Protecting SSL Server uses a server certificate to protect a single server. You can use Protecting SSL Server if you do not want a client on the internet to directly access your internal server, and you want the FortiGate to simulate your real server.

To upload a server certificate into FortiGate and use that certificate in the SSL/SSH inspection profile:

1. Go to System > Certificates.
2. Select Import > Local Certificate and upload the certificate.
3. Go to Security Profiles > SSL/SSH Inspection and edit or create a new profile.
4. For Enable SSL Inspection of, select Protecting SSL Server.
5. For Server Certificate, select the local certificate you imported.
6. Click Apply.

When you apply the Protecting SSL Server profile in a policy, the FortiGate sends the server certificate to the client just as your server does.

Ignoring the AUTH TLS command

If the FortiGate receives an AUTH TLS (PBSZ and PROT) command before receiving plain text traffic from a decrypted device, by default it expects encrypted traffic, determines that the traffic belongs to an abnormal protocol, and bypasses the traffic.
When the ssl-offloaded command is enabled, the AUTH TLS command is ignored and the traffic is treated as plain text rather than encrypted data. SSL decryption and encryption are performed by an external device.
To enable SSL offloading:
    config firewall profile-protocol-options
        edit "test"
            config ftp
                set ssl-offloaded yes
            end
            config imap
                set ssl-offloaded yes
            end
            config pop3
                set ssl-offloaded yes
            end
            config smtp
                set ssl-offloaded yes
            end
        next
    end

FortiOS 6.4.0 Administration Guide
Fortinet Inc.

1030

Netskope Exhibit 1017

Security Profiles

SSH traffic file scanning

FortiGates can buffer, scan, log, or block files sent over SSH traffic (SCP and SFTP) depending on the file size, type, or contents (such as viruses or sensitive content).

This feature is supported in proxy-based inspection mode. It is currently not supported in flow-based inspection mode.

You can configure the following SSH traffic settings in the CLI:
- Protocol options
- Filter profile (SCP block/log options and file filter)
- DLP sensor
- Antivirus (profile and quarantine options)

To configure SSH protocol options:
    config firewall profile-protocol-options
        edit "protocol"
            config ssh
                set options [oversize | clientcomfort | servercomfort]
                set comfort-interval [1 - 900]
                set comfort-amount [1 - 65535]
                set oversize-limit [1 - 798]
                set uncompressed-oversize-limit [0 - 798]
                set uncompressed-nest-limit [2 - 100]
                set scan-bzip2 [enable | disable]
            end
        next
    end

To configure SCP block and log options:
    config ssh-filter profile
        edit "ssh-test"
            set block scp
            set log scp
        next
    end

To configure the SSH file filter:
    config ssh-filter profile
        edit "ssh-test"
            config file-filter
                set status [enable | disable]
                set log [enable | disable]
                set scan-archive-contents [enable | disable]
                config entries
                    edit "1"
                        set comment ''
                        set action [block | log]
                        set direction [incoming | outgoing | any]
                        set password-protected [yes | any]
                        set file-type "msoffice"
                    next
                end
            end
        next
    end

To configure the DLP sensor:
    config dlp sensor
        edit "test"
            set full-archive-proto ssh
            set summary-proto ssh
            config filter
                edit 1
                    set proto ssh
                next
            end
        next
    end

To configure the antivirus profile options:
    config antivirus profile
        edit "av"
            config ssh
                set options [scan | avmonitor | quarantine]
                set archive-block [encrypted | corrupted | partiallycorrupted | multipart | nested | mailbomb | fileslimit | timeout | unhandled]
                set archive-log [encrypted | corrupted | partiallycorrupted | multipart | nested | mailbomb | fileslimit | timeout | unhandled]
                set emulator [enable | disable]
                set outbreak-prevention [disabled | files | full-archive]
            end
        next
    end

To configure the antivirus quarantine options:
    config antivirus quarantine
        set drop-infected ssh
        set store-infected ssh
        set drop-blocked ssh
        set store-blocked ssh
        set drop-heuristic ssh
        set store-heuristic ssh
    end

Sample logs

SCP traffic blocked by ssh-filter profile:
    1: date=2019-07-24 time=10:34:42 logid="1601061010" type="utm" subtype="ssh" eventtype="ssh-channel" level="warning" vd="vdom1" eventtime=1563989682560488314 tz="-0700" policyid=1 sessionid=2693 profile="ssh-test" srcip=10.1.100.11 srcport=33044 dstip=172.16.200.44 dstport=22 srcintf="port1" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" proto=6 action="blocked" direction="outgoing" login="root" channeltype="scp"

SCP traffic blocked by file-filter:
    1: date=2019-07-24 time=10:36:44 logid="1900064000" type="utm" subtype="file-filter" eventtype="file-filter" level="warning" vd="vdom1" eventtime=1563989804387444023 tz="-0700" policyid=1 sessionid=2732 srcip=10.1.100.11 srcport=33048 srcintf="port1" srcintfrole="undefined" dstip=172.16.200.44 dstport=22 dstintf="port3" dstintfrole="undefined" proto=6 service="SSH" subservice="SCP" profile="ssh-test" direction="incoming" action="blocked" filtername="1" filename="test.xls" filesize=13824 filetype="msoffice" msg="File was blocked by file filter."

SFTP traffic blocked by file-filter:
    1: date=2019-07-24 time=10:43:58 logid="1900064000" type="utm" subtype="file-filter" eventtype="file-filter" level="warning" vd="vdom1" eventtime=1563990238339440605 tz="-0700" policyid=1 sessionid=2849 srcip=10.1.100.11 srcport=33056 srcintf="port1" srcintfrole="undefined" dstip=172.16.200.44 dstport=22 dstintf="port3" dstintfrole="undefined" proto=6 service="SSH" subservice="SFTP" profile="ssh-test" direction="incoming" action="blocked" filtername="1" filename="test.xls" filesize=13824 filetype="msoffice" msg="File was blocked by file filter."

SCP traffic blocked by dlp sensor:
    1: date=2019-07-24 time=10:42:42 logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="vdom1" eventtime=1563990162266253784 tz="-0700" filteridx=1 filtername="test" dlpextra="builtin-patterns" filtertype="file-type" filtercat="file" severity="medium" policyid=1 sessionid=2838 epoch=1425775843 eventid=0 srcip=10.1.100.11 srcport=33054 srcintf="port1" srcintfrole="undefined" dstip=172.16.200.44 dstport=22 dstintf="port3" dstintfrole="undefined" proto=6 service="SSH" subservice="SFTP" filetype="msoffice" direction="incoming" action="block" filename="test.xls" filesize=13824 profile="test"

SFTP traffic blocked by dlp sensor:
    1: date=2019-07-24 time=10:41:23 logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="vdom1" eventtime=1563990083875731367 tz="-0700" filteridx=1 filtername="test" dlpextra="builtin-patterns" filtertype="file-type" filtercat="file" severity="medium" policyid=1 sessionid=2809 epoch=1425775842 eventid=0 srcip=10.1.100.11 srcport=33052 srcintf="port1" srcintfrole="undefined" dstip=172.16.200.44 dstport=22 dstintf="port3" dstintfrole="undefined" proto=6 service="SSH" subservice="SCP" filetype="msoffice" direction="incoming" action="block" filename="test.xls" filesize=13824 profile="test"

SCP traffic blocked by antivirus profile:
    1: date=2019-07-24 time=10:45:57 logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" vd="vdom1" eventtime=1563990357330463670 tz="-0700" msg="File is infected." action="blocked" service="SSH" subservice="SCP" sessionid=2875 srcip=10.1.100.11 dstip=172.16.200.44 srcport=33064 dstport=22 srcintf="port1" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" policyid=1 proto=6 direction="incoming" filename="eicar.exe" checksum="53badd68" quarskip="No-skip" virus="EICAR_TEST_FILE" dtype="Virus" ref="http://www.fortinet.com/ve?vn=EICAR_TEST_FILE" virusid=2172 profile="av" analyticscksum="7fc2dfc5a2247d743556ef59abe3e03569a6241e2b1e44b9614fc764847fb637" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"

SFTP traffic blocked by antivirus profile:
    2: date=2019-07-24 time=10:45:46 logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" vd="vdom1" eventtime=1563990346334781409 tz="-0700" msg="File is infected." action="blocked" service="SSH" subservice="SFTP" sessionid=2874 srcip=10.1.100.11 dstip=172.16.200.44 srcport=33062 dstport=22 srcintf="port1" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" policyid=1 proto=6 direction="incoming" filename="eicar.exe" checksum="53badd68" quarskip="No-skip" virus="EICAR_TEST_FILE" dtype="Virus" ref="http://www.fortinet.com/ve?vn=EICAR_TEST_FILE" virusid=2172 profile="av" analyticscksum="7fc2dfc5a2247d743556ef59abe3e03569a6241e2b1e44b9614fc764847fb637" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"

Antivirus quarantine list triggered by infected files sent over SCP/SFTP:
    CHECKSUM  SIZE   FIRST-TIMESTAMP   LAST-TIMESTAMP    SERVICE  STATUS    FILENAME     DESCRIPTION        DC  TTL
    53badd68  12939  2019-07-24 10:45  2019-07-24 10:45  SSH      Infected  'eicar.exe'  'EICAR_TEST_FILE'  1   FOREVER

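A parser for the key=value record format of the sample logs above, with a detection summary run over them. This is an added example, not code from the guide or from Fortinet: SAMPLE_LOGS are the page's sample records trimmed to the fields the summary needs, and parse_fortios_log, is_blocked_ssh_transfer, ssh_block_summary and blocked_files are the example's own names.

```python
"""Parse the FortiOS key=value log format of the sample logs above and
summarise which SSH file transfers the security profiles blocked.

Added example, not FortiOS code. SAMPLE_LOGS are the page's sample records
trimmed to the fields the summary needs; the parser itself is generic to
the key=value format (quoted values may contain spaces)."""
import re
from collections import Counter

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare
SSH_SCAN_SUBTYPES = {"ssh", "file-filter", "dlp", "virus"}  # subtypes shown on this page

SAMPLE_LOGS = [
    '1: logid="1601061010" type="utm" subtype="ssh" eventtype="ssh-channel" policyid=1 '
    'sessionid=2693 profile="ssh-test" srcip=10.1.100.11 dstip=172.16.200.44 dstport=22 '
    'proto=6 action="blocked" direction="outgoing" login="root" channeltype="scp"',
    '1: logid="1900064000" type="utm" subtype="file-filter" policyid=1 sessionid=2732 '
    'srcip=10.1.100.11 dstip=172.16.200.44 dstport=22 proto=6 service="SSH" subservice="SCP" '
    'profile="ssh-test" action="blocked" filename="test.xls" filesize=13824 '
    'filetype="msoffice" msg="File was blocked by file filter."',
    '1: logid="1900064000" type="utm" subtype="file-filter" policyid=1 sessionid=2849 '
    'srcip=10.1.100.11 dstip=172.16.200.44 dstport=22 proto=6 service="SSH" subservice="SFTP" '
    'profile="ssh-test" action="blocked" filename="test.xls" filesize=13824 '
    'filetype="msoffice" msg="File was blocked by file filter."',
    '1: logid="0954024576" type="utm" subtype="dlp" filtername="test" policyid=1 '
    'sessionid=2838 srcip=10.1.100.11 dstip=172.16.200.44 dstport=22 proto=6 service="SSH" '
    'subservice="SFTP" filetype="msoffice" action="block" filename="test.xls" profile="test"',
    '1: logid="0954024576" type="utm" subtype="dlp" filtername="test" policyid=1 '
    'sessionid=2809 srcip=10.1.100.11 dstip=172.16.200.44 dstport=22 proto=6 service="SSH" '
    'subservice="SCP" filetype="msoffice" action="block" filename="test.xls" profile="test"',
    '1: logid="0211008192" type="utm" subtype="virus" eventtype="infected" '
    'msg="File is infected." action="blocked" service="SSH" subservice="SCP" sessionid=2875 '
    'srcip=10.1.100.11 dstip=172.16.200.44 dstport=22 policyid=1 proto=6 '
    'filename="eicar.exe" checksum="53badd68" virus="EICAR_TEST_FILE" profile="av"',
    '2: logid="0211008192" type="utm" subtype="virus" eventtype="infected" '
    'msg="File is infected." action="blocked" service="SSH" subservice="SFTP" sessionid=2874 '
    'srcip=10.1.100.11 dstip=172.16.200.44 dstport=22 policyid=1 proto=6 '
    'filename="eicar.exe" checksum="53badd68" virus="EICAR_TEST_FILE" profile="av"',
]


def parse_fortios_log(line: str) -> dict:
    """Fields of one record as a dict of strings; the leading "N: " record
    counter printed by the CLI is dropped."""
    line = re.sub(r"^\d+:\s*", "", line.strip())
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


def is_blocked_ssh_transfer(rec: dict) -> bool:
    """True when a UTM record reports a blocked SCP/SFTP transfer. A detection
    rule has to absorb the inconsistencies: ssh, file-filter and virus records
    say action="blocked" but dlp says action="block", and the ssh-filter
    channel record carries channeltype instead of service/subservice."""
    if rec.get("type") != "utm" or rec.get("subtype") not in SSH_SCAN_SUBTYPES:
        return False
    if rec.get("action") not in ("blocked", "block"):
        return False
    if "service" in rec:
        return rec["service"] == "SSH"
    return rec.get("channeltype", "").lower() in ("scp", "sftp")


def ssh_block_summary(lines) -> Counter:
    """Count blocked transfers by (subtype, SCP|SFTP)."""
    counts = Counter()
    for raw in lines:
        rec = parse_fortios_log(raw)
        if is_blocked_ssh_transfer(rec):
            sub = rec.get("subservice") or rec["channeltype"].upper()
            counts[(rec["subtype"], sub)] += 1
    return counts


def blocked_files(lines) -> list:
    """Sorted (filename, subtype, SCP|SFTP) triples for records naming a file."""
    seen = set()
    for raw in lines:
        rec = parse_fortios_log(raw)
        if is_blocked_ssh_transfer(rec) and "filename" in rec:
            seen.add((rec["filename"], rec["subtype"], rec["subservice"]))
    return sorted(seen)


if __name__ == "__main__":
    for key, n in sorted(ssh_block_summary(SAMPLE_LOGS).items()):
        print(f"{key[0]:<12} {key[1]:<5} {n}")
```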
Redirect to WAD after handshake completion

In a proxy-based policy, the TCP connection is proxied by the FortiGate. A TCP 3-way handshake can be established with the client even though the server did not complete the handshake.
This option uses IPS to handle the initial TCP 3-way handshake. It rebuilds the sockets and redirects the session back to proxy only when the handshake with the server is established.

To enable proxy after a TCP handshake in an SSL/SSH profile:
    config firewall ssl-ssh-profile
        edit "test"
            config https
                set ports 443
                set status certificate-inspection
                set proxy-after-tcp-handshake enable
            end
            .....
        next
    end

To enable proxy after a TCP handshake in protocol options:
    config firewall profile-protocol-options
        edit "test"
            config http
                set ports 80
                set proxy-after-tcp-handshake enable
                unset options
                unset post-lang
            end
            ....
        next
    end

Custom signatures

You can create the following custom signatures and apply them to firewall policies:
- IPS signature
- Application signature
- Application group
The following topic provides information about custom signatures:
- Application groups in policies on page 1035

Application groups in policies

This feature provides an application group command for firewall shaping policies.
The following CLI command is used:
    config firewall shaping-policy
        edit 1
            set app-group <application group>...
            ......
        next
    end

Example

In this example, there are two traffic shaping policies:
- Policy 1 is for traffic related to cloud applications and has high priority.
- Policy 2 is for other traffic and has low priority.

To create the shaping policies using the GUI:

1. Configure an application group for cloud applications:
   a. Go to Security Profiles > Application Signatures.
   b. Click Create New > Application Group. The New Application Group page opens.
   c. Enter a name for the group, select the type, and then add the group members.
   d. Click OK.
2. Create the shaping policy for the high priority cloud application traffic:
   a. Go to Policy & Objects > Traffic Shaping Policy.
   b. Click Create New. The New Shaping Policy page opens.
   c. Configure the shaping policy, selecting the previously created cloud application group, and setting both the Shared shaper and Reverse shaper to high-priority.
   d. Click OK.

At least one firewall policy must have application control enabled for the applications to match any policy traffic.

3. Create the shaping policy for all other traffic, setting both the Shared shaper and Reverse shaper to low-priority.

To create the shaping policies using the CLI:

1. Configure an application group for cloud applications:
    config application group
        edit "cloud app group"
            set application 27210 36740 35944 24467 33048
        next
    end
2. Create the shaping policies for the high priority cloud application traffic and the other, low priority traffic:
    config firewall shaping-policy
        edit 1
            set name "For Cloud Traffic"
            set service "ALL"
            set app-category 30
            set app-group "cloud app group"
            set dstintf "port1"
            set traffic-shaper "high-priority"
            set traffic-shaper-reverse "high-priority"
            set srcaddr "all"
            set dstaddr "all"
        next
        edit 2
            set name "For Other Traffic"
            set service "ALL"
            set dstintf "port1"
            set traffic-shaper "low-priority"
            set traffic-shaper-reverse "low-priority"
            set srcaddr "all"
            set dstaddr "all"
        next
    end

Overrides

Web filter configuration can be separated into profile configuration and profile overrides.
You can also override web filter behavior based on the FortiGuard website categorization:
- Use alternate categories (web rating overrides): this method manually assigns a specific website to a different Fortinet category or a locally-created category.
- Use alternate profiles: configured users or IP addresses can use an alternative web filter profile when attempting to access blocked websites.

Some features of this functionality require a subscription to FortiGuard Web Filtering.

The following topics provide information about web overrides:
- Web rating override on page 1038
- Web profile override on page 1041

Web rating override

Web rating override requires a FortiGuard license.
This option lets you categorize websites by different criteria. Even for the same criterion, an organization might want to block most websites in a category while allowing access to specific URLs in that category.

For example, a website called example.com is in the subcategory of pornography and the organization uses FortiGuard Web Filter to block access to sites in the category of pornography. However, in this example, example.com is a client and that website is for artists that specialize in nudes and erotic images. In this example, there are two approaches. The first is to use the web rating override function to assign example.com to the nudity and risque category instead of the pornography category, to match the criteria that the organization goes by. The second approach is to assign the website to a custom category that is not blocked, because the website belongs to a client and staff need to access that website.
Another example, from the reverse perspective, is a school that decides a website specializing in selling books online should not be accessible because it sells books with violent subject matter. Fortinet categorizes this website,
example2.com, as General Interest - Business with the subcategory of Shopping and Auction, which is a category that is allowed. In this example, the school can reassign this website to the category Adult Material, which is a blocked category.
You can assign a website to a built-in category or a custom category.

Create a local custom category

You can create a custom or local category and assign a URL to it.

To create a custom category in the GUI:

1. Go to Security Profiles > Web Rating Overrides and click Custom Categories.
2. In the Custom Categories pane, click Create New.
3. Enter the category Name, for example, mylocalcategory.
4. Click OK.
The custom category appears in Web Filter under Local Categories, where you can change the Action for that category.

To create a custom category in the CLI:
    config webfilter ftgd-local-cat
        edit "custom1"
            set id 140
        next
        edit "custom2"
            set id 141
        next
        edit "mylocalcategory"    <<---- the name of the category you created
            set id 142            <<---- the id for this category in the Web Filter profile
        next
    end

To change the action to block for a custom category in the CLI:
    config webfilter profile
        edit "webfilter"
            config ftgd-wf
                unset options
                config filters
                    edit 142                <<---- this is the id of the local category
                        set action block    <<---- set the action to block
                    next
                end
            end
        next
    end

Override URL category

You can override a URL to another category or to a custom category. This example shows overriding www.fortinet.com to the custom category mylocalcategory.

To override a URL category in the GUI:

1. Go to Security Profiles > Web Rating Overrides and click Create New.
2. In the New Web Rating Overrides pane, enter the URL you want to re-categorize.
3. To view the URL's current rating, click Lookup Rating.
4. In the Override to section:
   a. For Category, select Custom Categories.
   b. For Sub-Category, select mylocalcategory.
5. Click OK.
The URL www.fortinet.com now belongs to the mylocalcategory category.

To override a URL category in the CLI:
    config webfilter ftgd-local-rating
        edit "www.fortinet.com"
            set rating 142    <<---- this is the id of mylocalcategory
        next
    end

Web profile override

You can use the following profile override methods:
- Administrative override
- Allow users to override blocked categories

Administrative override

Administrators can grant temporary access to sites that are otherwise blocked by a web filter profile. You can grant temporary access to a user, user group, or source IP address. You can set the time limit in days, hours, or minutes. The default is 15 minutes.
When the administrative web profile override is enabled, a blocked access page or replacement message does not appear, and authentication is not required.

Scope range

You can choose one of the following scope ranges:
- User: authentication for permission to override is based on whether or not the user is using a specific user account.
- User group: authentication for permission to override is based on whether or not the user account supplied as a credential is a member of the specified user group.
- Source IP: authentication for permission to override is based on the IP address of the computer that was used to authenticate. This would be used for computers that have multiple users. For example, if a user logs on to the computer, engages the override by using their credentials, and then logs off, anyone who logs on with an account on that computer would be using the alternate override web filter profile.

When you enter an IP address in the administrative override method, only individual IP addresses are allowed.

Differences between IP and identity-based scope

Using the IP scope does not require using an identity-based policy.
When using the administrative override method and IP scope, you might not see a warning message when you change from using the original web filter profile to using the alternate profile. There is no requirement for credentials from the user, so if allowed, the page will just appear in the browser.

Example of configuring a web profile administrative override

This example describes how to override a webfilter profile with a webfilter_new profile.

To configure web profile administrative override using the GUI:

1. Go to Security Profiles > Web Profile Overrides.
2. Click Create New. The New Administrative Override pane opens.
3. Configure the administrative override:
   a. For Scope Range, click Source IP.
   b. In the Source IP field, enter the IP address for the client computer (10.1.100.11 in this example).
   c. In the Original Profile dropdown, select webfilter.
   d. In the New Profile dropdown, select webfilter_new.
   In the Minutes field, the default 15 minutes appears, which is the desired duration for this example.
4. Click OK. The list of web profile overrides appears. The actual expiration time displays instead of the number of minutes.

To configure web profile administrative override using the CLI:
    config webfilter override
        edit 1
            set status enable
            set scope ip
            set old-profile "webfilter"
            set new-profile "webfilter_new"
            set expires 2019/04/10 14:33:00
            set initiator "admin"
            set ip 10.1.100.11
        next
    end

Allow users to override blocked categories

For both override methods, the scope ranges (for specified users, user groups, or IP addresses) allow sites blocked by web filtering profiles to be overridden for a specified length of time.
But there is a difference between the override methods when the users or user group scope ranges are selected. In both cases, you need to apply the user or user group as the source in the firewall policy. With administrative override, if you do not apply the source in the firewall policy, the traffic will not match the override and will be blocked by the original profile. With Allow users to override blocked categories, the traffic will also be blocked, but instead of displaying a blocking page, the following message appears:

When you choose the user group scope, once one user overrides, it affects the other users in the group when they attempt to override. For example, user1 and user2 both belong to the local_user group. Once user1 successfully overrides, this generates an override entry for the local_user group instead of one specific user. This means that if user2 logs in from another PC, they can override transparently.

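The rating override and profile override mechanics described in this section, modelled together as an added example in Python (not FortiOS code or the guide's own). It takes the category id 142 (mylocalcategory), the www.fortinet.com re-rating and the scope ip override entry from the CLI examples on this page; the FortiGuard ratings, the profiles' filter tables and the "user" and "user-group" scope keywords are assumptions of the example.

```python
"""Model of the two web filter override layers in this section: rating
overrides (ftgd-local-cat / ftgd-local-rating) change the category a URL is
rated as, and profile overrides (config webfilter override) swap the whole
profile for a user, user group or source IP until an expiry time.

Added example, not FortiOS code. Category id 142 (mylocalcategory), the
www.fortinet.com re-rating and the scope ip override entry come from the
page's CLI; the FortiGuard ratings (ids 9xx are placeholders), the profiles'
filter tables and the "user" / "user-group" scope keywords are assumptions."""
from dataclasses import dataclass
from datetime import datetime

EXPIRES_FMT = "%Y/%m/%d %H:%M:%S"            # format of 'set expires' on this page

LOCAL_RATINGS = {"www.fortinet.com": 142}    # config webfilter ftgd-local-rating
FTGD_RATINGS = {"www.fortinet.com": 901, "example.com": 902}   # constructed stand-in

# category id -> action per profile; ids not listed fall through to "allow"
PROFILES = {
    "webfilter": {142: "block", 902: "block"},   # blocks mylocalcategory, as in the page's CLI
    "webfilter_new": {902: "block"},             # constructed: lets mylocalcategory through
}


@dataclass
class Override:
    """One 'config webfilter override' entry."""
    status: str
    scope: str            # "ip", "user" or "user-group"
    old_profile: str
    new_profile: str
    expires: str          # EXPIRES_FMT
    ip: str = ""
    user: str = ""
    user_group: str = ""


# The administrative override from the page's CLI example
ADMIN_OVERRIDE = Override("enable", "ip", "webfilter", "webfilter_new",
                          "2019/04/10 14:33:00", ip="10.1.100.11")


@dataclass
class Request:
    host: str
    srcip: str
    user: str = ""
    groups: tuple = ()
    profile: str = "webfilter"   # profile the matching firewall policy applies


def _ts(s: str) -> datetime:
    return datetime.strptime(s, EXPIRES_FMT)


def override_matches(o: Override, r: Request, now: str) -> bool:
    """An entry applies only while enabled, unexpired and for the profile it replaces."""
    if o.status != "enable" or _ts(now) >= _ts(o.expires) or o.old_profile != r.profile:
        return False
    if o.scope == "ip":
        return o.ip == r.srcip
    if o.scope == "user":
        return o.user == r.user
    if o.scope == "user-group":
        # one entry for the whole group: user2 is covered by the entry user1's override created
        return o.user_group in r.groups
    return False


def effective_profile(r: Request, overrides, now: str) -> str:
    for o in overrides:
        if override_matches(o, r, now):
            return o.new_profile
    return r.profile


def rate(host: str):
    """Local rating takes precedence over FortiGuard; None means unrated."""
    return LOCAL_RATINGS.get(host, FTGD_RATINGS.get(host))


def decide(r: Request, overrides, now: str) -> tuple:
    """Return (profile applied, category id, action) for one request."""
    profile = effective_profile(r, overrides, now)
    category = rate(r.host)
    return profile, category, PROFILES[profile].get(category, "allow")


if __name__ == "__main__":
    req = Request(host="www.fortinet.com", srcip="10.1.100.11")
    print(decide(req, [ADMIN_OVERRIDE], "2019/04/10 14:00:00"))   # override active: allow
    print(decide(req, [ADMIN_OVERRIDE], "2019/04/10 14:40:00"))   # expired: back to block
```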
Ask feature

This option is only available in the Allow users to override blocked categories method. It configures the message page to let the user choose which scope they want to use. Normally on the message page, the scope options are greyed out and not editable. In the following example, the Scope is predefined with IP.

When the ask option is enabled (through the Switch applies to field in the GUI), the Scope dropdown is editable. Users can choose one of the following:
- User
- User Group
- IP

User and User Group are only available when there is a user group in the firewall policy. You must specify a user group as a source in the firewall policy so the scope includes User and User Group; otherwise, only the IP option will be available.

Other features

Besides the scope, there are some other features in Allow users to override blocked categories.

Apply to group(s)

Individual users cannot be selected. You can select one or more of the user groups recognized by the FortiGate. They can be local to the system or from a third party authentication device, such as an AD server through FSSO.

Switch duration

Administrative override sets a specified time frame that is always used for that override. The available options in Allow users to override blocked categories are:
- Predefined: the value entered is the set duration (length of time in days, hours, or minutes) that the override will be in effect. If the duration variable is set to 15 minutes, the length of the override will always be 15 minutes. The option will be visible in the override message page, but the setting will be greyed out.
- Ask: the user has the option to set the override duration once it is engaged. The user can set the duration in terms of days, hours, or minutes.

Example of creating a web profile users override

This example describes how to allow users in the local_group to override the webfilter_new profile.

To allow users to override blocked categories using the GUI:

1. Go to Security Profiles > Web Filter.
2. Click Create New.
3. Under the Category Usage Quota section, toggle on Allow users to override blocked categories.
4. Configure the web filter profile:
   a. Click the Groups that can override field, and select a group (local_group in this example).
   b. Click the Profile Name field, and select the webfilter_new profile.
   c. For the Switch applies to field, click IP.
   d. For the Switch Duration field, click Predefined. The default 15 minutes appears, which is the desired duration for this example.
   e. Configure the rest of the profile as needed.
5. Click OK.

VPN

Virtual Private Network (VPN) technology lets remote users connect to private computer networks to gain access to their resources in a secure way. For example, an employee traveling or working at home can use a VPN to securely access the office network through the Internet.
Instead of remotely logging into a private network using an unencrypted and unsecured Internet connection, using a VPN ensures that unauthorized parties cannot access the office network and cannot intercept information going between the employee and the office. Another common use of a VPN is to connect the private networks of multiple offices.
Fortinet offers VPN capabilities in the FortiGate Unified Threat Management (UTM) appliance and in the FortiClient Endpoint Security suite of applications. You can install a FortiGate unit on a private network and install FortiClient software on the user's computer. You can also use a FortiGate unit to connect to the private network instead of using FortiClient software.
The following sections provide information about VPN:
- IPsec VPNs on page 1046
- SSL VPN on page 1282

IPsec VPNs

The following sections provide instructions on configuring IPsec VPN connections in FortiOS 6.4.0.
- General IPsec VPN configuration on page 1046
- Site-to-site VPN on page 1071
- Remote access on page 1116
- Aggregate and redundant VPN on page 1150
- Overlay Controller VPN (OCVPN) on page 1185
- ADVPN on page 1216
- Other VPN topics on page 1249
- VPN IPsec troubleshooting on page 1275

General IPsec VPN configuration

The following sections provide instructions on general IPsec VPN configurations:
- Network topologies on page 1047
- Phase 1 configuration on page 1047
- Phase 2 configuration on page 1062
- VPN security policies on page 1066
- Blocking unwanted IKE negotiations and ESP packets with a local-in policy on page 1070

Network topologies

The topology of your network will determine how remote peers and clients connect to the VPN and how VPN traffic is routed.

Site-to-Site: Standard one-to-one VPN between two FortiGates. See Site-to-site VPN on page 1071.
Hub and spoke/ADVPN: One central FortiGate (hub) has multiple VPNs to other remote FortiGates (spokes). In ADVPN, shortcuts can be created between spokes for direct communication. See ADVPN on page 1216.
OCVPN: Fortinet's cloud based solution for automating VPN setup between devices registered to the same account. See Overlay Controller VPN (OCVPN) on page 1185.
FortiClient dialup: Typically remote FortiClient dialup clients use dynamic IP addresses through NAT devices. The FortiGate acts as a dialup server allowing dialup VPN connections from multiple sources. See FortiClient as dialup client on page 1122.
FortiGate dialup: Similar to site-to-site except one end is a dialup server and the other end is a dialup client. This facilitates scenarios in which the remote dialup end has a dynamic address, or does not have a public IP, possibly because it is behind NAT. See FortiGate as dialup client on page 1116.
Aggregate VPN: Natively supports aggregating multiple VPN tunnels to increase performance and provide redundancy over multiple links. See IPsec aggregate for redundancy and traffic load-balancing on page 1167.
Redundant VPN: Options for supporting redundant and partially redundant IPsec VPNs, using route-based approaches. See Redundant hub and spoke VPN on page 1177.
L2TP over IPsec: Configure VPN for Microsoft Windows dialup clients using the built in L2TP software. Users do not have to install any Fortinet software. See L2TP over IPsec on page 1140.
GRE over IPsec: Legacy support for routers requiring point-to-point GRE over IPsec for tunneling. See GRE over IPsec on page 1083.

Phase 1 configuration

Phase 1 configuration primarily defines the parameters used in IKE (Internet Key Exchange) negotiation between the ends of the IPsec tunnel. The local end is the FortiGate interface that initiates the IKE negotiations. The remote end is the remote gateway that responds and exchanges messages with the initiator. Hence, they are sometimes referred to as the initiator and responder. The purpose of phase 1 is to secure a tunnel with one bi-directional IKE SA (security association) for negotiating IKE phase 2 parameters.
The auto-negotiate and negotiation-timeout commands control how the IKE negotiation is processed when there is no traffic, and the length of time that the FortiGate waits for negotiations to occur.

IPsec tunnels can be configured in the GUI using the VPN Creation Wizard. Go to VPN > IPsec Wizard. The wizard includes several templates (site-to-site, hub and spoke, remote access), but a custom tunnel can be configured with the following settings:

Name: Phase 1 definition name. The maximum length is 15 characters for an interface mode VPN and 35 characters for a policy-based VPN. For a policy-based VPN, the name normally reflects where the remote connection originates. For a route-based tunnel, the FortiGate also uses the name for the virtual IPsec interface that it creates automatically.

Network
  IP Version: Protocol, either IPv4 or IPv6.
  Remote Gateway: Category of the remote connection:
    - Static IP Address: the remote peer has a static IP address.
    - Dialup User: one or more FortiClient or FortiGate dialup clients with dynamic IP addresses will connect to the FortiGate.
    - Dynamic DNS: a remote peer that has a domain name and subscribes to a dynamic DNS service will connect to the FortiGate.
  IP Address: The IP address of the remote peer. This option is only available when the Remote Gateway is Static IP Address.
  Dynamic DNS: The domain name of the remote peer. This option is only available when the Remote Gateway is Dynamic DNS.
  Interface: The interface through which remote peers or dialup clients connect to the FortiGate. This option is only available in NAT mode. By default, the local VPN gateway IP address is the IP address of the interface that was selected (Primary IP in the Local Gateway field).
  Local Gateway: IP address for the local end of the VPN tunnel (Primary IP is used by default):
    - Secondary IP: secondary address of the interface selected in the Interface field.
    - Specify: manually enter an address.
    Interface mode cannot be configured in a transparent mode VDOM.
  Mode Config: This option is only available when the Remote Gateway is Dialup User. Configure the client IP address range, subnet mask/prefix length, DNS server, and split tunnel capability to automate remote client addressing.
  NAT Traversal: This option is only available when the Remote Gateway is Static IP Address or Dynamic DNS. ESP (encapsulating security payload), the protocol for encrypting data in the VPN session, uses IP protocol 50 by default. However, it does not use any port numbers, so when traversing a NAT device the packets cannot be demultiplexed. Enabling NAT traversal encapsulates the ESP packet inside a UDP packet, thereby adding a unique source port to the packet. This allows the NAT device to map the packets to the correct session.
    - Enable: a NAT device exists between the local FortiGate and the VPN peer or client. Outbound encrypted packets are wrapped inside a UDP IP header that contains a port number. The local FortiGate and the VPN peer or client must have the same NAT traversal setting (both selected or both cleared) to connect reliably. When in doubt, enable NAT traversal.
    - Disable: disable the NAT traversal setting.
    - Forced: the FortiGate will use a port value of zero when constructing the NAT discovery hash for the peer. This causes the peer to think it is behind a NAT device, and it will use UDP encapsulation for IPsec, even if no NAT is present. This approach maintains interoperability with any IPsec implementation that supports the NAT-T RFC.
  Keepalive Frequency: Keepalive frequency setting. This option is only available when NAT Traversal is set to Enable or F
  Dead Peer Detection:
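The NAT detection that the Enable, Disable and Forced settings above rely on, as an added example (not FortiOS code or the guide's own). It goes beyond the page by using the IKEv2 NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP definition from RFC 7296 section 2.23, a SHA-1 over (SPIi || SPIr || IP address || port); the SPIs and addresses are constructed, and treating Disable as simply not sending the payload is the example's assumption.

```python
"""How a peer detects NAT from the NAT Traversal settings on this page.

Added example, not FortiOS code. Each IKE side sends SHA-1(SPIi || SPIr ||
IP || port) for the address and port it believes it is using (RFC 7296
section 2.23); the receiver recomputes the hash from the source it actually
saw, so a mismatch means a NAT rewrote the packet. "Forced" hashes port 0 so
the peer always concludes NAT; "Disable" is modelled as omitting the payload
(assumption). SPIs and addresses below are constructed."""
import hashlib
import socket
import struct


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """SHA-1 over SPIi, SPIr, the 4-byte IPv4 address and the 2-byte port."""
    return hashlib.sha1(spi_i + spi_r + socket.inet_aton(ip)
                        + struct.pack("!H", port)).digest()


def nat_d_payload(spi_i: bytes, spi_r: bytes, ip: str, port: int, nat_traversal: str):
    """Hash an initiator sends for its own source address under the page's
    three settings; None when NAT traversal is disabled (payload omitted)."""
    if nat_traversal == "disable":
        return None
    if nat_traversal == "forced":
        port = 0     # can never equal the observed port, so the peer assumes a NAT
    return nat_detection_hash(spi_i, spi_r, ip, port)


def peer_detects_nat(sent_hash, spi_i: bytes, spi_r: bytes,
                     observed_ip: str, observed_port: int):
    """Responder side: compare against a hash of the source it actually saw.
    None when no payload was sent, which is why both ends must agree on the
    NAT traversal setting to connect reliably."""
    if sent_hash is None:
        return None
    return sent_hash != nat_detection_hash(spi_i, spi_r, observed_ip, observed_port)


# Constructed scenario: initiator 192.0.2.10:500, optionally behind a NAT that
# rewrites the source to 198.51.100.7:4501 before the responder sees it
SPI_I = bytes.fromhex("0011223344556677")
SPI_R = bytes.fromhex("8899aabbccddeeff")


def scenario(nat_traversal: str, behind_nat: bool):
    """What the responder concludes: True (NAT), False (no NAT) or None."""
    sent = nat_d_payload(SPI_I, SPI_R, "192.0.2.10", 500, nat_traversal)
    seen_ip, seen_port = ("198.51.100.7", 4501) if behind_nat else ("192.0.2.10", 500)
    return peer_detects_nat(sent, SPI_I, SPI_R, seen_ip, seen_port)


if __name__ == "__main__":
    for mode in ("enable", "forced", "disable"):
        for nat in (False, True):
            print(f"{mode:<8} behind_nat={nat!s:<5} -> peer sees NAT: {scenario(mode, nat)}")
```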
