Category Archives: FortiOS 5.4 Handbook

The complete handbook for FortiOS 5.4

Changing the GUI theme

You can go to System > Settings > View Settings and select a Theme. You can also use the following CLI command to change the GUI theme. The following command shows how to change the GUI to use the red theme:

config system global
    set gui-theme red
end

FortiOS 6_4 Red Theme

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

New options for editing policies from the policy list

All of the security policy lists (Policy & Objects > IPv4 and so on) have new options for controlling the columns displayed for policies, for editing policies, and for accessing FortiView data or log messages generated by individual policies. You can access these options by clicking or right-clicking on the policy list header or on individual policies.

For example, as shown below, if you click on the Security Profiles settings for a policy, a list of categories and profiles appears on the left of the GUI. The list highlights the security profile options added to the policy. You can select a profile option to add it to a policy. You can deselect an option to remove it from a policy. Similar lists are available to select addresses, services, user groups, devices, and so on.

FortiOS 5_4_0 New GUI Policies


GUI Refresh

The FortiGate GUI now uses a new flat GUI design and framework that incorporates a simplified and modern look and feel. In addition to the new look, options have been moved around on the GUI menus:

  • New Dashboard and FortiView top level menus.
  • New top level Network menu includes networking features such as interfaces, DNS, explicit proxy, packet capture, WAN links (WAN load balancing), static routing, policy routing, dynamic routing (RIP, OSPF, BGP) and multicast routing.
  • New top level Monitor menu collects monitoring functions previously distributed throughout the GUI. Some former monitoring features, such as security profile-related monitoring, are now available in FortiView.
  • The GUI menu now has two levels only. For example, the menu path for accessing IPv4 firewall policies is Policy & Objects > IPv4.
  • The new administrator’s menu (upper right) provides quick access to change the administrator’s password, back up the FortiGate configuration, access the CLI console and log out.
  • Most individual GUI pages have also been enhanced with new view options and more information.
  • Some functionality has moved around in the GUI. For example, Proxy Options and SSL/SSH Inspection moved from Policy & Objects to Security Profiles.

FortiOS 5_4_0 New GUI

Proxy mode and flow mode antivirus and web filter profile options

The following tables list the antivirus and web filter profile options available in proxy and flow modes.

 

Antivirus features in proxy and flow mode

Feature                                                     Proxy  Flow
Scan Mode (Quick or Full)                                   no     yes
Detect viruses (Block or Monitor)                           yes    yes
Inspected protocols                                         yes    no (all relevant protocols are inspected)
Inspection Options                                          yes    yes (not available for quick scan mode)
Treat Windows Executables in Email Attachments as Viruses   yes    yes
Include Mobile Malware Protection                           yes    yes

Web Filter features in proxy and flow mode

Feature                                                       Proxy  Flow
FortiGuard category based filter                              yes    yes (show, allow, monitor, block)
Category Usage Quota                                          yes    no
Allow users to override blocked categories (on some models)   yes    no
Search Engines                                                yes    no
  Enforce ‘Safe Search’ on Google, Yahoo!, Bing, Yandex       yes    no
  YouTube Education Filter                                    yes    no
  Log all search keywords                                     yes    no
Static URL Filter                                             yes    yes
  Block invalid URLs                                          yes    no
  URL Filter                                                  yes    yes
  Block malicious URLs discovered by FortiSandbox             yes    yes
  Web Content Filter                                          yes    yes
Rating Options                                                yes    yes
  Allow websites when a rating error occurs                   yes    yes
  Rate URLs by domain and IP Address                          yes    yes
  Block HTTP redirects by rating                              yes    no
  Rate images by URL                                          yes    no
Proxy Options                                                 yes    no
  Restrict Google account usage to specific domains           yes    no
  Provide details for blocked HTTP 4xx and 5xx errors         yes    no
  HTTP POST Action                                            yes    no
  Remove Java Applets, Remove ActiveX                         yes    no
  Remove Cookies                                              yes    no
  Filter Per-User Black/White List                            yes    no


Security profile features available in flow mode

When you change to flow mode, proxy mode antivirus and web filter security profiles are converted to flow mode and the following reduced set of security profile features is available:

  • AntiVirus
  • Web Filter
  • Application Control
  • Cloud Access Security Inspection
  • Intrusion Protection
  • FortiClient Profiles
  • SSL Inspection
  • Web Rating Overrides

In flow mode, antivirus and web filter profiles only include flow-mode features. Web filtering and virus scanning are still done with the same engines and to the same accuracy, but some inspection options are limited or not available in flow mode. Application control, intrusion protection, and FortiClient profiles are not affected when switching between flow and proxy mode.

 

 

Unfortunately, CASI does not work when using proxy-based profiles for AV or web filtering. Make sure to use only flow-based profiles in combination with CASI on a specific policy.
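
An added example (not from the handbook) of checking a configuration backup for the CASI caveat above: it flags firewall policies that combine a CASI profile with an antivirus or web filter profile that is not flow-based. The key names (`casi-profile`, `av-profile`, `webfilter-profile`, `inspection-mode`), the single-VDOM backup layout and the default for profiles with no explicit mode are assumptions, and the sample configuration is constructed.

```python
# Constructed sample in FortiOS-style backup syntax; not taken from the handbook.
SAMPLE = '''
config antivirus profile
    edit "av-flow"
        set inspection-mode flow-based
    next
    edit "av-proxy"
        set inspection-mode proxy
    next
end
config firewall policy
    edit 1
        set av-profile "av-flow"
        set casi-profile "casi-default"
    next
    edit 2
        set av-profile "av-proxy"
        set webfilter-profile "wf-default"
        set casi-profile "casi-default"
    next
end
'''

def parse_tables(text):
    """Return {table: {entry: {key: value}}}; nested sub-tables are skipped."""
    tables, depth, table, entry = {}, 0, None, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("config "):
            depth += 1
            if depth == 1:
                table, entry = tables.setdefault(line[7:], {}), None
        elif line == "end":
            depth -= 1
        elif depth == 1 and line.startswith("edit "):
            entry = table.setdefault(line[5:].strip('"'), {})
        elif depth == 1 and line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            entry[key] = value.strip('"')
    return tables

def casi_conflicts(text, default_mode="proxy"):
    """Policies pairing a CASI profile with an AV/web filter profile that is not
    flow-based. Assumption: no explicit inspection-mode means default_mode."""
    t = parse_tables(text)
    kinds = {"av-profile": "antivirus profile", "webfilter-profile": "webfilter profile"}
    return [(pid, key, pol[key])
            for pid, pol in t.get("firewall policy", {}).items() if "casi-profile" in pol
            for key, table in kinds.items() if key in pol
            and t.get(table, {}).get(pol[key], {}).get("inspection-mode", default_mode) != "flow-based"]
```

Each finding is a (policy ID, policy setting, profile name) tuple to review before relying on CASI for that policy.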

 

 

Even though VoIP profiles are not available from the GUI in flow mode, the FortiGate can process VoIP traffic. In this case the appropriate session helper is used (for example, the SIP session helper).

 

Setting flow or proxy mode doesn’t change the settings available from the CLI. However, you can’t save security profiles that are set to proxy mode.

 

You can also add proxy-only security profiles to firewall policies from the CLI. So, for example, you can add a VoIP profile to a security policy that accepts VoIP traffic. This practice isn’t recommended because the setting will not be visible from the GUI.



Security profile features available in proxy mode

When set to proxy mode, the following security profiles are available:

  • AntiVirus
  • Web Filter
  • DNS Filter
  • Application Control
  • Intrusion Protection
  • Anti-Spam
  • Data Leak Prevention
  • VoIP
  • ICAP
  • Web Application Firewall
  • FortiClient Profiles
  • Proxy Options
  • SSL Inspection
  • Web Rating Overrides
  • Web Profile Overrides
  • ICAP Servers

In proxy mode, from the GUI you can only configure antivirus and web filter security profiles in proxy mode. From the CLI you can configure flow-based antivirus profiles, web filter profiles and DLP profiles and they will appear on the GUI and include their inspection mode setting. Also, flow-based profiles created when in flow mode are still available when you switch to proxy mode.



Changing between proxy and flow mode

By default proxy mode is enabled and you change to flow mode by changing the Inspection Mode on the System Information dashboard widget. When you select Flow-based you are reminded that all proxy mode profiles are converted to flow mode, removing any proxy settings. As well, proxy-mode-only features (for example, Web Application Profile) are removed from the GUI.

In addition, when you select Flow-based the Explicit Web Proxy and Explicit FTP Proxy features are removed from the GUI and the CLI. This includes Explicit Proxy firewall policies.

If required you can change back to proxy mode just as easily. As well, if your FortiGate has multiple VDOMs you can set the inspection mode independently for each VDOM.



Changing the FortiGate’s inspection mode to flow or proxy

 

You can select flow or proxy mode from the System Information dashboard widget to control your FortiGate’s security profile inspection mode. Having control over flow and proxy mode is helpful if you want to be sure that only flow inspection mode is used (and that proxy inspection mode is not used). As well, switching to flow inspection mode also turns off the explicit web proxy and the explicit FTP proxy, making sure that no proxying can occur.

In most cases proxy mode (the default) is preferred because more security profile features are available and more configuration options for these individual features are available. Some implementations, however, may require all security profile scanning to only use flow mode. In this case, you can set your FortiGate to flow mode knowing that proxy mode inspection will not be used.

If you select flow-based, to use external servers for FortiWeb and FortiMail you must use the CLI to set a Web Application Firewall profile or Anti-Spam profile to external mode and add the Web Application Firewall profile or Anti-Spam profile to a firewall policy.

