FortiGate 60Eの初期コンフィグを掲載します。
CLIでの設定などの際に参考にされることを想定しています。
前提
- 対象機器
- 型番:FortiGate 60E
- ファームウェアバージョン: v6.0.6 build0272 (GA)
- 設定は基本的に工場出荷時の状態
- 言語設定は日本語にした状態です(デフォルトは英語)
- ホスト名は「FGT」にした状態です(デフォルトは機器のシリアル番号)
- 「set output standard」は設定した状態です
- 掲載しているのは[show]コマンドの結果です。
full-configではないですがそれでもかなり長いため、必要な部分を検索して探すなどの利用方法を想定しています。
初期コンフィグ
FGT # show
#config-version=FGT60E-6.0.6-FW-build0272-190716:opmode=1:vdom=0:user=admin
#conf_file_ver=183579787175666
#buildno=0272
#global_vdom=1
config system global
set alias "[シリアル番号]"
set hostname "FGT"
set language japanese
set switch-controller enable
set timezone 04
end
config system accprofile
edit "prof_admin"
set secfabgrp read-write
set ftviewgrp read-write
set authgrp read-write
set sysgrp read-write
set netgrp read-write
set loggrp read-write
set fwgrp read-write
set vpngrp read-write
set utmgrp read-write
set wifi read-write
next
end
config system interface
edit "wan1"
set vdom "root"
set mode dhcp
set allowaccess ping fgfm
set type physical
set role wan
set snmp-index 1
next
edit "wan2"
set vdom "root"
set mode dhcp
set allowaccess ping fgfm
set type physical
set role wan
set snmp-index 2
next
edit "dmz"
set vdom "root"
set ip 10.10.10.1 255.255.255.0
set allowaccess ping https http fgfm capwap
set type physical
set role dmz
set snmp-index 3
next
edit "modem"
set vdom "root"
set mode pppoe
set type physical
set snmp-index 4
next
edit "ssl.root"
set vdom "root"
set type tunnel
set alias "SSL VPN interface"
set snmp-index 5
next
edit "internal"
set vdom "root"
set ip 192.168.1.99 255.255.255.0
set allowaccess ping https ssh http fgfm capwap
set type hard-switch
set stp enable
set role lan
set snmp-index 6
next
end
config system physical-switch
edit "sw0"
set age-val 0
next
end
config system virtual-switch
edit "internal"
set physical-switch "sw0"
config port
edit "internal1"
next
edit "internal2"
next
edit "internal3"
next
edit "internal4"
next
edit "internal5"
next
edit "internal6"
next
edit "internal7"
next
end
next
end
config system custom-language
edit "en"
set filename "en"
next
edit "fr"
set filename "fr"
next
edit "sp"
set filename "sp"
next
edit "pg"
set filename "pg"
next
edit "x-sjis"
set filename "x-sjis"
next
edit "big5"
set filename "big5"
next
edit "GB2312"
set filename "GB2312"
next
edit "euc-kr"
set filename "euc-kr"
next
end
config system admin
edit "admin"
set accprofile "super_admin"
set vdom "root"
next
end
config system ha
set override disable
end
config system dns
set primary 208.91.112.53
set secondary 208.91.112.52
end
config system replacemsg-image
edit "logo_fnet"
set image-type gif
set image-base64 ''
next
edit "logo_fguard_wf"
set image-type gif
set image-base64 ''
next
edit "logo_fw_auth"
set image-base64 ''
next
edit "logo_v2_fnet"
set image-base64 ''
next
edit "logo_v2_fguard_wf"
set image-base64 ''
next
edit "logo_v2_fguard_app"
set image-base64 ''
next
end
config system replacemsg mail "email-av-fail"
end
config system replacemsg mail "email-block"
end
config system replacemsg mail "email-dlp-subject"
end
config system replacemsg mail "email-dlp-ban"
end
config system replacemsg mail "email-filesize"
end
config system replacemsg mail "partial"
end
config system replacemsg mail "smtp-block"
end
config system replacemsg mail "smtp-filesize"
end
config system replacemsg mail "email-decompress-limit"
end
config system replacemsg mail "smtp-decompress-limit"
end
config system replacemsg http "bannedword"
end
config system replacemsg http "url-block"
end
config system replacemsg http "urlfilter-err"
end
config system replacemsg http "infcache-block"
end
config system replacemsg http "http-block"
end
config system replacemsg http "http-filesize"
end
config system replacemsg http "http-dlp-ban"
end
config system replacemsg http "http-archive-block"
end
config system replacemsg http "http-contenttypeblock"
end
config system replacemsg http "https-invalid-cert-block"
end
config system replacemsg http "http-client-block"
end
config system replacemsg http "http-client-filesize"
end
config system replacemsg http "http-client-bannedword"
end
config system replacemsg http "http-post-block"
end
config system replacemsg http "http-client-archive-block"
end
config system replacemsg http "switching-protocols-block"
end
config system replacemsg webproxy "deny"
end
config system replacemsg webproxy "user-limit"
end
config system replacemsg webproxy "auth-challenge"
end
config system replacemsg webproxy "auth-login-fail"
end
config system replacemsg webproxy "auth-group-info-fail"
end
config system replacemsg webproxy "http-err"
end
config system replacemsg webproxy "auth-ip-blackout"
end
config system replacemsg ftp "ftp-av-fail"
end
config system replacemsg ftp "ftp-dl-blocked"
end
config system replacemsg ftp "ftp-dl-filesize"
end
config system replacemsg ftp "ftp-dl-dlp-ban"
end
config system replacemsg ftp "ftp-explicit-banner"
end
config system replacemsg ftp "ftp-dl-archive-block"
end
config system replacemsg nntp "nntp-av-fail"
end
config system replacemsg nntp "nntp-dl-blocked"
end
config system replacemsg nntp "nntp-dl-filesize"
end
config system replacemsg nntp "nntp-dlp-subject"
end
config system replacemsg nntp "nntp-dlp-ban"
end
config system replacemsg nntp "email-decompress-limit"
end
config system replacemsg fortiguard-wf "ftgd-block"
end
config system replacemsg fortiguard-wf "http-err"
end
config system replacemsg fortiguard-wf "ftgd-ovrd"
end
config system replacemsg fortiguard-wf "ftgd-quota"
end
config system replacemsg fortiguard-wf "ftgd-warning"
end
config system replacemsg spam "ipblocklist"
end
config system replacemsg spam "smtp-spam-dnsbl"
end
config system replacemsg spam "smtp-spam-feip"
end
config system replacemsg spam "smtp-spam-helo"
end
config system replacemsg spam "smtp-spam-emailblack"
end
config system replacemsg spam "smtp-spam-mimeheader"
end
config system replacemsg spam "reversedns"
end
config system replacemsg spam "smtp-spam-bannedword"
end
config system replacemsg spam "smtp-spam-ase"
end
config system replacemsg spam "submit"
end
config system replacemsg alertmail "alertmail-virus"
end
config system replacemsg alertmail "alertmail-block"
end
config system replacemsg alertmail "alertmail-nids-event"
end
config system replacemsg alertmail "alertmail-crit-event"
end
config system replacemsg alertmail "alertmail-disk-full"
end
config system replacemsg admin "pre_admin-disclaimer-text"
end
config system replacemsg admin "post_admin-disclaimer-text"
end
config system replacemsg auth "auth-disclaimer-page-1"
end
config system replacemsg auth "auth-disclaimer-page-2"
end
config system replacemsg auth "auth-disclaimer-page-3"
end
config system replacemsg auth "auth-reject-page"
end
config system replacemsg auth "auth-login-page"
end
config system replacemsg auth "auth-login-failed-page"
end
config system replacemsg auth "auth-token-login-page"
end
config system replacemsg auth "auth-token-login-failed-page"
end
config system replacemsg auth "auth-success-msg"
end
config system replacemsg auth "auth-challenge-page"
end
config system replacemsg auth "auth-keepalive-page"
end
config system replacemsg auth "auth-portal-page"
end
config system replacemsg auth "auth-password-page"
end
config system replacemsg auth "auth-fortitoken-page"
end
config system replacemsg auth "auth-next-fortitoken-page"
end
config system replacemsg auth "auth-email-token-page"
end
config system replacemsg auth "auth-sms-token-page"
end
config system replacemsg auth "auth-email-harvesting-page"
end
config system replacemsg auth "auth-email-failed-page"
end
config system replacemsg auth "auth-cert-passwd-page"
end
config system replacemsg auth "auth-guest-print-page"
end
config system replacemsg auth "auth-guest-email-page"
end
config system replacemsg auth "auth-success-page"
end
config system replacemsg auth "auth-block-notification-page"
end
config system replacemsg auth "auth-quarantine-page"
end
config system replacemsg auth "auth-qtn-reject-page"
end
config system replacemsg sslvpn "sslvpn-login"
end
config system replacemsg sslvpn "sslvpn-header"
end
config system replacemsg sslvpn "sslvpn-limit"
end
config system replacemsg sslvpn "hostcheck-error"
end
config system replacemsg ec "endpt-download-portal"
end
config system replacemsg ec "endpt-download-portal-mac"
end
config system replacemsg ec "endpt-download-portal-linux"
end
config system replacemsg ec "endpt-download-portal-ios"
end
config system replacemsg ec "endpt-download-portal-aos"
end
config system replacemsg ec "endpt-download-portal-other"
end
config system replacemsg ec "endpt-warning-portal"
end
config system replacemsg ec "endpt-warning-portal-mac"
end
config system replacemsg ec "endpt-warning-portal-linux"
end
config system replacemsg ec "endpt-remedy-inst"
end
config system replacemsg ec "endpt-remedy-reg"
end
config system replacemsg ec "endpt-remedy-ftcl-autofix"
end
config system replacemsg ec "endpt-remedy-av-3rdp"
end
config system replacemsg ec "endpt-remedy-ver"
end
config system replacemsg ec "endpt-remedy-os-ver"
end
config system replacemsg ec "endpt-remedy-vuln"
end
config system replacemsg ec "endpt-remedy-sig-ids"
end
config system replacemsg ec "endpt-remedy-ems-online"
end
config system replacemsg ec "endpt-ftcl-incompat"
end
config system replacemsg ec "endpt-download-ftcl"
end
config system replacemsg ec "endpt-quarantine-portal"
end
config system replacemsg device-detection-portal "device-detection-failure"
end
config system replacemsg nac-quar "nac-quar-virus"
end
config system replacemsg nac-quar "nac-quar-dos"
end
config system replacemsg nac-quar "nac-quar-ips"
end
config system replacemsg nac-quar "nac-quar-dlp"
end
config system replacemsg nac-quar "nac-quar-admin"
end
config system replacemsg nac-quar "nac-quar-app"
end
config system replacemsg traffic-quota "per-ip-shaper-block"
end
config system replacemsg utm "virus-html"
end
config system replacemsg utm "client-virus-html"
end
config system replacemsg utm "virus-text"
end
config system replacemsg utm "dlp-html"
end
config system replacemsg utm "dlp-text"
end
config system replacemsg utm "appblk-html"
end
config system replacemsg utm "ipsblk-html"
end
config system replacemsg utm "ipsfail-html"
end
config system replacemsg utm "exe-text"
end
config system replacemsg utm "waf-html"
end
config system replacemsg utm "outbreak-prevention-html"
end
config system replacemsg utm "outbreak-prevention-text"
end
config system replacemsg icap "icap-req-resp"
end
config system snmp sysinfo
end
config system central-management
set type fortiguard
end
config user device-category
edit "android-phone"
next
edit "android-tablet"
next
edit "blackberry-phone"
next
edit "blackberry-playbook"
next
edit "forticam"
next
edit "fortifone"
next
edit "fortinet"
next
edit "gaming-console"
next
edit "ip-phone"
next
edit "ipad"
next
edit "iphone"
next
edit "linux-pc"
next
edit "mac"
next
edit "media-streaming"
next
edit "printer"
next
edit "router-nat-device"
next
edit "windows-pc"
next
edit "windows-phone"
next
edit "windows-tablet"
next
edit "other-network-device"
next
edit "collected-emails"
next
edit "amazon-device"
next
edit "android-device"
next
edit "blackberry-device"
next
edit "fortinet-device"
next
edit "ios-device"
next
edit "windows-device"
next
edit "all"
next
end
config system cluster-sync
end
config system fortiguard
set sdns-server-ip "208.91.112.220"
end
config ips global
end
config system email-server
set server "notification.fortinet.net"
set port 465
set security smtps
end
config system session-helper
edit 1
set name pptp
set protocol 6
set port 1723
next
edit 2
set name h323
set protocol 6
set port 1720
next
edit 3
set name ras
set protocol 17
set port 1719
next
edit 4
set name tns
set protocol 6
set port 1521
next
edit 5
set name tftp
set protocol 17
set port 69
next
edit 6
set name rtsp
set protocol 6
set port 554
next
edit 7
set name rtsp
set protocol 6
set port 7070
next
edit 8
set name rtsp
set protocol 6
set port 8554
next
edit 9
set name ftp
set protocol 6
set port 21
next
edit 10
set name mms
set protocol 6
set port 1863
next
edit 11
set name pmap
set protocol 6
set port 111
next
edit 12
set name pmap
set protocol 17
set port 111
next
edit 13
set name sip
set protocol 17
set port 5060
next
edit 14
set name dns-udp
set protocol 17
set port 53
next
edit 15
set name rsh
set protocol 6
set port 514
next
edit 16
set name rsh
set protocol 6
set port 512
next
edit 17
set name dcerpc
set protocol 6
set port 135
next
edit 18
set name dcerpc
set protocol 17
set port 135
next
edit 19
set name mgcp
set protocol 17
set port 2427
next
edit 20
set name mgcp
set protocol 17
set port 2727
next
end
config system auto-install
set auto-install-config enable
set auto-install-image enable
end
config system console
set output standard
end
config system ntp
set ntpsync enable
end
config system object-tagging
edit "default"
next
end
config system settings
set inspection-mode flow
end
config system dhcp server
edit 1
set dns-service default
set default-gateway 192.168.1.99
set netmask 255.255.255.0
set interface "internal"
config ip-range
edit 1
set start-ip 192.168.1.110
set end-ip 192.168.1.210
next
end
next
end
config firewall address
edit "none"
set uuid 43aecd66-56c4-51ea-c0c0-f7f68bbafe1b
set subnet 0.0.0.0 255.255.255.255
next
edit "all"
set uuid 44fc126e-56c4-51ea-4760-37ef4f4f80b0
next
edit "FIREWALL_AUTH_PORTAL_ADDRESS"
set uuid 44fc1da4-56c4-51ea-9fde-9f51f47cb9e5
set visibility disable
next
edit "SSLVPN_TUNNEL_ADDR1"
set uuid 44ff0442-56c4-51ea-9f73-5f987dbb0158
set type iprange
set associated-interface "ssl.root"
set start-ip 10.212.134.200
set end-ip 10.212.134.210
next
end
config firewall multicast-address
edit "all"
set start-ip 224.0.0.0
set end-ip 239.255.255.255
next
edit "all_hosts"
set start-ip 224.0.0.1
set end-ip 224.0.0.1
next
edit "all_routers"
set start-ip 224.0.0.2
set end-ip 224.0.0.2
next
edit "Bonjour"
set start-ip 224.0.0.251
set end-ip 224.0.0.251
next
edit "EIGRP"
set start-ip 224.0.0.10
set end-ip 224.0.0.10
next
edit "OSPF"
set start-ip 224.0.0.5
set end-ip 224.0.0.6
next
end
config firewall address6
edit "SSLVPN_TUNNEL_IPv6_ADDR1"
set uuid 44ff17ac-56c4-51ea-755d-d70129f7bca2
set ip6 fdff:ffff::/120
next
edit "all"
set uuid 4fb78954-56c4-51ea-6899-ebff2df0e73a
next
edit "none"
set uuid 4fb7ca90-56c4-51ea-d290-f77fe8a5f267
set ip6 ::/128
next
end
config firewall multicast-address6
edit "all"
set ip6 ff00::/8
next
end
config firewall wildcard-fqdn custom
edit "adobe"
set uuid 45063ab4-56c4-51ea-6b62-1b93940045e2
set wildcard-fqdn "*.adobe.com"
next
edit "Adobe Login"
set uuid 450642ca-56c4-51ea-2888-a5ec5ecff609
set wildcard-fqdn "*.adobelogin.com"
next
edit "android"
set uuid 450649f0-56c4-51ea-b958-46cdd245a230
set wildcard-fqdn "*.android.com"
next
edit "apple"
set uuid 450650f8-56c4-51ea-f55b-71f538d6b5a0
set wildcard-fqdn "*.apple.com"
next
edit "appstore"
set uuid 45065814-56c4-51ea-f168-0a3d04e872fd
set wildcard-fqdn "*.appstore.com"
next
edit "auth.gfx.ms"
set uuid 45065f1c-56c4-51ea-0ba2-a6957c25146e
set wildcard-fqdn "*.auth.gfx.ms"
next
edit "citrix"
set uuid 45066750-56c4-51ea-f559-3ddeea3a712a
set wildcard-fqdn "*.citrixonline.com"
next
edit "dropbox.com"
set uuid 45066e80-56c4-51ea-d6cf-d2c66de1cbc4
set wildcard-fqdn "*.dropbox.com"
next
edit "eease"
set uuid 4506759c-56c4-51ea-9fbb-e56a1958f815
set wildcard-fqdn "*.eease.com"
next
edit "firefox update server"
set uuid 45067cc2-56c4-51ea-64d1-3caa48bc88cf
set wildcard-fqdn "aus*.mozilla.org"
next
edit "fortinet"
set uuid 450683f2-56c4-51ea-a9df-3ad6c1910327
set wildcard-fqdn "*.fortinet.com"
next
edit "googleapis.com"
set uuid 45068bd6-56c4-51ea-2b15-aa0cb60f8d2f
set wildcard-fqdn "*.googleapis.com"
next
edit "google-drive"
set uuid 45069306-56c4-51ea-684d-0fb3b9ae14d0
set wildcard-fqdn "*drive.google.com"
next
edit "google-play2"
set uuid 45069a4a-56c4-51ea-bdf1-634fa48af80a
set wildcard-fqdn "*.ggpht.com"
next
edit "google-play3"
set uuid 4506a1a2-56c4-51ea-6267-57151c4b551b
set wildcard-fqdn "*.books.google.com"
next
edit "Gotomeeting"
set uuid 4506a8dc-56c4-51ea-c2bd-91151dfa2dd1
set wildcard-fqdn "*.gotomeeting.com"
next
edit "icloud"
set uuid 4506b728-56c4-51ea-892c-26187b312373
set wildcard-fqdn "*.icloud.com"
next
edit "itunes"
set uuid 4506bf48-56c4-51ea-e6dd-13749a5057eb
set wildcard-fqdn "*itunes.apple.com"
next
edit "microsoft"
set uuid 4506c6a0-56c4-51ea-392b-2951b92b01ee
set wildcard-fqdn "*.microsoft.com"
next
edit "skype"
set uuid 4506cdee-56c4-51ea-3d15-f1959ced8233
set wildcard-fqdn "*.messenger.live.com"
next
edit "softwareupdate.vmware.com"
set uuid 4506d528-56c4-51ea-fc30-bf69015023e1
set wildcard-fqdn "*.softwareupdate.vmware.com"
next
edit "verisign"
set uuid 4506dc76-56c4-51ea-dbe4-3994cebe0213
set wildcard-fqdn "*.verisign.com"
next
edit "Windows update 2"
set uuid 4506e3c4-56c4-51ea-397b-45cea2d94a36
set wildcard-fqdn "*.windowsupdate.com"
next
edit "live.com"
set uuid 4506eb1c-56c4-51ea-9b9c-577e04b2f998
set wildcard-fqdn "*.live.com"
next
edit "google-play"
set uuid 4506f26a-56c4-51ea-29a3-1c9a27da2ce0
set wildcard-fqdn "*play.google.com"
next
edit "update.microsoft.com"
set uuid 4506f9cc-56c4-51ea-9ee1-49b01d33a18b
set wildcard-fqdn "*update.microsoft.com"
next
edit "swscan.apple.com"
set uuid 4507011a-56c4-51ea-dab2-ff998f55764e
set wildcard-fqdn "*swscan.apple.com"
next
edit "autoupdate.opera.com"
set uuid 45070cdc-56c4-51ea-0043-a05c79b9cba5
set wildcard-fqdn "*autoupdate.opera.com"
next
end
config firewall service category
edit "General"
set comment "General services."
next
edit "Web Access"
set comment "Web access."
next
edit "File Access"
set comment "File access."
next
edit "Email"
set comment "Email services."
next
edit "Network Services"
set comment "Network services."
next
edit "Authentication"
set comment "Authentication service."
next
edit "Remote Access"
set comment "Remote access."
next
edit "Tunneling"
set comment "Tunneling service."
next
edit "VoIP, Messaging & Other Applications"
set comment "VoIP, messaging, and other applications."
next
edit "Web Proxy"
set comment "Explicit web proxy."
next
end
config firewall service custom
edit "ALL"
set category "General"
set protocol IP
next
edit "ALL_TCP"
set category "General"
set tcp-portrange 1-65535
next
edit "ALL_UDP"
set category "General"
set udp-portrange 1-65535
next
edit "ALL_ICMP"
set category "General"
set protocol ICMP
unset icmptype
next
edit "ALL_ICMP6"
set category "General"
set protocol ICMP6
unset icmptype
next
edit "GRE"
set category "Tunneling"
set protocol IP
set protocol-number 47
next
edit "AH"
set category "Tunneling"
set protocol IP
set protocol-number 51
next
edit "ESP"
set category "Tunneling"
set protocol IP
set protocol-number 50
next
edit "AOL"
set visibility disable
set tcp-portrange 5190-5194
next
edit "BGP"
set category "Network Services"
set tcp-portrange 179
next
edit "DHCP"
set category "Network Services"
set udp-portrange 67-68
next
edit "DNS"
set category "Network Services"
set tcp-portrange 53
set udp-portrange 53
next
edit "FINGER"
set visibility disable
set tcp-portrange 79
next
edit "FTP"
set category "File Access"
set tcp-portrange 21
next
edit "FTP_GET"
set category "File Access"
set tcp-portrange 21
next
edit "FTP_PUT"
set category "File Access"
set tcp-portrange 21
next
edit "GOPHER"
set visibility disable
set tcp-portrange 70
next
edit "H323"
set category "VoIP, Messaging & Other Applications"
set tcp-portrange 1720 1503
set udp-portrange 1719
next
edit "HTTP"
set category "Web Access"
set tcp-portrange 80
next
edit "HTTPS"
set category "Web Access"
set tcp-portrange 443
next
edit "IKE"
set category "Tunneling"
set udp-portrange 500 4500
next
edit "IMAP"
set category "Email"
set tcp-portrange 143
next
edit "IMAPS"
set category "Email"
set tcp-portrange 993
next
edit "Internet-Locator-Service"
set visibility disable
set tcp-portrange 389
next
edit "IRC"
set category "VoIP, Messaging & Other Applications"
set tcp-portrange 6660-6669
next
edit "L2TP"
set category "Tunneling"
set tcp-portrange 1701
set udp-portrange 1701
next
edit "LDAP"
set category "Authentication"
set tcp-portrange 389
next
edit "NetMeeting"
set visibility disable
set tcp-portrange 1720
next
edit "NFS"
set category "File Access"
set tcp-portrange 111 2049
set udp-portrange 111 2049
next
edit "NNTP"
set visibility disable
set tcp-portrange 119
next
edit "NTP"
set category "Network Services"
set tcp-portrange 123
set udp-portrange 123
next
edit "OSPF"
set category "Network Services"
set protocol IP
set protocol-number 89
next
edit "PC-Anywhere"
set category "Remote Access"
set tcp-portrange 5631
set udp-portrange 5632
next
edit "PING"
set category "Network Services"
set protocol ICMP
set icmptype 8
unset icmpcode
next
edit "TIMESTAMP"
set protocol ICMP
set visibility disable
set icmptype 13
unset icmpcode
next
edit "INFO_REQUEST"
set protocol ICMP
set visibility disable
set icmptype 15
unset icmpcode
next
edit "INFO_ADDRESS"
set protocol ICMP
set visibility disable
set icmptype 17
unset icmpcode
next
edit "ONC-RPC"
set category "Remote Access"
set tcp-portrange 111
set udp-portrange 111
next
edit "DCE-RPC"
set category "Remote Access"
set tcp-portrange 135
set udp-portrange 135
next
edit "POP3"
set category "Email"
set tcp-portrange 110
next
edit "POP3S"
set category "Email"
set tcp-portrange 995
next
edit "PPTP"
set category "Tunneling"
set tcp-portrange 1723
next
edit "QUAKE"
set visibility disable
set udp-portrange 26000 27000 27910 27960
next
edit "RAUDIO"
set visibility disable
set udp-portrange 7070
next
edit "REXEC"
set visibility disable
set tcp-portrange 512
next
edit "RIP"
set category "Network Services"
set udp-portrange 520
next
edit "RLOGIN"
set visibility disable
set tcp-portrange 513:512-1023
next
edit "RSH"
set visibility disable
set tcp-portrange 514:512-1023
next
edit "SCCP"
set category "VoIP, Messaging & Other Applications"
set tcp-portrange 2000
next
edit "SIP"
set category "VoIP, Messaging & Other Applications"
set tcp-portrange 5060
set udp-portrange 5060
next
edit "SIP-MSNmessenger"
set category "VoIP, Messaging & Other Applications"
set tcp-portrange 1863
next
edit "SAMBA"
set category "File Access"
set tcp-portrange 139
next
edit "SMTP"
set category "Email"
set tcp-portrange 25
next
edit "SMTPS"
set category "Email"
set tcp-portrange 465
next
edit "SNMP"
set category "Network Services"
set tcp-portrange 161-162
set udp-portrange 161-162
next
edit "SSH"
set category "Remote Access"
set tcp-portrange 22
next
edit "SYSLOG"
set category "Network Services"
set udp-portrange 514
next
edit "TALK"
set visibility disable
set udp-portrange 517-518
next
edit "TELNET"
set category "Remote Access"
set tcp-portrange 23
next
edit "TFTP"
set category "File Access"
set udp-portrange 69
next
edit "MGCP"
set visibility disable
set udp-portrange 2427 2727
next
edit "UUCP"
set visibility disable
set tcp-portrange 540
next
edit "VDOLIVE"
set visibility disable
set tcp-portrange 7000-7010
next
edit "WAIS"
set visibility disable
set tcp-portrange 210
next
edit "WINFRAME"
set visibility disable
set tcp-portrange 1494 2598
next
edit "X-WINDOWS"
set category "Remote Access"
set tcp-portrange 6000-6063
next
edit "PING6"
set protocol ICMP6
set visibility disable
set icmptype 128
unset icmpcode
next
edit "MS-SQL"
set category "VoIP, Messaging & Other Applications"
set tcp-portrange 1433 1434
next
edit "MYSQL"
set category "VoIP, Messaging & Other Applications"
set tcp-portrange 3306
next
edit "RDP"
set category "Remote Access"
set tcp-portrange 3389
next
edit "VNC"
set category "Remote Access"
set tcp-portrange 5900
next
edit "DHCP6"
set category "Network Services"
set udp-portrange 546 547
next
edit "SQUID"
set category "Tunneling"
set tcp-portrange 3128
next
edit "SOCKS"
set category "Tunneling"
set tcp-portrange 1080
set udp-portrange 1080
next
edit "WINS"
set category "Remote Access"
set tcp-portrange 1512
set udp-portrange 1512
next
edit "RADIUS"
set category "Authentication"
set udp-portrange 1812 1813
next
edit "RADIUS-OLD"
set visibility disable
set udp-portrange 1645 1646
next
edit "CVSPSERVER"
set visibility disable
set tcp-portrange 2401
set udp-portrange 2401
next
edit "AFS3"
set category "File Access"
set tcp-portrange 7000-7009
set udp-portrange 7000-7009
next
edit "TRACEROUTE"
set category "Network Services"
set udp-portrange 33434-33535
next
edit "RTSP"
set category "VoIP, Messaging & Other Applications"
set tcp-portrange 554 7070 8554
set udp-portrange 554
next
edit "MMS"
set visibility disable
set tcp-portrange 1755
set udp-portrange 1024-5000
next
edit "KERBEROS"
set category "Authentication"
set tcp-portrange 88 464
set udp-portrange 88 464
next
edit "LDAP_UDP"
set category "Authentication"
set udp-portrange 389
next
edit "SMB"
set category "File Access"
set tcp-portrange 445
next
edit "NONE"
set visibility disable
set tcp-portrange 0
next
edit "webproxy"
set proxy enable
set category "Web Proxy"
set protocol ALL
set tcp-portrange 0-65535:0-65535
next
end
config firewall service group
edit "Email Access"
set member "DNS" "IMAP" "IMAPS" "POP3" "POP3S" "SMTP" "SMTPS"
next
edit "Web Access"
set member "DNS" "HTTP" "HTTPS"
next
edit "Windows AD"
set member "DCE-RPC" "DNS" "KERBEROS" "LDAP" "LDAP_UDP" "SAMBA" "SMB"
next
edit "Exchange Server"
set member "DCE-RPC" "DNS" "HTTPS"
next
end
config webfilter ftgd-local-cat
edit "custom1"
set id 140
next
edit "custom2"
set id 141
next
end
config ips sensor
edit "default"
set comment "Prevent critical attacks."
config entries
edit 1
set severity medium high critical
next
end
next
edit "sniffer-profile"
set comment "Monitor IPS attacks."
config entries
edit 1
set severity medium high critical
next
end
next
edit "wifi-default"
set comment "Default configuration for offloading WiFi traffic."
config entries
edit 1
set severity medium high critical
next
end
next
edit "all_default"
set comment "All predefined signatures with default setting."
config entries
edit 1
next
end
next
edit "all_default_pass"
set comment "All predefined signatures with PASS action."
config entries
edit 1
set action pass
next
end
next
edit "protect_http_server"
set comment "Protect against HTTP server-side vulnerabilities."
config entries
edit 1
set location server
set protocol HTTP
next
end
next
edit "protect_email_server"
set comment "Protect against email server-side vulnerabilities."
config entries
edit 1
set location server
set protocol SMTP POP3 IMAP
next
end
next
edit "protect_client"
set comment "Protect against client-side vulnerabilities."
config entries
edit 1
set location client
next
end
next
edit "high_security"
set comment "Blocks all Critical/High/Medium and some Low severity vulnerabilities"
set block-malicious-url enable
config entries
edit 1
set severity medium high critical
set status enable
set action block
next
edit 2
set severity low
next
end
next
end
config firewall shaper traffic-shaper
edit "high-priority"
set maximum-bandwidth 1048576
set per-policy enable
next
edit "medium-priority"
set maximum-bandwidth 1048576
set priority medium
set per-policy enable
next
edit "low-priority"
set maximum-bandwidth 1048576
set priority low
set per-policy enable
next
edit "guarantee-100kbps"
set guaranteed-bandwidth 100
set maximum-bandwidth 1048576
set per-policy enable
next
edit "shared-1M-pipe"
set maximum-bandwidth 1024
next
end
config web-proxy global
set proxy-fqdn "default.fqdn"
end
config application list
edit "default"
set comment "Monitor all applications."
config entries
edit 1
set action pass
next
end
next
edit "sniffer-profile"
set comment "Monitor all applications."
unset options
config entries
edit 1
set action pass
next
end
next
edit "wifi-default"
set comment "Default configuration for offloading WiFi traffic."
set deep-app-inspection disable
config entries
edit 1
set action pass
set log disable
next
end
next
edit "block-high-risk"
config entries
edit 1
set category 2 6
next
edit 2
set action pass
next
end
next
end
config dlp filepattern
edit 1
set name "builtin-patterns"
config entries
edit "*.bat"
next
edit "*.com"
next
edit "*.dll"
next
edit "*.doc"
next
edit "*.exe"
next
edit "*.gz"
next
edit "*.hta"
next
edit "*.ppt"
next
edit "*.rar"
next
edit "*.scr"
next
edit "*.tar"
next
edit "*.tgz"
next
edit "*.vb?"
next
edit "*.wps"
next
edit "*.xl?"
next
edit "*.zip"
next
edit "*.pif"
next
edit "*.cpl"
next
end
next
edit 2
set name "all_executables"
config entries
edit "bat"
set filter-type type
set file-type bat
next
edit "exe"
set filter-type type
set file-type exe
next
edit "elf"
set filter-type type
set file-type elf
next
edit "hta"
set filter-type type
set file-type hta
next
end
next
end
config dlp fp-sensitivity
edit "Private"
next
edit "Critical"
next
edit "Warning"
next
end
config dlp sensor
edit "default"
set comment "Default sensor."
next
edit "sniffer-profile"
set comment "Log a summary of email and web traffic."
set flow-based enable
set summary-proto smtp pop3 imap http-get http-post
next
edit "Content_Summary"
set summary-proto smtp pop3 imap http-get http-post ftp nntp mapi
next
edit "Content_Archive"
set summary-proto smtp pop3 imap http-get http-post ftp nntp mapi
next
edit "Large-File"
config filter
edit 1
set name "Large-File-Filter"
set proto smtp pop3 imap http-get http-post mapi
set filter-by file-size
set file-size 5120
set action log-only
next
end
next
edit "Credit-Card"
config filter
edit 1
set name "Credit-Card-Filter"
set severity high
set proto smtp pop3 imap http-get http-post mapi
set action log-only
next
edit 2
set name "Credit-Card-Filter"
set severity high
set type message
set proto smtp pop3 imap http-post mapi
set action log-only
next
end
next
edit "SSN-Sensor"
set comment "Match SSN numbers but NOT WebEx invite emails."
config filter
edit 1
set name "SSN-Sensor-Filter"
set severity high
set type message
set proto smtp pop3 imap mapi
set filter-by regexp
set regexp "WebEx"
next
edit 2
set name "SSN-Sensor-Filter"
set severity high
set type message
set proto smtp pop3 imap mapi
set filter-by ssn
set action log-only
next
edit 3
set name "SSN-Sensor-Filter"
set severity high
set proto smtp pop3 imap http-get http-post ftp mapi
set filter-by ssn
set action log-only
next
end
next
end
config webfilter ips-urlfilter-setting
end
config webfilter ips-urlfilter-setting6
end
config log threat-weight
config web
edit 1
set category 26
set level high
next
edit 2
set category 61
set level high
next
edit 3
set category 86
set level high
next
edit 4
set category 1
set level medium
next
edit 5
set category 3
set level medium
next
edit 6
set category 4
set level medium
next
edit 7
set category 5
set level medium
next
edit 8
set category 6
set level medium
next
edit 9
set category 12
set level medium
next
edit 10
set category 59
set level medium
next
edit 11
set category 62
set level medium
next
edit 12
set category 83
set level medium
next
edit 13
set category 72
next
edit 14
set category 14
next
end
config application
edit 1
set category 2
next
edit 2
set category 6
set level medium
next
end
end
config icap profile
edit "default"
next
end
config vpn certificate ca
end
config vpn certificate local
edit "Fortinet_CA_SSL"
set password ENC WR0rmRYaBxVnp8Lq9yipvgvi0qQmO1AlwBXDMypQD5uoaCe44IZREqcZy+cr9a0WJFpDlDgjgCjcgLV2jmAF7ZaSPL51pYGpX6Gs1LfPwMV/EFb1pkOwgqvMW1igxD+iY2Q7VOlU2/5M48OOQypGsLdOCK781L6NPPNSyMyvx7jk+gJE6fKmUVFd5VSmCX8ps0HHtA==
set comments "This is the default CA certificate the SSL Inspection will use when generating new server certificates."
set range global
set source factory
next
edit "Fortinet_CA_Untrusted"
set password ENC 6Z6ZjzSPance5CSt5EG5jfDYw+0N49QBhjfeEXrIb6gK3LVyBkqgCXCJMAPE1NCvOh0O5H9wBFWseJUbwnQNV+NDeixo4YTmrGQN1PejaoOIqrdZCuFMnIU5e8EoHM8k7h4K0eb9M8lP0nl8BlLHUrSv0pn/2bIts2ZhvR+5Umjen5h4ASCePzgYb1+BpY7GwBZMfA==
set comments "This is the default CA certificate the SSL Inspection will use when generating new server certificates."
set range global
set source factory
next
edit "Fortinet_SSL"
set password ENC WcmrIcRxgnoBoGvCE8YcziVlfAW5tXVHRTe3Bd6eqnsAnToHLLYTYDpJIj/oeszvBU4JyZPQeCVWohgcOT2mLBHOP57l6nJ6GXFdCl3z3FlMFwLCtK5dPqtrU4PgWVs9dFr4WPyEha0g4izyxk9z1nqI3krMPRH5VcJKQls07WU/v1RyKQPrq0TfmnYNjfK/q0S5DQ==
set comments "This certificate is embedded in the hardware at the factory and is unique to this unit. "
set range global
set source factory
next
edit "Fortinet_SSL_RSA1024"
set password ENC 2G7fAWQWqQflmXTYlxmo8cFkfQNF/WrX6CFC48LiWrsITA05Jd/74eVK9Ec75vmtIXiaEg3EnboNFOe7IbssAgVIT+qdOkf+WjUuFSuvfOVvJEl7xt8Gv1lM7c0vk9WnXVjOjtj7GG70lUuamFm9SP3fAbKPy14FlHcVQRp6ZWfnCuRSusu65H6VDs0GFFB6zaRn8w==
set comments "This certificate is embedded in the hardware at the factory and is unique to this unit. "
set range global
set source factory
next
edit "Fortinet_SSL_RSA2048"
set password ENC ALGzeHqy1bRi1/v6TA/BShvm2WvtGKmaMAMfxYy/8lkFi1X9aPPYh0XUn0HJAWJqKzszP7GrgOmChFdMVeRB202fPYMe8ZT4zUk967Y8QKKbDw76x2WmzgQnXQQRf2gh5jYwoLcybO6I7hTtGMfU7Tw4PSQuwT1wh8bkGwfGkMtqJGda+LwL9B9H8E8ctAnhkStehg==
set comments "This certificate is embedded in the hardware at the factory and is unique to this unit. "
set range global
set source factory
next
edit "Fortinet_SSL_DSA1024"
set password ENC a5uR1pCYbeZerw8NxRwlByWpbHYgWcU7bizWCn1RhBcfuNpFYD26ur472SJ6e7fM88mJCSHtdbIA4bQ5/vBmqoU+N75mJSn8r6SfWNN3hErpKixRSutiEtGkhI+n3RBcLfaCxub/oe6vr6oTqofSOtMfXzCuzyR9LYT83nrWDPRj4xAwOciKSd2JEBGF7KhCHX2LJg==
set comments "This certificate is embedded in the hardware at the factory and is unique to this unit. "
set range global
set source factory
next
edit "Fortinet_SSL_DSA2048"
set password ENC Nsi8/7vYYOQ0bpDIdJx30lQN/yf9ohXSVAHzn8f7mCIzhlfv7ye/36ji08fbPiWDN5FtiTqzn2tAEKNeWmsK9H33D8107FBtGx/9jdjm2EeAooZbcBEE58UsLyVDlBiH4V+2XWExMfoek7SQgYOmBcVujAMqJBOiV2x/J6Dpvj27ltEp5bJ5CnaNNKtysT084OceDw==
set comments "This certificate is embedded in the hardware at the factory and is unique to this unit. "
set range global
set source factory
next
edit "Fortinet_SSL_ECDSA256"
set password ENC qkZ1cFWXHv/mXce1l7U2BNLMM4vU/i0vbJZEqRHGssPYN1eoKxYu2DSO5MfWnbQThwlIVDbVkx3vXJgYRJrMiaiakq1nCK++bH4Agjd50mW9Gnb39uwfkZLdba9iynR9sSCIeMc1rSw19JmA/VUogsSDTvTcLJKkvyKcnBVzrx+CJ98LROnRd/nh4USgRUDSb7WUGw==
set comments "This certificate is embedded in the hardware at the factory and is unique to this unit. "
set range global
set source factory
next
edit "Fortinet_SSL_ECDSA384"
set password ENC C1Yh2RZ8N00L0CrMI8Oqi/J2jZNtCR8FtY7Hl/U1y0yHltXdXEXwGuUtH7VUB+A7eMOatAYYK/Cb4QvvG6lViEq7On7q4kQ0Nnzg3hRbbVOlcaM0aNUKV3G+shIwxZVEdDWsj0Vb3KpjJigJGuie/QLsxsmeDeghIs9Ogi7E0CfYEll3ghjpWOWHPjzXRWdw85+fzQ==
set comments "This certificate is embedded in the hardware at the factory and is unique to this unit. "
set range global
set source factory
next
end
config user local
edit "guest"
set type password
set passwd ENC ZqFOCVASZVQbwqtHoNUb7oqCMopcxPTCLFePNSAI3xgn6I+TMKzdK7YNQDsLdeJSLPZP8QUehPat2u4esZEFYhoMu6U6qRhZ+hhhBtpSqKodYejbhtUzIRD50HcoLoOvf7cBXmxcnZfiQGZlPq6DPjuxh0+bwBIclMyWQknANktp8GpVUAbELbRIhCMHvOZs9ed/eg==
next
end
config user setting
set auth-cert "Fortinet_Factory"
end
config user group
edit "SSO_Guest_Users"
next
edit "Guest-group"
set member "guest"
next
end
config user device-group
edit "Mobile Devices"
set member "android-phone" "android-tablet" "blackberry-phone" "blackberry-playbook" "ipad" "iphone" "windows-phone" "windows-tablet"
set comment "Phones, tablets, etc."
next
edit "Network Devices"
set member "fortinet-device" "other-network-device" "router-nat-device"
set comment "Routers, firewalls, gateways, etc."
next
edit "Others"
set member "gaming-console" "media-streaming"
set comment "Other devices."
next
end
config vpn ssl web host-check-software
edit "FortiClient-AV"
set guid "C86EC76D-5A4C-40E7-BD94-59358E544D81"
next
edit "FortiClient-FW"
set type fw
set guid "528CB157-D384-4593-AAAA-E42DFF111CED"
next
edit "FortiClient-AV-Vista"
set guid "385618A6-2256-708E-3FB9-7E98B93F91F9"
next
edit "FortiClient-FW-Vista"
set type fw
set guid "006D9983-6839-71D6-14E6-D7AD47ECD682"
next
edit "FortiClient-AV-Win7"
set guid "71629DC5-BE6F-CCD3-C5A5-014980643264"
next
edit "AVG-Internet-Security-AV"
set guid "17DDD097-36FF-435F-9E1B-52D74245D6BF"
next
edit "AVG-Internet-Security-FW"
set type fw
set guid "8DECF618-9569-4340-B34A-D78D28969B66"
next
edit "AVG-Internet-Security-AV-Vista-Win7"
set guid "0C939084-9E57-CBDB-EA61-0B0C7F62AF82"
next
edit "AVG-Internet-Security-FW-Vista-Win7"
set type fw
set guid "34A811A1-D438-CA83-C13E-A23981B1E8F9"
next
edit "CA-Anti-Virus"
set guid "17CFD1EA-56CF-40B5-A06B-BD3A27397C93"
next
edit "CA-Internet-Security-AV"
set guid "6B98D35F-BB76-41C0-876B-A50645ED099A"
next
edit "CA-Internet-Security-FW"
set type fw
set guid "38102F93-1B6E-4922-90E1-A35D8DC6DAA3"
next
edit "CA-Internet-Security-AV-Vista-Win7"
set guid "3EED0195-0A4B-4EF3-CC4F-4F401BDC245F"
next
edit "CA-Internet-Security-FW-Vista-Win7"
set type fw
set guid "06D680B0-4024-4FAB-E710-E675E50F6324"
next
edit "CA-Personal-Firewall"
set type fw
set guid "14CB4B80-8E52-45EA-905E-67C1267B4160"
next
edit "F-Secure-Internet-Security-AV"
set guid "E7512ED5-4245-4B4D-AF3A-382D3F313F15"
next
edit "F-Secure-Internet-Security-FW"
set type fw
set guid "D4747503-0346-49EB-9262-997542F79BF4"
next
edit "F-Secure-Internet-Security-AV-Vista-Win7"
set guid "15414183-282E-D62C-CA37-EF24860A2F17"
next
edit "F-Secure-Internet-Security-FW-Vista-Win7"
set type fw
set guid "2D7AC0A6-6241-D774-E168-461178D9686C"
next
edit "Kaspersky-AV"
set guid "2C4D4BC6-0793-4956-A9F9-E252435469C0"
next
edit "Kaspersky-FW"
set type fw
set guid "2C4D4BC6-0793-4956-A9F9-E252435469C0"
next
edit "Kaspersky-AV-Vista-Win7"
set guid "AE1D740B-8F0F-D137-211D-873D44B3F4AE"
next
edit "Kaspersky-FW-Vista-Win7"
set type fw
set guid "9626F52E-C560-D06F-0A42-2E08BA60B3D5"
next
edit "McAfee-Internet-Security-Suite-AV"
set guid "84B5EE75-6421-4CDE-A33A-DD43BA9FAD83"
next
edit "McAfee-Internet-Security-Suite-FW"
set type fw
set guid "94894B63-8C7F-4050-BDA4-813CA00DA3E8"
next
edit "McAfee-Internet-Security-Suite-AV-Vista-Win7"
set guid "86355677-4064-3EA7-ABB3-1B136EB04637"
next
edit "McAfee-Internet-Security-Suite-FW-Vista-Win7"
set type fw
set guid "BE0ED752-0A0B-3FFF-80EC-B2269063014C"
next
edit "McAfee-Virus-Scan-Enterprise"
set guid "918A2B0B-2C60-4016-A4AB-E868DEABF7F0"
next
edit "Norton-360-2.0-AV"
set guid "A5F1BC7C-EA33-4247-961C-0217208396C4"
next
edit "Norton-360-2.0-FW"
set type fw
set guid "371C0A40-5A0C-4AD2-A6E5-69C02037FBF3"
next
edit "Norton-360-3.0-AV"
set guid "E10A9785-9598-4754-B552-92431C1C35F8"
next
edit "Norton-360-3.0-FW"
set type fw
set guid "7C21A4C9-F61F-4AC4-B722-A6E19C16F220"
next
edit "Norton-Internet-Security-AV"
set guid "E10A9785-9598-4754-B552-92431C1C35F8"
next
edit "Norton-Internet-Security-FW"
set type fw
set guid "7C21A4C9-F61F-4AC4-B722-A6E19C16F220"
next
edit "Norton-Internet-Security-AV-Vista-Win7"
set guid "88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855"
next
edit "Norton-Internet-Security-FW-Vista-Win7"
set type fw
set guid "B0F2DB13-C654-2E74-30D4-99C9310F0F2E"
next
edit "Symantec-Endpoint-Protection-AV"
set guid "FB06448E-52B8-493A-90F3-E43226D3305C"
next
edit "Symantec-Endpoint-Protection-FW"
set type fw
set guid "BE898FE3-CD0B-4014-85A9-03DB9923DDB6"
next
edit "Symantec-Endpoint-Protection-AV-Vista-Win7"
set guid "88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855"
next
edit "Symantec-Endpoint-Protection-FW-Vista-Win7"
set type fw
set guid "B0F2DB13-C654-2E74-30D4-99C9310F0F2E"
next
edit "Panda-Antivirus+Firewall-2008-AV"
set guid "EEE2D94A-D4C1-421A-AB2C-2CE8FE51747A"
next
edit "Panda-Antivirus+Firewall-2008-FW"
set type fw
set guid "7B090DC0-8905-4BAF-8040-FD98A41C8FB8"
next
edit "Panda-Internet-Security-AV"
set guid "4570FB70-5C9E-47E9-B16C-A3A6A06C4BF0"
next
edit "Panda-Internet-Security-2006~2007-FW"
set type fw
set guid "4570FB70-5C9E-47E9-B16C-A3A6A06C4BF0"
next
edit "Panda-Internet-Security-2008~2009-FW"
set type fw
set guid "7B090DC0-8905-4BAF-8040-FD98A41C8FB8"
next
edit "Sophos-Anti-Virus"
set guid "3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD"
next
edit "Sophos-Enpoint-Secuirty-and-Control-FW"
set type fw
set guid "0786E95E-326A-4524-9691-41EF88FB52EA"
next
edit "Sophos-Enpoint-Secuirty-and-Control-AV-Vista-Win7"
set guid "479CCF92-4960-B3E0-7373-BF453B467D2C"
next
edit "Sophos-Enpoint-Secuirty-and-Control-FW-Vista-Win7"
set type fw
set guid "7FA74EB7-030F-B2B8-582C-1670C5953A57"
next
edit "Trend-Micro-AV"
set guid "7D2296BC-32CC-4519-917E-52E652474AF5"
next
edit "Trend-Micro-FW"
set type fw
set guid "3E790E9E-6A5D-4303-A7F9-185EC20F3EB6"
next
edit "Trend-Micro-AV-Vista-Win7"
set guid "48929DFC-7A52-A34F-8351-C4DBEDBD9C50"
next
edit "Trend-Micro-FW-Vista-Win7"
set type fw
set guid "70A91CD9-303D-A217-A80E-6DEE136EDB2B"
next
edit "ZoneAlarm-AV"
set guid "5D467B10-818C-4CAB-9FF7-6893B5B8F3CF"
next
edit "ZoneAlarm-FW"
set type fw
set guid "829BDA32-94B3-44F4-8446-F8FCFF809F8B"
next
edit "ZoneAlarm-AV-Vista-Win7"
set guid "D61596DF-D219-341C-49B3-AD30538CBC5B"
next
edit "ZoneAlarm-FW-Vista-Win7"
set type fw
set guid "EE2E17FA-9876-3544-62EC-0405AD5FFB20"
next
edit "ESET-Smart-Security-AV"
set guid "19259FAE-8396-A113-46DB-15B0E7DFA289"
next
edit "ESET-Smart-Security-FW"
set type fw
set guid "211E1E8B-C9F9-A04B-6D84-BC85190CE5F2"
next
end
config vpn ssl web portal
edit "full-access"
set tunnel-mode enable
set ipv6-tunnel-mode enable
set web-mode enable
set ip-pools "SSLVPN_TUNNEL_ADDR1"
set ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
next
edit "web-access"
set web-mode enable
next
edit "tunnel-access"
set tunnel-mode enable
set ipv6-tunnel-mode enable
set ip-pools "SSLVPN_TUNNEL_ADDR1"
set ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
next
end
config vpn ssl settings
set servercert "Fortinet_Factory"
set port 443
end
config voip profile
edit "default"
set comment "Default VoIP profile."
next
edit "strict"
config sip
set malformed-request-line discard
set malformed-header-via discard
set malformed-header-from discard
set malformed-header-to discard
set malformed-header-call-id discard
set malformed-header-cseq discard
set malformed-header-rack discard
set malformed-header-rseq discard
set malformed-header-contact discard
set malformed-header-record-route discard
set malformed-header-route discard
set malformed-header-expires discard
set malformed-header-content-type discard
set malformed-header-content-length discard
set malformed-header-max-forwards discard
set malformed-header-allow discard
set malformed-header-p-asserted-identity discard
set malformed-header-sdp-v discard
set malformed-header-sdp-o discard
set malformed-header-sdp-s discard
set malformed-header-sdp-i discard
set malformed-header-sdp-c discard
set malformed-header-sdp-b discard
set malformed-header-sdp-z discard
set malformed-header-sdp-k discard
set malformed-header-sdp-a discard
set malformed-header-sdp-t discard
set malformed-header-sdp-r discard
set malformed-header-sdp-m discard
end
next
end
config webfilter profile
edit "default"
set comment "Default web filtering."
set inspection-mode flow-based
config ftgd-wf
unset options
config filters
edit 1
set category 2
set action block
next
edit 2
set category 7
set action block
next
edit 3
set category 8
set action block
next
edit 4
set category 9
set action block
next
edit 5
set category 11
set action block
next
edit 6
set category 12
set action block
next
edit 7
set category 13
set action block
next
edit 8
set category 14
set action block
next
edit 9
set category 15
set action block
next
edit 10
set category 16
set action block
next
edit 11
set action block
next
edit 12
set category 57
set action block
next
edit 13
set category 63
set action block
next
edit 14
set category 64
set action block
next
edit 15
set category 65
set action block
next
edit 16
set category 66
set action block
next
edit 17
set category 67
set action block
next
edit 18
set category 26
set action block
next
edit 19
set category 61
set action block
next
edit 20
set category 86
set action block
next
edit 21
set category 88
set action block
next
edit 22
set category 90
set action block
next
edit 23
set category 91
set action block
next
end
end
next
edit "sniffer-profile"
set comment "Monitor web traffic."
set inspection-mode flow-based
config ftgd-wf
config filters
edit 1
next
edit 2
set category 1
next
edit 3
set category 2
next
edit 4
set category 3
next
edit 5
set category 4
next
edit 6
set category 5
next
edit 7
set category 6
next
edit 8
set category 7
next
edit 9
set category 8
next
edit 10
set category 9
next
edit 11
set category 11
next
edit 12
set category 12
next
edit 13
set category 13
next
edit 14
set category 14
next
edit 15
set category 15
next
edit 16
set category 16
next
edit 17
set category 17
next
edit 18
set category 18
next
edit 19
set category 19
next
edit 20
set category 20
next
edit 21
set category 23
next
edit 22
set category 24
next
edit 23
set category 25
next
edit 24
set category 26
next
edit 25
set category 28
next
edit 26
set category 29
next
edit 27
set category 30
next
edit 28
set category 31
next
edit 29
set category 33
next
edit 30
set category 34
next
edit 31
set category 35
next
edit 32
set category 36
next
edit 33
set category 37
next
edit 34
set category 38
next
edit 35
set category 39
next
edit 36
set category 40
next
edit 37
set category 41
next
edit 38
set category 42
next
edit 39
set category 43
next
edit 40
set category 44
next
edit 41
set category 46
next
edit 42
set category 47
next
edit 43
set category 48
next
edit 44
set category 49
next
edit 45
set category 50
next
edit 46
set category 51
next
edit 47
set category 52
next
edit 48
set category 53
next
edit 49
set category 54
next
edit 50
set category 55
next
edit 51
set category 56
next
edit 52
set category 57
next
edit 53
set category 58
next
edit 54
set category 59
next
edit 55
set category 61
next
edit 56
set category 62
next
edit 57
set category 63
next
edit 58
set category 64
next
edit 59
set category 65
next
edit 60
set category 66
next
edit 61
set category 67
next
edit 62
set category 68
next
edit 63
set category 69
next
edit 64
set category 70
next
edit 65
set category 71
next
edit 66
set category 72
next
edit 67
set category 75
next
edit 68
set category 76
next
edit 69
set category 77
next
edit 70
set category 78
next
edit 71
set category 79
next
edit 72
set category 80
next
edit 73
set category 81
next
edit 74
set category 82
next
edit 75
set category 83
next
edit 76
set category 84
next
edit 77
set category 85
next
edit 78
set category 86
next
edit 79
set category 87
next
edit 80
set category 88
next
edit 81
set category 89
next
edit 82
set category 90
next
edit 83
set category 91
next
edit 84
set category 92
next
edit 85
set category 93
next
edit 86
set category 94
next
edit 87
set category 95
next
end
end
next
edit "wifi-default"
set comment "Default configuration for offloading WiFi traffic."
set inspection-mode flow-based
set options block-invalid-url
config ftgd-wf
unset options
config filters
edit 1
next
edit 2
set category 2
set action block
next
edit 3
set category 7
set action block
next
edit 4
set category 8
set action block
next
edit 5
set category 9
set action block
next
edit 6
set category 11
set action block
next
edit 7
set category 12
set action block
next
edit 8
set category 13
set action block
next
edit 9
set category 14
set action block
next
edit 10
set category 15
set action block
next
edit 11
set category 16
set action block
next
edit 12
set category 26
set action block
next
edit 13
set category 57
set action block
next
edit 14
set category 61
set action block
next
edit 15
set category 63
set action block
next
edit 16
set category 64
set action block
next
edit 17
set category 65
set action block
next
edit 18
set category 66
set action block
next
edit 19
set category 67
set action block
next
edit 20
set category 86
set action block
next
edit 21
set category 88
set action block
next
edit 22
set category 90
set action block
next
edit 23
set category 91
set action block
next
end
end
next
edit "monitor-all"
set comment "Monitor and log all visited URLs, flow-based."
set inspection-mode flow-based
config ftgd-wf
unset options
config filters
edit 1
set category 1
next
edit 2
set category 3
next
edit 3
set category 4
next
edit 4
set category 5
next
edit 5
set category 6
next
edit 6
set category 12
next
edit 7
set category 59
next
edit 8
set category 62
next
edit 9
set category 83
next
edit 10
set category 2
next
edit 11
set category 7
next
edit 12
set category 8
next
edit 13
set category 9
next
edit 14
set category 11
next
edit 15
set category 13
next
edit 16
set category 14
next
edit 17
set category 15
next
edit 18
set category 16
next
edit 19
set category 57
next
edit 20
set category 63
next
edit 21
set category 64
next
edit 22
set category 65
next
edit 23
set category 66
next
edit 24
set category 67
next
edit 25
set category 19
next
edit 26
set category 24
next
edit 27
set category 25
next
edit 28
set category 72
next
edit 29
set category 75
next
edit 30
set category 76
next
edit 31
set category 26
next
edit 32
set category 61
next
edit 33
set category 86
next
edit 34
set category 17
next
edit 35
set category 18
next
edit 36
set category 20
next
edit 37
set category 23
next
edit 38
set category 28
next
edit 39
set category 29
next
edit 40
set category 30
next
edit 41
set category 33
next
edit 42
set category 34
next
edit 43
set category 35
next
edit 44
set category 36
next
edit 45
set category 37
next
edit 46
set category 38
next
edit 47
set category 39
next
edit 48
set category 40
next
edit 49
set category 42
next
edit 50
set category 44
next
edit 51
set category 46
next
edit 52
set category 47
next
edit 53
set category 48
next
edit 54
set category 54
next
edit 55
set category 55
next
edit 56
set category 58
next
edit 57
set category 68
next
edit 58
set category 69
next
edit 59
set category 70
next
edit 60
set category 71
next
edit 61
set category 77
next
edit 62
set category 78
next
edit 63
set category 79
next
edit 64
set category 80
next
edit 65
set category 82
next
edit 66
set category 85
next
edit 67
set category 87
next
edit 68
set category 31
next
edit 69
set category 41
next
edit 70
set category 43
next
edit 71
set category 49
next
edit 72
set category 50
next
edit 73
set category 51
next
edit 74
set category 52
next
edit 75
set category 53
next
edit 76
set category 56
next
edit 77
set category 81
next
edit 78
set category 84
next
edit 79
next
edit 80
set category 88
next
edit 81
set category 89
next
edit 82
set category 90
next
edit 83
set category 91
next
edit 84
set category 92
next
edit 85
set category 93
next
edit 86
set category 94
next
edit 87
set category 95
next
end
end
set log-all-url enable
set web-content-log disable
set web-filter-activex-log disable
set web-filter-command-block-log disable
set web-filter-cookie-log disable
set web-filter-applet-log disable
set web-filter-jscript-log disable
set web-filter-js-log disable
set web-filter-vbs-log disable
set web-filter-unknown-log disable
set web-filter-referer-log disable
set web-filter-cookie-removal-log disable
set web-url-log disable
set web-invalid-domain-log disable
set web-ftgd-err-log disable
set web-ftgd-quota-usage disable
next
end
config webfilter search-engine
edit "google"
set hostname ".*\\.google\\..*"
set url "^\\/((custom|search|images|videosearch|webhp)\\?)"
set query "q="
set safesearch url
set safesearch-str "&safe=active"
next
edit "yahoo"
set hostname ".*\\.yahoo\\..*"
set url "^\\/search(\\/video|\\/images){0,1}(\\?|;)"
set query "p="
set safesearch url
set safesearch-str "&vm=r"
next
edit "bing"
set hostname ".*\\.bing\\..*"
set url "^(\\/images|\\/videos)?(\\/search|\\/async|\\/asyncv2)\\?"
set query "q="
set safesearch header
next
edit "yandex"
set hostname "yandex\\..*"
set url "^\\/((yand|images\\/|video\\/)(search)|search\\/)\\?"
set query "text="
set safesearch url
set safesearch-str "&family=yes"
next
edit "youtube"
set hostname ".*youtube.*"
set safesearch header
next
edit "baidu"
set hostname ".*\\.baidu\\.com"
set url "^\\/s?\\?"
set query "wd="
next
edit "baidu2"
set hostname ".*\\.baidu\\.com"
set url "^\\/(ns|q|m|i|v)\\?"
set query "word="
next
edit "baidu3"
set hostname "tieba\\.baidu\\.com"
set url "^\\/f\\?"
set query "kw="
next
end
config dnsfilter profile
edit "default"
set comment "Default dns filtering."
config ftgd-dns
config filters
edit 1
set category 2
next
edit 2
set category 7
next
edit 3
set category 8
next
edit 4
set category 9
next
edit 5
set category 11
next
edit 6
set category 12
next
edit 7
set category 13
next
edit 8
set category 14
next
edit 9
set category 15
next
edit 10
set category 16
next
edit 11
next
edit 12
set category 57
next
edit 13
set category 63
next
edit 14
set category 64
next
edit 15
set category 65
next
edit 16
set category 66
next
edit 17
set category 67
next
edit 18
set category 26
set action block
next
edit 19
set category 61
set action block
next
edit 20
set category 86
set action block
next
edit 21
set category 88
set action block
next
edit 22
set category 90
set action block
next
edit 23
set category 91
set action block
next
end
end
set block-botnet enable
next
end
config antivirus settings
set grayware enable
end
config antivirus profile
edit "default"
set comment "Scan files and block viruses."
config http
set options scan
end
config ftp
set options scan
end
config imap
set options scan
set executables virus
end
config pop3
set options scan
set executables virus
end
config smtp
set options scan
set executables virus
end
next
edit "sniffer-profile"
set comment "Scan files and monitor viruses."
config http
set options scan
end
config ftp
set options scan
end
config imap
set options scan
set executables virus
end
config pop3
set options scan
set executables virus
end
config smtp
set options scan
set executables virus
end
next
edit "wifi-default"
set comment "Default configuration for offloading WiFi traffic."
config http
set options scan
end
config ftp
set options scan
end
config imap
set options scan
set executables virus
end
config pop3
set options scan
set executables virus
end
config smtp
set options scan
set executables virus
end
next
end
config spamfilter profile
edit "sniffer-profile"
set comment "Malware and phishing URL monitoring."
set flow-based enable
next
edit "default"
set comment "Malware and phishing URL filtering."
next
end
config firewall schedule recurring
edit "always"
set day sunday monday tuesday wednesday thursday friday saturday
next
edit "none"
next
end
config firewall profile-protocol-options
edit "default"
set comment "All default services."
config http
set ports 80
unset options
unset post-lang
end
config ftp
set ports 21
set options splice
end
config imap
set ports 143
set options fragmail
end
config mapi
set ports 135
set options fragmail
end
config pop3
set ports 110
set options fragmail
end
config smtp
set ports 25
set options fragmail splice
end
config nntp
set ports 119
set options splice
end
config dns
set ports 53
end
next
end
config firewall ssl-ssh-profile
edit "deep-inspection"
set comment "Read-only deep inspection profile."
config https
set ports 443
end
config ftps
set ports 990
end
config imaps
set ports 993
end
config pop3s
set ports 995
end
config smtps
set ports 465
end
config ssh
set ports 22
end
config ssl-exempt
edit 1
set fortiguard-category 31
next
edit 2
set fortiguard-category 33
next
edit 3
set type wildcard-fqdn
set wildcard-fqdn "adobe"
next
edit 4
set type wildcard-fqdn
set wildcard-fqdn "Adobe Login"
next
edit 5
set type wildcard-fqdn
set wildcard-fqdn "android"
next
edit 6
set type wildcard-fqdn
set wildcard-fqdn "apple"
next
edit 7
set type wildcard-fqdn
set wildcard-fqdn "appstore"
next
edit 8
set type wildcard-fqdn
set wildcard-fqdn "auth.gfx.ms"
next
edit 9
set type wildcard-fqdn
set wildcard-fqdn "citrix"
next
edit 10
set type wildcard-fqdn
set wildcard-fqdn "dropbox.com"
next
edit 11
set type wildcard-fqdn
set wildcard-fqdn "eease"
next
edit 12
set type wildcard-fqdn
set wildcard-fqdn "firefox update server"
next
edit 13
set type wildcard-fqdn
set wildcard-fqdn "fortinet"
next
edit 14
set type wildcard-fqdn
set wildcard-fqdn "googleapis.com"
next
edit 15
set type wildcard-fqdn
set wildcard-fqdn "google-drive"
next
edit 16
set type wildcard-fqdn
set wildcard-fqdn "google-play2"
next
edit 17
set type wildcard-fqdn
set wildcard-fqdn "google-play3"
next
edit 18
set type wildcard-fqdn
set wildcard-fqdn "Gotomeeting"
next
edit 19
set type wildcard-fqdn
set wildcard-fqdn "icloud"
next
edit 20
set type wildcard-fqdn
set wildcard-fqdn "itunes"
next
edit 21
set type wildcard-fqdn
set wildcard-fqdn "microsoft"
next
edit 22
set type wildcard-fqdn
set wildcard-fqdn "skype"
next
edit 23
set type wildcard-fqdn
set wildcard-fqdn "softwareupdate.vmware.com"
next
edit 24
set type wildcard-fqdn
set wildcard-fqdn "verisign"
next
edit 25
set type wildcard-fqdn
set wildcard-fqdn "Windows update 2"
next
edit 26
set type wildcard-fqdn
set wildcard-fqdn "live.com"
next
edit 27
set type wildcard-fqdn
set wildcard-fqdn "google-play"
next
edit 28
set type wildcard-fqdn
set wildcard-fqdn "update.microsoft.com"
next
edit 29
set type wildcard-fqdn
set wildcard-fqdn "swscan.apple.com"
next
edit 30
set type wildcard-fqdn
set wildcard-fqdn "autoupdate.opera.com"
next
end
next
edit "custom-deep-inspection"
set comment "Customizable deep inspection profile."
config https
set ports 443
end
config ftps
set ports 990
end
config imaps
set ports 993
end
config pop3s
set ports 995
end
config smtps
set ports 465
end
config ssh
set ports 22
end
config ssl-exempt
edit 1
set fortiguard-category 31
next
edit 2
set fortiguard-category 33
next
edit 3
set type wildcard-fqdn
set wildcard-fqdn "adobe"
next
edit 4
set type wildcard-fqdn
set wildcard-fqdn "Adobe Login"
next
edit 5
set type wildcard-fqdn
set wildcard-fqdn "android"
next
edit 6
set type wildcard-fqdn
set wildcard-fqdn "apple"
next
edit 7
set type wildcard-fqdn
set wildcard-fqdn "appstore"
next
edit 8
set type wildcard-fqdn
set wildcard-fqdn "auth.gfx.ms"
next
edit 9
set type wildcard-fqdn
set wildcard-fqdn "citrix"
next
edit 10
set type wildcard-fqdn
set wildcard-fqdn "dropbox.com"
next
edit 11
set type wildcard-fqdn
set wildcard-fqdn "eease"
next
edit 12
set type wildcard-fqdn
set wildcard-fqdn "firefox update server"
next
edit 13
set type wildcard-fqdn
set wildcard-fqdn "fortinet"
next
edit 14
set type wildcard-fqdn
set wildcard-fqdn "googleapis.com"
next
edit 15
set type wildcard-fqdn
set wildcard-fqdn "google-drive"
next
edit 16
set type wildcard-fqdn
set wildcard-fqdn "google-play2"
next
edit 17
set type wildcard-fqdn
set wildcard-fqdn "google-play3"
next
edit 18
set type wildcard-fqdn
set wildcard-fqdn "Gotomeeting"
next
edit 19
set type wildcard-fqdn
set wildcard-fqdn "icloud"
next
edit 20
set type wildcard-fqdn
set wildcard-fqdn "itunes"
next
edit 21
set type wildcard-fqdn
set wildcard-fqdn "microsoft"
next
edit 22
set type wildcard-fqdn
set wildcard-fqdn "skype"
next
edit 23
set type wildcard-fqdn
set wildcard-fqdn "softwareupdate.vmware.com"
next
edit 24
set type wildcard-fqdn
set wildcard-fqdn "verisign"
next
edit 25
set type wildcard-fqdn
set wildcard-fqdn "Windows update 2"
next
edit 26
set type wildcard-fqdn
set wildcard-fqdn "live.com"
next
edit 27
set type wildcard-fqdn
set wildcard-fqdn "google-play"
next
edit 28
set type wildcard-fqdn
set wildcard-fqdn "update.microsoft.com"
next
edit 29
set type wildcard-fqdn
set wildcard-fqdn "swscan.apple.com"
next
edit 30
set type wildcard-fqdn
set wildcard-fqdn "autoupdate.opera.com"
next
end
next
edit "certificate-inspection"
set comment "Read-only SSL handshake inspection profile."
config https
set ports 443
set status certificate-inspection
end
config ftps
set status disable
end
config imaps
set status disable
end
config pop3s
set status disable
end
config smtps
set status disable
end
config ssh
set ports 22
set status disable
end
next
end
config waf profile
edit "default"
config signature
config main-class 100000000
set action block
set severity high
end
config main-class 20000000
end
config main-class 30000000
set status enable
set action block
set severity high
end
config main-class 40000000
end
config main-class 50000000
set status enable
set action block
set severity high
end
config main-class 60000000
end
config main-class 70000000
set status enable
set action block
set severity high
end
config main-class 80000000
set status enable
set severity low
end
config main-class 110000000
set status enable
set severity high
end
config main-class 90000000
set status enable
set action block
set severity high
end
set disabled-signature 80080005 80200001 60030001 60120001 80080003 90410001 90410002
end
config constraint
config header-length
set status enable
set log enable
set severity low
end
config content-length
set status enable
set log enable
set severity low
end
config param-length
set status enable
set log enable
set severity low
end
config line-length
set status enable
set log enable
set severity low
end
config url-param-length
set status enable
set log enable
set severity low
end
config version
set log enable
end
config method
set action block
set log enable
end
config hostname
set action block
set log enable
end
config malformed
set log enable
end
config max-cookie
set status enable
set log enable
set severity low
end
config max-header-line
set status enable
set log enable
set severity low
end
config max-url-param
set status enable
set log enable
set severity low
end
config max-range-segment
set status enable
set log enable
set severity high
end
end
next
end
config firewall policy
edit 1
set uuid 512941c4-56c4-51ea-a7c7-fbbbb7ae4884
set srcintf "internal"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat enable
next
end
config firewall ssh local-key
edit "Fortinet_SSH_RSA2048"
set password ENC T93uP+ZVcGj5KjeSUOkNC2B8n8//dOHqd5SniiIYrKPbp3eRTPkqz2rFnHwRKrEU/b9j4sRr/4eN03Zfuznuk8LGXDTDC/9CW5c+pYQSBttziBoakDAsN51hpPe328W3fW0+IpK4j//JKfFjmvMfiyoKrqsNTnSkEbLhEFa1M32aPc97ZZVQIEASn8LD0YTRw7dNXQ==
set source built-in
next
edit "Fortinet_SSH_DSA1024"
set password ENC 8BpKur/0FGb6xqEdPyoc/h+C7UUKAkmK8Yhbzv1CkoWQ3ktdXpsMhqEWLU9tZu9l+gLRMecbnr9fi6j6dJMO75QQg7jRILPefNmWQXCC17+JRcF3IxAiFQ0ygtXr6aNRK9oVT8+xQl3DCH8Hjeu1H8aXVB82q2h9+pfDHHgsMeZTfPtZGaWe3smlXBqUdu7Q8/ov0g==
set source built-in
next
edit "Fortinet_SSH_ECDSA256"
set password ENC o7xvwVm4XCT33Ym/z2BqmghacBBi2l6vvo7qnKy3rkSsBI2nZ8L+xTCicIZA3XQGgq/0pUMayjCSjfOv8mQKGkEYBXoPXc5i7PGkAMOvuXeIhkU/1TusQtBur/2qZ3dqDCVo+PU0Zf2n8tdkEkKkPVJiaXa7mGWiNoUysly9kzhSg6tvUh0Ho/UNtv2anipin63K4w==
set source built-in
next
edit "Fortinet_SSH_ECDSA384"
set password ENC knRlJU+uPnpInn6g7EyqbFhwkazgOUK0SmegkXh99KJ7Gz+7WD1gyQ0aALLUZO+G+xqob2TE1vuv3WfvVl9YS4Nf8BtkV01Dj/z2G9vh/TcDuRchaNwgJLuIMNwjRKBwwyWtbzkLx6MGMV6hxM8e9gbArXc824Rk10ZIs7YOoQ27pVPRFUkUMYK9sgOQLKeC9s6OKA==
set source built-in
next
edit "Fortinet_SSH_ECDSA521"
set password ENC CjHxr0czEIUU7kdM4hH2jzOIwKLuHPhs1ozofzuiTnIuygxt1KbHCoQJAhnBlx069DX8jMFB1eaBHiTKGtEUXBKe7d4HGDeXx7pD0E0eN8jsgj79z/PTnPypkgoKlns8fmGD3P6BmLk7HyObNfRYJsTJN1h23TRUx3efs3+++FPw0TCoBhqA7HmtEAjwwYinmzzr0Q==
set source built-in
next
edit "Fortinet_SSH_ED25519"
set password ENC vDtZPnX779QNKJrqIHO12ZyKR+fNeX4z+XltV1lkidxHCZbvcFa0aDASOuSLxi8LgQVPV9+KrsfqKpTX39lN10yfPul1Pvsh/wvnsGUXR7w7yPVZg+HWd0M2Hx5Mr/5iI2O3yWdBAiD7H6iyqyvQU4TGgw3obQG4qi/G1+FllTtPGIRl5ccFYBgf2G3lcnhwOlK9sw==
set source built-in
next
end
config firewall ssh local-ca
edit "Fortinet_SSH_CA"
set password ENC 4Hh70yfz9Y9HEwWvcKF2GJPHShEOuKhKpvOVX9Y3hepPtKOLHkBeU7UIR21IaZPAHLxlpbt2EaO4dZQKVc54w9/xpNLpOv+pcXxdoiE0vT/K98CRDE2ADoYVVEMTH0TTBU9CZOzHk2Hmeomm9MG8eWmXkZaTk92Zx9ygwUJCM7YKr5DaFKs4NRx8/IDnciAJ6icqXg==
set source built-in
next
edit "Fortinet_SSH_CA_Untrusted"
set password ENC PGT/Qfw9tfB0F7ktB+Lask2dXOKT+dQUvv0nW+VgznThwYGDOIbvamvr6pp2KpGJytXzoZ0lti7rbdFlFg3LDJcqIYx2I5rWqzifqkOu6SQMAgciVIYKQuV8KkiislvOAJkpO1joC0oxe4cNHvAJ8iyS3lxlGbvPQcouv5loH2LovB1pFRRbRhjQRz/2xpPaVGPbyQ==
set source built-in
next
end
config firewall ssh setting
set caname "Fortinet_SSH_CA"
set untrusted-caname "Fortinet_SSH_CA_Untrusted"
set hostkey-rsa2048 "Fortinet_SSH_RSA2048"
set hostkey-dsa1024 "Fortinet_SSH_DSA1024"
set hostkey-ecdsa256 "Fortinet_SSH_ECDSA256"
set hostkey-ecdsa384 "Fortinet_SSH_ECDSA384"
set hostkey-ecdsa521 "Fortinet_SSH_ECDSA521"
set hostkey-ed25519 "Fortinet_SSH_ED25519"
end
config switch-controller security-policy 802-1X
edit "802-1X-policy-default"
set user-group "SSO_Guest_Users"
set mac-auth-bypass disable
set open-auth disable
set eap-passthru enable
set guest-vlan disable
set auth-fail-vlan disable
set radius-timeout-overwrite disable
next
end
config switch-controller lldp-profile
edit "default"
set med-tlvs inventory-management network-policy
set auto-isl disable
config med-network-policy
edit "voice"
next
edit "voice-signaling"
next
edit "guest-voice"
next
edit "guest-voice-signaling"
next
edit "softphone-voice"
next
edit "video-conferencing"
next
edit "streaming-video"
next
edit "video-signaling"
next
end
next
edit "default-auto-isl"
next
end
config switch-controller qos dot1p-map
edit "voice-dot1p"
set priority-0 queue-4
set priority-1 queue-4
set priority-2 queue-3
set priority-3 queue-2
set priority-4 queue-3
set priority-5 queue-1
set priority-6 queue-2
set priority-7 queue-2
next
end
config switch-controller qos ip-dscp-map
edit "voice-dscp"
config map
edit "1"
set cos-queue 1
set value 46
next
edit "2"
set cos-queue 2
set value 24,26,48,56
next
edit "5"
set cos-queue 3
set value 34
next
end
next
end
config switch-controller qos queue-policy
edit "default"
set schedule round-robin
config cos-queue
edit "queue-0"
next
edit "queue-1"
next
edit "queue-2"
next
edit "queue-3"
next
edit "queue-4"
next
edit "queue-5"
next
edit "queue-6"
next
edit "queue-7"
next
end
next
edit "voice-egress"
set schedule weighted
config cos-queue
edit "queue-0"
next
edit "queue-1"
set weight 0
next
edit "queue-2"
set weight 6
next
edit "queue-3"
set weight 37
next
edit "queue-4"
set weight 12
next
edit "queue-5"
next
edit "queue-6"
next
edit "queue-7"
next
end
next
end
config switch-controller qos qos-policy
edit "default"
next
edit "voice-qos"
set trust-dot1p-map "voice-dot1p"
set trust-ip-dscp-map "voice-dscp"
set queue-policy "voice-egress"
next
end
config switch-controller switch-profile
edit "default"
next
end
config endpoint-control profile
edit "default"
config forticlient-winmac-settings
end
config forticlient-android-settings
end
config forticlient-ios-settings
end
next
end
config wireless-controller wids-profile
edit "default"
set comment "Default WIDS profile."
set ap-scan enable
set wireless-bridge enable
set deauth-broadcast enable
set null-ssid-probe-resp enable
set long-duration-attack enable
set invalid-mac-oui enable
set weak-wep-iv enable
set auth-frame-flood enable
set assoc-frame-flood enable
set spoofed-deauth enable
set asleap-attack enable
set eapol-start-flood enable
set eapol-logoff-flood enable
set eapol-succ-flood enable
set eapol-fail-flood enable
set eapol-pre-succ-flood enable
set eapol-pre-fail-flood enable
next
edit "default-wids-apscan-enabled"
set ap-scan enable
next
end
config wireless-controller wtp-profile
edit "AP-11N-default"
config platform
set type AP-11N
end
set handoff-sta-thresh 30
config radio-1
set band 802.11n,g-only
end
next
edit "FAP112B-default"
config platform
set type 112B
end
set handoff-sta-thresh 30
config radio-1
set band 802.11n,g-only
end
next
edit "FAP220B-default"
set handoff-sta-thresh 30
config radio-1
set band 802.11n-5G
end
config radio-2
set band 802.11n,g-only
end
next
edit "FAP223B-default"
config platform
set type 223B
end
set handoff-sta-thresh 30
config radio-1
set band 802.11n-5G
end
config radio-2
set band 802.11n,g-only
end
next
edit "FAP210B-default"
config platform
set type 210B
end
set handoff-sta-thresh 30
config radio-1
set band 802.11n,g-only
end
next
edit "FAP222B-default"
config platform
set type 222B
end
set handoff-sta-thresh 30
config radio-1
set band 802.11n,g-only
end
config radio-2
set band 802.11n-5G
end
next
edit "FAP320B-default"
config platform
set type 320B
end
set handoff-sta-thresh 30
config radio-1
set band 802.11n-5G
end
config radio-2
set band 802.11n,g-only
end
next
edit "FAP11C-default"
config platform
set type 11C
end
set handoff-sta-thresh 30
config radio-1
set band 802.11n,g-only
end
next
edit "FAP14C-default"
config platform
set type 14C
end
set handoff-sta-thresh 30
config radio-1
set band 802.11n,g-only
end
next
edit "FAP28C-default"
config platform
set type 28C
end
set handoff-sta-thresh 30
config radio-1
set band 802.11n,g-only
end
next
edit "FAP320C-default"
config platform
set type 320C
end
set handoff-sta-thresh 30
config radio-1
set band 802.11n,g-only
end
config radio-2
set band 802.11ac
end
next
edit "FAP221C-default"
config platform
set type 221C
end
set handoff-sta-thresh 30
config radio-1
set band 802.11n,g-only
end
config radio-2
set band 802.11ac
end
next
edit "FAP25D-default"
config platform
set type 25D
end
set handoff-sta-thresh 30
config radio-1
set band 802.11n,g-only
end
next
edit "FAP222C-default"
config platform
set type 222C
end
set handoff-sta-thresh 30
config radio-1
set band 802.11n,g-only
end
config radio-2
set band 802.11ac
end
next
edit "FAP224D-default"
config platform
set type 224D
end
set handoff-sta-thresh 30
config radio-1
set band 802.11n-5G
end
config radio-2
set band 802.11n,g-only
end
next
edit "FK214B-default"
config platform
set type 214B
end
set handoff-sta-thresh 30
config radio-1
set band 802.11n,g-only
end
next
edit "FAP21D-default"
config platform
set type 21D
end
set handoff-sta-thresh 30
config radio-1
set band 802.11n,g-only
end
next
edit "FAP24D-default"
config platform
set type 24D
end
set handoff-sta-thresh 30
config radio-1
set band 802.11n,g-only
end
next
edit "FAP112D-default"
config platform
set type 112D
end
set handoff-sta-thresh 30
config radio-1
set band 802.11n,g-only
end
next
edit "FAP223C-default"
config platform
set type 223C
end
set handoff-sta-thresh 30
config radio-1
set band 802.11n,g-only
end
config radio-2
set band 802.11ac
end
next
edit "FAP321C-default"
config platform
set type 321C
end
set handoff-sta-thresh 30
config radio-1
set band 802.11n,g-only
end
config radio-2
set band 802.11ac
end
next
edit "FAPS321C-default"
config platform
set type S321C
end
set handoff-sta-thresh 30
config radio-1
set band 802.11n,g-only
end
config radio-2
set band 802.11ac
end
next
edit "FAPS322C-default"
config platform
set type S322C
end
set handoff-sta-thresh 30
config radio-1
set band 802.11n,g-only
end
config radio-2
set band 802.11ac
end
next
edit "FAPS323C-default"
config platform
set type S323C
end
set handoff-sta-thresh 30
config radio-1
set band 802.11n,g-only
end
config radio-2
set band 802.11ac
end
next
edit "FAPS311C-default"
config platform
set type S311C
end
set handoff-sta-thresh 30
config radio-1
set band 802.11ac
end
next
edit "FAPS313C-default"
config platform
set type S313C
end
set handoff-sta-thresh 30
config radio-1
set band 802.11ac
end
next
edit "FAPS321CR-default"
config platform
set type S321CR
end
set handoff-sta-thresh 30
config radio-1
set band 802.11n,g-only
end
config radio-2
set band 802.11ac
end
next
edit "FAPS322CR-default"
config platform
set type S322CR
end
set handoff-sta-thresh 30
config radio-1
set band 802.11n,g-only
end
config radio-2
set band 802.11ac
end
next
edit "FAPS323CR-default"
config platform
set type S323CR
end
set handoff-sta-thresh 30
config radio-1
set band 802.11n,g-only
end
config radio-2
set band 802.11ac
end
next
edit "FAPS421E-default"
config platform
set type S421E
end
set handoff-sta-thresh 30
config radio-1
set band 802.11n,g-only
end
config radio-2
set band 802.11ac
end
next
edit "FAPS422E-default"
config platform
set type S422E
end
set handoff-sta-thresh 30
config radio-1
set band 802.11n,g-only
end
config radio-2
set band 802.11ac
end
next
edit "FAPS423E-default"
config platform
set type S423E
end
set handoff-sta-thresh 30
config radio-1
set band 802.11n,g-only
end
config radio-2
set band 802.11ac
end
next
edit "FAP421E-default"
config platform
set type 421E
end
set handoff-sta-thresh 30
config radio-1
set band 802.11n,g-only
end
config radio-2
set band 802.11ac
end
next
edit "FAP423E-default"
config platform
set type 423E
end
set handoff-sta-thresh 30
config radio-1
set band 802.11n,g-only
end
config radio-2
set band 802.11ac
end
next
edit "FAPU421E-default"
config platform
set type U421E
end
set handoff-sta-thresh 30
config radio-1
set band 802.11n
end
config radio-2
set band 802.11ac
end
next
edit "FAPU422EV-default"
config platform
set type U422EV
end
set handoff-sta-thresh 30
config radio-1
set band 802.11n
end
config radio-2
set band 802.11ac
end
next
edit "FAPU423E-default"
config platform
set type U423E
end
set handoff-sta-thresh 30
config radio-1
set band 802.11n
end
config radio-2
set band 802.11ac
end
next
edit "FAP221E-default"
config platform
set type 221E
end
set handoff-sta-thresh 30
config radio-1
set band 802.11n,g-only
end
config radio-2
set band 802.11ac
end
next
edit "FAP222E-default"
config platform
set type 222E
end
set handoff-sta-thresh 30
config radio-1
set band 802.11n,g-only
end
config radio-2
set band 802.11ac
end
next
edit "FAP223E-default"
config platform
set type 223E
end
set handoff-sta-thresh 30
config radio-1
set band 802.11n,g-only
end
config radio-2
set band 802.11ac
end
next
edit "FAP224E-default"
config platform
set type 224E
end
set handoff-sta-thresh 30
config radio-1
set band 802.11n,g-only
end
config radio-2
set band 802.11ac
end
next
edit "FAPS221E-default"
config platform
set type S221E
end
set handoff-sta-thresh 30
config radio-1
set band 802.11n,g-only
end
config radio-2
set band 802.11ac
end
next
edit "FAPS223E-default"
config platform
set type S223E
end
set handoff-sta-thresh 30
config radio-1
set band 802.11n,g-only
end
config radio-2
set band 802.11ac
end
next
edit "FAPU221EV-default"
config platform
set type U221EV
end
set handoff-sta-thresh 30
config radio-1
set band 802.11n
end
config radio-2
set band 802.11ac
end
next
edit "FAPU223EV-default"
config platform
set type U223EV
end
set handoff-sta-thresh 30
config radio-1
set band 802.11n
end
config radio-2
set band 802.11ac
end
next
edit "FAPU24JEV-default"
config platform
set type U24JEV
end
set handoff-sta-thresh 30
config radio-1
set band 802.11n
end
config radio-2
set band 802.11ac
end
next
edit "FAPU321EV-default"
config platform
set type U321EV
end
set handoff-sta-thresh 30
config radio-1
set band 802.11n
end
config radio-2
set band 802.11ac
end
next
edit "FAPU323EV-default"
config platform
set type U323EV
end
set handoff-sta-thresh 30
config radio-1
set band 802.11n
end
config radio-2
set band 802.11ac
end
next
end
config wireless-controller utm-profile
edit "wifi-default"
set comment "Default configuration for offloading WiFi traffic."
set ips-sensor "wifi-default"
set application-list "wifi-default"
set antivirus-profile "wifi-default"
set webfilter-profile "wifi-default"
next
end
config log memory setting
set status enable
end
config log null-device setting
set status disable
end
config router rip
config redistribute "connected"
end
config redistribute "static"
end
config redistribute "ospf"
end
config redistribute "bgp"
end
config redistribute "isis"
end
end
config router ripng
config redistribute "connected"
end
config redistribute "static"
end
config redistribute "ospf"
end
config redistribute "bgp"
end
config redistribute "isis"
end
end
config router ospf
config redistribute "connected"
end
config redistribute "static"
end
config redistribute "rip"
end
config redistribute "bgp"
end
config redistribute "isis"
end
end
config router ospf6
config redistribute "connected"
end
config redistribute "static"
end
config redistribute "rip"
end
config redistribute "bgp"
end
config redistribute "isis"
end
end
config router bgp
config redistribute "connected"
end
config redistribute "rip"
end
config redistribute "ospf"
end
config redistribute "static"
end
config redistribute "isis"
end
config redistribute6 "connected"
end
config redistribute6 "rip"
end
config redistribute6 "ospf"
end
config redistribute6 "static"
end
config redistribute6 "isis"
end
end
config router isis
config redistribute "connected"
end
config redistribute "rip"
end
config redistribute "ospf"
end
config redistribute "bgp"
end
config redistribute "static"
end
config redistribute6 "connected"
end
config redistribute6 "rip"
end
config redistribute6 "ospf"
end
config redistribute6 "bgp"
end
config redistribute6 "static"
end
end
config router multicast
end―――――――――――――
