Version 6.4.0

Netskope Exhibit 1017

FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com

FORTINET VIDEO GUIDE
https://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com

FORTINET TRAINING & CERTIFICATION PROGRAM
https://www.fortinet.com/training-certification

NSE INSTITUTE
https://training.fortinet.com

FORTIGUARD CENTER
https://www.fortiguard.com

END USER LICENSE AGREEMENT
https://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: techdoc@fortinet.com

June 3, 2021
FortiOS 6.4.0 Administration Guide
01-640-607590-20210603

TABLE OF CONTENTS

Change Log
Getting started
Differences between models
Using the GUI
Connecting using a web browser
Menus
Tables
Entering values
Using the CLI
Connecting to the CLI
CLI basics
Command syntax
Subcommands
Permissions
FortiExplorer for iOS
Getting started with FortiExplorer
Connecting FortiExplorer to a FortiGate via WiFi
Running a security rating
Upgrading to FortiExplorer Pro
Basic administration
Registration
FortiCare and FortiGate Cloud login
Troubleshooting your installation
Zero touch provisioning
Zero touch provisioning with FortiDeploy
Zero touch provisioning with FortiManager
Dashboards and widgets
Using dashboards
Viewing device dashboards in the security fabric
Creating a fabric system and license dashboard
Using widgets
Monitor dashboards and widgets
Static & Dynamic Routing Monitor
DHCP monitor
IPSEC monitor
SSL VPN monitor
Firewall Users Monitor
Device inventory
FortiView
FortiView dashboards and widgets
Adding top FortiView widgets by category
VDOMs and dashboards
FortiView interface
FortiView from disk

FortiOS 6.4.0 Administration Guide
Fortinet Inc.

FortiView from FortiAnalyzer
FortiView from FortiGate Cloud
FortiView top sources
Viewing top websites and sources by category
Cloud application view
Configuration backups
Fortinet Security Fabric
Security Fabric settings and usage
Components
Configuring the root FortiGate and downstream FortiGates
Configuring FortiAnalyzer
Configuring other Security Fabric devices
Using the Security Fabric
Deploying the Security Fabric
Synchronizing objects across the Security Fabric
Security Fabric over IPsec VPN
Leveraging LLDP to simplify security fabric negotiation
Configuring the Security Fabric with SAML
Configuring single-sign-on in the Security Fabric
CLI commands for SAML SSO
SAML SSO with pre-authorized FortiGates
Navigating between Security Fabric members with SSO
Integrating FortiAnalyzer management using SAML SSO
Integrating FortiManager management using SAML SSO
Advanced option - FortiGate SP changes
Advanced option - unique SAML attribute types
Security rating
Security Fabric score
External connectors
SDN connectors
Kubernetes (K8s) SDN connectors
Endpoint/Identity connectors
Threat feeds
Automation stitches
Creating automation stitches
Triggers
Actions
Execute a CLI script based on CPU and memory thresholds
Troubleshooting
Viewing a summary of all connected FortiGates in a Security Fabric
Diagnosing automation stitches
Network
Interfaces
Interface settings
Aggregation and redundancy
VLANs
Enhanced MAC VLANs
Inter-VDOM routing
Software switch
Zone
Virtual Wire Pair
Virtual switch support for FortiGate 300E series
Failure detection for aggregate and redundant interfaces
VLAN inside VXLAN
Virtual Wire Pair with VXLAN
DNS
Important DNS CLI commands
DNS domain list
FortiGate DNS server
DDNS
DNS latency information
DNS over TLS
DNS troubleshooting
Explicit and transparent proxies
Explicit web proxy
FTP proxy
Transparent proxy
Proxy policy addresses
Proxy policy security profiles
Explicit proxy authentication
Transparent web proxy forwarding
Upstream proxy authentication in transparent proxy mode
Multiple dynamic header count
Restricted SaaS access (Office 365, G Suite, Dropbox)
Explicit proxy and FortiSandbox Cloud
Proxy chaining (web proxy forwarding servers)
Agentless NTLM authentication for web proxy
DHCP server
Configure DHCP on the FortiGate
DHCP options
IP address assignment with relay agent information option
DHCP client options
Static routes
Policy routes
RIP
OSPF
BGP
Direct IP support for LTE/4G
LLDP reception
Route leaking between VRFs
SD-WAN
SD-WAN quick start
Configuring the SD-WAN interface
Adding a static route
Selecting the implicit SD-WAN algorithm
Configuring firewall policies for SD-WAN
Link monitoring and failover
Results
Configuring SD-WAN in the CLI
WAN path control
Performance SLA - link monitoring
Performance SLA - SLA targets
Factory default health checks
Implicit rule
SD-WAN rules - best quality
SD-WAN rules - lowest cost (SLA)
SD-WAN rules - maximize bandwidth (SLA)
Application steering using SD-WAN rules
SD-WAN traffic shaping and QoS
Advanced configuration
Self-originating traffic
SDN dynamic connector addresses in SD-WAN rules
Forward error correction on VPN overlay networks
Using BGP tags with SD-WAN rules
BGP multiple path support
Controlling traffic with BGP route mapping and service rules
Applying BGP route-map to multiple BGP neighbors
IBGP and EBGP support in VRF
ADVPN and shortcut paths
SD-WAN monitor on ADVPN shortcuts
SD-WAN integration with OCVPN
DSCP matching (shaping)
SD-WAN health check packet DSCP marker support
Dual VPN tunnel wizard
Internet service customization
SD-WAN with FGCP HA
Hub and spoke SD-WAN deployment example
Datacenter configuration
Branch configuration
Validation
Dynamic definition of SD-WAN routes
Adding another datacenter
Dynamic connector addresses in SD-WAN policies
SD-WAN configuration portability
Interface speedtest
Configuring SD-WAN in an HA cluster using internal hardware switches
Troubleshooting SD-WAN
Understanding SD-WAN related logs
SD-WAN related diagnose commands
SLA logging
SLA monitoring using the REST API
SD-WAN bandwidth monitoring service
System
Basic system settings
Advanced system settings
Operating modes
Administrators
Administrator profiles
Add a local administrator
Remote authentication for administrators
Password policy
Admin profile option for diagnose access
Firmware
Firmware upgrade notifications
Downloading a firmware image
Testing a firmware version
Upgrading the firmware
Downgrading to a previous firmware version
Installing firmware from system reboot
Restoring from a USB drive
Controlled upgrade
Settings
Default administrator password
Changing the host name
Setting the system time
Configuring ports
Setting the idle timeout time
Setting the password policy
Changing the view settings
Setting the administrator password retries and lockout time
Virtual Domains
Split-task VDOM mode
Multi VDOM mode
Configure VDOM-A
Configure VDOM-B
Configure the VDOM link
Configure VDOM-A
Configure VDOM-B
High Availability
Introduction to the FGCP cluster
Failover protection
FGSP (session synchronization) peer setup
UTM inspection on asymmetric traffic in FGSP
UTM inspection on asymmetric traffic on L3
Encryption for L3 on asymmetric traffic in FGSP
Synchronizing sessions between FGCP clusters
Using standalone configuration synchronization
Troubleshoot an HA formation
Check HA sync status
Disabling stateful SCTP inspection
Upgrading FortiGates in an HA cluster
HA cluster setup examples
Routing data over the HA management interface
Override FortiAnalyzer and syslog server settings
Force HA failover for testing and demonstrations
Querying autoscale clusters for FortiGate VM
SNMP
Interface access
MIB files
SNMP agent
SNMP v1/v2c communities
SNMP v3 users
Important SNMP traps
SNMP traps and query for monitoring DHCP pool
Replacement messages
Replacement message images
Modifying replacement messages
Replacement message groups
Example
FortiGuard
IPv6 FortiGuard connections
Configuring antivirus and IPS options
Manual updates
Automatic updates
Sending malware statistics to FortiGuard
Update server location
Filtering
Override FortiGuard servers
Online security tools
FortiGuard anycast and third-party SSL validation
Using FortiManager as a local FortiGuard server
Cloud service communication statistics
IoT detection service
Feature visibility
Security feature presets
Certificates
Microsoft CA deep packet inspection
Purchase and import a signed SSL certificate
Configuration scripts
Workspace mode
Policy and Objects
Policies
Firewall policy parameters
Profile-based NGFW vs policy-based NGFW
NGFW policy mode application default service
Policy views and policy lookup
Policy with source NAT
Policy with destination NAT
Policy with Internet Service
NAT64 policy and DNS64 (DNS proxy)
NAT46 policy
Multicast processing and basic Multicast policy
Local-in policies
IPv4/IPv6 access control lists
Mirroring SSL traffic in policies
Inspection mode per policy
OSPFv3 neighbor authentication
Firewall anti-replay option per policy
Enabling advanced policy options in the GUI
Recognize anycast addresses in geo-IP blocking
Matching GeoIP by registered and physical location
Authentication policy extensions
HTTP to HTTPS redirect for load balancing
GTPv2 in policies
Use active directory objects directly in policies
FortiGate Cloud / FDN communication through an explicit proxy
No session timeout
Objects
Address group exclusions
MAC addressed-based policies
ISDB well-known MAC address list
Dynamic policy — fabric devices
FSSO dynamic address subtype
ClearPass integration for dynamic address objects
Group address objects synchronized from FortiManager
Using wildcard FQDN addresses in firewall policies
IPv6 geography-based addresses
Array structure for address objects
Traffic shaping
Determining your QoS requirements
Packet rates
Changing traffic shaper bandwidth unit of measurement
Shared traffic shaper
Per-IP traffic shaper
Type of Service-based prioritization and policy-based traffic shaping
Interface-based traffic shaping profile
Interface-based traffic shaping with NP acceleration
Classifying traffic by source interface
Configuring traffic class IDs
Traffic shaping schedules
QoS assignment and rate limiting for quarantined VLANs
Weighted random early detection queuing
Security Profiles
Inspection modes
Flow mode inspection (default mode)
Proxy mode inspection
Inspection mode feature comparison
Antivirus
Protocol comparison between antivirus inspection modes
Other antivirus differences between inspection modes
Databases
Content disarm and reconstruction for antivirus
FortiGuard outbreak prevention
External malware block list for antivirus
Checking flow antivirus statistics
CIFS support
Using FortiSandbox appliance with antivirus
Using FortiSandbox Cloud with antivirus
Web filter
URL filter
FortiGuard filter
Credential phishing prevention
Usage quota
Web content filter
File filter
Advanced filters 1
Advanced filters 2
External resources for web filter
Reliable web filter statistics
Flow-based web filtering
URL certificate blocklist
DNS filter
How to configure and apply a DNS filter profile
FortiGuard category-based DNS domain filtering
Botnet C&C domain blocking
DNS safe search
Local domain filter
DNS translation
Using a FortiGate as a DNS server
Troubleshooting for DNS filter
Application control
Basic category filters and overrides
Port enforcement check
Protocol enforcement
SSL-based application detection over decrypted traffic in a sandwich topology
Matching multiple parameters on application control signatures
Intrusion prevention
Botnet C&C IP blocking
Detecting IEC 61850 MMS protocol in IPS
Email filter
Protocol comparison between Email filter inspection modes
Local-based filters
FortiGuard-based filters
File type-based filters
Protocols and actions
Configuring webmail filtering
Data leak prevention
Protocol comparison between DLP inspection modes
Basic DLP filter types
DLP fingerprinting
DLP watermarking
VoIP solutions
General use cases
SIP message inspection and filtering
SIP pinholes
SIP over TLS
Custom SIP RTP port range support
Voice VLAN auto-assignment
ICAP
ICAP configuration example
ICAP response filtering
Web application firewall
Protecting a server running web applications
SSL & SSH Inspection
Certificate inspection
Deep inspection
Protecting an SSL server
Ignoring the AUTH TLS command
SSH traffic file scanning
Redirect to WAD after handshake completion
Custom signatures
Application groups in policies
Overrides
Web rating override
Web profile override
VPN
IPsec VPNs
General IPsec VPN configuration
Site-to-site VPN
Remote access
Aggregate and redundant VPN
Overlay Controller VPN (OCVPN)
ADVPN
Other VPN topics
VPN IPsec troubleshooting
SSL VPN
SSL VPN best practices
SSL VPN quick start
SSL VPN tunnel mode
SSL VPN web mode for remote user
SSL VPN authentication
SSL VPN to IPsec VPN
SSL VPN protocols
SSL VPN troubleshooting
User & Authentication
Endpoint control and compliance
Per-policy disclaimer messages
Compliance
FortiGuard distribution of updated Apple certificates
User Definition
User types
Removing a user
User Groups
Configuring POP3 authentication
Guest Management
Configuring guest access
Retail environment guest access
LDAP Servers
Configuring an LDAP server
FSSO polling connector agent installation
Enabling Active Directory recursive search
Configuring LDAP dial-in using a member attribute
Configuring wildcard admin accounts
Exchange Server connector with Kerberos KDC auto-discovery
Configuring least privileges for LDAP admin account authentication in Active Directory
RADIUS Servers
Configuring RADIUS SSO authentication
RSA ACE (SecurID) servers
Support for Okta RADIUS attributes filter-Id and class
TACACS+ servers
SAML
SAML SP for VPN authentication
Authentication Settings
FortiTokens
Configuring FortiTokens
FortiToken Cloud
Configuring FortiToken Mobile
FortiToken maintenance
FortiToken Mobile Push
Configuring the maximum log in attempts and lockout period
PKI
Creating a PKI/peer user
Configuring firewall authentication
Creating a locally authenticated user account
Creating a RADIUS-authenticated user account
Creating an FSSO user group
Creating a firewall user group
Defining policy addresses
Creating security policies
Wireless configuration
Switch Controller
FortiLink setup
Viewing managed FortiSwitches
VLAN interface templates for FortiSwitches
Create VLAN interface templates
Example
FortiLink auto network configuration policy
FortiLink network sniffer extension
FortiLink MCLAG configuration
Standalone FortiGate as switch controller
Standalone FortiGate as switch controller
Multiple FortiSwitches managed via hardware/software switch
Multiple FortiSwitches in tiers via aggregate interface with redundant link enabled
Multiple FortiSwitches in tiers via aggregate interface with MCLAG enabled only on distribution
HA (A-P) mode FortiGate pairs as switch controller
Multiple FortiSwitches managed via hardware/software switch
Multiple FortiSwitches in tiers via aggregate interface with redundant link enabled
Multiple FortiSwitches in tiers via aggregate interface with MCLAG enabled only on distribution
Multiple FortiSwitches in tiers via aggregate interface with MCLAG enabled on all tiers
Authentication and security
MAC-based 802.1X authentication
Port-based 802.1X authentication
MAC layer control - Sticky MAC and MAC Learning-limit
Quarantine
Flow and device detection
Data statistic
Security Fabric showing
NAC policies on switch ports
Use FortiSwitch to query FortiGuard IoT service for device details
Voice device detection
FortiSwitch multi-tenant support
Persistent MAC learning
Split port mode (for QSFP / QSFP28)
Dynamic VLAN name assignment from RADIUS attribute
MSTI support
Netflow and IPFIX support
Log and Report
Viewing event logs
Sample logs by log type
Log buffer on FortiGates with an SSD disk
Checking the email filter log
Supported log types to FortiAnalyzer, syslog, and FortiAnalyzer Cloud
Configuring multiple FortiAnalyzers on a multi-VDOM FortiGate
Checking FortiAnalyzer connectivity
Configuring multiple FortiAnalyzers (or syslog servers) per VDOM
Source and destination UUID logging
Troubleshooting
Log-related diagnose commands
Backing up log files or dumping log messages
SNMP OID for logs that failed to send
VM
Amazon Web Services
Microsoft Azure
Google Cloud Platform
Oracle OCI
AliCloud
Private cloud
VM license
Uploading a license file
Types of VM licenses
CLI troubleshooting
FortiGate multiple connector support
Adding VDOMs with FortiGate v-series
Terraform: FortiOS as a provider
Troubleshooting
PF SR-IOV driver support
Troubleshooting
Troubleshooting methodologies
Verify user permissions
Establish a baseline
Create a troubleshooting plan
Troubleshooting scenarios
Checking the system date and time
Checking the hardware connections
Checking FortiOS network settings
Troubleshooting CPU and network resources
Troubleshooting high CPU usage
Checking the modem status
Running ping and traceroute
Checking the logs
Verifying routing table contents in NAT mode
Verifying the correct route is being used
Verifying the correct firewall policy is being used
Checking the bridging information in transparent mode
Checking wireless information
Performing a sniffer trace (CLI and packet capture)
Debugging the packet flow
Testing a proxy operation
Displaying detail Hardware NIC information
Performing a traffic trace
Using a session table
Finding object dependencies
Diagnosing NPU-based interfaces
Identifying the XAUI link used for a specific traffic stream
Running the TAC report
Other commands
FortiGuard troubleshooting
Additional resources
Technical documentation
Fortinet video library
Release notes
Knowledge base
Fortinet technical discussion forums
Fortinet training services online campus
Fortinet Support

Change Log

Date        Change Description
2020-03-31  Initial release.
2020-04-08  Added SD-WAN integration with OCVPN on page 529 and Allow FortiClient to join OCVPN on page 1199.
2020-04-13  Updated Device inventory on page 69.
2020-04-14  Added Synchronizing objects across the Security Fabric on page 166.
2020-04-15  Added Viewing device dashboards in the security fabric on page 58 and Creating a fabric system and license dashboard on page 59. Updated Topology on page 147.
2020-04-16  Added NAC policies on switch ports on page 1513, Use FortiSwitch to query FortiGuard IoT service for device details on page 1517, UTM inspection on asymmetric traffic on L3 on page 637, Admin profile option for diagnose access on page 592, Interface speedtest on page 564, FortiView on page 73, Adding top FortiView widgets by category on page 75 and VDOMs and dashboards on page 78.
2020-04-17  Added Microsoft Teams integration webhook on page 326, SD-WAN monitor on ADVPN shortcuts on page 528, SD-WAN health check packet DSCP marker support on page 541, SD-WAN configuration portability on page 562, Weighted round robin for IPsec aggregate tunnels on page 1183, Matching multiple parameters on application control signatures on page 971, and UDP hole punching for spokes behind NAT on page 1246.
2020-04-21  Added Support for Okta RADIUS attributes filter-Id and class on page 1430, SNMP traps and query for monitoring DHCP pool on page 672, Interface-based traffic shaping with NP acceleration on page 837, Querying autoscale clusters for FortiGate VM on page 664, Detecting IEC 61850 MMS protocol in IPS on page 978, NAS-IP support per SSL-VPN realm on page 1375, DHCP client options on page 432, Defining gateway IP addresses in IPsec with mode-config and DHCP on page 1271, Group address objects synchronized from FortiManager on page 806, and Voice device detection on page 1519.
2020-04-22  Added VLAN interface templates for FortiSwitches on page 1458, Firmware upgrade notifications on page 594, and Identifying the XAUI link used for a specific traffic stream on page 1631.
2020-04-23  Added IoT detection service on page 692.
2020-04-24  Added Route leaking between VRFs on page 441, No session timeout on page 789, and Redirect to WAD after handshake completion on page 1034.
2020-04-27  Added SD-WAN quick start on page 444, FortiView from disk on page 86, FortiView from FortiAnalyzer on page 88, Cloud application view on page 96, and FortiView Top Source and Top Destination Firewall Objects widgets on page 106.
2020-04-28  Added FortiView top sources on page 91, Cloud application view on page 96, and Top application: YouTube example on page 102. Updated Synchronizing sessions between FGCP clusters on page 639.
2020-05-01  Added Application steering using SD-WAN rules on page 472.
2020-05-04  Added Viewing top websites and sources by category on page 92. Updated Additional devices on page 143.
2020-05-07  Added Applying BGP route-map to multiple BGP neighbors on page 507 and SD-WAN with FGCP HA on page 543.
2020-05-08  Updated Private Cloud K8s SDN connector on page 245.
2020-05-13  Updated Credential phishing prevention on page 908.
2020-05-19  Added Array structure for address objects on page 812.
2020-05-22  Added SSL VPN with RADIUS on Windows NPS on page 1331.
2020-05-27  Added SSL VPN with multiple RADIUS servers on page 1336.
2020-06-01  Updated Using wildcard FQDN addresses in firewall policies on page 808 and VXLAN over IPsec tunnel on page 1267.
2020-06-05  Added Integrating FortiManager management using SAML SSO on page 190.
2020-06-12  Updated VLAN inside VXLAN on page 367. Added Configuring least privileges for LDAP admin account authentication in Active Directory on page 1419.
2020-06-18  Updated DHCP options on page 429.
2020-06-22  Updated SSL VPN multi-realm on page 1370.
2020-06-23  Added Proxy chaining (web proxy forwarding servers) on page 421.
2020-07-03  Updated FortiClient EMS on page 132.
2020-08-14  Added Self-originating traffic on page 489.
2020-08-20  Updated Cisco ACI SDN connector on page 232 and Nuage SDN connector on page 236.
2020-08-20  Updated Reliable web filter statistics on page 937.
2020-08-25  Updated FortiSwitch multi-tenant support on page 1523.
2020-08-31  Updated Add FortiToken multi-factor authentication on page 1127, SSL VPN best practices on page 1283, Set up FortiToken multi-factor authentication on page 1290, and Configuring FortiToken Mobile on page 1443.
2020-09-02  Updated Encryption algorithms on page 1259.
2020-09-04  Added General IPsec VPN configuration on page 1046.
2020-09-25  Updated SSL VPN best practices on page 1283 and SSL VPN with certificate authentication on page 1350.
2020-10-02  Added VM license on page 1576.
2020-10-05  Updated Threat feeds on page 270 and External resources for DNS filter on page 279.
2020-10-22  Updated Agentless NTLM authentication for web proxy on page 425 and LLDP reception on page 438.
2021-01-08  Updated FortiGuard outbreak prevention on page 862.
2021-01-21  Updated Matching multiple parameters on application control signatures on page 971.
2021-02-17  Updated Antivirus on page 856.
2021-05-31  Updated IPsec VPN to an Azure with virtual WAN on page 1111.
2021-06-03  Updated Adding top FortiView widgets by category on page 75.

Getting started

This section explains how to get started with a FortiGate.

Differences between models

Not all FortiGates have the same features, particularly entry-level models (models 30 to 90). A number of features on
these models are only available in the CLI.

Consult your model's QuickStart Guide, hardware manual, or the Feature / Platform Matrix for
further information about features that vary by model.

FortiGate models differ principally by the names used and the features available:
• Naming conventions may vary between FortiGate models. For example, on some models the hardware switch
  interface used for the local area network is called lan, while on other units it is called internal.
• Certain features are not available on all models. Additionally, a particular feature may be available only through the
  CLI on some models, while that same feature may be viewed in the GUI on other models.

If you believe your FortiGate model supports a feature that does not appear in the GUI, go to System > Feature
Visibility and confirm that the feature is enabled. For more information, see Feature visibility on page 694.

Using the GUI

This section presents an introduction to the graphical user interface (GUI) on your FortiGate.
The following topics are included in this section:
• Connecting using a web browser
• Menus
• Tables
• Entering values

For information about using the dashboards, see Dashboards and widgets on page 56.

Connecting using a web browser

In order to connect to the GUI using a web browser, an interface must be configured to allow administrative access over
HTTPS or over both HTTPS and HTTP. By default, an interface has already been set up that allows HTTPS access with
the IP address 192.168.1.99.
Browse to https://192.168.1.99 and enter your username and password. If you have not changed the admin account’s
password, use the default user name, admin, and leave the password field blank.

The GUI will now be displayed in your browser.

To use a different interface to access the GUI:

1. Go to Network > Interfaces and edit the interface you wish to use for access. Take note of its assigned IP address.
2. In Administrative Access, select HTTPS, and any other protocol you require. You can also select HTTP, although
   this is not recommended as the connection will be less secure.
3. Click OK.
4. Browse to the IP address using your chosen protocol.

The GUI will now be displayed in your browser.

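The following is an added example, not part of the Fortinet guide: a Python check that reads the `config system interface` section of a FortiOS configuration backup and lists interfaces whose administrative access includes HTTP, the choice step 2 advises against. The sample configuration, the interface names, the function names, and the decision to also flag Telnet as cleartext are assumptions made for illustration.

```python
# Added example: audit a FortiOS configuration backup for interfaces that
# allow cleartext administrative access.

# Constructed sample in the style of a FortiOS configuration backup.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "port2"
        set vdom "root"
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping https http telnet
        config ipv6
            set ip6-allowaccess ping
        end
    next
    edit "wan1"
        set vdom "root"
        set mode dhcp
    next
end
config system global
    set hostname "lab-fgt"
end
"""

# Assumption: administrative access protocols treated as cleartext here.
CLEARTEXT_PROTOCOLS = {"http", "telnet"}


def parse_interfaces(config_text):
    """Return {name: {"ip": str or None, "allowaccess": [protocols]}}.

    Only top-level settings of each interface are read; nested tables
    such as "config ipv6" are tracked by depth and skipped.
    """
    interfaces = {}
    depth = 0          # 0 = outside "config system interface"
    current = None     # interface currently being edited
    for raw in config_text.splitlines():
        line = raw.strip()
        if depth == 0:
            if line == "config system interface":
                depth = 1
            continue
        if line.startswith("config "):
            depth += 1
        elif line == "end":
            depth -= 1
            if depth == 0:
                current = None
        elif depth != 1:
            continue   # inside a nested table
        elif line.startswith("edit "):
            current = line[len("edit "):].strip().strip('"')
            interfaces[current] = {"ip": None, "allowaccess": []}
        elif line == "next":
            current = None
        elif current and line.startswith("set "):
            parts = line.split()
            if len(parts) >= 3 and parts[1] == "ip":
                interfaces[current]["ip"] = parts[2]
            elif len(parts) >= 2 and parts[1] == "allowaccess":
                interfaces[current]["allowaccess"] = parts[2:]
    return interfaces


def cleartext_admin_access(config_text):
    """Return sorted (interface, ip, [cleartext protocols]) findings."""
    findings = []
    for name, settings in parse_interfaces(config_text).items():
        exposed = sorted(CLEARTEXT_PROTOCOLS.intersection(settings["allowaccess"]))
        if exposed:
            findings.append((name, settings["ip"], exposed))
    return sorted(findings)


if __name__ == "__main__":
    for name, ip, protocols in cleartext_admin_access(SAMPLE_CONFIG):
        print(f"{name} ({ip}): cleartext administrative access via {', '.join(protocols)}")
```
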
`Menus
`
`If you believe your FortiGate model supports a menu that does not appear in the GUI, go to
`System > Feature Visibility and ensure the feature is enabled. For more information, see
`Feature visibility on page 694.
`
`The GUI contains the following main menus, which provide access to configuration options for most FortiOS features:
`
`Dashboard
`
`The dashboard displays various widgets that display important system
`information and allow you to configure some system options.
`For more information, see Dashboards and widgets on page 56.
`
`Security Fabric
`
`Access the physical topology, logical topology, automation, and settings of the
`Fortinet Security Fabric.
`For more information, see Fortinet Security Fabric on page 112.
`
`Network
`
`Options for networking, including configuring system interfaces and routing
`options.
`For more information, see Network on page 340.
`
`System
`
`Configure system settings, such as administrators, FortiGuard, and certificates.
`For more information, see System on page 585.
`
`Policy & Objects
`
`Configure firewall policies, protocol options, and supporting content for policies,
`including schedules, firewall addresses, and traffic shapers.
`For more information, see Policy and Objects on page 706.
`
`Security Profiles
`
`Configure your FortiGate's security features, including Antivirus, Web Filter, and
`Application Control.
`For more information, see Security Profiles on page 851.
`
`VPN
`
`Configure options for IPsec and SSL virtual private networks (VPNs).
`For more information, see IPsec VPNs on page 1046 and SSL VPN on page 1282.
`
`User & Authentication
`
`Configure user accounts, groups, and authentication methods, including external
`authentication and single sign-on (SSO).
`
`
`WiFi & Switch Controller
`
`Configure the unit to act as a wireless network controller, managing the wireless
`Access Point (AP) functionality of FortiWiFi and FortiAP units.
`On certain FortiGate models, this menu has additional features allowing for
`FortiSwitch units to be managed by the FortiGate.
`For more information, see Wireless configuration on page 1454 and Switch
`Controller on page 1455.
`
`Log & Report
`
`Configure logging and alert email as well as reports.
`For more information, see Log and Report on page 1533.
`
`Tables
`
`Many GUI pages contain tables of information that can be filtered and customized to display specific information in a
`specific way. Some tables allow content to be edited directly on that table, or rows to be copied and pasted.
`
`Navigation
`
`Some tables contain information and lists that span multiple pages. Navigation controls will be available at the bottom of
`the page.
`
`Filters
`
`Filters are used to locate a specific set of information or content in a table. They can be particularly useful for locating
`specific log entries. The filtering options vary, depending on the type of information in the log.
`Depending on the table content, filters can be applied using the filter bar, using a column filter, or based on a cell's
`content. Some tables allow filtering based on regular expressions.
`Administrators with read and write access can define filters. Multiple filters can be applied at one time.
`
`To manually create a filter:
`
`1. Click Add Filter at the top of the table. A list of the fields available for filtering is shown.
`2. Select the field to filter by.
`3. Enter the value to filter by, adding modifiers as needed.
`4. Press Enter to apply the filter.
`
`To create a column filter:
`
`1. Click the filter icon on the right side
