
Above, we are using SPARSE mode.

Design goal:
FW, upon receiving multicast (2.2.2.20, 238.2.2.2) on port2, must perform source NAT so that the stream becomes (200.200.200.200, 238.2.2.2).

Current state:
When source is not active:

RP has a downstream listener on 238.2.2.2.

Test starts:
R1 (source) sends multicast stream (2.2.2.20, 238.2.2.2).

Expected behavior:
1) FW should perform source NAT, i.e. the stream becomes (200.200.200.200, 238.2.2.2).

2) FW should encapsulate this stream (200.200.200.200, 238.2.2.2) in a REGISTER message and unicast this REGISTER message to RP.
3) Since RP has (*, 238.2.2.2) state with a non-null outgoing interface, RP should send a PIM JOIN (200.200.200.200, 238.2.2.2) towards FW.

Upon receiving this PIM JOIN, FW should update its multicast state table with outgoing interface P3.

FW should now send two copies of each MCAST packet received (200.200.200.200, 238.2.2.2):

1) One in a REGISTER message

2) One without a REGISTER message, i.e. natively, out of port3.

RP, upon receiving MCAST (200.200.200.200, 238.2.2.2) natively, should send a REGISTER STOP message to FW.

4) Upon receiving REGISTER STOP, FW should stop sending REGISTER messages. Now FW should send MCAST natively, i.e. no more two copies of each MCAST packet received (200.200.200.200, 238.2.2.2).

Observed behavior:
FW does not perform source NAT; as a result, the original packet (2.2.2.20, 238.2.2.2) is carried in the REGISTER message:

Capture taken on port3:

Since RP does not know about the source (2.2.2.2), no PIM JOIN (2.2.2.20, 238.2.2.2) can be sent.

As a result, FW continues to send packets without NAT in REGISTER messages.

What needs to be fixed?

1) FW must perform SNAT when encapsulating the payload, i.e. (200.200.200.200, 238.2.2.2) instead of (2.2.2.20, 238.2.2.2).
2) FW must act upon the PIM JOIN (200.200.200.200, 238.2.2.2) sent by RP and join the (S,G) tree.

The 2nd item cannot be verified as we never progressed to that stage. I mentioned it to ensure that when you guys fix the NATting issue, you also ensure FW demonstrates the behavior mentioned in (2).
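
The check that a capture on port3 has to answer, as an added example (not part of the original report and not FortiGate code): it parses a PIM Register message in the RFC 7761 layout and reports whether the encapsulated packet carries the original or the NATed source. The two sample messages are constructed in the code, and all function names are hypothetical.

```python
import ipaddress
import struct

PIM_VERSION = 2
PIM_TYPE_REGISTER = 1            # RFC 7761, section 4.9.3
BORDER_BIT = 0x80000000          # "B" flag in the 32-bit word after the PIM header
NULL_REGISTER_BIT = 0x40000000   # "N" flag


def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement Internet checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_inner_ipv4(src: str, dst: str, payload: bytes = b"constructed") -> bytes:
    """Constructed sample: minimal IPv4 packet (protocol 17) standing in for the stream."""
    header = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 16, 17, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    csum = inet_checksum(header)
    return header[:10] + struct.pack("!H", csum) + header[12:] + payload


def build_register(inner: bytes, null_register: bool = False) -> bytes:
    """Constructed sample: PIM header + flags word + encapsulated packet."""
    flags = NULL_REGISTER_BIT if null_register else 0
    ver_type = (PIM_VERSION << 4) | PIM_TYPE_REGISTER
    # For Register messages the checksum covers only the first 8 bytes.
    csum = inet_checksum(struct.pack("!BBHI", ver_type, 0, 0, flags))
    return struct.pack("!BBHI", ver_type, 0, csum, flags) + inner


def parse_register(pim: bytes) -> dict:
    """Parse a PIM Register (the IP payload of the unicast packet sent to the RP)."""
    if len(pim) < 8 + 20:
        raise ValueError("truncated: need PIM header, flags word and inner IPv4 header")
    ver_type, _reserved, _csum, flags = struct.unpack("!BBHI", pim[:8])
    if ver_type >> 4 != PIM_VERSION or ver_type & 0x0F != PIM_TYPE_REGISTER:
        raise ValueError("not a PIMv2 Register message")
    if inet_checksum(pim[:8]) != 0:
        raise ValueError("bad PIM checksum")
    inner = pim[8:]
    if inner[0] >> 4 != 4:
        raise ValueError("encapsulated packet is not IPv4")
    return {
        "border": bool(flags & BORDER_BIT),
        "null_register": bool(flags & NULL_REGISTER_BIT),
        "inner_src": str(ipaddress.IPv4Address(inner[12:16])),
        "inner_dst": str(ipaddress.IPv4Address(inner[16:20])),
    }


def classify_register(pim: bytes, original_src: str, nat_src: str, group: str) -> str:
    """Say whether the encapsulated (S,G) was source-NATed before encapsulation."""
    info = parse_register(pim)
    if info["inner_dst"] != group:
        return "other-group"
    if info["inner_src"] == nat_src:
        return "translated"        # expected behavior in the report
    if info["inner_src"] == original_src:
        return "untranslated"      # observed behavior in the report
    return "unexpected-source"


# Addresses taken from the report; the messages themselves are constructed.
ORIGINAL_SRC, NAT_SRC, GROUP = "2.2.2.20", "200.200.200.200", "238.2.2.2"
OBSERVED = build_register(build_inner_ipv4(ORIGINAL_SRC, GROUP))
EXPECTED = build_register(build_inner_ipv4(NAT_SRC, GROUP))

if __name__ == "__main__":
    for name, msg in (("observed", OBSERVED), ("expected", EXPECTED)):
        print(name, parse_register(msg),
              classify_register(msg, ORIGINAL_SRC, NAT_SRC, GROUP))
```
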

ADDITIONAL INFO:

FW CONFIG:

FortiGate-VM64 # show

#config-version=FGVM64-6.2.3-FW-build1066-191218:opmode=1:vdom=0:user=admin

#conf_file_ver=179714316608366

#buildno=1066

#global_vdom=1

config system global

set alias "FortiGate-VM64"

set hostname "FortiGate-VM64"

set timezone 04

end

config system accprofile

edit "prof_admin"

set secfabgrp read-write

set ftviewgrp read-write

set authgrp read-write

set sysgrp read-write

set netgrp read-write

set loggrp read-write

set fwgrp read-write

set vpngrp read-write


set utmgrp read-write

set wanoptgrp read-write

set wifi read-write

next

end

config system interface

edit "port1"

set vdom "root"

set ip 192.168.1.1 255.255.255.0

set allowaccess ping https ssh http fgfm

set type physical

set snmp-index 1

next

edit "port2"

set vdom "root"

set ip 2.2.2.2 255.255.255.0

set allowaccess ping


set type physical

set snmp-index 2

next

edit "port3"

set vdom "root"

set ip 3.3.3.3 255.255.255.0

set allowaccess ping


set type physical

set snmp-index 3

next

edit "port4"

set vdom "root"

set type physical

set snmp-index 4

next

edit "ssl.root"

set vdom "root"

set type tunnel

set alias "SSL VPN interface"

set snmp-index 5

next

end

config system custom-language

edit "en"

set filename "en"

next

edit "fr"

set filename "fr"

next

edit "sp"

set filename "sp"

next
edit "pg"

set filename "pg"

next

edit "x-sjis"


set filename "x-sjis"

next

edit "big5"

set filename "big5"

next

edit "GB2312"

set filename "GB2312"

next

edit "euc-kr"

set filename "euc-kr"

next

end

config system admin

edit "admin"

set accprofile "super_admin"

set vdom "root"

set password ENC SH22ySxjo/6mWx1nrHHKzMDTYwG2Jhq0R04lRaUCV6DpDiCqTnROSK5vIOYJiw=

next

end

config system sso-admin


end

config system ha

set override disable

end

config system storage

edit "Virtual-Disk"

set status enable

set media-status enable

set order 1

set partition "LOGUSEDXE101E90C"

set device "/dev/sdb1"

set size 30235

set usage log

next

end

config system dns


set primary 208.91.112.53

set secondary 208.91.112.52

end

config system replacemsg-image

edit "logo_fnet"

set image-type gif

set image-base64 ''

next
edit "logo_fguard_wf"

set image-type gif

set image-base64 ''

next

edit "logo_fw_auth"

set image-base64 ''

next

edit "logo_v2_fnet"

set image-base64 ''

next

edit "logo_v2_fguard_wf"

set image-base64 ''

next

edit "logo_v2_fguard_app"

set image-base64 ''

next

end

config system replacemsg mail "email-av-fail"

end

config system replacemsg mail "email-block"

end

config system replacemsg mail "email-dlp-subject"

end

config system replacemsg mail "email-dlp-ban"

end
config system replacemsg mail "email-filesize"

end

config system replacemsg mail "email-file-filter"


end

config system replacemsg mail "partial"

end

config system replacemsg mail "smtp-block"

end

config system replacemsg mail "smtp-filesize"

end

config system replacemsg mail "email-decompress-limit"

end

config system replacemsg mail "smtp-decompress-limit"

end

config system replacemsg http "bannedword"

end

config system replacemsg http "url-block"

end

config system replacemsg http "urlfilter-err"

end

config system replacemsg http "infcache-block"

end

config system replacemsg http "http-block"

end
config system replacemsg http "http-filesize"

end

config system replacemsg http "http-dlp-ban"

end

config system replacemsg http "http-archive-block"

end

config system replacemsg http "http-contenttypeblock"

end

config system replacemsg http "https-invalid-cert-block"

end

config system replacemsg http "https-untrusted-cert-block"

end

config system replacemsg http "https-blacklisted-cert-block"

end

config system replacemsg http "http-client-block"


end

config system replacemsg http "http-client-filesize"

end

config system replacemsg http "http-client-bannedword"

end

config system replacemsg http "http-post-block"

end

config system replacemsg http "http-client-archive-block"

end
config system replacemsg http "switching-protocols-block"

end

config system replacemsg webproxy "deny"

end

config system replacemsg webproxy "user-limit"

end

config system replacemsg webproxy "auth-challenge"

end

config system replacemsg webproxy "auth-login-fail"

end

config system replacemsg webproxy "auth-group-info-fail"

end

config system replacemsg webproxy "http-err"

end

config system replacemsg webproxy "auth-ip-blackout"

end

config system replacemsg ftp "ftp-av-fail"

end

config system replacemsg ftp "ftp-dl-blocked"

end

config system replacemsg ftp "ftp-dl-filesize"

end

config system replacemsg ftp "ftp-dl-dlp-ban"

end

config system replacemsg ftp "ftp-explicit-banner"


end

config system replacemsg ftp "ftp-dl-archive-block"


end

config system replacemsg ftp "ftp-file-filter-block"

end

config system replacemsg nntp "nntp-av-fail"

end

config system replacemsg nntp "nntp-dl-blocked"

end

config system replacemsg nntp "nntp-dl-filesize"

end

config system replacemsg nntp "nntp-dlp-subject"

end

config system replacemsg nntp "nntp-dlp-ban"

end

config system replacemsg nntp "email-decompress-limit"

end

config system replacemsg fortiguard-wf "ftgd-block"

end

config system replacemsg fortiguard-wf "http-err"

end

config system replacemsg fortiguard-wf "ftgd-ovrd"

end

config system replacemsg fortiguard-wf "ftgd-quota"


end

config system replacemsg fortiguard-wf "ftgd-warning"

end

config system replacemsg spam "ipblocklist"

end

config system replacemsg spam "smtp-spam-dnsbl"

end

config system replacemsg spam "smtp-spam-feip"

end

config system replacemsg spam "smtp-spam-helo"

end

config system replacemsg spam "smtp-spam-emailblack"

end

config system replacemsg spam "smtp-spam-mimeheader"


end

config system replacemsg spam "reversedns"

end

config system replacemsg spam "smtp-spam-bannedword"

end

config system replacemsg spam "smtp-spam-ase"

end

config system replacemsg spam "submit"

end

config system replacemsg alertmail "alertmail-virus"


end

config system replacemsg alertmail "alertmail-block"

end

config system replacemsg alertmail "alertmail-nids-event"

end

config system replacemsg alertmail "alertmail-crit-event"

end

config system replacemsg alertmail "alertmail-disk-full"

end

config system replacemsg admin "pre_admin-disclaimer-text"

end

config system replacemsg admin "post_admin-disclaimer-text"

end

config system replacemsg auth "auth-disclaimer-page-1"

end

config system replacemsg auth "auth-disclaimer-page-2"

end

config system replacemsg auth "auth-disclaimer-page-3"

end

config system replacemsg auth "auth-reject-page"

end

config system replacemsg auth "auth-login-page"

end

config system replacemsg auth "auth-login-failed-page"

end
config system replacemsg auth "auth-token-login-page"


end

config system replacemsg auth "auth-token-login-failed-page"

end

config system replacemsg auth "auth-success-msg"

end

config system replacemsg auth "auth-challenge-page"

end

config system replacemsg auth "auth-keepalive-page"

end

config system replacemsg auth "auth-portal-page"

end

config system replacemsg auth "auth-password-page"

end

config system replacemsg auth "auth-fortitoken-page"

end

config system replacemsg auth "auth-next-fortitoken-page"

end

config system replacemsg auth "auth-email-token-page"

end

config system replacemsg auth "auth-sms-token-page"

end

config system replacemsg auth "auth-email-harvesting-page"

end
config system replacemsg auth "auth-email-failed-page"

end

config system replacemsg auth "auth-cert-passwd-page"

end

config system replacemsg auth "auth-guest-print-page"

end

config system replacemsg auth "auth-guest-email-page"

end

config system replacemsg auth "auth-success-page"

end

config system replacemsg auth "auth-block-notification-page"

end

config system replacemsg auth "auth-quarantine-page"


end

config system replacemsg auth "auth-qtn-reject-page"

end

config system replacemsg auth "auth-saml-page"

end

config system replacemsg sslvpn "sslvpn-login"

end

config system replacemsg sslvpn "sslvpn-header"

end

config system replacemsg sslvpn "sslvpn-limit"

end
config system replacemsg sslvpn "hostcheck-error"

end

config system replacemsg device-detection-portal "device-detection-failure"

end

config system replacemsg nac-quar "nac-quar-virus"

end

config system replacemsg nac-quar "nac-quar-dos"

end

config system replacemsg nac-quar "nac-quar-ips"

end

config system replacemsg nac-quar "nac-quar-dlp"

end

config system replacemsg nac-quar "nac-quar-admin"

end

config system replacemsg nac-quar "nac-quar-app"

end

config system replacemsg traffic-quota "per-ip-shaper-block"

end

config system replacemsg utm "virus-html"

end

config system replacemsg utm "client-virus-html"

end

config system replacemsg utm "virus-text"

end

config system replacemsg utm "dlp-html"



end

config system replacemsg utm "dlp-text"

end

config system replacemsg utm "appblk-html"

end

config system replacemsg utm "ipsblk-html"

end

config system replacemsg utm "ipsfail-html"

end

config system replacemsg utm "exe-text"

end

config system replacemsg utm "waf-html"

end

config system replacemsg utm "outbreak-prevention-html"

end

config system replacemsg utm "outbreak-prevention-text"

end

config system replacemsg utm "file-filter-text"

end

config system replacemsg utm "file-size-text"

end

config system replacemsg utm "internal-error-text"

end

config system replacemsg icap "icap-req-resp"


end

config system snmp sysinfo

end

config firewall internet-service-definition

end

config wanopt content-delivery-network-rule

edit "vcache://"

set comment "Static entries are not allowed to change except disable."

set response-expires enable

config rules

edit "rule1"

config match-entries


edit 1

set pattern "/*.m3u8"

next

end

config content-id

set target hls-manifest

set start-str "/"

end

next

edit "rule2"

config match-entries

edit 1
set pattern "/*.mpd"

next

end

config content-id

set target dash-manifest

set start-str "/"

end

next

edit "rule3"

config match-entries

edit 1

set pattern "/*.ts"

next

end

config content-id

set target hls-fragment

set start-str "/"

end

next

edit "rule4"

config match-entries

edit 1

set pattern "/*.*"

next

end

config content-id

set target dash-fragment

set start-str "/"

end

next

end

next

edit "vcache://youtube/"

set comment "Static entries are not allowed to change except disable."

set host-domain-name-suffix "youtube.com"

set category youtube

config rules

edit "rule1"

config match-entries

edit 1

set pattern "/videoplayback"

next

end

config content-id

set target youtube-id

set start-str "v="

set start-skip 2

set end-str "&"


end

next

edit "rule2"

config match-entries

edit 1

set pattern "/videoplayback"

next

end

config content-id

set target youtube-id

set start-str "v="

set start-skip 2


end

next

edit "rule3"

set match-mode any

config match-entries

edit 1

set pattern "/stream_204"

next

edit 2

set pattern "/ptracking"

next

edit 3
set pattern "/get_video_info"

next

end

config content-id

set target youtube-map

set start-str "/"

end

next

end

next

edit "vcache://googlevideo/"

set comment "Static entries are not allowed to change except disable."

set host-domain-name-suffix "googlevideo.com"

set category youtube

config rules

edit "rule1"

config match-entries

edit 1

set pattern "/videoplayback"

next

end

config content-id

set target youtube-id

set start-str "v="



set start-skip 2

set end-str "&"

end

next

edit "rule2"

config match-entries

edit 1

set pattern "/videoplayback"

next

end

config content-id

set target youtube-id

set start-str "v="

set start-skip 2

end

next

edit "rule3"

set match-mode any

config match-entries

edit 1

set pattern "/stream_204"

next

edit 2

set pattern "/ptracking"


next

edit 3

set pattern "/get_video_info"

next

end

config content-id

set target youtube-map

set start-str "/"

end

next

end

next


edit "vcache://metacafe/"

set comment "Static entries are not allowed to change except disable."

set host-domain-name-suffix "mccont.com" "akvideos.metacafe.com" "cdn.metacafe.com"

set response-expires enable

config rules

edit "rule1"

set match-mode any

set skip-rule-mode any

config match-entries

edit 1

set pattern "/*.flv"

next
edit 2

set pattern "/*.mp4"

next

edit 3

set pattern "/*.ts"

next

end

config content-id

set start-str "/"

set start-skip 1

end

next

end

next

edit "vcache://facebook/"

set comment "Static entries are not allowed to change except disable."

set host-domain-name-suffix "fbcdn.net" "facebook.com"

set response-expires enable

config rules

edit "rule1"

set match-mode any

set skip-rule-mode any

config match-entries

edit 1

set pattern "/*.flv"

next

edit 2

set pattern "/*.mp4"

next

edit 3

set pattern "/*.ts"

next

end

config content-id

set start-str "/"

set start-skip 1

end

next

end

next

edit "vcache://dailymotion/"

set comment "Static entries are not allowed to change except disable."

set host-domain-name-suffix "dailymotion.com" "dmcdn.net"

set response-expires enable

config rules

edit "rule1"

set match-mode any

config match-entries
edit 1

set pattern "/video/*.mp4"

next

edit 2

set pattern "/video/*.flv"

next

edit 3

set pattern "/video/*.ts"

next

edit 4

set pattern "/video/*.on2"

next


edit 5

set pattern "/video/*.aac"

next

edit 6

set pattern "/video/*.h264"

next

edit 7

set pattern "/video/*.h263"

next

edit 8

set pattern "/sec*.mp4"

next
edit 9

set pattern "/sec*.flv"

next

edit 10

set pattern "/sec*.on2"

next

edit 11

set pattern "/sec*.aac"

next

edit 12

set pattern "/sec*.h264"

next

edit 13

set pattern "/sec*.h263"

next

edit 14

set pattern "*.ts"

next

end

config skip-entries

edit 1

set target parameter

set pattern "start=*"

next

end

config content-id

set start-str "/"

set start-skip 1

end

next

end

next

edit "vcache://break/"

set comment "Static entries are not allowed to change except disable."

set host-domain-name-suffix "break.com" "0ebe.edgecastcdn.net"

set response-expires enable

config rules

edit "rule1"

set match-mode any

config match-entries

edit 1

set pattern "/dnet/media/*.flv"

next

edit 2

set pattern "/dnet/media/*.mp4"

next

end

config skip-entries
edit 1

set target parameter

set pattern "ec_seek=*"

next

end

config content-id

set start-str "/"

set start-skip 1

end

next

edit "rule2"

config match-entries


edit 1

set pattern "/*.mp4*"

next

edit 2

set pattern "*Seg*"

next

edit 3

set pattern "*Frag*"

next

end

config content-id

set start-str "/"


set start-skip 1

end

next

end

next

edit "vcache://msn/"

set comment "Static entries are not allowed to change except disable."

set host-domain-name-suffix "video.msn.com"

set response-expires enable

config rules

edit "rule1"

set match-mode any

set skip-rule-mode any

config match-entries

edit 1

set pattern "/*.flv"

next

edit 2

set pattern "/*.mp4"

next

edit 3

set pattern "/*.ts"

next

end

config content-id

set start-str "/"

set start-skip 1

end

next

end

next

edit "vcache://llnwd/"

set comment "Static entries are not allowed to change except disable."

set host-domain-name-suffix "llnwd.net"

set response-expires enable

config rules

edit "rule1"

set match-mode any

config match-entries

edit 1

set pattern "/*.flv"

next

edit 2

set pattern "/*.mp4"

next

edit 3

set pattern "/*.fll"

next
end

config skip-entries

edit 1

set target parameter

set pattern "fs=*"

next

end

config content-id

set start-str "/"

set start-skip 1

end

next


end

next

edit "vcache://yahoo/"

set comment "Static entries are not allowed to change except disable."

set host-domain-name-suffix "yimg.com"

set response-expires enable

config rules

edit "rule1"

set match-mode any

config match-entries

edit 1

set pattern "/*.flv"


next

edit 2

set pattern "/*.mp4"

next

edit 3

set pattern "/*.m4s"

next

end

config content-id

set target parameter

set start-str "vid="

end

next

end

next

edit "vcache://myspace/"

set comment "Static entries are not allowed to change except disable."

set host-domain-name-suffix "myspacecdn.com"

set request-cache-control enable

set response-cache-control enable

set response-expires enable

config rules

edit "rule1"

set match-mode any



set skip-rule-mode any

config match-entries

edit 1

set pattern "/*.flv"

next

edit 2

set pattern "/*.mp4"

next

edit 3

set pattern "/*.ts"

next

end

config content-id

set start-str "/"

set start-skip 1

end

next

end

next

edit "vcache://vimeo/"

set comment "Static entries are not allowed to change except disable."

set host-domain-name-suffix "vimeo.com" "vimeocdn.com" "56skyfiregce-a.akamaihd.net"

set response-expires enable

config rules
edit "rule1"

set match-mode any

config match-entries

edit 1

set pattern "/*.flv"

next

edit 2

set pattern "/*.mp4"

next

edit 3

set pattern "/*.m4s"

next


end

config content-id

set start-str "/"

set start-skip 1

end

next

end

next

edit "vcache://blip.tv/"

set comment "Static entries are not allowed to change except disable."

set host-domain-name-suffix "blip.tv"

set response-expires enable


config rules

edit "rule1"

set match-mode any

config match-entries

edit 1

set pattern "/*.m4v"

next

edit 2

set pattern "/*.flv"

next

edit 3

set pattern "/*.mp4"

next

edit 4

set pattern "/*.wmv"

next

edit 5

set pattern "/*.rm"

next

edit 6

set pattern "/*.ram"

next

edit 7

set pattern "/*.mov"



next

edit 8

set pattern "/*.avi"

next

end

config skip-entries

edit 1

set target parameter

set pattern "ms=*"

next

end

config content-id

set start-str "/"

set start-skip 1

end

next

end

next

edit "vcache://maker.tv/"

set comment "Static entries are not allowed to change except disable."

set host-domain-name-suffix "videos-f.jwpsrv.com"

set response-expires enable

config rules

edit "rule1"
set match-mode any

config match-entries

edit 1

set pattern "/*.ts"

next

end

config content-id

set start-str "/"

set start-skip 1

end

next

end


next

edit "vcache://aol/"

set comment "Static entries are not allowed to change except disable."

set host-domain-name-suffix "stream.aol.com" "5min.com" "vidiblevod-vh.akamaihd.net" "stg-ec-ore-u.uplynk.com" "vidible.tv"

set response-expires enable

config rules

edit "rule1"

config match-entries

edit 1

set pattern "/*.mp4"

next

end
config skip-entries

edit 1

set target parameter

set pattern "*timeoffset=*"

next

end

config content-id

set start-str "/"

set start-skip 1

end

next

edit "rule2"

config match-entries

edit 1

set pattern "/*.ts"

next

end

config content-id

set start-str "/"

set start-skip 1

end

next

end

next

edit "vcache://clipfish/"

set comment "Static entries are not allowed to change except disable."

set host-domain-name-suffix "clipfish.de" "universal-music.de"

set response-expires enable

config rules

edit "rule1"

set match-mode any

config match-entries

edit 1

set pattern "/*.flv"

next

edit 2

set pattern "/*.f4v"

next

edit 3

set pattern "/*.mp4"

next

edit 4

set pattern "/*.m4v"

next

end

config content-id

set start-str "/"

set start-skip 1
end

next

end

next

edit "vcache://cnn/"

set comment "Static entries are not allowed to change except disable."

set host-domain-name-suffix "cnn-vh.akamaihd.net"

set response-expires enable

config rules

edit "rule1"

config match-entries

edit 1


set pattern "/*.flv*"

next

edit 2

set pattern "*Seg*"

next

edit 3

set pattern "*Frag*"

next

end

config content-id

set start-str "/"

set start-skip 1
end

next

edit "rule2"

config match-entries

edit 1

set pattern "/*.mp4*"

next

edit 2

set pattern "*Seg*"

next

edit 3

set pattern "*Frag*"

next

end

config content-id

set start-str "/"

set start-skip 1

end

next

edit "rule3"

config match-entries

edit 1

set pattern "/*.ts*"

next

edit 2

set pattern "*Seg*"

next

edit 3

set pattern "*Frag*"

next

end

config content-id

set start-str "/"

set start-skip 1

end

next

end

next

edit "vcache://foxnews/"

set comment "Static entries are not allowed to change except disable."

set host-domain-name-suffix "foxnews.com" "foxnews-f.akamaihd.net"

set response-expires enable

config rules

edit "rule1"

config match-entries

edit 1

set pattern "/*.mp4*"

next
edit 2

set target parameter

set pattern "*Seg*"

next

edit 3

set target parameter

set pattern "*Frag*"

next

end

config content-id

set start-str "/"

set start-skip 1


end

next

end

next

edit "vcache://discovery/"

set comment "Static entries are not allowed to change except disable."

set host-domain-name-suffix "discovery.com" "discidevflash-f.akamaihd.net"

set response-expires enable

config rules

edit "rule1"

set match-mode any

set skip-rule-mode any


config match-entries

edit 1

set pattern "/*.flv"

next

edit 2

set pattern "/*.mp4"

next

edit 3

set pattern "/*.ts"

next

end

config content-id

set start-str "/"

set start-skip 1

end

next

end

next

edit "vcache://liveleak/"

set comment "Static entries are not allowed to change except disable."

set host-domain-name-suffix "edge.liveleak.com" "cdn.liveleak.com"

set response-expires enable

config rules

edit "rule1"

config match-entries

edit 1

set pattern "/*.flv"

next

edit 2

set target parameter

set pattern "*seek=0"

next

end

config content-id

set start-str "/"

set start-skip 1

end

next

edit "rule2"

config match-entries

edit 1

set pattern "/*.mp4"

next

edit 2

set target parameter

set pattern "*seek=0"

next

end
config content-id

set start-str "/"

set start-skip 1

end

next

edit "rule3"

config match-entries

edit 1

set pattern "/*.wmv"

next

edit 2

set target parameter


set pattern "*seek=0"

next

end

config content-id

set start-str "/"

set start-skip 1

end

next

end

next

edit "vcache://sevenload/"

set comment "Static entries are not allowed to change except disable."
set host-domain-name-suffix "sevenload.com"

set response-expires enable

config rules

edit "rule1"

set match-mode any

config match-entries

edit 1

set pattern "/*.flv"

next

edit 2

set pattern "/*.mp4"

next

end

config skip-entries

edit 1

set target parameter

set pattern "aktimeoffset=*"

next

end

config content-id

set start-str "/"

set start-skip 1

end

next

end

next

edit "vcache://stupidvideos/"

set comment "Static entries are not allowed to change except disable."

set host-domain-name-suffix "stupidvideos.com"

set response-expires enable

config rules

edit "rule1"

set match-mode any

set skip-rule-mode any

config match-entries

edit 1

set pattern "/*.flv"

next

edit 2

set pattern "/*.mp4"

next

edit 3

set pattern "/*.ts"

next

end

config content-id

set start-str "/"

set start-skip 1
end

next

end

next

edit "vcache://howcast/"

set comment "Static entries are not allowed to change except disable."

set host-domain-name-suffix "media.howcast.com"

set response-expires enable

config rules

edit "rule1"

set match-mode any

config match-entries


edit 1

set pattern "/*.flv"

next

edit 2

set pattern "/*.mp4"

next

end

config skip-entries

edit 1

set target parameter

set pattern "start=*"

next
end

config content-id

set start-str "/"

set start-skip 1

end

next

end

next

edit "vcache://vevo/"

set comment "Static entries are not allowed to change except disable."

set host-domain-name-suffix "vevo.com"

set response-expires enable

config rules

edit "rule1"

set match-mode any

set skip-rule-mode any

config match-entries

edit 1

set pattern "/*.flv"

next

edit 2

set pattern "/*.mp4"

next

edit 3

set pattern "/*.ts"

next

end

config content-id

set start-str "/"

set start-skip 1

end

next

end

next

edit "vcache://redtube/"

set comment "Static entries are not allowed to change except disable."

set host-domain-name-suffix "redtube.com" "redtubefiles.com"

set response-expires enable

config rules

edit "rule1"

set match-mode any

set skip-rule-mode any

config match-entries

edit 1

set pattern "/*.flv"

next

edit 2

set pattern "/*.mp4"


next

edit 3

set pattern "/*.ts"

next

end

config content-id

set start-str "/"

set start-skip 1

end

next

end

next


edit "vcache://xtube/"

set comment "Static entries are not allowed to change except disable."

set host-domain-name-suffix "xtube.com"

set response-expires enable

config rules

edit "rule1"

set match-mode any

config match-entries

edit 1

set pattern "/videos/*.flv"

next

end
config skip-entries

edit 1

set target parameter

set pattern "Thumb*"

next

edit 2

set target parameter

set pattern "av_preview*"

next

end

config content-id

set start-str "/"

set start-skip 1

end

next

edit "rule2"

config match-entries

edit 1

set pattern "/videos/*"

next

edit 2

set target parameter

set pattern "*ms=0"

next

end

config content-id

set start-str "/"

set start-skip 1

end

next

edit "rule3"

config match-entries

edit 1

set pattern "/videos/*"

next

end

config skip-entries

edit 1

set target parameter

set pattern "*ms=*"

next

end

config content-id

set start-str "/"

set start-skip 1

end

next

end
next

edit "vcache://youporn/"

set comment "Static entries are not allowed to change except disable."

set host-domain-name-suffix "youporn.com" "youporn.phncdn.com"

set response-expires enable

config rules

edit "rule1"

set match-mode any

config match-entries

edit 1

set pattern "/*.flv"

next


edit 2

set pattern "/*.mp4"

next

edit 3

set pattern "/*.ts"

next

end

config skip-entries

edit 1

set target parameter

set pattern "*ms=*"

next
end

config content-id

set start-str "/"

set start-skip 1

set start-direction backward

end

next

end

next

edit "vcache://pornhub/"

set comment "Static entries are not allowed to change except disable."

set host-domain-name-suffix "pornhub.com" "pornhub.phncdn.com" "d.rncdn3.com"

set response-expires enable

config rules

edit "rule1"

set match-mode any

set skip-rule-mode any

config match-entries

edit 1

set pattern "/*.flv"

next

edit 2

set pattern "/*.mp4"

next

edit 3

set pattern "/*.ts"

next

end

config skip-entries

edit 1

set target parameter

set pattern "*start=*"

next

edit 2

set target parameter

set pattern "*ms=*"

next

end

config content-id

set start-str "/"

set start-skip 1

set start-direction backward

end

next

end

next

edit "vcache://tube8/"

set comment "Static entries are not allowed to change except disable."
set host-domain-name-suffix "tube8.com" "tube8.phncdn.com"

set response-expires enable

config rules

edit "rule1"

set match-mode any

config match-entries

edit 1

set pattern "/*.flv"

next

edit 2

set pattern "/*.3gp"

next


edit 3

set pattern "/*.mp4"

next

end

config skip-entries

edit 1

set target parameter

set pattern "*start=*"

next

end

config content-id

set start-str "/"


set start-skip 1

set start-direction backward

end

next

end

next

edit "vcache://ooyala/"

set comment "Static entries are not allowed to change except disable."

set host-domain-name-suffix "ooyala.com"

set response-expires enable

config rules

edit "rule1"

config match-entries

edit 1

set pattern "*Seg*"

next

edit 2

set pattern "*Frag*"

next

end

config content-id

set start-str "/"

set start-skip 1

end

next

end

next

edit "vcache://ms-ads/"

set comment "Static entries are not allowed to change except disable."

set host-domain-name-suffix "msads.net"

set response-expires enable

config rules

edit "rule1"

set match-mode any

set skip-rule-mode any

config match-entries

edit 1

set pattern "/*.flv"

next

edit 2

set pattern "/*.mp4"

next

edit 3

set pattern "/*.ts"

next

end

config content-id

set start-str "/"


set start-skip 1

end

next

end

next

edit "vcache://yumenetworks-ads/"

set comment "Static entries are not allowed to change except disable."

set host-domain-name-suffix "yumenetworks.com"

set response-expires enable

config rules

edit "rule1"

set match-mode any


set skip-rule-mode any

config match-entries

edit 1

set pattern "/*.flv"

next

edit 2

set pattern "/*.mp4"

next

edit 3

set pattern "/*.ts"

next

end
config content-id

set start-str "/"

set start-skip 1

end

next

end

next

edit "vcache://2mdn-ads/"

set comment "Static entries are not allowed to change except disable."

set host-domain-name-suffix "2mdn.net"

set response-expires enable

config rules

edit "rule1"

set match-mode any

set skip-rule-mode any

config match-entries

edit 1

set pattern "/*.flv"

next

edit 2

set pattern "/*.mp4"

next

edit 3

set pattern "/*.ts"



next

end

config content-id

set start-str "/"

set start-skip 1

end

next

end

next

edit "vcache://eyewonder-ads/"

set comment "Static entries are not allowed to change except disable."

set host-domain-name-suffix "eyewonder.com"

set response-expires enable

config rules

edit "rule1"

set match-mode any

set skip-rule-mode any

config match-entries

edit 1

set pattern "/*.flv"

next

edit 2

set pattern "/*.mp4"

next
edit 3

set pattern "/*.ts"

next

end

config content-id

set start-str "/"

set start-skip 1

end

next

end

next

edit "vcache://eyereturn-ads/"


set comment "Static entries are not allowed to change except disable."

set host-domain-name-suffix "eyereturn.com"

set response-expires enable

config rules

edit "rule1"

set match-mode any

set skip-rule-mode any

config match-entries

edit 1

set pattern "/*.flv"

next

edit 2
set pattern "/*.mp4"

next

edit 3

set pattern "/*.ts"

next

end

config content-id

set start-str "/"

set start-skip 1

end

next

end

next

edit "vcache://serving-sys-ads/"

set comment "Static entries are not allowed to change except disable."

set host-domain-name-suffix "serving-sys.com"

set response-expires enable

config rules

edit "rule1"

set match-mode any

set skip-rule-mode any

config match-entries

edit 1

set pattern "/*.flv"



next

edit 2

set pattern "/*.mp4"

next

edit 3

set pattern "/*.ts"

next

end

config content-id

set start-str "/"

set start-skip 1

end

next

end

next

edit "vcache://amazonaws-ads/"

set comment "Static entries are not allowed to change except disable."

set host-domain-name-suffix "amazonaws.com"

set response-expires enable

config rules

edit "rule1"

set match-mode any

set skip-rule-mode any

config match-entries
edit 1

set pattern "/*.flv"

next

edit 2

set pattern "/*.mp4"

next

edit 3

set pattern "/*.ts"

next

end

config content-id

set start-str "/"


set start-skip 1

end

next

end

next

edit "vcache://edgesuite-ads/"

set comment "Static entries are not allowed to change except disable."

set host-domain-name-suffix "edgesuite.net"

set response-expires enable

config rules

edit "rule1"

set match-mode any


set skip-rule-mode any

config match-entries

edit 1

set pattern "/*.flv"

next

edit 2

set pattern "/*.mp4"

next

edit 3

set pattern "/*.ts"

next

end

config content-id

set start-str "/"

set start-skip 1

end

next

end

next

edit "vcache://gorillanation-ads/"

set comment "Static entries are not allowed to change except disable."

set host-domain-name-suffix "video.gorillanation.com"

set response-expires enable

config rules

edit "rule1"

set match-mode any

set skip-rule-mode any

config match-entries

edit 1

set pattern "/*.flv"

next

edit 2

set pattern "/*.mp4"

next

edit 3

set pattern "/*.ts"

next

end

config content-id

set start-str "/"

set start-skip 1

end

next

end

next

edit "vcache://youku/"

set comment "Static entries are not allowed to change except disable."

set response-expires enable


config rules

edit "rule1"

config match-entries

edit 1

set pattern "/youku/*.mp4"

next

edit 2

set target parameter

set pattern "*start=0"

next

end

config content-id


set target youku-id

set start-str "/"

set start-skip 1

set start-direction backward

end

next

edit "rule2"

config match-entries

edit 1

set pattern "/youku/*.flv"

next

edit 2
set target parameter

set pattern "*start=0"

next

end

config content-id

set target youku-id

set start-str "/"

set start-skip 1

set start-direction backward

end

next

edit "rule3"

config match-entries

edit 1

set pattern "/youku/*.kux"

next

edit 2

set target parameter

set pattern "*start=0"

next

end

config content-id

set target youku-id

set start-str "/"



set start-skip 1

set start-direction backward

end

next

edit "rule4"

config match-entries

edit 1

set pattern "/youku/*.mp4"

next

end

config skip-entries

edit 1

set target parameter

set pattern "*start=*"

next

end

config content-id

set target youku-id

set start-str "/"

set start-skip 1

set start-direction backward

end

next

edit "rule5"
config match-entries

edit 1

set pattern "/youku/*.flv"

next

end

config skip-entries

edit 1

set target parameter

set pattern "*start=*"

next

end

config content-id


set target youku-id

set start-str "/"

set start-skip 1

set start-direction backward

end

next

edit "rule6"

config match-entries

edit 1

set pattern "/youku/*.kux"

next

end
config skip-entries

edit 1

set target parameter

set pattern "*start=*"

next

end

config content-id

set target youku-id

set start-str "/"

set start-skip 1

set start-direction backward

end

next

end

next

edit "vcache://tudou/"

set comment "Static entries are not allowed to change except disable."

set response-expires enable

config rules

edit "rule1"

config match-entries

edit 1

set pattern "/f4v/*"

next

edit 2

set target parameter

set pattern "*id=tudou*"

next

end

config skip-entries

edit 1

set target parameter

set pattern "*begin=*"

next

end

config content-id

set start-str "/"

set start-skip 1

set start-direction backward

end

next

end

next

edit "vcache://cbc/"

set comment "Static entries are not allowed to change except disable."

set host-domain-name-suffix "cbc.ca" "mobilehls-vh.akamaihd.net"

set response-expires enable

config rules
edit "rule1"

config match-entries

edit 1

set pattern "*.mp4*"

next

edit 2

set pattern "*Seg*"

next

edit 3

set pattern "*Frag*"

next

end


config content-id

set start-str "/"

set start-skip 1

end

next

edit "rule2"

set match-mode any

config match-entries

edit 1

set pattern "*.ts"

next

edit 2
set pattern "*.mp4"

next

end

config content-id

set start-str "/"

set start-skip 1

end

next

end

next

edit "vcache://megaupload/"

set comment "Static entries are not allowed to change except disable."

set host-domain-name-suffix "megaupload.com"

set response-expires enable

config rules

edit "rule1"

config match-entries

edit 1

set pattern "/files/*"

next

end

config content-id

set target referrer

set start-str "d="



set start-skip 2

end

next

end

next

edit "update://windowsupdate/"

set comment "Static entries are not allowed to change except disable."

set host-domain-name-suffix "download.windowsupdate.com"

set request-cache-control enable

set response-cache-control enable

set response-expires enable

set updateserver enable

next

end

config system cluster-sync

end

config system fortiguard

set update-server-location usa

set sdns-server-ip "208.91.112.220"

end

config ips global

end

config system email-server

set server "notification.fortinet.net"


set port 465

set security smtps

end

config system session-helper

edit 1

set name pptp

set protocol 6

set port 1723

next

edit 2

set name h323

set protocol 6


set port 1720

next

edit 3

set name ras

set protocol 17

set port 1719

next

edit 4

set name tns

set protocol 6

set port 1521

next
edit 5

set name tftp

set protocol 17

set port 69

next

edit 6

set name rtsp

set protocol 6

set port 554

next

edit 7

set name rtsp

set protocol 6

set port 7070

next

edit 8

set name rtsp

set protocol 6

set port 8554

next

edit 9

set name ftp

set protocol 6

set port 21

next

edit 10

set name mms

set protocol 6

set port 1863

next

edit 11

set name pmap

set protocol 6

set port 111

next

edit 12

set name pmap

set protocol 17

set port 111

next

edit 13

set name sip

set protocol 17

set port 5060

next

edit 14

set name dns-udp

set protocol 17
set port 53

next

edit 15

set name rsh

set protocol 6

set port 514

next

edit 16

set name rsh

set protocol 6

set port 512

next


edit 17

set name dcerpc

set protocol 6

set port 135

next

edit 18

set name dcerpc

set protocol 17

set port 135

next

edit 19

set name mgcp


set protocol 17

set port 2427

next

edit 20

set name mgcp

set protocol 17

set port 2727

next

end

config system auto-install

set auto-install-config enable

set auto-install-image enable

end

config system ntp

set ntpsync enable

end

config dpdk global

set multiqueue disable

set sleep-on-idle disable

set elasticbuffer disable

set per-session-accounting traffic-log-only

set hugepage-percentage 30

set mbufpool-percentage 25

end

config dpdk cpus

set rx-cpus "0-0"

set vnp-cpus "0-0"

set ips-cpus "0-0"

set tx-cpus "0-0"

end

config system object-tagging

edit "default"

next

end

config switch-controller traffic-policy

edit "quarantine"

set description "Rate control for quarantined traffic"

set guaranteed-bandwidth 163840

set guaranteed-burst 8192

set maximum-burst 163840

set cos-queue 0

next

edit "sniffer"

set description "Rate control for sniffer mirrored traffic"

set guaranteed-bandwidth 50000

set guaranteed-burst 8192

set maximum-burst 163840

set cos-queue 0
next

end

config system settings

set multicast-forward disable

set multicast-ttl-notchange enable

set gui-multicast-policy enable

end

config firewall address

edit "login.microsoftonline.com"

set uuid b5a25452-4971-51ea-483f-a63a1f6b81fd

set type fqdn

set fqdn "login.microsoftonline.com"


next

edit "login.microsoft.com"

set uuid b5a260d2-4971-51ea-bd5e-7bed5f982002

set type fqdn

set fqdn "login.microsoft.com"

next

edit "login.windows.net"

set uuid b5a26b7c-4971-51ea-17b6-1508f56fac34

set type fqdn

set fqdn "login.windows.net"

next

edit "gmail.com"
set uuid b5a2755e-4971-51ea-4168-58e92db927db

set type fqdn

set fqdn "gmail.com"

next

edit "wildcard.google.com"

set uuid b5a28030-4971-51ea-f5f3-2af1dbb28d6b

set type fqdn

set fqdn "*.google.com"

next

edit "all"

set uuid b5afea18-4971-51ea-af8d-6fb4d8409752

next

edit "FIREWALL_AUTH_PORTAL_ADDRESS"

set uuid b5afecca-4971-51ea-6418-4710379e69c6

set visibility disable

next

edit "FABRIC_DEVICE"

set uuid b5afeee6-4971-51ea-0d79-b3c2102e5073

set comment "IPv4 addresses of Fabric Devices."

next

edit "SSLVPN_TUNNEL_ADDR1"

set uuid b5b0aa52-4971-51ea-afeb-81da7d7d15c5

set type iprange

set associated-interface "ssl.root"



set start-ip 10.212.134.200

set end-ip 10.212.134.210

next

edit "2-2-2-20"

set uuid 3cdb9d50-49ab-51ea-e2b3-712ae8e2f394

set subnet 2.2.2.20 255.255.255.255

next

edit "200-200-200-200"

set uuid 48c04f08-49ab-51ea-fea2-33476d52dfb4

set subnet 200.200.200.200 255.255.255.255

next

end

config firewall multicast-address

edit "all"

set start-ip 224.0.0.0

set end-ip 239.255.255.255

next

end

config firewall address6

edit "SSLVPN_TUNNEL_IPv6_ADDR1"

set uuid b5b0ade0-4971-51ea-e2c3-5dbe0e77d794

set ip6 fdff:ffff::/120

next

edit "all"
set uuid b5a2c2ac-4971-51ea-58ad-fc9611861495

next

edit "none"

set uuid b5a2cacc-4971-51ea-afb7-3b81acaf0ec7

set ip6 ::/128

next

end

config firewall multicast-address6

edit "all"

set ip6 ff00::/8

next

end


config firewall addrgrp

edit "G Suite"

set uuid b5a2a27c-4971-51ea-d7d8-9296c7c37cdc

set member "gmail.com" "wildcard.google.com"

next

edit "Microsoft Office 365"

set uuid b5a2b0f0-4971-51ea-b27a-6f57f3527826

set member "login.microsoftonline.com" "login.microsoft.com" "login.windows.net"

next

end

config firewall wildcard-fqdn custom

edit "adobe"
set uuid b5d6c4da-4971-51ea-eb26-750e7b4b0f43

set wildcard-fqdn "*.adobe.com"

next

edit "Adobe Login"

set uuid b5d6c6ba-4971-51ea-ac52-ebb40c3d2608

set wildcard-fqdn "*.adobelogin.com"

next

edit "android"

set uuid b5d6c840-4971-51ea-39bc-4ea681d9afc4

set wildcard-fqdn "*.android.com"

next

edit "apple"

set uuid b5d6c9b2-4971-51ea-822f-ed8a48611d7b

set wildcard-fqdn "*.apple.com"

next

edit "appstore"

set uuid b5d6cb2e-4971-51ea-5547-1f3bdb36265c

set wildcard-fqdn "*.appstore.com"

next

edit "auth.gfx.ms"

set uuid b5d6ccd2-4971-51ea-f284-90d640f68a0a

set wildcard-fqdn "*.auth.gfx.ms"

next

edit "citrix"

set uuid b5d6ce4e-4971-51ea-ac95-d06450c6de46

set wildcard-fqdn "*.citrixonline.com"

next

edit "dropbox.com"

set uuid b5d6cfc0-4971-51ea-95b9-dbc68efbc96c

set wildcard-fqdn "*.dropbox.com"

next

edit "eease"

set uuid b5d6d13c-4971-51ea-da6d-6622a84f1ed3

set wildcard-fqdn "*.eease.com"

next

edit "firefox update server"

set uuid b5d6d2e0-4971-51ea-f49e-593a7eb0a323

set wildcard-fqdn "aus*.mozilla.org"

next

edit "fortinet"

set uuid b5d6d466-4971-51ea-8413-9af73d77a577

set wildcard-fqdn "*.fortinet.com"

next

edit "googleapis.com"

set uuid b5d6d5e2-4971-51ea-d029-27eba9e80766

set wildcard-fqdn "*.googleapis.com"

next

edit "google-drive"
set uuid b5d6d75e-4971-51ea-12d1-089a68109cad

set wildcard-fqdn "*drive.google.com"

next

edit "google-play2"

set uuid b5d6d8da-4971-51ea-b587-d71515e87961

set wildcard-fqdn "*.ggpht.com"

next

edit "google-play3"

set uuid b5d6da88-4971-51ea-5a67-2ca025ad1d75

set wildcard-fqdn "*.books.google.com"

next

edit "Gotomeeting"


set uuid b5d6dc04-4971-51ea-8503-dbfb9df54905

set wildcard-fqdn "*.gotomeeting.com"

next

edit "icloud"

set uuid b5d6dea2-4971-51ea-b695-3805aca769a1

set wildcard-fqdn "*.icloud.com"

next

edit "itunes"

set uuid b5d6e06e-4971-51ea-d17f-d80ba8661b8e

set wildcard-fqdn "*itunes.apple.com"

next

edit "microsoft"
set uuid b5d6e1ea-4971-51ea-b64c-aa2f90fda0e9

set wildcard-fqdn "*.microsoft.com"

next

edit "skype"

set uuid b5d6e370-4971-51ea-e634-7aec574810c1

set wildcard-fqdn "*.messenger.live.com"

next

edit "softwareupdate.vmware.com"

set uuid b5d6e546-4971-51ea-053f-ffdb955bad4a

set wildcard-fqdn "*.softwareupdate.vmware.com"

next

edit "verisign"

set uuid b5d6e74e-4971-51ea-b9cc-abf716045bd5

set wildcard-fqdn "*.verisign.com"

next

edit "Windows update 2"

set uuid b5d6f0b8-4971-51ea-f334-18ede24234aa

set wildcard-fqdn "*.windowsupdate.com"

next

edit "live.com"

set uuid b5d6f28e-4971-51ea-b477-5344ae685b3b

set wildcard-fqdn "*.live.com"

next

edit "google-play"

set uuid b5d6f414-4971-51ea-b03a-83d26073bcd6

set wildcard-fqdn "*play.google.com"

next

edit "update.microsoft.com"

set uuid b5d6f59a-4971-51ea-fdb1-4f2194d5932f

set wildcard-fqdn "*update.microsoft.com"

next

edit "swscan.apple.com"

set uuid b5d6f720-4971-51ea-7977-4c5437465125

set wildcard-fqdn "*swscan.apple.com"

next

edit "autoupdate.opera.com"

set uuid b5d6f8ce-4971-51ea-0869-fe6eb0f9221f

set wildcard-fqdn "*autoupdate.opera.com"

next

end

config firewall service category

edit "General"

set comment "General services."

next

edit "Web Access"

set comment "Web access."

next

edit "File Access"


set comment "File access."

next

edit "Email"

set comment "Email services."

next

edit "Network Services"

set comment "Network services."

next

edit "Authentication"

set comment "Authentication service."

next

edit "Remote Access"


set comment "Remote access."

next

edit "Tunneling"

set comment "Tunneling service."

next

edit "VoIP, Messaging & Other Applications"

set comment "VoIP, messaging, and other applications."

next

edit "Web Proxy"

set comment "Explicit web proxy."

next

end
config firewall service custom

edit "DNS"

set category "Network Services"

set tcp-portrange 53

set udp-portrange 53

next

edit "HTTP"

set category "Web Access"

set tcp-portrange 80

next

edit "HTTPS"

set category "Web Access"

set tcp-portrange 443

next

edit "IMAP"

set category "Email"

set tcp-portrange 143

next

edit "IMAPS"

set category "Email"

set tcp-portrange 993

next

edit "LDAP"

set category "Authentication"



set tcp-portrange 389

next

edit "DCE-RPC"

set category "Remote Access"

set tcp-portrange 135

set udp-portrange 135

next

edit "POP3"

set category "Email"

set tcp-portrange 110

next

edit "POP3S"

set category "Email"

set tcp-portrange 995

next

edit "SAMBA"

set category "File Access"

set tcp-portrange 139

next

edit "SMTP"

set category "Email"

set tcp-portrange 25

next

edit "SMTPS"
set category "Email"

set tcp-portrange 465

next

edit "KERBEROS"

set category "Authentication"

set tcp-portrange 88 464

set udp-portrange 88 464

next

edit "LDAP_UDP"

set category "Authentication"

set udp-portrange 389

next


edit "SMB"

set category "File Access"

set tcp-portrange 445

next

edit "ALL"

set category "General"

set protocol IP

next

edit "ALL_TCP"

set category "General"

set tcp-portrange 1-65535

next
edit "ALL_UDP"

set category "General"

set udp-portrange 1-65535

next

edit "ALL_ICMP"

set category "General"

set protocol ICMP

unset icmptype

next

edit "ALL_ICMP6"

set category "General"

set protocol ICMP6

unset icmptype

next

edit "GRE"

set category "Tunneling"

set protocol IP

set protocol-number 47

next

edit "AH"

set category "Tunneling"

set protocol IP

set protocol-number 51

next

edit "ESP"

set category "Tunneling"

set protocol IP

set protocol-number 50

next

edit "AOL"

set visibility disable

set tcp-portrange 5190-5194

next

edit "BGP"

set category "Network Services"

set tcp-portrange 179

next

edit "DHCP"

set category "Network Services"

set udp-portrange 67-68

next

edit "FINGER"

set visibility disable

set tcp-portrange 79

next

edit "FTP"

set category "File Access"

set tcp-portrange 21
next

edit "FTP_GET"

set category "File Access"

set tcp-portrange 21

next

edit "FTP_PUT"

set category "File Access"

set tcp-portrange 21

next

edit "GOPHER"

set visibility disable

set tcp-portrange 70


next

edit "H323"

set category "VoIP, Messaging & Other Applications"

set tcp-portrange 1720 1503

set udp-portrange 1719

next

edit "IKE"

set category "Tunneling"

set udp-portrange 500 4500

next

edit "Internet-Locator-Service"

set visibility disable


set tcp-portrange 389

next

edit "IRC"

set category "VoIP, Messaging & Other Applications"

set tcp-portrange 6660-6669

next

edit "L2TP"

set category "Tunneling"

set tcp-portrange 1701

set udp-portrange 1701

next

edit "NetMeeting"

set visibility disable

set tcp-portrange 1720

next

edit "NFS"

set category "File Access"

set tcp-portrange 111 2049

set udp-portrange 111 2049

next

edit "NNTP"

set visibility disable

set tcp-portrange 119

next

edit "NTP"

set category "Network Services"

set tcp-portrange 123

set udp-portrange 123

next

edit "OSPF"

set category "Network Services"

set protocol IP

set protocol-number 89

next

edit "PC-Anywhere"

set category "Remote Access"

set tcp-portrange 5631

set udp-portrange 5632

next

edit "PING"

set category "Network Services"

set protocol ICMP

set icmptype 8

unset icmpcode

next

edit "TIMESTAMP"

set protocol ICMP

set visibility disable


set icmptype 13

unset icmpcode

next

edit "INFO_REQUEST"

set protocol ICMP

set visibility disable

set icmptype 15

unset icmpcode

next

edit "INFO_ADDRESS"

set protocol ICMP

set visibility disable


set icmptype 17

unset icmpcode

next

edit "ONC-RPC"

set category "Remote Access"

set tcp-portrange 111

set udp-portrange 111

next

edit "PPTP"

set category "Tunneling"

set tcp-portrange 1723

next
edit "QUAKE"

set visibility disable

set udp-portrange 26000 27000 27910 27960

next

edit "RAUDIO"

set visibility disable

set udp-portrange 7070

next

edit "REXEC"

set visibility disable

set tcp-portrange 512

next

edit "RIP"

set category "Network Services"

set udp-portrange 520

next

edit "RLOGIN"

set visibility disable

set tcp-portrange 513:512-1023

next

edit "RSH"

set visibility disable

set tcp-portrange 514:512-1023

next

edit "SCCP"

set category "VoIP, Messaging & Other Applications"

set tcp-portrange 2000

next

edit "SIP"

set category "VoIP, Messaging & Other Applications"

set tcp-portrange 5060

set udp-portrange 5060

next

edit "SIP-MSNmessenger"

set category "VoIP, Messaging & Other Applications"

set tcp-portrange 1863

next

edit "SNMP"

set category "Network Services"

set tcp-portrange 161-162

set udp-portrange 161-162

next

edit "SSH"

set category "Remote Access"

set tcp-portrange 22

next

edit "SYSLOG"

set category "Network Services"


set udp-portrange 514

next

edit "TALK"

set visibility disable

set udp-portrange 517-518

next

edit "TELNET"

set category "Remote Access"

set tcp-portrange 23

next

edit "TFTP"

set category "File Access"


set udp-portrange 69

next

edit "MGCP"

set visibility disable

set udp-portrange 2427 2727

next

edit "UUCP"

set visibility disable

set tcp-portrange 540

next

edit "VDOLIVE"

set visibility disable


set tcp-portrange 7000-7010

next

edit "WAIS"

set visibility disable

set tcp-portrange 210

next

edit "WINFRAME"

set visibility disable

set tcp-portrange 1494 2598

next

edit "X-WINDOWS"

set category "Remote Access"

set tcp-portrange 6000-6063

next

edit "PING6"

set protocol ICMP6

set visibility disable

set icmptype 128

unset icmpcode

next

edit "MS-SQL"

set category "VoIP, Messaging & Other Applications"

set tcp-portrange 1433 1434

next

edit "MYSQL"

set category "VoIP, Messaging & Other Applications"

set tcp-portrange 3306

next

edit "RDP"

set category "Remote Access"

set tcp-portrange 3389

next

edit "VNC"

set category "Remote Access"

set tcp-portrange 5900

next

edit "DHCP6"

set category "Network Services"

set udp-portrange 546 547

next

edit "SQUID"

set category "Tunneling"

set tcp-portrange 3128

next

edit "SOCKS"

set category "Tunneling"

set tcp-portrange 1080

set udp-portrange 1080


next

edit "WINS"

set category "Remote Access"

set tcp-portrange 1512

set udp-portrange 1512

next

edit "RADIUS"

set category "Authentication"

set udp-portrange 1812 1813

next

edit "RADIUS-OLD"

set visibility disable


set udp-portrange 1645 1646

next

edit "CVSPSERVER"

set visibility disable

set tcp-portrange 2401

set udp-portrange 2401

next

edit "AFS3"

set category "File Access"

set tcp-portrange 7000-7009

set udp-portrange 7000-7009

next
edit "TRACEROUTE"

set category "Network Services"

set udp-portrange 33434-33535

next

edit "RTSP"

set category "VoIP, Messaging & Other Applications"

set tcp-portrange 554 7070 8554

set udp-portrange 554

next

edit "MMS"

set visibility disable

set tcp-portrange 1755

set udp-portrange 1024-5000

next

edit "NONE"

set visibility disable

set tcp-portrange 0

next

edit "webproxy"

set proxy enable

set category "Web Proxy"

set protocol ALL

set tcp-portrange 0-65535:0-65535

next

end

config firewall service group

edit "Email Access"

set member "DNS" "IMAP" "IMAPS" "POP3" "POP3S" "SMTP" "SMTPS"

next

edit "Web Access"

set member "DNS" "HTTP" "HTTPS"

next

edit "Windows AD"

set member "DCE-RPC" "DNS" "KERBEROS" "LDAP" "LDAP_UDP" "SAMBA" "SMB"

next

edit "Exchange Server"

set member "DCE-RPC" "DNS" "HTTPS"

next

end

config vpn certificate ca

end

config vpn certificate local

edit "Fortinet_CA_SSL"

set password ENC


6U+wSf3T7KD5S3lNhTUOJ4w4SKHmeimjC9QWQcPKYXDpaF8pd1li2Ov6GdDtcBc+C2Jrhh0WyNwiM41TC
ogTgvn0Svz4Cl13B+rgW15lgPM9JsnOsZN4+nXpPbKa4zXXd0MkQ50Jv1UqRPMtbsLY5+6iDCkOBcexA192
WgAFVz7j+QpQcUFc3NWFsAha9vRGciIvrQ==

set comments "This is the default CA certificate the SSL Inspection will use when generating new server certificates."

set range global


set source factory

next

edit "Fortinet_CA_Untrusted"

set password ENC


lkHKFmYh3z1FD0Eq0v9d9y1a1JYo2hhzm07GHQRp5DNIWtD5HUfL08SSZ4Pwixv8oxJRaUvNzttpK+ztpKOC
T2geqlkPAUfohcyp2MMu2ypX+72gb1nxdzsaULf+CVBKT94KnWMuRO3IpxE7eQVeHvH9izhsOtU8RzZwlHg
vTdcabmI+BknxXEzKiQhd/ZvsroNjgA==

set comments "This is the default CA certificate the SSL Inspection will use when generating new server certificates."

set range global

set source factory

next

edit "Fortinet_SSL"

set password ENC


0KObyQE4RpstiHLkB09fcwtFR0e+rTD9wd+e2Lh+s8piCPDaPfuutxOCZDdRG7RnLVLAE/t7LcLLrwi31snIvLo
9dvlPZ4kcne+wYGaCt85e1B6EjwCP5JRGUGiagjZbn0lVW7fAAYCpJ3t8bXS7San+IBtcwBcsZueDRdLHUpwO
fX07mcAAKSSgy95IkT7bEbhIMg==

set comments "This certificate is embedded in the hardware at the factory and is unique to this unit. "


set range global

set source factory

next

edit "Fortinet_SSL_RSA1024"

set password ENC


EWsa/1odzsEfSEm0SqdyGn4AGGM460hg0o7y1GfX9UxGeaRinDaWvk53Y3Y1IdXSsDHW+5wVt2l8CpHnU
C/MAwgcE6d0Ko2FSzriEvmulcbMutFe0YC5IrnbTmu9X9HqTMl88ETlDa9Dj7VsOH2CtOdjbn+JBWhk0UP0
QPwBUtbqDRXpjFGNNSBsmdRWbfiTHboFZA==

set comments "This certificate is embedded in the hardware at the factory and is unique to this unit. "
set range global

set source factory

next

edit "Fortinet_SSL_RSA2048"

set password ENC


X7LGNgPrMgmop64x29jEgpyN4gHDMNru+dvUZrLN1whzaAZgT2QH1x/L1qpOKlzB4Kob0oS8CzUQD+XX9
eYFMRJytV7NS/ik8cLuTAM4/qWF/YUmVNnzmn5OPNgucjUcfVcDBQaBxbPP69bopN23bXL8K+LrSbUPFz
Wk9hXedGHFoZa7WYwKT8LHZEkmF4KzsO1t7w==

set comments "This certificate is embedded in the hardware at the factory and is unique to this unit. "

set range global

set source factory

next

edit "Fortinet_SSL_RSA4096"

set password ENC


KmsejqkMWYHfEuJP6C1VMtok4ka3pquMfcWLkrX/xVYNu0doMHsT5Zy0mOPbObrJx9vPiDY9l39l82oFcca
puzGEOHc2H1Fg5inBohI2A2vdHAT03fmEtPynBSKwZgyfZzdKhl7+dQXCIx4QVk16worqria8hFc0xwTzQSPju
SP03E52Ujn6ZlaP4lQWmKKiF8S/VQ==

set comments "This certificate is embedded in the hardware at the factory and is unique to this unit. "

set range global

set source factory

next

edit "Fortinet_SSL_DSA1024"

set password ENC


IDqczS6jK+bWx2R4zXz1yKnFJPeei7uwtePJbJCNSrQ1jBNwIrNxtpQQt7v5cmWi75OkW6FrYtZxKXXCE1mZm
CC0trJps7TYg71PqQQsYXGdshKqD7cWXcqaTM8HY4rgKmZ/If46VvYy89yXiDu6Z7mK1LdX2nPbUYZ0Mnf0
+l3EIJTkhEpLKVTLjDsTa6EJ7nFRjQ==

set comments "This certificate is embedded in the hardware at the factory and is unique to this unit. "
set range global

set source factory

next

edit "Fortinet_SSL_DSA2048"

set password ENC


zvALTYXUBZUFDOITxngYcb1u+AHN7TQ3DTI1MhCU0TZOz6R/HXOYXVXzky+im7lPmt74EPSWKgWyUWKY
xW5ljhLewLOdktKLGO46gI/jYuYGb4CSUCps4/T5WvJHKjCyZxWlbDVmXALxEf2bLpH8eWzDnoG425664jP2
kIIioYicAqM+tm9tDMYxifM+Vwxsy7GWjg==

set comments "This certificate is embedded in the hardware at the factory and is unique to this unit. "

set range global


set source factory

next

edit "Fortinet_SSL_ECDSA256"

set password ENC


z2YPNUoB81u6Y1RuHMFhVJk7glr+A6QW2YBKkL/I5HMfoyHtmXK0SF6N927ndtqL3u5OXb+4NB99kWbdi
dMnNc6ogKiSlE0bOhm3V55Y9cahMWvOG3WXOBl5lCqLLOAZhCo0urDn7xUPdEGvCVqFcyVM673Rk+ukv
23b5CCwhUJwsYXxGdIyxGdPXFxi4MrMxJymAA==

set comments "This certificate is embedded in the hardware at the factory and is unique to this unit. "

set range global

set source factory

next

edit "Fortinet_SSL_ECDSA384"

set password ENC


ojh+LGIM6K+/bYiUESVOb8CvKs2AXqAu5URRmNYfXBU7k/JHab1tpVBwxV68WWrI/zytHOCwKM0gNM9Y
e7xGJpiv+mWYOfGzRAnBQA2mgAEkPAVDvaIotUe/xJky9dkVpBwRe4vMSGn4C/7xNcNXj62nPZ735b8JCP
uyAghMnI1N5ApfaehaLP73OA9zfDunpeTqZw==
set comments "This certificate is embedded in the hardware at the factory and is unique to this unit. "

set range global

set source factory

next

edit "Fortinet_SSL_ECDSA521"

set password ENC


ww9u4ze0aYxv4VuKhrC6PjTkkEirZcm0TSJN406SuEMrlfXJYdtNWqhBqTHpnlM666fWx7T5PHT5o7wMmlu
zcxA9Q+qh4xToTS5yjhGph5MkTGaDc9E4cdGSS7XbBMEGxrim2tz9TEmsZwJkhMyOWcgVEbAUYT3MYszhi
KwNuG7rfkCCzeI8k+CYBhZ+Tj5FRV6zAA==

set comments "This certificate is embedded in the hardware at the factory and is unique to this unit. "

set range global

set source factory

next

edit "Fortinet_SSL_ED25519"

set password ENC


uBRzZ67yA9/dL2rjeyiEqSwDCLpjDJ1GTtb5aDeCw9hCfvULBhy6jSsZb5zIZXmMgWGLefnRXlsG2mZxHnerM
0V0rO97pX7a267QZOeBgKP6J+Xqykwxw0MPeiiKsRbosgxLv+Guc4G+buc3OTvfmK6iajJMnTbtAXWoIeZvv
PV7y6jxmJd1AROMrutVva62pyttZg==

set comments "This certificate is embedded in the hardware at the factory and is unique to this unit. "

set range global

set source factory

next

edit "Fortinet_SSL_ED448"

set password ENC


1jruU13lcQ0RXHQ9goMG95TL+esLn5Y17QFiu0/vOwvzExC03rLHd5633qrvAYs2IBfWqfSWS9KTyL62sjnpq
4GFqrWFxZJG2SACiNieVnrnKCCVLddP/zUMUe6rlM9t7SOCjya3qDYnG9KpEK0CK4HOelTIqwtEvWJWNb+C
Q06CxOrXZBS7wGy2Vg4zjxwaYw/kkg==
set comments "This certificate is embedded in the hardware at the factory and is unique to this unit. "

set range global

set source factory


next

end

config webfilter ftgd-local-cat

edit "custom1"

set id 140

next

edit "custom2"

set id 141

next

end

config ips sensor

edit "default"

set comment "Prevent critical attacks."

config entries

edit 1

set severity medium high critical

next

end

next

edit "sniffer-profile"

set comment "Monitor IPS attacks."


config entries

edit 1

set severity medium high critical

next

end

next

edit "wifi-default"

set comment "Default configuration for offloading WiFi traffic."

config entries

edit 1

set severity medium high critical

next

end

next

edit "all_default"


set comment "All predefined signatures with default setting."

config entries

edit 1

next

end

next

edit "all_default_pass"

set comment "All predefined signatures with PASS action."

config entries
edit 1

set action pass

next

end

next

edit "protect_http_server"

set comment "Protect against HTTP server-side vulnerabilities."

config entries

edit 1

set location server

set protocol HTTP

next

end

next

edit "protect_email_server"

set comment "Protect against email server-side vulnerabilities."

config entries

edit 1

set location server

set protocol SMTP POP3 IMAP

next

end

next

edit "protect_client"

set comment "Protect against client-side vulnerabilities."


config entries

edit 1


set location client

next

end

next

edit "high_security"

set comment "Blocks all Critical/High/Medium and some Low severity vulnerabilities"

set block-malicious-url enable

config entries

edit 1

set severity medium high critical

set status enable

set action block

next

edit 2

set severity low

next

end

next

end

config firewall shaper traffic-shaper

edit "high-priority"

set maximum-bandwidth 1048576


set per-policy enable

next

edit "medium-priority"

set maximum-bandwidth 1048576

set priority medium

set per-policy enable

next

edit "low-priority"

set maximum-bandwidth 1048576

set priority low

set per-policy enable

next

edit "guarantee-100kbps"

set guaranteed-bandwidth 100


set maximum-bandwidth 1048576

set per-policy enable

next

edit "shared-1M-pipe"

set maximum-bandwidth 1024

next

end

config web-proxy global

set proxy-fqdn "default.fqdn"

end
config application list

edit "default"

set comment "Monitor all applications."

config entries

edit 1

set action pass

next

end

next

edit "sniffer-profile"

set comment "Monitor all applications."

unset options

config entries

edit 1

set action pass

next

end

next

edit "wifi-default"

set comment "Default configuration for offloading WiFi traffic."

set deep-app-inspection disable

config entries

edit 1

set action pass

set log disable


next


end

next

edit "block-high-risk"

config entries

edit 1

set category 2 6

next

edit 2

set action pass

next

end

next

end

config dlp filepattern

edit 1

set name "builtin-patterns"

config entries

edit "*.bat"

next

edit "*.com"

next

edit "*.dll"

next
edit "*.doc"

next

edit "*.exe"

next

edit "*.gz"

next

edit "*.hta"

next

edit "*.ppt"

next

edit "*.rar"

next

edit "*.scr"


next

edit "*.tar"

next

edit "*.tgz"

next

edit "*.vb?"

next

edit "*.wps"

next

edit "*.xl?"

next
edit "*.zip"

next

edit "*.pif"

next

edit "*.cpl"

next

end

next

edit 2

set name "all_executables"

config entries

edit "bat"

set filter-type type

set file-type bat

next

edit "exe"

set filter-type type

set file-type exe

next

edit "elf"

set filter-type type

set file-type elf

next

edit "hta"

set filter-type type



set file-type hta

next

end

next

end

config dlp sensitivity

edit "Private"

next

edit "Critical"

next

edit "Warning"

next

end

config dlp sensor

edit "default"

set comment "Default sensor."

next

edit "sniffer-profile"

set comment "Log a summary of email and web traffic."

set summary-proto smtp pop3 imap http-get http-post

next

end

config webfilter ips-urlfilter-setting

end
config webfilter ips-urlfilter-setting6

end

config log threat-weight

config web

edit 1

set category 26

set level high

next

edit 2

set category 61

set level high

next


edit 3

set category 86

set level high

next

edit 4

set category 1

set level medium

next

edit 5

set category 3

set level medium

next
edit 6

set category 4

set level medium

next

edit 7

set category 5

set level medium

next

edit 8

set category 6

set level medium

next

edit 9

set category 12

set level medium

next

edit 10

set category 59

set level medium

next

edit 11

set category 62

set level medium

next

edit 12

set category 83

set level medium

next

edit 13

set category 72

next

edit 14

set category 14

next

end

config application

edit 1

set category 2

next

edit 2

set category 6

set level medium

next

end

end

config icap profile

edit "default"

config icap-headers
edit 1

set name "X-Authenticated-User"

set content "$user"

next

edit 2

set name "X-Authenticated-Groups"

set content "$local_grp"

next

end

next

end

config user local

edit "guest"

set type password

set passwd ENC


Tw9eac6fsWxjF8BJi2sY457Qjosz2wrFD3J82QWhLDu/it1wmZK7Kl+4XM1IVj8hBgFxsbz5DnM2sGDhy0rNP
c+b/epNrO7RZ8NaKUfHNqAhlWqvlvDe77f0jxO1LpynOSrwkOo3g98wJ3Y41PP+wgMIpSz44kSH0+OMofQ
EC08Ikeczmp4Nfaq2IGNBdwvFV0xqAw==

next

end

config user setting

set auth-cert "Fortinet_Factory"

end

config user group

edit "SSO_Guest_Users"
next

edit "Guest-group"

set member "guest"

next

end

config vpn ssl web host-check-software

edit "FortiClient-AV"

set guid "1A0271D5-3D4F-46DB-0C2C-AB37BA90D9F7"

next

edit "FortiClient-FW"

set type fw

set guid "528CB157-D384-4593-AAAA-E42DFF111CED"

next

edit "FortiClient-AV-Vista"

set guid "385618A6-2256-708E-3FB9-7E98B93F91F9"

next

edit "FortiClient-FW-Vista"

set type fw

set guid "006D9983-6839-71D6-14E6-D7AD47ECD682"

next

edit "FortiClient5-AV"

set guid "5EEDDB8C-C27A-6714-3657-DBD811D1F1B7"

next

edit "AVG-Internet-Security-AV"

set guid "17DDD097-36FF-435F-9E1B-52D74245D6BF"


next

edit "AVG-Internet-Security-FW"

set type fw

set guid "8DECF618-9569-4340-B34A-D78D28969B66"

next

edit "AVG-Internet-Security-AV-Vista-Win7"

set guid "0C939084-9E57-CBDB-EA61-0B0C7F62AF82"

next

edit "AVG-Internet-Security-FW-Vista-Win7"

set type fw

set guid "34A811A1-D438-CA83-C13E-A23981B1E8F9"

next

edit "CA-Anti-Virus"

set guid "17CFD1EA-56CF-40B5-A06B-BD3A27397C93"

next

edit "CA-Internet-Security-AV"

set guid "6B98D35F-BB76-41C0-876B-A50645ED099A"

next

edit "CA-Internet-Security-FW"

set type fw

set guid "38102F93-1B6E-4922-90E1-A35D8DC6DAA3"

next

edit "CA-Internet-Security-AV-Vista-Win7"

set guid "3EED0195-0A4B-4EF3-CC4F-4F401BDC245F"


next

edit "CA-Internet-Security-FW-Vista-Win7"

set type fw

set guid "06D680B0-4024-4FAB-E710-E675E50F6324"

next

edit "CA-Personal-Firewall"

set type fw

set guid "14CB4B80-8E52-45EA-905E-67C1267B4160"

next

edit "F-Secure-Internet-Security-AV"

set guid "E7512ED5-4245-4B4D-AF3A-382D3F313F15"

next

edit "F-Secure-Internet-Security-FW"

set type fw

set guid "D4747503-0346-49EB-9262-997542F79BF4"

next

edit "F-Secure-Internet-Security-AV-Vista-Win7"

set guid "15414183-282E-D62C-CA37-EF24860A2F17"

next

edit "F-Secure-Internet-Security-FW-Vista-Win7"

set type fw

set guid "2D7AC0A6-6241-D774-E168-461178D9686C"

next

edit "Kaspersky-AV"
set guid "2C4D4BC6-0793-4956-A9F9-E252435469C0"

next

edit "Kaspersky-FW"

set type fw

set guid "2C4D4BC6-0793-4956-A9F9-E252435469C0"

next

edit "Kaspersky-AV-Vista-Win7"

set guid "AE1D740B-8F0F-D137-211D-873D44B3F4AE"

next

edit "Kaspersky-FW-Vista-Win7"

set type fw

set guid "9626F52E-C560-D06F-0A42-2E08BA60B3D5"

next

edit "McAfee-Internet-Security-Suite-AV"

set guid "84B5EE75-6421-4CDE-A33A-DD43BA9FAD83"

next

edit "McAfee-Internet-Security-Suite-FW"

set type fw

set guid "94894B63-8C7F-4050-BDA4-813CA00DA3E8"

next

edit "McAfee-Internet-Security-Suite-AV-Vista-Win7"

set guid "86355677-4064-3EA7-ABB3-1B136EB04637"

next

edit "McAfee-Internet-Security-Suite-FW-Vista-Win7"

set type fw

set guid "BE0ED752-0A0B-3FFF-80EC-B2269063014C"

next

edit "McAfee-Virus-Scan-Enterprise"

set guid "918A2B0B-2C60-4016-A4AB-E868DEABF7F0"

next

edit "Norton-360-2.0-AV"

set guid "A5F1BC7C-EA33-4247-961C-0217208396C4"

next

edit "Norton-360-2.0-FW"

set type fw

set guid "371C0A40-5A0C-4AD2-A6E5-69C02037FBF3"

next

edit "Norton-360-3.0-AV"

set guid "E10A9785-9598-4754-B552-92431C1C35F8"

next

edit "Norton-360-3.0-FW"

set type fw

set guid "7C21A4C9-F61F-4AC4-B722-A6E19C16F220"

next

edit "Norton-Internet-Security-AV"

set guid "E10A9785-9598-4754-B552-92431C1C35F8"

next

edit "Norton-Internet-Security-FW"
set type fw

set guid "7C21A4C9-F61F-4AC4-B722-A6E19C16F220"

next

edit "Norton-Internet-Security-AV-Vista-Win7"

set guid "88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855"

next

edit "Norton-Internet-Security-FW-Vista-Win7"

set type fw

set guid "B0F2DB13-C654-2E74-30D4-99C9310F0F2E"

next

edit "Symantec-Endpoint-Protection-AV"

set guid "FB06448E-52B8-493A-90F3-E43226D3305C"

next

edit "Symantec-Endpoint-Protection-FW"

set type fw

set guid "BE898FE3-CD0B-4014-85A9-03DB9923DDB6"

next

edit "Symantec-Endpoint-Protection-AV-Vista-Win7"

set guid "88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855"

next

edit "Symantec-Endpoint-Protection-FW-Vista-Win7"

set type fw

set guid "B0F2DB13-C654-2E74-30D4-99C9310F0F2E"

next
edit "Panda-Antivirus+Firewall-2008-AV"

set guid "EEE2D94A-D4C1-421A-AB2C-2CE8FE51747A"

next

edit "Panda-Antivirus+Firewall-2008-FW"

set type fw

set guid "7B090DC0-8905-4BAF-8040-FD98A41C8FB8"

next

edit "Panda-Internet-Security-AV"

set guid "4570FB70-5C9E-47E9-B16C-A3A6A06C4BF0"

next

edit "Panda-Internet-Security-2006~2007-FW"

set type fw

set guid "4570FB70-5C9E-47E9-B16C-A3A6A06C4BF0"

next

edit "Panda-Internet-Security-2008~2009-FW"

set type fw

set guid "7B090DC0-8905-4BAF-8040-FD98A41C8FB8"

next

edit "Sophos-Anti-Virus"

set guid "3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD"

next

edit "Sophos-Enpoint-Secuirty-and-Control-FW"

set type fw

set guid "0786E95E-326A-4524-9691-41EF88FB52EA"


next

edit "Sophos-Enpoint-Secuirty-and-Control-AV-Vista-Win7"

set guid "479CCF92-4960-B3E0-7373-BF453B467D2C"

next

edit "Sophos-Enpoint-Secuirty-and-Control-FW-Vista-Win7"

set type fw

set guid "7FA74EB7-030F-B2B8-582C-1670C5953A57"

next

edit "Trend-Micro-AV"

set guid "7D2296BC-32CC-4519-917E-52E652474AF5"

next

edit "Trend-Micro-FW"

set type fw

set guid "3E790E9E-6A5D-4303-A7F9-185EC20F3EB6"

next

edit "Trend-Micro-AV-Vista-Win7"

set guid "48929DFC-7A52-A34F-8351-C4DBEDBD9C50"

next

edit "Trend-Micro-FW-Vista-Win7"

set type fw

set guid "70A91CD9-303D-A217-A80E-6DEE136EDB2B"

next

edit "ZoneAlarm-AV"

set guid "5D467B10-818C-4CAB-9FF7-6893B5B8F3CF"


next

edit "ZoneAlarm-FW"

set type fw

set guid "829BDA32-94B3-44F4-8446-F8FCFF809F8B"

next

edit "ZoneAlarm-AV-Vista-Win7"

set guid "D61596DF-D219-341C-49B3-AD30538CBC5B"

next

edit "ZoneAlarm-FW-Vista-Win7"

set type fw

set guid "EE2E17FA-9876-3544-62EC-0405AD5FFB20"

next

edit "ESET-Smart-Security-AV"

set guid "19259FAE-8396-A113-46DB-15B0E7DFA289"

next

edit "ESET-Smart-Security-FW"

set type fw

set guid "211E1E8B-C9F9-A04B-6D84-BC85190CE5F2"

next

end

config vpn ssl web portal

edit "full-access"

set tunnel-mode enable

set ipv6-tunnel-mode enable


set web-mode enable

set ip-pools "SSLVPN_TUNNEL_ADDR1"

set ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"

next

end

config vpn ssl settings

set servercert "self-sign"

set port 443

end

config voip profile

edit "default"

set comment "Default VoIP profile."

next

edit "strict"

config sip

set malformed-request-line discard

set malformed-header-via discard

set malformed-header-from discard

set malformed-header-to discard

set malformed-header-call-id discard

set malformed-header-cseq discard

set malformed-header-rack discard

set malformed-header-rseq discard

set malformed-header-contact discard


set malformed-header-record-route discard

set malformed-header-route discard

set malformed-header-expires discard

set malformed-header-content-type discard

set malformed-header-content-length discard

set malformed-header-max-forwards discard

set malformed-header-allow discard

set malformed-header-p-asserted-identity discard

set malformed-header-sdp-v discard

set malformed-header-sdp-o discard

set malformed-header-sdp-s discard

set malformed-header-sdp-i discard

set malformed-header-sdp-c discard

set malformed-header-sdp-b discard

set malformed-header-sdp-z discard

set malformed-header-sdp-k discard

set malformed-header-sdp-a discard

set malformed-header-sdp-t discard

set malformed-header-sdp-r discard

set malformed-header-sdp-m discard

end

next

end

config dnsfilter profile


edit "default"

set comment "Default dns filtering."

config ftgd-dns

config filters

edit 1

set category 2

next

edit 2

set category 7

next

edit 3

set category 8

next

edit 4

set category 9

next

edit 5

set category 11

next

edit 6

set category 12

next

edit 7

set category 13
next

edit 8

set category 14

next

edit 9

set category 15

next

edit 10

set category 16

next

edit 11

next

edit 12

set category 57

next

edit 13

set category 63

next

edit 14

set category 64

next

edit 15

set category 65

next

edit 16

set category 66

next

edit 17

set category 67

next

edit 18

set category 26

set action block

next

edit 19

set category 61

set action block

next

edit 20

set category 86

set action block

next

edit 21

set category 88

set action block

next

edit 22

set category 90
set action block

next

edit 23

set category 91

set action block

next

end

end

set block-botnet enable

next

end

config antivirus settings

set grayware enable

end

config antivirus profile

edit "default"

set comment "Scan files and block viruses."

config http

set options scan

end

config ftp

set options scan

end

config imap
set options scan

set executables virus

end

config pop3

set options scan

set executables virus

end

config smtp

set options scan

set executables virus

end

next

edit "sniffer-profile"

set comment "Scan files and monitor viruses."

config http

set options scan

end

config ftp

set options scan

end

config imap

set options scan

set executables virus

end

config pop3

set options scan

set executables virus

end

config smtp

set options scan

set executables virus

end

next

edit "wifi-default"

set comment "Default configuration for offloading WiFi traffic."

config http

set options scan

end

config ftp

set options scan

end

config imap

set options scan

set executables virus

end

config pop3

set options scan

set executables virus


end

config smtp

set options scan

set executables virus

end

next

end

config webfilter profile

edit "default"

set comment "Default web filtering."

config ftgd-wf

unset options

config filters

edit 1

set action block

next

edit 2

set category 2

set action block

next

edit 3

set category 7

set action block

next
edit 4

set category 8

set action block

next

edit 5

set category 9

set action block

next

edit 6

set category 11

set action block

next

edit 7

set category 12

set action block

next

edit 8

set category 13

set action block

next

edit 9

set category 14

set action block

next

edit 10

set category 15

set action block

next

edit 11

set category 16

set action block

next

edit 12

set category 26

set action block

next

edit 13

set category 57

set action block

next

edit 14

set category 61

set action block

next

edit 15

set category 63

set action block

next
edit 16

set category 64

set action block

next

edit 17

set category 65

set action block

next

edit 18

set category 66

set action block

next

edit 19

set category 67

set action block

next

edit 20

set category 86

set action block

next

edit 21

set category 88

set action block

next
edit 22

set category 90

set action block

next

edit 23

set category 91

set action block

next

end

end

next

edit "sniffer-profile"

set comment "Monitor web traffic."

config ftgd-wf

config filters

edit 1

next

edit 2

set category 1

next

edit 3

set category 2

next

edit 4

set category 3

next

edit 5

set category 4

next

edit 6

set category 5

next

edit 7

set category 6

next

edit 8

set category 7

next

edit 9

set category 8

next

edit 10

set category 9

next

edit 11

set category 11

next

edit 12
set category 12

next

edit 13

set category 13

next

edit 14

set category 14

next

edit 15

set category 15

next

edit 16

set category 16

next

edit 17

set category 17

next

edit 18

set category 18

next

edit 19

set category 19

next

edit 20
set category 20

next

edit 21

set category 23

next

edit 22

set category 24

next

edit 23

set category 25

next

edit 24

set category 26

next

edit 25

set category 28

next

edit 26

set category 29

next

edit 27

set category 30

next

edit 28

set category 31

next

edit 29

set category 33

next

edit 30

set category 34

next

edit 31

set category 35

next

edit 32

set category 36

next

edit 33

set category 37

next

edit 34

set category 38

next

edit 35

set category 39

next

edit 36
set category 40

next

edit 37

set category 41

next

edit 38

set category 42

next

edit 39

set category 43

next

edit 40

set category 44

next

edit 41

set category 46

next

edit 42

set category 47

next

edit 43

set category 48

next

edit 44
set category 49

next

edit 45

set category 50

next

edit 46

set category 51

next

edit 47

set category 52

next

edit 48

set category 53

next

edit 49

set category 54

next

edit 50

set category 55

next

edit 51

set category 56

next

edit 52

set category 57

next

edit 53

set category 58

next

edit 54

set category 59

next

edit 55

set category 61

next

edit 56

set category 62

next

edit 57

set category 63

next

edit 58

set category 64

next

edit 59

set category 65

next

edit 60
set category 66

next

edit 61

set category 67

next

edit 62

set category 68

next

edit 63

set category 69

next

edit 64

set category 70

next

edit 65

set category 71

next

edit 66

set category 72

next

edit 67

set category 75

next

edit 68
set category 76

next

edit 69

set category 77

next

edit 70

set category 78

next

edit 71

set category 79

next

edit 72

set category 80

next

edit 73

set category 81

next

edit 74

set category 82

next

edit 75

set category 83

next

edit 76

set category 84

next

edit 77

set category 85

next

edit 78

set category 86

next

edit 79

set category 87

next

edit 80

set category 88

next

edit 81

set category 89

next

edit 82

set category 90

next

edit 83

set category 91

next

edit 84
set category 92

next

edit 85

set category 93

next

edit 86

set category 94

next

edit 87

set category 95

next

end

end

next

edit "wifi-default"

set comment "Default configuration for offloading WiFi traffic."

set options block-invalid-url

config ftgd-wf

unset options

config filters

edit 1

next

edit 2

set category 2
set action block

next

edit 3

set category 7

set action block

next

edit 4

set category 8

set action block

next

edit 5

set category 9

set action block

next

edit 6

set category 11

set action block

next

edit 7

set category 12

set action block

next

edit 8

set category 13

set action block

next

edit 9

set category 14

set action block

next

edit 10

set category 15

set action block

next

edit 11

set category 16

set action block

next

edit 12

set category 26

set action block

next

edit 13

set category 57

set action block

next

edit 14

set category 61
set action block

next

edit 15

set category 63

set action block

next

edit 16

set category 64

set action block

next

edit 17

set category 65

set action block

next

edit 18

set category 66

set action block

next

edit 19

set category 67

set action block

next

edit 20

set category 86
set action block

next

edit 21

set category 88

set action block

next

edit 22

set category 90

set action block

next

edit 23

set category 91

set action block

next

end

end

next

edit "monitor-all"

set comment "Monitor and log all visited URLs, flow-based."

config ftgd-wf

unset options

config filters

edit 1

set category 1

next

edit 2

set category 3

next

edit 3

set category 4

next

edit 4

set category 5

next

edit 5

set category 6

next

edit 6

set category 12

next

edit 7

set category 59

next

edit 8

set category 62

next

edit 9

set category 83
next

edit 10

set category 2

next

edit 11

set category 7

next

edit 12

set category 8

next

edit 13

set category 9

next

edit 14

set category 11

next

edit 15

set category 13

next

edit 16

set category 14

next

edit 17

set category 15
next

edit 18

set category 16

next

edit 19

set category 57

next

edit 20

set category 63

next

edit 21

set category 64

next

edit 22

set category 65

next

edit 23

set category 66

next

edit 24

set category 67

next

edit 25

set category 19

next

edit 26

set category 24

next

edit 27

set category 25

next

edit 28

set category 72

next

edit 29

set category 75

next

edit 30

set category 76

next

edit 31

set category 26

next

edit 32

set category 61

next

edit 33

set category 86
next

edit 34

set category 17

next

edit 35

set category 18

next

edit 36

set category 20

next

edit 37

set category 23

next

edit 38

set category 28

next

edit 39

set category 29

next

edit 40

set category 30

next

edit 41

set category 33
next

edit 42

set category 34

next

edit 43

set category 35

next

edit 44

set category 36

next

edit 45

set category 37

next

edit 46

set category 38

next

edit 47

set category 39

next

edit 48

set category 40

next

edit 49

set category 42

next

edit 50

set category 44

next

edit 51

set category 46

next

edit 52

set category 47

next

edit 53

set category 48

next

edit 54

set category 54

next

edit 55

set category 55

next

edit 56

set category 58

next

edit 57

set category 68
next

edit 58

set category 69

next

edit 59

set category 70

next

edit 60

set category 71

next

edit 61

set category 77

next

edit 62

set category 78

next

edit 63

set category 79

next

edit 64

set category 80

next

edit 65

set category 82
next

edit 66

set category 85

next

edit 67

set category 87

next

edit 68

set category 31

next

edit 69

set category 41

next

edit 70

set category 43

next

edit 71

set category 49

next

edit 72

set category 50

next

edit 73

set category 51

next

edit 74

set category 52

next

edit 75

set category 53

next

edit 76

set category 56

next

edit 77

set category 81

next

edit 78

set category 84

next

edit 79

next

edit 80

set category 88

next

edit 81

set category 89

next
edit 82

set category 90

next

edit 83

set category 91

next

edit 84

set category 92

next

edit 85

set category 93

next

edit 86

set category 94

next

edit 87

set category 95

next

end

end

set log-all-url enable

set web-content-log disable

set web-filter-activex-log disable

set web-filter-command-block-log disable


set web-filter-cookie-log disable

set web-filter-applet-log disable

set web-filter-jscript-log disable

set web-filter-js-log disable

set web-filter-vbs-log disable

set web-filter-unknown-log disable

set web-filter-referer-log disable

set web-filter-cookie-removal-log disable

set web-url-log disable

set web-invalid-domain-log disable

set web-ftgd-err-log disable

set web-ftgd-quota-usage disable

next

end

config webfilter search-engine

edit "google"

set hostname ".*\\.google\\..*"

set url "^\\/((custom|search|images|videosearch|webhp)\\?)"

set query "q="

set safesearch url

set safesearch-str "&safe=active"

next

edit "yahoo"

set hostname ".*\\.yahoo\\..*"


set url "^\\/search(\\/video|\\/images){0,1}(\\?|;)"

set query "p="

set safesearch url

set safesearch-str "&vm=r"

next

edit "bing"

set hostname ".*\\.bing\\..*"

set url "^(\\/images|\\/videos)?(\\/search|\\/async|\\/asyncv2)\\?"

set query "q="

set safesearch header

next

edit "yandex"

set hostname "yandex\\..*"

set url "^\\/((yand|images\\/|video\\/)(search)|search\\/)\\?"

set query "text="

set safesearch url

set safesearch-str "&family=yes"

next

edit "youtube"

set hostname ".*youtube.*"

set safesearch header

next

edit "baidu"

set hostname ".*\\.baidu\\.com"


set url "^\\/s?\\?"

set query "wd="

next

edit "baidu2"

set hostname ".*\\.baidu\\.com"

set url "^\\/(ns|q|m|i|v)\\?"

set query "word="

next

edit "baidu3"

set hostname "tieba\\.baidu\\.com"

set url "^\\/f\\?"

set query "kw="

next

end

config emailfilter profile

edit "sniffer-profile"

set comment "Malware and phishing URL monitoring."

next

edit "default"

set comment "Malware and phishing URL filtering."

next

end

config report layout

edit "default"
set title "FortiGate System Analysis Report"

set style-theme "default-report"

set options include-table-of-content view-chart-as-heading

config page

set paper letter

set page-break-before heading1

config header

config header-item

edit 1

set type image

set style "header-image"

set img-src "fortinet_logo_small.png"

next

end

end

config footer

config footer-item

edit 1

set style "footer-text"

set content "FortiGate ${schedule_type} Security Report - Host Name: ${hostname}"

next

edit 2

set style "footer-pageno"

next

end

end

end

config body-item

edit 101

set type image

set style "report-cover1"

set img-src "fortigate_log.png"

next

edit 103

set style "report-cover2"

set content "FortiGate ${schedule_type} Security Report"

next

edit 105

set style "report-cover3"

set content "Report Date: ${started_time}"

next

edit 107

set style "report-cover3"

set content "Data Range: ${report_data_range} (${hostname})"

next

edit 109

set style "report-cover3"

set content "${vdom}"


next

edit 111

set type image

set style "report-cover4"

set img-src "fortinet_logo_small.png"

next

edit 121

set type misc

set misc-component page-break

next

edit 301

set text-component heading1

set content "Bandwidth and Applications"

next

edit 311

set type chart

set chart "traffic.bandwidth.history_c"

next

edit 321

set type chart

set chart "traffic.sessions.history_c"

next

edit 331

set type chart


set chart "traffic.statistics"

next

edit 411

set type chart

set chart "traffic.bandwidth.apps_c"

next

edit 421

set type chart

set chart "traffic.bandwidth.cats_c"

next

edit 511

set type chart

set chart "traffic.bandwidth.users_c"

next

edit 521

set type chart

set chart "traffic.users.history.hour_c"

next

edit 611

set type chart

set chart "traffic.bandwidth.destinations_tab"

next

edit 1001

set text-component heading1


set content "Web Usage"

next

edit 1011

set type chart

set chart "web.allowed-request.sites_c"

next

edit 1021

set type chart

set chart "web.bandwidth.sites_c"

next

edit 1031

set type chart

set chart "web.blocked-request.sites_c"

next

edit 1041

set type chart

set chart "web.blocked-request.users_c"

next

edit 1051

set type chart

set chart "web.requests.users_c"

next

edit 1061

set type chart


set chart "web.bandwidth.users_c"

next

edit 1071

set type chart

set chart "web.bandwidth.stream-sites_c"

next

edit 1301

set text-component heading1

set content "Emails"

next

edit 1311

set type chart

set chart "email.request.senders_c"

next

edit 1321

set type chart

set chart "email.bandwidth.senders_c"

next

edit 1331

set type chart

set chart "email.request.recipients_c"

next

edit 1341

set type chart


set chart "email.bandwidth.recipients_c"

next

edit 1501

set text-component heading1

set content "Threats"

next

edit 1511

set type chart

set top-n 80

set chart "virus.count.viruses_c"

next

edit 1531

set type chart

set top-n 80

set chart "virus.count.users_c"

next

edit 1541

set type chart

set top-n 80

set chart "virus.count.sources_c"

next

edit 1551

set type chart

set chart "virus.count.history_c"


next

edit 1561

set type chart

set top-n 80

set chart "botnet.count_c"

next

edit 1571

set type chart

set top-n 80

set chart "botnet.count.users_c"

next

edit 1581

set type chart

set top-n 80

set chart "botnet.count.sources_c"

next

edit 1591

set type chart

set chart "botnet.count.history_c"

next

edit 1601

set type chart

set top-n 80

set chart "attack.count.attacks_c"


next

edit 1611

set type chart

set top-n 80

set chart "attack.count.victims_c"

next

edit 1621

set type chart

set top-n 80

set chart "attack.count.source_bar_c"

next

edit 1631

set type chart

set chart "attack.count.blocked_attacks_c"

next

edit 1641

set type chart

set chart "attack.count.severity_c"

next

edit 1651

set type chart

set chart "attack.count.history_c"

next

edit 1701
set text-component heading1

set content "VPN Usage"

next

edit 1711

set type chart

set top-n 80

set chart "vpn.bandwidth.static-tunnels_c"

next

edit 1721

set type chart

set top-n 80

set chart "vpn.bandwidth.dynamic-tunnels_c"

next

edit 1731

set type chart

set top-n 80

set chart "vpn.bandwidth.ssl-tunnel.users_c"

next

edit 1741

set type chart

set top-n 80

set chart "vpn.bandwidth.ssl-web.users_c"

next

edit 1901

set text-component heading1

set content "Admin Login and System Events"

next

edit 1911

set type chart

set top-n 80

set chart "event.login.summary_c"

next

edit 1931

set type chart

set top-n 80

set chart "event.failed.login_c"

next

edit 1961

set type chart

set top-n 80

set chart "event.system.group_events_c"

next

end

next

end

config wanopt settings

set host-id "default-id"

end
config wanopt profile

edit "default"

set comments "Default WANopt profile."

next

end

config system virtual-wan-link

config health-check

edit "Default_Office_365"

set server "www.office.com"

set protocol http

set interval 1000

set recoverytime 10

config sla

edit 1

set latency-threshold 250

set jitter-threshold 50

set packetloss-threshold 5

next

end

next

edit "Default_Gmail"

set server "gmail.com"

set interval 1000

set recoverytime 10
config sla

edit 1

set latency-threshold 250

set jitter-threshold 50

set packetloss-threshold 2

next

end

next

edit "Default_AWS"

set server "aws.amazon.com"

set protocol http

set interval 1000

set recoverytime 10

config sla

edit 1

set latency-threshold 250

set jitter-threshold 50

set packetloss-threshold 5

next

end

next

edit "Default_Google Search"

set server "www.google.com"

set protocol http


set interval 1000

set recoverytime 10

config sla

edit 1

set latency-threshold 250

set jitter-threshold 50

set packetloss-threshold 5

next

end

next

edit "Default_FortiGuard"

set server "fortiguard.com"

set protocol http

set interval 1000

set recoverytime 10

config sla

edit 1

set latency-threshold 250

set jitter-threshold 50

set packetloss-threshold 5

next

end

next

end
end

config firewall schedule recurring

edit "always"

set day sunday monday tuesday wednesday thursday friday saturday

next

edit "none"

next

edit "default-darrp-optimize"

set start 01:00

set end 01:30

set day sunday monday tuesday wednesday thursday friday saturday

next

end

config firewall profile-protocol-options

edit "default"

set comment "All default services."

config http

set ports 80

unset options

unset post-lang

end

config ftp

set ports 21

set options splice


end

config imap

set ports 143

set options fragmail

end

config mapi

set ports 135

set options fragmail

end

config pop3

set ports 110

set options fragmail

end

config smtp

set ports 25

set options fragmail splice

end

config nntp

set ports 119

set options splice

end

config ssh

unset options

end

config dns

set ports 53

end

config cifs

set ports 445

end

next

end

config firewall ssl-ssh-profile

edit "deep-inspection"

set comment "Read-only deep inspection profile."

config https

set ports 443

set status deep-inspection

end

config ftps

set ports 990

set status deep-inspection

end

config imaps

set ports 993

set status deep-inspection

end

config pop3s
set ports 995

set status deep-inspection

end

config smtps

set ports 465

set status deep-inspection

end

config ssh

set ports 22

set status disable

end

config ssl-exempt

edit 1

set fortiguard-category 31

next

edit 2

set fortiguard-category 33

next

edit 3

set type wildcard-fqdn

set wildcard-fqdn "adobe"

next

edit 4

set type wildcard-fqdn


set wildcard-fqdn "Adobe Login"

next

edit 5

set type wildcard-fqdn

set wildcard-fqdn "android"

next

edit 6

set type wildcard-fqdn

set wildcard-fqdn "apple"

next

edit 7

set type wildcard-fqdn

set wildcard-fqdn "appstore"

next

edit 8

set type wildcard-fqdn

set wildcard-fqdn "auth.gfx.ms"

next

edit 9

set type wildcard-fqdn

set wildcard-fqdn "citrix"

next

edit 10

set type wildcard-fqdn


set wildcard-fqdn "dropbox.com"

next

edit 11

set type wildcard-fqdn

set wildcard-fqdn "eease"

next

edit 12

set type wildcard-fqdn

set wildcard-fqdn "firefox update server"

next

edit 13

set type wildcard-fqdn

set wildcard-fqdn "fortinet"

next

edit 14

set type wildcard-fqdn

set wildcard-fqdn "googleapis.com"

next

edit 15

set type wildcard-fqdn

set wildcard-fqdn "google-drive"

next

edit 16

set type wildcard-fqdn


set wildcard-fqdn "google-play2"

next

edit 17

set type wildcard-fqdn

set wildcard-fqdn "google-play3"

next

edit 18

set type wildcard-fqdn

set wildcard-fqdn "Gotomeeting"

next

edit 19

set type wildcard-fqdn

set wildcard-fqdn "icloud"

next

edit 20

set type wildcard-fqdn

set wildcard-fqdn "itunes"

next

edit 21

set type wildcard-fqdn

set wildcard-fqdn "microsoft"

next

edit 22

set type wildcard-fqdn


set wildcard-fqdn "skype"

next

edit 23

set type wildcard-fqdn

set wildcard-fqdn "softwareupdate.vmware.com"

next

edit 24

set type wildcard-fqdn

set wildcard-fqdn "verisign"

next

edit 25

set type wildcard-fqdn

set wildcard-fqdn "Windows update 2"

next

edit 26

set type wildcard-fqdn

set wildcard-fqdn "live.com"

next

edit 27

set type wildcard-fqdn

set wildcard-fqdn "google-play"

next

edit 28

set type wildcard-fqdn


set wildcard-fqdn "update.microsoft.com"

next

edit 29

set type wildcard-fqdn

set wildcard-fqdn "swscan.apple.com"

next

edit 30

set type wildcard-fqdn

set wildcard-fqdn "autoupdate.opera.com"

next

end

next

edit "custom-deep-inspection"

set comment "Customizable deep inspection profile."

config https

set ports 443

set status deep-inspection

end

config ftps

set ports 990

set status deep-inspection

end

config imaps

set ports 993


set status deep-inspection

end

config pop3s

set ports 995

set status deep-inspection

end

config smtps

set ports 465

set status deep-inspection

end

config ssh

set ports 22

set status disable

end

config ssl-exempt

edit 1

set fortiguard-category 31

next

edit 2

set fortiguard-category 33

next

edit 3

set type wildcard-fqdn

set wildcard-fqdn "adobe"


next

edit 4

set type wildcard-fqdn

set wildcard-fqdn "Adobe Login"

next

edit 5

set type wildcard-fqdn

set wildcard-fqdn "android"

next

edit 6

set type wildcard-fqdn

set wildcard-fqdn "apple"

next

edit 7

set type wildcard-fqdn

set wildcard-fqdn "appstore"

next

edit 8

set type wildcard-fqdn

set wildcard-fqdn "auth.gfx.ms"

next

edit 9

set type wildcard-fqdn

set wildcard-fqdn "citrix"


next

edit 10

set type wildcard-fqdn

set wildcard-fqdn "dropbox.com"

next

edit 11

set type wildcard-fqdn

set wildcard-fqdn "eease"

next

edit 12

set type wildcard-fqdn

set wildcard-fqdn "firefox update server"

next

edit 13

set type wildcard-fqdn

set wildcard-fqdn "fortinet"

next

edit 14

set type wildcard-fqdn

set wildcard-fqdn "googleapis.com"

next

edit 15

set type wildcard-fqdn

set wildcard-fqdn "google-drive"


next

edit 16

set type wildcard-fqdn

set wildcard-fqdn "google-play2"

next

edit 17

set type wildcard-fqdn

set wildcard-fqdn "google-play3"

next

edit 18

set type wildcard-fqdn

set wildcard-fqdn "Gotomeeting"

next

edit 19

set type wildcard-fqdn

set wildcard-fqdn "icloud"

next

edit 20

set type wildcard-fqdn

set wildcard-fqdn "itunes"

next

edit 21

set type wildcard-fqdn

set wildcard-fqdn "microsoft"


next

edit 22

set type wildcard-fqdn

set wildcard-fqdn "skype"

next

edit 23

set type wildcard-fqdn

set wildcard-fqdn "softwareupdate.vmware.com"

next

edit 24

set type wildcard-fqdn

set wildcard-fqdn "verisign"

next

edit 25

set type wildcard-fqdn

set wildcard-fqdn "Windows update 2"

next

edit 26

set type wildcard-fqdn

set wildcard-fqdn "live.com"

next

edit 27

set type wildcard-fqdn

set wildcard-fqdn "google-play"


next

edit 28

set type wildcard-fqdn

set wildcard-fqdn "update.microsoft.com"

next

edit 29

set type wildcard-fqdn

set wildcard-fqdn "swscan.apple.com"

next

edit 30

set type wildcard-fqdn

set wildcard-fqdn "autoupdate.opera.com"

next

end

next

edit "no-inspection"

set comment "Read-only profile that does no inspection."

config https

set status disable

end

config ftps

set status disable

end

config imaps
set status disable

end

config pop3s

set status disable

end

config smtps

set status disable

end

config ssh

set ports 22

set status disable

end

next

edit "certificate-inspection"

set comment "Read-only SSL handshake inspection profile."

config https

set ports 443

set status certificate-inspection

end

config ftps

set status disable

end

config imaps

set status disable


end

config pop3s

set status disable

end

config smtps

set status disable

end

config ssh

set ports 22

set status disable

end

next

end

config waf profile

edit "default"

config signature

config main-class 100000000

set action block

set severity high

end

config main-class 20000000

end

config main-class 30000000

set status enable


set action block

set severity high

end

config main-class 40000000

end

config main-class 50000000

set status enable

set action block

set severity high

end

config main-class 60000000

end

config main-class 70000000

set status enable

set action block

set severity high

end

config main-class 80000000

set status enable

set severity low

end

config main-class 110000000

set status enable

set severity high


end

config main-class 90000000

set status enable

set action block

set severity high

end

set disabled-signature 80080005 80200001 60030001 60120001 80080003 90410001 90410002

end

config constraint

config header-length

set status enable

set log enable

set severity low

end

config content-length

set status enable

set log enable

set severity low

end

config param-length

set status enable

set log enable

set severity low

end
config line-length

set status enable

set log enable

set severity low

end

config url-param-length

set status enable

set log enable

set severity low

end

config version

set log enable

end

config method

set action block

set log enable

end

config hostname

set action block

set log enable

end

config malformed

set log enable

end

config max-cookie

set status enable

set log enable

set severity low

end

config max-header-line

set status enable

set log enable

set severity low

end

config max-url-param

set status enable

set log enable

set severity low

end

config max-range-segment

set status enable

set log enable

set severity high

end

end

next

end

config firewall policy


edit 1

set name "ALLOW-ALL"

set uuid 3b5dc528-4976-51ea-09ea-06f6e4c6cb5e

set srcintf "any"

set dstintf "any"

set srcaddr "all"

set dstaddr "all"

set action accept

set schedule "always"

set service "ALL"

next

end

config firewall multicast-policy

edit 1

set srcintf "any"

set dstintf "any"

set srcaddr "2-2-2-20"

set dstaddr "all"

set snat enable

set snat-ip 200.200.200.200

next

end

config firewall ssh local-key

edit "Fortinet_SSH_RSA2048"
set password ENC

set source built-in

next

edit "Fortinet_SSH_DSA1024"

set password ENC



set source built-in

next

edit "Fortinet_SSH_ECDSA256"

set password ENC



set source built-in

next

edit "Fortinet_SSH_ECDSA384"

set password ENC



set source built-in

next

edit "Fortinet_SSH_ECDSA521"

set password ENC



set source built-in

next

edit "Fortinet_SSH_ED25519"

set password ENC



set source built-in

next

end

config firewall ssh local-ca

edit "Fortinet_SSH_CA"

set password ENC



set source built-in

next

edit "Fortinet_SSH_CA_Untrusted"

set password ENC



set source built-in

next

end
config firewall ssh setting

set caname "Fortinet_SSH_CA"

set untrusted-caname "Fortinet_SSH_CA_Untrusted"

set hostkey-rsa2048 "Fortinet_SSH_RSA2048"

set hostkey-dsa1024 "Fortinet_SSH_DSA1024"

set hostkey-ecdsa256 "Fortinet_SSH_ECDSA256"

set hostkey-ecdsa384 "Fortinet_SSH_ECDSA384"

set hostkey-ecdsa521 "Fortinet_SSH_ECDSA521"

set hostkey-ed25519 "Fortinet_SSH_ED25519"

end

config switch-controller security-policy 802-1X

edit "802-1X-policy-default"

set user-group "SSO_Guest_Users"

set mac-auth-bypass disable

set open-auth disable

set eap-passthru enable

set guest-vlan disable

set auth-fail-vlan disable

set framevid-apply enable

set radius-timeout-overwrite disable

next

end

config switch-controller security-policy local-access

edit "default"
set mgmt-allowaccess https ping ssh

set internal-allowaccess https ping ssh

next

end

config switch-controller lldp-profile

edit "default"

set med-tlvs inventory-management network-policy location-identification

set auto-isl disable

config med-network-policy

edit "voice"

next

edit "voice-signaling"

next

edit "guest-voice"

next

edit "guest-voice-signaling"

next

edit "softphone-voice"

next

edit "video-conferencing"

next

edit "streaming-video"

next

edit "video-signaling"

next
end

config med-location-service

edit "coordinates"

next

edit "address-civic"

next

edit "elin-number"

next

end

next

edit "default-auto-isl"

next

end

config switch-controller qos dot1p-map

edit "voice-dot1p"

set priority-0 queue-4

set priority-1 queue-4

set priority-2 queue-3

set priority-3 queue-2

set priority-4 queue-3

set priority-5 queue-1

set priority-6 queue-2

set priority-7 queue-2

next
end

config switch-controller qos ip-dscp-map

edit "voice-dscp"

config map

edit "1"

set cos-queue 1

set value 46

next

edit "2"

set cos-queue 2

set value 24,26,48,56

next

edit "5"

set cos-queue 3

set value 34

next

end

next

end

config switch-controller qos queue-policy

edit "default"

set schedule round-robin

set rate-by kbps

config cos-queue
edit "queue-0"

next

edit "queue-1"

next

edit "queue-2"

next

edit "queue-3"

next

edit "queue-4"

next

edit "queue-5"

next

edit "queue-6"

next

edit "queue-7"

next

end

next

edit "voice-egress"

set schedule weighted

set rate-by kbps

config cos-queue

edit "queue-0"

next

edit "queue-1"
set weight 0

next

edit "queue-2"

set weight 6

next

edit "queue-3"

set weight 37

next

edit "queue-4"

set weight 12

next

edit "queue-5"

next

edit "queue-6"

next

edit "queue-7"

next

end

next

end

config switch-controller qos qos-policy

edit "default"

next

edit "voice-qos"
set trust-dot1p-map "voice-dot1p"

set trust-ip-dscp-map "voice-dscp"

set queue-policy "voice-egress"

next

end

config switch-controller storm-control-policy

edit "default"

set description "default storm control on all port"

next

edit "auto-config"

set description "storm control policy for fortilink-isl-icl port"

set storm-control-mode disabled

next

end

config switch-controller auto-config policy

edit "default"

next

edit "default-icl"

set poe-status disable

set igmp-flood-report enable

set igmp-flood-traffic enable

next

end

config switch-controller switch-profile


edit "default"

next

end

config switch-controller remote-log

edit "syslogd"

next

edit "syslogd2"

next

end

config wireless-controller setting

set darrp-optimize-schedules "default-darrp-optimize"

end

config wireless-controller wids-profile

edit "default"

set comment "Default WIDS profile."

set ap-scan enable

set wireless-bridge enable

set deauth-broadcast enable

set null-ssid-probe-resp enable

set long-duration-attack enable

set invalid-mac-oui enable

set weak-wep-iv enable

set auth-frame-flood enable

set assoc-frame-flood enable

set spoofed-deauth enable


set asleap-attack enable

set eapol-start-flood enable

set eapol-logoff-flood enable

set eapol-succ-flood enable

set eapol-fail-flood enable

set eapol-pre-succ-flood enable

set eapol-pre-fail-flood enable

next

edit "default-wids-apscan-enabled"

set ap-scan enable

next

end

config wireless-controller wtp-profile

edit "AP-11N-default"

config platform

set type AP-11N

end

set handoff-sta-thresh 30

config radio-1

set band 802.11n,g-only

end

next

edit "FAP112B-default"

config platform
set type 112B

end

set handoff-sta-thresh 30

config radio-1

set band 802.11n,g-only

end

next

edit "FAP220B-default"

config platform

set type 220B

end

set handoff-sta-thresh 30

config radio-1

set band 802.11n-5G

end

config radio-2

set band 802.11n,g-only

end

next

edit "FAP223B-default"

config platform

set type 223B

end

set handoff-sta-thresh 30
config radio-1

set band 802.11n-5G

end

config radio-2

set band 802.11n,g-only

end

next

edit "FAP210B-default"

config platform

set type 210B

end

set handoff-sta-thresh 30

config radio-1

set band 802.11n,g-only

end

next

edit "FAP222B-default"

config platform

set type 222B

end

set handoff-sta-thresh 30

config radio-1

set band 802.11n,g-only

end

config radio-2
set band 802.11n-5G

end

next

edit "FAP320B-default"

config platform

set type 320B

end

set handoff-sta-thresh 30

config radio-1

set band 802.11n-5G

end

config radio-2

set band 802.11n,g-only

end

next

edit "FAP11C-default"

config platform

set type 11C

end

set handoff-sta-thresh 30

config radio-1

set band 802.11n,g-only

end

next
edit "FAP14C-default"

config platform

set type 14C

end

set handoff-sta-thresh 30

config radio-1

set band 802.11n,g-only

end

next

edit "FAP28C-default"

config platform

set type 28C

end

set handoff-sta-thresh 30

config radio-1

set band 802.11n,g-only

end

next

edit "FAP320C-default"

config platform

set type 320C

end

set handoff-sta-thresh 30

config radio-1
set band 802.11n,g-only

end

config radio-2

set band 802.11ac

end

next

edit "FAP221C-default"

config platform

set type 221C

end

set handoff-sta-thresh 30

config radio-1

set band 802.11n,g-only

end

config radio-2

set band 802.11ac

end

next

edit "FAP25D-default"

config platform

set type 25D

end

set handoff-sta-thresh 30

config radio-1

set band 802.11n,g-only


end

next

edit "FAP222C-default"

config platform

set type 222C

end

set handoff-sta-thresh 30

config radio-1

set band 802.11n,g-only

end

config radio-2

set band 802.11ac

end

next

edit "FAP224D-default"

config platform

set type 224D

end

set handoff-sta-thresh 30

config radio-1

set band 802.11n-5G

end

config radio-2

set band 802.11n,g-only


end

next

edit "FK214B-default"

config platform

set type 214B

end

set handoff-sta-thresh 30

config radio-1

set band 802.11n,g-only

end

next

edit "FAP21D-default"

config platform

set type 21D

end

set handoff-sta-thresh 30

config radio-1

set band 802.11n,g-only

end

next

edit "FAP24D-default"

config platform

set type 24D

end
set handoff-sta-thresh 30

config radio-1

set band 802.11n,g-only

end

next

edit "FAP112D-default"

config platform

set type 112D

end

set handoff-sta-thresh 30

config radio-1

set band 802.11n,g-only

end

next

edit "FAP223C-default"

config platform

set type 223C

end

set handoff-sta-thresh 30

config radio-1

set band 802.11n,g-only

end

config radio-2

set band 802.11ac

end

next

edit "FAP321C-default"

config platform

set type 321C

end

set handoff-sta-thresh 30

config radio-1

set band 802.11n,g-only

end

config radio-2

set band 802.11ac

end

next

edit "FAPS321C-default"

config platform

set type S321C

end

set handoff-sta-thresh 30

config radio-1

set band 802.11n,g-only

end

config radio-2

set band 802.11ac

end
next

edit "FAPS322C-default"

config platform

set type S322C

end

set handoff-sta-thresh 30

config radio-1

set band 802.11n,g-only

end

config radio-2

set band 802.11ac

end

next

edit "FAPS323C-default"

config platform

set type S323C

end

set handoff-sta-thresh 30

config radio-1

set band 802.11n,g-only

end

config radio-2

set band 802.11ac

end
next

edit "FAPS311C-default"

config platform

set type S311C

end

set handoff-sta-thresh 30

config radio-1

set band 802.11ac

end

next

edit "FAPS313C-default"

config platform

set type S313C

end

set handoff-sta-thresh 30

config radio-1

set band 802.11ac

end

next

edit "FAPS321CR-default"

config platform

set type S321CR

end

set handoff-sta-thresh 30

config radio-1

set band 802.11n,g-only

end

config radio-2

set band 802.11ac

end

next

edit "FAPS322CR-default"

config platform

set type S322CR

end

set handoff-sta-thresh 30

config radio-1

set band 802.11n,g-only

end

config radio-2

set band 802.11ac

end

next

edit "FAPS323CR-default"

config platform

set type S323CR

end

set handoff-sta-thresh 30
config radio-1

set band 802.11n,g-only

end

config radio-2

set band 802.11ac

end

next

edit "FAPS421E-default"

config platform

set type S421E

end

set handoff-sta-thresh 55

config radio-1

set band 802.11n,g-only

end

config radio-2

set band 802.11ac

end

next

edit "FAPS422E-default"

config platform

set type S422E

end

set handoff-sta-thresh 55
config radio-1

set band 802.11n,g-only

end

config radio-2

set band 802.11ac

end

next

edit "FAPS423E-default"

config platform

set type S423E

end

set handoff-sta-thresh 55

config radio-1

set band 802.11n,g-only

end

config radio-2

set band 802.11ac

end

next

edit "FAP421E-default"

config platform

set type 421E

end

set handoff-sta-thresh 55

config radio-1

set band 802.11n,g-only

end

config radio-2

set band 802.11ac

end

next

edit "FAP423E-default"

config platform

set type 423E

end

set handoff-sta-thresh 55

config radio-1

set band 802.11n,g-only

end

config radio-2

set band 802.11ac

end

next

edit "FAPU421E-default"

config platform

set type U421E

end

set handoff-sta-thresh 30
config radio-1

set band 802.11n,g-only

end

config radio-2

set band 802.11ac

end

next

edit "FAPU422EV-default"

config platform

set type U422EV

end

set handoff-sta-thresh 30

config radio-1

set band 802.11n,g-only

end

config radio-2

set band 802.11ac

end

next

edit "FAPU423E-default"

config platform

set type U423E

end

set handoff-sta-thresh 30
config radio-1

set band 802.11n,g-only

end

config radio-2

set band 802.11ac

end

next

edit "FAP221E-default"

set handoff-sta-thresh 55

config radio-1

set band 802.11n,g-only

end

config radio-2

set band 802.11ac

end

next

edit "FAP222E-default"

config platform

set type 222E

end

set handoff-sta-thresh 55

config radio-1

set band 802.11n,g-only

end

config radio-2

set band 802.11ac

end

next

edit "FAP223E-default"

config platform

set type 223E

end

set handoff-sta-thresh 55

config radio-1

set band 802.11n,g-only

end

config radio-2

set band 802.11ac

end

next

edit "FAP224E-default"

config platform

set type 224E

end

set handoff-sta-thresh 55

config radio-1

set band 802.11n,g-only

end
config radio-2

set band 802.11ac

end

next

edit "FAPS221E-default"

config platform

set type S221E

end

set handoff-sta-thresh 55

config radio-1

set band 802.11n,g-only

end

config radio-2

set band 802.11ac

end

next

edit "FAPS223E-default"

config platform

set type S223E

end

set handoff-sta-thresh 55

config radio-1

set band 802.11n,g-only

end
config radio-2

set band 802.11ac

end

next

edit "FAP321E-default"

config platform

set type 321E

end

set handoff-sta-thresh 55

config radio-1

set band 802.11n,g-only

end

config radio-2

set band 802.11ac

end

next

edit "FAPU221EV-default"

config platform

set type U221EV

end

set handoff-sta-thresh 30

config radio-1

set band 802.11n,g-only

end

config radio-2

set band 802.11ac

end

next

edit "FAPU223EV-default"

config platform

set type U223EV

end

set handoff-sta-thresh 30

config radio-1

set band 802.11n,g-only

end

config radio-2

set band 802.11ac

end

next

edit "FAPU24JEV-default"

config platform

set type U24JEV

end

set handoff-sta-thresh 30

config radio-1

set band 802.11n,g-only

end
config radio-2

set band 802.11ac

end

next

edit "FAPU321EV-default"

config platform

set type U321EV

end

set handoff-sta-thresh 30

config radio-1

set band 802.11n,g-only

end

config radio-2

set band 802.11ac

end

next

edit "FAPU323EV-default"

config platform

set type U323EV

end

set handoff-sta-thresh 30

config radio-1

set band 802.11n,g-only

end
config radio-2

set band 802.11ac

end

next

edit "FAPU431F-default"

config platform

set type U431F

end

set handoff-sta-thresh 30

config radio-1

set band 802.11ax-5G

end

config radio-2

set band 802.11ax-5G

end

config radio-3

set band 802.11n,g-only

end

next

edit "FAPU433F-default"

config platform

set type U433F

end

set handoff-sta-thresh 30

config radio-1

set band 802.11ax-5G

end

config radio-2

set band 802.11ax-5G

end

config radio-3

set band 802.11n,g-only

end

next

end

config wireless-controller utm-profile

edit "wifi-default"

set comment "Default configuration for offloading WiFi traffic."

set ips-sensor "wifi-default"

set application-list "wifi-default"

set antivirus-profile "wifi-default"

set webfilter-profile "wifi-default"

next

end

config log memory setting

set status disable

end

config log disk setting


set status enable

end

config log null-device setting

set status disable

end

config router access-list

edit "ALLOWED-GROUPS"

config rule

edit 1

set prefix 238.3.3.3 255.255.255.255

next

edit 2

set prefix 238.0.0.0 255.0.0.0

next

end

next

edit "ALLOWED-GROUPS`"

next

end

config router rip

config redistribute "connected"

end

config redistribute "static"

end
config redistribute "ospf"

end

config redistribute "bgp"

end

config redistribute "isis"

end

end

config router ripng

config redistribute "connected"

end

config redistribute "static"

end

config redistribute "ospf"

end

config redistribute "bgp"

end

config redistribute "isis"

end

end

config router static

edit 1

set dst 30.30.30.0 255.255.255.0

set gateway 3.3.3.30

set device "port3"


next

end

config router ospf

config redistribute "connected"

end

config redistribute "static"

end

config redistribute "rip"

end

config redistribute "bgp"

end

config redistribute "isis"

end

end

config router ospf6

config redistribute "connected"

end

config redistribute "static"

end

config redistribute "rip"

end

config redistribute "bgp"

end

config redistribute "isis"


end

end

config router bgp

config redistribute "connected"

end

config redistribute "rip"

end

config redistribute "ospf"

end

config redistribute "static"

end

config redistribute "isis"

end

config redistribute6 "connected"

end

config redistribute6 "rip"

end

config redistribute6 "ospf"

end

config redistribute6 "static"

end

config redistribute6 "isis"

end

end
config router isis

config redistribute "connected"

end

config redistribute "rip"

end

config redistribute "ospf"

end

config redistribute "bgp"

end

config redistribute "static"

end

config redistribute6 "connected"

end

config redistribute6 "rip"

end

config redistribute6 "ospf"

end

config redistribute6 "bgp"

end

config redistribute6 "static"

end

end

config router multicast

set multicast-routing enable


config pim-sm-global

config rp-address

edit 1

set ip-address 30.30.30.30

next

end

end

config interface

edit "port2"

set pim-mode sparse-mode

next

edit "port3"

set pim-mode sparse-mode

next

end

end

FortiGate-VM64 #
