auth-on-demand

soft-timeout

idle-timeout

new-session

hard-timeout

The signature setting uses a custom rating threshold.

The signature setting includes a group of other signatures.

Traffic matching the signature will be allowed and logged.

Traffic matching the signature will be silently dropped and logged.

FortiGate uses the AD server as the collector agent.

FortiGate uses the SMB protocol to read the event viewer logs from the DCs.

FortiGate does not support workstation check.

FortiGate directs the collector agent to use a remote LDAP server.

Proxy-based inspection

Certificate inspection

Flow-based inspection

Full Content inspection

FortiGate acts as an FDS server.

FortiGate acts as an HTTP reverse proxy.

FortiGate acts as DNS server.

FortiGate acts as router.

To detect intermediary NAT devices in the tunnel path.

To dynamically change phase 1 negotiation mode aggressive mode.

To encapsulation ESP packets in UDP packets using port 4500.

To force a new DH exchange with each phase 2 rekey.

Source defined as Internet Services in the firewall policy.

Destination defined as Internet Services in the firewall policy.

Highest to lowest priority defined in the firewall policy.

Services defined in the firewall policy.

Lowest to highest policy ID number.

remote user’s public IP address

The public IP address of the FortiGate device.

The remote user’s virtual IP address.

The internal IP address of the FortiGate device.

On HQ-FortiGate, set IKE mode to Main (ID protection).

On both FortiGate devices, set Dead Peer Detection to On Demand.

On HQ-FortiGate, disable Diffie-Helman group 2.

On Remote-FortiGate, set port2 as Interface.

DNS

ping

udp-echo

TWAMP

The firmware image must be manually uploaded to each FortiGate.

Only secondary FortiGate devices are rebooted.

Uninterruptable upgrade is enabled by default.

Traffic load balancing is temporally disabled while upgrading the firmware.

Antivirus scan

Trojan scan

Machine learning scan

Ransomware scan

A phase 2 configuration is not required.

This VPN cannot be used as part of a hub-and-spoke topology.

A virtual IPsec interface is automatically created after the phase 1 configuration is completed.

The IPsec firewall policies must be placed at the top of the list.

The session is in SYN_SENT state.

The session is in FIN_ACK state.

The session is in FTN_WAIT state.

The session is in ESTABLISHED state.

Root VDOM

FG-traffic VDOM

Customer VDOM

Global VDOM

It provides executive summaries of the four largest areas of security focus.

Many of the security issues can be fixed immediately by clicking Apply where available.

The Security Fabric rating must be run on the root FortiGate device in the Security Fabric.

The Security Fabric rating is a free service that comes bundled with alt FortiGate devices.

FortiGate automatically negotiates different local and remote addresses with the remote peer.

FortiGate automatically negotiates a new security association after the existing security association expires.

FortiGate automatically negotiates different encryption and authentication algorithms with the remote peer.

FortiGate automatically brings up the IPsec tunnel and keeps it up, regardless of activity on the IPsec tunnel.

Web filtering

Antivirus

Web proxy

Application control

Enable anti-replay in firewall policy.

Disable the RPF check at the FortiGate interface level for the source check

Enable asymmetric routing.

Disable strict-arc-check under system settings.

SSH

HTTPS

FTM

FortiTelemetry