
FortiOS 7.4.1 Administration Guide 1374 2061

Ricardo Peart

Academic year: 2023


Full text

If the FortiGate supports SSL content scanning and inspection, client comforting can be configured for HTTPS and FTPS traffic. The FortiGate can be configured to deliver traffic shaping with policing or traffic shaping with queuing.

Guaranteed and maximum bandwidth limits

Configuring outbandwidth

Traffic shaping policy

DSCP matching and DSCP marking

In a firewall shaping policy and regular firewall policy, use the tos and tos-mask fields to perform DSCP matching.

Traffic shaping policies

Overview

Configuring traffic shaping policies

Select the shared shaper to be applied to traffic in the entrance-to-exit direction. Select the reverse shaper to be applied to traffic in the exit-to-entry direction.

Local-in and local-out traffic matching

Traffic shapers and class IDs can be used at the same time when configuring traffic shaping policies. Check the session list to verify that the class ID (2) matches the shaping policy ID (3).

VLAN CoS matching on a traffic shaping policy

In this example, FortiGate A forwards traffic to FortiGate B with VLAN CoS 3 that matches firewall policy 6. When FortiGate B receives the traffic, it uses the policy to shape the traffic and will prioritize based on the CoS value.

Traffic shaping profiles

If a particular session matches both the firewall policy and the firewall shaping policy, then anything configured in the firewall shaping policy overrides whatever is configured in the firewall policy.

Traffic shaping with policing

The sum of all guaranteed bandwidth of all classes within a traffic shaping profile cannot exceed 100%. The guaranteed bandwidth is always respected, even if one class has a lower priority than another.

Traffic shaping with queuing

As long as the egress bandwidth meets the metrics, the bandwidth usage should not exceed the available bandwidth of the link when using the traffic shaping profile. For more information about queuing traffic shaping, see Queuing Traffic Shaping Using a Traffic Shaping Profile on page 1400.

Configuring traffic shaping profiles

Configure the Traffic Shaping Class ID settings (Traffic Shaping Class ID, Guaranteed Bandwidth, Maximum Bandwidth, and Priority). In this example, three traffic classes are defined in the traffic shaping profile assigned to port1.

Traffic shaping with queuing using a traffic shaping profile

In this example, the outbound bandwidth of the interface is set to 1 Mbps and the maximum bandwidth of the class is 50%. This example sets a maximum of 10% of packets to be dropped when queue usage reaches the maximum value.

Traffic shapers

Shared traffic shaper

A shared traffic shaper selected in a traffic shaping policy affects traffic in the direction specified in the policy. You can define a traffic shaper for a policy in the opposite direction (reverse shaper) to affect the transfer rate of inbound traffic.

Per-IP traffic shaper

Changing traffic shaper bandwidth unit of measurement

Multi-stage DSCP marking and class ID in traffic shapers

Multi-stage VLAN CoS marking

This example configures VLAN CoS marking in multiple phases using traffic shapers on FortiGate A and FortiGate B. When traffic originates from FortiGate A with CoS 6, the traffic shaping policy is applied because the CoS matches.

Adding traffic shapers to multicast policies

Global traffic prioritization

When using DSCP, values 0 to 63 can be used, corresponding to the six bits in the DSCP value. Priority level 1 is used for traffic that is below the guaranteed bandwidth when using a traffic shaper.

CLI commands

In scenario 1, approximately 300 kbps of high-priority traffic and 300 kbps of medium-priority traffic pass through the FortiGate on port3. In scenario 2, approximately 400 kbps of high-priority traffic and 800 kbps of medium-priority traffic pass through the FortiGate on port3.

DSCP matching in firewall policies

DSCP matching in firewall shaping policies

DSCP marking in firewall shaping policies

FortiGate B uses a DSCP matching firewall shaping policy that limits the speed of the sales team's connection to the database to 10 MB/s. FortiGate A has a traffic shaping policy to mark traffic from the QA team with a DSCP value of 100000, while return traffic is marked with 000011.

Interface-based traffic shaping profile

Source Address: matches the source address of the traffic to the selected address or address group.

Destination Address: matches the destination address of the traffic to the selected address or address group.

Interface-based traffic shaping with NP acceleration

QoS assignment and rate limiting for FortiSwitch quarantined VLANs

This minimizes the impact of any quarantined host on authorized network traffic.

Ingress traffic shaping profile

PC1 to PC4 traffic is marked with class ID 2 and low priority, and PC2 to PC4 traffic is marked with class ID 3 and high priority. All classes will first be allocated their guaranteed bandwidth, which uses up to 10 Mbps, 20 Mbps and 30 Mbps respectively.

Internet Services

The remaining available bandwidth (40 Mbps) is divided between Class 3 and Class 4 based on their guaranteed bandwidth ratio of 20:30.

Using Internet Service in a policy

Sample IPv4 configuration

In the CLI, first enable the Internet service and then use its ID to apply the policy. Because the IP address and services related to Google Gmail on the Internet are included in this Internet service (65646), all traffic to Google Gmail is routed through this policy.

Sample IPv6 configuration

Using custom Internet Service in policy

CLI syntax

Sample configuration

Using extension Internet Service in policy

Custom extension Internet Service CLI syntax

At the same time, the incoming traffic is dropped because this IP address and port are disabled from Google.Gmail.

Global IP address information database

IP reputation filtering

Packets from the source IP address with reputation levels three, four, or five will be forwarded by this policy. This policy only allows outbound FTP traffic if the destination server has a minimum reputation of 4.

Internet service groups in policies

In this example, the PC has access to Google, so all Google services are placed in an Internet service group. Set the Destination to the newly created custom Internet service group and apply the newly created traffic shaper.

Allow creation of ISDB objects with regional information

Go to Policies & Objects > Firewall Policies and create a new policy or edit an existing policy.

Internet service customization

Warning: The configuration will only be applied after a reboot or using the 'execute internet-service refresh' command.

Look up IP address information from the Internet Service Database page

Internet Service Database on-demand mode

Since no services have been applied to a policy, the IP range and IP address values are empty in the summary details.

Inspection modes

If you are unable to view a security profile feature, go to System > Feature Visibility to enable it.

Flow mode inspection (default mode)

Proxy mode inspection

At the same time, you also want to protect your web servers from external attacks. In this scenario, a proxy inspection policy is recommended to prioritize the security of employee emails.

Inspection mode feature comparison

You have a corporate mail server in your domain that is used by your employees for everyday business activities. By applying the antivirus and email filter in this mode, you can filter out any malware and spam emails received by the mail servers via SMTP or MAPI.

Feature comparison between Antivirus inspection modes

Comparison columns: External Blocklist, EMS Threat Feed, AI/ML Based Detection

Feature comparison between Web Filter inspection modes

Feature comparison between Email Filter inspection modes

Feature comparison between DLP inspection modes

Proxy feature visibility in the GUI for entry-level models

Antivirus

Protocol comparison between antivirus inspection modes

Other antivirus differences between inspection modes

In legacy mode, stream-based scanning is disabled, so large archive files and files that cannot be handled by WAD in-process scanning are buffered and sent to the scanner daemon for processing.

AI-based malware detection

Configuring an antivirus profile

Use FortiGuard outbreak prevention database: Enable the use of the outbreak prevention database available with Advanced Malware Protection in FortiGuard.

Use external malware block list: Enable the use of one or more external malware block list files.

Protocol options

Scan mode

Proxy mode stream-based scanning

TCP windows

The maximum stream-based uncompressed data size that will be scanned, in MB (default = 0, unlimited). Stream-based decompression is only used under certain circumstances.

Databases

Content disarm and reconstruction

Sample topology

File Quarantine: Saves the original document file to disk (if possible) or to a connected FortiAnalyzer based on the FortiGate log settings (config log fortianalyzer setting). FortiGuard Virus Outbreak Protection Service (VOS) allows the FortiGate antivirus database to be supplemented with third-party malware hash signatures compiled by FortiGuard.

External malware block list

To view entries in the malware block list on the External Connections page, hover over the malware hash and click View Entries. The malware threat feed is also specified (set external-blocklist-enable-all disable) for the threat feed malhash1 (set external-blocklist "malhash1").

Malware threat feed from EMS

Checking flow antivirus statistics

Before the FTP transfer: HTTP virus detected: 1, HTTP virus blocked: 0, SMTP virus detected: 0, SMTP virus blocked: 0, POP3 virus detected: 0, POP3 virus blocked: 0, IMAP virus detected: 0, IMAP virus blocked: 0, NNTP virus detected: 0, NNTP virus blocked: 0, FTP virus detected: 0, FTP virus blocked: 0, SMB virus detected: 0, SMB virus blocked: 0.

After the FTP transfer: HTTP virus detected: 1, HTTP virus blocked: 0, SMTP virus detected: 0, SMTP virus blocked: 0, POP3 virus detected: 0, POP3 virus blocked: 0, IMAP virus detected: 0, IMAP virus blocked: 0, NNTP virus detected: 0, NNTP virus blocked: 0, FTP virus detected: 1, FTP virus blocked: 1, SMB virus detected: 0, SMB virus blocked: 0.

CIFS support

To make a CIFS profile available for assignment in a policy, the policy must use proxy inspection mode. Please note that in proxy inspection mode, archive files with special conditions (encrypted, corrupted, mailbomb, etc.) flagged by the antivirus engine are automatically blocked.

Configure file-type filtering and antivirus scanning on CIFS traffic

Messages that are compressed with the LZNT1, LZ77 and LZ77+Huffman algorithms can be scanned in proxy mode. To decrypt CIFS traffic, FortiOS obtains the session key from the domain controller by logging in to the superuser account.

Log samples

Using FortiSandbox post-transfer scanning with antivirus

Using FortiSandbox inline scanning with antivirus

Depending on the configured action, the FortiGate either blocks the file if there is an inline scan error or timeout, or logs or ignores the file on an inline scan error or timeout and allows it to go through.

Using FortiNDR inline scanning with antivirus

When potential infections are blocked by FortiNDR inline inspection, a replacement message is displayed (see Replacement messages on page 2750 for more information). The following inspection logic applies when FortiNDR inline inspection is enabled concurrently with other AV inspection methods.

Exempt list for files based on individual hash

FortiGate can download quarantined files in an archive format (.TGZ) instead of the original raw file. At least one protocol must be enabled in the AV profile for inspection and AntiVirus scanning must be enabled for the quarantine option to work.

Web filter

URL filter

In the following example, a URL filter will be created to block the facebook.com URL with a wildcard. When the FortiGuard filter is enabled in a web filter profile and applied to firewall policies, if a request for a web page appears in traffic that is controlled by one of the firewall policies, the URL is sent to the nearest FortiGuard server.

Blocking a web category

Authenticate: Require the user to authenticate with the FortiGate before allowing access to a category or group of categories. This option is only available for local or remote categories in the right-click menu.

Allowing users to override blocked categories

Issuing a warning on a web category

Authenticating a web category

Customizing the replacement message page

Customizing the CA certificate

Credential phishing prevention

Antiphishing scans only occur after the web-based URL filters and FortiGuard filters allow traffic. In this example, URLs that match FortiGuard category 37 (Social Networks) are blocked and other categories are recorded.

Additional antiphishing settings

Configuration examples

In this case, the qwer and dauw9 entries use the literal type, and [0-6]Dat* and [0-5]foo[1-4] use the default regular expression type.

Usage quota

Web content filter

The maximum number of web content patterns in a list depends on the device model. To find the maximum number of web content patterns allowed for a device, go to the Max Value Table (https://docs.fortinet.com/max-value-table).

Content evaluation

You can use multiple web content filter lists and choose the best one for each web filter profile.

Wildcard: Use this setting to block or exclude a single word or text strings of up to 80 characters.

Advanced filters 1

Block malicious URLs discovered by FortiSandbox

Allow websites when a rating error occurs

Rate URLs by domain and IP address

Block invalid URLs

Advanced filters 2

Safe search

Restrict YouTube access

The file filter profile includes a setting to restrict access to Vimeo, which can only be configured in the CLI.

Log all search keywords

Restrict Google account usage to specific domains

HTTP POST action

Remove Java applets, ActiveX, and cookies

Web filter statistics

Proxy-based web filter statistics report

Flow-based web filter statistics report

URL certificate blocklist

Websense Integrated Services Protocol

Inspecting HTTP3 traffic

In this example, a web filter profile is created to block the words Welcome to aioquic, which are displayed on a web page that uses HTTP/3.

Configuring web filter profiles with Hebrew domain names

The content of the replacement message displayed in the browser depends on the inspection mode. When the log file is downloaded, the hostname in the raw file is displayed in Punycode.

Video filter

Configuring a video filter profile

Filtering based on FortiGuard categories

QUIC can be blocked manually (see Blocking QUIC Manually on page 1620) in application control profiles, such as in scenarios where traffic uses HTTP/2 over QUIC.

Video Filter: Enable and select filter_category. Application Control: Enable and select default. SSL Inspection: deep-inspection.

Verifying that the video is blocked

Troubleshooting and debugging

Filtering based on YouTube channel

Identifying the YouTube channel ID

Basic configuration

Configuration with YouTube channel override

If the category action is changed to allow and the channel action is changed to block, access to the video would be blocked.

Replacement messages displayed in blocked videos

In this example, the user visited a video on the YouTube website that belongs to a blocked FortiGuard category.

DNS filter
