information about NTP, or to find an NTP server that you can use, see .
Enable NTP Server: Select to enable the NTP server, then select one or more interfaces from the Listen on Interfaces drop-down list.

Backing up the configuration

Administrators can back up the FortiCache unit's configuration file from the System Information widget. You can back up the firmware configuration file to a local computer, and also encrypt the configuration file for added security.

You should always back up your configuration whenever you are:
restoring the unit back to factory defaults
installing a patch release
installing a new firmware image
re-installing an earlier firmware image
rebooting the unit.

Configure the following settings:
Local PC: Select to back up the configuration file to a local management computer.
Encrypt configuration file: Select to set a password on the configuration file for added security. If you lose the password, the configuration file will not be accessible.

Password: Enter the password that will be used to restore the configuration file.
Confirm: Re-enter the password.

Restoring your firmware configuration

You can restore a configuration file that was created by a backup by selecting Restore in the System Configuration row of the System Information widget. If the configuration file was encrypted, you will need the password that was used to encrypt the configuration file.
Local PC: Select to restore the configuration file from the local computer.
Filename: Browse to the location of the backup file on your local hard disk.
Password: Enter the password that will be used to restore the configuration file.

Changing the currently logged in administrator's password

From within the System Information widget you can change your own admin account password by selecting Change Password in the Current Administrator row.
Administrator: The name of the administrator account.
Old Password: Enter the password that you usually use to log in.
New Password: Enter the new password that you will be using to log in.
Confirm Password: Enter the new password again.

Monitoring administrators

You can view detailed information about each administrator that is logged into the FortiCache unit from the System Information widget by selecting Details in the Current Administrator row.
Disconnect: Select to disconnect the selected administrators. This is available only if your admin profile gives you System Configuration write permission. You cannot log off the default admin user.
Refresh: Select to update the list.
Close: Select to close the window.
User Name: The administrator account name.

Access Profile: The access profile of the administrator.
Type: The type of access: http, https, jsconsole, sshv2.
From: If Type is jsconsole, the value in From is N/A. Otherwise, From contains the administrator's IP address.
Time: The date and time that the administrator logged on.

License information widget

The License Information widget displays the statuses of your licenses and FortiGuard subscriptions. It also allows you to update your device's registration status and FortiGuard definitions. You can update your registration status by selecting Update in the Registration Status row and loading the license file from a location on your management computer. You can update the antivirus definitions by selecting Update in the AV Definitions row. Selecting Configure in the Web Filtering or AntiVirus rows will take you to the FortiGuard Distribution Network page. See FortiGuard settings on page 1.

Manually updating FortiGuard definitions

You can update the definition files for a number of FortiGuard services from the License Information widget.

To update FortiGuard definitions manually:
1. Download the latest update files from the Fortinet support site and copy them to the computer that you use to connect to the GUI.
2. Log in to the GUI, locate the License Information widget, and in the AV Definitions row select Update.
3. Select Browse and locate the update file, or type the path and filename.
4. Select OK.
5. Verify that the update was successful by locating the License Information widget and viewing the date given in the row.

Unit operation widget

The Unit Operation widget shows the FortiCache unit's front panel and displays the status of the unit's front panel network interfaces. If a network interface is green, that interface is connected.
1 / 2 / 3 / 4 etc.: The network interfaces on the unit. The names and number of these interfaces vary by model. The icon below the interface name indicates its up/down status by color. Green indicates the interface is connected. Gray indicates there is no connection. For more information about the configuration and status of an interface, pause the mouse pointer over the icon for that interface.

System resources widget

The System Resources widget displays the FortiCache unit's percent CPU and memory usage. The CPU usage can be viewed per CPU. You can also view historical system usage graphs. If you select Reboot or Shutdown, a pop-up window opens allowing you to enter the reason for the system event. Your reason will be added to the log message that is included in the event-system log.

Powering off a FortiCache unit before shutting it down may corrupt its configuration. Use the shutdown options here or in the CLI to make sure that proper shutdown procedures are followed to prevent any loss of configuration.

Edit: Select to configure the widget. See Configure the system resource widget on page 19.
CPU Usage: The CPU usage percent displayed graphically and in text.
Memory Usage: The memory usage percent displayed graphically and in text.
Disk Usage: The disk usage percent displayed graphically and in text.
Reboot: Select to shut down and restart the unit. You will be prompted to enter a reason for the reboot that will be entered into the logs.
Shutdown: Select to shut down the unit. You will be prompted for confirmation, and also prompted to enter a reason for the shutdown that will be entered into the logs.

Configure the system resource widget

To configure the system resource widget, select Edit in the widget title bar to open the Custom System Resource Display window. Configure the following settings:
Custom Widget Name: Enter a custom widget name to change the name of the widget.
Chart Color: Change the color of the data shown on the charts. To reset to the default color, select Reset. This option is only available when View Type is set to Historical.
Multi-core CPU display: Select Average to view the CPU usage for all cores, or select Each Core to view the usage for each core individually.

View Type: Select Real Time to view real-time CPU and memory usage data, or select Historical to view historical usage data.
Time Period: Select the time period for the displayed data from the drop-down list. The options are: Last minute, Last 10 minutes, Last 30 minutes, Last 60 minutes, Last 12 hours, and Last 24 hours. This option is only available when View Type is set to Historical.

Reclaimable memory and improved memory debugging

For optimal disk performance, memory is used as a temporary cache for objects before they are written to disk. This means that Memory Usage can appear to be close to 100%; however, this memory is reclaimable at any time if it is required for system processes. As of version 4.2, this reclaimable memory is highlighted in the GUI, and CLI commands have been introduced to aid in debugging.

To enable debugging of memory status, in cases of high memory usage and to confirm there is no issue, use the following two CLI commands to show memory utilization by each WAD worker and the cache-service memory usage:
diagnose wad memory stats {basic | misc}
diagnose wad {worker | csvc} memory stats {basic | misc}

The TAC report generated by exe tac report has been changed to include the WAD memory usage stats.

Alert message console widget

The Alert Message Console widget displays log-based alert messages for the FortiCache unit. Alert messages help you track system events on your FortiCache unit, such as firmware changes. Each message shows the date and time that the event occurred.

Alert message history

The widget displays only the most recent alerts. For a complete list of unacknowledged alert messages, select the History icon in the widget's title bar to open the Alert Message Console history pop-up window. To clear the list, select Clear Alert Messages.

Custom alert display

Select the Edit icon in the title bar to open the Custom Alert Display dialog box. Configure the following settings, then select OK to apply your changes.

Custom Widget Name: Enter a custom widget name to change the name of the widget.
Display the following message on the alert console: Select the types of messages that are displayed on the alert console. The options include:
System shutdown and restart
Firmware upgrade and downgrade
Conserve mode
Updates from FortiGuard
Device found or lost
FortiCloud quota details
Log disk failure
Power supply events
Admin authentication failures
FortiGuard security alerts
Policy configuration errors
Number of alerts to display on the dashboard: Select the number of alerts that are displayed in the dashboard widget from the drop-down list. Options include: 10, 20, 30, 40, 50, 60, 70, 80, 90, and 100.

CLI console widget

The CLI Console widget allows you to access the FortiCache CLI from the GUI. This widget can also be customized, providing greater flexibility in how the CLI Console appears to administrators. The two controls located on the CLI Console widget title bar are Edit and Detach.

Detach: Move the CLI Console widget into a separate browser window that you can resize and reposition. The two controls on the detached CLI Console are Customize and Attach. Attach moves the widget back to the dashboard's page.
Edit or Customize: Change the appearance of the console by defining fonts and colors for the text and background. The Console Preferences window provides settings for modifying the widget's appearance and font, and the option to include an external command input box.

Configure the following settings:
Preview: A preview of your changes to the CLI Console's appearance.
Text: Select the current color swatch next to this label, then select a color from the color palette to the right to change the color of the text in the console.
Background: Select the current color swatch next to this label, then select a color from the color palette to the right to change the color of the background in the console.
Use external command input box: Select to display a command input field below the normal console emulation area. When this option is enabled, you can enter commands by typing them into either the console emulation area or the external command input field.
Console buffer length: Enter the number of lines the console buffer keeps in memory. Valid numbers range from 20 to .
Font: Select a font from the list to change the display font of the CLI Console.
Size: Select the size of the font. The default size is 10 points.
Reset Defaults: Select to reset all values to their default values.

Features widget

The Features widget allows you to disable or enable a collection of FortiCache features. Disabled features are not shown in the GUI. Select the On/Off button to turn the feature off or on, respectively.

More options can also be disabled by selecting the edit button in the widget title bar to open the Feature Settings window. See.

Interface history widget

The Interface History widget shows the traffic on one selected interface over three specified time periods. This feature can help you locate peaks in traffic that you need to address, as well as their frequency and duration. Only one interface can be monitored per widget, but multiple history widgets can be added to the dashboards. You can change the interface being monitored by selecting Edit. All traffic history data is cleared when you select Apply. Hovering the cursor over a section of the graph will give you specific details on the traffic in and out of the selected port.

Select Edit in this widget's title bar to open the Traffic History Settings window. Configure the following settings, then select OK to save your changes:
Custom Widget Name: Enter a new name for the widget. This is optional.
Select Network Interface: Select one of the FortiCache unit's interfaces from the drop-down list. The widget displays the traffic occurring on the interface you choose.
Enable Refresh: Select to enable the information to refresh.
Time Period 0: The time period for the first line chart. Enter a number in the first field, then select Hour(s), Minute(s), or Day(s) from the drop-down list beside the field. Use zero to disable the time period.
Time Period 1: The time period for the second line chart. Enter a number in the first field, then select Hour(s), Minute(s), or Day(s) from the drop-down list beside the field. Use zero to disable the time period.
Time Period 2: The time period for the third line chart. Enter a number in the first field, then select Hour(s), Minute(s), or Day(s) from the drop-down list beside the field. Use zero to disable the time period.

Network settings

The Network menu allows you to configure the unit to operate on the network. This menu provides features for configuring and viewing basic network settings, such as the unit's interfaces, Domain Name System (DNS) options, and routing table.

This section describes:
Interfaces
DNS settings
Routing table

Unless stated otherwise, the term interface refers to a physical FortiCache interface.

Interfaces

In System > Network > Interfaces, you can configure the interfaces that handle incoming and outgoing traffic. The following information is available:

Create New: Select to create a new interface.
Edit: Modifies settings within the interface. When you select Edit, you are automatically redirected to the Edit Interface page.
Delete: Removes an interface from the list. To remove multiple interfaces, select the check box in each row of the interfaces you want removed, then select Delete. To remove all interfaces from the list, select the check box in the check box column and then select Delete.
Column Settings: Select to change the columns that are displayed on the interface list.
Name: The names of the physical interfaces on your FortiCache unit. This includes any alias names that have been configured.
Type: The type of the interface.
IP/Netmask: The current IP address/netmask of the interface. When IPv6 Support is enabled on the GUI, IPv6 addresses may be displayed in this column.
Access: The administrative access configuration for the interface.

Administrative Status: The administrative status for the interface. A green arrow means the interface is up and can accept network traffic; a red arrow means the interface is administratively down and cannot accept traffic. To change the administrative status of an interface, select the Edit icon to edit the interface and change its Administrative Status setting.
Link Status: The status of the interface's physical connection, either up or down. If the link status is up, there is an active physical connection between the physical interface and a network switch. If the link status is down, the interface is not connected to the network or there is a problem with the connection. You cannot change link status from the GUI. Link status is only displayed for physical interfaces.
MTU: The maximum number of bytes per transmission unit (MTU) for the interface.
Mode: The addressing mode of the interface. The addressing mode can be manual, DHCP, or PPPoE.
Secondary IP: The secondary IP addresses added to the interface.
Ref.: The number of times the object is referenced by other objects. To view the location of the referenced object, select the number in Ref.; the Object Usage window appears and displays the various locations of the referenced object.

Interface settings

Selecting Create New opens the New Interface page, which provides settings for configuring a new interface. Selecting an interface from the interface list opens the Edit Interface page. Configure the following settings:

Name: Enter a name for the interface. Physical interface names cannot be changed.
Alias: Enter an alternate name for a physical interface on the FortiCache unit. The alias can be a maximum of 25 characters. The alias name does not appear in logs. This field appears when editing an existing physical interface.
Link Status: Indicates whether the interface is connected to a network (link status is Up) or not (link status is Down). This field appears when editing an existing physical interface.
Type: Select the type of interface you want to add from the drop-down list. The options are 802.3ad Aggregate, Redundant Interface, Loopback Interface, and Software Switch. You cannot change the interface type except when adding a new interface.
Dedicated Management Port: Dedicate an interface for management to simplify configuration in transparent network deployments. This includes the ability to specify Trusted Hosts. See below.
Physical Interface Members: This section has two different forms depending on the interface type. Software switch interface: a display-only field showing the interfaces that belong to the software switch virtual interface. 802.3ad aggregate interface: select interfaces from the drop-down list, and add more interfaces as required.
Addressing mode: The only addressing mode available on FortiCache units is Manual. If IPv6 configuration is enabled, you can add both an IPv4 and an IPv6 address.
IP/Netmask: Enter an IPv4 address/subnet mask for the interface. FortiCache interfaces cannot have IP addresses on the same subnet.
IPv6 Address: If IPv6 support is enabled on the GUI, enter an IPv6 address/subnet mask for the interface. A single interface can have both an IPv4 and an IPv6 address, or just one or the other.
Enable Explicit Web Proxy: Select to enable explicit web proxying on this interface. When enabled, this interface is displayed on System > Network > Web Proxy under Listen on Interfaces, and web traffic on this interface is proxied according to the Web Proxy settings.

Override Default MTU Value: To change the MTU, select Override default MTU value (1500) and enter the MTU size based on the addressing mode of the interface:
  68 to bytes for static mode
  576 to bytes for DHCP mode
  576 to bytes for PPPoE mode
  larger frame sizes if supported by the FortiCache model
  Only available on physical interfaces. Virtual interfaces associated with a physical interface inherit the physical interface MTU size. In Transparent mode, if you change the MTU of an interface, you must change the MTU of all interfaces to match the new MTU. This option is not available if Type is set to Loopback Interface.
Administrative Access / IPv6 Administrative Access: Select the types of administrative access permitted for IPv4/IPv6 connections to this interface.
  HTTPS: Allow secure HTTPS connections to the GUI through this interface.
  PING: The interface responds to pings. Use this setting to verify your installation and for testing.
  HTTP: Allow HTTP connections to the GUI through this interface. HTTP connections are not secure and can be intercepted by a third party.
  FMG-Access: Allow FortiCache Manager access on this interface.
  SSH: Allow SSH connections to the CLI through this interface.
  SNMP: Allow a remote SNMP manager to request SNMP information by connecting to this interface.
  TELNET: Allow Telnet connections to the CLI through this interface. Telnet connections are not secure and can be intercepted by a third party.
Enable Explicit Web Proxy: Select to enable explicit web proxy on the interface.
Listen for RADIUS Accounting Messages: Select to listen for Remote Authentication Dial-In User Service (RADIUS) accounting messages on the interface.
Secondary IP Address: Add additional IPv4 addresses to this interface.
Comments: Enter a description of up to 63 characters to describe the interface.
Administrative Status: Select either Up (green arrow) or Down (red arrow) as the status of this interface. Up indicates the interface is active and can accept network traffic. Down indicates the interface is not active and cannot accept traffic.

Dedicated management interface

The ability to dedicate an interface for management simplifies configuration in transparent network deployments. The management interface can be fixed to an interface and a specific routing policy defined, separate from the transparent bridge. IPv6 is supported.

To dedicate an interface to management:
1. Go to System > Network > Interfaces.
2. Select an interface to edit, and enable Dedicated Management Port.
3. If necessary, specify Trusted Hosts.

DNS settings

Several FortiCache functions use DNS, including alert email. You can specify the IP addresses of the DNS servers to which your unit connects. DNS server IP addresses are usually supplied by your ISP. To configure DNS settings, select System > Network > DNS. Configure the following settings:

Primary DNS Server: Enter the primary DNS server IP address.
Secondary DNS Server: Enter the secondary DNS server IP address.
Local Domain Name: Enter the domain name to append to addresses with no domain portion when performing DNS lookups.

Routing table

If the unit is operating in Transparent mode, you can go to System > Network > Routing Table to add static routes to control the flow of traffic through the unit.

Create New: Creates a new static or IPv6 route.
Edit: Modifies settings within the static route.
Delete: Removes a static route from the list. To remove multiple static routes, select the check box in each row of the routes you want removed, then select Delete. To remove all static routes from the list, select the check box in the check box column and then select Delete.
Column Settings: Select to add, remove, or change the order of information columns. By default, the Priority and Distance columns are not displayed.
IP/Netmask: The destination IP addresses and network masks of packets that the FortiCache unit intercepts.

Gateway: The IP addresses of the next-hop routers to which intercepted packets are forwarded.
Device: The interface or port number the static route is configured on.
Comment: A description of the route (optional).
Distance: The number of hops from the static route to the configured gateway. Routes with the same distance are treated as equal-cost multi-path (ECMP).
Priority: A number for the priority of the static route. Routes with a larger number have a lower priority. Routes with the same priority are treated as ECMP.

Adding a static route

Selecting Create New opens the New Static Route page, which provides settings for configuring a new static route. Selecting a route from the route list opens the Edit Static Route page.

Destination IP/Mask: Enter the IP address and netmask of the new static route. To create a default route, set the IP and netmask to /
Device: Select the static route's interface or port number.
Gateway: Enter the gateway IP address for the packets that you intend the unit to intercept.
Administrative Distance: Enter a number to determine the cost of the route. When multiple paths exist to the same destination, smaller distances are preferred.
Comments: Enter a description of up to 63 characters to describe the new route.
Advanced Options: Select to show the Priority option.
Priority: Enter a number for the priority of the static route. Routes with a larger number have a lower priority.

Configuration

This section provides features for configuring and viewing advanced network settings, such as HA cluster and interface settings, SNMPv1/v2 and v3, FortiGuard Web Filtering settings, replacement messages, and messaging servers.

This section describes:
High availability
SNMP settings
Replacement messages

FortiGuard settings
Disk management
Features

High availability

FortiCache HA provides a system management solution which synchronizes configuration changes among the cluster members. You can fine-tune the performance of the HA cluster to change how a cluster forms and shares information among cluster members.

The HA heartbeat keeps cluster units communicating with each other. The heartbeat consists of hello packets that are sent at regular intervals by the heartbeat interface of all cluster units. These hello packets describe the state of the cluster unit and are used by other cluster units to keep all the units synchronized. HA heartbeat packets are non-TCP packets that use Ethertype values 0x8890, 0x8891, and 0x8893. The default time interval between HA heartbeats is 200 ms.

Your FortiCache can be configured as a Standalone unit, or you can pair multiple FortiCache devices in an Active-Active HA cluster for load balancing and failover protection. To configure HA and cluster settings, or to view the cluster member list, select System > Config > HA. Configure the following settings:

Mode: Select Standalone or Active-Active from the drop-down menu.
Device Priority: You can set a different device priority for each cluster member to control the order in which cluster units become the primary unit when the primary unit fails. The device with the highest device priority becomes the primary unit. The default value is 128.
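The heartbeat frames described above are plain layer-2 frames, so anyone monitoring the heartbeat segment can pick them out by EtherType alone. The following is an added example (not FortiCache code) that classifies captured frames by the three EtherTypes the guide lists and flags a cluster member whose heartbeats stop arriving at the default 200 ms cadence; the MAC addresses, frames and timestamps are constructed.

```python
"""Identify FortiCache HA heartbeat frames in a capture and flag missed heartbeats.
Added example, not Fortinet code. The EtherTypes (0x8890, 0x8891, 0x8893) and the
200 ms default interval come from the guide; the frames, MAC addresses and
timestamps below are constructed sample data."""
import struct

HA_ETHERTYPES = {0x8890, 0x8891, 0x8893}   # layer-2 heartbeat frames, not TCP/IP
DEFAULT_HB_INTERVAL_S = 0.200               # default time between heartbeats


def bpf_filter():
    """tcpdump/Wireshark capture filter that keeps only HA heartbeat frames."""
    return " or ".join(f"ether proto 0x{t:04x}" for t in sorted(HA_ETHERTYPES))


def build_frame(dst, src, ethertype, payload=b""):
    """Ethernet II frame: 6-byte dst, 6-byte src, 2-byte EtherType, payload."""
    return struct.pack("!6s6sH", dst, src, ethertype) + payload


def parse_ethernet(frame):
    """Return (dst, src, ethertype, payload); raise on a truncated header."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a 14-byte Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    return dst, src, etype, frame[14:]


def mac_str(mac):
    return ":".join(f"{b:02x}" for b in mac)


def is_ha_heartbeat(frame):
    return parse_ethernet(frame)[2] in HA_ETHERTYPES


def heartbeat_sources(frames):
    """Map each heartbeat source MAC to its frame count; non-heartbeat frames
    are counted under 'other'. Unexpected sources on the heartbeat segment
    are worth a look, since the cluster password is the only pairing control."""
    counts = {}
    for frame in frames:
        _, src, etype, _ = parse_ethernet(frame)
        key = mac_str(src) if etype in HA_ETHERTYPES else "other"
        counts[key] = counts.get(key, 0) + 1
    return counts


def find_heartbeat_gaps(timestamped, interval=DEFAULT_HB_INTERVAL_S, missed=3):
    """Return [(src_mac, gap_seconds)] for consecutive heartbeats from one source
    separated by more than `missed` intervals: that member may be losing its
    heartbeat interface, and the guide notes the cluster stops passing traffic
    if heartbeat communication is interrupted."""
    last, gaps = {}, []
    for ts, frame in sorted(timestamped, key=lambda item: item[0]):
        _, src, etype, _ = parse_ethernet(frame)
        if etype not in HA_ETHERTYPES:
            continue
        key = mac_str(src)
        if key in last and ts - last[key] > missed * interval:
            gaps.append((key, round(ts - last[key], 3)))
        last[key] = ts
    return gaps


# Constructed sample: two cluster members (locally administered MACs) sending
# heartbeats every 200 ms; member B goes quiet for 1 s; one IPv4 frame mixed in.
BCAST = b"\xff" * 6
MEMBER_A = b"\x02\x00\x00\x00\x00\x01"
MEMBER_B = b"\x02\x00\x00\x00\x00\x02"
SAMPLE = (
    [(round(i * 0.2, 1), build_frame(BCAST, MEMBER_A, 0x8890)) for i in range(6)]
    + [(0.0, build_frame(BCAST, MEMBER_B, 0x8890)),
       (0.2, build_frame(BCAST, MEMBER_B, 0x8891)),
       (1.2, build_frame(BCAST, MEMBER_B, 0x8890))]
    + [(0.3, build_frame(MEMBER_A, MEMBER_B, 0x0800, b"\x45" + b"\x00" * 19))]
)

if __name__ == "__main__":
    print("capture filter:", bpf_filter())
    print(heartbeat_sources([f for _, f in SAMPLE]))
    print(find_heartbeat_gaps(SAMPLE))
```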

Cluster Settings
Group Name: Use the group name to identify the cluster.
Password: Enter a password to identify the HA cluster. The maximum password length is 15 characters. The password must be the same on all cluster FortiCache units before they can form the HA cluster. The default is no password. When the cluster is operating, you can add a password, if required. Two clusters on the same network must have different passwords.
Port Monitor: Select the specific ports to monitor.
Heartbeat Interface: Select to enable or disable HA heartbeat communication for each interface in the cluster, then set the heartbeat interface priority. The heartbeat interface with the highest priority processes all heartbeat traffic. You must select at least one heartbeat interface. If the interface functioning as the heartbeat fails, the heartbeat is transferred to another interface configured as a heartbeat interface. If heartbeat communication is interrupted, the cluster stops processing traffic. Priority ranges from 0 to 512.

Cache Collaboration

Prior to 4.2, when deployed in a cluster, and depending on the deployed architecture, requests for the same URL might hit each cache device and be cached separately on each. Methods were available to mitigate this through load balancing with FortiADC or WCCP. FortiCache 4.2 introduces the Cache Collaboration feature, where the storage of all devices within the FortiCache HA cluster is accessible as a shared entity. This allows content cached by one device to be shared by the other FortiCache devices within the cluster, significantly increasing the cache rate.

CLI syntax

config wanopt cache-service
    set prefer-senario {balance | prefer-speed | prefer-cache}    Default is balance.
    set cluster {enable | disable}    Default is disable.
    set device-id <name>
    set acceptable-cluster {any | peers}    Default is any.
end

SNMP settings

The Simple Network Management Protocol (SNMP) allows you to monitor hardware on your network. You can configure the hardware, such as the FortiCache SNMP agent, to report system information and traps. SNMP traps alert you to events that happen, such as a log disk becoming full or a virus being detected. These traps are sent to the SNMP managers. An SNMP manager (or host) is typically a computer running an application that can read the incoming traps and event messages from the agent, and send out SNMP queries to the SNMP agents. A FortiManager unit can act as an SNMP manager to one or more FortiCache units.

By using an SNMP manager, you can access SNMP traps and data from any FortiCache interface configured for SNMP management access. Part of configuring an SNMP manager is to list it as a host in a community on the FortiCache unit it will be monitoring. Otherwise, the SNMP manager will not receive any traps from, and will be unable to query, that FortiCache unit.

When using SNMP, you must also ensure you have added the correct Management Information Base (MIB) files to the unit, regardless of whether or not your SNMP manager already includes standard and private MIBs in a ready-to-use, compiled database. A MIB is a text file that describes a list of SNMP data objects used by the SNMP manager. See for more information.

The FortiCache SNMP implementation is read-only. SNMP v1, v2c, and v3 compliant SNMP managers have read-only access to FortiCache system information through queries, and can receive trap messages from the unit. The FortiCache SNMP v3 implementation includes support for queries, traps, authentication, and privacy. Authentication and encryption are configured in the CLI. Version supports Low crypto (LENC) mode for LENC models.

SNMP configuration

Before a remote SNMP manager can connect to the FortiCache agent, you must configure one or more FortiCache interfaces to accept SNMP connections. Interfaces are configured in System > Network > Interfaces; see Interfaces.

For security reasons, it is recommended that neither public nor private be used as SNMP community names.

When the unit is in virtual domain mode, SNMP traps can only be sent on interfaces in the management virtual domain. To allow SNMP access on an interface, go to System > Network > Interfaces and select SNMP in the Administrative Access field in the settings for the interface that you want the SNMP manager to connect to.

The following are the SNMP configuration settings in System > Config > SNMP.

Configure the following settings:

SNMP Agent: Enable the FortiCache SNMP agent.
Description: Enter descriptive information about the unit. The description can be up to 35 characters long.
Location: Enter the physical location of the unit. The system location description can be up to 35 characters long.
Contact: Enter the contact information for the person responsible for this unit. The contact information can be up to 35 characters.
Apply: Saves changes made to the description, location, and contact information.
SNMP v1/v2c: Lists the communities for SNMP v1/v2c. From within this section you can create, edit, or remove SNMP communities.
  Create New: Creates a new SNMP community. When you select Create New, you are automatically redirected to the New SNMP Community page. See.
  Edit: Modifies settings within an SNMP community. When you select Edit, you are automatically redirected to the Edit SNMP Community page.
  Delete: Removes an SNMP community from the list. To remove multiple SNMP communities from the list, select all the rows you want removed, then select Delete. To remove all communities from the list, select the check box in the check box column and then select Delete.
  Community Name: The name of the community.
  Queries: Indicates whether the query protocols (v1 and v2c) are enabled or disabled. A green checkmark indicates that queries are enabled; a gray x indicates that queries are disabled. If one query protocol is disabled and the other enabled, a green checkmark is still shown.

  Traps: Indicates whether the trap protocols (v1 and v2c) are enabled or disabled. A green checkmark indicates that traps are enabled; a gray x indicates that traps are disabled. If one trap protocol is disabled and the other enabled, a green checkmark is still shown.
  Enable: Select the check box to enable or disable the community.
SNMP v3: Lists the SNMPv3 users. From within this section, you can create, edit, or remove an SNMPv3 user.
  Create New: Creates a new SNMPv3 user. When you select Create New, you are automatically redirected to the Create New SNMPv3 User page.
  Edit: Modifies settings within the SNMPv3 user. When you select Edit, you are automatically redirected to the Edit SNMPv3 User page.
  Delete: Removes an SNMPv3 user from the page. To remove multiple SNMPv3 users from the list, select all the rows you want removed, then select Delete. To remove all users from the list, select the check box in the check box column and then select Delete.
  User Name: The name of the SNMPv3 user.
  Security Level: The security level of the user.
  Notification Host: The IP address or addresses of the host.
  Queries: Indicates whether queries are enabled or disabled. A green checkmark indicates that queries are enabled; a gray x indicates that queries are disabled.
FortiCache SNMP MIB: Download the FortiCache MIB file by selecting Download FortiCache MIB File. See Fortinet MIBs on page 38.

SNMP agent

The FortiCache SNMP agent must be enabled before configuring other SNMP options. Enter information about the FortiCache unit to identify it, so that when your SNMP manager receives traps from the FortiCache unit, you will know which unit sent the information.

To configure the SNMP agent:
1. Go to System > Config > SNMP.
2. Enable the SNMP agent by selecting Enable in the SNMP Agent field.
3. Enter a descriptive name for the agent and the location of the FortiCache unit.
4. Enter a contact or administrator for the SNMP Agent or FortiCache unit.
5. Select Apply.

To configure the SNMP agent with the CLI, enter the following CLI commands:

config system snmp sysinfo
    set status enable
    set contact-info <contact_information>
    set description <description_of_forticache>
    set location <FortiCache_location>
end

Manage SNMP communities

An SNMP community is a grouping of devices for network administration purposes. Within that SNMP community, devices can communicate by sending and receiving traps and other information. One device can belong to multiple communities, such as one administrator terminal monitoring both a firewall SNMP community and a printer SNMP community.

Add SNMP communities to your FortiCache unit so that SNMP managers can view system information and receive SNMP traps. You can add up to three SNMP communities. Each community can have a different configuration for SNMP queries and traps, and can be configured to monitor the FortiCache unit for a different set of events. You can also add the IP addresses of up to 8 SNMP managers to each community.

Selecting Create New on the SNMP v1/v2c table opens the New SNMP Community page, which provides settings for configuring a new SNMP community. Selecting a community from the list opens the Edit SNMP Community page. Configure the following settings:

Community Name: Enter a name to identify the SNMP community.
Hosts: Settings for configuring the hosts of an SNMP community.
  IP Address / Netmask: Enter the IP address / netmask of the SNMP managers that can use the settings in this SNMP community to monitor the unit. You can also set the IP address to so that any SNMP manager can use this SNMP community.
  Interface: Optionally select the name of the interface that this SNMP manager uses to connect to the unit. You only have to select the interface if the SNMP manager is not on the same subnet as the unit. This can occur if the SNMP manager is on the Internet or behind a router.
  Delete: Removes an SNMP manager from the list within the Hosts section.
  Add: Select to add a blank line to the Hosts list. You can add up to eight SNMP managers to a single community.
Queries: Settings for configuring ports for both v1 and v2c.
  Protocol: The SNMP protocol.
  Port: Enter the port number (161 by default) that the SNMP managers in this community use for SNMP v1 and SNMP v2c queries to receive configuration information from the unit. The SNMP client software and the unit must use the same port for queries.
  Enable: Select to activate queries for the SNMP version.
Traps: Settings for configuring local and remote ports for both v1 and v2c.
  Protocol: The SNMP protocol.
  Local: Enter the local port number (162 by default) that the unit uses to send SNMP v1 or SNMP v2c traps to the SNMP managers in this community. The SNMP client software and the unit must use the same port for traps.
  Remote: Enter the remote port number (162 by default) that the unit uses to send SNMP traps to the SNMP managers in this community. The SNMP client software and the unit must use the same port for traps.
  Enable: Select to activate traps for each SNMP version.

SNMP Event: Enable each SNMP event for which the unit should send traps to the SNMP managers in this community. Notes:
  The CPU Overusage trap's sensitivity is slightly reduced by spreading values out over 8 polling cycles. This prevents sharp spikes due to CPU-intensive short-term events such as changing a policy.
  The Power Supply Failure event trap is available only on some models.
  The AMC interfaces enter bypass mode event trap is available only on models that support AMC modules.
  As of FortiCache 4.1.0, a new SNMP trap has been added to allow monitoring for disk failure.

Manage SNMP v3 users

Selecting Create New on the SNMP v3 table opens the Create New SNMP V3 User page, which provides settings for configuring a new SNMP v3 user. Selecting a user name from the user list opens the Edit SNMP V3 User page. Configure the following settings:

User Name: Enter the name of the user.
Security Level: Select the type of security level the user will have. The options are: No Authentication, No Private; Authentication, No Private; Authentication, Private.

Auth Algorithm: Select an authentication algorithm from the drop-down list, either MD5 or SHA1. Enter a password in the requisite Password field. This option is not available if the security level is set to No Authentication, No Private.
Private Algorithm: Select a private algorithm from the drop-down list, either AES or DES. Enter a password in the requisite Password field. This option is only available if the security level is set to Authentication, Private.
Notification Host: Enter the IP address of the notification host. If you want to add more than one host, select the plus sign to add another host. Up to 16 hosts can be added.
Enable Query: Select to enable or disable the query. By default, the query is enabled. Enter the port number in the Port field (161 by default).
Events: Select the SNMP events that will be associated with the user.

Fortinet MIBs

The FortiCache SNMP agent supports Fortinet proprietary MIBs, as well as standard RFC 1213 and RFC 2665 MIBs. RFC support includes the parts of RFC 2665 (Ethernet-like MIB) and the parts of RFC 1213 (MIB II) that apply to FortiCache unit configuration.

There are two MIB files for FortiCache units; both files are required for proper SNMP data collection:
The Fortinet MIB: contains traps, fields, and information that is common to all Fortinet products.
The FortiCache MIB: contains traps, fields, and information that is specific to FortiCache units.

The Fortinet and FortiCache MIB files are available for download on the Fortinet Customer Support site. Each Fortinet product has its own MIB; if you use other Fortinet products, you need to download their MIB files as well. The Fortinet MIB and FortiCache MIB, along with the two RFC MIBs, are listed in. To download the MIB files, go to System > Config > SNMP and select a MIB link in the FortiCache SNMP MIB section. See.

Your SNMP manager may already include standard and private MIBs in a compiled database that is ready to use. You must add the Fortinet proprietary MIB to this database to have access to the Fortinet-specific information. MIB files are updated for each version of FortiCache. When upgrading the firmware, ensure that you also update the Fortinet FortiCache MIB file compiled in your SNMP manager.
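The community and SNMPv3 user settings described above are what an auditor checks when reviewing a unit's SNMP exposure: guessable community names, host entries that admit any manager, and v3 users below the Authentication, Private level. The following is an added example (not Fortinet code) that parses a FortiCache-style CLI dump and reports those findings. The config text is constructed; only the config system snmp sysinfo block appears in the guide, while the community and user blocks use FortiOS-style keys (config system snmp community / user, config hosts, security-level, auth-proto, priv-proto) that are assumed here.

```python
"""Audit a FortiCache-style SNMP configuration for weak settings. Added example,
not Fortinet code. The CLI dump below is constructed; 'config system snmp sysinfo'
is the syntax shown in the guide, while the community/user blocks use FortiOS-style
keys and are an assumption about the FortiCache CLI."""
import shlex

SAMPLE_CONFIG = """\
config system snmp sysinfo
    set status enable
    set description "forticache-edge-1"
end
config system snmp community
    edit 1
        set name "public"
        config hosts
            edit 1
                set ip 0.0.0.0 0.0.0.0
            next
        end
    next
    edit 2
        set name "nms-ro-7Hq"
        config hosts
            edit 1
                set ip 10.10.5.20 255.255.255.255
            next
        end
    next
end
config system snmp user
    edit "nms-v3"
        set security-level auth-priv
        set auth-proto sha
        set priv-proto aes
    next
    edit "legacy-v3"
        set security-level no-auth-no-priv
    next
end
"""


def parse_cli(text):
    """Parse Fortinet-style config/edit/set/next/end blocks into nested dicts.
    'config a b' -> {'a b': {...}}, 'edit X' -> {'X': {...}}, 'set k v ...' -> k: [v, ...]."""
    root, stack, cur = {}, [], None
    cur = root
    for raw in text.splitlines():
        tokens = shlex.split(raw)          # handles the quoted values
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        if keyword in ("config", "edit"):
            child = {}
            cur[" ".join(args)] = child
            stack.append(cur)
            cur = child
        elif keyword == "set":
            cur[args[0]] = args[1:]
        elif keyword in ("next", "end"):
            cur = stack.pop()
    return root


def audit_snmp(cfg):
    """Return a list of (severity, message) findings for the parsed config."""
    findings = []
    sysinfo = cfg.get("system snmp sysinfo", {})
    if sysinfo.get("status", ["disable"])[0] != "enable":
        return [("info", "SNMP agent disabled; nothing else to audit")]
    for cid, comm in cfg.get("system snmp community", {}).items():
        name = comm.get("name", [""])[0]
        if name.lower() in ("public", "private"):   # the guide advises against both
            findings.append(("high", f"community {cid}: guessable name '{name}'"))
        for hid, host in comm.get("hosts", {}).items():
            if host.get("ip", ["0.0.0.0"])[0] == "0.0.0.0":
                findings.append(("high", f"community {cid} host {hid}: any manager may query"))
    for uname, user in cfg.get("system snmp user", {}).items():
        level = user.get("security-level", ["no-auth-no-priv"])[0]
        if level != "auth-priv":                    # Authentication, Private is the strongest level
            findings.append(("high", f"v3 user {uname}: security level {level}"))
        if user.get("auth-proto", ["sha"])[0] == "md5":
            findings.append(("medium", f"v3 user {uname}: MD5 authentication, prefer SHA1"))
        if user.get("priv-proto", ["aes"])[0] == "des":
            findings.append(("medium", f"v3 user {uname}: DES privacy, prefer AES"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_snmp(parse_cli(SAMPLE_CONFIG)):
        print(f"[{severity}] {message}")
```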

MIB file name or RFC: Description
FORTINET-CORE-MIB.mib: The Fortinet MIB includes all system configuration information and trap information that is common to all Fortinet products. Your SNMP manager requires this information to monitor FortiCache unit configuration settings and receive traps from the FortiCache SNMP agent.
FORTINET-FORTICACHE-MIB.mib: The FortiCache MIB includes all system configuration information and trap information that is specific to FortiCache units. Your SNMP manager requires this information to monitor FortiCache configuration settings and receive traps from the FortiCache SNMP agent. FortiManager systems require this MIB to monitor FortiCache units.
RFC-1213 (MIB II): The FortiCache SNMP agent supports the majority of MIB II OIDs.
RFC-2665 (Ethernet-like MIB): The FortiCache SNMP agent supports Ethernet-like MIB information. FortiCache SNMP does not support the dot3tests and dot3errors groups.

SNMP get command syntax

Normally, to get configuration and status information for a FortiCache unit, an SNMP manager uses an SNMP get command to read the information in a MIB field. The SNMP get command syntax is similar to:

snmpget -v2c -c <community_name> <address_ipv4> {<OID> | <MIB_field>}

where:
<community_name> is the SNMP community name added to the FortiCache configuration. You can add more than one community name to a FortiCache SNMP configuration. The most commonly used community name is public.
<address_ipv4> is the IP address of the FortiCache interface that the SNMP manager connects to.
{<OID> | <MIB_field>} is the object identifier (OID) for the MIB field or the MIB field name itself.
For example, to query the firmware version running on the FortiCache unit, the following command could be issued:

snmpget -v2c -c public

In this example, the community name is public, and the IP address of the interface configured for SNMP management access is . The firmware version is queried via the MIB field fchsysversion, the OID for which is . The value returned is a string with a value of v2.0,build0225,

Replacement messages

Replacement pages can be customized as required from System > Config > Replacement Messages.

The following settings are available:

Manage Images: Select to view the available images and their respective tags.
Simple View / Extended View: Select the view. Simple View displays a selection of Security and Authentication messages. Extended View displays all messages. See for a list of all the messages.
Name: The message name.
Description: The message description.
Modified: A checkmark is shown if the message has been modified.
Save: Save any customizations that you made to the message.
Restore Default: Restore the message to its default state.
Preview: A preview of how the message looks.
Message HTML: The HTML code for the message, which you can edit.

The following table outlines all of the messages that can be customized, as shown in Extended View:

Category: Administrator
  Post-login Disclaimer Message: Replacement message for post-login disclaimer.
  Pre-login Disclaimer Message: Replacement message for pre-login disclaimer.
Category: Alert Email
  Block Message: Alert text for block incidents.
  Critical Event Message: Alert text for critical event notification.
  Disk Full Message: Alert text for disk full events.
  Intrusion Message: Alert text for IPS events.
  Virus Message: Alert text for virus incidents.
Category: Authentication
  Authentication Success Page: Replacement HTML for authentication success page.
  Block Notification Page

Category: Authentication
  Certificate Password Page: Replacement HTML for certificate password page.
  Declined Disclaimer Page: Replacement HTML for user declined disclaimer page.
  Disclaimer Page: Replacement HTML for authentication disclaimer page.
  Email Collection: Replacement HTML for email collection page.
  Email Collection Invalid: Replacement HTML for email collection page after user enters an invalid email.
  Email Token Page: Replacement HTML for email-token authentication page.
  FortiToken Page: Replacement HTML for FortiToken authentication page.
  Guest User Template: Replacement text for guest-user credentials message.
  Guest User Print Template: Replacement HTML for guest-user credentials print out.
  Keepalive Page: Replacement HTML for authentication keep-alive page.
  Login Challenge Page: Replacement HTML for authentication login-challenge page.
  Login Failed Page: Replacement HTML for authentication failed page.
  Login Page: Replacement HTML for authentication login page.
  Next FortiToken Page: Replacement HTML for next FortiToken authentication page.
  Password Expiration Page: Replacement HTML for password expiration page.
  Portal Page: Replacement HTML for post-authentication portal page.
  SMS Token Page: Replacement HTML for SMS-token authentication page.
  Success Message: Replacement text for authentication success message.
  Two-Factor Login Failed: Replacement HTML for two-factor authentication failed page.
  Two-Factor Login Page: Replacement HTML for two-factor authentication login page.

Category: FortiGuard Web Filtering
    FortiGuard Block Page: Replacement HTML for the FortiGuard Webfilter block page.
    FortiGuard HTTP Error Page: Replacement HTML for the FortiGuard Webfilter HTTP error page.
    FortiGuard Override Page: Replacement HTML for the FortiGuard Webfilter override page.
    FortiGuard Quota Page: Replacement HTML for the FortiGuard Webfilter quota-exceeded block page.
    FortiGuard Warning Page: Replacement HTML for the FortiGuard Webfilter warning page.

Category: HTTP
    Archive Block Message: Replacement HTML for the HTTP archive block message.
    Block Message: Replacement HTML for the HTTP file block message.
    Content Block Message: Replacement HTML for the content-type block message.
    Content Block Page: Replacement HTML for the HTTP file content block page.
    Content Upload Block Page: Replacement HTML for the HTTP file upload content block page.
    DLP Ban Message: Replacement HTML for the HTTP data-leak-detected ban message.
    Invalid Certificate Message: Replacement HTML for the invalid certificate message.
    Oversized File Message: Replacement HTML for the HTTP oversized file block message.
    Oversized Upload Message: Replacement HTML for the HTTP oversized file upload block message.
    POST Block Message: Replacement HTML for the HTTP POST block message.
    Previously Infected Block Page: Replacement HTML for the HTTP URL previously-infected block page.
    Switching Protocols Blocked: Replacement HTML for the Switching Protocols Blocked page.
    Upload Archive Block Message: Replacement HTML for the HTTP archive upload block message.
    Upload Block Message: Replacement HTML for the HTTP file upload block message.
    URL Block Page: Replacement HTML for the HTTP URL blocked page.
    URL Filter Error Message: Replacement HTML for the webfilter service error message.

Category: Network Quarantine
    Network Quarantine Administrative Block Page: Replacement HTML for the network quarantine administrative block page.
    Network Quarantine AV Block Page: Replacement HTML for the network quarantine antivirus block page.
    Network Quarantine DLP Block Page: Replacement HTML for the network quarantine DLP block page.
    Network Quarantine DOS Block Page: Replacement HTML for the network quarantine DoS block page.
    Network Quarantine IPS Block Page: Replacement HTML for the network quarantine IPS block page.

Category: Security
    Application Control Block Page: Replacement HTML for the application control block page.
    DLP Block Message: Replacement text for the DLP block message.
    DLP Block Page: Replacement HTML for the DLP block page.
    Virus Block Message: Replacement text for the antivirus block message.
    Virus Block Page: Replacement HTML for the antivirus block page.

Category: Web-proxy
    Web-proxy Authentication Failed Page: Replacement HTML for the web-proxy authentication failed page.
    Web-proxy Authorization Failed Page: Replacement HTML for the web-proxy authorization failed page.
    Web-proxy Block Page: Replacement HTML for the web-proxy block page.
    Web-proxy Challenge Page: Replacement HTML for the web-proxy authentication-required block page.
    Web-proxy HTTP Error Page: Replacement HTML for the web-proxy HTTP error page.
    Web-proxy IP Blackout Page: Replacement HTML for the web-proxy IP blackout page.
    Web-proxy User Limit Page: Replacement HTML for the web-proxy user limit block page.

FortiGuard settings

The FortiGuard Distribution Network page provides information and configuration settings for FortiGuard subscription services. For more information about FortiGuard services, see the FortiGuard Center web page.

To view and configure FortiGuard connections, go to System > Config > FortiGuard.

Configure the following settings:

    Support Contract: The availability or status of your unit's support contract. The status can be Unreachable, Not Registered, or Valid Contract. You can update your registration status by selecting Update in the Registration Status row and loading the license file from a location on your management computer.
    FortiGuard Subscription Services: The availability or status of your FortiGuard subscription services. The status can be Unreachable, Not Registered, or Valid Contract. You can update the antivirus definitions by selecting Update in the AV Definitions row.
    AV & IPS Download Options: Select the expand arrow to expand or hide the section.
        Allow Push Update: Select to allow updates to be pushed. If a specific override push IP address is required, select Use override push IP and enter an IP address and port number in the corresponding fields.
        Schedule Update: Select to have scheduled updates, then select when they occur: Every 1-23 hours, Daily at a specific hour, or Weekly on a specific day at a specific hour. Select Update Now to send an update request immediately.
    Web Filtering Options: Select the expand arrow to expand or hide the section.

        Enable webfilter cache: Enable the webfilter cache, then enter the Time To Live (TTL) value. This is the number of seconds the FortiCache unit stores blocked IP addresses or URLs locally, saving time and network traffic by not checking the FortiGuard server. Once the TTL has expired, the FortiCache unit contacts the FDN server again to verify a web address. A cached verdict is therefore trusted for the full TTL: a URL whose category changes upstream is enforced under its old rating until its cache entry expires. The TTL must be between 300 seconds and the maximum allowed value (3600 by default).
        Enable antispam cache: Enable the antispam cache, then enter the TTL value.
        Port Selection: Select the port used for contacting the FortiGuard servers, either the default port (53) or the alternate port (8888). Select Test Availability to verify the connection using the selected port.
        To have a URL's category rating re-evaluated...: Select to re-evaluate a URL's category rating using the Fortinet Live URL Rating system (opens in a new browser window).

Disk management

The Disk page shows information about the storage space used by different features on each hard disk, and allows you to edit quota and storage settings. Go to System > Config > Disk to view the disk information.

    Feature: The feature that stores information on the disk.
    Storage: The disk on which the feature stores its data.
    Size: The size of the storage space on the disk.
    Allocated: The amount of space that is allowed for storage by the feature.
    Used: The amount of space currently used to store the feature's information.
    Quota Usage: The percentage of the quota that is currently being used. If no quota is in use, 100 percent is shown.
    Edit: Select to modify the amount of space allocated to the feature. See Disk configuration on page 47.

Disk configuration

When possible, performance can be improved by logging to a disk that is not used for caching. A disk can be reserved for logging by setting its quota storage setting to 0 MB.

For optimal performance, do not let the disks used for caching reach 100% capacity. This can be achieved by limiting the cache file size to 70% of the total disk capacity.

Select Edit in the Logging and Archiving row to edit the quota settings for logging and archiving.

    Select Storage Disk: Select a storage device from the drop-down list; either Default, or one of the available hard disks.
    Logging: Enter the quota, in MB, for disk logging.
    DLP Archive: Enter the quota, in MB, for the DLP archive.
    Historic Reports: Enter the quota, in MB, for historic reports.

Select Edit in the WAN Optimization & Web Cache row to change the WAN optimization storage settings. Enter a value, in MB, to be used for WAN optimization storage, then select Apply to apply your changes.

Cache and WAN optimization enhancement in FortiCache

The webcache and wanopt parts of the cache-service daemon have been split, and multiple processes are now allowed for the wanopt cache. The resulting increase in the maximum number of peers improves WAN optimization performance.

Disk management changes since FortiCache 4.1.0

As of FortiCache 4.1.0, the way disk storage is configured in the GUI and the CLI has changed. The options and commands that changed are described below.

In the GUI, you can create, edit, and delete wanopt storage usage types, list all disks (including unformatted disks), and format all disks at once under System > Config > Disk.

The updated CLI commands are described below. It is recommended to run the execute disk format-all command after upgrading.

execute disk list

Instead of listing only the first partition of each disk, this command now lists all partitions of each disk. A disk formatted for wanopt storage has three partitions. Before being formatted, HD1 and HD2 have no partitions:

    FortiCache # execute disk list
    Disk HD1 ref: 16 ... GB type: SSD [ATA QEMU HARDDISK] dev: /dev/sdb
    Disk HD2 ref: 32 ... GB type: SSD [ATA QEMU HARDDISK] dev: /dev/sdc

execute disk format

This command formats a disk, identified by its reference number. If the disk is already configured in wanopt storage, the formatting uses its usage_type; otherwise the default usage type wanopt_webcache is used. Formatting erases everything on the disk, including the WAN optimization caches, and reboots the unit, so take the unit out of service first. To format HD1, whose reference number is 16:

    FortiCache # execute disk format 16
    Request format for: 16 (device=/dev/sdb)
    Formatting this storage will erase all data on it, including WanOpt caches;
    This action requires the unit to reboot.

    Do you want to continue? (y/n)y
    Performing format on the requested disk(s) and rebooting, please wait...
    FortiCache # Formatting the disk...
    DEBUG: recieved request /dev/sdb
    Recieved Partitioning request for device=/dev/sdb wanopt_req=1 pct[0]=30, pct[1]=30, pct[2]=40.
    Partitioning and formatting /dev/sdb...
    Sending request for partno=0 start=63 stop=
    Sending request for partno=1 start= stop=
    Sending request for partno=2 start= stop=
    done

After HD1 has been formatted, you can view all the partitions of HD1 by entering execute disk list, as shown below:

    FortiCache # execute disk list
    Disk HD1 ref: 16 ... GB type: SSD [ATA QEMU HARDDISK] dev: /dev/sdb
        partition ref: ... GB, 2.4GB free mounted: Y label: 4D68BE0D506A2939 dev: /dev/sdb1
        partition ref: ... GB, 2.5GB free mounted: N label: dev: /dev/sdb2
        partition ref: ... GB, 3.4GB free mounted: N label: dev: /dev/sdb3
    Disk HD2 ref: 32 ... GB type: SSD [ATA QEMU HARDDISK] dev: /dev/sdc

execute disk format-all

This command formats all user disks for wanopt storage. If a disk is already configured in wanopt storage, the formatting uses its usage_type; otherwise the default usage type wanopt_webcache is used. Note that, unlike formatting a single cache disk, this also erases logs and quarantined files:

    FortiCache # execute disk format-all
    Request format for: 16 (device=/dev/sdb) 32 (device=/dev/sdc)
    Formatting this storage will erase all data on it, including logs, quarantine files; WanOpt caches;
    This action requires the unit to reboot.
    Do you want to continue? (y/n)y
    Performing format on the requested disk(s) and rebooting, please wait...
    FortiCache # Formatting the disk...
    - unmounting /var/log : ok
    - unmounting /var/storage/hd1-4d68be0d506a2939 : ok
    DEBUG: recieved request /dev/sdb
    Recieved Partitioning request for device=/dev/sdb wanopt_req=1 pct[0]=30, pct[1]=30, pct[2]=40.
    Partitioning and formatting /dev/sdb...
    Sending request for partno=0 start=63 stop=
    Sending request for partno=1 start= stop=
    Sending request for partno=2 start= stop=
    done
    DEBUG: recieved request /dev/sdc
    Recieved Partitioning request for device=/dev/sdc wanopt_req=1 pct[0]=30, pct[1]=30, pct[2]=40.

    Partitioning and formatting /dev/sdc...
    Sending request for partno=0 start=63 stop=
    Sending request for partno=1 start= stop=
    Sending request for partno=2 start= stop=
    done

config wanopt storage

This command configures the disks used as web cache and WAN optimization storage. Its former size and webcache-storage-percentage attributes have been replaced by a single new attribute, usage_type.

Before continuing, take the following into consideration with regard to the config wanopt storage command:

- All disks with three partitions are automatically added to wanopt storage.
- Entries for disks in wanopt storage cannot be deleted.
- The status attribute of a disk can be set to disable, but only if the disk is not to be used for WAN optimization. Consequently, while status is set to disable, the disk's usage_type cannot be changed.
- By default, the status of a disk in wanopt storage is set to enable.
- The purge command is disabled in wanopt storage.

Note that setting the usage_type of a disk to a different value implies formatting the disk. If you decline, the new usage_type value is discarded:

    FortiCache # config wanopt storage
    FortiCache (storage) # show full
    config wanopt storage
        edit "HD1"
            set usage_type wanopt_webcache
            set status enable
        next
        edit "HD2"
            set usage_type wanopt_webcache
            set status enable
        next
    end
    FortiCache (storage) # edit HD1
    FortiCache (HD1) # set usage_type webcache_only
    FortiCache (HD1) # next
    Formatting this storage will erase all data on it, including logs, quarantine files; WanOpt caches;
    This action requires the unit to reboot.
    Do you want to continue? (y/n)y
    FortiCache (storage) # Request format for: 16 (device=/dev/sdb)
    Formatting this storage will erase all data on it, including logs, quarantine files; WanOpt caches;
    Performing format on the requested disk(s) and rebooting, please wait...
    Formatting the disk...
    - unmounting /var/log : ok
    - unmounting /var/storage/hd1-4d68be0d506a2939 : ok

    - unmounting /var/storage/hd2-128f7ce56a4abdc8 : ok
    DEBUG: recieved request /dev/sdb
    Recieved Partitioning request for device=/dev/sdb wanopt_req=1 pct[0]=30, pct[1]=5, pct[2]=65.
    Partitioning and formatting /dev/sdb...
    Sending request for partno=0 start=63 stop=
    Sending request for partno=1 start= stop=
    Sending request for partno=2 start= stop=
    done

Features

Various FortiCache features can be enabled or disabled as required. Disabled features are not shown in the GUI. Go to System > Config > Features to configure the visibility of the features.

The following options can be turned on or off by clicking anywhere within their rectangles:

    WAN Opt. & Cache: Controls the visibility of the WAN Opt. & Cache menu. WAN optimization and web caching are used to reduce the amount of bandwidth used by traffic on your WAN.
    AntiVirus: Controls the visibility of the Security Profiles > AntiVirus menu. Remove viruses, analyze suspicious files with FortiGuard Sandbox, apply botnet protection to network traffic, and set up antivirus profiles and add them to firewall policies.
    DLP: Controls the visibility of the Security Profiles > Data Leak Prevention menu. Prevent sensitive data, like credit card numbers, from leaving or entering your network, and set up Data Leak Prevention (DLP) sensors and add them to firewall policies.

    Explicit Proxy: Controls the visibility of the Enable Explicit Web Proxy option on the Edit Interface page. Enable HTTP, HTTPS, or FTP proxies for your network that can be added to interfaces. Create security policies to control access to the proxy and apply UTM and other features to proxy traffic. Users on the network must configure their browsers to use the proxy.
    Web Filter: Controls the visibility of the Security Profiles > Web Filter menu. Apply web category, URL, and content filtering to control users' access to web resources. Set up profiles and add them to firewall policies.
    Certificates: Controls the visibility of the System > Certificates menu. Change the certificates used for SSL inspection, SSL load balancing, SSL-VPN, IPsec VPN, and authentication. If not enabled, the default FortiCache certificates are used.
    ICAP: Controls the visibility of the Security Profiles > ICAP (Internet Content Adaptation Protocol) menu. Offload services to an external server. These services can include ad insertion, virus scanning, content and language translation, HTTP header or URL manipulation, and content filtering. Set up profiles and add them to security policies.
    Implicit Firewall Policies: Controls the visibility of the implicit firewall policies that deny all traffic. You can edit an implicit policy and enable logging to record log messages when the implicit policy denies a session.

Messaging servers

To configure a messaging (SMTP) server, use the following CLI commands:

    config system email-server
        set type custom                        -- Configure a custom server.
        set reply-to <address>                 -- Enter the default reply-to address.
        set server <IP or hostname>            -- Enter the name or address of the SMTP server.
        set port <port>                        -- Set the SMTP server port.
        set source-ip <IPv4 address>           -- Set the source IPv4 address used to reach the SMTP server.
        set source-ip6 <IPv6 address>          -- Set the source IPv6 address used to reach the SMTP server.
        set authenticate {enable | disable}    -- Enable/disable SMTP authentication.
        set security <mode>                    -- Set connection security.
    end

Alert mail can carry user names, URLs and other details from the events it reports, so prefer a connection security mode that encrypts the session, and enable authentication where the server supports it, rather than relaying in clear text.
Administration settings

The Admin menu provides settings for configuring administrators and their profiles, as well as basic administrative settings such as changing the default language. This section describes:

    Administrators
    Administrative profiles
    Settings

Always end your FortiCache session by logging out, regardless of whether you are in the CLI or the GUI. If you do not log out, the session remains open.

Administrators

Administrators are configured in System > Admin > Administrators. There is already a default administrator account on the unit named admin that uses the super_admin administrator profile.

You need to use the default admin account, an account with the super_admin admin profile, or an administrator with read-write access control to add new administrator accounts and control their permission levels. If you log in with an administrator account that does not have the super_admin admin profile, the administrators list shows only the administrators for the current virtual domain.

The Administrators page lists the default super-admin administrator account and all administrator accounts that you have created.

    Create New: Creates a new administrator account.
    Edit: Modifies settings within an administrator's account. When you select Edit, you are automatically redirected to the Edit Administrator page.
    Delete: Removes an administrator account. You cannot delete the original admin account until you create another user with the super_admin profile, log out of the admin account, and log in with the alternate user that has the super_admin profile. To remove multiple administrator accounts, select multiple rows in the list by holding down the Ctrl or Shift key, then select Delete.
    Name: The login name for an administrator account.
    Trusted Hosts: The IP address and netmask of trusted hosts from which the administrator can log in.
    Profile: The admin profile for the administrator.

    Type: The type of authentication for this administrator, one of:
        Local: Authentication of an account with a local password stored on the FortiCache unit.
        Remote: Authentication of a specific account on a RADIUS, Lightweight Directory Access Protocol (LDAP), or Terminal Access Controller Access-Control System (TACACS+) server.
        Remote+Wildcard: Authentication of any account on an LDAP, RADIUS, or TACACS+ server.
        PKI: PKI-based certificate authentication of an account.
    Comments: The comments about the administrator account.

Right-click on any column heading to adjust the visible columns or reset all the columns to their default settings.

Adding a new administrator

Select Create New to open the New Administrator page. It provides settings for configuring an administrator account. When you are configuring an administrator account, you can enable authentication for an admin from an LDAP, RADIUS, or local server.

Configure the following settings:

    Administrator: Enter the login name for the administrator account. The name must not contain the characters <, >, (, ), #, ", or '. Using these characters in an administrator account name can result in a cross-site scripting (XSS) vulnerability in pages that display the name.
    Type: Select the type of administrator account: Regular, Remote, or PKI.
        Regular: Select to create a Local administrator account.
        Remote: Select to authenticate the administrator using a RADIUS, LDAP, or TACACS+ server. Server authentication for administrators must be configured first.
        PKI: Select to enable certificate-based authentication for the administrator. Only one administrator can be logged in with PKI authentication enabled.
    User Group: Select the administrator user group that includes the Remote server/PKI (peer) users as members. The administrator user group cannot be deleted once the group is selected for authentication. This option is only available if Type is Remote or PKI.
    Wildcard: Select to allow all accounts on the RADIUS, LDAP, or TACACS+ server to be administrators. This option is only available if Type is Remote.
    Password: Enter a password for the administrator account. For improved security, the password should be at least 6 characters long; the password policy under System > Admin > Settings can enforce a minimum of 8 or more and required character classes. This option is only available if Type is Regular.
    Backup Password: Enter a backup password for the administrator account. For improved security, the password should be at least 6 characters long. This option is only available if Type is Remote and Wildcard is not selected.
    Confirm Password: Type the password for the administrator account a second time to confirm that you have typed it correctly. This option is not available if Type is PKI or Wildcard is selected.
    Comments: Optionally, enter comments about the administrator.
    Admin Profile: Select the admin profile for the administrator. You can also select Create New to create a new admin profile.
    Restrict this Admin Login from Trusted Hosts Only: Select to restrict this administrator's logins to specific trusted hosts, then enter the trusted hosts' IP addresses and netmasks. You can specify up to ten trusted hosts. These addresses all default to 0.0.0.0/0 (IPv4) or ::/0 (IPv6).

Regular (password) authentication for administrators

You can use a password stored on the local unit to authenticate an administrator. When you select Regular for Type, you will see Local as the entry in the Type column when you view the list of administrators.
Using trusted hosts

Setting trusted hosts for all of your administrators increases the security of your network by further restricting administrative access. In addition to knowing the password, an administrator can connect only through the subnet or subnets that you specify. You can even restrict an administrator to a single IP address if you define only one trusted host IP address with a netmask of 255.255.255.255.

When you set trusted hosts for all administrators, the unit does not respond to administrative access attempts from any other hosts. This provides the highest security. If you leave even one administrator unrestricted, the unit accepts administrative access attempts on any interface that has administrative access enabled, potentially exposing the unit to attempts to gain unauthorized access.
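The following Python script is an added example, not code from this guide or from FortiCache: it applies the rules stated for the New Administrator page and for trusted hosts to a set of administrator definitions, so that a provisioning script or a configuration audit can catch the weak cases before they reach the unit. It checks the login name for the characters the guide warns about, checks a password against a policy with the minimum-length range the Settings page exposes (8 to 128) and the four character classes, applies the trusted-host rule (zero entries are ignored once any non-zero entry is set, and an all-zero list, which is the default, accepts any host), and reports which administrators leave the unit reachable from anywhere. The administrator names and addresses are constructed for the example, and the "address/netmask" entry form and the ten-entry limit are taken from the guide.

```python
import ipaddress
import string

# Characters the guide says to keep out of an administrator name, because
# pages that echo the name could otherwise be abused for cross-site scripting.
FORBIDDEN_NAME_CHARS = set('<>()#"\'')

# Character classes the password policy under System > Admin > Settings can require.
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "number": set(string.digits),
    "special": set(string.punctuation),
}

# Trusted-host entries that mean "any host" (the defaults on a new account).
WILDCARDS = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}
MAX_TRUSTED_HOSTS = 10


def name_problems(name):
    """Reasons a login name would be rejected (empty list means acceptable)."""
    problems = []
    if not name.strip():
        problems.append("name is empty")
    bad = sorted(set(name) & FORBIDDEN_NAME_CHARS)
    if bad:
        problems.append("forbidden characters in name: " + "".join(bad))
    return problems


def password_problems(password, minimum_length=8,
                      required=("upper", "lower", "number", "special")):
    """Check a candidate password against a policy using the GUI's limits."""
    if not 8 <= minimum_length <= 128:
        raise ValueError("minimum length must be between 8 and 128")
    problems = []
    if len(password) < minimum_length:
        problems.append(f"password shorter than {minimum_length} characters")
    for cls in required:
        if not set(password) & CLASSES[cls]:
            problems.append(f"password has no {cls} character")
    return problems


def effective_trusted_hosts(entries):
    """Trusted hosts as the unit applies them: the zero (wildcard) entries are
    ignored as soon as any non-zero entry is set, and an empty or all-zero
    list accepts any host. Entries are 'address/netmask' or CIDR strings."""
    if len(entries) > MAX_TRUSTED_HOSTS:
        raise ValueError(f"at most {MAX_TRUSTED_HOSTS} trusted hosts per administrator")
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    specific = [n for n in nets if n not in WILDCARDS]
    return specific or nets or sorted(WILDCARDS, key=str)


def is_unrestricted(entries):
    return any(n in WILDCARDS for n in effective_trusted_hosts(entries))


def check_new_administrator(name, password, trusted_hosts, **policy):
    """Every reason the account would be refused; an empty list means accept."""
    problems = name_problems(name) + password_problems(password, **policy)
    if is_unrestricted(trusted_hosts):
        problems.append("administrator is not restricted to trusted hosts")
    return problems


def login_accepted(admins, src):
    """The unit answers a management connection from src if at least one
    administrator's effective trusted hosts cover it."""
    ip = ipaddress.ip_address(src)
    return any(ip in n for entries in admins.values()
               for n in effective_trusted_hosts(entries))


def unrestricted_admins(admins):
    """One unrestricted account makes the unit accept administrative access
    attempts from any host on every interface with admin access enabled."""
    return [name for name, entries in admins.items() if is_unrestricted(entries)]


# Constructed sample administrators (not from the guide).
SAMPLE_ADMINS = {
    "admin": ["10.0.5.0/255.255.255.0", "0.0.0.0/0"],  # wildcard entry is ignored
    "noc": ["192.0.2.10/255.255.255.255"],             # a single trusted host
    "auditor": ["0.0.0.0/0"],                           # left at the default
}

if __name__ == "__main__":
    print(check_new_administrator("noc<admin>", "password", ["0.0.0.0/0"]))
    print("unrestricted:", unrestricted_admins(SAMPLE_ADMINS))
    print("203.0.113.7 accepted:", login_accepted(SAMPLE_ADMINS, "203.0.113.7"))
```

With the sample set, the admin account is effectively limited to 10.0.5.0/24 because its wildcard entry is ignored, but the auditor account, left at the default, is enough for the unit to answer a connection from 203.0.113.7; removing that one account is what makes the whole unit unreachable from outside the listed subnets.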

The trusted hosts you define apply to the GUI, Ping, SNMP, and the CLI when accessed through Telnet or SSH. CLI access through the console port is not affected.

The trusted host addresses all default to 0.0.0.0/0 (IPv4) or ::/0 (IPv6). If you set one of the zero addresses to a non-zero address, the other zero addresses are ignored. The only way to use a wildcard entry is to leave all of the trusted hosts at their zero defaults; this configuration is less secure.

Administrative profiles

Each administrator account belongs to an admin profile. The admin profile separates FortiCache features into access control categories, for each of which an administrator with read-write access can grant none (deny), read-only, or read-write access.

Read-only access to a GUI page lets the administrator view that page; the administrator needs write access to change the settings on the page. The admin profile has a similar effect on administrator access to CLI commands: get and show commands are available with Read Only access, but config commands require Read-Write access.

When an administrator has read-only access to a feature, the administrator can open the GUI page for that feature but cannot change the configuration. There are no Create or Apply buttons, and lists display only the View icon instead of icons for Edit, Delete, or other modification commands.

You need to use the admin account or an account with read-write access to create or edit admin profiles.

Administrative profile settings

The Admin Profile page lists all administration profiles that you created as well as the default admin profiles. On this page, you can edit, delete, or create a new admin profile. To view administrator profiles, go to System > Admin > Admin Profile. The following options are available:

    Create New: Creates a new profile. See Adding an administrator profile on page 57.
    Edit: Modifies the selected admin profile's settings. When you select Edit, you are automatically redirected to the Edit Admin Profile page.
    Delete: Removes the admin profile from the list on the page. You cannot delete an admin profile that has administrators assigned to it. To remove multiple admin profiles, select multiple rows in the list by holding down the Ctrl or Shift key, then select Delete.
    Name: The name of the admin profile.
    Comments: Comments about the admin profile.
    Ref.: Displays the number of times the object is referenced by other objects. To view where it is referenced, select the number in Ref.; the Object Usage window opens and displays the locations of the referencing objects.

Adding an administrator profile

Select Create New to open the New Admin Profile page. It provides settings for configuring an administrator profile. When you are editing an existing admin profile, you are automatically redirected to the Edit Admin Profile page.

Configure the following settings, then select OK to create the new administrator profile:

    Profile Name: Enter a name for the new admin profile.
    Comments: Optionally, add comments about the admin profile.
    Access Control: List of the items whose access control settings can be customized.
        None: Deny access to all Access Control categories.
        Read Only: Enable read-only access in all Access Control categories.
        Read-Write: Allow read-write access in all Access Control categories.

    Access Control (categories): Make specific access control selections as required for each of the following:
        System Configuration
        Network Configuration
        Administrator Users
        FortiGuard Update
        Maintenance
        Router Configuration
        Firewall Configuration
        Policy Configuration
        Address Configuration
        Service Configuration
        Schedule Configuration
        Other Configuration
        Security Profile Configuration
        AntiVirus
        Web Filter
        Data Leak Prevention
        ICAP
        Content Analysis
        User & Device
        WAN Opt & Cache
        Log & Report Configuration
        Data Access

Settings

Use admin settings to configure general settings for web administration access, password policies, idle timeout settings, and display settings. You can also configure FortiCache Manager support.

Go to System > Admin > Settings to configure administrator settings. Configure the following settings:

Central Management
    FortiCache Manager > IP/Domain Name: Provides support for the upcoming FortiCache Manager. You enable the communication on FortiCache the same way you would for a FortiGate connecting to a FortiManager.
    FortiCloud: Enable this option to use FortiCloud for all FortiGuard communications.
    None: Enable this option to have no central management.

Administration Settings
    HTTP Port: TCP port to be used for administrative HTTP access. The default is 80. Select Redirect to HTTPS to force redirection to HTTPS, so that administrator credentials are never submitted over plain HTTP.
    HTTPS Port: TCP port to be used for administrative HTTPS access. The default is 443.
    Telnet Port: TCP port to be used for administrative Telnet access. The default is 23. Telnet carries credentials and session contents in clear text; prefer SSH for CLI access.
    SSH Port: TCP port to be used for administrative SSH access. The default is 22.
    Idle Timeout: The time after which the GUI logs out an idle administrator session, from 1 to 480 minutes.
    Enable Password Policy: Select to enable a password policy.
        Minimum Length: Set the minimum acceptable length for passwords, from 8 to 128 characters.
        Must Contain at Least: Select the character types that must occur at least once in the password: upper case letters (A, B, C, ... Z), lower case letters (a, b, c, ... z), numbers (0, 1, 2, ... 9), or special characters (such as # or %). Select one or all of them.
        Apply Password Policy to: Select to apply the password policy to the Administrator Password. If an existing password does not conform to the policy, the administrator is required to change it at the next login.
        Enable Password Expiration: Require administrators to change their password after a specified number of days. Enter the number of days in the field. The default is 90 days.

View Settings
    Language: The language the GUI uses: English, French, Spanish, Portuguese, Japanese, Traditional Chinese, Simplified Chinese, or Korean. Select the language that the operating system of the management computer uses.

    Lines per Page: Number of lines per page to display in table lists. From 20 to 1000; the default is 50.

Certificates

The FortiCache unit generates a certificate request based on the information you enter to identify the FortiCache unit. After you generate a certificate request, you can download the request to a computer that has management access to the FortiCache unit and then forward the request to a CA.

The certificate window also enables you to export certificates for authentication, import certificates, and view them.

This section includes:
    Local CA Certificates
    Certificates
    External CA Certificates

Local CA Certificates

Local certificates are issued for a specific server or website. Generally they are very specific, and often for an internal enterprise network.

To manage local certificates, go to System > Certificates. The following information is available:

    Generate: Generate a CSR. See To generate a CSR: on page 61.
    Edit: Highlight a certificate and select Edit to edit the certificate.
    Delete: Select the checkbox next to a certificate entry and select Delete to remove the selected certificate or CSR. Select OK in the confirmation dialog box to proceed with the delete action.
    Import: Import a certificate. Select any of the options under the drop-down: Local Certificate, Remote Certificate, CA Certificate, or CRL. See Import a certificate on page 63.
    View Details: View a certificate. See View certificate details on page 64.
    Download: Select a certificate or CSR, then select Download to download that certificate or CSR to your management computer.

    Name: The name of the certificate.
    Subject: The subject of the certificate.
    Comments: Comments.
    Issuer: The issuer of the certificate.
    Expires: Displays the certificate's expiry date and time.
    Status: The status of the certificate or CSR:
        OK: the certificate is okay.
        NOT AVAILABLE: the certificate is not available, or the request was rejected.
        PENDING: the certificate request is pending.
    Ref.: Displays the number of times the certificate or CSR is referenced by other objects. To view where it is referenced, select the number in Ref.; the Object Usage window opens and displays the locations of the referencing objects.

Whether you create certificates locally or obtain them from an external certificate service, a Certificate Signing Request (CSR) needs to be generated. When a CSR is generated, a private and public key pair is created for the FortiCache unit. The generated request includes the public key of the device and identifying information such as the unit's public static IP address, domain name, or email address. The device's private key remains confidential on the unit and is never part of the request.

After the request is submitted to a CA, the CA verifies the information and issues a digital certificate that binds the registered contact information to the unit's public key, together with a serial number and an expiration date. The CA signs the certificate with its own key, after which you can install the certificate on the FortiCache device.

To generate a CSR:

1. From the local certificates list, select Generate. The Generate Certificate Signing Request page opens.

62 System Administration Certificates

2. Enter the following information:

Certificate Name: Enter a unique name for the certificate request, such as the host name, or the serial number of the device. Do not include spaces in the certificate name to ensure compatibility as a PKCS12 file.
Subject Information: Select the ID type from the drop-down list:
  Host IP: Select if the unit has a static IP address. Enter the device's IP address in the IP Address field.
  Domain Name: Enter the device's domain name or FQDN in the Domain Name field.
  E-mail: Enter the email address of the device's administrator in the E-mail field.
Optional Information: Optional information to further identify the device.
  Organization Unit: The name of the department. Up to 5 OUs can be added.
  Organization: The legal name of the company or organization.
  Locality (City): The name of the city where the unit is located.
  State/Province: The name of the state or province where the unit is located.
  Country/Region: The country where the unit is located. Select from the drop-down list.
  E-mail: The contact email address.

63 Certificates System Administration

Subject Alternative Name: One or more alternative names, separated by commas, for which the certificate is also valid. An alternative name can be: email address, IP address, URI, DNS name, or a directory name. Each name must be preceded by its type, for example: IP:1.2.3.4, or URL: followed by the URL.
Key Type: The key type is RSA. It cannot be changed.
Key Size: Select the key size from the drop-down list: 1024, 1536, or 2048 bits. Larger key sizes are more secure, but slower to generate.
Enrollment Method: Select the enrollment method:
  File Based: Generate the certificate request.
  Online SCEP: Obtain a signed, Simple Certificate Enrollment Protocol (SCEP) based certificate automatically over the network. Enter the CA server URL and challenge password in their respective fields.

3. Select OK to generate the CSR.

Import a certificate

Signed local certificates can be imported to the FortiCache unit.

To import a certificate:
1. From the local certificates list, select Import. The Import Certificate page opens.
2. Select the Type from the drop-down list:
  a. Local Certificate:
     If the Type is Local Certificate, select Choose File and locate the certificate file on your computer.
     If the Type is PKCS #12 Certificate, select Choose File and locate the certificate with key file on your computer. Enter the password into the Password field.
     If the Type is Certificate, select Choose File and locate the certificate file on your computer. Select Choose File and locate the key file on your computer. Enter the password into the Password field.
  b. Remote Certificate: Select Choose File and locate the remote certificate file on your computer.
  c. CA Certificate: Select SCEP (Simple Certificate Enrollment Protocol) and enter the URL of the SCEP server, or select Local PC > Choose File and locate the certificate file on your computer.
  d. CRL: Select HTTP and enter the URL of the HTTP server. Select LDAP and choose the LDAP server from the dropdown menu. Select SCEP and choose the certificate from the dropdown menu or enter the URL of the SCEP server. Select Local PC > Choose File and locate the certificate file on your computer.
3. Select OK to import the certificate.
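The following Python script is an added example, not part of this guide or of FortiCache, that checks the values planned for the Generate Certificate Signing Request page before they are typed into the unit. The field names, the type-prefixed SAN syntax, the offered key sizes and the five-OU limit come from the description above; the 2048-bit minimum it enforces is an assumed local policy, and the class and function names (CsrRequest, parse_san, validate_request) are the example's own.

```python
"""Added example, not part of the FortiCache guide: pre-check the values an
administrator intends to enter on the Generate Certificate Signing Request
page.  Field names, SAN "type:name" syntax, offered key sizes and the 5-OU
limit follow the guide; the 2048-bit minimum is an assumed local policy."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# SAN types the guide lists (its example uses "URL:"; "URI:" is accepted here too).
SAN_TYPES = {"email", "IP", "URI", "URL", "DNS", "dirName"}
OFFERED_KEY_SIZES = (1024, 1536, 2048)   # drop-down values per the guide
MIN_ACCEPTABLE_KEY_SIZE = 2048           # assumed local policy, not from the guide
MAX_OUS = 5                              # "Up to 5 OUs can be added"

HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{1,62}$", re.I)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass
class CsrRequest:
    certificate_name: str
    id_type: str                      # "Host IP", "Domain Name" or "E-mail"
    id_value: str
    key_size: int
    subject_alt_names: str = ""       # comma-separated "type:name" entries
    organization_units: List[str] = field(default_factory=list)


def parse_san(value: str) -> List[Tuple[str, str]]:
    """Split the SAN field into (type, name) pairs, checking what can be checked
    offline.  Each entry is split at its first colon so URL:https://... survives.
    Raises ValueError on an entry without a valid type prefix or a malformed name."""
    entries = []
    for raw in value.split(","):
        raw = raw.strip()
        if not raw:
            continue
        san_type, sep, name = raw.partition(":")
        san_type, name = san_type.strip(), name.strip()
        if not sep or san_type not in SAN_TYPES:
            raise ValueError(f"SAN entry {raw!r} lacks a valid type prefix")
        if san_type == "IP":
            ipaddress.ip_address(name)            # ValueError if not an address
        elif san_type == "DNS" and not HOSTNAME_RE.match(name):
            raise ValueError(f"SAN DNS name {name!r} is not a valid host name")
        elif san_type == "email" and not EMAIL_RE.match(name):
            raise ValueError(f"SAN email {name!r} is not a valid address")
        elif san_type in ("URI", "URL") and "://" not in name:
            raise ValueError(f"SAN URI {name!r} lacks a scheme")
        entries.append((san_type, name))
    return entries


def validate_request(req: CsrRequest) -> List[str]:
    """Return the problems found; an empty list means the request is clean."""
    problems = []
    if not req.certificate_name or " " in req.certificate_name:
        problems.append("certificate name must be non-empty and contain no spaces (PKCS12 compatibility)")
    if req.id_type == "Host IP":
        try:
            ipaddress.ip_address(req.id_value)
        except ValueError:
            problems.append(f"Host IP {req.id_value!r} is not a valid IP address")
    elif req.id_type == "Domain Name":
        if not HOSTNAME_RE.match(req.id_value):
            problems.append(f"Domain Name {req.id_value!r} is not a valid FQDN")
    elif req.id_type == "E-mail":
        if not EMAIL_RE.match(req.id_value):
            problems.append(f"E-mail {req.id_value!r} is not a valid address")
    else:
        problems.append(f"unknown ID type {req.id_type!r}")
    if req.key_size not in OFFERED_KEY_SIZES:
        problems.append(f"key size {req.key_size} is not offered by the unit")
    elif req.key_size < MIN_ACCEPTABLE_KEY_SIZE:
        problems.append(f"key size {req.key_size} is below the {MIN_ACCEPTABLE_KEY_SIZE}-bit minimum")
    if len(req.organization_units) > MAX_OUS:
        problems.append(f"{len(req.organization_units)} OUs given, at most {MAX_OUS} allowed")
    try:
        parse_san(req.subject_alt_names)
    except ValueError as exc:
        problems.append(str(exc))
    return problems


if __name__ == "__main__":
    # Constructed sample request; every value below is illustrative only.
    req = CsrRequest("forticache01", "Domain Name", "cache.example.com", 2048,
                     "IP:192.0.2.10, DNS:cache.example.com, email:admin@example.com",
                     ["IT", "Network"])
    print(validate_request(req) or "request passes all checks")
```

Directory names (dirName:) are accepted but not validated, since their syntax is outside what this page describes; every other check maps to a sentence in the field descriptions above.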

64 System Administration Certificates

View certificate details

Certificate details can be viewed by selecting a certificate, then selecting View Details from the toolbar. The following information is displayed:

Certificate Name: The name of the certificate.
Serial Number: The serial number of the certificate.
Subject Information: The subject information of the certificate, including: Common Name (CN), Organization (O), Organization Unit (OU), Locality (L), State (ST), Country (C), Email Address.
Issuer: The issuer information of the certificate, including most information from Subject Information.
Validity Period: Displays the Valid From and the expiry Valid To date of the certificate. The certificate should be renewed before this expiry date.
Fingerprints: The identifying fingerprint of the certificate.
Extension: The certificate extension information.

Select Close to return to the certificate list.

Certificates

These remote certificates are public certificates without private keys. They can be deleted, imported, and downloaded, and their details can be viewed in the same way as local certificates.

External CA Certificates

External CA certificates are similar to local certificates, except they apply to a broader range of addresses or to a whole company. A CA certificate would be issued for an entire web domain, instead of just a single web page. External CA certificates can be deleted, downloaded, and their details can be viewed, in the same way as local certificates.

65 Policy & Objects

The Policy menu provides options for configuring policies, proxy options, SSL inspection options, and firewall objects.

Policy

The policy list displays web cache policies in their order of matching precedence. Web cache policy order affects policy matching. For details about arranging policies in the policy list, see Managing the policy list.

You can add web cache policies that match HTTP traffic to be cached according to source and destination addresses, and the destination port of the traffic.

Various right-click menus are hidden throughout the policy list. The columns displayed in the policy list can be customized, and filters can be added in a variety of ways to filter the information that is displayed.

To view the policy list, go to Policy & Objects > Policy > Policy. Configure the following settings:

Create New: Add a new policy. New policies are added to the bottom of the list.
Edit: Edit the selected policy.
Delete: Delete the selected policy.
Section/Global View: Select whether to view the policies based on sections, or in a single list (Global View).
Search: Enter a search term to search the policy list.
Seq.#: The policy sequence number.
Source Address: The source address or address range that the policy matches. For more information, see Web cache policy address formats on page 73.
Destination: The destination address or address range that the policy matches. For more information, see Web cache policy address formats on page 73.

66 Policy & Objects Policy

Schedule: The policy schedule. See Schedules.
Service: The service affected by the policy. See Services.
Authentication
Action: The action to be taken by the policy, such as ACCEPT or DENY.
AV: The antivirus profile used by the policy. See Antivirus.
CA: The certificate used by the policy.
Comments: Comments about the policy.
DLP: The DLP sensor used by the policy. See Data Leak Prevention.
From
ICAP: The ICAP profile used by the policy. See ICAP.
ID: The policy identifier. Policies are numbered in the order they are added to the configuration.
Last Used
Log: The logging level of the policy. Options vary depending on the policy type.
NAT: Whether or not NAT is enabled.
Proxy Options: The proxy options used by the policy. See Proxy options.
Security Profiles: All the profiles used by the policy, such as AntiVirus, Web Filter, DLP Sensor, ICAP, SSL Inspection, and Content Analysis options. See Security Profiles.
Sessions: The number of sessions.
SSL Inspection: The SSL inspection options used by the policy. See SSL inspection.
Status: Select to enable a policy or clear to disable a policy. A disabled policy is out of service.
To
Web Filter: The web filter profile used by the policy. See Web Filter.

Managing the policy list

To customize the displayed columns, right-click on any column heading, then select the columns that are to be added or removed. Select Reset All Columns to return to the default column view.

67 Policy Policy & Objects

The displayed policies can be filtered by either using the search field in the toolbar, or by selecting the filter icon in a column heading. The available filter options will vary depending on the type of data that the selected column contains.

How list order affects policy matching

The FortiCache unit uses the first-matching technique to select which policy to apply to a communication session. When policies have been added, each time the FortiCache unit accepts a communication session, it then searches the policy list for a matching policy. Matching policies are determined by comparing the policy with the session source and destination addresses, and the destination port. The search begins at the top of the policy list and progresses in order towards the bottom. Each policy in the policy list is compared with the communication session until a match is found. When the FortiCache unit finds the first matching policy, it applies that policy and disregards subsequent policies. If no policy matches, the session is accepted.

As a general rule, you should order the policy list from most specific to most general because of the order in which policies are evaluated for a match, and because only the first matching policy is applied to a session. Subsequent possible matches are not considered or applied. Ordering policies from most specific to most general prevents policies that match a wide range of traffic from superseding and effectively masking policies that match exceptions.

Configuring policies

Policies can be added, edited, copied, moved, and deleted. To help organize your policies, you can also create sections to group policies together. Policies can be inserted above or below existing policies, and can also be disabled if needed.

Creating a new policy

New policies can be created at the bottom of the policy list by selecting Create New in the toolbar. New policies can be created above or below an existing policy by right-clicking a policy sequence number and selecting Insert Policy Above or Insert Policy Below, or by copying or cutting an existing policy and then selecting Paste Before or Paste After from the right-click menu.

Note: as of version 4.2, Dynamic IP Pool support has been extended to the explicit web proxy, allowing such traffic to be sourced from a range of IP addresses. This is configurable in policy creation upon enabling NAT.

To create a new address policy:
1. From the policy list, select Create New from the toolbar, or right-click on a sequence number and select Insert Policy Above, Insert Policy Below or, if applicable, Paste Before or Paste After. The New Policy window opens.
2. Select Address in the Policy Subtype field.

68 Policy & Objects Policy

3. Configure the following settings:

Incoming Interface: Select the name of the network interface on which IP packets are received. For more information, see Interfaces. You can also create a web proxy by selecting web-proxy in Incoming Interface. For more information, see Web proxy. Multiple incoming interfaces can be added to a policy. If you select any, the policy matches all interfaces as sources, and the policy list is then displayed only in global view. Fortinet does not recommend this option, because it can have unexpected results. It should be used rarely, and only by a knowledgeable administrator. When any is used as the incoming interface, the implicit security policy includes any as well.
Source Address / Source IPv6 Address: Select a source address or address group. Only packets whose header contains an IPv4/IPv6 address matching the selected address will be subject to this policy. For more information, see Web cache policy address formats on page 73. You can also create addresses by selecting Create New from this list. For more information, see Address. Multiple addresses or address groups can be added to the policy.

69 Policy Policy & Objects

Outgoing Interface: Select the name of the network interface to which IP packets are forwarded. For more information, see Interfaces. Multiple outgoing interfaces can be added to a policy. If you select any, the policy matches all interfaces as destination, and the policy list is then displayed only in global view. Fortinet does not recommend this option, because it can have unexpected results. It should be used rarely, and only by a knowledgeable administrator.
Destination Address / Destination IPv6 Address: Select a destination address or address group. Only packets whose header contains an IPv4/IPv6 address matching the selected address will be subject to this policy. For more information, see Web cache policy address formats on page 73. You can also create addresses by selecting Create New from this list. For more information, see Address. Multiple destination addresses can be added.
Schedule: Select a schedule from the drop-down list. Select Create New to create a new schedule. For more information see Schedules.
Service: Select a service or service group that packets must match to trigger this policy. Select Create New to create a new service list. See Services. Multiple services can be added.
Action: Select how you want the policy to respond when a packet matches the conditions of the policy. The options available will vary widely depending on this selection.
  ACCEPT - Accept traffic matched by the policy.
  DENY - Reject traffic matched by the policy.
NAT: Select to enable NAT. This option is only available if Action is set to ACCEPT.
Use Dynamic IP Pool: Select an IP pool to apply to the policy, including a range for explicit web proxy.
Logging Options: If Action is set to ACCEPT, select one of the following options: No Log, Log Security Events, or Log All Sessions. If Action is set to DENY, enable Log Violation Traffic to log violation traffic.
Security Profiles: Select the security profiles to apply to the policy. This option is only available if Action is set to ACCEPT.
  AntiVirus: Enable antivirus and select or create a new profile from the dropdown list. See Antivirus.
  Web Filter: Enable web filter and select or create a new profile from the dropdown list. See Web Filter.

70 Policy & Objects Policy

  DLP Sensor: Enable DLP sensors and select or create a new sensor from the drop-down list. See Data Leak Prevention.
  ICAP: Enable ICAP and select or create a new profile from the drop-down list. See ICAP.
  SSL Inspection: Enable SSL inspection and select or create a new option from the drop-down list. See SSL inspection.
Web Cache: Select to enable web caching. This option is only available if Action is set to ACCEPT.
Web Cache For HTTPS Traffic: Select to enable web caching for HTTPS traffic.
Enable WAN Optimization: Select to enable WAN Optimization for traffic accepted by the policy. If enabled, select active or passive from the drop-down list, then select or create a new profile to use for the optimization. See WAN Optimization and Web Caching. This option is only available if Action is set to ACCEPT.
Comments: Enter a description up to 1023 characters to describe the policy.

4. Select OK to create the new address policy.

To create a new user identity policy:
1. From the policy list, select Create New from the toolbar, or right-click on a sequence number and select Insert Policy Above, Insert Policy Below or, if applicable, Paste Before or Paste After. The New Policy window opens.
2. Select User Identity in the Policy Subtype field.
3. Configure the following settings:

71 Policy Policy & Objects

Incoming Interface: Select the name of the network interface on which IP packets are received. For more information, see Interfaces. You can also create a web proxy by selecting web-proxy in Incoming Interface. For more information, see Web proxy. Multiple incoming interfaces can be added to a policy. If you select any, the policy matches all interfaces as sources, and the policy list is then displayed only in global view. Fortinet does not recommend this option, because it can have unexpected results. It should be used rarely, and only by a knowledgeable administrator. When any is used as the incoming interface, the implicit security policy includes any as well.
Source Address / Source IPv6 Address: Select a source address or address group. Only packets whose header contains an IPv4/IPv6 address matching the selected address will be subject to this policy. For more information, see Web cache policy address formats on page 73. You can also create addresses by selecting Create New from this list. For more information, see Address. Multiple addresses or address groups can be added to the policy.
Outgoing Interface: Select the name of the network interface to which IP packets are forwarded. For more information, see Interfaces. Multiple outgoing interfaces can be added to a policy. If you select any, the policy matches all interfaces as destinations, and the policy list is then displayed only in global view. Fortinet does not recommend this option, because it can have unexpected results. It should be used rarely, and only by a knowledgeable administrator.
Destination Address / Destination IPv6 Address: Select a destination address or address group. Only packets whose header contains an IPv4/IPv6 address matching the selected address will be subject to this policy. For more information, see Web cache policy address formats on page 73. You can also create addresses by selecting Create New from this list. For more information, see Address. Multiple destination addresses can be added.
Service: Select a service or service group that packets must match to trigger this policy. Select Create New to create a new service list. See Service. Multiple services can be added.
Enable Web cache: Select to enable web caching. This option is only available if Action is set to ACCEPT.
Web Proxy Forwarding Server: Enable a web proxy forwarding server, then select a server from the drop-down list. See Forwarding servers.

72 Policy & Objects Policy

Explicit Proxy Authentication Options:
  Enable IP based Authentication: Select to enable IP based authentication, then select the single sign-on method from the Single Sign-On Method drop-down list.
  Default Authentication Method: Select the default authentication method from the drop-down list.
Comments: Enter a description up to 1023 characters to describe the policy.

4. Select OK to create the new user identity policy.

In FortiCache 4.0, user authentication was available on explicit proxy traffic but not on transparent policies. This limitation has been removed, allowing authentication on transparent policies also.

Creating a section

Sections can be used to help organize your policy list.

To create a new section:
1. Right-click on the sequence number of a policy in the policy list and select Insert Section. The Insert Section dialog box opens.
2. Enter a name for the section title in the Section Title field.
3. Select OK to create the section.

Editing policies

Policy information can be edited as required by either double-clicking on the policy, selecting a policy then selecting Edit from the toolbar, or by right-clicking on the sequence number of the policy and selecting Edit from the right-click menu. The editing window for regular policies contains the same information as when creating new policies. See Creating a new policy on page 67.

There are only two options that can be edited for the implicit policy rule:
  enabling or disabling violation traffic logging by selecting or deselecting Log Violation Traffic
  the Action field

Policies can also be edited inline, by right- and left-clicking on the text or blank space within specific cells. For example, you can right-click in the blank space in a Schedule cell to select a new schedule from the right-click menu, but if you right- or left-click on the text in the cell and then select Edit Schedule from the pop-up menu, the Edit Recurring Schedule window opens, allowing you to edit the selected schedule, or create a new one.

Moving policies

When more than one policy has been defined, the first matching policy is applied to the traffic session. You can arrange the policy list to influence the order in which policies are evaluated for matches with incoming traffic. See How list order affects policy matching on page 67 for more information.

73 Policy Policy & Objects

Moving a policy in the policy list does not change its ID, which only indicates the order in which the policies were created.

To move a policy, click and drag the policy to a new location. You can also move a policy by cutting and pasting it into a new location.

Copy and paste

Policies can be copied and pasted to create clones. Right-click on the policy sequence number then select Copy Policy from the pop-up menu. Right-click in the sequence number cell of the policy that the new clone policy will be placed next to and select Paste Before or Paste After to insert the new policy before or after the selected policy.

Web cache policy address formats

A source or destination address can contain one or more network addresses. Network addresses can be represented by an IP address with a netmask or an IP address range.

When representing hosts by an IP address with a netmask, the IP address can represent one or more hosts. For example, a source or destination address can be:
  a single computer
  a subnetwork, for example x.x.x.* for a class C subnet
  0.0.0.0, which matches any IP address

The netmask corresponds to the subnet class of the address being added, and can be represented in either dotted decimal or CIDR format. The FortiCache unit automatically converts CIDR-formatted netmasks to dotted decimal format. Example formats:
  netmask for a single computer: 255.255.255.255, or /32
  netmask for a class A subnet: 255.0.0.0, or /8
  netmask for a class B subnet: 255.255.0.0, or /16
  netmask for a class C subnet: 255.255.255.0, or /24
  netmask including all IP addresses: 0.0.0.0

Valid IP address and netmask formats include:
  x.x.x.x/x.x.x.x (dotted decimal netmask)
  x.x.x.x/x (CIDR prefix length)

An IP address with netmask is not a valid source or destination address.

When representing hosts by an IP range, the range indicates hosts with contiguous IP addresses in a subnet, such as x.x.x.[2-10], or x.x.x.* to indicate the complete range of hosts on that subnet. You can also indicate the complete range of hosts on a subnet by entering x.x.x.[0-255] or x.x.x.0-x.x.x.255.

Valid IP range formats include:
  x.x.x.x-x.x.x.x
  x.x.x.[x-x]
  x.x.x.*, for a complete subnet

74 Policy & Objects Policy

  x.x.x.[0-255], for a complete subnet
  x.x.x.0-x.x.x.255, for a complete subnet

You cannot use square brackets [ ] or asterisks * when adding addresses to the CLI. Instead you must enter the start and end addresses of the subnet range separated by a dash (-), for example x.x.x.0-x.x.x.255 for a complete subnet and x.x.x.x-x.x.x.x for a range of addresses.

Proxy options

The Proxy Options menu allows you to configure settings for specific proxies, which can then be applied to policies. Protocol options are configured in Policy & Objects > Policy > Proxy Options.

Configure the following settings:

Create New: Select to open the New Proxy Options window, where you can create a new proxy option.
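The following Python model is an added example, not part of this guide or of FortiCache, that reproduces the address formats and the first-match behaviour described in the preceding sections. parse_address() accepts the GUI forms listed above and cli_form() renders the dashed start-end form the CLI requires; first_match() walks a policy list top to bottom and returns the first policy whose source, destination and destination port cover the session, and shadowed() reports later policies that an earlier, more general policy masks, the situation the ordering rule in How list order affects policy matching is meant to avoid. The policy list, addresses and ports are constructed sample data, and all names are the example's own.

```python
"""Added example, not part of the FortiCache guide: a small model of the web
cache policy list.  Address formats, first-match evaluation and the masking
problem follow the guide's description; the data below is constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPRange = Tuple[int, int]   # inclusive first/last address as integers


def _rng(lo: str, hi: str) -> IPRange:
    a, b = int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi))
    if a > b:
        raise ValueError(f"range start {lo} is above its end {hi}")
    return a, b


def parse_address(text: str) -> IPRange:
    """Convert one web cache address, in any GUI format, to an inclusive range."""
    text = text.strip()
    m = re.fullmatch(r"(\d+\.\d+\.\d+)\.\*", text)              # x.x.x.* : whole class C
    if m:
        return _rng(f"{m[1]}.0", f"{m[1]}.255")
    m = re.fullmatch(r"(\d+\.\d+\.\d+)\.\[(\d+)-(\d+)\]", text)  # x.x.x.[a-b]
    if m:
        return _rng(f"{m[1]}.{m[2]}", f"{m[1]}.{m[3]}")
    if "-" in text:                                               # x.x.x.x-x.x.x.x
        lo, hi = (p.strip() for p in text.split("-", 1))
        return _rng(lo, hi)
    if "/" in text:              # CIDR or dotted-decimal netmask; ipaddress converts both
        net = ipaddress.ip_network(text, strict=False)
        return int(net.network_address), int(net.broadcast_address)
    host = int(ipaddress.IPv4Address(text))                       # single host
    return host, host


def cli_form(r: IPRange) -> str:
    """The CLI rejects [ ] and *; it wants start-end."""
    return f"{ipaddress.IPv4Address(r[0])}-{ipaddress.IPv4Address(r[1])}"


@dataclass
class Policy:
    seq: int                     # position in the list; the ID would not change when moved
    name: str
    source: str
    destination: str
    dst_ports: Tuple[int, int]   # low/high destination port, as on the Services page
    action: str                  # "ACCEPT" or "DENY"
    enabled: bool = True         # a disabled policy is out of service


def _covers(outer: Tuple[int, int], inner: Tuple[int, int]) -> bool:
    return outer[0] <= inner[0] and inner[1] <= outer[1]


def matches(p: Policy, src: str, dst: str, port: int) -> bool:
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    return (p.enabled
            and _covers(parse_address(p.source), (s, s))
            and _covers(parse_address(p.destination), (d, d))
            and _covers(p.dst_ports, (port, port)))


def first_match(policies: List[Policy], src: str, dst: str, port: int) -> Optional[Policy]:
    """Walk the list top to bottom and return the first matching policy; later
    matches are never considered.  None means no policy matched."""
    for p in sorted(policies, key=lambda x: x.seq):
        if matches(p, src, dst, port):
            return p
    return None


def shadowed(policies: List[Policy]) -> List[Tuple[int, int]]:
    """(earlier_seq, later_seq) pairs where an earlier enabled policy fully covers
    a later one on source, destination and port, so the later policy is dead."""
    live = sorted((p for p in policies if p.enabled), key=lambda x: x.seq)
    pairs = []
    for i, outer in enumerate(live):
        for inner in live[i + 1:]:
            if (_covers(parse_address(outer.source), parse_address(inner.source))
                    and _covers(parse_address(outer.destination), parse_address(inner.destination))
                    and _covers(outer.dst_ports, inner.dst_ports)):
                pairs.append((outer.seq, inner.seq))
    return pairs


# Constructed sample list.  Policy 4 is an exception that should have been
# ordered above policies 1 and 2; where it sits it can never match.
SAMPLE_POLICIES = [
    Policy(1, "deny-finance-to-partner-http", "10.0.20.[10-20]", "203.0.113.0/24", (80, 80), "DENY"),
    Policy(2, "cache-lan-http", "10.0.0.0/255.255.0.0", "0.0.0.0/0", (80, 80), "ACCEPT"),
    Policy(3, "cache-finance-alt-port", "10.0.20.*", "203.0.113.0/24", (8080, 8080), "ACCEPT"),
    Policy(4, "allow-finance-host-15", "10.0.20.15", "203.0.113.0/24", (80, 80), "ACCEPT"),
]

if __name__ == "__main__":
    hit = first_match(SAMPLE_POLICIES, "10.0.20.15", "203.0.113.7", 80)
    print(hit.name if hit else "no match (session accepted)")
    for earlier, later in shadowed(SAMPLE_POLICIES):
        print(f"policy {later} is shadowed by policy {earlier}")
```

Running the script shows that the host-specific exception at sequence 4 is dead: the deny policy at sequence 1 and the broad cache policy at sequence 2 both cover it, so moving it to the top of the list (which does not change its ID) is what makes it take effect.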

75 Policy Policy & Objects

Clone: Clone the current proxy option.
View List: View the proxy options list. The proxy options list lists all the proxy options. From the list, you can create new options, edit or delete existing options, and view the number of times the proxy option is referenced by other objects.
Name: The name of the proxy option.
Comments: A description given to the option. This is an optional setting.
Protocol Port Mapping: Enable a protocol, then enter the inspection port or ports.
Common Options: Select to enable. Configure the following:
  Comfort Clients: Interval (seconds): enter the interval time in seconds. Amount (bytes): enter the amount in bytes.
  Block Oversized File/Email: Enable to block oversized files or emails, and configure the size threshold: Threshold (MB): enter the threshold amount for an oversized message or file in MB.
Web Options:
  Enable Chunked Bypass: Select to enable the chunked bypass setting.

Video RTMP/RTMPT stream splitting support

If several browsers within the network are viewing live RTMP/RTMPT video content, the stream will be downloaded and cached once and distributed out to multiple users. This feature is useful for corporate webcasts and other live broadcast events.

To enable in the GUI, go to Policies & Objects > Policy > Proxy Options, enable RTMP under Protocol Port Mapping, then enter the inspection port or ports (default is 1935).

To enable in the CLI, enter the following:

    config firewall profile-protocol-options
        edit <name>
            config rtmp
                set status enable
            end
        end

To check RTMP status in the CLI, enter the following:

    diag test app wad

76 Policy & Objects Policy

As of version 4.2, FortiCache also supports detection and caching of HLS traffic.

SSL inspection

To configure deep inspection options, go to Policy & Objects > Policy > SSL Inspection. SSL inspection options can be used in policies. Select a deep or certificate inspection option from the drop-down list in the toolbar and edit the settings as required, or create new options, then select Apply to apply your changes.

Create New: Select to open the New Deep Inspection Options window, where you can create a new deep inspection option.
Name: The name of the deep inspection option.
Comments: A description given to the option. This is an optional setting.
SSL Inspection Options: SSL inspection options.
  Enable SSL Inspection of: Multiple Clients Connecting to Multiple Servers - the Exempt from SSL Inspection and Common Options options below are only available with this option enabled. Protecting SSL Server.
  CA Certificate: Select a CA certificate from the drop-down menu.
  Inspection Method: SSL Certificate Inspection. Full SSL Inspection - you can optionally enable HTTPS and set which port the protocol uses.
Exempt from SSL Inspection: Exempt web categories or specific addresses from SSL inspection.
  Web Categories: Add web categories to be exempt from SSL inspection.
  Addresses: Add any pre-configured addresses to be exempt from SSL inspection.
Common Options: Common options.
  Allow Invalid SSL Certificates: Select to allow invalid SSL certificates.
  Log Invalid Certificates: Select to log invalid certificates.

77 Policy Policy & Objects

SSL exemption of domains enforcing HSTS

For domains enforcing HTTP Strict Transport Security (HSTS) it may be necessary to exempt domains from inspection and caching. A default list of common enforcing domains is now specified, and can be extended via the following CLI command:

    config firewall ssl exemption

Socks Authentication

SOCKSv5 authentication has been added to the existing SOCKSv5 proxy capability. Authentication takes place first; then, once the destination is obtained, a policy match is performed, in which the authenticated credentials are used to perform authorization.

To configure in the GUI, go to Policies & Objects > Policy > SOCKS Authentication. Configure the following settings:

Create New: Select to open the New Socks Authentication window, where you can create a new Socks Authentication option.
ID: Enter an ID number.
Proxy: Select a web proxy from the dropdown menu (default choice is web-proxy).
Original Address: Enter an address for the policy.
Action: Select either no-auth to deny authentication or auth to grant authentication from the dropdown menu.
Enable IP Based Authentication: Select to enable IP based authentication.

To configure in the CLI, enter the following:

    config firewall socks-authentication
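The following Python script is an added example, not part of this guide or of FortiCache, that shows how the HSTS exemption list described above can be extended from evidence rather than guesswork. A host that sends Strict-Transport-Security with a non-zero max-age instructs browsers to treat any certificate error as fatal (RFC 6797), which is why such hosts break under SSL inspection when the browser does not trust the inspecting CA, and why they are candidates for exemption. The response samples are constructed and the function names are the example's own.

```python
"""Added example, not part of the FortiCache guide: derive HSTS exemption
candidates from observed HTTPS response headers.  The samples are constructed."""
from typing import Dict, List, Optional, Tuple


def parse_hsts(header: str) -> Optional[Dict[str, object]]:
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).
    Returns None when max-age is absent or malformed, in which case a browser
    ignores the header and the host does not enforce HSTS."""
    result: Dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            result["max_age"] = int(value)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    if result["max_age"] is None:
        return None
    return result


def exemption_candidates(responses: List[Dict[str, str]]) -> List[Tuple[str, bool]]:
    """From {host, sts} observations return (host, include_subdomains) pairs for
    hosts that currently enforce HSTS.  max-age=0 means the host has withdrawn
    its policy, so it is not a candidate; a missing or malformed header is ignored."""
    found = set()
    for r in responses:
        parsed = parse_hsts(r.get("sts", ""))
        if parsed and parsed["max_age"] > 0:
            found.add((r["host"].lower(), bool(parsed["include_subdomains"])))
    return sorted(found)


# Constructed sample observations; hosts are documentation examples.
SAMPLE_RESPONSES = [
    {"host": "www.example.com", "sts": "max-age=31536000; includeSubDomains; preload"},
    {"host": "cdn.example.net", "sts": "max-age=300"},
    {"host": "legacy.example.org", "sts": "max-age=0"},
    {"host": "plain.example.org", "sts": ""},
    {"host": "broken.example.org", "sts": "includeSubDomains"},
]

if __name__ == "__main__":
    for host, subdomains in exemption_candidates(SAMPLE_RESPONSES):
        print(f"{host}{' (and subdomains)' if subdomains else ''}")
```

A host reported with include_subdomains set needs its whole subtree exempted, since the browser applies the same fatal-error rule to every subdomain it visits after seeing that header.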

78 Objects

The firewall objects menu provides options for configuring addresses, services, schedules, explicit web proxy, forwarding servers, and web proxy settings. This chapter contains the following sections:
  Addresses
  Services
  Schedules
  Explicit
  Forward server
  Web proxy global

Addresses

Web cache addresses and address groups define network addresses that you use when configuring source and destination addresses for security policies. The FortiCache unit compares the IP addresses contained in packet headers with security policy source and destination addresses to determine if the security policy matches the traffic. Addresses can be IPv4 addresses and address ranges, IPv6 addresses, and fully qualified domain names (FQDNs).

Be careful if employing FQDN web cache addresses. Using a fully qualified domain name in a security policy, while convenient, does present some security risks because policy matching then relies on a trusted DNS server. If the DNS server should ever be compromised, security policies requiring domain name resolution may no longer function properly.

Web cache addresses in the address list are grouped by type: IP/Netmask, FQDN, or IPv6. A FortiCache unit's default configuration includes the all address, which represents any IPv4 IP address on any network. You can also add a firewall address list when configuring a security policy.

To view the address list, go to Policy & Objects > Objects > Addresses. Configure the following settings:

Create New > Address: Add a new address.
Edit: Edit the selected address.
Delete: Remove the selected address or addresses. This icon appears only if a policy or address group is not currently using the address.
Name: The name of the address.
Address: The IP address and mask, IP address range, or FQDN of the address.

79 Objects

Interface: The interface to which the address is bound.
Type: The type of address: Subnet, IP Range, FQDN.
Comments: Optional description of the address.
Ref.: Displays the number of times the address is referenced by other objects. To view the location of the referenced address, select the number in Ref. The Object Usage window appears displaying the various locations of the referenced object.
Show in Address List
Tags

To create a new address:
1. Go to Policy & Objects > Objects > Addresses and select Create New > Address. The New Address window opens.
2. Configure the following settings:
  Name: Enter a name for the address. Addresses must have unique names.
  Type: Select the type of address: Subnet, IP Range, or FQDN.
  Subnet / IP Range: You can enter either an IP range or an IP address with subnet mask. Enter the IP address, followed by a forward slash (/), then the subnet mask, or enter an IP address range separated by a hyphen. See Web cache policy address formats on page 73.
  FQDN: Enter the FQDN. This option is only available when Type is FQDN.
  Interface: Select the interface to which you want to bind the IP address. Select Any if you want to bind the IP address with the interface when you create a policy.
  Comments: Optionally, enter a description of the address.
3. Select OK to create the new address.

To edit an address:
1. Select the address you would like to edit then select Edit from the toolbar, or double-click on the address in the address table. The Edit Address window opens.
2. Edit the address information as required and select OK to apply your changes.

To delete an address or addresses:
1. Select the address or addresses that you would like to delete.
2. Select Delete from the toolbar.
3. Select OK in the confirmation dialog box to delete the selected address or addresses.

80 Objects

Address groups

You can organize multiple addresses into an address group to simplify your policy list. For example, instead of having five identical policies for five different but related addresses, you might combine the five addresses into a single address group, which is used by a single policy.

To view the address group list, go to Policy & Objects > Objects > Addresses.

Create New > Address Group: Add an address group.
Edit: Select to edit the address group.
Delete: Select to remove the address group. This icon appears only if the address group is not currently being used by a policy.
Group Name: The name of the address group.
Members: The addresses in the address group.
Comments: Optional description of the address group.
Ref.: Displays the number of times the address group is referenced by other objects. To view the location of the referenced address group, select the number in Ref. The Object Usage window appears displaying the various locations of the referenced object.
Show in Address List: Whether or not the group is shown in the address list.
Tags

To create a new address group:
1. Select Create New > Address Group. The New Address Group window opens.
2. Configure the following information:
  Group Name: Enter a name to identify the address group. Addresses, address groups, and virtual IPs must have unique names.
  Comments: Optionally, enter a description of the address group.
  Show in Address List: Select to show the address group in the address list.
  Members: Select the addresses to add to the address group.
3. Select OK to create the new address group.

To edit an address group:
1. Select the group you would like to edit, then select Edit from the toolbar, or double-click on the address group. The Edit Address Group window opens.
2. Edit the address group information as required and select OK to apply your changes.

To delete an address group or groups:
1. Select the address group or groups that you would like to delete.
2. Select Delete from the toolbar.
3. Select OK in the confirmation dialog box to delete the selected address group or groups.

Services

Web cache services define one or more protocols and port numbers associated with each service. Web cache policies use service definitions to match session types. You can organize related services into service groups to simplify your policy list.

If you need to create a web cache policy for a service that is not in the predefined service list, you can add a custom service. Custom services are configured in Policy & Objects > Objects > Services. The following options are available:

Create New: Create a new custom service or category. See To create a new service: on page 82 and Adding a service category on page 83.
Edit: Edit the selected service.
Delete: Remove the selected custom service. This icon appears only if a service is not currently being used in a web cache policy.
Category Settings: Edit the order in which the categories are displayed in the list when viewing the list by category.
By Category: View the list organized by categories.
Alphabetically: View the list organized alphabetically.
Service Name: The name of the custom service.
Ports: The port numbers for each service.
IP/FQDN: The IP address or FQDN of the service.
Show in Service List: Whether or not the service is shown in the service list.
Comments: Optional description of the service.
Protocol: The protocol type for the service.
Ref.: Displays the number of times the service is referenced by other objects. To view the location of the referenced service, select the number in Ref.; the Object Usage window appears, displaying the various locations of the referenced object.
Type: The type of service.

To create a new service:
1. Go to Policy & Objects > Objects > Services and select Create New > Service. The New Service window opens.
2. Configure the following settings:
   Name: Enter a name for the custom service.
   Comments: Optionally, enter a description of the service.
   Service Type: Select the service type: Firewall or Explicit Proxy.
   Show in Service List: Select to show the service in the service list.
   Category: Select the category for the service: Uncategorized, General, or Web Proxy.
   Protocol Type: Select the type of protocol for the service. If Service Type is Firewall, select one of: TCP/UDP/SCTP, ICMP, ICMP6, or IP. If Service Type is Explicit Proxy, select one of: ALL, CONNECT, FTP, HTTP, SOCKS-TCP, or SOCKS-UDP.
   IP/FQDN: Enter the IP address or FQDN for the service. This option is only available if Protocol Type is set to TCP/UDP/SCTP, ALL, CONNECT, FTP, HTTP, or SOCKS.
   Protocol: Select the protocol from the drop-down list that you are configuring settings for: TCP, UDP, or SCTP. Then enter the low and high destination and source ports in the requisite fields. Up to 16 protocols can be added. When Service Type is Explicit Proxy, the protocol is TCP. This option is only available if Protocol Type is set to TCP/UDP/SCTP, ALL, CONNECT, FTP, HTTP, or SOCKS.
   Type: Enter the ICMP type number for the ICMP protocol configuration. This option is only available if Protocol Type is set to ICMP or ICMP6.

   Code: Enter the ICMP code number for the ICMP protocol configuration. This option is only available if Protocol Type is set to ICMP or ICMP6.
   Protocol Number: Enter the protocol number for the IP protocol configuration. This option is only available if Protocol Type is set to IP.
3. Select OK to create the new service.

To edit a service:
1. Select the service you would like to edit, then select Edit in the toolbar, or double-click on the service in the table. The Edit Service window opens.
2. Edit the service as required, then select OK to apply your changes.

To delete a service or services:
1. Select the service or services that you would like to delete.
2. Select Delete from the toolbar.
3. Select OK in the confirmation dialog box to delete the selected service or services.

Adding a service category
1. From Policy & Objects > Objects > Services, select Create New > Category. The New Service Category window opens.
2. Enter a name for the new category in the Name field.
3. Optionally, enter a description of the category in the Comments field.
4. Select OK to create the new service category.

Service groups

You can organize multiple services into a service group to simplify your policy list. For example, instead of having five identical policies for five different but related services, you can combine the five services into a single service group that is used by a single policy. Service groups cannot contain other service groups.

Configure a service group using the following CLI command:

    config firewall service group
        edit <name>
            set member          --Service group member.
            set explicit-proxy  --Enable/disable explicit web proxy service group.
            set comment         --Comment.
            set color           --GUI icon color.
        next
    end

Schedules

When you add security policies on a FortiCache unit, those policies are always on, policing the traffic through the device. Schedules control when policies are in effect. The schedule list lists all the schedules. Recurring and one-time schedules can be created, edited, and deleted as needed.

You can create a recurring schedule that activates a policy during a specified period of time. If a recurring schedule has a stop time that is earlier than the start time, the schedule will take effect at the start time but end at the stop time on the next day. You can use this technique to create recurring schedules that run from one day to the next. To create a recurring schedule that runs for 24 hours, set the start and stop times to 00.

You can create one-time schedules, which are schedules that are in effect only once, for the period of time specified in the schedule.

To manage schedules, go to Policy & Objects > Objects > Schedules.

Create New: Create a new recurring schedule, one-time schedule, or schedule group. See To create a new recurring schedule: and To create a new one-time schedule:.
Edit: Edit the selected schedule.
Delete: Remove the selected schedule. This icon is only available if the selected schedule is not currently being used in a policy.
Search: Enter a search term to search the schedules list.
Name: The name of the schedule.
Days/Members: The days of the week that the schedule is configured to be active.
Start: The time of day that the schedule is configured to start.
End: The time of day that the schedule is configured to end.
Ref.: Displays the number of times the schedule is referenced by other objects. To view the location of the referenced schedule, select the number in Ref.; the Object Usage window appears, displaying the various locations of the referenced object.
Type: The type of schedule, either Recurring or One-Time.

To create a new recurring schedule:
1. Go to Policy & Objects > Objects > Schedules and select Create New > Schedule. The New Schedule window opens.

2. Configure the following settings:
   Type: Set to Recurring.
   Name: Enter the name of the recurring schedule.
   Days: Select the days of the week when the schedule will be active.
   Start Time: Select the start time for the schedule.
   Stop Time: Select the stop time for the schedule. If the stop time is set earlier than the start time, the stop time will be during the next day. If the start time is equal to the stop time, the schedule will run for 24 hours.
3. Select OK to create the recurring schedule.

To create a new one-time schedule:
1. Go to Policy & Objects > Objects > Schedules and select Create New > Schedule. The New Schedule window opens.
2. Configure the following settings:
   Type: Set to One-time.
   Name: Enter the name of the one-time schedule.
   Start Date: Select the year, month, day, hour, and minute that the schedule will start.
   End Date: Select the year, month, and day that the schedule will stop. The stop time must be later than the start time.
   Start Time: Select the hour and minute that the schedule will start.
   Stop Time: Select the hour and minute that the schedule will stop. The stop time must be later than the start time.
   Pre-expiration event log: Select to generate an event log prior to the schedule expiring. Enter the number of days prior to the expiry at which the event log will be generated (minimum 1).
3. Select OK to create the one-time schedule.

To edit a schedule:
1. Select the schedule you would like to edit, then select Edit from the toolbar, or double-click on the schedule in the table. The Edit Recurring Schedule or Edit One-time Schedule window opens.
2. Edit the information as required, then select OK to apply your changes.
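As an added example (not code from the FortiCache guide), the following JavaScript models the schedule rules described above: a stop time earlier than the start time ends on the following day, start equal to stop runs for 24 hours, one-time schedules are in effect once, and a schedule group is active when any member is. The schedule objects and dates are constructed for illustration.

```javascript
// Added example, not FortiCache code: a model of how recurring and one-time
// schedules decide whether a policy is in effect at a given local time.
const DAYS = ["sunday", "monday", "tuesday", "wednesday", "thursday", "friday", "saturday"];

// "HH:MM" -> minutes since midnight
function toMinutes(hhmm) {
  const [h, m] = hhmm.split(":").map(Number);
  return h * 60 + m;
}

// Recurring schedule: { days: [...], start: "HH:MM", stop: "HH:MM" }.
// A stop time earlier than the start time ends on the following day; start
// equal to stop runs for 24 hours (00:00/00:00 covers the whole scheduled day).
function isRecurringActive(schedule, when) {
  const start = toMinutes(schedule.start);
  const stop = toMinutes(schedule.stop);
  const now = when.getHours() * 60 + when.getMinutes();
  const today = DAYS[when.getDay()];
  const yesterday = DAYS[(when.getDay() + 6) % 7];
  if (start < stop) {
    // Same-day window; the stop time itself is already outside the window.
    return schedule.days.includes(today) && now >= start && now < stop;
  }
  // Overnight (or 24-hour) window: from the start time on a scheduled day
  // until the stop time on the day after it.
  return (schedule.days.includes(today) && now >= start) ||
         (schedule.days.includes(yesterday) && now < stop);
}

// One-time schedule: { start: Date, end: Date }, in effect exactly once.
function isOneTimeActive(schedule, when) {
  return when >= schedule.start && when < schedule.end;
}

// Schedule group: active when any member schedule is active.
function isGroupActive(members, when) {
  return members.some((s) =>
    s.type === "recurring" ? isRecurringActive(s, when) : isOneTimeActive(s, when));
}

// Whole days until a one-time schedule expires, as used by the
// pre-expiration event log setting.
function daysUntilExpiry(schedule, when) {
  return Math.ceil((schedule.end - when) / 86400000);
}

// Constructed sample schedules (January 2017: the 22nd is a Sunday).
const NIGHT_MAINTENANCE = { type: "recurring", days: ["monday", "friday"], start: "22:00", stop: "06:00" };
const ALL_DAY_SUNDAY = { type: "recurring", days: ["sunday"], start: "00:00", stop: "00:00" };
const CHANGE_WINDOW = { type: "one-time", start: new Date(2017, 0, 20, 8, 0), end: new Date(2017, 0, 25, 0, 0) };
```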

To delete schedules:
1. Select the schedule or schedules that you would like to delete.
2. Select Delete from the toolbar.
3. Select OK in the confirmation dialog box to delete the selected schedule or schedules.

Schedule groups

You can organize multiple schedules into a schedule group to simplify your security policy list. For example, instead of having five identical policies for five different but related schedules, you might combine the five schedules into a single schedule group that is used by a single security policy. Schedule groups can contain both recurring and one-time schedules. Schedule groups cannot contain other schedule groups.

To configure schedule groups, go to Policy & Objects > Objects > Schedules.

To create a new schedule group:
1. Go to Policy & Objects > Objects > Schedules and select Create New > Schedule Group. The New Schedule Group window opens.
2. Configure the following settings:
   Name: Enter the name of the schedule group.
   Members: Select the schedules that you would like to include in the group from the drop-down menu.
3. Select OK to create the schedule group.

To edit a schedule group:
1. Select the schedule group you would like to edit, then select Edit from the toolbar, or double-click on the schedule group in the table. The Edit Schedule Group window opens.
2. Edit the information as required, then select OK to apply your changes.

To delete schedule groups:
1. Select the group or groups that you would like to delete.
2. Select Delete from the toolbar.
3. Select OK in the confirmation dialog box to delete the selected group or groups.

IP pools

IP pools are a mechanism that allows sessions leaving the FortiCache to use NAT. An IP pool defines a single IP address or a range of IP addresses to be used as the source address for the duration of a session. These assigned addresses are used instead of the IP address assigned to that FortiCache interface.

To create an IP pool:
1. Go to Policy & Objects > Objects > IP Pools and select Create New.
2. Configure the following:

   Name: Enter a name for the IP pool in the Name field.
   Interfaces: Select the interface to which you want to assign addresses.
   IP: Enter the desired IP address or IP range to use in the IP pool.
   Network Mask: Enter the required network mask for the IP range.

Explicit

Use the explicit web proxy to enable explicit HTTP proxying on one or more Fortinet interfaces. IPv6 is supported. As of version 4.2.0, IP Pool support has been extended to the explicit web proxy, allowing such traffic to be sourced from a range of IP addresses.

To configure the explicit web proxies, go to Policy & Objects > Objects > Explicit. Configure the following settings:

Create New: Create a new explicit web proxy.
Edit: Modify the settings of an explicit web proxy.
Delete: Remove a proxy from the list.
Status: The status of the explicit web proxy.
Name: The name of the explicit web proxy.
Interface: The interface to which the proxy applies.
Ref.: Displays the number of times the proxy is referenced by other objects. To view the location of the referenced proxy, select the number in Ref.; the Object Usage window appears, displaying the various locations of the referenced object.

To create a new explicit web proxy:
1. Go to Policy & Objects > Objects > Explicit and select Create New. The New Web Proxy Explicit window opens.

2. Configure the following settings:
   Name: Enter the name of the explicit web proxy.
   Interface: Select the interfaces that are monitored by the explicit web proxy from the drop-down list.
   Enable FTP over HTTP: Select to enable FTP over HTTP for the explicit web proxy.
   HTTP Port: Enter the HTTP port number that traffic from client web browsers uses to connect to the explicit proxy for this protocol. Explicit proxy users must configure their web browser's proxy settings to use this port (default = 8080).
   HTTPS Port: Enter the HTTPS port number that traffic from client web browsers uses to connect to the explicit proxy for this protocol. Explicit proxy users must configure their web browser's proxy settings to use this port. Enter 0 to use the HTTP port.
   PAC Port: Enter the Proxy Auto-Config (PAC) port number that traffic from client web browsers uses to connect to the explicit proxy for this protocol. Explicit proxy users must configure their web browser's proxy settings to use this port. Enter 0 to use the HTTP port.
   Realm: The authentication realm that identifies the explicit web proxy. The realm is a text string of up to 63 characters. If the realm includes spaces, the name must be enclosed in quotation marks. When a user authenticates with the explicit proxy, the HTTP authentication dialog includes the realm, so it can be used to identify the explicit web proxy to your users.
   Enable SOCKS proxy: Select to enable the SOCKS proxy protocol. The SOCKS proxy protocol is an optional protocol that routes packets between a client and a server through a proxy. SOCKS is supported by many major web browsers. The SOCKS proxy protocol does not support authentication.
   Unknown HTTP version: Select the action to take when the proxy must handle a request or message from an unknown HTTP version. Best Effort: Attempt to handle the HTTP traffic as well as possible. Reject: Treat the traffic as malformed and drop it. This option is more secure and is the default setting.
3. Select OK to create the explicit web proxy.

Note that, as of version 4.2, the FTP over HTTP proxy engine has been enhanced, adding a range of extended FTP features including support for PORT mode, FTP over HTTP CONNECT, and support for uploads through PUT (UTM scanning).

To edit an explicit web proxy:
1. Select the explicit web proxy you would like to edit, then select Edit from the toolbar, or double-click on the explicit web proxy in the table. The Edit Web Proxy Explicit window opens.
2. Edit the information as required, then select OK to apply your changes.

To delete explicit web proxies:
1. Select the explicit web proxy or proxies that you would like to delete.
2. Select Delete from the toolbar.
3. Select OK in the confirmation dialog box to delete the selected proxy or proxies.

Forward Server

By default, the FortiCache unit monitors a web proxy forwarding server by forwarding a connection to the remote server every 10 seconds. If the remote server does not respond, it is assumed to be down. Checking continues until the server does send a response, at which point the server is assumed to be back up.

If health checking is enabled, the FortiCache unit attempts to get a response from a web server by connecting through the remote forwarding server every 10 seconds. You can enable health checking for each remote server, and specify a different web site to check for each one.

If the remote server is found to be down, you can configure the FortiCache unit to either block sessions until the server comes back up, or allow sessions to connect to their destination using the original server. You cannot configure the FortiCache unit to fail over to another remote forwarding server.

To configure the server down action and enable health monitoring, go to Policy & Objects > Objects > Forward Server. Configure the following settings:

Create New: Create a new forwarding server.
Edit: Edit a forwarding server.
Delete: Remove a forwarding server setting from the list.
Server Name: The name of the forwarding server.
Address: The IP address of the forwarding server.
Port: The port number of the forwarding server.
Health Check: Indicates whether the health check is disabled or enabled for that forwarding server. A green checkmark indicates that health check is enabled; a gray x indicates that health check is disabled.
Server Down: The action that the FortiCache unit will take when the server is down.

Ref.: Displays the number of times the forwarding server is referenced by other objects. To view the location of the referenced forwarding server, select the number in Ref.; the Object Usage window appears, displaying the various locations of the referenced object.

Use the following CLI command to enable health checking for a web proxy forwarding server and set the server down option to use the original server if the forwarding server is down:

    config web-proxy forward-server
        edit fwd-srv
            set healthcheck enable
            set monitor <URL of the health check monitoring site>
            set server-down-option pass
    end

To create a new forwarding server:
1. Go to Policy & Objects > Objects > Forward Server and select Create New. The Add Forwarding Server window opens.
2. Configure the following settings:
   Server Name: Enter the name of the forwarding server.
   Proxy Address Type: Select the type of address of the forwarding server, either IP or FQDN.
   Proxy Address: Enter the IP address or FQDN of the forwarding server.
   Port: Enter the port number.
   Server Down Action: Select what action the FortiCache unit will take if the forwarding server is down, either Block or Use Original Server.
   Enable Health Monitor: Select to enable health check monitoring.
   Health Check Monitor Site: Enter the URL address of the health check monitoring site.
3. Select OK to create the forwarding server.

To edit a forwarding server:
1. Select the server you would like to edit, then select Edit from the toolbar, or double-click on the server in the table. The Edit Forwarding Server window opens.
2. Edit the information as required, then select OK to apply your changes.

To delete forwarding servers:
1. Select the server or servers that you would like to delete.
2. Select Delete from the toolbar.
3. Select OK in the confirmation dialog box to delete the selected server or servers.

Web proxy global

Use the global explicit web proxy settings to change the configuration of explicit web proxies. Go to Policy & Objects > Objects > Web Proxy Global to change the global explicit web proxy settings. Configure the following settings:

Proxy FQDN: The FQDN for the global proxy server. This is the domain name to enter into browsers to access the proxy server.
Max HTTP request length: The maximum length of an HTTP request that can be cached, in Kb. Larger requests will be rejected (default = 4Kb).
Max HTTP message length: The maximum length of an HTTP message that can be cached, in Kb. Larger messages will be rejected (default = 32Kb).
Enable Strict Web Check: Close the connection if errors are found in the HTTP header. For example, the connection would be closed if a single-line header becomes a multiple-line header, or if a request header shows up in a response.
Enable Forward Proxy Authentication: Include proxy-authentication information in packets sent to the HTTP proxy behind the FortiCache explicit proxy.
Webproxy Profile: Select a web proxy profile, if one has been configured under Policy & Objects > Objects > Web Proxy Profile. See Web proxy profile.

Proxy auto-config configuration

A PAC file defines how a web browser can select a proxy server for receiving HTTP content. PAC files include the FindProxyForURL(url, host) JavaScript function, which returns a string with one or more access method specifications. These specifications cause the web browser to either use a particular proxy server, or to connect directly to retrieve the content.

The FortiCache can be configured to serve a PAC file to define the proxy network and how it should be used by the client. The browser must be configured appropriately to point at the FortiCache device to retrieve the PAC file, for example: <FortiCache IP>:8080/proxy.pac

Web proxy auto-discovery protocol

The Web Proxy Auto-Discovery Protocol (WPAD) is a method for a browser to automatically discover the proxy configuration file, without any browser configuration, using settings in DNS or DHCP. For more information about this method, refer to the Internet Engineering Task Force (IETF) draft on WPAD.

When using DNS, the most widely supported resolution method, an entry is made in the local authoritative zone to map the name wpad (such as wpad.example.com) to one or more IP addresses. The browser then automatically looks in well-known locations for the WPAD configuration, which is in effect a PAC file, as described in Proxy auto-config configuration on page 91.

To configure the FortiCache unit to issue a wpad.dat file, use the following CLI commands:

    config web-proxy explicit
        edit "web-proxy"
            set ftp-over-http enable
            set interface "port1"
            set pac-file-name "wpad.dat"
            set pac-file-server-port 80
            set pac-file-server-status enable
            set pac-file-data "<Put your PAC file content here, escaping quotes with \>"
        next
    end

If you are configuring the wpad file on port 80, you will receive an error, as the GUI is also configured on port 80 (even when not in use). To avoid this error, first move the GUI to a different port with the following commands:

    config system global
        set admin-port 81
    end

Web proxy profile

You can create web proxy profiles that can add, remove, and change HTTP headers. The web proxy profile can be added to the web proxy global configuration.
You can change the following HTTP headers:

Client IP Header
Via request Header
Via response Header
X-Forwarded-For Header
Front End HTTPS

For each of these headers you can set the action to:
Forward the same HTTP header
Add the HTTP header
Remove the HTTP header

You can also configure how the web proxy handles custom headers under Profile Headers > Create New. The proxy can add or remove custom headers from requests or responses. If you are adding a header, you can specify the content to be included in the added header.
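The PAC file described under Proxy auto-config configuration above, as an added example that is not part of the guide: a FindProxyForURL function that sends web traffic to the FortiCache explicit proxy and keeps internal names direct. The proxy address 192.0.2.10:8080 and the internal domain corp.example are assumed values; the helper functions at the end mirror the ones a browser's PAC engine supplies, so the same file also runs stand-alone under Node.

```javascript
// Added example PAC file, not from the FortiCache guide. The browser calls
// FindProxyForURL(url, host) for every request and uses the returned
// access-method list. Assumed deployment (constructed values): the explicit
// web proxy listens on 192.0.2.10 with HTTP Port 8080 (the default), HTTPS
// Port and PAC Port set to 0 so they share it, and the internal domain is
// corp.example.
var FORTICACHE_PROXY = "PROXY 192.0.2.10:8080";
var PROXY_HOST = "192.0.2.10";
var INTERNAL_DOMAIN = ".corp.example";

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Plain host names and the internal domain stay on the LAN.
  if (isPlainHostName(host) || dnsDomainIs(host, INTERNAL_DOMAIN)) {
    return "DIRECT";
  }
  // Never route the PAC/WPAD fetch itself through the proxy.
  if (host === PROXY_HOST) {
    return "DIRECT";
  }
  // HTTP, HTTPS (via CONNECT) and FTP over HTTP go through the explicit
  // proxy. There is deliberately no "; DIRECT" fallback: failing closed
  // means an unreachable proxy cannot be used to bypass web filtering and
  // antivirus scanning.
  if (shExpMatch(url, "http:*") || shExpMatch(url, "https:*") || shExpMatch(url, "ftp:*")) {
    return FORTICACHE_PROXY;
  }
  // Other schemes are not handled by the web proxy.
  return "DIRECT";
}

// A browser's PAC engine provides these helpers; minimal equivalents are
// defined here so the file also runs under Node for testing.
function isPlainHostName(h) {
  return h.indexOf(".") === -1;
}
function dnsDomainIs(h, domain) {
  return h.length >= domain.length && h.slice(-domain.length) === domain;
}
function shExpMatch(str, pattern) {
  // Shell-style glob: "*" matches any run, "?" one character; anchored.
  var re = "^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}
```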

Security Profiles

The Security Profiles menu provides access to antivirus, web filter, and ICAP profiles, as well as DLP sensors and filters, and ICAP server settings.

This chapter includes the following sections:
Antivirus
Web filter
Data leak prevention
ICAP
Content Analysis

Antivirus

A profile is specific configuration information that defines how the traffic within a policy is examined and what action may be taken based on the examination. Multiple antivirus profiles can be created for different antivirus scanning requirements. These profiles can then be applied to firewall policies.

To manage antivirus profiles, go to Security Profiles > Antivirus > View List.

To enable antivirus scanning:
1. Go to Policy & Objects > Policy > Policy and either add or select the security policy that accepts the traffic to be virus scanned. See Configuring policies.
2. In the New Policy or Edit Policy window, under Security Profiles, select AntiVirus, then select an antivirus profile from the drop-down list.
3. Select OK to save the policy.

To create a new antivirus profile:
1. Go to Security Profiles > AntiVirus > View List and select Create New. The New AntiVirus Profile Server window opens.

2. Configure the following settings:
   Name: Enter the name of the antivirus profile.
   Comments: Optionally, enter a description of the profile.
   Protocol: The protocols for which virus scan and removal can be enabled.
   Virus Scan and Block / Monitor: Select to enable virus scan and monitoring.
3. Select OK to create the antivirus profile.

To edit an antivirus profile:
1. Select the profile you would like to edit, then select Edit from the toolbar, or double-click on the profile in the table. The Edit AntiVirus Server window opens.
2. Edit the information as required, then select OK to apply your changes.

To delete antivirus profiles:
1. Select the profile or profiles that you would like to delete.
2. Select Delete from the toolbar.
3. Select OK in the confirmation dialog box to delete the selected profile or profiles.

Web Filter

This section describes how to configure web filters for HTTP traffic, and URL filters to allow or block caching of specific URLs.

The web filter profiles menu allows you to configure a web filter profile to apply to a policy. A profile is specific information that defines how the traffic within a policy is examined and what action may be taken based on the examination.

To configure web filter profiles, go to Security Profiles > Web Filter. The Edit Web Filter Profile page is displayed.

Configure the following settings, then select Apply to apply any changes:
   Name: The name of the web filter profile.
   Comments: Optional description of the profile.
   FortiGuard Categories: Select to enable FortiGuard categories. If the device is not licensed for the FortiGuard web filtering service, enabling this option may cause traffic to be blocked. In the category list, right-click on a specific category, then select the action to take from the pop-up menu: Allow, Block, Monitor, Warning, or Authenticate.
   Show

   Quota: Quotas can be configured on categories set to the Monitor, Warning, or Authenticate actions.
      1. Expand the quota list, then select Create New in the table to open the New/Edit Quota window.
      2. Select categories from the list.
      3. Select the length of the quota.
      4. Select OK to create the new quota.
      Quotas can also be edited and deleted as required.
   Enable Safe Search / Search Engine...: Select to enable safe search. When enabled, the supported search engines exclude offensive material from search results. Supported search engines include: Google, Yahoo!, Bing, and Yandex.
   YouTube Education Filter: Select to enable the YouTube education filter, then enter the filter in the text field.
   Log All Search Keywords: Enable to log all searched keywords.
   Block Invalid URLs: Enable to block web sites when their SSL certificate CN field does not contain a valid domain name.
   Enable URL Filter: Select to enable URL or web site filters. See Web site filters on page 100.
   Enable Web Content Filter: Enable to block access to web pages that include the words in the selected web content filter list.
   Allow Websites When a Rating Error Occurs: Enable to allow access to web pages that return a rating error from the web filter service. If your unit is temporarily unable to contact the FortiGuard service, this setting determines what access the unit allows until contact is reestablished. If enabled, users will have full unfiltered access to all web sites. If disabled, users will not be allowed access to any web sites.
   Rate URLs by Domain and IP Address: Enable to have the unit request site ratings by URL and IP address separately, providing additional security against attempts to bypass the FortiGuard Web Filter. FortiGuard Web Filter ratings for IP addresses are not updated as quickly as ratings for URLs. This can sometimes cause the unit to allow access to sites that should be blocked, or to block sites that should be allowed.
   Block HTTP Redirects by Rating: Enable to block HTTP redirects. Many web sites use HTTP redirects legitimately, but in some cases redirects may be designed specifically to circumvent web filtering, as the initial web page could have a different rating than the destination web page of the redirect.

   Rate Images by URL (Blocked images will be replaced with blanks): Enable to have the unit retrieve ratings for individual images in addition to web sites. Images in a blocked category are not displayed even if they are part of a site in an allowed category. Blocked images are replaced on the originating web pages with blank place-holders. Rated image file types include GIF, JPEG, PNG, BMP, and TIFF.
   Restrict Google Account Usage to Specific Domains: Enable to have users logged in to their Google account browse only specific domains or web sites.
   Web Resume Download Block: Enable to prevent a download from resuming after it has been interrupted. With this filter enabled, any attempt to restart an aborted download will download the file from the beginning rather than resuming from where it left off. This prevents the unintentional download of viruses hidden in fragmented files. Some types of files, such as PDF, fragment files to increase download speed. Enabling this option can cause download interruptions and may also break certain applications that use the Range header in the HTTP protocol, such as YUM, a Linux update manager.
   Provide Details for Blocked HTTP 4xx and 5xx Errors: Enable to have the unit display its own replacement message for 400- and 500-series HTTP errors. If the server error is allowed through, malicious or objectionable sites can use these common error pages to circumvent web filtering.
   HTTP POST Action: Select the action to take with HTTP POST traffic. HTTP POST is the command used by your browser when you send information, such as a filled-out form or a file you are uploading, to a web server. The available actions include:
      Comfort: Use client comforting to slowly send data to the web server as the FortiCache unit scans the file. This option prevents a server time-out when scanning or other filtering is enabled for outgoing traffic. The client comforting settings used are those defined in the protocol options profile selected in the security policy.
      Block: Block the HTTP POST command. This will limit users from sending information and files to web sites. When the POST request is blocked, the unit sends the http-post-block replacement message to the web browser attempting to use the command.
   Remove Java Applet Filter: Enable to filter Java applets from web traffic. Web sites using Java applets may not function properly when this filter is enabled.
   Remove ActiveX Filter: Enable to filter ActiveX scripts from web traffic. Web sites using ActiveX may not function properly when this filter is enabled.
   Remove Cookie Filter: Enable to filter cookies from web traffic. Web sites using cookies may not function properly when this filter is enabled.

Profile list

The web filter profile list can be viewed by selecting View List in the Edit Web Filter Profile page toolbar.

Create New: Create a new web filter profile.
Edit: Modify the web filter profile.
Delete: Remove the web filter profile.
Name: The name of the web filter profile.
Comments: An optional description of the web filter profile.
Ref.: Displays the number of times the profile is referenced by other objects. To view the location of the referenced profile, select the number in Ref.; the Object Usage window appears, displaying the various locations of the referenced object.

Managing web filter profiles

Web filter profiles can be added, edited, cloned, and deleted as required.

To create a new web filter profile:
1. From either the Edit Web Filter Profile page or the web filter profile list, select Create New.
2. Enter the required information, then select OK to create the new web filter profile.

To edit a web filter profile:
1. From the Edit Web Filter Profile page, select the profile you need to edit from the profile drop-down list. From the profile list, either select the profile you would like to edit and then select Edit from the toolbar, or double-click on the profile name in the list. The Edit Web Filter Profile window opens.
2. Edit the information as required, then select Apply to apply your changes.

To clone a web filter profile:
1. From the Edit Web Filter Profile page, select the profile you need to clone from the profile drop-down list.
2. Select Clone from the toolbar.
3. Enter a name for the profile in the dialog box, then select OK. The profile list opens, with the clone added.
4. Edit the clone as required.

To delete a profile or profiles:
1. From the profile list, select the profile or profiles that you would like to delete.
2. Select Delete from the toolbar.
3. Select OK in the confirmation dialog box to delete the selected profile or profiles.

Web site filters

You can allow or block access to specific web sites by adding them to the URL filter list. You add the web sites by using patterns containing text and regular expressions. The unit allows or blocks web pages matching any specified URLs or patterns and displays a replacement message instead.

Web site blocking does not block access to other services that users can access with a web browser. For example, web site blocking does not block access to ftp://ftp.example.com. Instead, use firewall policies to deny FTP connections.

When adding a URL to the web site filter list, follow these rules:
- Type a top-level URL or IP address to control access to all pages on a web site. For example, or controls access to all pages at this web site.
- Enter a top-level URL followed by the path and file name to control access to a single page on a web site. For example, or /monkey.html controls access to the monkey page on this web site.
- To control access to all pages with a URL that ends with example.com, add example.com to the filter list. For example, adding example.com controls access to mail.example.com, and so on.
- Control access to all URLs that match patterns using text and regular expressions (or wildcard characters). For example, example.* matches example.com, example.org, example.net, and so on.

URLs with an action set to exempt or pass are not scanned for viruses. If users on the network download files through the unit from a trusted web site, add the URL of this web site to the URL filter list with an action to pass it, so the unit does not virus scan files downloaded from this URL.

To create a new web site filter:
1. In either the New Web Filter Profile or Edit Web Filter Profile page, select Enable Web Site Filter.
2. In the filter table, select Create New to add a new row to the table.
3. Enter the URL to filter in the URL column.
Enter a top-level domain suffix (for example, com without the leading period) to block access to all web sites with this suffix.
4. Select the type from the drop-down list in the Type column. One of: Simple, Reg. Expression, or Wildcard.
5. Select the action to take from the drop-down list in the Action column. One of:
   Exempt: Allow trusted traffic to bypass the antivirus proxy operations.
   Block: Block access to any URLs matching the URL pattern and display a replacement message. See Replacement messages on page 1.
   Allow: Allow access to any URL that matches the URL pattern.
   Monitor: Monitor traffic to and from URLs matching the URL pattern.
6. Select the status of the filter from the drop-down list in the Status column, either Enable or Disable, to enable or disable the filter.

To edit a web site filter:
1. In either the New Web Filter Profile or Edit Web Filter Profile page, select Enable Web Site Filter.
2. In the filter table, double-click on a filter, or select the filter then select Edit in the toolbar.
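The three filter types (Simple, Reg. Expression, Wildcard) and the actions they can carry, worked through in code. This is an added illustration written for this guide's editor, not code from the guide or from Fortinet. The matching rules are this example's own assumptions: a Simple entry matches the host or any host ending in ".host" (with an optional exact page path), "*" is the only wildcard character, filters are evaluated in table order and the first enabled match decides, and Exempt is the action that bypasses antivirus. The filter table and the URLs are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class UrlFilter:
    """One row of the web site filter table (constructed model, not the product's schema)."""
    pattern: str
    kind: str          # "simple", "regex" or "wildcard"
    action: str        # "exempt", "block", "allow" or "monitor"
    enabled: bool = True


def normalize(url: str) -> str:
    """Drop the scheme and lowercase the host: 'HTTP://WWW.Example.com/A' -> 'www.example.com/A'."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower() + (parts.path or "/")


def simple_match(pattern: str, target: str) -> bool:
    """Simple type, following the rules the guide lists (assumed semantics):
    'example.com' covers example.com and every host ending in .example.com,
    'example.com/monkey.html' covers only that page, and a bare suffix such as
    'com' covers every host in that top-level domain."""
    phost, _, ppath = normalize(pattern).partition("/")
    thost, _, tpath = target.partition("/")
    host_ok = thost == phost or thost.endswith("." + phost)
    return host_ok and (tpath == ppath if ppath else True)


def wildcard_to_regex(pattern: str) -> str:
    """'example.*' -> '^example\\..*': only '*' is special, everything else is literal."""
    return "^" + ".*".join(re.escape(part) for part in pattern.lower().split("*"))


def evaluate(filters: List[UrlFilter], url: str) -> Tuple[str, Optional[str]]:
    """Return (action, matched pattern). Filters are checked in list order and the
    first enabled match wins; a URL that no filter matches is allowed. Rows whose
    Status is Disable are skipped."""
    target = normalize(url)
    for f in filters:
        if not f.enabled:
            continue
        if f.kind == "simple":
            hit = simple_match(f.pattern, target)
        elif f.kind == "wildcard":
            hit = re.match(wildcard_to_regex(f.pattern), target) is not None
        elif f.kind == "regex":
            hit = re.search(f.pattern, target) is not None
        else:
            raise ValueError(f"unknown filter type: {f.kind}")
        if hit:
            return f.action, f.pattern
    return "allow", None


def antivirus_bypassed(action: str) -> bool:
    """The guide says URLs whose action is exempt (or pass) skip virus scanning;
    this example treats Exempt as that action and scans everything else."""
    return action == "exempt"


# Constructed sample filter table (not taken from the guide).
FILTERS = [
    UrlFilter("trusted.example.com", "simple", "exempt"),
    UrlFilter("example.com/monkey.html", "simple", "block"),
    UrlFilter("badsite.*", "wildcard", "block"),
    UrlFilter(r"/download/.*\.exe$", "regex", "monitor"),
    UrlFilter("example.com", "simple", "allow"),
    UrlFilter("retired.example.org", "simple", "block", enabled=False),
]

if __name__ == "__main__":
    for u in ("http://trusted.example.com/file.zip", "https://www.example.com/monkey.html",
              "http://badsite.org/index.html", "http://mirror.example.net/download/tool.exe",
              "http://mail.example.com/", "http://retired.example.org/"):
        action, pat = evaluate(FILTERS, u)
        print(f"{u:45} -> {action:8} matched={pat!r} av_bypass={antivirus_bypassed(action)}")
```

Filter order matters in this model: the exact-page Block row for example.com/monkey.html sits above the broad Allow row for example.com, so the page is blocked while the rest of the domain is allowed. A disabled row never matches, which is why the last URL falls through to the default.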

3. Edit the filter settings as required.

To delete a filter or filters:
1. In either the New Web Filter Profile or Edit Web Filter Profile page, select Enable Web Site Filter.
2. In the filter table, select the filter or filters that need to be deleted, then select Delete in the toolbar.
3. Select OK in the confirmation dialog box to delete the selected filter or filters.

Data Leak Prevention

The DLP system allows you to prevent sensitive data from leaving your network. Once sensitive data patterns are defined, data matching the patterns will either be blocked, or logged and then allowed. The DLP system is configured by creating filters based on various attributes and expressions within DLP sensors, then assigning the sensors to security policies. DLP can also be used to prevent unwanted data from entering your network, and to archive content passing through the FortiCache device.

DLP sensors

A DLP sensor is a package of filters. To use DLP, a DLP sensor must be selected and enabled in a security policy. The traffic controlled by the security policy will be searched for the patterns defined in the filters contained in the DLP sensor. Matching traffic will be passed or blocked according to the filters.

To configure DLP sensors, go to Security Profiles > Data Leak Prevention.

Create New: Create a new sensor.
Edit: Edit the selected sensor.
Delete: Delete the selected sensor or sensors.
Name: The name of the sensor.
Comment: Optional description of the sensor.
# Filters: The number of filters used by the sensor.
Ref.: Displays the number of times the sensor is referenced by other objects. To view the location of the referenced sensor, select the number in Ref.; the Object Usage window appears, displaying the various locations of the referenced object.

To create a new DLP sensor:
1. Go to Security Profiles > Data Leak Prevention and select Create New from the toolbar. The New Sensor window opens.

2. Enter a name for the new sensor in the Name field and, optionally, enter a description of the sensor in the Comment field.
3. Add filters to the sensor. See To create a new sensor filter: on page
4. Select OK to create the new sensor.

To edit a DLP sensor:
1. Select the sensor you would like to edit then select Edit from the toolbar, or double-click on the sensor in the table. The Edit Sensor window opens.
2. Edit the sensor name and comments as required.
3. Edit, create new, or delete sensor filters as required. See Sensor filters on page
4. Select OK to apply your changes.

To delete a sensor or sensors:
1. From the sensor list, select the sensor or sensors that you would like to delete, then select Delete from the toolbar.
2. Select OK in the confirmation dialog box to delete the selected sensor or sensors.

To clone a sensor:
1. From the sensor list, right-click a sensor and select Clone.
2. Enter a name for the sensor in the dialog box, then select OK. The sensor list opens, with the clone added.
3. Edit the clone as required.

Sensor filters

Each DLP sensor must have one or more filters configured within it. Filters can examine traffic for:
- Known files using DLP fingerprints
- Files of a particular name or type
- Files larger than a specified size
- Data matching a specified regular expression
- Traffic matching an advanced or compound rule.

To create a new sensor filter:
1. From the New Sensor or Edit Sensor window, select Create New in the filter table toolbar. The New Filter window opens.

2. Configure the following information:
Filter: Select Messages or Files to filter for specific messages or based on file attributes, respectively.
Containing: Select, then select Credit Card # or SSN from the drop-down list.
File Size >=: Select, then enter the maximum file size allowed, in KB. This option is only available when filtering files.
Specify File Types: Select, then select File Types and File Name Patterns from the drop-down menus provided. See File filter on page 105. This option is only available when filtering files.
Watermark Sensitivity: If you are using watermarking on your files, you can use this filter to check for watermarks that correspond to sensitivity categories that you have set up. See Watermarking on page 104. The Corporate Identifier ensures that you are only blocking watermarks that your company has placed on files, not watermarks with the same name from other companies. This option is only available when filtering files.
Regular Expression: Network traffic is examined for the pattern described by the regular expression. See Regular expressions on page 104.
Encrypted: Select to cause encrypted files to trigger the filter. This option is only available when filtering files.
Examine the Following Services: Select the services whose traffic the filter will examine. This allows resources to be optimized by only examining relevant traffic. The available services are:
   Web Access: HTTP-POST and HTTP-GET
   Email: SMTP, POP3, IMAP, and MAPI
   Others: FTP and NNTP
Action: Select an action to take if the filter is triggered from the drop-down list.

   None: No action is taken when the filter is triggered.
   Log Only: When the filter is triggered, the match is logged, but no other action is taken.
   Block: Traffic matching the filter is blocked and replaced with a replacement message. See Replacement messages on page 1.
   Quarantine IP Address: Block access for any IP address that sends traffic matching the filter. The IP address is added to the banned user list (see ), and an appropriate replacement message is sent for all connection attempts until the quarantine time expires. Enter the amount of time that the IP address will be quarantined for (>= 1 minute).
Archive: Select Enable to enable archiving.
3. Select OK to create the new filter.

To edit a sensor filter:
1. From the New Sensor or Edit Sensor window, either double-click on a filter, or select a filter then select Edit in the filter table toolbar. The Edit Filter window opens.
2. Edit the filter as required and select OK to apply your changes.

To delete sensor filters:
1. From the New Sensor or Edit Sensor window, select the filter or filters that you would like to delete, then select Delete from the filter table toolbar.
2. Select OK in the confirmation dialog box to delete the selected filter or filters.

Regular expressions

Network traffic is examined for the pattern described by the regular expression specified in the DLP sensor filters. Fortinet uses a variation of the Perl Compatible Regular Expressions (PCRE) library. For some examples of Perl expressions, see Appendix A - Perl Regular Expressions on page 1. For more information about using Perl regular expressions, go to

By adding multiple filters containing regular expressions to a sensor, a dictionary can be developed within the sensor. The filters can include expressions that accommodate complex variations of words or target phrases. Within the sensor, each expression can be assigned a different action, allowing for a very granular implementation.
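How a sensor built from several filters, each with its own action, behaves on sample traffic, covering the filter conditions (Containing, File Size >=, Specify File Types, Regular Expression) and the actions from the table above, including Quarantine IP Address with its expiry. This is an added illustration, not code from the guide or from Fortinet. Its assumptions: a Luhn checksum is applied on top of the credit card pattern to drop digit runs that merely look like card numbers, every condition set on a filter must hold for it to trigger, and when several filters match, the most severe action wins. The sensor, filters and traffic are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CREDIT_CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")   # 13-16 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
SEVERITY = {"none": 0, "log": 1, "block": 2, "quarantine_ip": 3}   # assumed ordering


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; weeds out digit runs that only look like card numbers (assumption)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class DlpFilter:
    name: str
    scope: str                        # "messages" or "files"
    action: str                       # "none", "log", "block" or "quarantine_ip"
    contains: Optional[str] = None    # "credit_card" or "ssn"
    file_size_kb: Optional[int] = None
    file_types: Tuple[str, ...] = ()  # extensions such as ("exe", "dll")
    regex: Optional[str] = None
    quarantine_minutes: int = 5       # the guide requires >= 1 minute


@dataclass
class Traffic:
    src_ip: str
    kind: str                         # "message" or "file"
    payload: bytes
    filename: Optional[str] = None


class DlpSensor:
    def __init__(self, name: str, filters: List[DlpFilter]):
        self.name = name
        self.filters = filters
        self.banned: Dict[str, float] = {}   # source IP -> quarantine expiry (epoch seconds)
        self.log: List[str] = []             # constructed log lines

    def _matches(self, f: DlpFilter, t: Traffic) -> bool:
        if (f.scope == "messages") != (t.kind == "message"):
            return False
        text = t.payload.decode("utf-8", "replace")
        checks = []
        if f.contains == "credit_card":
            checks.append(any(luhn_ok(re.sub(r"\D", "", m)) for m in CREDIT_CARD_RE.findall(text)))
        elif f.contains == "ssn":
            checks.append(SSN_RE.search(text) is not None)
        if f.file_size_kb is not None:
            checks.append(len(t.payload) >= f.file_size_kb * 1024)
        if f.file_types:
            ext = (t.filename or "").lower().rsplit(".", 1)[-1]
            checks.append(ext in f.file_types)
        if f.regex:
            checks.append(re.search(f.regex, text) is not None)
        return bool(checks) and all(checks)   # every configured condition must hold

    def inspect(self, t: Traffic, now: float) -> str:
        """Verdict for one message or file: 'none', 'log', 'block', 'quarantine_ip',
        or 'quarantined' when the source is still serving an earlier quarantine."""
        if self.banned.get(t.src_ip, 0) > now:
            return "quarantined"
        verdict, hit = "none", None
        for f in self.filters:
            if self._matches(f, t) and SEVERITY[f.action] > SEVERITY[verdict]:
                verdict, hit = f.action, f
        if hit is not None:
            self.log.append(f"sensor={self.name} filter={hit.name} action={verdict} src={t.src_ip}")
        if verdict == "quarantine_ip":
            self.banned[t.src_ip] = now + hit.quarantine_minutes * 60
        return verdict


def build_sensor() -> DlpSensor:
    """Constructed sensor: a small dictionary of filters, each with its own action."""
    return DlpSensor("constructed-dlp", [
        DlpFilter("card-in-post", "messages", "block", contains="credit_card"),
        DlpFilter("ssn-in-post", "messages", "quarantine_ip", contains="ssn", quarantine_minutes=10),
        DlpFilter("codename", "messages", "log", regex=r"(?i)project\s+bluebird"),
        DlpFilter("large-binary", "files", "log", file_size_kb=2048, file_types=("exe", "dll")),
    ])


if __name__ == "__main__":
    s = build_sensor()
    t0 = 1_700_000_000.0
    print(s.inspect(Traffic("10.0.0.5", "message", b"card=4111 1111 1111 1111"), t0))
    print(s.inspect(Traffic("10.0.0.9", "message", b"ssn=123-45-6789"), t0))
    print(s.inspect(Traffic("10.0.0.9", "message", b"hello"), t0 + 60))
    print(*s.log, sep="\n")
```

The quarantine check runs before any filter, which is what the table describes: once an address is banned, every connection attempt is refused until the timer expires, regardless of content. Passing `now` in explicitly keeps the expiry logic testable without waiting.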
Watermarking

Watermarking means marking files with a digital pattern to designate them as proprietary to a specific company. Fortinet's watermarking tool is built in to FortiExplorer. It can add watermarks to single files as well as entire directories. The tool adds a small (~178B) pattern to a file that is recognized by the DLP watermark filter configured on your device. The DLP system only works with Fortinet's watermarking tool. For more information, see the FortiExplorer User Guide, available from the Fortinet Document Library.

File filter

File filters allow you to block files based on their file names and types. When a file filter list is applied to a DLP sensor filter, the network traffic is examined against the list entries, and, if the sensor filter is triggered, the predefined action is taken by the DLP sensor filter.

The general steps for configuring file filters are as follows:
1. Create a DLP sensor.
2. Edit the sensor to filter either messages or specific file types.
3. Select the DLP sensor in a security policy.

To edit a file filter:
1. From the Edit DLP Sensor window, either double-click on a filter in the file filter table, or select a filter then select Edit Filter in the table toolbar. The Edit Filter window opens.
2. Edit the filter settings as required, then select OK to apply your changes.

To delete a file filter or filters:
1. From the Edit File Filter Table window, select the file filter or filters that you need to delete.
2. Select Delete from the toolbar.
3. Select OK in the confirmation dialog box to delete the selected file filter or filters.

File type filter

In this example, the file filter checks for specific file types.
1. Go to Security Profiles > Data Leak Prevention and edit the desired sensor.
2. Select Create New from the file filters table.
3. In the New Filter window, select the Files filter type.

4. Select Specify File Types and select the file types to filter.
5. Configure the remaining options as desired.

File types
Archive (arj), Archive (bzip), Archive (bzip2), Archive (cab), Archive (gzip), Archive (lzh), Archive (rar), Archive (tar), Archive (zip)
Audio (avi), Audio (mp3), Audio (wav), Audio (wma)
BMP Image (bmp), GIF Image (gif), JPEG Image (jpeg), PNG Image (png), TIFF Image (tiff)
Batch File (bat), Common Console Document (msc), Windows Help File (hlp), HTML Application (hta), HTML File (html)
Encoded Data (base64), Encoded Data (binhex), Encoded Data (mime), Encoded Data (uue)
Executable (elf), Executable (exe), Packer (aspack), Packer (fsg), Packer (petite), Packer (upx)
Java Application Descriptor (jad), Java Class File (class), Java Compiled Bytecode (cod), JavaScript File (javascript)
Microsoft Active Mime Object (activemime), Microsoft Office (msoffice), PDF (pdf)
PalmOS Application (prc), Symbian Installer System File (sis), Real Media Streaming (rm), Torrent (torrent), Video (mov), Video (mpeg)
Ignored Filetype (ignored), Unknown Filetype (unknown)

ICAP

ICAP is supported in this release. ICAP is a lightweight request/response protocol that allows the FortiCache unit to offload HTTP and HTTPS traffic to external servers for different kinds of processing. You can offload HTTP responses or HTTP requests (or both) to the same or different ICAP servers.

ICAP does not appear by default in the GUI. You must enable it in System > Admin > Settings to display ICAP in the GUI. See Settings on page 1.

The ICAP menu allows you to view and configure ICAP profiles and ICAP servers, which can then be applied to a policy.

If you enable ICAP in a security policy, HTTP traffic intercepted by the policy is transferred to the ICAP servers in the ICAP profile added to the policy. The FortiCache unit acts as the surrogate, or middle-man, and carries the ICAP responses from the ICAP server to the ICAP client. The ICAP client then responds back, and the FortiCache unit determines the action that should be taken with these ICAP responses and requests.

ICAP profiles are configured under Security Profiles > Advanced > ICAP Servers.

Create New: Create a new ICAP profile.
Edit: Edit an ICAP profile.
Delete: Delete a profile or profiles.
Name: The name of the ICAP profile.
Request Processing: If request processing is enabled, a green circle with a check mark is shown. If disabled, a gray circle with an x is shown.
Response Processing: If response processing is enabled, a green circle with a check mark is shown. If disabled, a gray circle with an x is shown.
Bypass Streaming Media: If media streaming is bypassed, a green circle with a check mark is shown. If it is not bypassed, a gray circle with an x is shown.
Ref.: Displays the number of times the profile is referenced by other objects. To view the location of the referenced profile, select the number in Ref.; the Object Usage window appears, displaying the various locations of the referenced object.

To create a new ICAP profile:
1. In the ICAP profile list, select Create New from the toolbar. The New ICAP Profile page opens.
2. Configure the following settings:
Name: Specify a name for the ICAP profile.

Enable Request Processing: Select to enable request processing. Select a server from the drop-down menu, specify the path on the server to the processing component, and then select the behavior on failure, either Error or Bypass.
Enable Response Processing: Select to enable response processing. Select a server from the drop-down menu, specify the path on the server to the processing component, and then select the behavior on failure, either Error or Bypass.
Enable Streaming Media Bypass: Select to allow streaming media to ignore offloading to the ICAP server.
3. Select Apply to create the new profile.

To edit an ICAP profile:
1. Select the profile you would like to edit then select Edit from the toolbar, or double-click on the profile. The Edit ICAP Profile window opens.
2. Edit the profile information as required and select Apply to apply your changes.

To delete an ICAP profile or profiles:
1. Select the profile or profiles that you would like to delete.
2. Select Delete from the toolbar.
3. Select OK in the confirmation dialog box to delete the selected profile or profiles.

Server

To view the ICAP server list, go to Security Profiles > Advanced > ICAP Servers.

To create a new ICAP server:
1. In the ICAP Server list, select Create New from the drop-down. The New ICAP Server window opens.
2. Configure the following settings:
Name: Enter a name for the ICAP server.
IP Address: Enter the ICAP server IP address.
Port: Enter the TCP port number used by the ICAP server, from 1 to (default = 1344).
3. Select OK to create the new ICAP server.
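The exchange behind an ICAP profile's response-processing setting, with both sides' messages: the proxy's RESPMOD request (the HTTP request headers, the origin's response headers and the chunked body, located by the Encapsulated header), the server's reply, and the Error or Bypass decision the profile asks for when the server fails. This is an added example written for this page, following RFC 3507; it is not the FortiCache WAD implementation or Fortinet code. The server name icap.example.net, the service path /respmod, the ISTag value and all HTTP messages are constructed.

```python
from typing import Dict, Optional, Tuple


def chunk(body: bytes) -> bytes:
    """HTTP chunked encoding, which ICAP requires for encapsulated bodies."""
    return (f"{len(body):x}\r\n".encode() + body + b"\r\n" if body else b"") + b"0\r\n\r\n"


def dechunk(data: bytes) -> bytes:
    out, pos = bytearray(), 0
    while True:
        nl = data.index(b"\r\n", pos)
        size = int(data[pos:nl].split(b";")[0], 16)
        pos = nl + 2
        if size == 0:
            return bytes(out)
        out += data[pos:pos + size]
        pos += size + 2


def build_respmod(server: str, port: int, path: str, req_hdr: bytes, res_hdr: bytes, body: bytes) -> bytes:
    """Client side (the proxy). 'Encapsulated' gives the byte offset of each part
    within the ICAP body; 'Allow: 204' says an unmodified reply may be sent as 204."""
    base = len(req_hdr) + len(res_hdr)
    enc = f"req-hdr=0, res-hdr={len(req_hdr)}, " + (f"res-body={base}" if body else f"null-body={base}")
    head = (f"RESPMOD icap://{server}:{port}{path} ICAP/1.0\r\n"
            f"Host: {server}\r\nAllow: 204\r\nEncapsulated: {enc}\r\n\r\n")
    return head.encode() + req_hdr + res_hdr + (chunk(body) if body else b"")


def build_icap_response(status: int, reason: str, http_hdr: bytes = b"", body: bytes = b"") -> bytes:
    """Server side. 204 carries nothing back; 200 carries a (possibly rewritten) HTTP response."""
    if status == 204:
        enc, payload = "null-body=0", b""
    else:
        enc = f"res-hdr=0, res-body={len(http_hdr)}" if body else f"res-hdr=0, null-body={len(http_hdr)}"
        payload = http_hdr + (chunk(body) if body else b"")
    head = f'ICAP/1.0 {status} {reason}\r\nISTag: "constructed-istag-1"\r\nEncapsulated: {enc}\r\n\r\n'
    return head.encode() + payload


def parse_icap_response(raw: bytes) -> Dict:
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    _version, status, reason = lines[0].split(" ", 2)
    headers = {k.strip().lower(): v.strip() for k, _, v in (line.partition(":") for line in lines[1:])}
    enc = {k.strip(): int(v) for k, _, v in
           (e.partition("=") for e in headers.get("encapsulated", "").split(",") if e.strip())}
    hdr_start = enc.get("res-hdr", enc.get("req-hdr"))
    body_key = next((k for k in ("res-body", "req-body", "null-body") if k in enc), None)
    http_hdr = rest[hdr_start:enc[body_key]] if hdr_start is not None and body_key else None
    body = dechunk(rest[enc[body_key]:]) if body_key and body_key != "null-body" else b""
    return {"status": int(status), "reason": reason, "headers": headers, "http_headers": http_hdr, "body": body}


def decide(raw_response: bytes, on_failure: str = "bypass") -> Tuple[str, Optional[bytes], Optional[bytes]]:
    """Mirror the profile's behaviour-on-failure setting: a status other than 204/200,
    or an unparseable reply, either lets the original response through ('bypass')
    or fails closed ('error')."""
    try:
        resp = parse_icap_response(raw_response)
    except (ValueError, IndexError, KeyError):
        resp = None
    if resp and resp["status"] == 204:
        return "forward_original", None, None
    if resp and resp["status"] == 200 and resp["http_headers"] is not None:
        return "forward_modified", resp["http_headers"], resp["body"]
    return ("forward_original", None, None) if on_failure == "bypass" else ("block", None, None)


if __name__ == "__main__":
    req_hdr = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    res_hdr = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    print(build_respmod("icap.example.net", 1344, "/respmod", req_hdr, res_hdr, b"<html>hi</html>").decode())
    print(decide(build_icap_response(204, "No Content")))
    print(decide(build_icap_response(500, "Server Error"), on_failure="error"))
```

The Bypass setting is the availability-first choice: an unreachable or failing ICAP server means traffic passes uninspected. Error is the fail-closed choice and turns an ICAP outage into a user-visible block, so the choice belongs in the profile where the guide puts it, per direction and per service.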

To edit an ICAP server:
1. Select the server you would like to edit then select Edit from the toolbar, or double-click on the server. The Edit ICAP Server window opens.
2. Edit the ICAP server information as required and select OK to apply your changes.

To delete an ICAP server or servers:
1. Select the ICAP server or servers that you would like to delete.
2. Select Delete from the toolbar.
3. Select OK in the confirmation dialog box to delete the selected server or servers.

Content Analysis

Content Analysis is a licensed feature that allows you to detect adult content in real time. This service performs real-time analysis of the content passing through the FortiCache. Unlike other image analysis tools, it does not just look for skin tone colors but can detect limbs, body parts, and the position of bodies. Once detected, such content can optionally be blocked or reported.

In general, the procedure is similar to the HTTP AV scanning procedure. When a client sends an HTTP request for an image, the HTTP Content-Type header determines the image type. The WAD process then holds the image content from the server for scanning before sending it to the client. If the scan result is larger than the configurable threshold, the requested image is blocked and the client receives a replacement image. This replacement image keeps the same image type and size if you enable the option to resize images. The FortiCache stores the results to improve performance for future requests.

The default settings provide a good balance, but they will never be 100% accurate and may require some adjustment.

In order to use Content Analysis, you need to set up at least one profile and apply it to a policy. Content Analysis profiles are configured under Security Profiles > Content Analysis. When you select Create New or Edit, the following attributes can be configured:
Name: Enter a name for this profile.
Comments: Optional description of the profile.

Image Score Threshold: Enter a value between 0 and . The higher the image score, the more likely the image is explicit. The challenge is that if you set it too high, it will block legitimate images; if you set it too low, it will allow explicit images through. If the image score is above the Image Score Threshold setting, the Rating Error Action is taken (see below). The default value is 600.
Image Skip Size: Enter a value between 0 and . This value represents the size of image that will be skipped by the image scan unit, in kilobytes. Images that are too small are difficult to scan and are more likely to be rated incorrectly by the image scan engine. The default value is 1.
Image Rating Sensitivity: This value determines the strictness of the Image Score Threshold. The higher the sensitivity, the stricter the threshold. Make it too strict and you end up blocking legitimate images. The default, balanced value is 75.
Rating Error Action: Set to either pass or block the image when it exceeds the rating threshold. The default is pass.
Replace Image Action: If you choose to display a replacement image (see below), you can set the Replace Image Action value to resize the replacement image to match the original (resize), or leave the replacement image at its default size (no-resize).
Replace Image: Choose whether or not to display a replacement image.

Validating content analysis

You can use the following debug commands to validate the service licensing and image cache:
get system fortiguard: Display licensing information.
diag test app wad : Display image cache.
diag test app wad : Clear image cache.
Displaying and clearing the image cache require a license; otherwise these commands will not be available.

User Authentication

The User menu allows you to configure authentication settings and user accounts. Users can also be monitored, and user groups and remote servers can be configured.

The following topics are included in this section:
- User
- Authentication
- Monitor

User

A user is a user account that consists of a user name, password and, in some cases, other information that can be configured on the unit or on an external authentication server. Users can access resources that require authentication only if they are members of an allowed user group.

User definition

A local user is a user configured on a unit. The user can be authenticated with a password stored on the unit or with a password stored on an authentication server. The user name must match a user account stored on the unit, and the user name and password must match a user account stored on the authentication server associated with the user. New users can be created using the Users/Groups Creation Wizard.

To configure users, go to User > User > User Definition.

Create New: Run the new user wizard and create a new user.
Edit: Edit a user.
Delete: Delete a user or users.
Search: Enter a search term to search the user list.
User Name: The name of the user.
Type: The type of user, such as Local or LDAP.
Two-factor Authentication: Displays whether the user has token two-factor authentication enabled.
Ref.: Displays the number of times the user is referenced by other objects. To view the location of the referenced user, select the number in Ref.; the Object Usage window appears, displaying the various locations of the referenced object.

To edit a user:
1. Select the user you would like to edit then select Edit from the toolbar, or double-click on the user in the table. The Edit User window opens.
2. Edit the user information as required, or select Disable to disable the user.
3. Select OK to apply your changes.

To delete a user or users:
1. Select the user or users that you would like to delete. You cannot delete a user that is currently in a group.
2. Select Delete from the toolbar.
3. Select OK in the confirmation dialog box to delete the selected user or users.

New user wizard

The Users/Groups Creation Wizard is used to create new user accounts. From the user list, select Create New to start the wizard.

To create a new local user:
1. In the User Type page, select Local User, then select Next.
2. In the Login Credentials page, enter a User Name and Password for the user, then select Next.
3. In the Contact Info page, enter an Email Address for the user, then select Next. Alternatively, you can supply the user's SMS contact information. The Contact Info page is optional.
4. In the Extra Info page, select Enable to enable the new user. To assign a FortiToken to the user, enable Two-factor Authentication and select a token from the drop-down menu provided. To place the user into a group, select User Group, then select a group from the drop-down menu. For information on user groups, see User on page
5. Select Create to create the new local user.

To create a new remote RADIUS user:
1. In the User Type page, select Remote RADIUS User, then select Next.
2. In the RADIUS Server page, enter a User Name and select a RADIUS Server from the drop-down menu, then select Next. For information on RADIUS servers, see RADIUS server on page
3. In the Contact Info page, enter the user's information as required.
4. In the Extra Info page, configure additional settings for the user as required, including placing the user into a group.
For information on user groups, see User on page
5. Select Create to create the new RADIUS user.

To create a new remote TACACS+ user:

Note that, by default, the TACACS+ Servers option under User > Authentication is not visible unless you add a server using the following CLI command:

    config user tacacs+
        edit <name>
            set server <IP>
        next
    end

1. In the User Type page, select Remote TACACS+ User, then select Next.
2. In the TACACS+ Server page, enter a User Name and select a TACACS+ Server from the drop-down menu, then select Next. For information on TACACS+ servers, see TACACS+ server on page
3. In the Contact Info page, enter the user's information as required.
4. In the Extra Info page, configure additional settings for the user as required, including placing the user into a group. For information on user groups, see User on page
5. Select Create to create the new TACACS+ user.

To create a new remote LDAP user:
1. In the User Type page, select Remote LDAP User, then select Next.
2. In the LDAP Server page, choose an existing LDAP server from the drop-down menu, or create a new LDAP server and enter the required information, then select Next. For information on LDAP servers, see LDAP server on page
3. In the Remote Users page, enter and apply the LDAP filter, enter a search term to search the server, and select a user from the results.
4. Select Create to create the remote LDAP user.

User groups

A user group is a list of user identities. An identity can be:
- a local user account (user name and password) stored on the Fortinet unit
- a local user account with a password stored on a RADIUS, LDAP, or TACACS+ server
- a RADIUS, LDAP, or TACACS+ server (all identities on the server can authenticate)
- a user or user group defined on a Directory Service server.

Each user group belongs to one of the following types: Firewall, FSSO, Guest, or RADIUS Single Sign-On (RSSO). For each resource that requires authentication, you specify which user groups are permitted access.
You need to determine the number and membership of user groups appropriate to your authentication needs. Users that are associated with multiple groups have access to all services within all the user groups that they are associated with. This is only available in the CLI. The command used is auth-multi-group, which is enabled by default. This feature checks all groups a user belongs to for firewall authentication.

To configure user groups, go to User > User Group.

Create New: Create a new user group.
Edit: Edit a user group.
Delete: Delete a group or groups.
Search: Enter a search term to search the user group list.
Group Name: The name of the group.
Group Type: The type of group.
Members: The names of the members in the group. To adjust the way users are listed in the column, see To configure the member column: on page 116.
Ref.: Displays the number of times the group is referenced by other objects. To view the location of the referenced group, select the number in Ref.; the Object Usage window appears, displaying the various locations of the referenced object.

To create a new user group:
1. In the user group list, select Create New from the toolbar. The New User Group window opens.
2. Enter a name for the group in the Name field.
3. Select the group type in the Type field, one of: Firewall, FSSO, Guest, or RSSO.
4. Enter the following information, depending on the group type selected:

Firewall: This type of group can be selected in any security policy that requires firewall authentication.
   Members: Select users to add to the group from the drop-down list.
   Remote groups: Add remote authentication servers to the group. Select Create New, then select the server from the drop-down menu. If required, select a group for the server.

Fortinet Single Sign-On (FSSO): This type of group can be selected in any security policy that requires Fortinet Single Sign-On (FSSO) authentication.
   Members: Select users to add to the group from the drop-down list.
Guest: This type of group can be selected in any security policy that allows guest authentication.
   Enable Batch Guest Account Creation: Select to enable the creation of batches of guest accounts. When enabled, only the Expire Type and Default Expire Time options will be available.
   User ID: Select a user ID option from the drop-down list.
      Auto-Generate: The user ID is generated automatically.
      Email: The user ID is emailed.
      Specify: The user ID must be specified.
   Password: Select a password option from the drop-down list.
      Auto-Generate: The password is generated automatically.
      Specify: The password must be specified.
      Disable: No password is required.
   Expire Type: Select the expire type, either After first login or Immediately.
   Default Expire Time: Select the default expire time in Days, Hours, Minutes, or Seconds.
   Enable Name: Select to enable name.
   Enable Sponsor: Select to enable sponsor. Select Required to make a sponsor a requirement.
   Enable Company: Select to enable company. Select Required to make a company a requirement.
   Enable Email: Select to enable email.
   Enable SMS: Select to enable SMS, then select a service type from the Service Type drop-down menu.
RADIUS Single Sign-On (RSSO): This type of group can be selected in any security policy that requires RSSO authentication.
   RADIUS Attribute Value: Enter the RADIUS attribute value. This value matches the value from the RADIUS Accounting-Start attribute Class.
5. Select OK to create the new user group.

To edit a user group:
1. Select the group you would like to edit then select Edit from the toolbar, or double-click on the group in the table. The Edit User Group window opens.

2. Edit the information as required, then select OK to apply your changes.

To delete a user group or groups:
1. Select the group or groups that you would like to delete.
2. Select Delete from the toolbar.
3. Select OK in the confirmation dialog box to delete the selected group or groups.

To configure the member column:
1. In the user group list, right-click anywhere on the column headings and select Members Column Option. The Member Column Option window opens.
2. Enter the number of subcolumns that the member column will contain in the Number of Sub-Columns field, from 1 to 12 (default = 4).
3. Enter the number of lines to display in the Lines of Objects to Display field, from 1 to 100 (default = 6).
If a group contains more users than the member column settings allow to be displayed, a Display More option is added to the row; it also shows how many users are hidden and how many users the group contains in total.

Authentication

FortiCache units support the use of external authentication servers. An authentication server can provide password checking for selected FortiCache users, or it can be added as a member of a FortiCache user group. If you are going to use authentication servers, you must configure the servers before you configure FortiCache users or user groups that require them.

The following menus are available:
- Single sign-on
- LDAP servers
- RADIUS servers
- TACACS+ servers
- Settings

Single sign-on

Fortinet units use security policies to control access to resources based on user groups configured in the policies. Each Fortinet user group is associated with one or more Directory Service user groups. When a user logs in to the Windows or Novell domain, an FSSO agent sends the user's IP address, and the names of the Directory Service user groups that the user belongs to, to the FortiCache unit.
The FSSO agent has two components that must be installed on your network: The domain controller agent must be installed on every domain controller to monitor user logins and send information about them to the collector agent. The Collector agent must be installed on at least one domain controller to send the information received from the domain controller agents to the Fortinet unit. Alternately a FortiAuthenticator server can take the place of the Collector agent in an FSSO polling mode configuration. Administration Guide 116

The unit uses this information to maintain a copy of the domain controller user group database. Because the domain controller authenticates users, the unit does not perform authentication itself; it recognizes group members by their IP address. You must install the FSSO agent on the network and configure the unit to retrieve information from the Directory Service server.

To manage single sign-on (SSO) servers, go to User > Authentication > Single Sign-on.
  Create New: Create a new FSSO server.
  Edit: Edit an FSSO server.
  Delete: Delete an FSSO server or servers.
  Name: The name of the FSSO server.
  Type: An icon representing the type of server. Hover your cursor over the icon to view the type.
  LDAP Server: The LDAP server associated with the FSSO server.
  Users/Groups: The users and groups associated with the server.
  FSSO Agent IP/Name: The IP address or name of the FSSO agent.
  Status: The status of the FSSO server.
  Ref.: Displays the number of times the server is referenced by other objects. To view the location of the referenced server, select the number in Ref.; the Object Usage window appears, displaying the various locations of the referenced object.

To create a new SSO server:
1. In the single sign-on server list, select Create New from the toolbar. The New Single Sign-On Server page opens.
2. Select the type of server that will be created in the Type field, one of: Poll Active Directory Server, Fortinet Single Sign-On Agent, or RADIUS Single Sign-On Agent. Only one RADIUS single sign-on agent can be created on the FortiCache device.

3. Enter the following information, depending on the type selected:

Poll Active Directory Server
  Server IP/Name: Enter the server name or IP address.
  User: Enter the user name.
  Password: Enter the password for the user.
  LDAP Server: Select an LDAP server from the drop-down list to access the Directory Service.
  Enable Polling: Select to enable polling.
  Users/Groups: If an LDAP server is selected, view or edit the users or groups associated with the server.

Fortinet Single Sign-On Agent
  Name: Enter a name for the agent.
  Primary Agent IP/Name: Enter the IP address or name for the primary agent. Then enter the password in the Password field.
  Secondary Agent IP/Name: Enter the IP address or name for the secondary agent. Then enter the password in the Password field.
  More FSSO agents: Select More FSSO agents to add up to three more FSSO agents. Enter the IP address or name of the Directory Service server where the collector agent is installed. The maximum number of characters is 63. Then enter the password for the collector agent. This is required only if you configured your FSSO collector agent to require authenticated access.

  LDAP Server: Select an LDAP server from the drop-down list to access the Directory Service.
  Users/Groups: If an LDAP server is selected, view or edit the users or groups associated with the server.

RADIUS Single Sign-On Agent
  Use RADIUS Shared Secret: Select to use a RADIUS shared secret, then enter the shared secret in the Shared Secret field.
  Send RADIUS Responses: Select to send RADIUS responses.

4. Select OK to create the new single sign-on server.

To edit an SSO server:
1. Select the server you would like to edit, then select Edit from the toolbar, or double-click on the server in the list. The Edit Single Sign-On Server window opens.
2. Edit the server information as required and select OK to apply your changes.

To delete a server or servers:
1. Select the server or servers that you would like to delete.
2. Select Delete from the toolbar.
3. Select OK in the confirmation dialog box to delete the selected server or servers.

LDAP servers

LDAP is an Internet protocol used to maintain authentication data that may include departments, people, groups of people, passwords, email addresses, and printers. LDAP consists of a data-representation scheme, a set of defined operations, and a request/response network protocol.

To manage LDAP servers, go to User > Authentication > LDAP Servers. The following information is available:
  Create New: Create a new LDAP server.
  Edit: Edit an LDAP server.
  Delete: Delete a server or servers.
  Name: The name that identifies the LDAP server on the Fortinet unit.
  Server Name/IP: The domain name or IP address of the LDAP server.
  Port: The TCP port used to communicate with the LDAP server. By default, LDAP uses port 389.

  Common Name Identifier: The common name identifier for the LDAP server.
  Distinguished Names: The base distinguished name for the server, in the correct X.500 or LDAP format. The unit passes this distinguished name unchanged to the server.
  Ref.: Displays the number of times the server is referenced by other objects. To view the location of the referenced server, select the number in Ref.; the Object Usage window appears, displaying the various locations of the referenced object.

To add a new LDAP server:
1. In the LDAP server list, select Create New from the toolbar. The New LDAP Server window opens.
2. Configure the following:
  Name: Enter the name that identifies the LDAP server on the Fortinet unit.
  Server IP/Name: Enter the domain name or IP address of the LDAP server.
  Server Port: Enter the TCP port used to communicate with the LDAP server. By default, LDAP uses port 389. If you use a secure LDAP server, the default port changes when you select Secure Connection.
  Common Name Identifier: Enter the common name identifier for the LDAP server. The maximum number of characters is 20.

  Distinguished Name: Enter the base distinguished name for the server, in the correct X.500 or LDAP format. The unit passes this distinguished name unchanged to the server. The maximum number of characters is 512. You can also select Fetch DN to contact the specified LDAP server and retrieve the DN from it.
  Bind Type: Select the type of binding for LDAP authentication. Simple: Connect directly to the LDAP server with user name/password authentication. Anonymous: Connect as an anonymous user on the LDAP server, then retrieve the user name/password and compare them to the given values. Regular: Connect to the LDAP server directly with user name/password, then receive accept or reject based on a search of the given values. Enter the distinguished name and password of the user to be authenticated in the User DN and Password fields.
  Secure Connection: Select to use a secure LDAP server connection for authentication.
  Protocol: Select a secure LDAP protocol to use for authentication, either LDAPS or STARTTLS. Depending on your selection, the server port changes to the default port for the selected protocol: LDAPS: port 636; STARTTLS: port 389.
  Certificate: Select a certificate to use for authentication from the list.
  Test: Select Test to test the LDAP query.
3. Select OK to create the new LDAP server.

To edit an LDAP server:
1. Select the LDAP server you would like to edit, then select Edit from the toolbar, or double-click on the server in the server list. The Edit LDAP Server window opens.
2. Edit the server information as required and select OK to apply your changes.

To delete a server or servers:
1. Select the server or servers that you would like to delete.
2. Select Delete from the toolbar.
3. Select OK in the confirmation dialog box to delete the selected server or servers.

RADIUS servers

RADIUS is a broadly supported client-server protocol that provides centralized authentication, authorization, and accounting functions. RADIUS clients are built into gateways that allow access to networks, such as Virtual Private Network (VPN) servers and Network Access Servers (NAS), as well as network switches and firewalls that use authentication. FortiCache units fall into the last category.

RADIUS servers use UDP packets to communicate with the RADIUS clients on the network to:
  Authenticate users before allowing them access to the network
  Authorize access to resources by appropriate users
  Account or bill for the resources that are used.

RADIUS servers are currently defined by RFC 2865 (RADIUS) and RFC 2866 (Accounting), and listen for requests on either UDP ports 1812 (authentication) and 1813 (accounting) or ports 1645 (authentication) and 1646 (accounting). RADIUS servers exist for all major operating systems. You must configure the RADIUS server to accept the FortiCache unit as a client.

FortiCache units use the authentication and accounting functions of the RADIUS server. When a configured user attempts to access the network, the FortiCache unit forwards the authentication request to the RADIUS server, which then matches the user name and password remotely. Once authenticated, the RADIUS server passes the Authorization Granted message to the FortiCache unit, which then grants the user permission to access the network.

The RADIUS server uses a shared secret key, along with MD5 hashing, to encrypt information passed between RADIUS servers and clients, including the FortiCache unit. Typically, only user credentials are encrypted.

To manage RADIUS servers, go to User > Authentication > RADIUS Servers.
  Create New: Create a new RADIUS server.
  Edit: Edit a RADIUS server.
  Delete: Delete a server or servers.
  Name: The name that identifies the RADIUS server on the unit.
  Server IP/Name: The domain name or IP address of the primary and, if applicable, secondary RADIUS server.
  Ref.: Displays the number of times the server is referenced by other objects. To view the location of the referenced server, select the number in Ref.; the Object Usage window appears, displaying the various locations of the referenced object.

To add a new RADIUS server:
1. In the RADIUS server list, select Create New from the toolbar. The New RADIUS Server window opens.
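The statement above that RADIUS protects only user credentials, using the shared secret and MD5, is worth seeing in concrete terms, because it is the reason the guide recommends the longest secret the unit accepts. The following Python model is an added example, not FortiCache or Fortinet code: it implements the RFC 2865 User-Password hiding scheme and the Response Authenticator that a client uses to check that an Access-Accept really came from the server holding the same secret. The secret, Request Authenticator, user name, password and NAS address are constructed sample values; a real client draws the authenticator randomly per request.

```python
import hashlib
import hmac
import socket
import struct

# Constructed sample values (not from the guide). The secret is 16 characters,
# the maximum the FortiCache GUI accepts; the authenticator is fixed so the
# example is reproducible.
SECRET = b"Qf9!tZ2#kL7@mN4$"
REQUEST_AUTHENTICATOR = bytes(range(16))

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    prev, out = authenticator, b""
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of hide_password; the NUL padding is stripped."""
    prev, out = authenticator, b""
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (counting the 2-byte header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(packet: bytes) -> dict:
    """Return {type: value} for the attributes that follow the 20-byte header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def build_access_request(ident, authenticator, username, password, secret, nas_ip):
    """Access-Request with User-Name, the hidden User-Password and NAS-IP-Address."""
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def build_response(code, request, secret, attrs=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response, request, secret) -> bool:
    """Client-side check: the reply was produced with the same secret and is bound
    to this request's authenticator, so a replayed or forged reply fails."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(resp_auth, expected)
```

Only the User-Password attribute is transformed; User-Name and NAS-IP-Address travel in the clear, which is what "typically, only user credentials are encrypted" means in practice. The keystream is MD5 of the secret, so a short or guessable secret is the weak point, hence the guide's advice to use the full 16 characters.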

2. Configure the following:
  Name: Enter the name that is used to identify the RADIUS server on the unit.
  Primary Server IP/Name: Enter the domain name or IP address of the primary RADIUS server.
  Primary Server Secret: Enter the RADIUS server secret key for the primary RADIUS server. The primary server secret key can be up to a maximum of 16 characters. For security reasons, it is recommended that the server secret key be the maximum length.
  Secondary Server IP/Name: Enter the domain name or IP address of the secondary RADIUS server, if applicable.
  Secondary Server Secret: Enter the RADIUS server secret key for the secondary RADIUS server. The secondary server secret key can be up to a maximum length of 16 characters.
  Authentication Method: Select Default to authenticate with the default method. Select Specify to override the default authentication method, then choose the protocol from the list: MSCHAP-V2, MS-CHAP, CHAP, or PAP.
  NAS IP/Called Station ID: Optionally, enter the NAS IP address (RADIUS Attribute 31, outlined in RFC 2548). In this configuration, the FortiCache unit is the NAS, and this is how the RADIUS server registers all valid servers that use its records. If you do not enter an IP address, the IP address that the Fortinet interface uses to communicate with the RADIUS server is applied.
  Include in every User Group: Select Enable to have the RADIUS server automatically included in all user groups.
3. Select OK to create the new RADIUS server.

To edit a RADIUS server:
1. Select the RADIUS server you would like to edit, then select Edit from the toolbar, or double-click on the server in the server list. The Edit RADIUS Server window opens.
2. Edit the server information as required and select OK to apply your changes.

To delete a server or servers:
1. Select the server or servers that you would like to delete.
2. Select Delete from the toolbar.
3. Select OK in the confirmation dialog box to delete the selected server or servers.

TACACS+ servers

TACACS+ is a remote authentication protocol that provides access control for routers, network access servers, and other networked computing devices via one or more centralized servers. TACACS+ allows a client to accept a user name and password and send a query to a TACACS+ authentication server. The server host determines whether to accept or deny the request and sends a response back that allows or denies the user access to the network. TACACS+ offers fully encrypted packet bodies, and supports both IP and AppleTalk protocols. TACACS+ uses TCP port 49, which is seen as more reliable than RADIUS's UDP protocol.

By default, the TACACS+ Servers option is not visible unless you add a server using the following CLI command:

  config user tacacs+
    edit <name>
      set server <IP>
    next
  end

To manage TACACS+ servers, go to User > Authentication > TACACS+ Servers.
  Create New: Create a new TACACS+ server.
  Edit: Edit a TACACS+ server.
  Delete: Delete a server or servers.
  Name: The name that identifies the TACACS+ server on the unit.
  Server: The domain name or IP address of the TACACS+ server.
  Authentication Type: The authentication type used by the server.
  Ref.: Displays the number of times the server is referenced by other objects. To view the location of the referenced server, select the number in Ref. The Object Usage window appears, displaying the various locations of the referenced object.

To add a new TACACS+ server:
1. In the TACACS+ server list, select Create New from the toolbar. The New TACACS+ Server window opens.

There are several different authentication protocols that TACACS+ can use during the authentication process.
  ASCII: Machine-independent technique that uses representations of English characters. Requires the user to type a user name and password that are sent in clear text (unencrypted) and matched with an entry in the user database stored in ASCII format.
  PAP: Password Authentication Protocol (PAP). Used to authenticate PPP connections. Transmits passwords and other user information in clear text.
  CHAP: Challenge-Handshake Authentication Protocol (CHAP). Provides the same functionality as PAP, but is more secure as it does not send the password and other user information over the network to the security server.
  MS-CHAP: Microsoft Challenge-Handshake Authentication Protocol v1 (MSCHAP). Microsoft-specific version of CHAP.
  Auto: The default protocol configuration, Auto, uses PAP, MS-CHAP, and CHAP, in that order.

2. Configure the following:
  Name: Enter the name of the TACACS+ server.
  Server IP/Name: Enter the domain name or IP address of the TACACS+ server.
  Server Secret: Enter the key to access the TACACS+ server. The server key can be a maximum of 16 characters in length.
  Authentication Type: Select the authentication type to use for the TACACS+ server: Auto, MSCHAP, CHAP, PAP, or ASCII. Auto authenticates using PAP, MSCHAP, then CHAP (in that order).
3. Select OK to create the new TACACS+ server.

To edit a TACACS+ server:
1. Select the TACACS+ server you would like to edit, then select Edit from the toolbar, or double-click on the server in the server list. The Edit TACACS+ Server window opens.
2. Edit the server information as required and select OK to apply your changes.

To delete a server or servers:
1. Select the server or servers that you would like to delete.
2. Select Delete from the toolbar.
3. Select OK in the confirmation dialog box to delete the selected server or servers.
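The "fully encrypted packet bodies" mentioned in the TACACS+ introduction, and the 16-character server key that enables them, are easier to reason about with the wire format in hand. The following Python model is an added example, not FortiCache or Fortinet code. It builds a TACACS+ authentication START packet for the PAP type listed above and applies the RFC 8907 body obfuscation: an MD5 keystream derived from the session ID, the shared key, the version byte and the sequence number. The key, session ID, user name, password, port and remote address are constructed sample values.

```python
import hashlib
import struct

# Constructed sample values (not from the guide).
KEY = b"t4c@cs+Example16"          # 16 characters, the maximum the FortiCache GUI allows
SESSION_ID = 0x5A3C9E01            # chosen by the client per session; fixed here for reproducibility
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # header flag; clear means the body is obfuscated
VERSION_PAP = 0xC1                 # major version 0xC, minor version 1 (used for PAP/CHAP/MS-CHAP)
AUTHEN_TYPE_PAP = 0x02


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5 keystream: pad_1 = MD5(session_id, key, version, seq_no),
    pad_n = MD5(session_id, key, version, seq_no, pad_{n-1}); concatenated and truncated."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the keystream. The same call reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user: bytes, password: bytes, port=b"tty0", rem_addr=b"192.0.2.25") -> bytes:
    """Authentication START body for PAP: action=LOGIN(1), priv_lvl=1, authen_type=PAP,
    authen_service=LOGIN(1), four length bytes, then user, port, rem_addr and data (the password)."""
    return (bytes([1, 1, AUTHEN_TYPE_PAP, 1, len(user), len(port), len(rem_addr), len(password)])
            + user + port + rem_addr + password)


def build_packet(body: bytes, key: bytes, session_id=SESSION_ID, version=VERSION_PAP, seq_no=1) -> bytes:
    """12-byte header (sent in the clear) followed by the obfuscated body."""
    flags = 0  # TAC_PLUS_UNENCRYPTED_FLAG stays clear
    header = struct.pack("!BBBBII", version, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def read_packet(packet: bytes, key: bytes) -> bytes:
    """Server side: parse the header and recover the body with the shared key."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return body


def parse_authen_start(body: bytes) -> dict:
    """Split a recovered START body back into its fields."""
    action, _priv, authen_type, _svc, ul, pl, rl, dl = body[:8]
    fields, pos = [], 8
    for n in (ul, pl, rl, dl):
        fields.append(body[pos:pos + n])
        pos += n
    user, port, rem_addr, data = fields
    return {"action": action, "authen_type": authen_type, "user": user,
            "port": port, "rem_addr": rem_addr, "data": data}
```

Two points follow from the code. The header, including the session ID and sequence number, is always visible on the wire; only the body is covered. And RFC 8907 describes this MD5 scheme as obfuscation rather than encryption and advises against relying on it alone, so the key length limit above is one more reason to keep the TACACS+ server on a management network the unit reaches over a protected path.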

Settings

This submenu provides settings for configuring the authentication timeout, protocol support, and authentication certificates.

When user authentication is enabled within a security policy, the authentication challenge is normally issued for any of the four protocols (depending on the connection protocol):
  HTTP (can also be set to redirect to HTTPS)
  HTTPS
  FTP
  Telnet
The selections control which protocols support the authentication challenge. Users must connect with a supported protocol first so that they can subsequently connect with other protocols. If HTTPS is selected as a method of protocol support, it allows the user to authenticate with a customized local certificate.

When you enable user authentication within a security policy, the security policy user will be challenged to authenticate. For user ID and password authentication, users must provide their user names and passwords. For certificate authentication (HTTPS or HTTP redirected to HTTPS only), you can install customized certificates on the unit, and the users can also have customized certificates installed on their browsers. Otherwise, users will see a warning message and have to accept a default Fortinet certificate.

To configure authentication settings, go to User > Authentication > Settings. Configure the following settings, then select Apply to save your changes:
  Authentication Timeout: Enter the amount of time, in minutes, that an authenticated firewall connection can be idle before the user must authenticate again. From 1 to 480 minutes (default = 5).
  Protocol Support: Select the protocols to challenge during firewall user authentication from the following: HTTP, Redirect HTTP Challenge to a Secure Channel (HTTPS), HTTPS, FTP, TELNET.
  Certificate: Select the local certificate to use for authentication. This option is only available if HTTPS or HTTP redirected to HTTPS is selected.

Monitor

You can go to the Monitor menu to view lists of currently authenticated users and banned users. For each authenticated user, the list includes the user name, user group, how long the user has been authenticated (Duration), how long until the user's session times out (Time left), and the method of authentication used. The Banned User list includes users configured by administrators.

Firewall

In some environments, it is useful to determine which users are authenticated by the FortiCache unit and to allow the system administrator to de-authenticate users (stop their current session). With the firewall monitor, you can de-authenticate all currently authenticated users, or select individual users to de-authenticate. To permanently stop a user from re-authenticating, change the configuration (disable the user account) and then use the user monitor to immediately end the user's current session.

Monitored firewall users can be viewed from User > Monitor > Firewall. This page lists all firewall users that are currently authenticated by the unit and active. This page allows you to refresh the information on the page, as well as filter the information.
  Refresh: Refresh the Firewall user monitor list.
  De-authenticate: Stop authenticated sessions for all selected users in the Firewall user monitor list. Users must re-authenticate with the firewall to resume their communication session.
  User Name: The names of all connected remote users.
  User Group: The group that the remote user is a member of.
  Policy ID: The policy identification number of the user.
  Duration: The length of time since the user was authenticated.
  IP Address: The user's source IP address.
  Traffic Volume: The amount of traffic going through the unit that is generated by the user.
  Method: The authentication method used for the user by the unit, such as FSSO Agent, firewall authentication, or NTLM.
  Time-left: Shows the amount of time remaining for the user. This column is not visible by default. Right-click in the column headings to add it.

In FortiCache 4.0 and lower, if the client sent back an NTLM token while negotiating authentication levels, FortiCache would not fall back to the NTLM authentication method and would deny the request. FortiCache now detects this situation and falls back to the NTLM authentication method.

User Quarantine

The user quarantine shows all IP addresses and interfaces blocked by Network Access Control (NAC) quarantine. The list also shows all IP addresses, authenticated users, email senders, and interfaces blocked by DLP. The system administrator can selectively release users or interfaces from quarantine, or configure quarantine to expire after a selected time period.

All sessions started by users or IP addresses on the banned user list are blocked until the user or IP address is removed from the list. All sessions to an interface on the list are blocked until the interface is removed from the list.

The user quarantine is viewed from User > Monitor > User Quarantine.
  Delete: Removes the user from the list.
  Remove All: Removes all users and IP addresses from the list.
  IP Address: The IP address of the user in the list.
  Source: The source of the user in the list.
  Created: The date and time that the user or IP address was added to the list.
  Expires: The date and time that the user or IP address will be automatically removed from the list. If Expires is Indefinite, the entry must be manually removed from the list.

WAN Optimization and Web Caching

You can use web caching to cache web pages from any web server. All traffic between a client network and one or more web servers is then intercepted by a web cache policy. This policy causes the FortiCache unit to cache pages from the web servers on the FortiCache unit and makes the cached pages available to users on the client network.

Web caching can be configured for standard and reverse web caching. In a standard web caching configuration, the FortiCache unit caches pages for users on a client network. A router sends HTTP traffic to be cached to the FortiCache unit. You can also create a reverse proxy web caching configuration where the FortiCache unit is dedicated to providing web caching for a single web server or server farm. In this second configuration, one or more FortiCache units can be installed between the server network and the WAN or Internet, or traffic to be cached can be routed to the FortiCache units.

You can add WAN Optimization to improve traffic performance and efficiency as it crosses the WAN. FortiCache WAN optimization consists of a number of techniques that you can apply to improve the efficiency of communication across your WAN. These techniques include protocol optimization, byte caching, SSL offloading, and secure tunneling.
  Protocol optimization can improve the efficiency of traffic that uses the CIFS, FTP, HTTP, or MAPI protocol, as well as general TCP traffic.
  Byte caching caches files and other data on FortiCache units to reduce the amount of data transmitted across the WAN.
  Web caching stores web pages on FortiCache units to reduce latency and delays between the WAN and web servers.
  SSL offloading offloads SSL decryption and encryption from web servers onto FortiCache SSL acceleration hardware.
  Secure tunneling secures traffic as it crosses the WAN.

You can apply different combinations of these WAN optimization techniques to a single traffic stream depending on the traffic type. For example, you can apply byte caching and secure tunneling to any TCP traffic. For HTTP and HTTPS traffic, you can also apply protocol optimization and web caching.

This chapter describes:
  WAN optimization profiles
  WAN optimization peers
  Cache
  Monitor

WAN optimization profiles

FortiCache WAN optimization consists of a number of techniques that you can apply to improve the efficiency of communication across your WAN. These techniques include protocol optimization, byte caching, web caching, SSL offloading, and secure tunneling.
  Protocol optimization can improve the efficiency of traffic that uses the CIFS, FTP, HTTP, or MAPI protocol, as well as general TCP traffic.
  Byte caching caches files and other data on FortiCache units to reduce the amount of data transmitted across the WAN.
  Web caching stores web pages on FortiCache units to reduce latency and delays between the WAN and web servers.
  SSL offloading offloads SSL decryption and encryption from web servers onto FortiCache SSL acceleration hardware.
  Secure tunneling secures traffic as it crosses the WAN.

You can apply different combinations of these WAN optimization techniques to a single traffic stream depending on the traffic type. For example, you can apply byte caching and secure tunneling to any TCP traffic. For HTTP and HTTPS traffic, you can also apply protocol optimization and web caching.

To configure WAN optimization profiles, go to WAN Opt. & Cache > WAN Opt. Profiles > Profiles. The Edit WAN Optimization Profile page is displayed. Configure the following settings, then select Apply to apply any changes:
  Profile: Select a profile to edit from the drop-down list.
  Create New: Create a new WAN optimization profile.
  Clone: Clone the current profile.
  Delete: Delete the current profile.
  View List: View the WAN optimization profile list. See Profile list on page 131.
  Name: Enter a name for the WAN optimization profile.
  Comments: Optionally, enter a description of the profile.
  Transparent Mode: Select the checkbox to enable transparent mode.
  Authentication Group: Enable to select, from the drop-down menu, the authentication group that will be applied to the WAN optimization profile.
  Protocol: Select the protocols that are enabled for this profile: CIFS, FTP, HTTP, MAPI, and TCP.
  SSL Offloading: Select to enable SSL offloading. SSL offloading offloads SSL decryption and encryption from web servers onto FortiCache SSL acceleration hardware. It is only available for the HTTP and TCP protocols.

  Secure Tunneling: Select to enable secure tunneling. To use secure tunneling, it must be enabled for a protocol, and an authentication group must be added. The authentication group specifies the certificate or pre-shared key used to set up the secure tunnel. The Peer Acceptance setting of the authentication group does not affect secure tunneling. The FortiCache units at each end of the secure tunnel must have the same authentication group, with the same name and the same configuration, including the same pre-shared key or certificate.
  Byte Caching: Select to enable byte caching. Byte caching breaks large units of application data (for example, a file being downloaded from a web page) into small chunks of data, labelling each chunk with a hash of the chunk and storing the chunks and their hashes in a database. The database is stored on a WAN optimization storage device.
  Port: Specify the port number for the protocol. The default values are: CIFS: 445; FTP: 21; HTTP: 80; MAPI: 135; TCP:

Profile list

The WAN optimization profile list can be viewed by selecting View List in the Edit WAN Optimization Profile page toolbar.
  Create New: Create a new WAN optimization profile.
  Edit: Modify the profile.
  Delete: Remove the profile.
  Name: The name of the WAN optimization profile.
  Ports: The ports used by the profile.
  Transparent: Whether or not transparent mode is enabled.
  Authentication Group: The authentication group used by the profile, if any. See Authentication groups on page 1.
  Comments: Optional description of the WAN optimization profile.
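The Byte Caching description above (chunk the payload, label each chunk with a hash, keep chunks and labels in a database at both ends) is small enough to model end to end. The following Python block is an added example, not FortiCache code, and it does not reproduce Fortinet's chunking or hashing choices: it uses fixed-size 64-byte chunks and SHA-256 labels, both constructed for readability, and a 640-byte sample payload built inline. It shows what crosses the WAN on a first transfer, on a repeat of the same payload, and on a copy with one byte changed, and it has the receiver reject a chunk that does not match its label.

```python
import hashlib

CHUNK_SIZE = 64  # bytes; a constructed, deliberately small value so the numbers stay readable


def split_chunks(data: bytes, size: int = CHUNK_SIZE) -> list:
    """Fixed-size chunking; the final chunk may be shorter than `size`."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def label(chunk: bytes) -> bytes:
    """The label stored with each chunk: a SHA-256 digest of its contents (32 bytes)."""
    return hashlib.sha256(chunk).digest()


class ByteCachePeer:
    """One end of a WAN optimization tunnel, holding the chunk database (label -> chunk)."""

    def __init__(self):
        self.db = {}

    def encode(self, data: bytes):
        """Sender side. For each chunk emit (label, chunk) if the label is new to the
        database, or (label, None) if the peer already holds it. Returns the stream
        and the number of bytes that would cross the WAN."""
        stream, wire_bytes = [], 0
        for chunk in split_chunks(data):
            key = label(chunk)
            if key in self.db:
                stream.append((key, None))
                wire_bytes += len(key)
            else:
                self.db[key] = chunk
                stream.append((key, chunk))
                wire_bytes += len(key) + len(chunk)
        return stream, wire_bytes

    def decode(self, stream) -> bytes:
        """Receiver side. Check newly received chunks against their label before storing
        them, resolve label-only references from the database, rebuild the payload."""
        out = bytearray()
        for key, chunk in stream:
            if chunk is None:
                chunk = self.db[key]
            elif label(chunk) != key:
                raise ValueError("received chunk does not match its label")
            self.db[key] = chunk
            out += chunk
        return bytes(out)


def simulate(payloads) -> list:
    """Send each payload client -> server in order; return (wire_bytes, payload_bytes, intact)."""
    client, server = ByteCachePeer(), ByteCachePeer()
    results = []
    for payload in payloads:
        stream, wire_bytes = client.encode(payload)
        results.append((wire_bytes, len(payload), server.decode(stream) == payload))
    return results


# Constructed sample: a 640-byte "file" made of ten distinct 64-byte chunks, and the
# same file with one byte changed inside the fourth chunk.
SAMPLE_DOC = bytes(range(256)) + bytes(range(255, -1, -1)) + b"x" * 64 + b"y" * 64
_edited = bytearray(SAMPLE_DOC)
_edited[200] = 0xFF
SAMPLE_DOC_EDITED = bytes(_edited)


def demo() -> list:
    """First transfer sends every chunk; the repeat sends labels only; the edited copy
    sends one chunk plus nine labels."""
    return simulate([SAMPLE_DOC, SAMPLE_DOC, SAMPLE_DOC_EDITED])


if __name__ == "__main__":
    for wire, size, intact in demo():
        print(f"{size} bytes payload -> {wire} bytes on the WAN, reassembled intact: {intact}")
```

The label check in decode is the part a defender cares about: the database is only as trustworthy as the chunks admitted into it, so a chunk is stored only after its hash matches the label it arrived with. With fixed-size chunks, an insertion or deletion shifts every later chunk boundary and defeats the cache for the rest of the file, which is why production byte caches typically use content-defined boundaries rather than the fixed ones used here.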

Managing WAN optimization profiles

WAN optimization profiles can be added, edited, cloned, and deleted as required.

To create a new WAN optimization profile:
1. From either the Edit WAN Optimization Profile page or the WAN optimization profile list, select Create New.
2. Enter the required information, then select OK to create the new WAN optimization profile.

To edit a WAN optimization profile:
1. From the Edit WAN Optimization Profile page, select the profile you need to edit from the profile drop-down list. From the profile list, either select the profile you would like to edit and then select Edit from the toolbar, or double-click on the profile name in the list. The Edit WAN Optimization Profile window opens.
2. Edit the information as required, then select Apply to apply your changes.

To clone a WAN optimization profile:
1. From the Edit WAN Optimization Profile page, select the profile you need to clone from the profile drop-down list.
2. Select Clone from the toolbar.
3. Enter a name for the profile in the dialog box, then select OK.
4. Edit the clone as required.

To delete a profile or profiles:
1. From the profile list, select the profile or profiles that you would like to delete.
2. Select Delete from the toolbar.
3. Select OK in the confirmation dialog box to delete the selected profile or profiles.

WAN optimization peers

The client-side and server-side FortiCache units are called WAN optimization peers because all of the FortiCache units in a WAN optimization network have the same peer relationship with each other. The client and server roles relate to how a session is started. Any FortiCache unit configured for WAN optimization can be both a client-side and a server-side FortiCache unit at the same time, depending on the direction of the traffic. Client-side FortiCache units initiate WAN optimization sessions and server-side FortiCache units respond to the session requests. Any FortiCache unit can be a client-side FortiCache unit for some sessions and a server-side FortiCache unit for others.

To identify all of the WAN optimization peers that a FortiCache unit can perform WAN optimization with, the host IDs and IP addresses of all of the peers are added to the FortiCache unit configuration. The peer IP address is actually the IP address of the peer unit interface that communicates with the FortiCache unit.

Peers

Go to WAN Opt. & Cache > WAN Opt. Peers > Peers to view the WAN optimization peer list.

  Create New: Create a new WAN optimization peer.
  Edit: Edit a WAN optimization peer.
  Delete: Delete a WAN optimization peer or peers.
  Local Host ID: The local host ID. Enter an ID, then select Apply to apply the ID.
  Search: Enter a search term to search the peer list.
  Peer Host ID: The peer host ID of the WAN optimization peer.
  IP Address: The IP address of the peer.
  Ref.: Displays the number of times the peer is referenced by other objects. To view the location of the referenced peer, select the number in Ref.; the Object Usage window appears, displaying the various locations of the referenced object.

To create a new WAN optimization peer:
1. From the peer list, select Create New in the toolbar. The New WAN Optimization Peer window opens.
2. Enter the Peer Host ID and IP Address.
3. Select OK to create the new peer.

To edit a WAN optimization peer:
1. Select the peer you would like to edit, then select Edit from the toolbar, or double-click on the peer in the peer list. The Edit WAN Optimization Peer window opens.
2. Edit the peer as required and select OK to apply your changes.

To delete a WAN optimization peer or peers:
1. Select the peer or peers that you would like to delete.
2. Select Delete from the toolbar.
3. Select OK in the confirmation dialog box to delete the selected peer or peers.

Authentication groups

You need to add authentication groups to support authentication and secure tunneling between WAN optimization peers. To perform authentication, WAN optimization peers use a certificate or a pre-shared key added to an authentication group so they can identify each other before forming a WAN optimization tunnel. Both peers must

134 WAN Optimization and Web Caching WAN optimization peers have an authentication group with the same name and settings. The authentication group is added to a peer-topeer or active rule on the client-side FortiCache unit. When the server-side FortiCache unit receives a tunnel start request that includes an authentication group from the client-side unit, the server-side unit finds an authentication group in its configuration with the same name. If both authentication groups have the same certificate or preshared key, the peers can authenticate and set up the tunnel. Go to WAN Opt. & Cache > WAN Opt. Peers > Authentication Groups to manage the authentication groups. Create New Edit Delete Search Name Authentication Method Peer(s) Ref. Create a new authentication group. Edit an authentication group. Delete an authentication group or groups. Enter a search term to search the group list. The name of the group. The authentication used by the group, either Certificate or Pre-shared key. The peer or peers in the group. Displays the number of times the group is referenced to other objects. To view the location of the referenced group, select the number in Ref.; the Object Usage window appears displaying the various locations of the referenced object. To create a new authentication group: 1. Select Create New from the toolbar. The New Authentication Group window opens. 2. Enter the following information: Name Enter a name for the authentication group. Administration Guide 134

   Authentication Method: Select the authentication method to use.
   Certificate: Use a certificate to authenticate and encrypt WAN optimization tunnels. Then select a local certificate that has been added to this FortiCache unit from the drop-down list.
   Pre-shared Key: Use a pre-shared key or password to authenticate and encrypt WAN optimization tunnels. Then enter the password (or pre-shared key) in the Password field. Other FortiCache units that participate in WAN optimization tunnels with this unit must have an authentication group with the same name and password. The password must contain at least 6 printable characters and should be known only by network administrators. For optimum protection against currently known attacks, the key should consist of a minimum of 16 alphanumeric characters.
   Accept Peer(s): Select the peer acceptance method for the authentication group.
   Any: Select this if you do not know the peer host IDs or IP addresses of the peers that will use this authentication group. This setting is most often used for WAN optimization with FortiCache units that do not have static IP addresses, such as units that use DHCP.
   Defined Only: Authenticate only with peers that have been added to the peer list.
   Specify: Select a peer from the drop-down list to authenticate with the selected peer only. Select Create New from the drop-down list to create a new peer; see To create a new WAN optimization peer: on page 133.
3. Select OK to create the new authentication group.

The authentication group can now be added to WAN optimization profiles to apply the authentication settings in the authentication group to the profile. See Managing WAN optimization profiles on page 1.

To edit an authentication group:
1. Select the group you would like to edit, then select Edit from the toolbar, or double-click on the group in the authentication group list. The Edit Authentication Group window opens.
2. Edit the group information as required and select OK to apply your changes.

To delete an authentication group or groups:
1. Select the group or groups that you would like to delete.
2. Select Delete from the toolbar.
3. Select OK in the confirmation dialog box to delete the selected group or groups.

Cache

Web cache settings can be optimized to improve performance, and specific URL patterns can be exempted from caching and/or forwarded to a web proxy server.

Settings

In most cases, the default settings for the WAN optimization web cache are acceptable. However, you may want to change them to improve performance or optimize the cache for your configuration.

Go to WAN Opt. & Cache > Cache > Settings to configure web cache settings. Configure the following settings, then select Apply to apply your changes:

Always Revalidate: Always re-validate requested cached objects with content on the server before serving them to the client.
Max Cache Object Size: The maximum size of objects (files) that are cached (default = KB). Objects that are larger than this size are still delivered to the client but are not stored in the FortiCache web cache.
Negative Response Duration: The amount of time, in minutes, that the FortiCache unit caches error responses from web servers (default = 0 minutes). The content server might send a client error code (4xx HTTP response) or a server error code (5xx HTTP response) as a response to some requests. If the web cache is configured to cache these negative responses, it returns that response in subsequent requests for that page or image for the specified number of minutes, regardless of the actual object status.

Fresh Factor: For cached objects that do not have an expiry time, the web cache periodically checks the server to see if the objects have expired. The higher the fresh factor, the less often the checks occur (default = 100%). For example, if you set Max TTL and Default TTL to 7200 minutes (5 days) and set Fresh Factor to 20, the web cache checks the cached objects 5 times before they expire, but if you set the Fresh Factor to 100, the web cache will only check once.
Max TTL: The maximum amount of time (Time to Live), in minutes, an object can stay in the web cache without the cache checking to see if it has expired on the server. From 1 to minutes (one year) (default = 7200 minutes).
Min TTL: The minimum amount of time an object can stay in the web cache before the web cache checks to see if it has expired on the server. From 1 to minutes (default = 5 minutes).
Default TTL: The default expiry time for objects that do not have an expiry time set by the web server. From 1 to minutes (default = 1440 minutes).
Proxy FQDN: This option cannot be changed from the default: default.fqdn.
Max HTTP request length: This option cannot be changed from the default: 4KB.
Max HTTP message length: This option cannot be changed from the default: 32KB.
Ignore > If-modified-since: If the time specified by the if-modified-since (IMS) header in the client's conditional request is greater than the last modified time of the object in the cache, it is a strong indication that the copy in the cache is stale. If so, HTTP does a conditional GET to the original content source, based on the last modified time of the cached object. Enable ignoring if-modified-since to override this behavior.
Ignore > HTTP 1.1 Conditionals: HTTP 1.1 provides additional controls to the client for the behavior of caches toward stale objects. Depending on various cache-control headers, the FortiCache unit can be forced to consult the OCS before serving the object from the cache. For more information about the behavior of cache-control header values, see the HTTP 1.1 RFC. Enable ignoring HTTP 1.1 conditionals to override this behavior.
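The TTL and Fresh Factor settings above interact, and it helps to check a candidate configuration before applying it. The following is an added example, not FortiCache code: it models the settings with simple arithmetic under stated assumptions (a server-supplied expiry is clamped to the Min TTL/Max TTL range, an object with no expiry gets Default TTL, and Fresh Factor is the percentage of the TTL between two freshness checks), and it reproduces the guide's 7200-minute, Fresh Factor 20 example of 5 checks. The function and class names are the example's own.

```python
"""Added example (not FortiCache code): a small model of the Max TTL, Min TTL,
Default TTL and Fresh Factor web cache settings.

Assumptions (the guide describes the settings only in prose): a server-supplied
expiry is clamped to [Min TTL, Max TTL]; an object with no expiry gets Default
TTL (also clamped); Fresh Factor is the percentage of the object's TTL between
two freshness checks, which reproduces the guide's example of
7200 minutes / Fresh Factor 20 -> 5 checks and Fresh Factor 100 -> 1 check.
"""
import math
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class CacheTtlSettings:
    """Web cache TTL settings in minutes; fresh_factor is a percentage.
    Default values are the defaults quoted in the guide."""
    min_ttl: int = 5
    max_ttl: int = 7200
    default_ttl: int = 1440
    fresh_factor: int = 100

    def __post_init__(self) -> None:
        if not 1 <= self.min_ttl <= self.max_ttl:
            raise ValueError("Min TTL must be >= 1 and <= Max TTL")
        if self.default_ttl < 1:
            raise ValueError("Default TTL must be >= 1")
        if not 1 <= self.fresh_factor <= 100:
            raise ValueError("Fresh Factor is a percentage from 1 to 100")


def effective_ttl(settings: CacheTtlSettings, server_expiry: Optional[int]) -> int:
    """Minutes an object may sit in the cache before the server must be consulted.

    server_expiry is the lifetime announced by the origin server, in minutes,
    or None when the response carried no expiry information.
    """
    ttl = settings.default_ttl if server_expiry is None else server_expiry
    # Clamp to the administrator's bounds (assumed behaviour, see docstring).
    return max(settings.min_ttl, min(settings.max_ttl, ttl))


def revalidation_interval(settings: CacheTtlSettings, server_expiry: Optional[int]) -> int:
    """Minutes between freshness checks against the origin server.

    Objects with an explicit expiry are checked when that expiry is reached.
    Objects without one are checked every (TTL * Fresh Factor / 100) minutes,
    so a lower Fresh Factor means more frequent checks.
    """
    ttl = effective_ttl(settings, server_expiry)
    if server_expiry is not None:
        return ttl
    return max(1, ttl * settings.fresh_factor // 100)


def revalidation_checks(settings: CacheTtlSettings, server_expiry: Optional[int]) -> int:
    """How many times the cache contacts the origin over one TTL period."""
    ttl = effective_ttl(settings, server_expiry)
    return math.ceil(ttl / revalidation_interval(settings, server_expiry))


def is_fresh(settings: CacheTtlSettings, age_minutes: int, server_expiry: Optional[int]) -> bool:
    """True while the cached copy may be served without consulting the server."""
    return age_minutes < effective_ttl(settings, server_expiry)


if __name__ == "__main__":
    # The guide's worked example: Max TTL = Default TTL = 7200 minutes.
    loose = CacheTtlSettings(max_ttl=7200, default_ttl=7200, fresh_factor=20)
    tight = CacheTtlSettings(max_ttl=7200, default_ttl=7200, fresh_factor=100)
    print("checks per TTL at Fresh Factor 20: ", revalidation_checks(loose, None))
    print("checks per TTL at Fresh Factor 100:", revalidation_checks(tight, None))
```

Run the module directly to see the two check counts from the guide's example; `effective_ttl` also shows how an unusually short or long server expiry is pulled into the Min TTL/Max TTL range.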

Ignore > Pragma-no-cache: Typically, if a client sends an HTTP GET request with a pragma no-cache (PNC) or cache-control no-cache header, a cache must consult the OCS before serving the content. This means that the unit always re-fetches the entire object from the OCS, even if the cached copy of the object is fresh. Because of this behavior, PNC requests can degrade performance and increase server-side bandwidth utilization. Enable ignoring Pragma-no-cache so that the PNC header from the client request is ignored. The FortiCache unit treats the request as if the PNC header is not present.
Ignore > IE Reload
Cache Expired Objects: Enable to cache expired type-1 objects (if all other conditions make the object cacheable).
Revalidate Pragma-no-cache: The PNC header in a request can affect how efficiently the device uses bandwidth. If you do not want to completely ignore PNC in client requests by selecting Ignore > Pragma-no-cache, you can lower the impact on bandwidth usage with this option. When selected, a client's non-conditional PNC-GET request results in a conditional GET request sent to the OCS, if the object is already in the cache. This gives the OCS a chance to return the 304 Not Modified response, which consumes less server-side bandwidth as the OCS has not been forced to return full content. By default, Revalidate Pragma-no-cache is disabled and is not affected by changes in the top-level profile. When the Substitute Get for PNC configuration is enabled, the revalidate PNC configuration has no effect. Most download managers make byte-range requests with a PNC header. To serve such requests from the cache, you should also configure byte-range support when you configure the Revalidate Pragma-no-cache option.

URL match list

The URL match list is used to exempt URLs from caching and to enable forwarding specific URLs to a web proxy server. URLs, URL patterns, and numeric IP addresses can be added to the match list.

For example, if your users access websites that are not compatible with FortiCache web caching, you can add the URLs of these websites to the web caching exempt list, and all traffic accepted by a web cache policy for these websites will not be cached.

To configure a URL match list, use the following CLI command:

    config web-proxy url-match
        edit <name>
            set url-pattern <value>
            set cache-exemption {enable | disable}
        next
    end
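The Ignore > If-modified-since, Ignore > Pragma-no-cache and Revalidate Pragma-no-cache options described in the Cache settings, together with a URL match list entry that has cache-exemption enabled, decide whether a request is served from the cache, revalidated with a conditional GET, fully re-fetched from the OCS, or bypassed. The following is an added example, not FortiCache code: it encodes the outcomes the guide describes as a single decision function so the interaction of the options can be tested. It assumes url-pattern entries are matched as shell-style wildcards against "host/path" (the guide does not define the pattern syntax), that a stale cached copy is revalidated with a conditional GET, and it uses integer epoch seconds for timestamps; the class and function names are the example's own.

```python
"""Added example (not FortiCache code): a decision model for the request-handling
options in the Cache settings (Ignore > If-modified-since, Ignore > Pragma-no-cache,
Revalidate Pragma-no-cache) and for a URL match list cache exemption.

Assumptions: url-pattern entries are shell-style wildcards matched against
"host/path"; a stale cached copy is revalidated with a conditional GET; the
Last-Modified and If-Modified-Since times are integer epoch seconds.
"""
from dataclasses import dataclass, field
from enum import Enum
from fnmatch import fnmatch
from typing import List, Optional


class Action(Enum):
    BYPASS = "URL exempt: not cached, request forwarded as-is"
    HIT = "served from cache"
    CONDITIONAL_GET = "conditional GET to the OCS (304 Not Modified possible)"
    FULL_FETCH = "full object re-fetched from the OCS"


@dataclass(frozen=True)
class CacheOptions:
    ignore_ims: bool = False        # Ignore > If-modified-since
    ignore_pnc: bool = False        # Ignore > Pragma-no-cache
    revalidate_pnc: bool = False    # Revalidate Pragma-no-cache (guide default: disabled)
    # url-match entries with "set cache-exemption enable" (constructed, wildcard syntax assumed)
    exempt_patterns: List[str] = field(default_factory=list)


@dataclass(frozen=True)
class CachedObject:
    last_modified: int   # epoch seconds from the stored response's Last-Modified
    fresh: bool          # still within its TTL (see the TTL settings)


@dataclass(frozen=True)
class Request:
    url: str
    pragma: str = ""
    cache_control: str = ""
    if_modified_since: Optional[int] = None   # epoch seconds; None = non-conditional


def is_exempt(options: CacheOptions, url: str) -> bool:
    """Cache exemption from the URL match list (wildcard matching is an assumption)."""
    target = url.split("://", 1)[-1]
    return any(fnmatch(target, pattern) for pattern in options.exempt_patterns)


def has_pnc(request: Request) -> bool:
    """True for a Pragma: no-cache or Cache-Control: no-cache request header (PNC)."""
    return ("no-cache" in request.pragma.lower()
            or "no-cache" in request.cache_control.lower())


def decide(options: CacheOptions, request: Request, cached: Optional[CachedObject]) -> Action:
    """Apply the options in the order the guide describes them."""
    if is_exempt(options, request.url):
        return Action.BYPASS
    if cached is None:
        return Action.FULL_FETCH        # nothing in the cache to serve or revalidate

    # PNC is honoured unless ignored. Revalidate Pragma-no-cache turns the full
    # re-fetch into a conditional GET because the object is already cached.
    if has_pnc(request) and not options.ignore_pnc:
        return Action.CONDITIONAL_GET if options.revalidate_pnc else Action.FULL_FETCH

    # An IMS newer than the cached copy's Last-Modified is a strong staleness
    # indication, so the origin is consulted unless IMS is ignored.
    ims = request.if_modified_since
    if ims is not None and not options.ignore_ims and ims > cached.last_modified:
        return Action.CONDITIONAL_GET

    return Action.HIT if cached.fresh else Action.CONDITIONAL_GET


if __name__ == "__main__":
    # Constructed sample: one cached object, three client requests.
    obj = CachedObject(last_modified=1_700_000_000, fresh=True)
    for req in (Request(url="http://www.example.com/index.html"),
                Request(url="http://www.example.com/index.html", pragma="no-cache"),
                Request(url="http://legacy.example.com/app/page")):
        opts = CacheOptions(revalidate_pnc=True, exempt_patterns=["legacy.example.com/*"])
        print(req.url, "->", decide(opts, req, obj).value)
```

Reading the decision function top to bottom mirrors the settings page: exemptions from the URL match list win outright, then the PNC handling applies, then the IMS comparison, and only then does freshness decide between a hit and a revalidation.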

Monitor

Using the web cache and WAN optimization monitors, you can confirm that the FortiCache unit is accepting and caching traffic, and view web caching and WAN optimization performance. The monitor presents collected log information in a graphical format to show network traffic and bandwidth optimization information.

To view the WAN optimization monitor, go to WAN Opt. & Cache > Monitor > WAN Opt. Monitor.

Traffic Summary: This section provides traffic optimization information. It displays how much traffic has been reduced by web caching by comparing the amount of client and server traffic.
Refresh icon: Refresh the Traffic Summary.
Period: Select a time period to show the traffic summary for: Last 10 Minutes, Last 1 Hour, Last 1 Day, Last 1 Week, or Last 1 Month.
Protocol: Lists the protocols shown in the pie chart, including: HTTP, MAPI, CIFS, FTP, TCP, and WEBPROXY.
Reduction Rate: The reduction rate for each protocol, in percent.
LAN: The number of LAN connections for that protocol.
WAN: The number of WAN connections for that protocol.

Bandwidth Optimization: This section shows the bandwidth optimization. A line graph compares an application's pre-optimized (LAN data) size with its optimized size (WAN data).
Refresh icon: Select to refresh the Bandwidth Optimization display.
Period: Select a time period to show bandwidth optimization for: Last 10 Minutes, Last 1 Hour, Last 1 Day, Last 1 Week, or Last 1 Month.
Protocol: Select the protocol to show in the graph.
Chart Type: Select the chart type: Column Chart or Line Chart.

To view the web cache monitor, go to WAN Opt. & Cache > Monitor > Cache Monitor. You can select a time period to show web cache monitoring for: Last 10 Minutes, Last 1 Hour, Last 1 Day, or Last 1 Month.

The Peer Monitor page under WAN Opt. & Cache > Monitor > Peer Monitor provides peer statistics, including Peer name, IP, Type, and Traffic Reduction.

HTTP traffic caching reports

As of version 4.2, another way to review traffic caching is to generate top-entry reports. To use this feature, enable the following command:

    config system global
        set http-view {enable | disable}
    end

Once enabled, you can execute and generate six different kinds of report, depending upon what statistics you are interested in. Enter the following command:

    execute http-view report {00 | 01 | 02 | 03 | 04 | 05}

Each report reports HTTP traffic details depending upon which report number you enter:
00: Top entries by total HTTP requests
01: Top entries by bandwidth consumed
02: Top entries by cachable % of total requests
03: Top entries by cache hit % of total requests
04: Top entries by cache hit % of cachable requests
05: Top entries by bandwidth saved via cache hits

A report will be generated showing the appropriate domain traffic within the last hour. An example report is shown below:


More information

EQ/OS Release Notes

EQ/OS Release Notes EQ/OS 10.3.3 Release Notes About This Document...2 Supported Hardware...2 EQ/OS 10 Documentation...2 Enhancements and Fixes in 10.3.3c...3 What s New... 3 Change Notices... 3 Resolved Issues... 3 Enhancements

More information

Online Help StruxureWare Data Center Expert

Online Help StruxureWare Data Center Expert Online Help StruxureWare Data Center Expert Version 7.2.7 What's New in StruxureWare Data Center Expert 7.2.x Learn more about the new features available in the StruxureWare Data Center Expert 7.2.x release.

More information

DrayTek Vigor Technical Specifications. PPPoE, PPTP, DHCP client, static IP, L2TP*, Ipv6. Redundancy. By WAN interfaces traffic volume

DrayTek Vigor Technical Specifications. PPPoE, PPTP, DHCP client, static IP, L2TP*, Ipv6. Redundancy. By WAN interfaces traffic volume DrayTek Vigor 3900 Technical Specifications WAN Protocol Ethernet PPPoE, PPTP, DHCP client, static IP, L2TP*, Ipv6 Multi WAN Outbound policy based load balance Allow your local network to access Internet

More information

vcenter Operations Management Pack for NSX-vSphere

vcenter Operations Management Pack for NSX-vSphere vcenter Operations Management Pack for NSX-vSphere vcenter Operations Manager 5.8 This document supports the version of each product listed and supports all subsequent versions until the document is replaced

More information

FortiMail Release Notes VERSION GA

FortiMail Release Notes VERSION GA FortiMail Release Notes VERSION 5.4.8 GA 1 FORTINET DOCUMENT LIBRARY http://docs.fortinet.com FORTINET VIDEO GUIDE http://video.fortinet.com FORTINET BLOG https://blog.fortinet.com CUSTOMER SERVICE & SUPPORT

More information

FortiADC Handbook - D Series VERSION

FortiADC Handbook - D Series VERSION FortiADC Handbook - D Series VERSION FORTINET DOCUMENT LIBRARY http://docs.fortinet.com FORTINET VIDEO GUIDE http://video.fortinet.com FORTINET BLOG https://blog.fortinet.com CUSTOMER SERVICE & SUPPORT

More information

American Dynamics RAID Storage System iscsi Software User s Manual

American Dynamics RAID Storage System iscsi Software User s Manual American Dynamics RAID Storage System iscsi Software User s Manual Release v2.0 April 2006 # /tmp/hello Hello, World! 3 + 4 = 7 How to Contact American Dynamics American Dynamics (800) 507-6268 or (561)

More information

User Manual. SSV Remote Access Gateway. Web ConfigTool

User Manual. SSV Remote Access Gateway. Web ConfigTool SSV Remote Access Gateway Web ConfigTool User Manual SSV Software Systems GmbH Dünenweg 5 D-30419 Hannover Phone: +49 (0)511/40 000-0 Fax: +49 (0)511/40 000-40 E-mail: sales@ssv-embedded.de Document Revision:

More information

Comodo Korugan Software Version 1.8

Comodo Korugan Software Version 1.8 rat Comodo Korugan Software Version 1.8 Unified Threat Management Administrator Guide Guide Version 1.8.050515 Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013 Table of Contents 1 Introduction

More information

Configuring Virtual Servers

Configuring Virtual Servers 3 CHAPTER This section provides an overview of server load balancing and procedures for configuring virtual servers for load balancing on an ACE appliance. Note When you use the ACE CLI to configure named

More information

Chapter 3 Managing System Settings

Chapter 3 Managing System Settings Chapter 3 Managing System Settings Using the System Settings Utility The navigation pane at the top of the web browser interface contains a System tab that enables you to manage your FS700TSSmart Switch

More information

Configuring the SMA 500v Virtual Appliance

Configuring the SMA 500v Virtual Appliance Using the SMA 500v Virtual Appliance Configuring the SMA 500v Virtual Appliance Registering Your Appliance Using the 30-day Trial Version Upgrading Your Appliance Configuring the SMA 500v Virtual Appliance

More information

IP806GA/GB Wireless ADSL Router

IP806GA/GB Wireless ADSL Router IP806GA/GB Wireless ADSL Router 802.11g/802.11b Wireless Access Point ADSL Modem NAT Router 4-Port Switching Hub User's Guide Table of Contents CHAPTER 1 INTRODUCTION... 1 Wireless ADSL Router Features...

More information

CHAPTER 7 ADVANCED ADMINISTRATION PC

CHAPTER 7 ADVANCED ADMINISTRATION PC ii Table of Contents CHAPTER 1 INTRODUCTION... 1 Broadband ADSL Router Features... 1 Package Contents... 3 Physical Details... 4 CHAPTER 2 INSTALLATION... 6 Requirements... 6 Procedure... 6 CHAPTER 3 SETUP...

More information

FortiTester 2.1. Handbook

FortiTester 2.1. Handbook FortiTester 2.1 Handbook FortiTester v2.1 Handbook Sep, 2014 1 st Edition Copyright 2014 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, FortiCare and FortiGuard and certain other marks are registered

More information

User and System Administration

User and System Administration CHAPTER 5 This chapter provides information about performing user and system administration tasks in Cisco Prime Network Analysis Module 5.1and generating diagnostic information for obtaining technical

More information

Chapter 10 - Configure ASA Basic Settings and Firewall using ASDM

Chapter 10 - Configure ASA Basic Settings and Firewall using ASDM Chapter 10 - Configure ASA Basic Settings and Firewall using ASDM This lab has been updated for use on NETLAB+ Topology Note: ISR G1 devices use FastEthernet interfaces instead of GigabitEthernet interfaces.

More information

System Configuration. The following topics explain how to configure system configuration settings on Firepower Management Centers and managed devices:

System Configuration. The following topics explain how to configure system configuration settings on Firepower Management Centers and managed devices: The following topics explain how to configure system configuration settings on Firepower Management Centers and managed devices: Introduction to, page 2 Appliance Information, page 5 Custom HTTPS Certificates,

More information

ExtraHop 6.1 ExtraHop Explore Admin UI Guide

ExtraHop 6.1 ExtraHop Explore Admin UI Guide ExtraHop 6.1 ExtraHop Explore Admin UI Guide 2018 ExtraHop Networks, Inc. All rights reserved. This manual in whole or in part, may not be reproduced, translated, or reduced to any machinereadable form

More information

Fireware-Essentials. Number: Fireware Essentials Passing Score: 800 Time Limit: 120 min File Version: 7.

Fireware-Essentials.  Number: Fireware Essentials Passing Score: 800 Time Limit: 120 min File Version: 7. Fireware-Essentials Number: Fireware Essentials Passing Score: 800 Time Limit: 120 min File Version: 7.0 http://www.gratisexam.com/ Fireware Essentials Fireware Essentials Exam Exam A QUESTION 1 Which

More information

VMware AirWatch Content Gateway for Linux. VMware Workspace ONE UEM 1811 Unified Access Gateway

VMware AirWatch Content Gateway for Linux. VMware Workspace ONE UEM 1811 Unified Access Gateway VMware AirWatch Content Gateway for Linux VMware Workspace ONE UEM 1811 Unified Access Gateway You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

Platform Compatibility... 1 Enhancements... 2 Known Issues... 3 Upgrading SonicOS Enhanced Image Procedures... 3 Related Technical Documentation...

Platform Compatibility... 1 Enhancements... 2 Known Issues... 3 Upgrading SonicOS Enhanced Image Procedures... 3 Related Technical Documentation... SonicOS Contents Platform Compatibility... 1 Enhancements... 2 Known Issues... 3 Upgrading SonicOS Enhanced Image Procedures... 3 Related Technical Documentation...7 Platform Compatibility The SonicOS

More information

CA Agile Central Administrator Guide. CA Agile Central On-Premises

CA Agile Central Administrator Guide. CA Agile Central On-Premises CA Agile Central Administrator Guide CA Agile Central On-Premises 2018.1 Table of Contents Overview... 3 Server Requirements...3 Browser Requirements...3 Access Help and WSAPI...4 Time Zone...5 Architectural

More information

Vidyo Server for WebRTC. Administrator Guide

Vidyo Server for WebRTC. Administrator Guide Vidyo Server for WebRTC Administrator Guide Product Version 3.2 Document Version A April, 2016 TABLE OF CONTENTS Overview... 1 Understanding the Configuration Procedure... 1 1. Using Vidyo Server for WebRTC

More information

Fundamentals of Network Security v1.1 Scope and Sequence

Fundamentals of Network Security v1.1 Scope and Sequence Fundamentals of Network Security v1.1 Scope and Sequence Last Updated: September 9, 2003 This document is exclusive property of Cisco Systems, Inc. Permission is granted to print and copy this document

More information

VERTIV. Avocent ACS8xxx Advanced Console System Release Notes VERSION 2.4.2, AUGUST 24, Release Notes Section Outline. 1 Update Instructions

VERTIV. Avocent ACS8xxx Advanced Console System Release Notes VERSION 2.4.2, AUGUST 24, Release Notes Section Outline. 1 Update Instructions VERTIV Avocent ACS8xxx Advanced Console System Release Notes VERSION 2.4.2, AUGUST 24, 2018 Release Notes Section Outline 1 Update Instructions 2 Appliance Firmware Version Information 3 Local Client Requirements

More information

Working with Nodes. Managing Nodes CHAPTER

Working with Nodes. Managing Nodes CHAPTER CHAPTER 2 Nodes are the devices that perform the actual application-oriented networking in an AON environment. Nodes are primarily managed by AMC, but they also have a command-line interface (CLI) through

More information

GIGABYTE Remote Management Console User s Guide. Version: 1.0

GIGABYTE Remote Management Console User s Guide. Version: 1.0 GIGABYTE Remote Management Console User s Guide Version: 1.0 Table of Contents Using Your GIGABYTE Remote Management Console...2 Software Install...3 Prerequisites on remote management PC...3 Install Java

More information

FortiManager VM - Install Guide VERSION 5.4

FortiManager VM - Install Guide VERSION 5.4 FortiManager VM - Install Guide VERSION 5.4 FORTINET DOCUMENT LIBRARY http://docs.fortinet.com FORTINET VIDEO GUIDE http://video.fortinet.com FORTINET BLOG https://blog.fortinet.com CUSTOMER SERVICE &

More information

F5 Herculon SSL Orchestrator : Setup. Version

F5 Herculon SSL Orchestrator : Setup. Version F5 Herculon SSL Orchestrator : Setup Version 13.0-2.3 Table of Contents Table of Contents What is F5 Herculon SSL Orchestrator?... 5 What is F5 Herculon SSL Orchestrator?...5 Terminology for Herculon

More information

Platform Settings for Classic Devices

Platform Settings for Classic Devices The following topics explain Firepower platform settings and how to configure them on Classic devices: Introduction to Firepower Platform Settings, page 1 Configuring Firepower Platform Settings, page

More information

VI. Corente Services Client

VI. Corente Services Client VI. Corente Services Client Corente Release 9.1 Manual 9.1.1 Copyright 2014, Oracle and/or its affiliates. All rights reserved. Table of Contents Preface... 5 I. Introduction... 6 II. Corente Client Configuration...

More information

SOURCEFIRE 3D SYSTEM RELEASE NOTES

SOURCEFIRE 3D SYSTEM RELEASE NOTES SOURCEFIRE 3D SYSTEM RELEASE NOTES Version 5.3.0.3 Original Publication: April 21, 2014 These release notes are valid for Version 5.3.0.3 of the Sourcefire 3D System. Even if you are familiar with the

More information

Unified Threat Management

Unified Threat Management G H I J ECS Enter Unified Threat Management CR500ia-1F QUICK START GUIDE CR500ia-1F Appliance Document Version: PL QSG500ia-1F/96000/10.02.0.0.473/08082012 G H I J CR500ia-1F ECS Enter DEFAULTS Default

More information

HT812/HT814 Firmware Release Note IMPORTANT UPGRADING NOTE

HT812/HT814 Firmware Release Note IMPORTANT UPGRADING NOTE HT812/HT814 Firmware Release Note IMPORTANT UPGRADING NOTE Once HT812/HT814 is upgraded to 1.0.3.2 or above, downgrading to 1.0.2.x firmware version or lower is not supported. Once HT812/HT814 is upgraded

More information

DEPLOYMENT GUIDE DEPLOYING F5 WITH ORACLE ACCESS MANAGER

DEPLOYMENT GUIDE DEPLOYING F5 WITH ORACLE ACCESS MANAGER DEPLOYMENT GUIDE DEPLOYING F5 WITH ORACLE ACCESS MANAGER Table of Contents Table of Contents Introducing the F5 and Oracle Access Manager configuration Prerequisites and configuration notes... 1 Configuration

More information

BIG-IP Access Policy Manager : Secure Web Gateway. Version 13.0

BIG-IP Access Policy Manager : Secure Web Gateway. Version 13.0 BIG-IP Access Policy Manager : Secure Web Gateway Version 13.0 Table of Contents Table of Contents BIG-IP APM Secure Web Gateway Overview...9 About APM Secure Web Gateway... 9 About APM benefits for web

More information