Tag Archives: kalm services

I really despise Sonic Wall

Sometimes, after a long day of work, the need to vent is so powerful that you can’t overcome it. Well, today is one of those days so I figured I would bless you guys with a little bit of information. If you use a Dell Sonic Wall…..I pity you for you know not what you do….These devices are horrible. Absolutely horrible. Go buy a FortiGate, or hell, a Palo Alto even just to stay away from these things. I seriously almost shot one today with a Springfield Armory XDS 45 ACP. It would have caused and incredibly warm feeling, like that of morphine flowing through your veins, to be experienced by myself. Speaking of which, I will be filming myself shooting AND blowing up some competitor hardware as I remove them from the client’s offices. I thought you guys might get a kick out of that and lets face it, as soon as I figure out the logistics with doing it legally, I too, will enjoy it. Keep your eyes open for some Fortinet GURU how to videos. Going to start with videos based on the Cook Book, but with better explanations than what Fortinet provided and then I will move on to tasks and encounters I have seen in the field.

Remember kids, friends don’t let friends buy SonicWall.

Web Security / Web Filter – FortiClient 5.4

Web Security/Web Filter

Web Security/Web Filter allows you to block, allow, warn, and monitor web traffic based on URL category or custom URL filters. URL categorization is handled by the FortiGuard Distribution Network (FDN). You can create a custom URL filter exclusion list which overrides the FDN category.

When FortiClient is not registered to FortiGate, you can enable or disable the Web Security feature. You can define what sites are allowed, blocked, or monitored and view violations.

Enable/Disable Web Security

To enable or disable FortiClient Web Security, toggle the Enable/Disable link in the FortiClient console. Web Security is enabled by default.

Enable/Disable Select to enable or disable Web Security.
X Violations (In the Last 7 Days) Select to view Web Security log entries of the violations that have occurred in the last 7 days.
Settings Select to configure the Web Security profile, exclusion list, and settings, and to view violations.

Web Security profile

You can configure a Web Security profile to allow, block, warn, or monitor web traffic based on website categories and sub-categories. Select the settings icon, then select the site category. Select the action icon, then select the action in the drop-down menu for each category or sub-category.

Web Security exclusion list

Allow Set the category or sub-category to Allow to allow access.
Block Set the category or sub-category to Block to block access. The user will receive a Web Page Blocked message in the web browser.
Warn Set the category or sub-category to Warn to block access. The user will receive a Web Page Blocked message in the web browser. The user can select to proceed or go back to the previous web page.
Monitor Set the category or sub-category to Monitor to allow access. The site will be logged.

You can select to enable or disable Site Categories in the Web Security settings page. When site categories are disabled, FortiClient is protected by the exclusion list.

Web Security exclusion list

To manage the exclusion list, select the settings icon then select Exclusion List from the menu. You can add websites to the exclusion list and set the permission to allow, block, monitor, or exempt. Use the add icon to add URLs to the exclusion list. If the website is part of a blocked category, an allow permission in the Exclusion List would allow the user to access the specific URL.

Web Security settings

Configure the following settings:

Exclusion List Select to exclude URLs that are explicitly blocked or allowed. Use the add icon to add URLs and the delete icon to delete URLs from the list. Select a URL and select the edit icon to edit the selection.
URL Enter a URL or IP address.
Type Select one of the following pattern types from the drop-down list:

l Simple l Wildcard l RegularExpression

Actions Select one of the following actions from the drop-down list:

Block: Block access to the web site regardless of the URL category or sub-category action.

Allow: Allow access to the web site regardless of the URL category or sub-category action.

Monitor: Allow access to the web site regardless of the URL category or sub-category action. A log message will be generated each time a matching traffic session is established.

Web Security settings

To configure web security settings, select the settings icon then select Settings from the menu.

View violations

Configure the following settings:

Enable Site Categories Select to enable Site Categories. When site categories are disabled, FortiClient is protected by the exclusion list.
Log all URLs Select to log all URLs.
Identify user initiated web browsing Select to identify web browser that is user initiated.

View violations

To view Web Security violations, either select the settings icon then select Violations from the menu, or select X Violations (In the Last 7 Days).


Website The website name or IP address.
Category The website sub-category.
Time The date and time that the website was accessed.
User The name of the user generating the traffic. Hover the mouse cursor over the column to view the complete entry in the pop-up bubble message.

Web Filter

When FortiClient is registered to a FortiGate/EMS, the Web Security tab will become the Web Filter tab.

The FortiClient Endpoint Control feature enables the site administrator to distribute a Web Filter profile from a FortiGate or add web filtering to an endpoint profile on EMS.

On a FortiGate device, the overall process is as follows:

l Create a Web Filter profile on the FortiGate, l Add the Web Filter profile to the FortiClient Profile on the FortiGate.

On EMS, web filtering is part of the endpoint profile.



Step 1: Create a Web Filter Profile on the FortiGate

Use the following steps to create a custom Web Filter profile on the FortiGate:

  1. Go to Security Profiles > Web Filter.
  2. To create a new profile, click the create new icon in the toolbar. The New Web FilterProfile page opens.
  3. Configure the following settings:


Name Enter a name for the Web Filter profile.
Comments Enter a description in the comments field. (optional)
Inspection Mode This setting is not applicable to FortiClient.
FortiGuard Categories Select category and sub-category actions.

l  In FortiClient5.4.0, the Security Risk category is part of the AntiVirus module. The Local Categories category is not applicable to FortiClient. The Authenticate and Disable actions are not applicable to FortiClient.

l  When FortiGuard Categories is disabled, FortiClient will be protected by the Exclusion List configured in the URL in the

FortiClient profile.

Categories Usage Quota This setting is not applicable to FortiClient.
Allow users to override blocked categories This setting is not applicable to FortiClient.
Search Engines  
Enforce ‘Safe Search’ Select to enable search engine Safe Search on Google, Yahoo!, Bing, and Yandex.

Education Filter

Select to enable the YouTube educational filter and enter your filter code. The filter blocks non-educational content as per your YouTube filter code.
Log all search keywords This setting is not applicable to FortiClient.
Static URL Filter  
Block invalid


This setting is not applicable to FortiClient.
URL Filter Select to enable URL filter. Select Create New to add a URL to the list. For Type, select one of Simple, Reg. Expression, or Wildcard. For Action, select one of Exempt, Block, Allow, or Monitor. For Status, select either Enable or Disable.

FortiClient does not support the Exempt action. Any URLs in the URL filter with an exempt action will be added to the FortiClient Exclusion List with an allow action.

Block malicious URLs discovered by FortiSandbox Select to block URLs that have been marked as malicious by FortiSandbox. A FortiSandbox device or cloud must be configured.


Web Content


This setting is not applicable to FortiClient.
Rating Options These settings are not applicable to FortiClient.
Proxy Options These settings are not applicable to FortiClient.
  1. Select OK to save the profile.

Step 2: Add the Web Filter profile to the FortiClient Profile

  1. Go to Security Profiles > FortiClient Profiles.
  2. Select the FortiClient Profile then select Edit. The Edit FortiClient Profile page is displayed.
  3. Enable Web Filter, then select the Web Filter profile from the drop-down list.
  4. Optionally, select to enable Client Side when On-Net.
  5. Select Apply to save the profile.

The FortiGate will send the FortiClient Profile configuration update to registered clients.

The Web Filtering module is now available in FortiClient.


To add web filtering to an endpoint profile:

  1. Go to Endpoint Profiles and either select a profile to edit, or create a new profile.
  2. Select the Web Filter
  3. Select the on/off button to add web filtering to the profile.
  4. Adjust the web filter settings as required, then select Save to save your changes.


FortiCache 4.0.1 Administration Guide


FortiCache high performance web caching appliances address bandwidth saturation, high latency, and poor performance caused by caching popular internet content locally for carriers, service providers, enterprises, and educational networks. FortiCache appliances reduce the cost and impact of cached content on the network while increasing performance and the end-user experience by improving the speed of delivery of popular repeated content.

About this document

This document contains the following sections:

  • Introduction l Concepts l System Administration l Policy & Objects l Objects l Security Profiles l User Authentication l WAN Optimization and Web Caching
  • WCCP
  • Logging


FortiCache web caching is a form of object caching that accelerates web applications and web servers by reducing bandwidth usage, server load, and perceived latency.

Web caching involves storing HTML pages, images, videos, servlet responses, and other web-based objects for later retrieval. These objects are stored in the web cache storage location defined by the config wanopt storage command. You can also go to System > Config > Disk to view the storage locations on the FortiCache unit hard disks.

There are three significant advantages to using web caching to improve HTTP performance:

  • reduced bandwidth consumption because fewer requests and responses go over the WAN or Internet l reduced web server load because there are fewer requests for web servers to handle l reduced latency because responses for cached requests are available from a local FortiCache unit instead of from across the WAN or Internet.

When enabled in a web caching policy, the FortiCache unit caches HTTP traffic processed by that policy. A web caching policy specifies the source and destination addresses and destination ports of the traffic to be cached.

Web caching caches compressed and non-compressed versions of the same file separately. If the HTTP protocol considers the compressed and uncompressed versions of a file the same object, only the compressed or uncompressed file will be cached.

You can also configure a FortiCache unit to operate as a Web Cache Communication Protocol (WCCP) client. WCCP provides the ability to offload web caching to one or more redundant web caching servers.

This chapter describes:

  • Web caching topologies l WCCP topologies l Content Analysis Service

Web caching topologies

FortiCache web caching involves one or more FortiCache units installed between users and web servers. The FortiCache unit can operate in both Network Address Translator (NAT) and transparent modes. The FortiCache unit intercepts web page requests accepted by web cache policies, requests web pages from the web servers, caches the web page contents, and returns the web page contents to the users. When the FortiCache unit intercepts subsequent requests for cached web pages, the FortiGate unit contacts the destination web server just to check for changes.

Most commonly the topology uses a router to route HTTP and HTTPS traffic to be cached to one or more FortiCache units. Traffic that should not be cached bypasses the FortiCache units. This is a scalable topology that allows you to add more FortiCache units if usage increases.

Web caching topologies                                                                                                                      Concepts

Web caching topology with web traffic routed to FortiCache units

You can also configure reverse proxy web-caching. In this configuration, users on the Internet browse to a web server installed behind a FortiCache unit. The FortiCache unit intercepts the web traffic (HTTP and HTTPS) and caches pages from the web server. Reverse proxy web caching on the FortiGate unit reduces the number of requests that the web server must handle, leaving it free to process new requests that it has not serviced before. Since all traffic is to be cached the FortiCache unit can be installed in Transparent mode directly between the web server and the Internet.

Reverse proxy web caching topology

The reverse proxy configuration can also include a router to route web traffic to a group of FortiCache units operating in Transparent Mode. This is also a scalable solution for reverse proxy web caching.

Reverse proxy web caching topology with web traffic routed to FortiCache unit

When web objects and video are cached on the FortiCache hard disk, the FortiCache unit returns traffic back to client using cached object from cache storage. The clients do not connect directly to the server.

When web objects and video are not available in the FortiCache hard disk, the FortiCache unit forwards the request to original server. If the HTTP response indicates it is a cacheable object, the object is forwarded to cache storage and the HTTP request is served from cache storage. Any other HTTP request for the same object will be served from cache storage as well.

The FortiCache unit forwards HTTP responses that cannot be cached from the server back to the client that originated the HTTP request.


Concepts                                                                                                                                 WCCP topologies

All non-HTTP traffic and HTTP traffic that is not cached by FortiCache will pass through the unit. HTTP traffic is not cached by the FortiCache unit if a web cache policy has not been added for it.

WCCP topologies

You can operate a FortiCache unit as a WCCP cache engine. As a cache engine, the FortiCache unit returns the required cached content to the client web browser. If the cache server does not have the required content, it accesses the content, caches it, and returns the content to the client web browser.

WCCP topology

WCCP is transparent to client web browsers. The web browsers do not have to be configured to use a web proxy.

Content Analysis Service

FortiGuard Content Analysis Service is a licensed feature for the real-time analysis of images in order to detect adult content. Detection of adult content in images uses various patented techniques (not just color-based), including limb and body part detection, body position, etc.

Once detected, such content can be optionally blocked or reported.

Please contact your Fortinet Account Manager should you require a trial of this service. You can purchase this service from support.fortinet.com.

For configuration information, see Content Analysis on page 101.

FortiBridge 4.0 Administration Guide


FortiBridge enables you to add traffic monitoring and security devices to your network, without any loss in network integrity.

FortiBridge supports two normal modes of operation: inline mode and TAP mode. Inline mode supports network

configurations that require in-line monitoring/security devices. TAP mode supports various traffic TAP configurations, where the main network path is mirrored to the monitoring devices.

The FortiBridge product provides monitoring features to ensure that any inline or TAP devices do not impact network integrity and availability. For example, FortiBridge runs a heartbeat probe for in-line configurations, and automatically switches to Bypass mode if the heartbeat fails.

Bypass mode provides active and passive bypass circuitry. Active bypass restores the traffic path between network ports, if the monitoring path fails. If the FortiBridge suffers a catastrophic failure such as power loss, it automatically reverts to Passive Bypass mode, so that traffic flow is not interrupted.

Hardware Configurations

The FortiBridge consists of a host system (a 1U chassis), which houses up to three bypass modules.

A bypass module supports one or more network segments. A network segment provides one inline or bypass traffic path. Each segment provides two network ports (NET0 and NET1) and two monitoring ports (MON1 and MON2).

The following bypass modules are available:

  • 40G bypass module l Supports one bypass segment.
  • Supports 40G Single mode fiber (40GBase-SR4) network standards l Provides MPO/LC ports for the network ports.
  • Provides QSFP+ ports for the monitor ports.
  • Dual-rate 1/10G bypass module l Supports two bypass segments l Supports dual rate 1/10G Multimode Fiber (10GBase-SR , 1000Base-SX) network standards l Supports dual rate 1/10G Single mode fiber (10GBase-LR, 1000Base-LX) network standards l Provides MPO/LC Duplex ports for the network ports. l Provides SFP+ ports for the monitor ports.

The network ports have built-in transceivers. The monitor ports require plug-in optical transceivers. The correct transceivers are delivered (pre-installed) with your FortiBridge product.

Product Overview

Modes of Operation

Each FortiBridge segment operates in one of the following modes:

  • Inline mode l The system diverts all incoming network traffic to the monitoring ports. No traffic flows directly between the network ports.
  • The inline network element must bridge the traffic between the monitoring ports. l The system monitors the inline traffic path using a heartbeat probe.
  • In the event of a fault, the segment transitions to one of the bypass modes (Bypass, TAP or Fail-cutoff mode, depending on configuration values).
  • When the fault condition clears, the segment can automatically transition back to Inline mode (the exact behavior is defined by configuration values). The segment transitions to Inline mode only after it detects that the heartbeat probe is working again
  • TAP mode l The system sends traffic between the network ports, and incoming traffic is mirrored to the monitoring ports.
  • The system does not provide a heartbeat probe on the mirrored path (because the network path is the primary traffic path).
  • If the system loses power, the traffic path is maintained between the network ports (the segment transitions to passive bypass mode).
  • Bypass mode l The system sends traffic only between the network ports, and not to the monitoring ports.
  • Fail-cutoff mode l The system disables the links on the network ports, to simulate cable disconnection between the network devices.

Fortinet Single Sign On – FortiAuthenticator 4.0

Fortinet Single Sign-On

FSSO is a set of methods to transparently authenticate users to FortiGate and FortiCache devices. This means that the FortiAuthenticator unit is trusting the implicit authentication of a different system, and using that to identify the user. FortiAuthenticator takes this framework and enhances it with several authentication methods:

  • Users can authenticate through a web portal and a set of embeddable widgets. l Users with FortiClient Endpoint Security installed can be automatically authenticated through the FortiClient SSO Mobility Agent.
  • Users authenticating against Active Directory can be automatically authenticated. l RADIUS Accounting packets can be used to trigger an FSSO authentication. l Users can be identified through the FortiAuthenticator API. This is useful for integration with third party systems.

The FortiAuthenticator unit must be configured to collect the relevant user logon data. After this basic configuration is complete, the various methods of collecting the log in information can be set up as needed.

Domain controller polling

When the FortiAuthenticator runs for the first time, it will poll the domain controller (DC) logs backwards until either the end of the log file or the logon timeout setting, whichever is reached first.

When the FortiAuthenticator is rebooted, the memory cache is written to the disk, then re-read at startup, allowing the previous state to be retained. Windows DC polling restarts on boot, then searches backwards in the DC log files until it reaches either the log that matches the last known serial number found in the login cache file, the log that is older than the last recorded read time, or the end of the log file, whichever is reached first.

The currently logged in FSSO users list is cached in memory and periodically written to disk. In an active-passive HA cluster, this file is synchronized to the slave device.

Windows management instrumentation polling

The FortiAuthenticator supports Windows Management Instrumentation (WMI) polling to detect workstation log off. This validates the currently logged on user for an IP address that has been discovered by the DC polling detection method.

Remote WMI access requires that the related ports are opened in the Windows firewall, and access to a domain account that belongs to the Domain Admin group.

To open ports in the Windows firewall in Windows 7, run gpedit.msc, go to Computerconfiguration >

Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile, go to Allow remote admin exception, then enable remote admin exception and, if necessary, configure an IP subnet/range.


General settings

General settings

The FortiAuthenticator unit listens for requests from authentication clients and can poll Windows Active Directory servers.

To configure FortiAuthenticator FSSO polling:

  1. Go to Fortinet SSO Methods > SSO > General to open the Edit SSO Configuration The Edit SSO Configuration window contains sections for FortiGate, FSSO, and user group membership.
  2. In the FortiGate section, configure the following settings:
Listening port Leave at 8000 unless your network requires you to change this. Ensure this port is allowed through the firewall.
Enable authentication Select to enable authentication, then enter a secret key, or password, in the Secret key field.
Login Expiry The length of time, in minutes, that users can remain logged in before the system logs them off automatically. The default is 480 minutes (8 hours).
Extend              user             session beyond logoff by The length of time, in seconds, that a user session is extended after the user logs off, from 0 (default) to 3600 seconds.
Enable NTLM


Select to enable NTLM authentication, then enter the NETBIOS or DNS name of the domain that the login user belongs to in the Userdomain field.
  1. In the Fortinet Single Sign-On (FSSO) section, configure the following settings:
Maximum concurrent user sessions Enter the maximum number of concurrent FSSO login sessions a user is allowed to have. Use 0 for unlimited.

Select Configure Per User/Group to configure the maximum number of concurrent sessions for each user or group. See Fine-grained controls on page 112.

Log Level Select one of Debug, Info, Warning, or Error as the minimum severity level of events to log from the drop- down list.

Select Download all logs to download all FSSO logs to your management computer.

General settings

Enable       Windows         Active

Directory domain controller polling

Select             to             enable             Windows             AD             polling.

Select to enable polling additional logon events, including from devices using Kerberos authentication or from Mac OS X systems, and from event IDs 672, 680, 4776, and 4768.

Enable polling additional logon events When additional active directory logon event IDs is enabled, event IDs 528, 540, and 4624 are also polled. These event are generated when a user attempts to access a domain service or resource. When a user logs off from the          workstation,         such      an          event     will         be               generated.

Enter the additional logon event timeout time in the Additional logon event timeout field, from 1 to 480 minutes, with 5 minutes being the default time.

Note: After a user logs off, their SSO session will stay active for the above configured period of time. During this time, if another user changes to the previous user’s IP address, they may be able to bypass the necessary authentication. For this reason, it is strongly recommended that the timeout time be kept short.

                     Enable         DNS

lookup to get IP

from workstation name

Select to use DNS lookup to get IP address information when an event contains only the workstation name.

This option is enabled by default.

Directly use domain DNS

suffix in lookup

Select to use the domain DNS suffix when doing a DNS lookup.

This option is disabled by default.

Enable  reverse DNS               lookup  to get         workstation name from IP Select to enable reverse DNS lookup. Reverse DNS lookup is used when an event contains only an IP address and no workstation name.

This option is enabled by default.

Do one more DNS lookup to get full list of IPs after reverse lookup of workstation name Reverse DNS lookup is used when an event contains only an IP address and no workstation name. Once the workstation name is determined, it is used in the DNS lookup again to get more complete IP address

information. This is useful in environments where workstations have multiple network interfaces.

This option is disabled by default.

Include     account name         ending

with $ (usually computer account)

Accounts that end in “$” used to exclusively denote computer accounts with

no actual user, but in some cases, valid accounts imported from dated systems can        feature  them.

This option is disabled by default.

Enable Radius Accounting SSO clients Select to enable the detection of users sign-ons and sign- offs from incoming RADIUS accounting (Start, Stop, and Interim-Update) records.
Use RADIUS realm as

Windows       Active

Directory domain

Select to use the RADIUS realm as the Windows AD domain.
Enable Syslog SSO Select to enable Syslog SSO.

General settings

Enable        FortiClient     SSO

Mobility Agent Service

Select to enable single sign-on (SSO) by clients running FortiClient Endpoint Security. For more information, see FortiClient SSO Mobility Agent on page 123.
FortiClient listening port Enter the FortiClient listening port number.
Enable authentication Select to enable authentication, then enter a secret key, or password, in the Secret key field.
Keep-alive interval Enter the duration between keep-alive transmissions, from 1 to 60 minutes. Default is 5 minutes.
Idle timeout Enter an amount of time after which to logoff a user if their status is not updated. The value cannot be lower than the Keep-alive interval value.
Enable NTLM Select to enable the NT LAN Manager (NTLM) to allow logon of users who are connected to a domain that does not have the FSSO DC Agent installed. Disable NTLM authentication only if your network does not support NTLM authentication for security or other reasons. Enter an amount of time after which NTLM authentication expires in the NTLM authentication expiry field, from 1 to 10080 minutes (7 days).
Enable hierarchical FSSO tiering Select to enable hierarchical FSSO tiering. Enter the collector listening port in the Collectorlistening port field.
Enable DC/TS Agent Clients Select to enable clients using DC or TS Agent. Enter the UDP port in the

DC/TS      Agent     listening     port     field.       Default       is          8002.

Select Enable authentication to enable authentication, then enter a secret key, or password, in the Secret key field.

Restrict             auto- discovered domain             controllers          to configured domain


Select to enable restricting automatically discovered domain controllers to already configured domain controllers only. See Domain controllers on page 114.
Enable       Windows         Active

Directory workstation IP


Select to enable workstation IP verification with Windows Active Directory. If enabled, select Enable IP change detection via DNS lookup to detect IP changes via DNS lookup.
  1. In the UserGroup Membership section, configure the following settings:

General settings

Group cache mode Select the group cache mode:

Passive: Items have an expiry time after which the are removed and re-queried on the next logon.

Active: Items are periodically updated for all currently logged on users.

Group cache item


Enter the amount of time after which items will expire (default = 480 minutes). This is only available when the group cache mode is set to Passive.
Do not use cached groups… Select to prevent using cached groups and to always load groups from server for the following SSO sources: l Windows Active Directory domain controller polling l RADIUS Accounting SSO l Syslog SSO

FortiClient SSO Mobility Agent l DC Agent l TS Agent

User login portal l SSO web service

Base distinguished names to search… Enter the base distinguished names to search for nesting of users or groups into cross domain and domain local groups.
  1. Select OK to apply the settings.

Port Based Network Access Control – FortiAuthenticator 4.0

Port-based Network Access Control

Port-based Network Access Control (PNAC), or 802.1X, authentication requires a client, an authenticator, and an authentication server (such as a FortiAuthenticator device).

The client is a device that wants to connect to the network. The authenticator is simply a network device, such as a wireless access point or switch. The authentication server is usually a host that supports the RADIUS and EAP protocols.

The client is not allowed access to the network until the client’s identity has been validated and authorized. Using 802.1X authentication, the client provides credentials to the authenticator, which the authenticator forwards to the authentication server for verification. If the authentication server determines that the credentials are valid, the client device is allowed access to the network.

FortiAuthenticator supports several IEEE 802.1X EAP methods.


The FortiAuthenticator unit supports several IEEE 802.1X EAP methods. These include authentication methods most commonly used in WiFi networks.

EAP is defined in RFC 3748 and updated in RFC 5247. EAP does not include security for the conversation between the client and the authentication server, so it is usually used within a secure tunnel technology such as TLS, TTLS, or MS-CHAP.

The FortiAuthenticator unit supports the following EAP methods:

Method Server Auth Client Auth Encryption Native OS Support
PEAP (MSCHAPv2) Yes Yes Yes Windows XP, Vista, 7
EAP-TTLS Yes No Yes Windows Vista, 7
EAP-TLS Yes Yes Yes Windows (XP, 7), Mac OS X, iOS,

Linux, Android

EAP-GTC Yes Yes Yes None (external supplicant required)

In addition to providing a channel for user authentication, EAP methods also provide certificate-based authentication of the server computer. EAP-TLS provides mutual authentication: the client and server authenticate each other using certificates. This is essential for authentication onto an enterprise network in a BYOD environment.

For successful EAP-TLS authentication, the user’s certificate must be bound to their account in Authentication >

UserManagement > Local Users (see Local users on page 58) and the relevant RADIUS client in Authentication > RADIUS Service > Clients (see RADIUS service on page 91) must permit that user to authenticate. By default, all local users can authenticate, but it is possible to limit authentication to specified user groups.

Port-based Network Access Control                                                                                                          EAP

The FortiAuthenticator unit and EAP

A FortiAuthenticator unit delivers all of the authentication features required for a successful EAP-TLS deployment, including:

  • Certificate Management: create and revoke certificates as a CA. See Certificate Management on page 132.
  • Simple Certificate Enrollment Protocol (SCEP) Server: exchange a Certificate Signing Request (CSR) and the resulting signed certificate, simplifying the process of obtaining a device certificate.

FortiAuthenticator unit configuration

To configure the FortiAuthenticator unit, you need to:

  1. Create a CA certificate for the FortiAuthenticator unit. See Certificate authorities on page 140.

Optionally, you can skip this step and use an external CA certificate instead. Go to Certificate Management > Certificate Authorities > Trusted CAs to import CA certificates. See Trusted CAs on page 147.

  1. Create a server certificate for the FortiAuthenticator unit, using the CA certificate you created or imported in the preceding step. See End entities on page 133.
  2. If you configure EAP-TTLS authentication, go to Authentication > RADIUS Service > EAP and configure the certificates for EAP. See Configuring certificates for EAP on page 102.
  3. If SCEP will be used:
    1. Configure an SMTP server to be used for sending SCEP notifications. Then configure the email service for the administrator to use the SMTP server that you created. See E-mail services on page 46.
    2. Go to Certificate Management > SCEP > General and select Enable SCEP. Then select the CA certificate that you created or imported in Step 1 in the Default CA field and select OK. See SCEP on page 147.
  4. Go to Authentication > Remote Auth. Servers > LDAP and add the remote LDAP server that contains your user database. See LDAP on page 88.
  5. Import users from the remote LDAP server. You can choose which specific users will be permitted to authenticate. See Remote users on page 65.
  6. Go to Authentication > RADIUS Service > Clients to add the FortiGate wireless controller as an authentication client. Be sure to select the type of EAP authentication you intend to use. See RADIUS service on page 91.

Configuring certificates for EAP

The FortiAuthenticator unit can authenticate itself to clients with a CA certificate.

  1. Go to Certificate Management > Certificate Authorities > Trusted CAs to import the certificate you will use. See Trusted CAs on page 147.
  2. Go to Authentication > RADIUS Service > EAP.
  3. Select the EAP server certificate from the EAP ServerCertificate drop-down list.
  4. Select the trusted CAs and local CAs to use for EAP authentication from their requisite lists.
  5. Select OK to apply the settings.

Configuring switches and wireless controllers to use 802.1X authentication

The 802.1X configuration will be largely vendor dependent. The key requirements are:

Device self-enrollment                                                                           Port-based Network Access Control

l RADIUS Server IP: This is the IP address of the FortiAuthenticator l Key: The preshared secret configured in the FortiAuthenticator authentication client settings l Authentication Port: By default, FortiAuthenticator listens for authentication requests on port 1812.

Device self-enrollment

Device certificate self-enrollment is a method for local and remote users to obtain certificates for their devices. It is primarily used in enabling EAP-TLS for BYOD. For example:

l A user brings their tablet to a BYOD organization. l They log in to the FortiAuthenticator unit and create a certificate for the device. l With their certificate, username, and password they can authenticate to gain access to the wireless network. l Without the certificate, they are unable to access the network.

To enable device self-enrollment and adjust self-enrollment settings, go to Authentication > Self-service Portal > Device Self-enrollment and select Enable userdevice certificate self-enrollment.

SCEP enrollment template Select a SCEP enrollment template from the drop-down list. SCEP can be configured in Certificate Management > SCEP. See SCEP on page 147 for more information.
Max. devices Set the maximum number of devices that a user can self-enroll.
Key size Select the key size for self-enrolled certificates (1024, 2048, or 4096 bits).

iOS devices only support two key size: 1024 and 2048.

Enable self-enrollment for Smart Card certificate Select to enable self-enrollment for smart card certificates.

This requires that a DNS domain name be configured, as it is used in the CRL Distribution Points (CDPs) certificate extension.

Port-based Network Access Control                                                                          Non-compliant devices

Select OK to apply any changes you have made.

Non-compliant devices

802.1X methods require interactive entry of user credentials to prove a user’s identity before allowing them access to the network. This is not possible for non-interactive devices, such as printers. MAC Authentication Bypass is supported to allow non-802.1X compliant devices to be identified and accepted onto the network using their MAC address as authentication.

This feature is only for 802.1X MAC Authentication Bypass. FortiGate Captive Portal MAC Authentication is supported by configuring the MAC address as a standard user, with the MAC address as both the username and password, and not by entering it in the MAC Devices section.

Multiple MAC devices can be imported in bulk from a CSV file. The first column of the CSV file contains the device names (maximum of 50 characters), and the second column contains the corresponding MAC addresses (0123456789AB or 01:23:45:67:89:AB).

To configure MAC-based authentication for a device:

  1. Go to Authentication > User Management > MAC Devices. The MAC device list will be shown.
  2. If you are adding a new device, select Create New to open the Create New MAC-based Authentication Device

If you are editing an already existing device, select the device from the device list.

  1. Enter the device name in the Name field, and enter the device’s MAC address in the MAC address
  2. Select OK to apply your changes.

To import MAC devices:

  1. In the MAC device list, select Import.
  2. Select Browse to locate the CSV file on your computer.
  3. Select OK to import the list.

The import will fail if the maximum number of MAC devices has already been reached, or if any of the information contained within the file does not conform, for example if the device name too long, or there is an incorrectly formatted MAC address.

FortiAuthenticator 4.0 Authentication


FortiAuthenticator provides an easy to configure authentication server for your users. Multiple FortiGate units can use a single FortiAuthenticator unit for remote authentication and FortiToken device management.

FortiAuthenticatorin a multiple FortiGate unit network

This chapter includes the following topics:

l What to configure l User account policies l User management l FortiToken devices and mobile apps l Self-service portal l Remote authentication servers l RADIUS service l LDAP service l FortiAuthenticator Agents

What to configure

You need to decide which elements of FortiAuthenticator configuration you need.

  • Determine the type of authentication you will use: password-based or token-based. Optionally, you can enable both types. This is called two-factor authentication.

What to configure

  • Determine the type of authentication server you will use: RADIUS, built-in LDAP, or Remote LDAP. You will need to use at least one of these server types.
  • Determine which FortiGate units or third party devices will use the FortiAuthenticator unit. The FortiAuthenticator unit must be configured on each FortiGate unit as an authentication server, either RADIUS or LDAP. For RADIUS authentication, each FortiGate unit or third party device must be configured on the FortiAuthenticator unit as an authentication client.

Password-based authentication

User accounts can be created on the FortiAuthenticator device in multiple ways:

l Administrator creates a user and specifies their username and password. l Administrator creates a username and a random password is automatically emailed to the user. l Users are created by importing either a CSV file or from an external LDAP server.

Users can self-register for password-based authentication. This reduces the workload for the system administrator. Users can choose their own passwords or have a randomly generated password provided in the browser or sent to them via email or SMS. Self-registration can be instant, or it can require administrator approval. See Self-registration on page 76.

Once created, users are automatically part of the RADIUS Authentication system and can be authenticated remotely.

See User management on page 57 for more information about user accounts.

Two-factor authentication

Two-factor authentication increases security by requiring multiple pieces of information on top of the username and password. There are generally two factors:

  • something the user knows, usually a password, l something the user has, such as a FortiToken device.

Requiring the two factors increases the difficulty for an unauthorized person to impersonate a legitimate user.

To enable two-factor authentication, configure both password-based and token-based authentication in the user’s account.

FortiAuthenticator token-based authentication requires the user to enter a numeric token at login. Two types of numerical tokens are supported:

  • Time based: TOTP (RFC 6238)

The token passcode is generated using a combination of the time and a secret key which is known only by the token and the FortiAuthenticator device. The token password changes at regular time intervals, and the FortiAuthenticator unit is able to validate the entered passcode using the time and the secret seed information for that token.

Passcodes can only be used a single time (one time passcodes) to prevent replay attacks. Fortinet has the following time based tokens:

  • FortiToken 200 l FortiToken Mobile, running on a compatible smartphone l Event based: HMAC-based One Time Password (HTOP) (RFC 4226) What to configure

The token passcode is generated using an event trigger and a secret key. Event tokens are supported using a valid email account and a mobile phone number with SMS service.

FortiToken devices, FortiToken Mobile apps, email addresses, and phone numbers must be configured in the user’s account.

Only the administrator can configure token-based authentication. See Configuring token based authentication on page 62.

Authentication servers

The FortiAuthenticator unit has built-in RADIUS and LDAP servers. It also supports the use of remote RADIUS and LDAP (which can include Windows AD servers).

The built-in servers are best used where there is no existing authentication infrastructure, or when a separate set of credentials is required. You build a user account database on the FortiAuthenticator unit. The database can include additional user information such as street addresses and phone numbers that cannot be stored in a FortiGate unit’s user authentication database. To authenticate, either LDAP or RADIUS can be used. The remote LDAP option adds your FortiGate units to an existing LDAP structure. Optionally, you can add two-factor authentication to remote LDAP.


If you use RADIUS, you must enable RADIUS in each user account. FortiGate units must be registered as RADIUS authentication clients in Authentication > RADIUS Service > Clients. See RADIUS service on page 91. On each FortiGate unit that will use the RADIUS protocol, the FortiAuthenticator unit must be configured as a RADIUS server in User & Device > Authentication > RADIUS Server.

Built-in LDAP

If you use built-in LDAP, you will need to configure the LDAP directory tree. You add users from the user database to the appropriate nodes in the LDAP hierarchy. See Creating the directory tree on page 96. On each FortiGate unit that will use LDAP protocol, the FortiAuthenticator unit must be configured as an LDAP server in User & Device > Authentication > LDAP Server.

Remote LDAP

Remote LDAP is used when an existing LDAP directory exists and should be used for authentication. User information can be selectively synchronised with the FortiAuthenticator unit, but the user credentials (passwords) remain on, and are validated against the LDAP directory.

To utilize remote LDAP, the authentication client (such as a FortiGate device) must connect to the

FortiAuthenticator device using RADIUS to authenticate the user information (see

User & Device > Authentication > RADIUS Server). The password is then proxied to the LDAP server for validation, while any associated token passcode is validated locally.

Machine authentication

Machine, or computer, authentication is a feature of the Windows supplicant that allows a Windows machine to authenticate to a network via 802.1X prior to user authentication.

Machine authentication is performed by the computer itself, which sends its computer object credentials before the Windows logon screen appears. User authentication is performed after the user logs in to Windows.

User account policies

Based on the computer credentials provided during machine authentication, limited access to the network can be granted. For example, access can be granted to just the Active Directory server to enable user authentication.

Following machine authentication, user authentication can take place to authenticate that the user is also valid, and to then grant further access to the network.

Machine authentication commonly occurs on boot up or log out, and not, for example, when a device awakens from hibernation. Because of this, the FortiAuthenticator caches authenticated devices based on their MAC addresses for a configurable period (see General on page 54). For more information on cached users, see Windows device logins on page 131

To configure machine authentication, see Clients on page 92.

FortiAuthenticator 4.0 System


The System tab enables you to manage and configure the basic system options for the FortiAuthenticator unit. This includes the basic network settings to connect the device to the corporate network, the configuration of administrators and their access privileges, managing and updating firmware for the device, and managing messaging servers and services.

The System tab provides access to the following menus and sub-menus:

Dashboard Select this menu to monitor, and troubleshoot your FortiAuthenticator device. Dashboard widgets include: l System Information widget l System Resources widget l Authentication Activity widget l User Inventory widget l HA Status l License Information widget l Disk Monitor l Top User Lockouts widget
Network Select this menu to configure your FortiAuthenticator interfaces and network settings. l Interfaces

l   DNS

l   Static routing l Packet capture

Administration Select this menu to configure administrative settings for the FortiAuthenticator device. l GUI access

l   High availability l Firmware l Automatic backup

l   SNMP

l   Licensing l FortiGuard l FTP servers l Administration

Messaging Select this menu to configure messaging servers and services for the FortiAuthenticator device. l SMTP servers l E-mail services l SMS gateways


When you select the System tab, it automatically opens at the System > Dashboard page.

The Dashboard page displays widgets that provide performance and status information and enable you to configure some basic system settings. These widgets appear on a single dashboard.

The following widgets are available:

System Information Displays basic information about the FortiAuthenticator system including host name, DNS domain name, serial number, system time, firmware version, architecture, system configuration, current administrator, and up time.

From this widget you can manually update the FortiAuthenticator firmware to a different release. For more information, see System Information widget on page 25.

System Resources Displays the usage status of the CPU and memory. For more information, see System Resources widget on page 29.
Authentication Activity Displays a customizable graph of the number of logins to the device. For more information, see Authentication Activity widget on page 29.
User Inventory Displays the numbers of users, groups, FortiTokens, FSSO users, and FortiClient users currently used or logged in, as well as the maximum allowed number, the number still available, and the number that are disabled.

For more information, see User Inventory widget on page 29.

HA Status Displays whether or not HA is enabled.
License Information Displays the device’s license information, as well as SMS information. For more information, see License Information widget on page 29.
Disk Monitor Displays if RAID is enabled, and the current disk usage in GB.
Top User Lockouts Displays the top user lockouts. For more information, see Top User Lockouts widget on page 30.

Customizing the dashboard

The FortiAuthenticator system settings dashboard is customizable. You can select which widgets to display, where they are located on the page, and whether they are minimized or maximized.

To move a widget

Position your mouse cursor on the widget’s title bar, then click and drag the widget to its new location.

To add a widget

In the dashboard toolbar, select Add Widget, then select the name of widget that you want to show. Multiple widgets of the same type can be added. To hide a widget, in its title bar, select the Close icon.

To see the available options for a widget

Position your mouse cursor over the icons in the widget’s title bar. Options include show/hide the widget, edit the widget, refresh the widget content, and close the widget.

The following table lists the widget options.

Show/Hide arrow Display or minimize the widget.
Widget Title The name of the widget.
Edit Select to change settings for the widget.

This option appears only in certain widgets.

Refresh Select to update the displayed information.
Close Select to remove the widget from the dashboard. You will be prompted to confirm the action. To add the widget, select Widget in the toolbar and then select the name of the widget you want to show.
To change the widget title

Widget titles can be customized by selecting the edit button in the title bar and entering a new title in the widget settings dialog box. Some widgets have more options in their respective settings dialog box.

To reset a widget title to its default name, simply leave the Custom widget title field blank.

The widget refresh interval can also be manually adjusted from this dialog box.

System Information widget

The system dashboard includes a System Information widget, which displays the current status of the FortiAuthenticator unit and enables you to configure basic system settings.

The following information is available on this widget:

Host Name The identifying name assigned to this FortiAuthenticator unit. For more information, see Changing the host name on page 26.
DNS Domain Name The DNS domain name. For more information, see Changing the DNS domain name on page 27.
Serial Number The serial number of the FortiAuthenticator unit. The serial number is unique to the FortiAuthenticator unit and does not change with firmware upgrades. The serial number is used for identification when connecting to the FortiGuard server.
System Time The current date, time, and time zone on the FortiAuthenticator internal clock or NTP server. For more information, see Configuring the system time, time zone, and date on page 27.
Firmware Version The version number and build number of the firmware installed on the FortiAuthenticator unit. To update the firmware, you must download the latest version from the Customer Service & Support portal at https://support.fortinet.com. Select Update and select the firmware image to load from your management computer.
Architecture The architecture of the device, such as 32-bit.
System Configuration The date of the last system configuration backup. Select Backup/Restore to backup or restore the system configuration. For more information, see Backing up and restoring the configuration on page 28.
Current Administrator The name of the currently logged on administrator.
Uptime The duration of time the FortiAuthenticator unit has been running since it was last started or restarted.
Shutdown/Reboot Options to shutdown or reboot the device. When rebooting or shutting down the system, you have the option to enter a message that will be added to the event log explaining the reason for the shutdown or reboot.
Changing the host name

The System Information widget will display the full host name.

To change the host name:

  1. Go to System > Dashboard.
  2. In the System Information widget, in the Host Name field, select Change. The Edit Host Name page opens.
  3. In the Host name field, type a new host name.

The host name may be up to 35 characters in length. It may include US-ASCII letters, numbers, hyphens, and underscores. Spaces and special characters are not allowed.

  1. Select OK to save the setting.