Solved

Need help setting up FortinetWiFi-80CM router/firewall

Posted on 2013-01-13
4,155 Views
Last Modified: 2013-01-30
I had this working once upon a time, but I must have done something to mess it up. I've spent literally days trying to set up this Fortinet router with no luck. I am trying to do a very simple configuration: port forward to one of the hosts on the LAN.

I've configured the router for a static IP, netmask, gateway and DNSes - all of which work on other less sophisticated routers (Cisco, SMC). I want to forward all Internet port requests to one of the hosts on the LAN. I've created a virtual IP as shown in image virtual-IP.jpg, and a firewall policy as shown in image firewall-policy.jpg. It just doesn't work and I can't figure out what I'm doing wrong! I need to get this up ASAP as it is needed for our office's interface to the Internet. Thanks.
virtual-IP.jpg
firewall-policy.jpg
Question by:jmarkfoley
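The VIP-plus-policy setup the question describes, written out in FortiOS 4.0 CLI syntax as an added example for this thread (it is not taken from the poster's screenshots or config). The wan1 address 64.129.23.80 and the "internal" interface come from the posted config; the mapped host 192.168.0.10, the VIP names and the policy ID are assumptions. The catch-all service object is "ANY" on 4.0 MR1/MR2 builds (the posted config is a 4.00 build 185 image) and "ALL" on later releases, so check `config firewall service` on the box before applying.

```text
config firewall vip
    edit "office-host-all-ports"
        set extintf "wan1"
        set extip 64.129.23.80
        set mappedip 192.168.0.10
    next
    edit "office-host-https-only"
        set extintf "wan1"
        set extip 64.129.23.80
        set mappedip 192.168.0.10
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 443
    next
end
config firewall policy
    edit 10
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "office-host-all-ports"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
```

Create only one of the two VIPs: "office-host-all-ports" is what the question asks for (every port on the public address lands on the host); "office-host-https-only" is the form a security engineer would prefer, exposing just TCP 443 and leaving every other port closed. The policy must reference the VIP object as dstaddr, not the host's private address, and must not be shadowed by an earlier wan1-to-internal policy. Do not enable NAT on this inbound policy unless you want the host to see the firewall's internal address as the source of every connection. Whatever VIP you choose, keep management protocols off the same public address: the posted config allows http, telnet and snmp on wan1, and an all-ports VIP on that address makes the question of "who answers port 23" one you should not have to ask.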
9 Comments
 
LVL 17

Expert Comment

by:Garry-G
Can you post the excerpt from the actual config? (CLI/Download of the config)
Did you try to do some debugging, e.g. packet sniffer or flow debugging? e.g., do a

diag snif pack any "host SOURCEIP" 4

to get a first hint as to how far the actual packets get ... if you don't get any helpful info out of that, you could run this:

diagnose debug enable
diagnose debug flow show console enable
diagnose debug flow filter add [target or source ip address to look at]
diagnose debug flow trace start 100


 
LVL 1

Author Comment

by:jmarkfoley
Garry-G - thanks for your response. Below is the saved config (it's big, I hope that's what you meant). I'll try your diag suggestion next.

#config-version=FW80CM-4.00-FW-build185-091030:opmode=0:vdom=0:user=admin
#conf_file_ver=0
#buildno=6198
config system global
    set access-banner disable
    set admin-https-pki-required disable
    set admin-lockout-duration 60
    set admin-lockout-threshold 3
    set admin-maintainer enable
    set admin-port 80
    set admin-scp disable
    set admin-server-cert "self-sign"
    set admin-sport 443
    set admin-ssh-port 22
    set admin-ssh-v1 disable
    set admin-telnet-port 23
    set admintimeout 5
    set anti-replay strict
    set auth-cert "self-sign"
    set auth-http-port 1000
    set auth-https-port 1003
    set auth-keepalive disable
    set auth-policy-exact-match enable
    set av-failopen pass
    set av-failopen-session disable
    set batch-cmdb enable
    set cfg-save automatic
    set check-protocol-header loose
    set check-reset-range disable
    set clt-cert-req disable
    set daily-restart disable
    set detection-summary enable
    set dst disable
    set endpoint-control-portal-port 8009
    set failtime 5
    set fds-statistics enable
    set fsae-burst-size 300
    set fsae-rate-limit 100
    set gui-ipv6 disable
    set gui-lines-per-page 50
    set hostname "HPRSfireWall"
    set http-obfuscate modified
    set ie6workaround disable
    set internal-switch-mode switch
    set interval 5
    set ip-src-port-range 1024-25000
    set language english
    set ldapconntimeout 500
    set log-user-in-upper disable
    set loglocaldeny disable
    set management-vdom "root"
    set phase1-rekey enable
    set radius-port 1812
    set refresh 0
    set registration-notification enable
    set remoteauthtimeout 5
    set reset-sessionless-tcp disable
    set send-pmtu-icmp enable
    set service-expire-notification enable
    set sslvpn-sport 10443
    set strong-crypto disable
    set tcp-halfclose-timer 120
    set tcp-halfopen-timer 60
    set tcp-option enable
    set tcp-timewait-timer 120
    set timezone 12
    set tos-based-priority high
    set udp-idle-timer 180
    set user-server-cert "self-sign"
    set vdom-admin disable
    set vip-arp-range restricted
    set wireless-terminal disable
    set fds-statistics-period 60
end
config system accprofile
    edit "prof_admin"
        set admingrp read-write
        set authgrp read-write
        set endpoint-control-grp read-write
        set fwgrp read-write
        set loggrp read-write
        unset menu-file
        set mntgrp read-write
        set netgrp read-write
        set routegrp read-write
        set sysgrp read-write
        set updategrp read-write
        set utmgrp read-write
        set vpngrp read-write
    next
end
config system interface
    edit "wan1"
        set vdom "root"
        set ip 64.129.23.80 255.255.255.192
        set allowaccess ping https ssh snmp http telnet
        set dns-query recursive
        set type physical
        set alias "Internet"
    next
    edit "wan2"
        set vdom "root"
        set allowaccess ping
        set type physical
    next
    edit "wlan"
        set vdom "root"
        set ip 10.10.80.1 255.255.255.0
        set allowaccess ping https
        set type wireless
    next
    edit "modem"
        set vdom "root"
    next
    edit "ssl.root"
        set vdom "root"
        set type tunnel
    next
    edit "internal"
        set vdom "root"
        set ip 192.168.0.1 255.255.255.0
        set allowaccess ping https ssh http
        set dns-query recursive
        set type physical
        set description "HPRS Office Lan"
        set alias "hprs LAN"
    next
    edit "dmz"
        set vdom "root"
        set type physical
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
            config dashboard
                edit "sysinfo"
                    set column 1
                next
                edit "licinfo"
                    set column 1
                next
                edit "jsconsole"
                    set column 1
                next
                edit "sysres"
                    set column 1
                next
                edit "sysop"
                    set column 2
                next
                edit "alert"
                    set column 2
                next
                edit "statistics"
                    set column 2
                next
                edit "sessions"
                    set column 2
                next
                edit "app-usage"
                    set column 1
                next
                edit "pol-usage"
                    set column 2
                next
            end
    next
end
config system ha
    set group-id 0
    set group-name "FGT-HA"
    set mode standalone
    set password ENC V5BjVvt0qd+fVmNnJDDTbpn9Mp30wJTpfkrWvfnq7F38v4DKPodjeMClDh7nbixLQXW+DCIBA3EXZCBQRdszlkSRwauC+KnVnKgWIg3K9FmpRPXH
    set hbdev "dmz" 50 "wan1" 50
    set route-ttl 10
    set route-wait 0
    set route-hold 10
    set sync-config enable
    set encryption disable
    set authentication disable
    set hb-interval 2
    set hb-lost-threshold 6
    set helo-holddown 20
    set arps 5
    set arps-interval 8
    set session-pickup disable
    set link-failed-signal disable
    set uninterruptable-upgrade enable
    set override disable
    set priority 128
    set pingserver-failover-threshold 0
    set pingserver-flip-timeout 60
end
config system dns
    set primary 8.8.8.8
    set secondary 66.193.88.2
    set domain ''
    set ip6-primary ::
    set ip6-secondary ::
    set dns-cache-limit 5000
    set dns-cache-ttl 1800
    set cache-notfound-responses disable
end
config system replacemsg mail "email-block"
    set buffer "Potentially Dangerous Attachment Removed. The file \"%%FILE%%\" has been blocked.  File quarantined as: \"%%QUARFILENAME%%\"."
    set header 8bit
    set format text
end
config system replacemsg mail "email-virus"
    set buffer "Dangerous Attachment has been Removed.  The file \"%%FILE%%\" has been removed because of a virus.  It was infected with the \"%%VIRUS%%\" virus.  File quarantined as: \"%%QUARFILENAME%%\"."
    set header 8bit
    set format text
end
config system replacemsg mail "email-dlp"
    set buffer "This email has been blocked.  The email message appeared to contain a data leak."
    set header 8bit
    set format text
end
config system replacemsg mail "email-dlp-subject"
    set buffer "Data leak detected!"
    set header 8bit
    set format text
end
config system replacemsg mail "email-dlp-ban"
    set buffer "This email has been blocked because a data leak was detected.  Please contact your admin to be re-enabled."
    set header 8bit
    set format text
end
config system replacemsg mail "email-dlp-ban-sender"
    set buffer "This email has been blocked because the sender has sent a data leak.  Please contact your admin to be re-enabled."
    set header 8bit
    set format text
end
config system replacemsg mail "email-filesize"
    set buffer "This email has been blocked.  The email message is larger than the configured file size limit."
    set header 8bit
    set format text
end
config system replacemsg mail "partial"
    set buffer "Fragmented emails are blocked."
    set header 8bit
    set format text
end
config system replacemsg mail "smtp-block"
    set buffer "The file %%FILE%% has been blocked. File quarantined as: %%QUARFILENAME%%"
    set header none
    set format text
end
config system replacemsg mail "smtp-virus"
    set buffer "The file %%FILE%% has been infected with the virus %%VIRUS%% File quarantined as %%QUARFILENAME%%"
    set header none
    set format text
end
config system replacemsg mail "smtp-filesize"
    set buffer "This message is larger than the configured limit and has been blocked."
    set header none
    set format text
end
config system replacemsg http "bannedword"
    set buffer "<HTML><BODY>The page you requested has been blocked because it contains a banned word. URL = http://%%URL%%</BODY></HTML>"
    set header http
    set format html
end
config system replacemsg http "url-block"
    set buffer "<HTML><BODY>The URL you requested has been blocked. URL = %%URL%%</BODY></HTML>"
    set header http
    set format html
end
config system replacemsg http "infcache-block"
    set buffer "<HTML><BODY><H2>High security alert!!!</h2><p>The URL you requested was previously found to be infected.</p><p>URL = http://%%URL%%</p></BODY></HTML>"
    set header http
    set format html
end
config system replacemsg http "http-block"
    set buffer "<HTML> <BODY> <h2>High security alert!!!</h2> <p>You are not permitted to download the file \"%%FILE%%\".</p> <p>URL = http://%%URL%%</p> </BODY> </HTML>"
    set header http
    set format html
end
config system replacemsg http "http-virus"
    set buffer "<HTML><BODY><h2>High security alert!!!</h2><p>You are not permitted to download the file \"%%FILE%%\" because it is infected with the virus \"%%VIRUS%%\". </p><p>URL = http://%%URL%%</p><p>File quarantined as: %%QUARFILENAME%%.</p></BODY></HTML>"
    set header http
    set format html
end
config system replacemsg http "http-filesize"
    set buffer "<HTML><BODY>  <h2>Attention!!!</h2><p>The file \"%%FILE%%\" has been blocked.  The file is larger than the configured file size limit.</p> <p>URL = http://%%URL%%</p> </BODY></HTML>"
    set header http
    set format html
end
config system replacemsg http "http-dlp"
    set buffer "<HTML><BODY>  <h2>Attention!!!</h2><p>The transfer attempted appeared to contain a data leak!</p><p>URL = http://%%URL%%</p> </BODY></HTML>"
    set header http
    set format html
end
config system replacemsg http "http-dlp-ban"
    set buffer "<HTML><BODY>  <h2>Attention!!!</h2><p>Your user authentication or IP address has been  banned due to a detected data leak.  You need an admin to re-enable your computer</p><p>URL = http://%%URL%%</p> </BODY></HTML>"
    set header http
    set format html
end
config system replacemsg http "http-contenttypeblock"
    set buffer "<HTML><BODY>  <h2>Attention!!!</h2><p>Content-type not permitted.</BODY></HTML>"
    set header http
    set format html
end
config system replacemsg http "http-client-block"
    set buffer "<HTML> <BODY> <h2>High security alert!!!</h2> <p>You are not permitted to upload the file \"%%FILE%%\".</p> <p>URL = http://%%URL%%</p> </BODY> </HTML>"
    set header http
    set format html
end
config system replacemsg http "http-client-virus"
    set buffer "<HTML><BODY><h2>High security alert!!!</h2><p>You are not permitted to upload the file \"%%FILE%%\" because it is infected with the virus \"%%VIRUS%%\". </p><p>URL = http://%%URL%%</p><p>File quarantined as: %%QUARFILENAME%%.</p></BODY></HTML>"
    set header http
    set format html
end
config system replacemsg http "http-client-filesize"
    set buffer "<HTML><BODY>  <h2>Attention!!!</h2><p>Your request has been blocked.  The request is larger than the configured file size limit.</p> <p>URL = http://%%URL%%</p> </BODY></HTML>"
    set header http
    set format html
end
config system replacemsg http "http-client-bannedword"
    set buffer "<HTML><BODY>The page you uploaded has been blocked because it contains a banned word. URL = http://%%URL%%</BODY></HTML>"
    set header http
    set format html
end
config system replacemsg http "http-post-block"
    set buffer "<HTML><BODY>HTTP POST action is not allowed for policy reasons.</BODY></HTML>"
    set header http
    set format html
end
config system replacemsg ftp "ftp-dl-infected"
    set buffer "Transfer failed.  The file %%FILE%% is infected with the virus %%VIRUS%%. File quarantined as %%QUARFILENAME%%."
    set header none
    set format text
end
config system replacemsg ftp "ftp-dl-blocked"
    set buffer "Transfer failed.  You are not permitted to transfer the file \"%%FILE%%\"."
    set header none
    set format text
end
config system replacemsg ftp "ftp-dl-filesize"
    set buffer "File size limit exceeded."
    set header none
    set format text
end
config system replacemsg ftp "ftp-dl-dlp"
    set buffer "Transfer failed.  Data leak detected \"%%FILE%%\"."
    set header none
    set format text
end
config system replacemsg ftp "ftp-dl-dlp-ban"
    set buffer "Transfer failed.  You are banned from transmitting due to a detected data leak.  Contact your admin to be re-enabled."
    set header none
    set format text
end
config system replacemsg nntp "nntp-dl-infected"
    set buffer "Dangerous Attachment has been Removed.  The file \"%%FILE%%\" has been removed because of a virus.  It was infected with the \"%%VIRUS%%\" virus.  File quarantined as: \"%%QUARFILENAME%%\"."
    set header none
    set format text
end
config system replacemsg nntp "nntp-dl-blocked"
    set buffer "The file %%FILE%% has been blocked. File quarantined as: %%QUARFILENAME%%"
    set header none
    set format text
end
config system replacemsg nntp "nntp-dl-filesize"
    set buffer "This article has been blocked.  The article is larger than the configured file size limit."
    set header none
    set format text
end
config system replacemsg nntp "nntp-dlp"
    set buffer "This article has been blocked.  It appears to contain a data leak."
    set header none
    set format text
end
config system replacemsg nntp "nntp-dlp-subject"
    set buffer "Data leak detected!"
    set header none
    set format text
end
config system replacemsg nntp "nntp-dlp-ban"
    set buffer "this article has been blocked.  The user is banned for sending a data leak.  Please contact your admin to be re-enabled."
    set header none
    set format text
end
config system replacemsg fortiguard-wf "ftgd-block"
    set buffer "<html><head><title>Web Filter Violation</title></head><body><font size=2><table width=\"100%\"><tr><td>%%FORTIGUARD_WF%%</td><td align=\"right\">%%FORTINET%%</td></tr><tr><td bgcolor=#ff6600 align=\"center\" colspan=2><font color=#ffffff><b>Web Page Blocked</b></font></td></tr></table><br><br>You have tried to access a web page which is in violation of your internet usage policy.<br><br>URL:&nbsp;%%URL%%<br>Category:&nbsp;%%CATEGORY%%<br><br>To have the rating of this web page re-evaluated <u><a href=\"%%FTGD_RE_EVAL%%\">please click here</a></u>.<br>%%OVERRIDE%%<br><hr><br>Powered by %%SERVICE%%.</font></body></html>"
    set header http
    set format html
end
config system replacemsg fortiguard-wf "http-err"
    set buffer "<html><head><title>%%HTTP_ERR_CODE%% %%HTTP_ERR_DESC%%</title></head><body><font size=2><table width=\"100%\"><tr><td>%%FORTIGUARD_WF%%</td><td align=\"right\">%%FORTINET%%</td></tr><tr><td bgcolor=#3300cc align=\"center\" colspan=2><font color=#ffffff><b>%%HTTP_ERR_CODE%% %%HTTP_ERR_DESC%%</b></font></td></tr></table><br><br>The webserver for %%URL%% reported that an error occurred while trying to access the website.  Please click <u><a onclick=\"history.back()\">here</a></u> to return to the previous page.<br><br><hr><br>Powered by %%SERVICE%%.</font></body></html>"
    set header http
    set format html
end
config system replacemsg fortiguard-wf "ftgd-ovrd"
    set buffer "<html><head><title>Web Filter Block Override</title></head><body><font size=2><table width=\"100%\"><tr><td>%%FORTIGUARD_WF%%</td><td align=\"right\">%%FORTINET%%</td></tr><tr><td bgcolor=#3300cc align=\"center\" colspan=2><font color=#ffffff><b>Web Filter Block Override</b></font></td></tr><tr><td colspan=2><br><br>If you have been granted override creation privileges by your administrator, you can enter your username and password here to gain immediate access to the blocked web-page.  If you do not have these privileges, please contact your administrator to gain access to the web-page.<br><br></td></tr><tr><td align=\"center\" colspan=2>%%OVRD_FORM%%</td></tr></table><br><br><hr><br>Powered by %%SERVICE%%.</font></body></html>"
    set header http
    set format html
end
config system replacemsg spam "ipblocklist"
    set buffer "Mail from this IP address is not allowed and has been blocked."
    set header none
    set format text
end
config system replacemsg spam "smtp-spam-dnsbl"
    set buffer "This message has been blocked because it is from a DNSBL/ORDBL IP address."
    set header none
    set format text
end
config system replacemsg spam "smtp-spam-feip"
    set buffer "This message has been blocked because it is from a FortiGuard - AntiSpam black IP address."
    set header none
    set format text
end
config system replacemsg spam "smtp-spam-helo"
    set buffer "This message has been blocked because the HELO/EHLO domain is invalid."
    set header none
    set format text
end
config system replacemsg spam "smtp-spam-emailblack"
    set buffer "Mail from this email address is not allowed and  has been blocked."
    set header none
    set format text
end
config system replacemsg spam "smtp-spam-mimeheader"
    set buffer "This message has been blocked because it contains an invalid header."
    set header none
    set format text
end
config system replacemsg spam "reversedns"
    set buffer "This message has been blocked because the return email domain is invalid."
    set header none
    set format text
end
config system replacemsg spam "smtp-spam-bannedword"
    set buffer "This message has been blocked because it contains a banned word."
    set header none
    set format text
end
config system replacemsg spam "smtp-spam-ase"
    set buffer "This message has been blocked because ASE reports it as spam. "
    set header none
    set format text
end
config system replacemsg spam "submit"
    set buffer "If this email is not spam, click here to submit the signatures to FortiGuard - AntiSpam Service."
    set header none
    set format text
end
config system replacemsg im "im-file-xfer-block"
    set buffer "Transfer failed.  You are not permitted to transfer the file \"%%FILE%%\"."
    set header none
    set format text
end
config system replacemsg im "im-file-xfer-name"
    set buffer "Transfer %%ACTION%%.  The file name \"%%FILE%%\" matches the configured file name block list."
    set header none
    set format text
end
config system replacemsg im "im-file-xfer-infected"
    set buffer "Transfer %%ACTION%%.  The file \"%%FILE%%\" is infected with the virus %%VIRUS%%.  File quarantined as %%QUARFILENAME%%."
    set header none
    set format text
end
config system replacemsg im "im-file-xfer-size"
    set buffer "Transfer %%ACTION%%.  The file \"%%FILE%%\" is larger than the configured limit."
    set header none
    set format text
end
config system replacemsg im "im-dlp"
    set buffer "Transfer %%ACTION%%.  The file \"%%FILE%%\" contains a data leak."
    set header none
    set format text
end
config system replacemsg im "im-dlp-ban"
    set buffer "Transfer %%ACTION%%.  The user is banned because of a detected data leak."
    set header none
    set format text
end
config system replacemsg im "im-voice-chat-block"
    set buffer "Connection failed.  You are not permitted to use voice chat."
    set header none
    set format text
end
config system replacemsg im "im-photo-share-block"
    set buffer "Photo sharing failed.  You are not permitted to share photo."
    set header none
    set format text
end
config system replacemsg im "im-long-chat-block"
    set buffer "Message blocked.  The message is longer than the configured limit."
    set header none
    set format text
end
config system replacemsg alertmail "alertmail-virus"
    set buffer "Virus/Worm detected: %%VIRUS%% Protocol: %%PROTOCOL%% Source IP: %%SOURCE_IP%% Destination IP: %%DEST_IP%% Email Address From: %%EMAIL_FROM%% Email Address To: %%EMAIL_TO%% "
    set header none
    set format text
end
config system replacemsg alertmail "alertmail-block"
    set buffer "File Block Detected: %%FILE%% Protocol: %%PROTOCOL%% Source IP: %%SOURCE_IP%% Destination IP: %%DEST_IP%% Email Address From: %%EMAIL_FROM%% Email Address To: %%EMAIL_TO%% "
    set header none
    set format text
end
config system replacemsg alertmail "alertmail-nids-event"
    set buffer "The following intrusion was observed: %%NIDS_EVENT%%."
    set header none
    set format text
end
config system replacemsg alertmail "alertmail-crit-event"
    set buffer "The following critical firewall event was detected: %%CRITICAL_EVENT%%."
    set header none
    set format text
end
config system replacemsg alertmail "alertmail-disk-full"
    set buffer "The log disk is Full."
    set header none
    set format text
end
config system replacemsg admin "admin-disclaimer-text"
    set buffer "W A R N I N G W A R N I N G W A R N I N G W A R N I N G
This is a private computer system. Unauthorized access or use
is prohibited and subject to prosecution and/or disciplinary
action. All use of this system constitutes consent to
monitoring at all times and users are not entitled to any
expectation of privacy. If monitoring reveals possible evidence
of violation of criminal statutes, this evidence and any other
related information, including identification information about
the user, may be provided to law enforcement officials.
If monitoring reveals violations of security regulations or
unauthorized use, employees who violate security regulations or
make unauthorized use of this system are subject to appropriate
disciplinary action.
W A R N I N G W A R N I N G W A R N I N G W A R N I N G
"
    set header none
    set format text
end
config system replacemsg auth "auth-disclaimer-page-1"
    set buffer "<HTML><HEAD><TITLE>Firewall Disclaimer</TITLE></HEAD><BODY><FORM ACTION=\"/\" method=\"POST\"><INPUT TYPE=\"hidden\" NAME=\"%%MAGICID%%\" VALUE=\"%%MAGICVAL%%\"><INPUT TYPE=\"hidden\" NAME=\"%%ANSWERID%%\" VALUE=\"%%DECLINEVAL%%\"><INPUT TYPE=\"hidden\" NAME=\"%%REDIRID%%\" VALUE=\"%%PROTURI%%\"><TABLE ALIGN=\"CENTER\" width=400 height=250 cellpadding=2 cellspacing=0 border=0 bgcolor=\"#008080\"><TR><TD><TABLE border=0 width=\"100%\" height=\"100%\" cellpadding=0 cellspacing=0 bgcolor=\"#9dc8c6\"><TR height=30 bgcolor=\"#008080\"><TD><b><font size=2 face=\"Verdana\" color=\"#ffffff\">Disclaimer Agreement</font></b></TD><TR><TR height=\"100%\"><TD><TABLE border=0 cellpadding=5 cellspacing=0 width=\"320\" align=center><TR><TD colspan=2><font size=2 face=\"Times New Roman\">You are about to access Internet content that is not under the control of the network access provider.  The network access provider is therefore not responsible for any of these sites, their content or their privacy policies. The network access provider and its staff do not endorse nor make any representations about these sites, or any information, software or other products or materials found there, or any results that may be obtained from using them. 
If you decide to access any Internet content, you do this entirely at your own risk and you are responsible for ensuring that any accessed material does not infringe the laws governing, but not exhaustively covering, copyright, trademarks, pornography, or any other material which is slanderous, defamatory or might cause offence in any other way.</font></TD></TR><TR><TD>Do you agree to the above terms?</TD></TR><TR><TD><INPUT CLASS=\"button\" TYPE=\"button\" VALUE=\"Yes, I agree\" ONCLICK=\"agree()\"><INPUT CLASS=\"button\" TYPE=\"button\" VALUE=\"No, I decline\" ONCLICK=\"decline()\"></TD></TR></TABLE></TD></TR></TABLE></TD></TR></TABLE></FORM><SCRIPT LANGUAGE=\"JavaScript\">function agree(){document.forms[0].%%ANSWERID%%.value=\"%%AGREEVAL%%\";document.forms[0].submit();}function decline(){document.forms[0].submit();}</SCRIPT></BODY></HTML>"
    set header http
    set format html
end
config system replacemsg auth "auth-disclaimer-page-2"
    set buffer ''
    set header http
    set format html
end
config system replacemsg auth "auth-disclaimer-page-3"
    set buffer ''
    set header http
    set format html
end
config system replacemsg auth "auth-reject-page"
    set buffer "<HTML><HEAD><TITLE>Firewall Disclaimer Declined</TITLE></HEAD><BODY><FORM ACTION=\"/\" method=\"POST\"><INPUT TYPE=\"hidden\" NAME=\"%%MAGICID%%\" VALUE=\"%%MAGICVAL%%\"><INPUT TYPE=\"hidden\" NAME=\"%%REDIRID%%\" VALUE=\"%%PROTURI%%\"><TABLE ALIGN=\"CENTER\" width=400 height=250 cellpadding=2 cellspacing=0 border=0 bgcolor=\"#008080\"><TR><TD><TABLE border=0 width=\"100%\" height=\"100%\" cellpadding=0 cellspacing=0 bgcolor=\"#9dc8c6\"><TR height=30 bgcolor=\"#008080\"><TD><b><font size=2 face=\"Verdana\" color=\"#ffffff\">Disclaimer Declined</font></b></TD><TR><TR height=\"100%\"><TD><TABLE border=0 cellpadding=5 cellspacing=0 width=\"320\" align=center><TR><TD colspan=2><font size=2 face=\"Times New Roman\">Sorry, network access cannot be granted unless you agree to the disclaimer.</font></TD><TR><TR><TD></TD><TD><INPUT TYPE=\"submit\" VALUE=\"Return to Disclaimer\"></TD></TR></TABLE></TD></TR></TABLE></TD></TR></TABLE></FORM></BODY></HTML>"
    set header http
    set format html
end
config system replacemsg auth "auth-login-page"
    set buffer "<HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD><BODY><FORM ACTION=\"/\" method=\"POST\"><INPUT TYPE=\"hidden\" NAME=\"%%MAGICID%%\" VALUE=\"%%MAGICVAL%%\"><TABLE ALIGN=\"CENTER\" width=400 height=250 cellpadding=2 cellspacing=0 border=0 bgcolor=\"#008080\"><TR><TD><TABLE border=0 cellpadding=0 cellspacing=0 bgcolor=\"#9dc8c6\"><TR height=30 bgcolor=\"#008080\"><TD><b><font size=2 face=\"Verdana\" color=\"#ffffff\">Authentication Required</font></b></TD></TR><TR><TD><TABLE border=0 cellpadding=5 cellspacing=0 width=\"320\" align=center><TR><TD colspan=2><font size=2 face=\"Times New Roman\">%%QUESTION%%</font></TD></TR><TR><TD><font size=2 face=\"Times New Roman\">Username:</font></TD><TD><INPUT TYPE=\"text\" NAME=\"%%USERNAMEID%%\" size=25></TD></TR><TR><TD><font size=2 face=\"Times New Roman\">Password:</font></TD><TD><INPUT TYPE=\"password\" NAME=\"%%PASSWORDID%%\" size=25></TD></TR><TR><TD><INPUT TYPE=\"hidden\" NAME=\"%%REDIRID%%\" VALUE=\"%%PROTURI%%\"><INPUT TYPE=\"submit\" VALUE=\"Continue\"></TD></TR></TABLE></TD></TR></TABLE></TD></TR></TABLE></FORM></BODY></HTML>"
    set header http
    set format html
end
config system replacemsg auth "auth-login-failed-page"
    set buffer "<HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD><BODY><FORM ACTION=\"/\" method=\"POST\"><INPUT TYPE=\"hidden\" NAME=\"%%MAGICID%%\" VALUE=\"%%MAGICVAL%%\"><TABLE ALIGN=\"CENTER\" width=400 height=250 cellpadding=2 cellspacing=0 border=0 bgcolor=\"#008080\"><TR><TD><TABLE border=0 cellpadding=0 cellspacing=0 bgcolor=\"#9dc8c6\"><TR height=30 bgcolor=\"#008080\"><TD><b><font size=2 face=\"Verdana\" color=\"#ffffff\">Authentication Failed</font></b></TD></TR><TR><TD><TABLE border=0 cellpadding=5 cellspacing=0 width=\"320\" align=center><TR><TD colspan=2><font size=2 face=\"Times New Roman\">%%FAILED_MESSAGE%%</font></TD></TR><TR><TD><font size=2 face=\"Times New Roman\">Username:</font></TD><TD><INPUT TYPE=\"text\" NAME=\"%%USERNAMEID%%\" size=25></TD></TR><TR><TD><font size=2 face=\"Times New Roman\">Password:</font></TD><TD><INPUT TYPE=\"password\" NAME=\"%%PASSWORDID%%\" size=25></TD></TR><TR><TD><INPUT TYPE=\"hidden\" NAME=\"%%REDIRID%%\" VALUE=\"%%PROTURI%%\"><INPUT TYPE=\"submit\" VALUE=\"Continue\"></TD></TR></TABLE></TD></TR></TABLE></TD></TR></TABLE></FORM></BODY></HTML>"
    set header http
    set format html
end
config system replacemsg auth "auth-challenge-page"
    set buffer "<HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD><BODY><FORM ACTION=\"/\" method=\"POST\"><INPUT TYPE=\"hidden\" NAME=\"%%MAGICID%%\" VALUE=\"%%MAGICVAL%%\"><TABLE ALIGN=\"CENTER\" width=400 height=250 cellpadding=2 cellspacing=0 border=0 bgcolor=\"#008080\"><TR><TD><TABLE border=0 cellpadding=0 cellspacing=0 bgcolor=\"#9dc8c6\"><TR height=30 bgcolor=\"#008080\"><TD><b><font size=2 face=\"Verdana\" color=\"#ffffff\">Authentication Required</font></b></TD></TR><TR><TD><TABLE border=0 cellpadding=5 cellspacing=0 width=\"320\" align=center><TR><TD colspan=2><font size=2 face=\"Times New Roman\">%%QUESTION%%</font></TD></TR><TR><TD><font size=2 face=\"Times New Roman\">Answer:</font></TD><TD><INPUT TYPE=\"password\" NAME=\"%%PASSWORDID%%\" size=25></TD></TR><TR><TD><INPUT TYPE=\"hidden\" NAME=\"%%USERNAMEID%%\" VALUE=\"%%USERNAMEVAL%%\"><INPUT TYPE=\"hidden\" NAME=\"%%REQUESTID%%\" VALUE=\"%%REQUESTVAL%%\"><INPUT TYPE=\"hidden\" NAME=\"%%REDIRID%%\" VALUE=\"%%PROTURI%%\"><INPUT TYPE=\"hidden\" NAME=\"%%USERGROUPID%%\" VALUE=\"%%USERGROUPVAL%%\"><INPUT TYPE=\"submit\" VALUE=\"Continue\"></TD></TR></TABLE></TD></TR></TABLE></TD></TR></TABLE></FORM></BODY></HTML>"
    set header http
    set format html
end
config system replacemsg auth "auth-keepalive-page"
    set buffer "<HTML>
<HEAD>
<TITLE>Firewall Authentication Keepalive Window</TITLE>
</HEAD>
<BODY>
<SCRIPT LANGUAGE=\"JavaScript\">
var countDownTime=%%TIMEOUT%% + 1;
function countDown(){
countDownTime--;
if (countDownTime <= 0){
    location.href=\"%%KEEPALIVEURL%%\";
    return;
}
document.getElementById(\'countdown\').innerHTML = countDownTime;
counter=setTimeout(\"countDown()\", 1000);
}
function startit(){
    countDown();
}
window.onload=startit
</SCRIPT>
<table width=\"100%\" height=\"100%\"><tr><td align=\"center\">
<H3>This browser window is used to keep your authentication session active.</H3>
<H3>Please leave it open in the background and open a <a href=\"%%AUTH_REDIR_URL%%\" target=\"_blank\">new window</a> to continue.</H3>
<p>Authentication Refresh in <b id=countdown>%%TIMEOUT%%</b> seconds</p>
<p><a href=\"%%AUTH_LOGOUT%%\">logout</a></p>
</td></tr></table>
</BODY>
</HTML>
"
    set header http
    set format html
end
config system replacemsg sslvpn "sslvpn-login"
    set buffer "<html><head><title>login</title><meta http-equiv=\"Pragma\" content=\"no-cache\"><meta http-equiv=\"cache-control\" content=\"no-cache\"><meta http-equiv=\"cache-control\" content=\"must-revalidate\"><link href=\"/sslvpn/css/login.css\" rel=\"stylesheet\" type=\"text/css\"><script type=\"text/javascript\">if (top && top.location != window.location) top.location = top.location;if (window.opener && window.opener.top) { window.opener.top.location = window.opener.top.location; self.close(); }</script></head><body class=\"main\"><center><table width=\"100%\" height=\"100%\" align=\"center\" class=\"container\" valign=\"middle\" cellpadding=\"0\" cellspacing=\"0\"><tr valign=middle><td><form action=\"%%SSL_ACT%%\" method=\"%%SSL_METHOD%%\" name=\"f\"><table class=\"list\" cellpadding=10 cellspacing=0 align=center width=400 height=180>%%SSL_LOGIN%%</table>%%SSL_HIDDEN%%</td></tr></table></form></center></body><script>document.forms[0].username.focus();</script></html>"
    set header http
    set format html
end
config system replacemsg sslvpn "sslvpn-limit"
    set buffer "<html><head><title>Already Logged In</title><meta http-equiv=\"Pragma\" content=\"no-cache\"><meta http-equiv=\"cache-control\" content=\"no-cache\"><meta http-equiv=\"cache-control\" content=\"must-revalidate\"><link href=\"/sslvpn/css/login.css\" rel=\"stylesheet\" type=\"text/css\"><script type=\"text/javascript\">if (top && top.location != window.location) top.location = top.location;if (window.opener && window.opener.top) { window.opener.top.location = window.opener.top.location; self.close(); }</script></head><body class=\"main\"><center><table class=\"container\" height=\"100%\" cellspacing=\"0\" cellpadding=\"0\" align=\"center\" width=\"100%\" valign=\"middle\"><tbody><tr valign=\"middle\"><td><table class=\"list\" height=\"180\" cellspacing=\"0\" cellpadding=\"10\" align=\"center\" width=\"400\"><tbody><tr class=\"dark\"><td colspan=\"2\"> <b>Already Logged In</b></td></tr><tr><td colspan=\"2\"><p>You already have an open SSL VPN connection. Opening multiple connections is not permitted.</p><p>If you proceed, your other connection will be disconnected.</p><p>Please contact your administrator if you blevieve there is a problem.</p></td></tr><tr><td style=\"text-align:center\">%%SSL_LOGIN_ANYWAY%%</td><td style=\"text-align:center\">%%SSL_LOGIN_CANCEL%%</td></tr></tbody></table></td></tr></tbody></table></center></body></html>"
    set header http
    set format html
end
config system replacemsg ec "endpt-download-portal"
    set buffer "<HTML><HEAD><TITLE>Endpoint Security Required</TITLE></HEAD><BODY><TABLE ALIGN=\"CENTER\" width=500 height=250 cellpadding=2 cellspacing=0 border=0 bgcolor=\"#008080\"><TR><TD><TABLE border=0 width=\"100%\" height=\"100%\" cellpadding=0 cellspacing=0 bgcolor=\"#9dc8c6\"><TR height=30 bgcolor=\"#008080\"><TD style=\"text-align: center\"><b><font size=2 face=\"Verdana\" color=\"#ffffff\">Endpoint Security Required</font></b></TD><TR><TR height=\"100%\"><TD><TABLE border=0 cellpadding=5 cellspacing=0 width=\"500\" align=center><TR><TD><font size=2 face=\"Times New Roman\">The security policy requires the latest FortiClient Endpoint Security software and antivirus signature package to be installed.<br><br>Installing FortiClient requires that you have administrator privileges on your computer. If you do not, please contact your network administrator to have FortiClient installed.<br><br>The installer may be downloaded using the following link:<br>%%LINK%%<br>Installation instructions:<br><ul><li><span style=\"font-style:italic\">For Internet Explorer:</span></li><ol><li>Click the above link to download the installer</li><li>When Internet Explorer asks what action you would like to take, click \"Run\"</li></ol><br><li><span style=\"font-style:italic\">For Firefox:</span></li><ol><li>Click the above link to download the installer</li><li>Save the installer and note the location it is saved to</li><li>Open the folder containing the installer and run it</li></ol></ul>FortiClient installation may take a few minutes. Thank you for your patience.<br><br></font></TD></TR><TR><TD></TD></TR></TABLE></TD></TR></TABLE></TD></TR></TABLE></BODY></HTML>"
    set header http
    set format html
end
config system replacemsg ec "endpt-recommendation-portal"
    set buffer "<HTML><HEAD><TITLE>Endpoint Security Required</TITLE></HEAD><BODY><TABLE ALIGN=\"CENTER\" width=500 height=250 cellpadding=2 cellspacing=0 border=0 bgcolor=\"#008080\"><TR><TD><TABLE border=0 width=\"100%\" height=\"100%\" cellpadding=0 cellspacing=0 bgcolor=\"#9dc8c6\"><TR height=30 bgcolor=\"#008080\"><TD style=\"text-align: center\"><b><font size=2 face=\"Verdana\" color=\"#ffffff\">Endpoint Security Required</font></b></TD><TR><TR height=\"100%\"><TD><TABLE border=0 cellpadding=5 cellspacing=0 width=\"500\" align=center><TR><TD><font size=2 face=\"Times New Roman\">The use of this security policy recommends that the latest FortiClient Endpoint Security software and antivirus signature package are installed.<br><br>Installing FortiClient requires that you have administrator privileges on your computer. If you do not, please contact your network administrator to have FortiClient installed.<br><br>The installer may be downloaded using the following link:<br>%%LINK%%<br>Installation instructions:<br><ul><li><span style=\"font-style:italic\">For Internet Explorer:</span></li><ol><li>Click the above link to download the installer</li><li>When Internet Explorer asks what action you would like to take, click \"Run\"</li></ol><br><li><span style=\"font-style:italic\">For Firefox:</span></li><ol><li>Click the above link to download the installer</li><li>Save the installer and note the location it is saved to</li><li>Open the folder containing the installer and run it</li></ol></ul>FortiClient installation may take a few minutes. Thank you for your patience.<br><br></font></TD></TR><TR><TD></TD></TR></TABLE><TR height=30 bgcolor=\"#9dc8c6\"><TD style=\"text-align: center\"><b><font size=2 face=\"Verdana\" color=\"#ffffff\"><a href=\"%%DST_ADDR_LINK%%\"> Continue to %%DST_ADDR_LABEL%% </a></font></b></TD><TR></TD></TR></TABLE></TD></TR></TABLE></BODY></HTML>"
    set header http
    set format html
end
config system replacemsg nac-quar "nac-quar-virus"
    set buffer "<html><head><title>Virus Quarantine</title></head><body><font size=2><table width=\"100%\"><tr><td bgcolor=#3300cc align=\"center\" colspan=2><font color=#ffffff><b>Blocked because of virus</b></font></td></tr></table><br><br>A virus was detected, originating from your system. Please contact the system administrator.<br><br><hr></font></body></html>"
    set header http
    set format html
end
config system replacemsg nac-quar "nac-quar-dos"
    set buffer "<html><head><title>Attack Detected</title></head><body><font size=2><table width=\"100%\"><tr><td bgcolor=#3300cc align=\"center\" colspan=2><font color=#ffffff><b>Blocked because of DoS Attack</b></font></td></tr></table><br><br>A DoS attack was detected, originating from your system. Please contact the system administrator.<br><br><hr></font></body></html>"
    set header http
    set format html
end
config system replacemsg nac-quar "nac-quar-ips"
    set buffer "<html><head><title>Attack Detected</title></head><body><font size=2><table width=\"100%\"><tr><td bgcolor=#3300cc align=\"center\" colspan=2><font color=#ffffff><b>Blocked because of IPS attack</b></font></td></tr></table><br><br>An attack was detected, originating from your system. Please contact the system administrator.<br><br><hr></font></body></html>"
    set header http
    set format html
end
config system replacemsg nac-quar "nac-quar-dlp"
    set buffer "<html><head><title>Data Leak Detected</title></head><body><font size=2><table width=\"100%\"><tr><td bgcolor=#3300cc align=\"center\" colspan=2><font color=#ffffff><b>Blocked because of data leak</b></font></td></tr></table><br><br>A data leak was detected, originating from your system. Please contact the system administrator.<br><br><hr></font></body></html>"
    set header http
    set format html
end
config system replacemsg traffic-quota "per-ip-shaper-block"
    set buffer "<html><head><title>Traffic Quota Control</title></head><body><font size=2><table width=\"100%\"><tr><td bgcolor=#3300cc align=\"center\" colspan=2><font color=#ffffff><b>Traffic blocked because of exceed quota</b></font></td></tr></table><br><br>Traffic blocked because of exceed per IP traffic shaper quota. Please contact the system administrator.<br>%%QUOTA_INFO%%<br><br><hr></font></body></html>"
    set header http
    set format html
end
config system replacemsg traffic-quota "traffic-shaper-block"
    set buffer "<html><head><title>Traffic Quota Control</title></head><body><font size=2><table width=\"100%\"><tr><td bgcolor=#3300cc align=\"center\" colspan=2><font color=#ffffff><b>Traffic blocked because of exceed quota</b></font></td></tr></table><br><br>Traffic blocked because of exceed shared traffic shaper quota. Please contact the system administrator.<br>%%QUOTA_INFO%%<br><br><hr></font></body></html>"
    set header http
    set format html
end
config vpn certificate ca
end
config vpn certificate local
    edit "Fortinet_CA_SSLProxy"
        set password ENC sTe4Aqe/9RABmWoiylPNJoC7QTUXnMTlUT1snXM7kKGuRvQbGRxLZ2G8TvUJvVBzu6Chc88AZFkzSmW9PwAwx8QxByocl/tSIN/iinU0QlD/R3Nv
        set comments "This certificate is embedded in the firmware and is the same on every unit (not unique). This is the default CA certificate the SSL Inspection will use when generating new server certificates."
        set private-key "-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,AB81DDCD9ECD0421
-----END RSA PRIVATE KEY-----"
        set certificate "-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----"
    next
end
config gui console
    unset preferences
end
config system session-helper
    edit 1
        set name pptp
        set port 1723
        set protocol 6
    next
    edit 2
        set name h323
        set port 1720
        set protocol 6
    next
    edit 3
        set name ras
        set port 1719
        set protocol 17
    next
    edit 4
        set name tns
        set port 1521
        set protocol 6
    next
    edit 5
        set name tftp
        set port 69
        set protocol 17
    next
    edit 6
        set name rtsp
        set port 554
        set protocol 6
    next
    edit 7
        set name rtsp
        set port 7070
        set protocol 6
    next
    edit 8
        set name rtsp
        set port 8554
        set protocol 6
    next
    edit 9
        set name ftp
        set port 21
        set protocol 6
    next
    edit 10
        set name mms
        set port 1863
        set protocol 6
    next
    edit 11
        set name pmap
        set port 111
        set protocol 6
    next
    edit 12
        set name pmap
        set port 111
        set protocol 17
    next
    edit 13
        set name sip
        set port 5060
        set protocol 17
    next
    edit 14
        set name dns-udp
        set port 53
        set protocol 17
    next
    edit 15
        set name rsh
        set port 514
        set protocol 6
    next
    edit 16
        set name rsh
        set port 512
        set protocol 6
    next
    edit 17
        set name dcerpc
        set port 135
        set protocol 6
    next
    edit 18
        set name dcerpc
        set port 135
        set protocol 17
    next
    edit 19
        set name mgcp
        set port 2427
        set protocol 17
    next
    edit 20
        set name mgcp
        set port 2727
        set protocol 17
    next
end
config system wireless settings
    set mode CLIENT
    set short-guard-interval disable
    set channel-bonding disable
end
config system auto-install
    set auto-install-config enable
    set auto-install-image enable
    set default-config-file "fgt_system.conf"
    set default-image-file "image.out"
end
config system ntp
        config ntpserver
            edit 1
                set server "pool.ntp.org"
            next
        end
    set ntpsync disable
    set syncinterval 60
end
config antivirus service "http"
    set scan-bzip2 disable
    set uncompnestlimit 12
    set uncompsizelimit 10
end
config antivirus service "https"
end
config antivirus service "ftp"
    set scan-bzip2 disable
    set uncompnestlimit 12
    set uncompsizelimit 10
end
config antivirus service "pop3"
    set scan-bzip2 disable
    set uncompnestlimit 12
    set uncompsizelimit 10
end
config antivirus service "pop3s"
    set scan-bzip2 disable
    set uncompnestlimit 12
    set uncompsizelimit 10
end
config antivirus service "imap"
    set scan-bzip2 disable
    set uncompnestlimit 12
    set uncompsizelimit 10
end
config antivirus service "imaps"
    set scan-bzip2 disable
    set uncompnestlimit 12
    set uncompsizelimit 10
end
config antivirus service "smtp"
    set scan-bzip2 disable
    set uncompnestlimit 12
    set uncompsizelimit 10
end
config antivirus service "smtps"
    set scan-bzip2 disable
    set uncompnestlimit 12
    set uncompsizelimit 10
end
config antivirus service "nntp"
    set scan-bzip2 disable
    set uncompnestlimit 12
    set uncompsizelimit 10
end
config antivirus service "im"
    set scan-bzip2 disable
    set uncompnestlimit 12
    set uncompsizelimit 10
end
config system dhcp server
    edit "internal_dhcp_server"
        set default-gateway 192.168.0.1
        set dns-server1 192.168.0.1
        set dns-server2 192.168.0.2
        set dns-server3 65.24.0.168
        set enable disable
        set interface "internal"
        set lease-time 0
        set netmask 255.255.255.0
        set wins-server1 192.168.0.1
        set end-ip 192.168.0.30
        set start-ip 192.168.0.10
    next
end
config firewall address
    edit "all"
    next
    edit "SSLVPN_TUNNEL_ADDR1"
        set type iprange
        set end-ip 10.0.0.10
        set start-ip 10.0.0.1
    next
end
config firewall address6
    edit "all"
    next
end
config ips sensor
    edit "all_default"
        set comment "all predefined signatures with default setting"
            config filter
                edit "1"
                next
            end
    next
    edit "all_default_pass"
        set comment "all predefined signatures with PASS action"
            config filter
                edit "1"
                    set action pass
                next
            end
    next
    edit "protect_http_server"
        set comment "protect against HTTP server-side vulnerabilities"
            config filter
                edit "1"
                    set location server
                    set protocol HTTP
                next
            end
    next
    edit "protect_email_server"
        set comment "protect against EMail server-side vulnerabilities"
            config filter
                edit "1"
                    set location server
                    set protocol SMTP POP3 IMAP
                next
            end
    next
    edit "protect_client"
        set comment "protect against client-side vulnerabilities"
            config filter
                edit "1"
                    set location client
                next
            end
    next
end
config ips DoS
    edit "all_default"
            config anomaly
                edit "tcp_syn_flood"
                    set status enable
                    set threshold 2000
                next
                edit "tcp_port_scan"
                    set status enable
                    set threshold 1000
                next
                edit "tcp_src_session"
                    set status enable
                    set threshold 5000
                next
                edit "tcp_dst_session"
                    set status enable
                    set threshold 5000
                next
                edit "udp_flood"
                    set status enable
                    set threshold 2000
                next
                edit "udp_scan"
                    set status enable
                    set threshold 2000
                next
                edit "udp_src_session"
                    set status enable
                    set threshold 5000
                next
                edit "udp_dst_session"
                    set status enable
                    set threshold 5000
                next
                edit "icmp_flood"
                    set status enable
                    set threshold 250
                next
                edit "icmp_sweep"
                    set status enable
                    set threshold 100
                next
                edit "icmp_src_session"
                    set status enable
                    set threshold 300
                next
                edit "icmp_dst_session"
                    set status enable
                    set threshold 1000
                next
            end
    next
    edit "block_flood"
            config anomaly
                edit "tcp_syn_flood"
                    set status enable
                    set action block
                    set threshold 2000
                next
                edit "tcp_port_scan"
                    set threshold 1000
                next
                edit "tcp_src_session"
                    set threshold 5000
                next
                edit "tcp_dst_session"
                    set threshold 5000
                next
                edit "udp_flood"
                    set status enable
                    set action block
                    set threshold 2000
                next
                edit "udp_scan"
                    set threshold 2000
                next
                edit "udp_src_session"
                    set threshold 5000
                next
                edit "udp_dst_session"
                    set threshold 5000
                next
                edit "icmp_flood"
                    set status enable
                    set action block
                    set threshold 250
                next
                edit "icmp_sweep"
                    set threshold 100
                next
                edit "icmp_src_session"
                    set threshold 300
                next
                edit "icmp_dst_session"
                    set threshold 1000
                next
            end
    next
end
config firewall shaper traffic-shaper
    edit "high-priority"
        set maximum-bandwidth 131072
        set per-policy enable
    next
    edit "medium-priority"
        set maximum-bandwidth 131072
        set per-policy enable
        set priority medium
    next
    edit "low-priority"
        set maximum-bandwidth 131072
        set per-policy enable
        set priority low
    next
    edit "guarantee-100kbps"
        set guaranteed-bandwidth 12
        set maximum-bandwidth 131072
        set per-policy enable
    next
    edit "shared-1M-pipe"
        set maximum-bandwidth 128
    next
end
config antivirus filepattern
    edit 1
            config entries
                edit "*.bat"
                next
                edit "*.com"
                next
                edit "*.dll"
                next
                edit "*.doc"
                next
                edit "*.exe"
                next
                edit "*.gz"
                next
                edit "*.hta"
                next
                edit "*.ppt"
                next
                edit "*.rar"
                next
                edit "*.scr"
                next
                edit "*.tar"
                next
                edit "*.tgz"
                next
                edit "*.vb?"
                next
                edit "*.wps"
                next
                edit "*.xl?"
                next
                edit "*.zip"
                next
                edit "*.pif"
                next
                edit "*.cpl"
                next
            end
        set name "builtin-patterns"
    next
end
config dlp rule
    edit "All-Email"
        set protocol email
        set sub-protocol smtp pop3 imap
        set field always
    next
    edit "All-HTTP"
        set protocol http
        set sub-protocol http-get http-post
        set field always
    next
    edit "All-FTP"
        set protocol ftp
        set sub-protocol ftp-get ftp-put
        set field always
    next
    edit "All-NNTP"
        set protocol nntp
        set field always
    next
    edit "All-IM"
        set protocol im
        set sub-protocol aim icq msn ym
        set field always
    next
    edit "All-Session-Control"
        set protocol session-ctrl
        set sub-protocol sip simple sccp
        set field always
    next
    edit "HTTP-Visa-Mastercard"
        set protocol http
        set sub-protocol http-post
        set regexp "(\\W|\\b)(4\\d|5[1-5])\\d{2}([ \\-]?\\d{4}[ \\-]?){3}(\\W|\\b)"
    next
    edit "HTTP-AmEx"
        set protocol http
        set sub-protocol http-post
        set regexp "(\\W|\\b)3[47]\\d{2}([ \\-]?)\\d{6}\\2\\d{5}(\\W|\\b)"
    next
    edit "HTTP-Canada-SIN"
        set protocol http
        set sub-protocol http-post
        set regexp "(\\b|\\W)[1-79]\\d{2}([ \\-]?)\\d{3}\\2\\d{3}(\\b|\\W)"
    next
    edit "HTTP-US-SSN"
        set protocol http
        set sub-protocol http-post
        set regexp "\\b(?!000)([0-6]\\d{2}|7([0-6]\\d|7[012]))([ -]?)(?!00)\\d\\d\\3(?!0000)\\d{4}(\\b|\\W)"
    next
    edit "HTTP-Post-Not-Webex"
        set protocol http
        set sub-protocol http-post
        set regexp "WebEx"
        set regexp-negated enable
        set regexp-wildcard enable
    next
    edit "Email-AmEx"
        set protocol email
        set sub-protocol smtp pop3 imap
        set regexp "(\\W|\\b)(4\\d|5[1-5])\\d{2}([ \\-]?\\d{4}[ \\-]?){3}(\\W|\\b)"
    next
    edit "Email-Visa-Mastercard"
        set protocol email
        set sub-protocol smtp pop3 imap
        set regexp "(\\W|\\b)(4\\d|5[1-5])\\d{2}([ \\-]?)\\d{4}(\\3\\d{4}){2}(\\W|\\b)"
    next
    edit "Email-Canada-SIN"
        set protocol email
        set sub-protocol smtp pop3 imap
        set regexp "(\\b|\\W)[1-79]\\d{2}([ \\-]?)\\d{3}\\2\\d{3}(\\b|\\W)"
    next
    edit "Email-US-SSN"
        set protocol email
        set sub-protocol smtp pop3 imap
        set regexp "\\b(?!000)([0-6]\\d{2}|7([0-6]\\d|7[012]))([ -]?)(?!00)\\d\\d\\3(?!0000)\\d{4}(\\b|\\W)"
    next
    edit "Email-Not-Webex"
        set protocol email
        set sub-protocol smtp pop3 imap
        set regexp "WebEx"
        set regexp-negated enable
        set regexp-wildcard enable
    next
    edit "Large-Attachment"
        set protocol email
        set sub-protocol smtp pop3 imap
        set field attachment-size
        set value 5120
        set operator greater-equal
    next
    edit "Large-FTP-Put"
        set protocol ftp
        set sub-protocol ftp-put
        set field transfer-size
        set value 5120
        set operator greater-equal
    next
    edit "Large-HTTP-Post"
        set protocol http
        set sub-protocol http-post
        set field transfer-size
        set value 5120
        set operator greater-equal
    next
end
config dlp compound
    edit "Email-SIN"
        set comment "Emails containing canadian SIN but are not WebEx invites"
        set protocol email
        set sub-protocol smtp pop3 imap
        set member "Email-Canada-SIN" "Email-Not-Webex"
    next
    edit "HTTP-Post-SIN"
        set comment "Posts containing canadian SIN but are not WebEx invites"
        set protocol http
        set sub-protocol http-post
        set member "HTTP-Canada-SIN" "HTTP-Post-Not-Webex"
    next
end
config dlp sensor
    edit "Content_Summary"
            config rule
                edit "All-Email"
                next
                edit "All-FTP"
                next
                edit "All-HTTP"
                next
                edit "All-IM"
                next
                edit "All-NNTP"
                next
            end
    next
    edit "Content_Archive"
            config rule
                edit "All-Email"
                    set archive enable
                next
                edit "All-FTP"
                    set archive enable
                next
                edit "All-HTTP"
                    set archive enable
                next
                edit "All-IM"
                    set archive enable
                next
                edit "All-NNTP"
                next
            end
    next
    edit "Large-File"
            config rule
                edit "Large-Attachment"
                next
                edit "Large-FTP-Put"
                next
                edit "Large-HTTP-Post"
                next
            end
    next
    edit "Credit-Card"
            config rule
                edit "Email-AmEx"
                next
                edit "Email-Visa-Mastercard"
                next
                edit "HTTP-AmEx"
                next
                edit "HTTP-Visa-Mastercard"
                next
            end
    next
    edit "SSN-Sensor"
            config rule
                edit "Email-US-SSN"
                next
                edit "HTTP-US-SSN"
                next
            end
            config compound-rule
                edit "Email-SIN"
                    set status enable
                next
                edit "HTTP-Post-SIN"
                    set status enable
                next
            end
    next
end
config webfilter content
end
config webfilter urlfilter
end
config spamfilter bword
end
config spamfilter emailbwl
end
config spamfilter ipbwl
end
config spamfilter mheader
end
config spamfilter dnsbl
end
config spamfilter iptrust
end
config firewall profile
    edit "strict"
            config log
                set log-web-ftgd-err enable
            end
        set ftp block oversize scan splice
        set http block oversize scan activexfilter bannedword cookiefilter javafilter rangeblock urlfilter
        unset https
        set imap block oversize scan bannedword spamemailbwl spamfsip spamfschksum spamfssubmit spamfsurl spamhdrcheck spamraddrdns
        set imaps spamfssubmit
        set pop3 block oversize scan bannedword spamemailbwl spamfsip spamfschksum spamfssubmit spamfsurl spamhdrcheck spamraddrdns
        set pop3s spamfssubmit
        set smtp block oversize scan bannedword spamemailbwl spamfsip spamfschksum spamfssubmit spamfsurl spamhdrcheck spamhelodns spamipbwl spamraddrdns spamrbl splice
        set smtps spamfssubmit splice
        set nntp block oversize scan
            config app-recognition
                edit "http"
                    set port 80
                next
                edit "https"
                    set port 443
                next
                edit "smtp"
                    set port 25
                next
                edit "pop3"
                    set port 110
                next
                edit "imap"
                    set port 143
                next
                edit "nntp"
                    set port 119
                next
                edit "ftp"
                    set port 21
                next
                edit "smtps"
                    set port 465
                next
                edit "pop3s"
                    set port 995
                next
                edit "imaps"
                    set port 993
                next
            end
        set im block oversize scan
        unset http-post-lang
        set http-avdb extended
        set smtp-avdb extended
        set pop3-avdb extended
        set imap-avdb extended
        set ftp-avdb extended
        set im-avdb extended
        set nntp-avdb extended
        set ftgd-wf-options strict-blocking
        set ftgd-wf-https-options strict-blocking
    next
    edit "scan"
            config log
                set log-web-ftgd-err enable
            end
        set ftp scan splice
        set http scan rangeblock
        unset https
        set imap scan
        set imaps spamfssubmit
        set pop3 scan
        set pop3s spamfssubmit
        set smtp scan splice
        set smtps spamfssubmit splice
        set nntp scan
            config app-recognition
                edit "http"
                    set port 80
                next
                edit "https"
                    set port 443
                next
                edit "smtp"
                    set port 25
                next
                edit "pop3"
                    set port 110
                next
                edit "imap"
                    set port 143
                next
                edit "nntp"
                    set port 119
                next
                edit "ftp"
                    set port 21
                next
                edit "smtps"
                    set port 465
                next
                edit "pop3s"
                    set port 995
                next
                edit "imaps"
                    set port 993
                next
            end
        set im scan
        unset http-post-lang
        set ftgd-wf-options strict-blocking
        set ftgd-wf-https-options strict-blocking
    next
    edit "web"
            config log
                set log-web-ftgd-err enable
            end
        set ftp splice
        set http scan bannedword rangeblock urlfilter
        unset https
        set imap fragmail
        set imaps fragmail spamfssubmit
        set pop3 fragmail
        set pop3s fragmail spamfssubmit
        set smtp fragmail splice
        set smtps fragmail spamfssubmit splice
        unset nntp
            config app-recognition
                edit "http"
                    set port 80
                next
                edit "https"
                    set port 443
                next
                edit "smtp"
                    set port 25
                next
                edit "pop3"
                    set port 110
                next
                edit "imap"
                    set port 143
                next
                edit "nntp"
                    set port 119
                next
                edit "ftp"
                    set port 21
                next
                edit "smtps"
                    set port 465
                next
                edit "pop3s"
                    set port 995
                next
                edit "imaps"
                    set port 993
                next
            end
        unset im
        unset http-post-lang
        set ftgd-wf-options strict-blocking
        set ftgd-wf-https-options strict-blocking
    next
    edit "unfiltered"
            config log
                set log-web-ftgd-err enable
            end
        set ftp no-content-summary
        set http no-content-summary
        set https no-content-summary
        set imap fragmail no-content-summary
        set imaps fragmail spamfssubmit
        set pop3 fragmail no-content-summary
        set pop3s fragmail spamfssubmit
        set smtp fragmail no-content-summary splice
        set smtps fragmail spamfssubmit splice
        set nntp no-content-summary
            config app-recognition
                edit "http"
                    set port 80
                next
                edit "https"
                    set port 443
                next
                edit "smtp"
                    set port 25
                next
                edit "pop3"
                    set port 110
                next
                edit "imap"
                    set port 143
                next
                edit "nntp"
                    set port 119
                next
                edit "ftp"
                    set port 21
                next
                edit "smtps"
                    set port 465
                next
                edit "pop3s"
                    set port 995
                next
                edit "imaps"
                    set port 993
                next
            end
        unset im
        unset http-post-lang
        set ftgd-wf-options strict-blocking
        set ftgd-wf-https-options strict-blocking
    next
end
config vpn ssl web host-check-software
    edit "FortiClient-AV"
        set guid "C86EC76D-5A4C-40E7-BD94-59358E544D81"
    next
    edit "FortiClient-FW"
        set guid "528CB157-D384-4593-AAAA-E42DFF111CED"
        set type fw
    next
    edit "AVG-Internet-Security-AV"
        set guid "17DDD097-36FF-435F-9E1B-52D74245D6BF"
    next
    edit "CA-Anti-Virus"
        set guid "17CFD1EA-56CF-40B5-A06B-BD3A27397C93"
    next
    edit "F-Secure-Internet-Security-AV"
        set guid "E7512ED5-4245-4B4D-AF3A-382D3F313F15"
    next
    edit "Kaspersky-AV"
        set guid "2C4D4BC6-0793-4956-A9F9-E252435469C0"
    next
    edit "McAfee-Internet-Security-Suite-AV"
        set guid "84B5EE75-6421-4CDE-A33A-DD43BA9FAD83"
    next
    edit "McAfee-Virus-Scan-Enterprise"
        set guid "918A2B0B-2C60-4016-A4AB-E868DEABF7F0"
    next
    edit "Norton-360-2.0-AV"
        set guid "A5F1BC7C-EA33-4247-961C-0217208396C4"
    next
    edit "Norton-360-3.0-AV"
        set guid "E10A9785-9598-4754-B552-92431C1C35F8"
    next
    edit "Norton-Internet-Security-AV"
        set guid "E10A9785-9598-4754-B552-92431C1C35F8"
    next
    edit "Symantec-Endpoint-Protection-AV"
        set guid "FB06448E-52B8-493A-90F3-E43226D3305C"
    next
    edit "Panda-Antivirus+Firewall-2008-AV"
        set guid "EEE2D94A-D4C1-421A-AB2C-2CE8FE51747A"
    next
    edit "Panda-Internet-Security-AV"
        set guid "4570FB70-5C9E-47E9-B16C-A3A6A06C4BF0"
    next
    edit "Sophos-Anti-Virus"
        set guid "3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD"
    next
    edit "Trend-Micro-AV"
        set guid "7D2296BC-32CC-4519-917E-52E652474AF5"
    next
    edit "ZoneAlarm-AV"
        set guid "5D467B10-818C-4CAB-9FF7-6893B5B8F3CF"
    next
    edit "AVG-Internet-Security-FW"
        set guid "8DECF618-9569-4340-B34A-D78D28969B66"
        set type fw
    next
    edit "CA-Personal-Firewall"
        set guid "14CB4B80-8E52-45EA-905E-67C1267B4160"
        set type fw
    next
    edit "F-Secure-Internet-Security-FW"
        set guid "D4747503-0346-49EB-9262-997542F79BF4"
        set type fw
    next
    edit "Kaspersky-FW"
        set guid "2C4D4BC6-0793-4956-A9F9-E252435469C0"
        set type fw
    next
    edit "McAfee-Internet-Security-Suite-FW"
        set guid "94894B63-8C7F-4050-BDA4-813CA00DA3E8"
        set type fw
    next
    edit "Norton-360-2.0-FW"
        set guid "371C0A40-5A0C-4AD2-A6E5-69C02037FBF3"
        set type fw
    next
    edit "Norton-360-3.0-FW"
        set guid "7C21A4C9-F61F-4AC4-B722-A6E19C16F220"
        set type fw
    next
    edit "Norton-Internet-Security-FW"
        set guid "7C21A4C9-F61F-4AC4-B722-A6E19C16F220"
        set type fw
    next
    edit "Symantec-Endpoint-Protection-FW"
        set guid "BE898FE3-CD0B-4014-85A9-03DB9923DDB6"
        set type fw
    next
    edit "Panda-Antivirus+Firewall-2008-FW"
        set guid "7B090DC0-8905-4BAF-8040-FD98A41C8FB8"
        set type fw
    next
    edit "Panda-Internet-Security-2006~2007-FW"
        set guid "4570FB70-5C9E-47E9-B16C-A3A6A06C4BF0"
        set type fw
    next
    edit "Panda-Internet-Security-2008~2009-FW"
        set guid "7B090DC0-8905-4BAF-8040-FD98A41C8FB8"
        set type fw
    next
    edit "Trend-Micro-FW"
        set guid "3E790E9E-6A5D-4303-A7F9-185EC20F3EB6"
        set type fw
    next
    edit "ZoneAlarm-FW"
        set guid "829BDA32-94B3-44F4-8446-F8FCFF809F8B"
        set type fw
    next
end
config vpn ssl web portal
    edit "full-access"
        set allow-access web ftp smb telnet ssh vnc rdp
        set heading "Welcome to SSL VPN Service"
        set page-layout double-column
            config widget
                edit 4
                    set name "Session Information"
                    set type info
                next
                edit 2
                    set name "Bookmarks"
                    set allow-apps web ftp smb telnet ssh vnc rdp
                next
                edit 3
                    set name "Connection Tool"
                    set type tool
                    set column two
                    set allow-apps web ftp smb telnet ssh vnc rdp
                next
                edit 1
                    set name "Tunnel Mode"
                    set type tunnel
                    set column two
                    set tunnel-status enable
                        set ip-pools "SSLVPN_TUNNEL_ADDR1"                        
                next
            end
    next
    edit "web-access"
        set allow-access web ftp smb telnet ssh vnc rdp
        set heading "Welcome to SSL VPN Service"
            config widget
                edit 4
                    set name "Session Information"
                    set type info
                next
                edit 1
                    set name "Bookmarks"
                    set allow-apps web ftp smb telnet ssh vnc rdp
                next
            end
    next
    edit "tunnel-access"
        set heading "Welcome to SSL VPN Service"
            config widget
                edit 4
                    set name "Session Information"
                    set type info
                next
                edit 1
                    set name "Tunnel Mode"
                    set type tunnel
                    set tunnel-status enable
                        set ip-pools "SSLVPN_TUNNEL_ADDR1"                        
                next
            end
    next
end
config user group
    edit "FSAE_Guest_Users"
        set group-type directory-service
    next
end
config webfilter ftgd-ovrd
end
config webfilter ftgd-ovrd-user
end
config webfilter ftgd-local-rating
end
config endpoint-control app-detect rule-list
    edit "Block_P2P_application"
            config entries
                edit 1
                    set category 15
                    set status running
                next
            end
        set comment "deny access from endpoints running P2P applications"
        set other-application-action allow
    next
    edit "Monitor_Microsoft_Office"
            config entries
                edit 1
                    set category 31
                    set vendor 53
                    set action monitor
                next
            end
        set comment "monitor installed Microsoft Office applications"
        set other-application-action allow
    next
    edit "Monitor_game"
            config entries
                edit 1
                    set category 20
                    set action monitor
                    set status running
                next
            end
        set comment "monitor running games"
        set other-application-action allow
    next
    edit "Monitor_Internet_browser"
            config entries
                edit 1
                    set category 12
                    set action monitor
                next
            end
        set comment "monitor installed Internet browsers"
        set other-application-action allow
    next
end
config endpoint-control profile
    edit "Recommend_FortiClient"
    next
    edit "Enforce_FortiClient_AV"
        set feature-enforcement enable
        set recommendation-disclaimer disable
        set require-av enable
    next
    edit "P2P_application_detection"
        set application-detection enable
        set application-detection-rule-list "Block_P2P_application"
    next
end
config firewall service custom
    edit "Windows Sharepoint Services"
        set protocol TCP/UDP
        set tcp-portrange 987-987:987-987
        set udp-portrange 987-987:987-987
    next
end
config firewall schedule recurring
    edit "always"
        set day sunday monday tuesday wednesday thursday friday saturday
    next
end
config firewall vip
    edit "Port  fwd NAT"
        set extip 64.129.23.80
        set extintf "wan1"
        set mappedip 192.168.0.2
    next
end
config firewall policy
    edit 2
        set srcintf "wlan"
        set dstintf "wan1"
            set srcaddr "all"            
            set dstaddr "all"            
        set schedule "always"
            set service "ANY"            
    next
    edit 3
        set srcintf "wlan"
        set dstintf "internal"
            set srcaddr "all"            
            set dstaddr "all"            
        set schedule "always"
            set service "ANY"            
    next
    edit 4
        set srcintf "internal"
        set dstintf "wlan"
            set srcaddr "all"            
            set dstaddr "all"            
        set action accept
        set schedule "always"
            set service "ANY"            
    next
    edit 5
        set srcintf "wan1"
        set dstintf "internal"
            set srcaddr "all"            
            set dstaddr "Port  fwd NAT"            
        set action accept
        set schedule "always"
            set service "ANY"            
    next
end
config firewall policy6
end
config firewall interface-policy
end
config firewall interface-policy6
end
config firewall sniff-interface-policy
end
config firewall sniff-interface-policy6
end
config router rip
        config redistribute "connected"
        end
        config redistribute "static"
        end
        config redistribute "ospf"
        end
        config redistribute "bgp"
        end
end
config router ripng
        config redistribute "connected"
        end
        config redistribute "static"
        end
        config redistribute "ospf"
        end
        config redistribute "bgp"
        end
end
config router static
    edit 1
        set device "wan1"
        set dst 0.0.0.0 255.255.255.255
        set gateway 64.129.23.65
        set weight 50
    next
end
config router ospf
        config redistribute "connected"
        end
        config redistribute "static"
        end
        config redistribute "rip"
        end
        config redistribute "bgp"
        end
end
config router ospf6
        config redistribute "connected"
        end
        config redistribute "static"
        end
        config redistribute "rip"
        end
        config redistribute "bgp"
        end
end
config router bgp
        config redistribute "connected"
        end
        config redistribute "rip"
        end
        config redistribute "ospf"
        end
        config redistribute "static"
        end
        config redistribute6 "connected"
        end
        config redistribute6 "rip"
        end
        config redistribute6 "ospf"
        end
        config redistribute6 "static"
        end
end
config router multicast
end
0
 
LVL 17

Expert Comment

by:Garry-G
Comment Utility
An excerpt would have been sufficient ;) shouldn't really be posting stuff like RSA keys or (even encrypted) passwords publicly ...

from what I can see, the setup ought to be working ... the only thing I'm not exactly sure about is how the FW handles it when you use the FW's own IP as a full VIP NAT, without limiting it to certain ports/services ... can you try to change the VIP to just forward a single port instead of anything? I don't have a spare box handy right now to give it a try ...

If forwarding just a single port still doesn't work, please do try the packet sniffer to see how far the packets get through the firewall ...
0
 
LVL 1

Author Comment

by:jmarkfoley
Comment Utility
Well, I wasn't sure what you would or would not need in an "excerpt". Anyway, I can change PWs and such. It's just too bad that config listing takes up so much space! Way more than I thought. Sorry.

Interesting testing: on Firewall > Policy, WAN1 -> Internal; if I have service ANY or HTTPS I can connect from the Internet to our domain server via Remote Web Workplace. If I select service SMTP only, I lose the HTTPS connection and cannot reconnect (but neither does mail work). If I set the services to HTTPS and SMTP I can again connect to the domain server, but still no mail. I cannot telnet to ports 25 or 443 using any of the service settings described above, even when I can connect via https (!?). When I put the old SMC router back in place of the Fortinet, I can telnet to both ports, no problem. None of the internal LAN workstations can connect to the Internet with these policy settings.

Does this tell you anything?

I tried your 'diag' command. I wasn't sure what I should use as the SOURCEIP address, so I used the public IP of the firewall:

HPRSfireWall # diag snif pack any "host 64.129.23.80" 4
interfaces=[any]
filters=[host 64.129.23.80]
0.593684 wan1 out 64.129.23.80.443 -> 64.129.23.124.49554: psh 3369885501 ack 4249349249
0.595966 wan1 in 64.129.23.124.49554 -> 64.129.23.80.443: ack 3369885618
1.140511 wan1 out 64.129.23.80.443 -> 64.129.23.124.49554: psh 3369885618 ack 4249349249
1.171648 wan1 in 64.129.23.124.49553 -> 64.129.23.80.443: psh 3517302747 ack 654966339
1.249595 wan1 out 64.129.23.80.443 -> 64.129.23.124.49554: psh 3369885751 ack 4249349249
1.251980 wan1 in 64.129.23.124.49554 -> 64.129.23.80.443: ack 3369885868
1.368144 wan1 out 64.129.23.80.443 -> 64.129.23.124.49553: ack 3517302869
1.812256 wan1 out 64.129.23.80.443 -> 64.129.23.124.49554: psh 3369885868 ack 4249349249
1.911118 wan1 in arp who-has 64.129.23.80 tell 64.129.23.124
1.911149 wan1 out arp reply 64.129.23.80 is-at 0:9:f:c9:3d:7a
1.921578 wan1 out 64.129.23.80.443 -> 64.129.23.124.49554: psh 3369885985 ack 4249349249
1.924107 wan1 in 64.129.23.124.49554 -> 64.129.23.80.443: ack 3369886102
2.140356 wan1 out 64.129.23.80.443 -> 64.129.23.124.49554: psh 3369886102 ack 4249349249

The above is the first several lines of output. It doesn't tell me much. Does it you? I don't know where the IP 64.129.23.124 comes from. It's not one of our IPs and I am puzzled as to why it is interacting with the Fortinet at all. There were LOTS AND LOTS of diag lines with this IP. Does that mean anything to you?

I want to try your  'diagnose debug' commands, but you're giving me more tech-credit than I deserve. Can you suggest IPs for "target or source ip address to look at"?
0
 
LVL 1

Author Comment

by:jmarkfoley
Comment Utility
Any more thoughts on this? I'll have to buy a new (non-Fortinet) router if I can't get this going soon.
0
 
LVL 17

Expert Comment

by:Garry-G
Comment Utility
The IP to use as the "host ..." option would be the external IP from which you'd try to connect to your internal server ...

As of now, SMTP connections to your IP seem to work ...

 # telnet 64.129.23.80 25
Trying 64.129.23.80...
Connected to 64.129.23.80.
Escape character is '^]'.
220 mail.ohprs.org Microsoft ESMTP MAIL Service ready at Wed, 16 Jan 2013 14:14:17 -0500
quit
221 2.0.0 Service closing transmission channel
Connection closed by foreign host.


As for the VIP addresses, if you re-use the firewall's external IP, you should set up specific port VIPs, e.g. setting up one VIP for SMTP, one for web access to your DC (remember to move the FortiGate admin port from 443 to something else, e.g. 8443), and so on ... then, configure the policy to allow incoming connections to the appropriate VIPs ...
0
 
LVL 1

Author Comment

by:jmarkfoley
Comment Utility
Thanks for your response, but I'm not sure I understand what you're saying:

> As of now, SMTP connections to your IP seem to work ...

Yes. Of course I cannot leave the Fortinet in the LAN if I can't get it to work. Meanwhile, I have a cheap, old SMC standing in for it, literally salvaged from the junk-pile. It has no trouble port-forwarding.

> The IP to use as the "host ..." option would be the external IP from which you'd try to connect to your internal server to ...

Where exactly should I be setting this IP? Can you give me the menu selection and tab, or a screen shot? I've looked at the previous postings and the Fortinet setup page and I don't get where you mean for me to put this.

> As for the VIP addresses, if you re-use the firewall's external IP, you should set up specific port VIPs, e.g. setting up one VIP for SMTP, one for web access to your DC

Yes, I did that. I didn't set them all up (80, 53, 443, 25), but when I set up two of them (443 and 25), only 443 worked. But 443 worked without ANY ports set up. See my post ID: 38776648 above. If that's the only thing left to try (setting up all my ports) I'll try it, but the DC only needs 443 and 25. It doesn't host web pages (the 443 port is for Remote Web Workplace) and doesn't really do DNS from the WAN (it uses the router), so the bare essentials, 443 and 25, don't work (well, 443 works).
0
 
LVL 17

Accepted Solution

by:
Garry-G earned 500 total points
Comment Utility
According to the config dump, you had a VIP setup without port limitations/port forwarding configured ... change the VIP to do only port 25 outside to port 25 inside and see what that does. Then add another VIP with forwarding for port 443 and add the appropriate policy entry with it ...

As for the packet sniffer, if you have an outside system that you try the SMTP connection from, that's the IP you'd use in the sniffer command ... alternatively, you could use "tcp port 25" instead, which would then capture all the SMTP traffic in and out ... depending on the usage of your line, this might be more than what you're testing from.
0
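The fix Garry-G describes in his last two replies (one VIP per port, a matching policy for each, the admin port moved off 443, and a sniffer filter on the port rather than on a remote address), written out as FortiOS CLI. This is an added example for readers of the thread, not configuration posted by the author or supplied by Fortinet. The object names DC-SMTP and DC-HTTPS, the policy IDs 6 to 8 and the port 8443 are assumptions; the addresses, interface names and the VIP name "Port  fwd NAT" (two spaces) are taken from the config dump above. Syntax is that of FortiOS 4.0, the release the dump was exported from; option names may differ on other releases. Apply it from a console or LAN-side session, because step 1 changes the management port. Lines beginning with # are annotations, not commands.

```fortios
# Added example (editor's, not from the thread). Assumed: names DC-SMTP and DC-HTTPS,
# policy IDs 6-8, admin port 8443. Addresses and interfaces are from the config dump.

# 1. Move the admin GUI off 443 before creating the HTTPS VIP. The VIP reuses the
#    wan1 address as extip, so whatever arrives on that IP:443 goes to the DC.
config system global
    set admin-sport 8443
end

# 2. Remove the all-ports 1:1 VIP. The policy that references it has to go first;
#    FortiOS refuses to delete an object that is still in use.
config firewall policy
    delete 5
end
config firewall vip
    delete "Port  fwd NAT"
end

# 3. Port-specific VIPs: only TCP/25 and TCP/443 arriving at 64.129.23.80 on wan1
#    are translated to 192.168.0.2. Everything else still terminates on the FortiGate.
config firewall vip
    edit "DC-SMTP"
        set extip 64.129.23.80
        set extintf "wan1"
        set portforward enable
        set mappedip 192.168.0.2
        set extport 25
        set mappedport 25
    next
    edit "DC-HTTPS"
        set extip 64.129.23.80
        set extintf "wan1"
        set portforward enable
        set mappedip 192.168.0.2
        set extport 443
        set mappedport 443
    next
end

# 4. One inbound policy per VIP, with the service narrowed to match the VIP rather
#    than ANY. Caveat when reading the dump: the export omits default values and the
#    default action is deny, so policies 2 and 3, which carry no "set action accept"
#    line, drop traffic as exported.
config firewall policy
    edit 6
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "DC-SMTP"
        set action accept
        set schedule "always"
        set service "SMTP"
    next
    edit 7
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "DC-HTTPS"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
# 5. The dump contains no internal -> wan1 policy at all, which matches the report
#    that LAN workstations cannot reach the Internet. Outbound needs source NAT.
    edit 8
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
end

# 6. Checks. The static route in the dump has mask 255.255.255.255 (a /32 as
#    written), so confirm a 0.0.0.0/0 default route is really installed. Then
#    capture port 25 only, which needs no knowledge of the remote address, and
#    trace the policy decision while connecting from outside (telnet 64.129.23.80 25).
get router info routing-table all
diagnose sniffer packet wan1 'tcp port 25' 4
diagnose debug enable
diagnose debug flow filter port 25
diagnose debug flow show console enable
diagnose debug flow trace start 100
# ... run the outside connection test, then stop tracing:
diagnose debug flow trace stop
diagnose debug disable
```

Relocating the admin port is the minimum; the better check is `config system interface`, `edit wan1`, `set allowaccess ...`, and removing https and ssh from wan1 altogether so the management interface is not reachable from the Internet on any port.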
 
LVL 1

Author Comment

by:jmarkfoley
Comment Utility
Garry-G, thanks for your help on this, but I've taken the easy way out and replaced the Fortinet with a simpler to configure device. I've configured lots of routers, but I'm no network guru and have never been through any networking classes. I think a higher level of expertise than what I have is needed for this class of device. And if I'm not around, forget about any office staff figuring it out!

thanks
0
