Category Archives: FortiGate

FIM-7901E interface module

Leave a reply

FIM-7901E interface module

The FIM-7901E interface module is a hot swappable module that provides data, management and session sync/heartbeat interfaces, base backplane switching and fabric backplane session-aware load balancing for a FortiGate-7000 chassis. The FIM-7901E includes an integrated switch fabric and DP2 processors to load balance millions of data sessions over the chassis fabric backplane to FPM processor modules.

The FIM-7901E can be installed in any FortiGate-7000 series chassis in hub/switch slots 1 and 2. The FIM-7901E provides thirty-two 10GigE small form-factor pluggable plus (SPF+) interfaces for a FortiGate-7000 chassis.

You can also install FIM-7901Es in a second chassis and operate the chassis in HA mode with another set of processor modules to provide chassis failover protection.

FIM-7901E front panel

The FIM-7901E includes the following hardware features:

  • Thirty-two front panel 10GigE SFP+ fabric channel interfaces (A1 to A32). These interfaces are connected to 10Gbps networks to distribute sessions to the FPM processor modules installed in chassis slots 3 and up. These interfaces can also be configured to operate as Gigabit Ethernet interfaces using SFP transceivers. These interfaces also support creating link aggregation groups (LAGs) that can include interfaces from both FIM-7901Es. l Two front panel 10GigE SFP+ interfaces (M1 and M2) that connect to the base backplane channel. These interfaces are used for heartbeat, session sync, and management communication between FIM-7901Es in different chassis. These interfaces can also be configured to operate as Gigabit Ethernet interfaces using SFP transceivers, but should not normally be changed. If you use switches to connect these interfaces, the switch ports should be able to accept packets with a maximum frame size of at least 1526. The M1 and M2 interfaces need to be on different broadcast domains. If M1 and M2 are connected to the same switch, Q-in-Q must be enabled on the switch. l Four 10/100/1000BASE-T out of band management Ethernet interfaces (MGMT1 to MGMT4).
  • One 80Gbps fabric backplane channel for traffic distribution with each FPM module installed in the same chassis as the FIM-7901E.
  • One 1Gbps base backplane channel for base backplane with each FPM module installed in the same chassis as the FIM-7901E.
  • One 40Gbps fabric backplane channel for fabric backplane communication with the other FIM-7901E in the chassis.

FIM-7901E

  • One 1Gbps base backplane channel for base backplane communication with the other FIM-7901E in the chassis. l On-board DP2 processors and an integrated switch fabric to provide high-capacity session-aware load balancing. l One front panel USB port. l Power button. l NMI switch (for troubleshooting as recommended by Fortinet Support). l Mounting hardware. l LED status indicators.

FIM-7901E schematic

The FIM-7901E includes an integrated switch fabric (ISF) that connects the front panel interfaces to the DP2 session-aware load balancers and to the chassis backplanes. The ISF also allows the DP2 processors to distribute sessions amoung all NP6 processors on the FPM modules in the same chassis.

FIM-7901E schematic

FortiGate-7060E

Leave a reply

FortiGate-7060E

The FortiGate-7060E is a 8U 19-inch rackmount 6-slot chassis with a 80Gbps fabric and 1Gbps base backplane designed by Fortinet. The fabric backplane provides network data communication and the base backplane provides management and synch communication among the chassis slots.

FortiGate-7060E front panel

The chassis is managed by two redundant management modules. Each module includes an Ethernet connection as well as two switchable console ports that provide console connections to the modules in the chassis slots. The active management module controls chassis cooling and power management and provides an interface for managing the modules installed in the chassis.

FortiGate-7060E front panel, (example module configuration)

schematic

Power is provided to the chassis using four hot swappable 3+1 redundant 100-240 VAC, 50-60 Hz power supply units (PSUs). You can also optionally add up to six PSUs to provide 3+3 redundancy. The FortiGate-7060E can also be equipped with DC PSUs allowing you to connect the chassis to -48V DC power

The standard configuration of the FortiGate-7060E includes two FIM (interface) modules in chassis slots 1 and 2 and up to four FPM (processing) modules in chassis slots 3 to 6.

FortiGate-7060E schematic

The FortiGate-7060E chassis schematic below shows the communication channels between chassis components including the management modules (MGMT), the FIM modules (called FIM1 and FIM2) and the FPM modules (FPM3, FPM4, FPM5, and FPM6).

By default MGMT2 is the active management module and MGMT1 is inactive. The active management module always has the IPMB address 0x20 and the inactive management module always has the IPMB address 0x22.

The active management module communicates with all modules in the chassis over the base backplane. Each module, including the management modules has a Shelf Management Controller (SMC). These SMCs support Intelligent Platform Management Bus (IPMB) communication between the active management module and the FIM and FPM modules for storing and sharing sensor data that the management module uses to control chassis cooling and power distribution. The base backplane also supports serial communications to allow console access from the management module to all modules, and 1Gbps Ethernet communication for management and heartbeat communication between modules.

FIM1 and FIM2 (IPMB addresses 0x82 and 0x84) are the FIM modules in slots 1 and 2. The interfaces of these modules connect the chassis to data networks and can be used for Ethernet management access to chassis components. The FIM modules include DP2 processors that distribute sessions over the Integrated Switch Fabric FortiGate-7040E

(ISF) to the NP6 processors in the FPM modules. Data sessions are communicated to the FPM modules over the 80Gbps chassis fabric backplane.

FPM03, FPM04, FPM05, and FPM06 (IPMB addresses 0x86, 0x88, 0x8A, and 0x8C) are the FPM processor modules in slots 3 to 6. These worker modules process sessions distributed to them by the FIM modules. FPM modules include NP6 processors to offload sessions from the FPM CPU and CP9 processors that accelerate content processing.

FortiGate-7040E

The FortiGate-7040E is a 6U 19-inch rackmount 4-slot chassis with a 80Gbps fabric and 1Gbps base backplane designed by Fortinet. The fabric backplane provides network data communication and the base backplane provides management and synch communication among the chassis slots.

FortiGate-7040E front panel

The FortiGate-7040E chassis is managed by a single management module that includes an Ethernet connection as well as two switchable console ports that provide console connections to the modules in the chassis slots. The management module controls chassis cooling and power management and provides an interface for managing the modules installed in the chassis. The standard configuration of the FortiGate-7040E includes two FIM (interface) modules in chassis slots 1 and 2 and two FPM (processing) modules in chassis slots 3 and 4.

FortiGate-7040E front panel

 

FortiGate-7040E schematic

The FortiGate-7040E chassis schematic below shows the communication channels between chassis components including the management module (MGMT), the FIM modules (called FIM1 and FIM2) and the FPM modules (FPM3 and FPM4).

The management module (MGMT, with IPMB address 0x20) communicates with all modules in the chassis over the base backplane. Each module, including the management module includes a Shelf Management Controller (SMC). These SMCs support Intelligent Platform Management Bus (IPMB) communication between the management module and the FIM and FPM modules for storing and sharing sensor data that the management module uses to control chassis cooling and power distribution. The base backplane also supports serial communications to allow console access from the management module to all modules, and 1Gbps Ethernet communication for management and heartbeat communication between modules.

FIM1 and FIM2 (IPMB addresses 0x82 and 0x84) are the FIM modules in slots 1 and 2. The interfaces of these modules connect the chassis to data networks and can be used for Ethernet management access to chassis components. The FIM modules include DP2 processors that distribute sessions over the Integrated Switch Fabric (ISF) to the NP6 processors in the FPM modules. Data sessions are communicated to the FPM modules over the 80Gbps chassis fabric backplane.

FPM3 and FPM4 (IPMB addresses 0x86 and 0x88) are the FPM processor modules in slots 3 and 4. These worker modules process sessions distributed to them by the FIM modules. FPM modules include NP6 processors to offload sessions from the FPM CPU and CP9 processors that accelerate content processing.

FortiGate-7030E

The FortiGate-7030E is a 6U 19-inch rackmount 3-slot chassis with a 80Gbps fabric and 1Gbps base backplane designed by Fortinet. The fabric backplane provides network data communication and the base backplane provides management and synch communication among the chassis slots.

FortiGate-7060E

FortiGate-7030E front panel

The FortiGate-7030E chassis is managed by a single management module that includes an Ethernet connection as well as two switchable console ports that provide console connections to the modules in the chassis slots. The management module controls chassis cooling and power management and provides an interface for managing the modules installed in the chassis. The standard configuration of the FortiGate-7030E includes one FIM (interface) module in chassis slot 1 and two FPM (processing) modules in chassis slots 3 and 4. The front panel also includes a sealed blank panel. Breaking the seal or removing the panel voids your FortiGate-7030E warranty. FortiGate-7030E front panel (example module configuration)

(missing or bad snippet)

FortiGate-7030E schematic

The FortiGate-7030E chassis schematic below shows the communication channels between chassis components including the management module (MGMT), the FIM module (called FIM1) and the FPM modules (FPM3 and FPM4).

The management module (MGMT, with IPMB address 0x20) communicates with all modules in the chassis over the base backplane. Each module, including the management module includes a Shelf Management Controller (SMC). These SMCs support Intelligent Platform Management Bus (IPMB) communication between the management module and the FIM and FPM modules for storing and sharing sensor data that the management module uses to control chassis cooling and power distribution. The base backplane also supports serial communications to allow console access from the management module to all modules, and 1Gbps Ethernet communication for management and heartbeat communication between modules.

FIM1 (IPMB address 0x82) is the FIM module in slot 1. The interfaces of this module connect the chassis to data networks and can be used for Ethernet management access to chassis components. The FIM module include DP2 processors that distribute sessions over the Integrated Switch Fabric (ISF) to the NP6 processors in the FPM modules. Data sessions are communicated to the FPM modules over the 80Gbps chassis fabric backplane.

FPM3 and FPM4 (IPMB addresses 0x86 and 0x88) are the FPM processor modules in slots 3 and 4. These worker modules process sessions distributed to them by the FIM module. FPM modules include NP6 processors to offload sessions from the FPM CPU and CP9 processors that accelerate content processing.

 

FIM-7901E

FortiGate-7000 overview

Leave a reply

FortiGate-7000 overview

A FortiGate-7000 product consists of a FortiGate-7000 series chassis (for example, the FortiGate-7040E) with FortiGate-7000 modules installed in the chassis slots. A FortiGate-7040E chassis comes with two interface modules (FIM) to be installed in slots 1 and 2 to provide network connections and session-aware load balancing to two processor modules (FPM) to be installed in slots 3 and 4.

FortiGate-7000 products are sold and licensed as packages that include the chassis as well as the modules to be included in the chassis. When you receive your FortiGate-7000 series product the chassis has to be installed in a rack and the modules installed in the chassis. Interface modules always go in slots 1 and 2 and processor modules in slots 3 and up.

If your FortiGate-7000 product includes two different interfaces modules, for optimal configuration you should install the module with the lower model number in slot 1 and the module with the higher model number in slot 2. For example, if your chassis includes a FIM-7901E and a FIM-7904E, install the FIM-7901E in chassis slot 1 and the FIM-7904E in chassis slot 2. This applies to any combination of two different interface modules.

As an administrator, when you browse to the FortiGate-7000 management IP address you log into the interface module in slot 1 (the primary or master interface module or FIM) to view the status of the FortiGate-7000 and make configuration changes. The FortiOS firmware running on each module has the same configuration and when you make configuration changes to the primary interface module, the configuration changes are synchronized to all modules.

The same FortiOS firmware build runs on each module in the chassis. You can upgrade FortiGate-7000 firmware by logging into the primary interface module and performing a firmware upgrade as you would for any FortiGate. During the upgrade process the firmware of all of the modules in the chassis upgrades in one step. Firmware upgrades should be done during a quiet time because traffic will briefly be interrupted during the upgrade process.

Licenses, Device Registration, and Support

A FortiGate-7000 product is made up of a FortiGate-7000 series chassis, one or two FIM interface modules and two to four FPM processor modules. The entire package is licensed and configured as a single product under the FortiGate-7000 chassis serial number. When you receive a new FortiGate-7000 product you register it on https://support.fortinet.com using the chassis serial number. Use the chassis serial number when requesting support from Fortinet for the product.

All Fortinet licensing, including FortiCare Support, IPS, AntiVirus, Web Filtering, Mobile Malware, FortiClient, FortiCloud, and additional virtual domains (VDOM) is for the entire FortiGate-7000 product and not for individual components.

If an individual component, such as a single interface or processor fails you can RMA and replace just that component.

FortiGate 7000 FortiOS 5.4.5 Admin Guide

Leave a reply

Introduction

This document describes what you need to know to get started using a FortiGate-7000 product. Also included are details about CLI commands that are specific to FortiGate-7000 products.

This FortiOS Handbook chapter contains the following sections:

FortiGate-7000 overview provides a quick overview of FortiGate-7000 components.

Getting started with FortiGate-7000 describes how to get started with managing and configuring your FortiGate7000 product.

FortiGate-7000 Load balancing commands describes FortiGate-7000 load balancing CLI commands.

What’s new in for FortiGate-7000 v5.4.5

The following new features have been added to FortiGate-7000 v5.4.5.

M1 and M2 interfaces can use different VLANs for heartbeat traffic (408386)

The M1 and M2 interfaces can be configured to use different VLANs for HA heartbeat traffic.

The following command now configures the VLAN used by the M1 interface (default 999):

config system ha set hbdev-vlan-id 999

end

The following new command configures the VLAN used by the M2 interface (default 1999):

config system ha set hbdev-second-vlan-id 1999

end

GTP load balancing

GTP load balancing is supported for FortiGate-7000 configurations licensed for FortiOS Carrier. You can use the following command to enable GTP load balancing. This command is only available after you have licensed the FortiGate-7000 for FortiOS Carrier.

config load-balance setting set gtp-load-balance enable

end

FSSO user authentication is synchronized

FSSO user authentication is synchronized to all FIM and FPM modules. FSSO users are no longer required to reauthenticate when sessions are processed by a different FIM or FPM module.

What’s new in for FortiGate-7000 v5.4.5                                                                                                Introduction

HA Link failure threshold changes (422264 )

The link failure threshold is now determined based on the all FIM modules in a chassis. This means that the chassis with the fewest active links will become the backup chassis.

FortiGate-7000s running FortiOS v5.4.5 can be configured as dialup IPsec VPN servers

The following shows how to setup a dialup IPsec VPN configuration where the FortiGate-7000 running v5.4.5 acts as a dialup IPsec VPN server.

Configure the phase1, set type to dynamic.

config vpn ipsec phase1-interface edit dialup-server set type dynamic set interface “v0020” set peertype any set psksecret < password>

end

Configure the phase 2, to support dialup IPsec VPN, set the destination subnet to 0.0.0.0 0.0.0.0.

config vpn ipsec phase2-interface edit dialup-server set phase1name dialup-server set src-subnet 4.2.0.0 255.255.0.0 set dst-subnet 0.0.0.0 0.0.0.0

end

To configure the remote FortiGate as a dialup IPsec VPN client

The dialup IPsec VPN client should advertise its local subnet(s) using the phase 2 src-subnet option.

If there are multiple local subnets create a phase 2 for each one. Each phase 2 only advertises one local subnet to the dialup IPsec VPN server. If more than one local subnet is added to the phase 2, only the first one is advertised to the server.

Dialup client configuration:

config vpn ipsec phase1-interface

Introduction                                                                                                What’s new in for FortiGate-7000 v5.4.5

edit “to-fgt7k” set interface “v0020” set peertype any set remote-gw 1.2.0.1 set psksecret <password>

end

config vpn ipsec phase2-interface edit “to-fgt7k” set phase1name “to-fgt7k” set src-subnet 4.2.6.0 255.255.255.0 set dst-subnet 4.2.0.0 255.255.0.0

next edit “to-fgt7k-2” set phase1name “to-fgt7k” set src-subnet 4.2.7.0 255.255.255.0 set dst-subnet 4.2.0.0 255.255.0.0 end

Licenses, Device Registration, and Support                                                                         FortiGate-7000 overview

Diagnose commands for WAN Optimization

Leave a reply

Diagnose commands for WAN Optimization

The following get and diagnose commands are available for troubleshooting WAN optimization, web cache, explicit proxy and WCCP.

get test {wad | wccpd} <test_level>

Display usage information about WAN optimization, explicit proxy, web cache, and WCCP applications. Use <test_level> to display different information.

get test wad <test_level> get test wccpd <test_level>

Variable Description
wad Display information about WAN optimization, web caching, the explicit web proxy, and the explicit FTP proxy.
wccpd Display information about the WCCP application.

Examples

Enter the following command to display WAN optimization tunnel protocol statistics. The http tunnel and tcp tunnel parts of the command output below shows that WAN optimization has been processing HTTP and TCP packets.

get test wad 1

WAD manager process status: pid=113 n_workers=1 ndebug_workers=0 Enter the following command to display all test options:

get test wad

WAD process 82 test usage:

1: display process status 2: display total memory usage.

99: restart all WAD processes 1000: List all WAD processes.

1001: dispaly debug level name and values 1002: dispaly status of WANOpt storages 1068: Enable debug for all WAD workers.

1069: Disable debug for all WAD workers.

2yxx: Set No. xx process of type y as diagnosis process. 3: display all fix-sized advanced memory stats

4: display all fix-sized advanced memory stats in details

500000..599999: cmem bucket stats (599999 for usage)

800..899: mem_diag commands (800 for help & usage)

800000..899999: mem_diag commands with 1 arg (800 for help & usage) 80000000..89999999: mem_diag commands with 2 args (800 for help & usage) 60: show debug stats.

diagnose wad

61: discard all wad debug info that is currently pending

62xxx: set xxxM maximum ouput buffer size for WAD debug. 0, set back to default.

68: Enable process debug

69: Disable process debug

98: gracefully stopping WAD process

9xx: Set xx workers(0: default based on user configuration.)

diagnose wad

Display diagnostic information about the WAN optimization daemon (wad).

diagnose wad console-log {disable | enable) diagnose wad debug-url {disable | enable)

diagnose wad filter {clear | dport | dst | list | negate | protocol | sport | src | vd} diagnose wad history {clear | list} diagnose wad session {clear | list}

diagnose wad stats {cache | cifs | clear | crypto | ftp | http | list | mapi | mem | scan | scripts | summary | tcp | tunnel}

diagnose wad user {clear | list} diagnose wad tunnel {clear | list}1

diagnose wad webcache {clear | list} {10min | hour | day | 30days}

Variable Description
console-log Enable or disable displaying WAN optimization log messages on the CLI console.
filter Set a filter for listing WAN optimization daemon sessions or tunnels. clear reset or clear the current log filter settings. dport enter the destination port range to filter by. dst enter the destination address range to filter by.

list display the current log filter settings
history Display statistics for one or more WAN optimization protocols for a specified period of time (the last 10 minutes, hour, day or 30 days).
session Display diagnostics for WAN optimization sessions or clear active sessions.
stats Display statistics for various parts of WAN optimization such as cache statistics, CIFS statistics, MAPI statistics, HTTP statistics, tunnel statistics etc. You can also clear WAN optimization statistics and display a summary.
tunnel Display diagnostic information for one or all active WAN optimization tunnels. Clear all active tunnels. Clear all active tunnels.
webcache Display web cache activity for the specified time period.

wad

Example diagnose wad tunnel list

Enter the following command to list all of the running WAN optimization tunnels and display information about each one. The command output shows 10 tunnels all created by peer-to-peer WAN optimization rules (autodetect set to off).

diagnose wad tunnel list

Tunnel: id=100 type=manual vd=0 shared=no uses=0 state=3

peer name=Web_servers id=100 ip=172.20.120.141

SSL-secured-tunnel=no auth-grp= bytes_in=348 bytes_out=384

Tunnel: id=99 type=manual vd=0 shared=no uses=0 state=3

peer name=Web_servers id=99 ip=172.20.120.141

SSL-secured-tunnel=no auth-grp= bytes_in=348 bytes_out=384

Tunnel: id=98 type=manual vd=0 shared=no uses=0 state=3

peer name=Web_servers id=98 ip=172.20.120.141

SSL-secured-tunnel=no auth-grp= bytes_in=348 bytes_out=384

Tunnel: id=39 type=manual vd=0 shared=no uses=0 state=3

peer name=Web_servers id=39 ip=172.20.120.141

SSL-secured-tunnel=no auth-grp= bytes_in=1068 bytes_out=1104

Tunnel: id=7 type=manual vd=0 shared=no uses=0 state=3

peer name=Web_servers id=7 ip=172.20.120.141

SSL-secured-tunnel=no auth-grp= bytes_in=1228 bytes_out=1264

Tunnel: id=8 type=manual vd=0 shared=no uses=0 state=3

peer name=Web_servers id=8 ip=172.20.120.141

SSL-secured-tunnel=no auth-grp= bytes_in=1228 bytes_out=1264

Tunnel: id=5 type=manual vd=0 shared=no uses=0 state=3

peer name=Web_servers id=5 ip=172.20.120.141

SSL-secured-tunnel=no auth-grp= bytes_in=1228 bytes_out=1264

Tunnel: id=4 type=manual vd=0 shared=no uses=0 state=3

peer name=Web_servers id=4 ip=172.20.120.141

SSL-secured-tunnel=no auth-grp= bytes_in=1228 bytes_out=1264

diagnose wad

Tunnel: id=1 type=manual vd=0 shared=no uses=0 state=3

peer name=Web_servers id=1 ip=172.20.120.141

SSL-secured-tunnel=no auth-grp= bytes_in=1228 bytes_out=1264

Tunnel: id=2 type=manual vd=0 shared=no uses=0 state=3

peer name=Web_servers id=2 ip=172.20.120.141

SSL-secured-tunnel=no auth-grp= bytes_in=1228 bytes_out=1264

Tunnels total=10 manual=10 auto=0

Example diagnose wad webcache list

This following command displays the web caching stats for the last 10 minutes of activity. The information displayed is divided into 20 slots and each slot contains stats for 30 seconds:

20 * 30 seconds = 600 seconds = 10 minutes

diagnose wad webcache list 10min web cache history vd=0 period=last 10min

The first 20 slots are for HTTP requests in the last 10 minutes. Each slot of stats has four numbers, which is the total number of HTTP requests, the number of cacheable HTTP requests, the number of HTTP requests that are processed by the web cache (hits), and the number of HTTP requests that are processed without checking the web cache (bypass). There are many reasons that a HTTP request may bypass web cache.

total        cacheable     hits         bypass

———— ————- ———— ————-
36                    10            3 1
128                    92            1 10
168                    97            2 3
79                    56            0 3
106                    64            5 3
180                    118           6 11
88                    53            7 3
80                    43            4 4
107                    44            9 2
84                    12            0 2
228                    139           52 10
32                    2             0 5
191 88           13 7
135                    25            40 3
48                    10            0 8
193                    13            7 7
67                    31            1 2
109         35             24 6
117          36           10 5
22          0              0 4

wacs

The following slots are for video requests in the last 10 minutes. Each slot has two numbers for each 30 seconds: total number of video requests, and the number of video requests that are processing using cached data.

video total video hit

———— ————-

0            0

0            0

0            0

0            0

0            0

0            0

0            0

0            0

0            0

0            0

0            0

0            0

0            0

0            0

0            0

The following 20 slots are for traffic details in last 10 minutes. Each slot has four numbers for 30 seconds each.

— LAN —                — WAN —

bytes_in     bytes_out     bytes_in     bytes_out

———— ————- ———— ————-

34360       150261        141086       32347

105408       861863        858501       100670

128359       1365919       1411849     127341

60103        602813        818075      59967

105867       1213192       1463736      97489

154961       1434784       1344911      158667

73967        370275        369847       70626

129327       602834        592399      123676

115719       663446        799445      111262

58151       724993        631721       59989

175681      2092925       1092556      166212

37805        33042        41528        37779

183686       1255118       1114646     172371

106125       904178        807152       81520

66147        473983       543507       66782

170451      1289530      1201639       165540

69196       544559       865370       68446

134142      579605        821430      132113

96895       668037       730633      89872

59576       248734     164002 59448 diagnose wacs

Display diagnostic information for the web cache database daemon (wacs).

diagnose wacs clear diagnose wacs recents diagnose wacs restart diagnose wacs stats

diagnose wadbd

Variable Description
clear Remove all entries from the web cache database.
recents Display recent web cache database activity.
restart Restart the web cache daemon and reset statistics.
stats Display web cache statistics.

diagnose wadbd

Display diagnostic information for the WAN optimization database daemon (waddb).

diagnose wadbd {check | clear | recents | restart | stats}

Variable Description
check Check WAN optimization database integrity.
clear Remove all entries from the WAN optimization database.
recents Display recent WAN optimization database activity.
restart Restart the WAN optimization daemon and reset statistics.
stats Display WAN optimization statistics.

diagnose debug application {wad | wccpd} [<debug_level>]

View or set the debug level for displaying WAN optimization and web cache-related daemon debug messages. Include a <debug_level> to change the debug level. Leave the <debug_level> out to display the current debug level. Default debug level is 0.

diagnose debug application wad [<debug_level>] diagnose debug application wccpd [<debug_level>]

Variable Description
wad Set the debug level for the WAN optimization daemon.
wccpd Set the debug level for the WCCP daemon.

test application wad 2200

diagnose test application wad 2200

The debug level 2200 switches the debug to explicit proxy mode. You have to enter this debug level first. After that you have to type the command again with a different debug level to check the different explicit proxy statistics. To list what each debug level shows, follow these steps in any FortiGate device:

  1. Enable explicit proxy globally and in one interface, to start the wad process. If the wad process is not running, you cannot list the options.
  2. Once the wad process starts, type:

diagnose test application wad 2200 diagnose test application wad ///// Do not type any debug level value to list all the options.

This is the output you will get:

# diagnose test application wad 2200

Set diagnosis process: type=wanopt index=0 pid=114 # diagnose test application wad WAD process 114 test usage:

1: display process status

2: display total memory usage

99: restart all WAD processes

1000: List all WAD processes

1001: dispaly debug level name and values

1002: dispaly status of WANOpt storages

1068: Enable debug for all WAD workers

1069: Disable debug for all WAD workers

2yxx: Set No. xx process of type y as diagnosis process

3: display all fix-sized advanced memory stats

4: display all fix-sized advanced memory stats in details

500000..599999: cmem bucket stats (599999 for usage)

800..899: mem_diag commands (800 for help & usage)

800000..899999: mem_diag commands with 1 arg (800 for help & usage)

80000000..89999999: mem_diag commands with 2 args (800 for help & usage)

60: show debug stats

61: discard all wad debug info that is currently pending

62xxx: set xxxM maximum ouput buffer size for WAD debug (0: set back to default)

68: Enable process debug

69: Disable process debug

98: gracefully stopping WAD process

20: display all listeners 21: display TCP port info

22: display SSL stats

23: flush SSL stats

24: display SSL mem stats

70: display av memory usage

71xxxx: set xxxxMiB maximum AV memory (0: set back to default)

72: toggle av memory protection

73: toggle AV conserve mode (for debug purpose)

90: set to test disk failure

91: unset to test disk failure

92: trigger a disk failure event

100: display explicit proxy settings

101: display firewall policies

102: display security profile mapping for regular firewall policy

diagnose test application wad 2200

103: display Web proxy forwarding server and group

104: display DNS stats

105: display proxy redirection scan stats

106: list all used fqdns

107: list all firewall address

110: display current web proxy users

111: flush current web proxy users

112: display current web proxy user summary

113: display WAD fsso state

114: display HTTP digest stats

115: display URL patterns list of cache exemption or forward server

116: toggle dumping URL when daemon crashes

120: display Web Cache stats

121: flush Web Cache stats

122: flush idle Web cache objects

123: display web cache cache sessions

130: display ftpproxy stats

131: clear ftpproxy stats

132: list all current ftpproxy sessions

133: display all catched webfilter profiles

200: display WANopt profiles

201: display all peers

202: display video cache rules (patterns)

203: display all ssl servers

210: toggle disk-based byte-cache

211: toggle memory-based byte-cache

212: toggle cifs read-ahead

221: display tunnel protocol stats

222: flush tunnel protocol stats

223: display http protocol stats

224: flush http protocol stats

225: display cifs protocol stats

226: flush cifs protocol stats

227: display ftp protocol stats

228: flush ftp protocol stats

229: display mapi protocol stats

230: flush mapi protocol stats

231: display tcp protocol stats

232: flush tcp protocol stats

233: display all protocols stats

234: flush all protocols stats

240: display WAD tunnel stats

241: display tunnel compressor state

242: flush tunnel compressor stats

243: display Byte Cache DB state

244: flush Byte Cache DB stats

245: display Web Cache DB state

246: flush Web Cache DB stats

247: display cache state

248: flush cache stats

249: display memory cache state

250: flush memory cache stats

261yxxx: set xxx concurrent Web Cache session for object storage y

262yxxx: set xxxK(32K, 64K,…) unconfirmed write/read size per Web Cache object for object storage y

263yxxxx: set xxxxK maximum ouput buffer size for object storage y

test application wad 2200

264yxx: set lookup lowmark (only if more to define busy status) to be xx for object storage y

265yxxx: set xxxK maximum ouput buffer size for byte storage y

266yxxx: set number of buffered add requests to be xxx for byte storage y

267yxxxx: set number of buffered query requests to be xxxx for byte storage y

268yxxxxx: set number of concurrent query requests to be xxxxx for byte storage y

FTP Proxy Configuration

Leave a reply

FTP Proxy Configuration

General explicit FTP proxy configuration steps

You can use the following general steps to configure the explicit FTP proxy.

To enable the explicit FTP proxy – web-based manager:

  1. Go to Network > Explicit Proxy > Explicit FTP Proxy Options. Select Enable Explicit FTP Proxy to turn on the explicit FTP proxy.
  2. Select Apply.

The Default Firewall Policy Action is set to Deny and requires you to add a explicit FTP proxy policy to allow access to the explicit FTP proxy. This configuration is recommended and is a best practice because you can use policies to control access to the explicit FTP proxy and also apply security features and authentication.

  1. Go to Network > Interfaces and select one or more interfaces for which to enable the explicit web proxy. Edit the interface and select Enable Explicit FTP Proxy.

Enabling the explicit FTP proxy on an interface connected to the Internet is a security risk because anyone on the Internet who finds the proxy could use it to hide their source address. If you enable the proxy on such an interface make sure authentication is required to use the proxy.

  1. Go to Policy & Objects > Proxy Policyand select Create New and set the Explicit Proxy Type to

You can add multiple explicit FTP proxy policies.

  1. Configure the policy as required to accept the traffic that you want to be processed by the explicit FTP proxy.

The source address of the policy should match client source IP addresses. The firewall address selected as the source address cannot be assigned to a FortiGate interface. The Interface field of the firewall address must be blank or it must be set to Any.

The destination address of the policy should match the IP addresses of FTP servers that clients are connecting to. The destination address could be all to allow connections to any FTP server.

If Default Firewall Policy Action is set to Deny, traffic sent to the explicit FTP proxy that is not accepted by an explicit FTP proxy policy is dropped. If Default Firewall Policy Action is set to Allow then all FTP proxy sessions that don’t match a policy are allowed.

For example the following explicit FTP proxy policy allows users on an internal network to access FTP servers on the Internet through the wan1 interface of a FortiGate unit.

Explicit Proxy Type FTP

 

FTP Proxy Configuration                                                                       General explicit FTP proxy configuration steps

Source Address Internal_subnet
Outgoing Interface wan1
Destination Address all
Schedule always
Action ACCEPT

The following explicit FTP proxy policy requires users on an internal network to authenticate with the FortiGate unit before accessing FTP servers on the Internet through the wan1 interface.

Explicit Proxy Type FTP
Source Address Internal_subnet
Outgoing Interface wan1
Destination Address all
Action AUTHENTICATE
  1. Select Create New to add an Authentication Rule and configure the rule as follows:
Groups Proxy-Group
Source Users (optional)
Schedule always
  1. Add security profiles as required and select OK.
  2. You can add multiple authentication rules to apply different authentication for different user groups and users and also apply different security profiles and logging settings for different users.
  3. Select OK.

To enable the explicit FTP proxy – CLI:

  1. Enter the following command to turn on the explicit FTP proxy. This command also changes the explicit FTP proxy port to 2121.

config ftp-proxy explicit set status enable set incoming-port 2121

end

The default explicit FTP proxy configuration has sec-default-action set to deny and requires you to add a security policy to allow access to the explicit FTP proxy.

  1. Enter the following command to enable the explicit FTP proxy for the internal interface. config system interface edit internal set explicit-ftp-proxy enable

end end

Restricting the IP address of the explicit FTP proxy                                                                FTP Proxy Configuration

  1. Use the following command to add a firewall address that matches the source address of users who connect to the explicit FTP proxy.

config firewall address edit Internal_subnet set type iprange set start-ip 10.31.101.1 set end-ip 10.31.101.255

end

The source address for a ftp-proxy security policy cannot be assigned to a FortiGate unit interface.

  1. Use the following command to add an explicit FTP proxy policy that allows all users on the internal subnet to use the explicit FTP proxy for connections through the wan1 interface to the Internet.

config firewall proxy-policy edit 0 set proxy ftp set dstintf wan1 set scraddr Internal_subnet

set dstaddr all set action accept set schedule always

end

  1. Use the following command to add an explicit FTP proxy policy that allows authenticated users on the internal subnet to use the explicit FTP proxy for connections through the wan1 interface to the Internet.

config firewall proxy-policy edit 0 set proxy ftp set dstintf wan1 set scraddr Internal_subnet set dstaddr Fortinet-web-sites set action accept set schedule always set groups <User group>

end

end

Restricting the IP address of the explicit FTP proxy

You can use the following command to restrict access to the explicit FTP proxy using only one IP address. The IP address that you specify must be the IP address of an interface that the explicit FTP proxy is enabled on. You might want to use this option if the explicit FTP proxy is enabled on an interface with multiple IP addresses.

For example, to require uses to connect to the IP address 10.31.101.100 to connect to the explicit FTP proxy:

config ftp-proxy explicit set incoming-ip 10.31.101.100 end

FTP Proxy Configuration                                         Restricting the outgoing source IP address of the explicit FTP proxy

Restricting the outgoing source IP address of the explicit FTP proxy

You can use the following command to restrict the source address of outgoing FTP proxy packets to a single IP address. The IP address that you specify must be the IP address of an interface that the explicit FTP proxy is enabled on. You might want to use this option if the explicit FTP proxy is enabled on an interface with multiple IP addresses.

For example, to restrict the outgoing packet source address to 172.20.120.100:

config ftp-proxy explicit set outgoing-ip 172.20.120.100

end

Example users on an internal network connecting to FTP servers on the Internet through the explicit FTP with RADIUS authentication and virus scanning

This example describes how to configure the explicit FTP proxy for the example network shown below. In this example, users on the internal network connect to the explicit FTP proxy through the Internal interface with IP address 10.31.101.100. The explicit web proxy is configured to use port 2121 so to connect to an FTP server on the Internet users must first connect to the explicit FTP proxy using IP address 10.31.101.100 and port 2121.

Example explicit FTP proxy network topology

In this example, explicit FTP proxy users must authenticate with a RADIUS server before getting access to the proxy. To apply authentication, the security policy that accepts explicit FTP proxy traffic includes an identity based policy that applies per session authentication to explicit FTP proxy users and includes a user group with the RADIUS server in it. The identity based policy also applies UTM virus scanning and DLP.

General configuration steps

This section breaks down the configuration for this example into smaller procedures. For best results, follow the procedures in the order given:

  1. Enable the explicit FTP proxy and change the FTP port to 2121.
  2. Enable the explicit FTP proxy on the internal interface.

 

Example users on an internal network connecting to FTP servers on the Internet through      explicit               FTP Proxy

FTP with RADIUS authentication and virus scanning                                                                              Configuration

  1. Add a RADIUS server and user group for the explicit FTP proxy.
  2. Add a user identity security policy for the explicit FTP proxy.
  3. Enable antivirus and DLP features for the identity-based policy.

Configuring the explicit FTP proxy – web-based manager

Use the following steps to configure the explicit FTP proxy from FortiGate web-based manager.

To enable and configure the explicit FTP proxy

  1. Go to Network > Explicit Proxy > Explicit FTP Proxy Options and change the following settings:
Enable Explicit FTP Proxy Select.
Listen on Interface No change. This field will eventually show that the explicit web proxy is enabled for the Internal interface.
FTP Port 2121
Default Firewall Policy Action Deny
  1. Select Apply.

To enable the explicit FTP proxy on the Internal interface

  1. Go to Network > Interfaces, edit the Internal interface and select Enable Explicit FTP Proxy.

To add a RADIUS server and user group for the explicit FTP proxy

  1. Go to User & Device > RADIUS Servers.
  2. Select Create New to add a new RADIUS server:
Name RADIUS_1
Primary Server Name/IP 10.31.101.200
Primary Server Secret RADIUS_server_secret
  1. Go to User > User > User Groups and select Create New.
Name Explict_proxy_user_group
Type Firewall
Remote groups RADIUS_1
Group Name ANY
  1. Select OK.

FTP Proxy               Example users on an internal network connecting to FTP servers on      Internet through the explicit

Configuration                                                                              FTP with RADIUS authentication and virus scanning

To add a security policy for the explicit FTP proxy

  1. Go to Policy & Objects > Addresses and select Create New.
  2. Add a firewall address for the internal network:
Address Name Internal_subnet
Type Subnet
Subnet / IP Range 10.31.101.0
Interface Any
  1. Go to Policy & Objects > Proxy Policyand select Create New.
  2. Configure the explicit FTP proxy security policy.
Explicit Proxy Type FTP
Source Address Internal_subnet
Outgoing Interface wan1
Destination Address all
Action AUTHENTICATE
  1. Under Configure Authentication Rules select Create New to add an authentication rule:
Groups   Explicit_policy
Users   Leave blank
Schedule   always
  1. Turn on Antivirus and Web Filter and select the default profiles for both.
  2. Select the default proxy options profile.
  3. Select OK.
  4. Make sure Enable IP Based Authentication is not selected and DefaultAuthentication Method is set to Basic.
  5. Select OK.

Configuring the explicit FTP proxy – CLI

Use the following steps to configure the example explicit web proxy configuration from the CLI.

To enable and configure the explicit FTP proxy

  1. Enter the following command to enable the explicit FTP proxy and set the TCP port that proxy accepts FTP connections on to 2121.

config ftp-proxy explicit set status enable set incoming-port 2121

Example users on an internal network connecting to FTP servers on the Internet through      explicit               FTP Proxy

FTP with RADIUS authentication and virus scanning                                                                              Configuration

set sec-default-action deny

end

To enable the explicit FTP proxy on the Internal interface

  1. Enter the following command to enable the explicit FTP proxy on the internal interface. config system interface edit internal set explicit-ftp-proxy enable

end

To add a RADIUS server and user group for the explicit FTP proxy

  1. Enter the following command to add a RADIUS server:

config user radius edit RADIUS_1 set server 10.31.101.200 set secret RADIUS_server_secret

end

  1. Enter the following command to add a user group for the RADIUS server.

config user group edit Explicit_proxy_user_group set group-type firewall set member RADIUS_1

end

To add a security policy for the explicit FTP proxy

  1. Enter the following command to add a firewall address for the internal subnet: config firewall address edit Internal_subnet set type iprange set start-ip 10.31.101.1 set end-ip 10.31.101.255

end

  1. Enter the following command to add the explicit FTP proxy security policy: config firewall proxy-policy edit 0 set proxy ftp set dstintf wan1 set srcaddr Internal_subnet

set dstaddr all set action accept set identity-based enable set ipbased disable set active-auth-method basic set groups <User group> end

FTP Proxy               Example users on an internal network connecting to FTP servers on      Internet through the explicit

Configuration                                                                              FTP with RADIUS authentication and virus scanning

Testing and troubleshooting the configuration

You can use the following steps to verify that the explicit FTP proxy configuration is working as expected. These steps use a command line FTP client.

To test the explicit web proxy configuration

  1. From a system on the internal network start an FTP client and enter the following command to connect to the FTP proxy:

ftp 10.31.101.100

The explicit FTP proxy should respond with a message similar to the following:

Connected to 10.31.101.100. 220 Welcome to Floodgate FTP proxy Name (10.31.101.100:user):

  1. At the prompt enter a valid username and password for the RADIUS server followed by a user name for an FTP server on the Internet and the address of the FTP server. For example, if a valid username and password on the RADIUS server is ex_name and ex_pass and you attempt to connect to an FTP server at ftp.example.com with user name s_name, enter the following at the prompt:

Name (10.31.101.100:user):ex_name:ex_pass:s_name@ftp.example.com

  1. You should be prompted for the password for the account on the FTP server.
  2. Enter the password and you should be able to connect to the FTP server.
  3. Attempt to explore the FTP server file system and download or upload files.
  4. To test UTM functionality, attempt to upload or download an ECAR test file. Or upload or download a text file containing text that would be matched by the DLP sensor.

For eicar test files, go to http://eicar.org.

 

get test {wad | wccpd} <test_level>

The FortiGate explicit FTP proxy

Leave a reply

The FortiGate explicit FTP proxy

You can use the FortiGate explicit FTP proxy to enable explicit FTP proxying on one or more FortiGate interfaces. The explicit web and FTP proxies can be operating at the same time on the same or on different FortiGate interfaces.

In most cases you would configure the explicit FTP proxy for users on a network by enabling the explicit FTP proxy on the FortiGate interface connected to that network. Users on the network would connect to and authenticate with the explicit FTP proxy before connecting to an FTP server. In this case the IP address of the explicit FTP proxy is the IP address of the FortiGate interface on which the explicit FTP proxy is enabled.

Enabling the explicit FTP proxy on an interface connected to the Internet is a security risk because anyone on the Internet who finds the proxy could use it to hide their source address.

If the FortiGate unit is operating in Transparent mode, users would configure their browsers to use a proxy server with the FortiGate unit management IP address.

The FTP proxy receives FTP sessions to be proxied at FortiGate interfaces with the explicit FTP proxy enabled.

The FTP proxy uses FortiGate routing to route sessions through the FortiGate unit to a destination interface. Before a session leaves the exiting interface, the explicit FTP proxy changes the source addresses of the session packets to the IP address of the exiting interface. When the FortiGate unit is operating in Transparent mode the explicit web proxy changes the source addresses to the management IP address.

Example explicit FTP proxy topology

To allow anyone to anonymously log into explicit FTP proxy and connect to any FTP server you can set the explicit FTP proxy default firewall proxy action to accept. When you do this, users can log into the explicit FTP proxy with any username and password.

In most cases you would want to use explicit proxy policies to control explicit FTP proxy traffic and apply security features, access control/authentication, and logging. You can do this by keeping the default explicit FTP proxy firewall policy action to deny and then adding explicit FTP proxy policies. In most cases you would also want users to authenticate with the explicit FTP proxy. By default an anonymous FTP login is required. Usually you would add authentication to explicit FTP proxy policies. Users can then authenticate with the explicit FTP proxy according to users or user groups added to the policies. User groups added to explicit FTP proxy policies can use any authentication method supported by FortiOS including the local user database and RADIUS and other remote servers.

How to use                                 to connect to an FTP server                                   The FortiGate explicit         proxy

If you leave the default firewall policy action set to deny and add explicit FTP proxy policies, all connections to the explicit FTP proxy must match an or else they will be dropped. Sessions that are accepted are processed according to the ftp-proxy security policy settings.

You can also change the explicit FTP proxy default firewall policy action to accept and add explicit FTP proxy policies. If you do this, sessions that match explicit FTP proxy policies are processed according to the policy settings. Connections to the explicit FTP proxy that do not match an explicit FTP proxy policy are allowed and the users can authenticate with the proxy anonymously.

There are some limitations to the security features that can be applied to explicit FTP proxy sessions. See The FortiGate explicit FTP proxy on page 351.

You cannot configure IPsec, SSL VPN, or Traffic shaping for explicit FTP proxy traffic. Explicit FTP proxy policies can only include firewall addresses not assigned to a FortiGate unit interface or with interface set to any. (On the web-based manager you must set the interface to Any. In the CLI you must unset the associatedinterface.)

How to use the explicit FTP proxy to connect to an FTP server

To connect to an FTP server using the explicit FTP proxy, users must run an FTP client and connect to the IP address of a FortiGate interface on which the explicit FTP proxy is enabled. This connection attempt must use the configured explicit FTP proxy port number (default 21).

The explicit FTP proxy is not compatible with using a web browser as an FTP client. To use web browsers as FTP clients configure the explicit web proxy to accept FTP sessions.

The following steps occur when a user starts an FTP client to connect to an FTP server using the explicit FTP proxy. Any RFC-compliant FTP client can be used. This example describes using a command-line FTP client. Some FTP clients may require a custom FTP proxy connection script.

  1. The user enters a command on the FTP client to connect to the explicit FTP proxy.

For example, if the IP address of the FortiGate interface on which the explicit FTP proxy is enabled is 10.31.101.100, enter:

ftp 10.31.101.100

  1. The explicit FTP proxy responds with a welcome message and requests the user’s FTP proxy user name and password and a username and address of the FTP server to connect to: Connected to 10.31.101.100. 220 Welcome to FortiGate FTP proxy Name (10.31.101.100:user):

You can change the message by editing the FTP Explicit Banner Message replacement message.

  1. At the prompt the user enters their FTP proxy username and password and a username and address for the FTP server. The FTP server address can be a domain name or numeric IP address. This information is entered using the following syntax:

<proxy-user>:<proxy-password>:<server-user>@<server-address>

For example, if the proxy username and password are p-name and p-pass and a valid username for the FTP server is s-name and the server’s IP address is ftp.example.com the syntax would be:

p-name:p-pass:s-name@ftp.example.com

How to use the explicit FTP proxy to connect to an        server

  1. The FTP proxy forwards the connection request, including the user name, to the FTP server.
  2. If the user name is valid for the FTP server it responds with a password request prompt.
  3. The FTP proxy relays the password request to the FTP client.
  4. The user enters the FTP server password and the client sends the password to the FTP proxy.
  5. The FTP proxy relays the password to the FTP server.
  6. The FTP server sends a login successful message to the FTP proxy.
  7. The FTP proxy relays the login successful message to the FTP client.
  8. The FTP client starts the FTP session.

All commands entered by the client are relayed by the proxy to the server. Replies from the server are relayed back to the FTP client.

Explicit FTP proxy session

From a simple command line FTP client connecting to an the previous sequence could appear as follows:

 

Security profiles, threat weight, device identification, and the explicit FTP proxy             The FortiGate explicit         proxy

ftp 10.31.101.100 21 Connected to 10.31.101.100.

220 Welcome to FortiGate FTP proxy

Name (10.31.101.100:user): p-name:p-pass:s-name@ftp.example.com 331 Please specify the password. Password: s-pass 230 Login successful.

Remote system type is UNIX

Using binary mode to transfer files. ftp>

Security profiles, threat weight, device identification, and the explicit FTP proxy

You can apply antivirus, data leak prevention (DLP), and SSL/SSH inspection to explicit FTP proxy sessions. Security profiles are applied by selecting them in an explicit FTP proxy policy or an authentication rule in an FTP proxy security policy.

Traffic accepted by explicit FTP proxy policies contributes to threat weight data.

The explicit FTP proxy is not compatible with device identification.

Explicit FTP proxy options and SSL/SSH inspection

Since the traffic accepted by the explicit FTP proxy is known to be FTP and since the ports are already known by the proxy, the explicit FTP proxy does not use the FTP port proxy options settings.

When adding UTM features to an FTP proxy security policy, you must select a proxy options profile. In most cases you can select the default proxy options profile. You could also create a custom proxy options profile.

The explicit FTP proxy supports the following proxy options:

l Block Oversized File and oversized file limit

The explicit FTP proxy does not support the following protocol options: l Client comforting

Explicit FTP proxy sessions and antivirus

For explicit FTP proxy sessions, the FortiGate unit applies antivirus scanning to FTP file GET and PUT requests. The FortiGate unit starts virus scanning a file in an FTP session when it receives a file in the body of an FTP request.

Flow-based virus scanning is not available for explicit FTP proxy sessions. Even if the FortiGate unit is configured to use flow-based antivirus, explicit FTP proxy sessions use the regular virus database.

Explicit FTP proxy sessions and user limits

FTP clients do not open large numbers of sessions with the explicit FTP proxy. Most sessions stay open for a short while depending on how long a user is connected to an FTP server and how large the file uploads or explicit FTP proxy        Explicit FTP proxy sessions and user limits

downloads are. So unless you have large numbers of FTP users, the explicit FTP proxy should not be adding large numbers of sessions to the session table.

Explicit FTP proxy sessions and user limits are combined with explicit web proxy session and user limits. For information about explicit proxy session and user limits, see Explicit proxy sessions and user limits on page 1.

Transparent Proxy Configuration

Leave a reply

Transparent Proxy Configuration

To implement the Transparent proxy, go to System > Settings and scroll down to Operations Settings and set the inspection mode to Proxy.

Then go to System > Feature Visibility and enable Explicit Proxy.

Then go to Security Profiles > Proxy Options, edit a proxy options profile and under Web Options enable HTTP Policy Redirect.

Then go to Policy & Objects > IPv4 Policy and create or edit a policy that accepts traffic that you want to apply web authentication to. This can be a general policy that accepts many different types of traffic as long as it also accepts the web traffic that you want to apply web authentication to.

Select a Security Profile and select the Proxy Options profile that you enabled HTTP Policy Redirect for.

Configuration

Then go to Policy & Objects > Proxy Policy create a Transparent Proxy policy to accept the traffic that you want to apply web authentication to. Set the Proxy Type to Transparent Web. The incoming interface, outgoing interface, destination address, and schedule should either match or be a subset of the same options defined in the IPv4 policy. Addresses added to the Source must match or be a subset of the source addresses added to the IPv4 policy. You can also add the users to be authenticated by the transparent policy to the source field.

Select other transparent policy options as required.

Transparent Proxy Configuration

CLI changes due to addition of Transparent Proxy

The adding of Transparent Proxy to the existing proxy types has required some changes, removals, moves and additions to the CLI.

Changes:

 

Previous
 

New

config firewall explicit-proxy-policy       config firewall proxy-policy Configuration

New
config firewall proxy-address
Previous
config firewall explicit-proxy-address
config firewall explicit-proxy-addrgrp

config firewall proxy-addrgrp

 

config firewall explicit-proxy-policy edit <policy ID> set proxy web end
 

config firewall proxy-policy edit <policy ID> set proxy explicit-web end