Channel: Fortinet Cookbook

FortiVoice Enterprise Profiles: SIP Profiles and Caller ID


FortiVoice phone profiles let you create user privileges and SIP profiles for configuring extensions and SIP trunks. They also allow you to modify caller IDs, schedule the FortiVoice unit, and configure phone and LDAP profiles.

This recipe guides you through the process of configuring a SIP profile.

 

Configuring SIP Profiles

To configure a SIP profile

  1. Go to Phone System > Profiles > SIP and select New.
  2. Enter a name for the profile.
  3. Select Auto from the DTMF dropdown menu. Alternatively, select the specific DTMF method you require.
  4. Enable any services supported by your service provider (NAT, Video, T.38).
  5. Enter the interval, in seconds, at which the FortiVoice unit contacts your service provider's SIP server to keep the connection alive and check its capabilities.
  6. Select your desired transport method. For more information on SIP transport methods, consult the FortiVoice Enterprise Administrator Guide.
  7. Select the codecs supported by the VoIP service provider. Choose the preferred codec for the VoIP provider. The preferred codec should be the most used codec in your area that provides the best communication quality.
  8. Select Create.


Modifying Caller IDs

You can modify the displayed appearance of the phone number and caller's name of outgoing calls through FVE's caller ID modification.

To modify a caller ID

  1. Go to Phone System > Profiles > Caller ID Modification.
  2. Select New.
  3. Enter the name of the Caller ID record.
  4. Enter the extension number or number pattern you want to modify. For example, you can enter 8134 to modify a single extension or 81xx to modify all the four-digit numbers starting with 81.

    If you enter a match number:
    i. Enter a number in the Strip field to hide the starting part of an extension from displaying. For example, if your Match number is 8134 and the Strip is 2, only 34 will display.
    ii. Enter a Truncate number to hide the ending part of an extension.
    iii. Enter a Prefix number to display before an extension number.
    iv. Enter a Postfix number to display after an extension number.

  5. Enter the caller ID name you want to map to another one.
  6. Enter the new caller ID name to which you want to map the one entered in the Match caller ID name field.

Mapping a Group of Extensions to a Caller ID Name

If you want to map a group of extensions to a caller ID name, you can use the pattern for the extensions to do so.

For example, if you have a technical support team that has 10 extensions (8100-8110), instead of displaying each extension when making calls, you can just display one caller ID name “Support” for the whole team.

To map a group of extensions to a caller ID name

  1. Go to Phone System > Profile > Caller ID Modification.
  2. Select New.
  3. Enter a pattern of the extensions, such as 81xx, in the Match number field.
  4. Enter the caller ID name to which you want to map, such as “Support”, in the Map to new caller ID field.
  5. Select Create.
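The strip, truncate, prefix, postfix and caller ID name mapping described in the two procedures above, worked through as an added example. This is my own code, not FortiVoice's; the rule fields and the "x matches any digit" pattern semantics are assumptions modelled on the GUI fields named in the text, and the extensions and names are constructed.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class CallerIdRule:
    """One Caller ID Modification record (assumed model of the GUI fields)."""
    name: str
    match_number: str            # exact extension "8134" or pattern "81xx"
    strip: int = 0               # digits hidden from the start of the extension
    truncate: int = 0            # digits hidden from the end of the extension
    prefix: str = ""             # digits displayed before the extension
    postfix: str = ""            # digits displayed after the extension
    match_caller_name: str = ""  # "" = any caller ID name
    new_caller_name: str = ""    # "" = leave the caller ID name unchanged


def number_matches(pattern: str, number: str) -> bool:
    """'x' in the pattern matches any single digit; lengths must be equal."""
    if len(pattern) != len(number):
        return False
    return all(p == "x" or p == d for p, d in zip(pattern.lower(), number))


def apply_rule(rule: CallerIdRule, number: str, caller_name: str = "") -> Tuple[str, str]:
    """Return (displayed number, displayed name) after applying one rule."""
    shown = number[rule.strip:] if rule.strip > 0 else number
    if rule.truncate > 0:
        shown = shown[:-rule.truncate]
    shown = f"{rule.prefix}{shown}{rule.postfix}"
    name = caller_name
    # Map the name only when the rule names a new caller ID and the
    # Match caller ID name is empty (any) or equals the current name.
    if rule.new_caller_name and rule.match_caller_name in ("", caller_name):
        name = rule.new_caller_name
    return shown, name


def modify_caller_id(rules: List[CallerIdRule], number: str,
                     caller_name: str = "") -> Tuple[str, str]:
    """Apply the first rule whose Match number fits; unmatched calls pass through."""
    for rule in rules:
        if number_matches(rule.match_number, number):
            return apply_rule(rule, number, caller_name)
    return number, caller_name


if __name__ == "__main__":
    # Constructed sample rules following the page's two examples.
    rules = [
        CallerIdRule(name="single", match_number="8134", strip=2),
        CallerIdRule(name="support", match_number="81xx", new_caller_name="Support"),
    ]
    for ext, who in [("8134", "Alice"), ("8107", "Bob"), ("8207", "Carol")]:
        print(ext, who, "->", modify_caller_id(rules, ext, who))
```

Rule order matters: the exact rule for 8134 is listed before the 81xx group rule, so 8134 is stripped to 34 while every other 81xx extension is relabelled "Support".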

The post FortiVoice Enterprise Profiles: SIP Profiles and Caller ID appeared first on Fortinet Cookbook.


Configuring Sound Files in FortiVoice Enterprise


FortiVoice Enterprise supports customizable sound files that administrators can use to play during conference calls, call holding periods, and special announcements.

The following recipe details how to manage your sound files in FortiVoice Enterprise.

 

Managing Sound Files

To manage a sound file

  1. Go to Phone System > Audio > Prompts.
  2. Select New.
  3. Enter a file name.
  4. Select your desired profile type.
  5. For Voice language, configure the following:
    If you select Prompt sound file for the profile type, you can click Upload to get an existing sound file, Record to make a sound file, Download to save a sound file, and Play to listen to an uploaded or recorded file (with speakers or earphones) for the language you select.
    i. To record a sound file, click Record.
    ii. On the Send Voice Recording Call dialog box, enter the extension that you will use to record the file, and click Send to dial the extension. You can edit the extension or add a new one. For details, see “Configuring IP extensions” on page 135.
    iii. When the extension rings, record the sound file and hang up.
    iv. On the FortiVoice web-based manager, click Yes on the Voice recording request sent to specified extension dialog box.
    If you select Music on hold for the profile type, you can click Upload to get an existing sound file, Record to make a sound file, Download to save a sound file, and Play to listen to an uploaded or recorded file (with speakers or earphones).
  6. Select OK.


To configure holding music

  1. Go to Phone System > Audio > Music On Hold.
  2. Select New.
  3. Enter a name for your hold music.
  4. Select Files or Stream under Mode.

    If you select Files:
    i. Select the sound files you wish to use and then select the right arrow button to move them to the Selected list.
    ii. Select your desired play mode.

    If you select Stream:
    i. Enter your Stream URL in the field and then select Test stream to make sure it functions properly.

  5. Select Create.



FortiMail: Preventing ISPs from Being Blacklisted


Companies can often find themselves blacklisted without knowing it. One infected computer could lead to an entire company having its email blocked.

This recipe guides you through the process of configuring FortiMail to help prevent your IP from being blacklisted.

Protecting the public range of IP addresses from being blacklisted is essential for service providers to guarantee the right level of service to subscribers. Protection is achieved by filtering the outgoing mail of the ISP network before the traffic reaches the internet and before the sessions are NATed by the firewall.

IP Blacklisting

For more information on filtering techniques please consult the FortiMail Administrator Guide.

System Settings

In order for FortiMail to intercept all SMTP sessions, regardless of the destination address, FortiMail must operate as a transparent proxy.

For the following procedure to work, set your FortiMail unit to transparent mode and enable proxies.

  1. Go to System > System Status > Status.
  2. Select Transparent from the Operation mode dropdown menu.
  3. Go to Mail Settings > Proxies > Proxies.
  4. Select the For outgoing SMTP connections checkbox.
  5. Select Apply.

(Figure: transparent mode)

Network Configuration

With FortiMail in transparent mode we can now configure some general network settings.

First we will need to configure the SMTP interfaces in route mode and set their IP addresses.

  1. Go to System > Network > Interface.
  2. Select New or right click an existing port and select Edit.
  3. Enter the desired IP addresses for port1, port2, and port3. For example, port1 will be the management IP address, port2 private, and port3 the internet. All other interfaces except port1 can be removed from the bridge.
(Figure: network configuration diagram, network interface list, and editing an existing interface address)

 

 

Next we will need to configure gateway settings.

  1. Go to System > Network > Routing.
  2. Select New or right click an existing port and select Edit.
  3. Enter the desired gateway address for each port and, for port2 and port3, enter the destination IP/netmask.
 
(Figure: configuring gateway settings)

Interfaces have two proxies listening for SMTP sessions:
– the incoming proxy, which listens for sessions destined to the internal mail server.
– the outgoing proxy, which picks up any other sessions.

The outgoing proxy should be enabled on the internal interface, the one that receives outgoing sessions from subscribers (for example, port2).

  1. Go to System > Network > Interface.
  2. Right click port2 and select Edit.
  3. Select Proxy from the Outgoing connections dropdown menu in the SMTP Proxy section and then select OK.
  4. Right click port3 and select Edit.
  5. Select Pass through from the Outgoing connections dropdown menu in the SMTP Proxy section and then select OK.
 
(Figure: editing the interface of port2)

FortiMail should be configured with two DNS servers. Fast answers from DNS servers are critical to maximize performance. 

  1. Go to System > Network > DNS.
  2. Enter both the primary DNS server and the Secondary DNS server in their respective fields.
  3. Select Apply.
 
(Figure: entering the necessary DNS information)

Access Control Configuration

Access control rules specify whether the FortiMail unit processes and relays, rejects, or discards email messages for SMTP sessions initiated by SMTP clients.

To configure the SMTP access controls

  1. Go to Policy > Access Control > Receiving.
  2. Select New.
  3. Enter the necessary IP in the Sender IP/netmask field.
  4. Select Authenticated from the Authentication status dropdown menu.
  5. Select Relay from the Action dropdown menu.
  6. Select OK.
  7. Select New.
  8. Enter the necessary IP in the Sender IP/netmask field.
  9. Select Any from the Authentication status dropdown menu.
  10. Select Reject from the Action dropdown menu.
  11. Select OK.
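First-match evaluation of the two receiving rules configured above, as an added example that is my own code and not FortiMail's. The rule model follows the three GUI fields named in the steps (Sender IP/netmask, Authentication status, Action); the subscriber range 10.20.0.0/16 and the client addresses are constructed. It also shows the failure mode a reviewer checks for: with the two rules in the wrong order, the catch-all reject rule hides the authenticated relay rule.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AccessRule:
    """One receiving access control rule (assumed model of the GUI fields)."""
    sender: str          # "IP/netmask", e.g. "10.20.0.0/16" or "0.0.0.0/0"
    authentication: str  # "authenticated", "not_authenticated" or "any"
    action: str          # "relay", "reject", ...


def rule_matches(rule: AccessRule, client_ip: str, authenticated: bool) -> bool:
    """A rule matches when the client IP is inside the sender range and the
    session's authentication state satisfies the rule's Authentication status."""
    in_range = ipaddress.ip_address(client_ip) in ipaddress.ip_network(rule.sender, strict=False)
    if rule.authentication == "any":
        auth_ok = True
    else:
        auth_ok = (rule.authentication == "authenticated") == authenticated
    return in_range and auth_ok


def evaluate(rules: List[AccessRule], client_ip: str, authenticated: bool) -> Optional[str]:
    """Rules are checked top to bottom; the first match decides the action.
    None means no rule matched (FortiMail's default handling is not modelled here)."""
    for rule in rules:
        if rule_matches(rule, client_ip, authenticated):
            return rule.action
    return None


# Constructed sample: the two rules from the recipe, for one subscriber range.
SUBSCRIBERS = "10.20.0.0/16"
RULES = [
    AccessRule(SUBSCRIBERS, "authenticated", "relay"),  # step 3 to 6
    AccessRule(SUBSCRIBERS, "any", "reject"),           # step 7 to 11
]

if __name__ == "__main__":
    for ip, auth in [("10.20.5.9", True), ("10.20.5.9", False), ("203.0.113.4", True)]:
        print(ip, "authenticated" if auth else "unauthenticated", "->", evaluate(RULES, ip, auth))
    print("reversed order ->", evaluate(list(reversed(RULES)), "10.20.5.9", True))
```

The reversed-order call returns reject for an authenticated subscriber, which is exactly the misconfiguration to look for when relay unexpectedly fails after the rules are edited.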
(Figure: creating the relay access control rule)

Log Setting Configuration

To configure logging to the local hard disk

  1. Go to Log and Reporting > Log Settings > Local Log Settings.
  2. Enable Log to Local Disk.
  3. Enter the file size limit of the current log file in megabytes in the Log file size field.
  4. Select Information from the Log level dropdown menu.
  5. Enable Event Log in the Logging Policy Configuration section.
  6. Enable AntiVirus Log, AntiSpam Log, History Log, and Encryption Log in the Logging Policy Configuration section.
  7. Select Apply.
 
(Figure: configuring the log settings)

Radius Configuration

FortiMail uses your RADIUS accounting records to combat spam and viruses, which reduces the likelihood of spam and viruses being sent from your network to other networks. By configuring the connection with the RADIUS server, we can greatly reduce the possibility of having your public IP address blacklisted.

To configure your RADIUS server

  1. Configure the FortiMail unit as an auxiliary RADIUS server on your RADIUS server, to which it will send copies when its accounting records change.
  2. Configure the server to send the Calling-Station-ID and the Framed-IP-Address attributes to the FortiMail unit.

    The data type of the value of Calling-Station-ID may vary. For 3G subscribers, the RADIUS server typically uses Calling-Station-ID to contain an MSISDN. For ADSL subscribers, the RADIUS server typically contains a login ID, such as an email address.

  3. Determine whether your RADIUS server sends the Framed-IP-Address attribute’s value in network order (e.g. 192.168.1.10) or host order (e.g. 10.1.168.192).
  4. Verify that routing and firewall policies permit RADIUS accounting records to reach the FortiMail unit.
 
(Figure: RADIUS illustration)

 

With your RADIUS server properly configured, we now need to enable the FortiMail unit to receive RADIUS records.

  1. Connect to the CLI.
  2. Enter the following command to enable the FortiMail unit to receive RADIUS records by starting the endpoint reputation daemon:
    config antispam settings
        set carrier-endpoint-status enable
    end
  3. Enter the following command to configure the RADIUS secret:
    config antispam settings
        set carrier-endpoint-acc-secret <secret_str>
    end
  4. Enter the following command to configure whether the FortiMail unit validates RADIUS requests using the RADIUS secret:
    config antispam settings
        set carrier-endpoint-acc-validate <enable | disable>
    end
  5. Enter the following command to configure whether or not the FortiMail unit will acknowledge accounting records:
    config antispam settings
        set carrier-endpoint-acc-response <enable | disable>
    end
  6. Enter the following command to indicate whether the RADIUS server sends the value of the Framed-IP-Address attribute in host order or network order:
    config antispam settings
        set carrier-endpoint-framed-ip-order <host-order | network-order>
    end
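Two of the decisions above, the Framed-IP-Address byte order (step 3 of the server checklist) and the secret-based validation that carrier-endpoint-acc-validate turns on, worked through as an added example. This is my own code, not FortiMail's implementation: it builds a RADIUS Accounting-Request with the Request Authenticator defined in RFC 2866, validates it with the shared secret, parses the attributes, and decodes Framed-IP-Address in both orders against a known subscriber pool so you can tell which order your server uses. The packet, the shared secret and the subscriber pool are constructed.

```python
import hashlib
import hmac
import ipaddress
import struct
from typing import List, Tuple

# RADIUS code and attribute types from RFC 2865/2866
ACCOUNTING_REQUEST = 4
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_STATUS_TYPE = 40
ACCT_STATUS_START = 1


def build_accounting_request(identifier: int, attributes: List[Tuple[int, bytes]],
                             secret: bytes) -> bytes:
    """Encode an Accounting-Request. Per RFC 2866 the Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + attributes + shared secret)."""
    body = b"".join(struct.pack("!BB", attr_type, len(value) + 2) + value
                    for attr_type, value in attributes)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def validate_accounting_request(packet: bytes, secret: bytes) -> bool:
    """What validating with the RADIUS secret means: recompute the authenticator
    with our copy of the secret and compare it in constant time."""
    if len(packet) < 20 or packet[0] != ACCOUNTING_REQUEST:
        return False
    header, received, body = packet[:4], packet[4:20], packet[20:]
    if struct.unpack("!H", header[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    return hmac.compare_digest(received, expected)


def parse_attributes(packet: bytes) -> List[Tuple[int, bytes]]:
    """Walk the type/length/value attributes that follow the 20-byte header."""
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def decode_framed_ip(value: bytes, order: str) -> ipaddress.IPv4Address:
    """'network-order' is the RFC encoding; 'host-order' is the byte-reversed form
    some servers send, so 192.168.1.10 shows up as 10.1.168.192."""
    if len(value) != 4:
        raise ValueError("Framed-IP-Address must be 4 octets")
    return ipaddress.IPv4Address(value if order == "network-order" else value[::-1])


def detect_framed_ip_order(value: bytes, subscriber_pool: str) -> str:
    """Pick the order that places the address inside the known subscriber pool."""
    pool = ipaddress.ip_network(subscriber_pool)
    as_network = decode_framed_ip(value, "network-order") in pool
    as_host = decode_framed_ip(value, "host-order") in pool
    if as_network and not as_host:
        return "network-order"
    if as_host and not as_network:
        return "host-order"
    return "ambiguous"  # both or neither fit; inspect more records before deciding


# Constructed sample: one Accounting-Start for a subscriber at 192.168.1.10.
SECRET = b"example-shared-secret"  # placeholder, not a real secret
SAMPLE_PACKET = build_accounting_request(7, [
    (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS_START)),
    (ATTR_CALLING_STATION_ID, b"14155550100"),  # MSISDN-style value (constructed)
    (ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address("192.168.1.10").packed),
], SECRET)


def sample_framed_ip() -> bytes:
    """The raw Framed-IP-Address octets from the constructed packet."""
    return dict(parse_attributes(SAMPLE_PACKET))[ATTR_FRAMED_IP_ADDRESS]


if __name__ == "__main__":
    print("valid with right secret:", validate_accounting_request(SAMPLE_PACKET, SECRET))
    print("valid with wrong secret:", validate_accounting_request(SAMPLE_PACKET, b"wrong"))
    raw = sample_framed_ip()
    print("network-order:", decode_framed_ip(raw, "network-order"))
    print("host-order:   ", decode_framed_ip(raw, "host-order"))
    print("detected:", detect_framed_ip_order(raw, "192.168.0.0/16"))
```

If the detector reports the wrong order for your pool, the carrier-endpoint-framed-ip-order setting above needs to be switched; with the wrong setting every subscriber address is reversed and reputation tracking attaches to the wrong endpoints.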

Policy and Profile Settings

Use session profiles to control outgoing traffic. To configure the session profile for connections from external SMTP clients:

  1. Go to Profile > Session > Session.
  2. Select New.
  3. Enter a name for the session profile in the Profile Name field (e.g. external_session_profile).
  4. Enable Hide this box from the mail server.
  5. Select Enable sender reputation and enter the appropriate information.
  6. Enable Prevent encryption of the session under the Session Settings section.
  7. Enable Prevent open relaying under the Unauthenticated Session Settings section.
  8. Select Create.

Before continuing, be sure to create an antispam and an antivirus profile by going to Profile > AntiSpam > AntiSpam and Profile > AntiVirus > AntiVirus.

 
(Figure: creating the session profile settings)

Your session profile, once configured, is applied through IP-based policies governing SMTP client connections.

To configure the IP-based policy for connections

  1. Go to Policy > Policies > IP Policies.
  2. Select Edit for the default policy whose Match column contains 0.0.0.0/0 -> 0.0.0.0/0.
  3. Select your previously created session profile from the Session dropdown menu in the Profiles section. 
  4. Select your antispam and antivirus profiles from their respective dropdown menus.
  5. Select OK.
 
(Figure: creating the IP-based policy)

 


FortiMail Best Practices: System Maintenance


Although your FortiMail unit will catch almost all threats that are sent to your network, there are some things you should be aware of if you want to maximize security. 

The Best Practices recipes will cover specific tips to ensure the most secure and reliable operation of your FortiMail unit.

This recipe covers the best practices for system maintenance.

 

System Maintenance Tips

The following are some tips to keep your system running smoothly.

1. Before you upgrade or downgrade any firmware, always perform a complete backup of configuration files and other related data, such as the Bayesian database, dictionary, and black and white lists.

For details on how to perform a complete backup, see the corresponding chapter in the FortiMail Administrator Guide.

2. Always keep your firmware updated. Go to Monitor > System Status > Status and select the Update link from the Firmware Version row. Make sure to back up the configuration data before updating.

3. Configure the FortiMail unit to accept both scheduled and push updates of antivirus attack definitions. FortiGuard updates are configured in Maintenance > FortiGuard > Update.
4. Before a FortiMail unit can receive FortiGuard Antivirus and/or FortiGuard Antispam updates, it needs to connect to the FortiGuard Distribution Network (FDN). FDN connection status can be checked in Maintenance > FortiGuard > Update.
5. Allow the FortiMail unit access to a valid DNS server. DNS services are required for many FortiMail features, including scheduled updates and FortiGuard Antispam rating queries. The DNS server used by the FortiMail unit is configured in System > Network > DNS.

 


FortiMail Best Practices: Network Topology


Although your FortiMail unit will catch almost all threats that are sent to your network, there are some things you should be aware of if you want to maximize security. 

The Best Practices recipes will cover specific tips to ensure the most secure and reliable operation of your FortiMail unit.

This recipe covers the best practices for network topology.

There are instances when your FortiMail unit, when placed in a complex network environment, can be bypassed by spammers if the network is not carefully planned and deployed.

Network Topology Tips

The following are some tips to ensure maximum safety for your network.

1. Make sure to configure your routers and firewalls to send all SMTP traffic to or through the FortiMail unit for scanning.

2. If your FortiMail unit operates in gateway mode, on public DNS servers, modify the MX records for each protected domain so that they contain only a single MX record entry that refers to the FortiMail unit.

In an attempt to avoid spam defenses, spammers will determine the lowest priority mail server and deliver spam to that server instead of to the FortiMail unit.

3. If your FortiMail unit operates in transparent mode, make sure to deploy it directly in front of your protected email servers.

If you don’t place the unit in the front it greatly limits your protection. If it is in the front, all emails can be scanned.

4. If your FortiMail unit operates in transparent mode, do not connect two ports to the same VLAN on a switch or to the same hub. Some Layer 2 switches become unstable when they detect the same media access control address originating on more than one switch interface or from more than one VLAN.

 


FortiMail Email Authentication: SPF, DKIM and DMARC


Domain-based Message Authentication, Reporting & Conformance (DMARC) performs email authentication with Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) checking. 

SPF compares the client IP address to the IP address of the authorized senders in the DNS record. If the test fails, the email is treated as spam.

DKIM allows FortiMail to check for DKIM signatures for incoming email or sign outgoing email with the domain keys for the protected domains.

This recipe covers how to enable DMARC, SPF, and DKIM.

If you require more information on DMARC, SPF, or DKIM, consult the FortiMail Administrator Guide.

Enabling SPF checking

You can enable SPF in the antispam profile and in the session profile settings. If you select Bypass SPF checking in the session profile, however, SPF checking will be bypassed even if you enable it in the antispam profile.

To enable SPF in an antispam profile

  1. Go to Profile > Antispam.
  2. Select New or double click an existing profile.
  3. Enable SPF check.

To enable SPF in a session profile

  1. Go to Profile > Session.
  2. Select New or double click an existing profile.
  3. Select the arrow beside the Sender Validation section to expand it.
  4. Enable or disable SPF by selecting the appropriate option from the dropdown menu.

    If the sender domain's DNS record lists SPF-authorized IP addresses, use SPF check to compare the client IP address to the IP addresses of the authorized senders in the DNS record. An unauthorized client IP address increases the client's sender reputation score, while an authorized client IP address decreases it.

Enabling DKIM checking

FortiMail can perform DKIM checking for incoming mail by querying the DNS server that hosts the DNS record for the sender's domain name to retrieve its public key and verify the DKIM signature.

To enable DKIM checking

  1. Go to Profile > Session.
  2. Select New or double click an existing profile.
  3. Select the arrow beside the Sender Validation section to expand it.
  4. Enable DKIM check.

Configuring DKIM Signing

If you want to sign outgoing mail with DKIM signatures so that the remote receiving server can verify the signatures, you can do so after you create the protected domains. Note that the DKIM signing settings only appear when configuring an existing protected domain.

To configure DKIM signing

  1. Go to Mail Settings > Domains > Domains.
  2. Double click an existing protected domain.
  3. Expand the Advanced Settings and then expand the DKIM setting.
  4. Enter a selector to use for the DKIM key in the entry field and select Create.
    The selector name for the key pair appears in the list of domain key selectors. The key pair is generated and the public key is exported for publication on a DNS server.
  5. Click to select the domain key and then select Download.
  6. Publish the public key by inserting the exported DNS record into the DNS zone file of the DNS server that resolves this domain name.
  7. Select OK.

To enable DKIM signing

  1. Go to Profile > Session.
  2. Select New or double click an existing profile.
  3. Select the arrow beside the Sender Validation section to expand it.
  4. Enable DKIM signing for outgoing messages.

Enabling DMARC

DMARC performs email authentication with SPF and DKIM checking. If either the SPF or the DKIM check passes, the DMARC check passes. If both of them fail, the DMARC check fails.

Enabling DMARC will enable both SPF and DKIM.

To enable DMARC

  1. Go to Profile > AntiSpam > AntiSpam.
  2. Select New or modify an existing profile.
  3. Enable DMARC check.
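The SPF comparison described at the top of this recipe and the DMARC rule stated just above (pass if either SPF or DKIM passes), worked through as an added example. This is my own code, not FortiMail's implementation: it evaluates an SPF record's ip4, ip6 and all mechanisms with their qualifiers against a client IP entirely offline, skipping mechanisms that need DNS lookups (a, mx, include, exists, ptr) and modifiers such as redirect=. Real DMARC additionally requires the passing identifier to align with the From: domain, which this simplified rule leaves out. The SPF records, client addresses and DKIM results are constructed.

```python
import ipaddress
from typing import Dict, List

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_ONLY_MECHANISMS = {"a", "mx", "include", "exists", "ptr"}


def parse_spf_terms(record: str) -> List[str]:
    """Split a TXT record into its terms after checking the v=spf1 version tag."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    return terms[1:]


def check_spf(record: str, client_ip: str) -> str:
    """Compare the client IP with the authorized senders listed in the record.
    Returns 'pass', 'fail', 'softfail', 'neutral' or 'permerror'."""
    ip = ipaddress.ip_address(client_ip)
    for term in parse_spf_terms(record):
        qualifier = "+"  # an unqualified mechanism means pass
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower().split("/")[0]
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed address in the published record
            matched = ip.version == network.version and ip in network
        elif name in DNS_ONLY_MECHANISMS or "=" in term:
            continue  # needs a DNS lookup or is a modifier; not resolved offline here
        else:
            return "permerror"  # unknown mechanism
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # nothing matched and the record has no 'all'


def dmarc_result(spf_result: str, dkim_result: str) -> str:
    """The page's rule: DMARC passes if either SPF or DKIM passes."""
    return "pass" if "pass" in (spf_result, dkim_result) else "fail"


def authenticate(record: str, client_ip: str, dkim_result: str) -> Dict[str, str]:
    """Run SPF for the connecting client and combine it with a DKIM verdict."""
    spf = check_spf(record, client_ip)
    return {"spf": spf, "dkim": dkim_result, "dmarc": dmarc_result(spf, dkim_result)}


if __name__ == "__main__":
    # Constructed record for a fictional domain and three connecting clients.
    RECORD = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"
    for client, dkim in [("203.0.113.5", "fail"), ("198.51.100.7", "pass"),
                         ("198.51.100.7", "fail")]:
        print(client, authenticate(RECORD, client, dkim))
```

The third client in the demonstration fails both checks, which is the case the recipe describes as a DMARC failure; the second fails SPF but passes DKIM, so DMARC still passes under the stated rule.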


FortiMail Best Practices: Performance Tuning


Although your FortiMail unit will catch almost all threats that are sent to your network, there are some things you should be aware of if you want to maximize security.

The Best Practices recipes will cover specific tips to ensure the most secure and reliable operation of your FortiMail unit.

This recipe covers the best practices for performance tuning.

             

Performance Tuning Tips

To avoid performance problems and prevent FortiMail from refusing SMTP connections under heavy mail traffic, configure recipient address verification, located in Mail Settings > Domains > Domains, with an SMTP or LDAP server. This is especially important when quarantining is enabled, because of the potentially large amount of quarantined mail for invalid recipients.

A great way to limit the amount of resources required to identify spam is to enable greylisting. You can enable greylisting by going to Profile > AntiSpam > AntiSpam.

Apply spam throttling features by creating an IP-based policy in Policy > Policies > Policies, with a session profile from Profile > Session > Session. Sender reputation, session limiting, and error handling are particularly useful.

If you have FortiGuard enabled in an antispam profile, you'll also need to enable caching and Enable Black IP to query the blacklist status of the IP addresses of all SMTP servers appearing in the Received: header lines. You can enable caching in Maintenance > FortiGuard > AntiSpam.

To reduce the latency associated with DNS queries, use a DNS server on your local network.

If logs are stored on the FortiMail unit, set the log rotation size (located in Log and Report > Log Settings > Local Log Settings) to between 10 MB and 20 MB, and set the event logging level to warning or greater. Delete or back up old logs regularly to free storage space.

Make sure to regularly delete or back up old reports, quarantined mail, and mail queue entries to reduce the amount of data stored on the local disk.

Be sure to schedule resource-intensive tasks that are not time critical, such as report generation, for low-traffic periods.

Disable resource-intensive scans, such as the heuristic scan (located in Profile > AntiSpam > AntiSpam), when the spam capture rate is satisfactory.

Enable Max message size to scan and Bypass scan on SMTP authentication in the Scan Conditions section of the antispam profile, located in Profile > AntiSpam > AntiSpam.

Regularly format the mail and log disks to improve disk performance.

Important: Make sure to back up logs and mail before formatting the hard disk. Formatting log disks deletes all log entries.

             


FortiMail Best Practices: System Security


Although your FortiMail unit will catch almost all threats that are sent to your network, there are some things you should be aware of if you want to maximize security.

The Best Practices recipes will cover specific tips to ensure the most secure and reliable operation of your FortiMail unit.

This recipe covers the best practices for system security.

             

System Security Tips

The following are some tips to ensure maximum safety for your network.

1. Only allow administrator network access to legitimate FortiMail administrators. Allowing open administrative access creates a serious risk to the safety of your networks.

You can edit administrator access under System > Administrator > Administrator.

2. Create additional system and domain level administrators with limited permissions for less-demanding management tasks.

There is no reason to provide administrators with access to advanced features if they never use them.

3. Make sure all administrator passwords are at least six characters long and use both numbers and letters. Also make sure to change passwords regularly.

You can change administrator passwords under System > Administrator > Administrator.

4. If your FortiMail unit has an LCD panel, restrict access to the control buttons and LCD by requiring a personal identification number.

These options are available under System > Configuration > Options.

5. Do not increase the administrator idle time-out from the default five minutes.

Administrator time-out settings are located in System > Configuration > Options.

6. Verify that the system time and time zone are correct. Many features, including FortiGuard updates, SSL connections, log timestamps and scheduled reports, rely on the correct system time.

The time zone settings are located under System > Configuration > Time.

             



FortiMail Best Practices: High Availability


Although your FortiMail unit will catch almost all threats that are sent to your network, there are some things you should be aware of if you want to maximize security.

The Best Practices recipes will cover specific tips to ensure the most secure and reliable operation of your FortiMail unit.

This recipe covers the best practices for high availability.

High Availability Tips

The following are some tips to ensure maximum safety for your network.

1. Isolate HA interface connections from your overall network. Heartbeat and synchronization packets contain sensitive configuration information and can consume considerable network bandwidth.

For an active-passive or a config-only HA group consisting of only two FortiMail units, directly connect the HA interfaces using a crossover cable. For a config-only HA group consisting of more than two FortiMail units, connect the HA interfaces to a switch and do not connect this switch to your overall network.

2. Use FortiMail active-passive HA to provide failover protection so that if your primary FortiMail unit fails, the backup FortiMail unit can continue processing email with only a minor interruption to your email traffic.

3. Use config-only HA if you want to create a mail server farm for a large organization. You can also install a FortiMail config-only HA group behind a load balancer. The load balancer can balance the mail processing load to all FortiMail units in the config-only HA group, improving mail processing capacity.

4. Maintain the HA heartbeat connection between HA members. If HA heartbeat communication is interrupted and no remote services are detected, HA synchronization is disrupted and, for active-passive HA groups, the backup unit will assume that the primary unit has failed and become the new primary unit.

5. License all FortiMail units in the HA group for the FortiGuard Antispam and FortiGuard Antivirus services. If you only license the primary unit in an active-passive HA group, after a failover the backup unit cannot connect to the FortiGuard Antispam service. Also, antivirus engine and antivirus definition versions are not synchronized between the primary and backup units.

6. Configure HA to synchronize the system mail directory and the user home directory to prevent email loss during a failover.

7. Do not synchronize or back up the MTA spool directories. The content of the MTA spool directories is very dynamic, so synchronizing MTA spool directories between FortiMail units may use a lot of bandwidth.

8. Store mail data on a NAS server while operating an HA group. Backing up your NAS server regularly helps prevent loss of FortiMail mail data. Additionally, if your FortiMail unit experiences a temporary failure, you can still access the mail data on the NAS server.

9. If you are using a NAS server, disable mail data synchronization. If mail data synchronization is enabled, both the primary and backup units store the mail data to the NAS server, resulting in duplicate traffic.

Disable mail data synchronization to conserve system resources and network bandwidth.

10. Use SNMP, syslog, or email alerts to monitor a cluster for failover messages. These alert messages may aid in quick discovery and diagnosis of network problems.

Configure SNMP in System > Configuration > SNMP.

             


FortiMail Best Practices: SMTP Connectivity


            Although your FortiMail unit will catch almost all threats that are sent to your network, there are some things you should be aware of if you want to maximize security. 

            The Best Practices recipes will cover specific tips to ensure the most secure and reliable operation of your FortiMail unit.

            This recipe covers the best practices for SMTP connectivity.

             

            SMTP Connectivity Tips

            The following are some tips to ensure maximum safety for your network.

             1. Configure a fully qualified domain name (FQDN) that is different than that of your protected email server (gateway mode and transparent mode).

            Go to  Mail Settings > Settings > Mail Server Settings.

             2. Use a different host name for each FortiMail unit when managing multiple FortiMail units of the same model or when configuring an HA cluster.

            The host name is set in Mail Settings > Settings > Mail Server Settings.

             3.  If the FortiMail unit is used as an outbound relay (gateway mode and server mode only) or if remote email users will view their per-recipient quarantines, the FortiMail unit’s FQDN must be globally DNS-resolvable.

            External SMTP servers require that A records and reverse DNS records be configured on public DNS servers for both forward and reverse lookup of the FQDN and its IP address.

             4. Configure the public DNS records for each of your protected domains with only one MX record that routes incoming email through the FortiMail unit (gateway mode). With only one MX record, spammers cannot bypass the FortiMail unit by using lower-priority mail gateways.

             5. If the FortiMail unit is operating in transparent mode, SMTP clients are configured for authentication, and you have disabled the Use client-specified SMTP Server to send email option for SMTP proxies, you must configure and apply an authentication profile.

            To configure the authentication profile, go to Profile > Authentication > Authentication. Without the authentication profile, authentication with the FortiMail unit will fail.

            Additionally, you must configure an access control rule to allow relay to external domains. To configure the access control rule, go to  Policy > Access Control > Receive.
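As an added, offline illustration of tips 3 and 4 above (not part of the original recipe), the following Python checks whether a gateway FQDN is forward-confirmed (every A record has a matching PTR) and flags protected domains that publish more than one MX record. The A, PTR and MX records are constructed sample data; a real check would query DNS instead.

```python
"""Added example: offline checks for SMTP connectivity tips 3 and 4.

The record dictionaries below are constructed sample data standing in for
DNS answers; a real check would query the public resolvers instead.
"""

# Constructed zone data (not real hosts); 203.0.113.0/24 is a documentation range.
A_RECORDS = {
    "mail-gw.example.com": ["203.0.113.25"],
    "mx2.example.com": ["203.0.113.30"],
}
PTR_RECORDS = {
    "203.0.113.25": ["mail-gw.example.com"],
    "203.0.113.30": ["old-host.example.com"],  # stale reverse record
}
MX_RECORDS = {
    # (preference, host); the lowest preference value is tried first
    "example.com": [(10, "mail-gw.example.com")],
    "example.org": [(10, "mail-gw.example.com"), (20, "mx2.example.com")],
}


def check_fqdn(fqdn, a_records=A_RECORDS, ptr_records=PTR_RECORDS):
    """Tip 3: the gateway FQDN must resolve, and every address it resolves to
    must have a PTR record pointing back at the same FQDN. Returns a list of
    problems; an empty list means the FQDN is forward-confirmed."""
    name = fqdn.lower().rstrip(".")
    ips = a_records.get(name, [])
    if not ips:
        return [f"{fqdn}: no A record, so it is not globally resolvable"]
    problems = []
    for ip in ips:
        names = [n.lower().rstrip(".") for n in ptr_records.get(ip, [])]
        if not names:
            problems.append(f"{ip}: no PTR record")
        elif name not in names:
            problems.append(f"{ip}: PTR points at {names}, not {fqdn}")
    return problems


def check_mx(domain, gateway_fqdn, mx_records=MX_RECORDS):
    """Tip 4: a protected domain should publish exactly one MX record, and it
    should route mail through the gateway. Any extra MX host is a path that
    lets a sender bypass the FortiMail unit."""
    mxs = mx_records.get(domain.lower(), [])
    if not mxs:
        return [f"{domain}: no MX record"]
    gateway = gateway_fqdn.lower()
    problems = []
    if not any(host.lower() == gateway for _, host in mxs):
        problems.append(f"{domain}: no MX record points at {gateway_fqdn}")
    bypass = [host for _, host in mxs if host.lower() != gateway]
    if bypass:
        problems.append(
            f"{domain}: additional MX hosts {bypass} let senders bypass the gateway"
        )
    return problems


def audit(gateway_fqdn, protected_domains):
    """Run both checks and return all findings in one list."""
    findings = check_fqdn(gateway_fqdn)
    for domain in protected_domains:
        findings.extend(check_mx(domain, gateway_fqdn))
    return findings


if __name__ == "__main__":
    for finding in audit("mail-gw.example.com", ["example.com", "example.org"]):
        print(finding)
```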


            FortiMail Best Practices: Antispam Tuning

            Although your FortiMail unit will catch almost all threats that are sent to your network, there are some things you should be aware of if you want to maximize security. 

            The Best Practices recipes will cover specific tips to ensure the most secure and reliable operation of your FortiMail unit.

            This recipe covers the best practices for Antispam tuning.

             

            Antispam Tips

            The following are some tips to limit the amount of spam you receive.

            1. Black and white lists can sometimes cause false positives and false negatives if not properly configured. For example, a white list entry *.edu allows all mail from the .edu top level domain to bypass the FortiMail unit’s antispam.
            2. Do not whitelist protected domains. Whitelisted domains bypass antispam scans, so email with spoofed sender addresses in the protected domains will bypass antispam features.

            3. Use a combination of recipient verification and sender reputation to prevent directory harvest attacks (DHA). DHA utilizes recipient verification in an attempt to determine an email server’s valid email address. It is a common method of attack made by spammers.

            If Recipient address Verification is enabled, each recipient address is verified with the protected email server. For email destined for invalid recipient addresses, the FortiMail unit returns User Unknown messages to the SMTP client. Spammers use this response to guess and learn valid recipient addresses.

            You can prevent this from occurring if you enable Enable sender reputation checking in session profiles, located under Profile > Session > Session. Sender reputation weighs each SMTP client’s IP address and assigns it a score. If the SMTP client sends several email messages to unknown recipients, the sender’s reputation score increases significantly. If the sender’s reputation score exceeds the threshold, the SMTP client’s SMTP sessions are terminated at the connection level.

            4. Enable bounce verification to prevent delivery status notification (DSN) spam.

            Spammers may use the DSN to bypass antispam measures. The spammer spoofs the email address of a legitimate sender and sends spam to an undeliverable recipient, expecting that the recipient’s email server will send a DSN back to the sender to notify him/her of the delivery failure. Many antispam mechanisms may be unable to detect the difference between a legitimate and spoofed DSN.

            You can prevent this from occurring by enabling bounce address tagging and verification, located in AntiSpam > Bounce Verification > Settings. Select Use antispam profile settings for the Bounce verification action option. Disable both the Bypass bounce verification option (Mail Settings > Domains > Domains) and the Bypass bounce verification check option (Profile > Session > Session). Finally, verify that both outgoing and incoming email are routed through the FortiMail unit. The FortiMail unit cannot tag email, or recognize legitimate DSNs for previously sent email, unless all email passes through the unit.
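The following Python is an added model of tip 3 (recipient verification combined with sender reputation); it is not FortiMail code. The score weights, the threshold and the mailbox directory are constructed assumptions chosen to show why a directory harvest attack is cut off at the connection before it can probe for valid addresses.

```python
"""Added example: recipient verification feeding a per-client reputation score.

Weights and threshold are illustrative assumptions, not FortiMail's values.
"""

from collections import defaultdict

# Constructed mailbox directory of the protected email server.
VALID_MAILBOXES = {"alice@example.com", "bob@example.com"}


class SenderReputation:
    """Per-client-IP score. Unknown-recipient attempts (the 'User Unknown'
    replies a directory harvest attack probes for) raise the score sharply;
    accepted recipients lower it slightly. A client whose score exceeds the
    threshold is refused at connection time, before any RCPT TO is seen."""

    def __init__(self, threshold=100, unknown_weight=30, known_weight=-5):
        self.threshold = threshold
        self.unknown_weight = unknown_weight
        self.known_weight = known_weight
        self.scores = defaultdict(int)

    def record(self, client_ip, recipient_known):
        delta = self.known_weight if recipient_known else self.unknown_weight
        self.scores[client_ip] = max(0, self.scores[client_ip] + delta)
        return self.scores[client_ip]

    def accept_connection(self, client_ip):
        return self.scores[client_ip] <= self.threshold


def rcpt_to(tracker, client_ip, recipient, valid=VALID_MAILBOXES):
    """Recipient verification: return the SMTP reply code for one RCPT TO
    and feed the outcome into the client's reputation."""
    known = recipient.lower() in valid
    tracker.record(client_ip, known)
    return 250 if known else 550  # 550 is the 'User unknown' reply


def run_session(tracker, client_ip, recipients):
    """Model one SMTP session: refused outright when the reputation score is
    over the threshold, otherwise each RCPT TO is verified. Returns the list
    of reply codes; a refused connection is modelled as an empty list."""
    if not tracker.accept_connection(client_ip):
        return []
    return [rcpt_to(tracker, client_ip, r) for r in recipients]


if __name__ == "__main__":
    tracker = SenderReputation()
    # Constructed harvester guessing local parts alphabetically over sessions.
    harvester = "198.51.100.7"
    for batch in (["aaron@example.com", "abby@example.com"],
                  ["abe@example.com", "adam@example.com"],
                  ["alice@example.com"]):
        print(harvester, run_session(tracker, harvester, batch),
              "score", tracker.scores[harvester])
    # A legitimate sender with a single typo stays well under the threshold.
    legit = "192.0.2.10"
    print(legit, run_session(tracker, legit,
          ["alice@example.com", "bobb@example.com", "bob@example.com"]),
          "score", tracker.scores[legit])
```

In the constructed run the harvester's third session is refused before it reaches the one valid address, while the legitimate sender's typo costs a few points and is forgiven by later good recipients.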
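To make tip 4 concrete, here is an added Python model of bounce address tagging and verification in the style of the BATV "prvs" scheme. It illustrates the mechanism only and is not FortiMail's implementation; the key, time-to-live, day counter and addresses are constructed.

```python
"""Added example: bounce address tagging and verification (BATV 'prvs' style).

The tag placed on the envelope sender of outgoing mail is
    prvs=<key-id><expiry-day DDD><6 hex chars of HMAC>=<original address>
so a DSN that comes back is only delivered if its recipient carries a tag
this gateway issued and the tag has not expired.
"""

import hashlib
import hmac
import re

PRVS_RE = re.compile(r"^prvs=(\d)(\d{3})([0-9a-f]{6})=(.+)$", re.IGNORECASE)


def _signature(key, key_id, expiry_day, address):
    msg = f"{key_id}{expiry_day:03d}{address.lower()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:6]


def batv_tag(address, key, today, key_id=0, ttl_days=7):
    """Rewrite the envelope sender of an outgoing message. `today` is a day
    counter (for example day of year); the expiry is kept modulo 1000."""
    expiry_day = (today + ttl_days) % 1000
    sig = _signature(key, key_id, expiry_day, address)
    return f"prvs={key_id}{expiry_day:03d}{sig}={address}"


def batv_verify(return_path, key, today, max_ttl=7):
    """Check the RCPT TO of an inbound bounce.
    Returns (ok, original_address, reason)."""
    m = PRVS_RE.match(return_path)
    if not m:
        return False, return_path, "untagged"
    key_id, expiry_day, sig, address = int(m[1]), int(m[2]), m[3].lower(), m[4]
    if (expiry_day - today) % 1000 > max_ttl:
        return False, address, "expired"
    expected = _signature(key, key_id, expiry_day, address)
    if not hmac.compare_digest(sig, expected):
        return False, address, "bad signature"
    return True, address, "ok"


def inbound_decision(mail_from, rcpt_to, key, today):
    """Gateway decision for an inbound message. A DSN (empty MAIL FROM) is
    delivered only when its recipient carries a valid tag, so spoofed bounces
    for mail this gateway never sent are rejected. Other mail continues to
    the normal antispam scans."""
    if mail_from != "":
        return "scan"
    ok, address, reason = batv_verify(rcpt_to, key, today)
    return f"deliver to {address}" if ok else f"reject ({reason})"


if __name__ == "__main__":
    KEY = b"constructed-demo-key"  # constructed; use a random secret in practice
    tagged = batv_tag("alice@example.com", KEY, today=100)
    print(tagged)
    print(inbound_decision("", tagged, KEY, today=100))
    print(inbound_decision("", "alice@example.com", KEY, today=100))
    print(inbound_decision("", tagged, KEY, today=120))
```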


            Default exemptions in the SSL deep-inspection profile

            In the default configuration for FortiOS 5.2, several FortiGuard categories and firewall addresses appear in the Exempt from SSL Inspection list. However, if you upgrade your FortiGate to 5.2 from an earlier version, these addresses are not added to your configuration unless you perform a factory reset.

            If you would like to manually add some or all of these exemptions to your configuration, the screenshots below show the complete list of the exemptions and information about the firewall addresses.

            The exemption list

            This image shows the Exempt from SSL Inspection list from the default 5.2 configuration.

            Default firewall addresses

            This image shows the Firewall Address list from the default 5.2 configuration. This includes addresses that are not part of the exemption list, such as the default addresses for SSL VPN users.

            For more information about exemptions to SSL inspection, see Exempting Google from SSL inspection.

            If you create a new VDOM after upgrading your FortiGate, the exemptions will appear on the VDOM.


            IPsec VPN Two-Factor Authentication with FortiToken (Video)

            In this video, you will configure two-factor authentication using FortiToken for IPsec VPN connections. You will add a FortiToken-200 to the FortiGate, assign the token to the user, and add the user to the group. You will then use the Wizard to create an IPsec VPN tunnel that allows FortiToken-200 users to securely access an internal network and the Internet. You will test the setup by having the user access the VPN from a remote device, using FortiClient.

            The recipe for this video is available here.



            FortiMail Troubleshooting: Access Difficulty

            The Troubleshooting recipes are here to assist you in diagnosing and remedying any problems you experience when using your FortiMail unit.

            This recipe guides you through the process of troubleshooting access problems, such as an administrator account that can’t connect to the basic web UI or problems logging in as an administrator.

             

            Problem #1: Inaccessible Basic UI

            An administrator account can’t connect to the basic mode of the web interface or the CLI, despite being able to connect to the advanced mode of the web UI.

            The Solution

            Set the administrator account’s Domain to System. Domain administrators, also known as tiered administrators, cannot access the CLI or the basic mode of the GUI. For more information, see FortiMail operation modes on page 23 of the Administrator Guide.

            Problem #2: Log in Issues

            Administrators cannot log in to the web UI or the CLI.

            The Solution

            First, make sure you’re using the correct admin name and password.

            Each FortiMail interface has a set of administrator access protocols. These are the methods an administrator uses to connect to FortiMail. Any or all of these protocols can be disabled on any interface.

            IMPORTANT: For security purposes, you should only enable access that is required. If you open access for troubleshooting, remember to disable it when you’re done. Failure to disable access may result in a security breach.

            To enable administrator access on the dmz interface

            1. Log in as administrator.
            2. Go to System > Network > Interface.
            3. Select the interface and select
            4. Select the protocols you wish to use to access the interface in the Access
            5. Select

            Repeat for each interface where administrative access is required.

            Problem #3: Trusted Host Issues

            The trusted hosts for the admin account will not allow the current IP.

            The Solution

            If an external administrator login is required, a secure VPN tunnel can be established with a set IP address or range of addresses that are entered as a trusted address.

            Trusted host login issues occur when an administrator attempts to log in from an IP address that is not included in the trusted host list.

            To verify trusted host login issues

            1. Record the IP address where the administrator is attempting to log in to the FortiMail unit.
            2. Log in to the web UI and go to System > Administrator > Administrator.
            3. Select the administrator account in question and click the Edit icon.
            4. Compare the list of trusted hosts to the problem IP address. If there is a match, the problem is not due to trusted hosts.
            5. If there is no match and the new address is valid (secure), add it to the list of trusted hosts.
            6. Select OK.

            If the problem was due to trusted hosts, the administrator can now log in.


            Setting up an internal network with a managed FortiSwitch

            In this recipe, you will set up a FortiGate to connect to and manage an internal wired network consisting of client PCs connected to a managed FortiSwitch.

            This recipe is part of the Cooperative Security Fabric collection. It can also be used as a standalone recipe.

            Once management communication is set up between the FortiGate and the FortiSwitch, you will create and assign VLANs and configure port information on the FortiSwitch from the FortiGate. Then you can connect client PCs to the FortiSwitch and add policies to the FortiGate to allow the client PCs to access the Internet and other resources.

            Management communication between the FortiGate and the managed FortiSwitch uses Fortinet’s proprietary FortiLink protocol. FortiLink is only supported for selected FortiGate and FortiSwitch models; see the FortiSwitch/FortiGate Compatibility Matrix.

            In this example, a FortiGate 90D (called Marketing) manages a FortiSwitch 108D by using an Ethernet cable to connect the FortiGate’s internal 1 interface to the FortiSwitch’s port 9. The interfaces to use for these connections vary by FortiGate and FortiSwitch model. See Connecting FortiLink ports for details.


            1. Enabling Switch Controller on the FortiGate

            Go to System > Feature Select. Under Basic Features, turn on Switch Controller and select Apply.

             

            2. Configuring the FortiGate interface and connecting the FortiSwitch

            By default, a FortiGate 90D’s internal 1 interface is part of the internal hardware switch. This interface must be removed from the switch on the Marketing FortiGate before it can be used to connect the FortiSwitch.

            Go to Network > Interfaces and edit the internal interface. Remove internal 1 from the Physical Interface Members list.

             

            Edit the internal 1 interface.

            Set Addressing mode to Dedicated to FortiSwitch and enable Automatically authorize devices.

             
            Connect the Marketing FortiGate and FortiSwitch.

            3. Setting up the FortiSwitch and connecting devices

            Go to WiFi & Switch Controller > Managed FortiSwitch. The marketing FortiSwitch appears.

             

            Double-click on the FortiSwitch to edit its Name and Description. You can also Restart the FortiSwitch, De-authorize it, or upgrade its firmware.

             

            Go to WiFi & Switch Controller > FortiSwitch Ports. This page shows information on each physical port of the FortiSwitch, including VLAN assignment and Power over Ethernet (PoE) capabilities. By default, all FortiSwitch ports are part of the vsw.internal1 VLAN interface.

             

            Go to WiFi & Switch Controller > FortiSwitch VLANs and edit the default vsw.internal1 VLAN.

            Set Addressing mode to Manual and set the IP/Network mask to a private IP address (in the example, 10.10.201.1). Configure Administrative Access to allow FortiTelemetry.

            Enable DHCP Server and Device Detection.

             

            Connect internal Marketing network PCs and other devices to FortiSwitch interfaces that are part of the default VLAN. The devices that you connect will get their IP configuration from the DHCP server added to the default VLAN.

            Go to Policy & Objects > IPv4 Policy and create a policy that allows devices on the Marketing internal network to access the Internet.

             

            4. (Optional) Adding the default VLAN to OSPF routing table

            In the example network created as part of the Cooperative Security Fabric collection, OSPF routing is used for communication between the internal Fortinet devices. If you are using OSPF routing for your network, the FortiSwitch must be added to the OSPF routing table.

            For more information about the OSPF routing in this network, see Installing internal FortiGates and enabling a security fabric.

            In the example, the Marketing FortiGate is a 90D, a model that does not support OSPF configuration using the GUI. To add OSPF routing, use the following CLI command:

            config router ospf
              config network
                edit 0
                  set prefix 10.10.201.0/255.255.255.0
                next
              end
            end

            5. Results

            Devices on the internal Marketing network can now access the Internet.

            You can view information about this traffic by going to FortiView > All Sessions and selecting the Now view.

             

            6. Additional CSF Results

            On the External FortiGate, go to FortiView > Physical Topology and select the Access Device view. The FortiSwitch appears as part of the Cooperative Security Fabric.  

            For additional information, see Managing FortiSwitches with FortiGate, which is available in the FortiOS 5.4 Handbook.



            Adding endpoint control to a security fabric

            In this example, you will use endpoint control on an ISFW FortiGate that is part of a Cooperative Security Fabric (CSF). To do this, you will create a FortiClient Profile that only allows traffic from compliant devices to flow through the FortiGate. The FortiClient Profile will also enforce the use of AntiVirus, Web Filtering, and Application Control, and make sure that a current version of FortiClient is used.

            In the example, the ISFW FortiGate has the host name Marketing. The FortiClient Profile is applied on the Marketing FortiGate, rather than External, because the internal network connects directly to this FortiGate.

            This recipe is part of the Cooperative Security Fabric collection. It can also be used as a standalone recipe.

            This recipe requires both FortiOS 5.4.1 (or higher) and FortiClient 5.4.1 (or higher). If you need to upgrade, make sure to upgrade registered FortiClient endpoints to FortiClient 5.4.1 before you upgrade FortiGate.

            1. Enabling endpoint control on the FortiGate

            On the Marketing FortiGate, go to System > Feature Select and make sure that Endpoint Control is enabled.  

            2. Enforcing FortiClient registration on the internal interface

            Go to Network > Interfaces and edit the interface used for the internal network.

            Under Administrative Access, enable FortiTelemetry.

            Under Admission Control, enable Enforce FortiTelemetry for all FortiClients.  

            3. Configuring the FortiClient Profile

            Configuring a FortiClient Profile allows you to control the security features enabled on the registered endpoint. The profile is automatically downloaded by FortiClient when it connects to the FortiGate.

            Go to Security Profiles > FortiClient Profiles and edit the default profile.

            Set Non-compliance action to Auto-update, to make sure any non-compliant endpoints will have their configurations updated to become compliant.

            Enable AntiVirus, then enable both Realtime Protection and Up-to-date signatures.

            Enable both Web Filter and Application Firewall and select the default filters.

            Enable System compliance, then enable Minimum FortiClient version. Set both Windows endpoints and Mac endpoints to FortiClient 5.4.1 (or higher).

             

            4. Setting up a compliant FortiClient device

            Use a PC on the internal network that does not have FortiClient installed and attempt to connect to the Internet. A message appears stating that endpoint compliance has failed. The message also contains instructions about how to become compliant.  
            Install FortiClient on the PC, then go to the Compliance screen. Set up a FortiTelemetry connection to the Marketing FortiGate.  
            After the connection is made, the device may still appear as Non-compliant because it has to receive and apply updates from the Marketing FortiGate.  

            5. Results

            Once FortiClient shows that your device is Compliant, you are able to connect to the Internet.  
            On the Marketing FortiGate, go to Monitor > FortiClient Monitor. The PC is listed as a Compliant device.  
            On the External FortiGate, go to FortiView > Physical Topology. The PC appears connected to the Marketing FortiGate.  
            Go to FortiView > Logical Topology. The PC appears connected to the Marketing FortiGate.  
            Go to Monitor > FortiClient Monitor. Because endpoint control is applied to the Marketing FortiGate, the PC is listed as an Exempt device.  
            You can also Exempt Sources and/or Exempt Destinations/Services. If you were to exempt a source device, that device would not require FortiClient registration to access network services or the Internet.
            You can add additional FortiClient Profiles to define exceptions to the default profile. The configuration of the exception profiles includes devices, users, or addresses to which the exception applies.


            Installing internal FortiGates and enabling a security fabric

            In this example, you will install two Internal Segmentation Firewalls (ISFWs) behind your External FortiGate. One of these FortiGates will be used to protect your Accounting team’s network, while the other will be used for the Marketing team. You will also enable a Cooperative Security Fabric (CSF) and use OSPF routing between these FortiGates.

            This recipe is part of the Cooperative Security Fabric collection. It can also be used as a standalone recipe.

            1.  Configuring External to connect to Accounting

            In this example, the External FortiGate’s port 10 will connect to the Accounting FortiGate’s wan1.

            On the External FortiGate, go to Network > Interfaces and edit port 10.

            Set an IP/Network Mask for the interface (in the example, 192.168.10.2).

            Configure Administrative Access to allow FortiTelemetry, required for communication between FortiGates in the CSF. Configure other services as required.

             

            Go to Policy & Objects > IPv4 Policy and create a policy for traffic from the Accounting FortiGate to the Internet.

            Enable NAT.

             
            Connect the FortiGates.

            2. Configuring the Accounting FortiGate

            On the Accounting FortiGate, go to Network > Interfaces and edit wan1.

            Set an IP/Network Mask for the interface that is on the same subnet as the External FortiGate’s port 10 (in the example, 192.168.10.10).

            Configure Administrative Access to allow FortiTelemetry.

             

            Edit the lan interface.

            Set Addressing Mode to Manual and set the IP/Netmask to a private IP address (in the example, 10.10.10.1). Configure Administrative Access to allow FortiTelemetry.

            Under Networked Devices, enable Device Detection.

             

            Go to Policy & Objects > IPv4 Policy and create a policy to allow users on the Accounting network to access the Internet.

            Because OSPF routing will be used, make sure NAT is not enabled.

            3. Installing and configuring the Marketing FortiGate

            Connect and configure the Marketing FortiGate using the same method as the Accounting FortiGate. Make sure to include the following:

            On External:
            • Configure an interface to connect to the Marketing FortiGate (this example uses port 11 with the IP 192.168.200.2)
            • Create a policy for traffic from the Marketing FortiGate to the Internet

            On Marketing:
            • Configure wan1 to connect to the External FortiGate (example IP: 192.168.200.10)
            • Configure the lan interface for the Marketing Network (example IP: 10.10.200.1)
            • Create a policy to allow users on the Marketing network to access the Internet

            4. Configuring OSPF routing between the FortiGates 

            On the External FortiGate, go to Network > OSPF. Set Router ID to 0.0.0.1 and select Apply.

            Expand the Advanced Options and set Default Information to Always, to make sure the default route is broadcast from External to the ISFW FortiGates.

             
            In Areas, select Create New. Set Area to 0.0.0.0, Type to Regular, and Authentication to None.  

            In Networks, select Create New. Set IP/Netmask to 192.168.10.0/255.255.255.0 (the subnet that includes Accounting’s wan1) and Area to 0.0.0.0.

            Create a second entry with the IP/Netmask set to 192.168.200.0/255.255.255.0 (the subnet that includes Marketing’s wan1).

             

            On the Accounting FortiGate, configure OSPF routing as shown. The Networks in this configuration are the subnet that includes Accounting’s wan1 and the subnet for the Accounting Network.

             

            In the example, the Marketing FortiGate is a 90D, a model that does not support OSPF configuration using the GUI. To add OSPF routing, use the following CLI command:

            config router ospf
              set router-id 0.0.0.3
              config area
                edit 0.0.0.0
                next
              end
              config network
                edit 1
                  set prefix 192.168.200.0/255.255.255.0
                next
                edit 2
                  set prefix 10.10.200.0/255.255.255.0
                next
              end
            end

            5. Enabling the Cooperative Security Fabric

            On the External FortiGate, go to System > Cooperative Security Fabric. Enable Cooperative Security Fabric (CSF) and set a Group name and Group password.

             

            On the Accounting FortiGate, go to System > Cooperative Security Fabric. Enable Cooperative Security Fabric (CSF) and enter the name and password for the fabric.

            Enable Connect to upstream FortiGate and enter the IP address of External port 10.

             

            Configure CSF on the Marketing FortiGate, using the IP address of External port 11.

            6. Results

            On the External FortiGate, go to FortiView > Physical Topology.

            This dashboard shows a visualization of all access layer devices in the Cooperative Security Fabric.

             

            On the External FortiGate, go to FortiView > Logical Topology.

            This dashboard displays information about the interface (logical or physical) that each device in the CSF is connected to.

             

            Go to Monitor > Routing Monitor. You will see both ISFW FortiGates listed, using OSPF routing.

            7. (Optional) Adding security profiles to the fabric

            CSF configurations allow you to distribute security functions to different FortiGates in the security fabric. For example, you may want to implement virus scanning on the External FortiGate but add application control and web filtering to the ISFW FortiGates.

            This results in distributed processing between the FortiGates in the CSF, reducing the load on each one. It also allows you to customize the web filtering and application control for the specific needs of the Accounting network, as other internal networks may have different application control and web filtering requirements.

            This configuration may result in threats getting through the External FortiGate, which means you should very closely limit access to the network connections between the FortiGates in the CSF.

            On the External FortiGate, go to Policy & Objects > IPv4 Policy and edit the policy allowing traffic from the Accounting FortiGate to the Internet.

            Under Security Profiles, enable AntiVirus and select the default profile.

             

            On the ISFW FortiGates, go to Policy & Objects > IPv4 Policy and edit the policy allowing traffic from the Accounting FortiGate to the Internet.

            Under Security Profiles, enable Web Filter and Application Control. Select the default profiles for both.

             
            Another strategy you could choose is to have flow-based inspection on the External FortiGate and proxy-based inspection used by the ISFW FortiGates. For more information, see Inspecting traffic content using flow-based inspection.

             

            The External FortiGate has already been installed in NAT/Route mode. For more information, see Installing a FortiGate in NAT/Route mode.


            High Availability with two FortiGates

            In this recipe, a backup FortiGate unit will be installed and connected to a previously installed primary FortiGate to provide redundancy if the primary FortiGate fails.

            This recipe is part of the Cooperative Security Fabric collection. It can also be used as a standalone recipe.

            This setup, called FortiGate High Availability (HA), improves network reliability. The previously installed FortiGate will continue to operate as the primary unit and the new FortiGate will operate as the backup FortiGate.


            1. Setting up registration and licensing

            Make sure both FortiGates are running the same FortiOS firmware version. Register and apply licenses to the new FortiGate unit before adding it to the cluster. This includes activation of FortiCloud and licenses for FortiGuard, FortiSandbox, FortiClient, and FortiToken, as well as entering a license key if you purchased more than 10 Virtual Domains (VDOMs).

            You can also install any third-party certificates on the primary FortiGate before forming the cluster. Once the cluster is formed third-party certificates are synchronized to the backup FortiGate.

            2. Configuring the Primary FortiGate for HA

            Connect to the primary FortiGate GUI and from the System Information Dashboard widget change the Host Name to identify this as the primary FortiGate in the HA cluster.

             
             

            Also on the System Information widget, configure HA Status (or go to System > HA). Set the Mode to Active-Passive. Set the Device Priority to a higher value than the default to make sure this FortiGate will always be the primary FortiGate. Also set a Group Name and Password.

            Make sure that the two Heartbeat Interfaces (port3 and port4) are enabled and their priorities are both set to 50.

            Since the backup FortiGate is not available, when you save the HA configuration the primary FortiGate will form a cluster of one FortiGate but will keep operating normally.

             

            3. Connecting the backup FortiGate

            Connect the backup FortiGate to the primary FortiGate and the network as shown in the network diagram at the top of the recipe. Making these network connections will disrupt traffic so you should do this when the network is quiet.

            If possible, make direct Ethernet connections between the heartbeat interfaces of the two FortiGate units.

            Switches must be used between the cluster and the Internet and between the cluster and the internal networks as shown in the network diagram. You can use any good quality switches to make these connections. You can also use one switch for all of these connections as long as you configure the switch to separate traffic from the different networks.

            4. Configuring the backup FortiGate for HA

            Connect to the backup FortiGate GUI and from the System Information Dashboard widget change the Host Name to identify this as the backup FortiGate.

             

            Also on the System Information widget, configure HA Status (or go to System > HA) and duplicate the HA configuration of the primary FortiGate (except for the Device Priority): set the Mode to Active-Passive, set the Device Priority to a lower value than the default to make sure this FortiGate will always be the backup FortiGate. Also set the same Group Name and Password as the primary FortiGate.

            Make sure that the two Heartbeat Interfaces (port3 and port4) are enabled and their priorities are both set to 50.

            When you save the backup FortiGate’s HA configuration, the FortiGates will find each other and form a cluster of two FortiGates. Network traffic may be disrupted for a few seconds while the cluster is negotiating.

             

            5. Viewing the cluster status

            Connect to the primary FortiGate GUI. The System Information widget displays the HA status and some information about the cluster. For example, the System Information widget can indicate when the configurations of the cluster units are not synchronized.
            From the System Information widget, select HA Status (or go to System > HA) to view the cluster status.
            Select View HA Statistics for more information on how the cluster is operating and processing traffic.  
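            The backup unit's HA settings from step 4, together with the cluster checks from step 5, expressed as the equivalent FortiOS CLI. This is an added example, not part of the original recipe: the group name and the priority value 100 are assumed, the password placeholder stands for the string configured on the primary, and the primary is assumed to keep a priority above the default of 128.

```fortios
# Added example: CLI equivalent of the backup FortiGate's HA settings.
# Group name and priority are assumed values; the password must be the
# same string configured on the primary FortiGate.
config system ha
    set group-name "External-HA"
    set mode a-p
    set password <same-password-as-primary>
    # Heartbeat on port3 and port4, both at priority 50, as in the GUI steps
    set hbdev "port3" 50 "port4" 50
    # Lower than the primary (assumed to be set above the default of 128)
    # so this unit is always elected as the backup
    set priority 100
    # Default setting: a recovered unit does not reclaim the primary role,
    # which is the role reversal described under Results
    set override disable
end

# Checks to run on the primary once the cluster has formed
get system ha status
# Per-unit configuration checksums; a mismatch means the cluster
# configurations are not synchronized
diagnose sys ha checksum cluster
```

            Lines beginning with # are explanatory comments.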

            6. Results

            Traffic is now passing through the primary FortiGate. However, if the primary FortiGate becomes unavailable, traffic should fail over and the backup FortiGate will process traffic.

            Failover also causes the primary and backup FortiGate to reverse roles, even when both FortiGates are available again.

            To test this, ping the IP address 8.8.8.8 using a PC on the internal network. After a moment, power off the primary FortiGate. You will see a momentary pause in the ping results, until traffic diverts to the backup FortiGate, allowing the ping traffic to continue.

            7. (Optional) Upgrading the firmware for the HA cluster

            When a new version of the FortiOS firmware becomes available, upgrading the firmware on the primary FortiGate automatically upgrades the backup FortiGate’s firmware. Both FortiGates are updated with minimal traffic disruption.

            Always review the Release Notes and Supported Upgrade Paths documentation before installing new firmware. These documents can be found at the Fortinet Document Library.

            From the System Information widget, select Backup beside System Configuration. Always remember to back up your configuration before upgrading the firmware.  
            From the System Information widget select Upgrade beside Firmware Version. Find the firmware image file that you downloaded and select OK to upload and install the firmware build.

            The firmware loads onto both the primary and the backup FortiGates with minimal traffic interruption.

            After the upgrade process is complete, verify that the System Information widget shows the new firmware version.

            For further reading, check out FGCP configuration examples and troubleshooting in the FortiOS 5.4 Handbook.

            If you have not already installed a FortiGate, see Installing a FortiGate in NAT/Route mode.
            If the FortiGates in the cluster will be running FortiOS Carrier, apply the FortiOS Carrier license before configuring the cluster (and before applying other licenses). Applying the FortiOS Carrier license sets the configuration to factory defaults, requiring you to repeat steps performed before applying the license.
            This example uses two FortiGate-600Ds and the default heartbeat interfaces are used (port3 and port4). You can use any interfaces for HA heartbeat interfaces. A best practice is to use interfaces that do not process traffic, but this is not a requirement.
            If you are using port monitoring, you can also unplug the primary FortiGate’s Internet-facing interface to test failover.
            For information about accessing firmware images, see Verifying and updating the FortiGate unit’s firmware.

            The post High Availability with two FortiGates appeared first on Fortinet Cookbook.

            Installing FortiAuthenticator VM in vSphere


            In this recipe, you will install and register FortiAuthenticator VM in a VMware ESXi environment and configure basic network settings in the vSphere console tab.

            This recipe assumes that you have already configured the VMware ESXi environment, installed the vSphere client, and acquired a FortiAuthenticator VM registration code, redeemable for a license file.

            1. Downloading the FortiAuthenticator VM

            Log in to the Fortinet Customer Service & Support portal and go to Download > Firmware Images.
            Select FortiAuthenticator from the drop-down provided, and select the Download tab. A directory of Image Folders/Files will open.
            Browse to the desired version that you would like to download (in the example, 4.0.0), and download the .ovf.zip file.
            Browse to the file on your management computer and extract the files to a new folder (the example shows the contents of the deployment package).

            2. Deploying package to VMware

            Launch the VMware vSphere client and log in with valid credentials.

            Go to File > Deploy OVF Template to launch the OVF Template wizard.

            Browse to the deployment package’s OVF files. Note that two of the OVF files end with the extensions .hw04.ovf and .hw07.ovf (.hw04.ovf is for VMware ESXi v3.5 servers).

            Select the most appropriate OVF format of the two, based on your hardware and server settings.

            Continue through the wizard: confirm the OVF template details, accept the End User License Agreement, and enter a name for the OVF template.

            You have the choice of selecting one of three available disk formats. The best choice depends on your virtualization environment:


            Thick Provision Lazy Zeroed: Allocates the disk space statically; no other volumes can take the space.

            Thick Provision Eager Zeroed: Allocates the disk space statically, and writes zeros to all the blocks.

            Thin Provision: Allocates the disk space only when a write occurs to a block, but the total volume size is reported by VMware’s Virtual Machine File System (VMFS) to the OS. Other volumes can take the remaining space. This allows you to float space between your servers.

            The optimal choice is to deploy a Thick Provisioned format, because the disk space is allocated at the time of installation. Thin Provisioning has the benefit of using less disk space initially; however, performance is decreased, and issues can occur if the datastore becomes filled by other VM instances.

            Network 1 maps to port1 of the FortiAuthenticator VM. Make sure to set the destination network for this entry so you will have access to the device console, then select Next.

            Review the deployment settings.

            Select Power on after deployment (or leave it deselected if you wish to configure the VM hardware settings prior to powering it on) and select Finish.

            The deployment is successfully complete.

            3. Configuring basic network settings

            In the VMware vSphere client, open the Inventory and expand the host icon to display your virtual machines. Select the FortiAuthenticator-VM.

            In the Getting Started tab, make sure that the VM is powered on—if you see an option to Power Off the virtual machine under Basic Tasks, then the VM is powered on.

            Open the Console tab and log into the FortiAuthenticator VM. Log in with the default administrator account: admin and no password.

            Set the port1 IP address (set port1-ip) and the default gateway (set default-gw).

            Open a browser, go to https://172.20.121.138/login/, and log into the FortiAuthenticator VM as administrator.

            The FortiAuthenticator VM operates in evaluation mode until it is licensed. Evaluation mode only permits five users to be configured on the system.

            The FortiAuthenticator VM must be registered with Fortinet Customer Service & Support, which will in turn provide you with the license file. This file will then be uploaded to the FortiAuthenticator VM.

            Meanwhile, the FortiAuthenticator VM shows a default Serial Number of FAC-VM0000000000.

            4. Registering FortiAuthenticator VM with Customer Service

            Open a browser, go to the Fortinet Customer Service & Support portal, and log in with valid credentials.

            Go to Asset > Register/Renew. This will take you to the Registration Wizard.

            When the Wizard is complete, select License File Download.

            A .lic file will be saved to your management computer.

            5. Uploading the FortiAuthenticator VM license file

            In the FortiAuthenticator VM, go to System > Administration > Licensing and select Choose File.

            You are warned that the system will require a reboot in order to install the license. Select OK to continue.

            6. Backing up the VM with Snapshot

            At this point, it is strongly recommended that you use the VMware Snapshot utility to back up the VM instance. In the event of an issue with a future firmware upgrade, or a configuration issue, you can use the Snapshot Manager to revert to a previous Snapshot.

            To create a Snapshot, right-click the VM instance in the vSphere Client and select Snapshot > Take Snapshot.

            7. Results

            In the FortiAuthenticator GUI, confirm that the Serial Number in the System Information widget has changed.

            The FortiAuthenticator VM is now ready for further configuration.

            Click here for a full list of FortiAuthenticator recipes that can be applied to FortiAuthenticator appliances and VMs.

            The post Installing FortiAuthenticator VM in vSphere appeared first on Fortinet Cookbook.

            Cooperative Security Fabric


            This collection of related recipes shows how to configure a Cooperative Security Fabric (CSF) throughout your network, using a range of Fortinet products. This security fabric will link different security sensors and tools together to collect, coordinate, and respond to malicious behavior anywhere it occurs on your network in real time.

            Below, you will find links to a number of Cookbook recipes. By using these recipes in the listed order, you can create a network similar to the one shown above.

            This collection is a work-in-progress. Check back to see what new recipes have been added.

            Between most steps are screenshots showing the FortiView Topology dashboards, introduced in FortiOS 5.4.1. These dashboards display the devices that make up your cooperative security fabric. The Physical Topology dashboard shows all access layer devices, while the Logical Topology dashboard displays information about the interface (logical or physical) that each device is connected to.

            CSF is supported by the following Fortinet firmware:


            1. Installing a FortiGate in NAT/Route mode

            In this recipe, you install the initial FortiGate, which will later be used as the Internet-facing, or upstream, FortiGate in the security fabric.

            Because the CSF has not yet been enabled, the FortiView topology dashboards are not yet available.


            2. Installing internal FortiGates and enabling a security fabric

            In this recipe, two additional FortiGates are added to the network as Internal Segmentation Firewalls (ISFWs). Once the FortiGates are installed, a security fabric is set up between them and the external FortiGate that was installed in the network previously.

            In the example network, the Internet-facing FortiGate is called External, with two additional FortiGates, called Accounting and Marketing, configured as ISFWs. The FortiGates all appear in the FortiView topology dashboards on the External FortiGate.

            Physical topology:

            Logical topology:


            3. High Availability with two FortiGates

            In this recipe, the External FortiGate is set up as part of a High Availability (HA) cluster. This provides redundancy for the network in case one of the FortiGates in the cluster fails.

            The topology dashboards do not show both FortiGates in the HA cluster. However, the name of the upstream FortiGate has changed to the name of the primary unit in the cluster (External-Primary).

            Physical topology:

            Logical topology:


            4. Setting up an internal network with a managed FortiSwitch

            In this recipe, two FortiSwitches are installed behind the ISFWs. The FortiSwitches are managed by the FortiGates and will be used to connect two internal networks that will be protected by the FortiGates.

            The FortiSwitches now appear in the Physical Topology dashboard, provided the Access Device view is selected. The switches do not appear in the Logical Topology dashboard.

            Physical topology:

            Logical topology:


            5. Adding endpoint control to a security fabric

            In this recipe, a FortiClient profile is used to enforce endpoint control for devices that are connected to the CSF.

            In the screenshots below, endpoint control has been applied to a PC on the Marketing Network. Also, the Marketing FortiSwitch now appears in the Logical Topology dashboard because traffic is flowing through it.

            Physical topology:

            Logical topology:

            The post Cooperative Security Fabric appeared first on Fortinet Cookbook.
