scsd/scsd-configs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fortigate Thu Nov 13 08:46:12 PM EST 2025

Browse Source
This commit is contained in:
John Poland 2025-11-13 20:46:12 -05:00
parent 7da70a743a
commit 926d98e6f8
51 changed files with 1068 additions and 366 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
configs/fortigate/global/certificate.cfg
View File

@ -16,6 +16,11 @@ config certificate local
set comments "This certificate is embedded in the hardware at the factory and is unique to this unit. "
set source factory
next
edit "Fortinet_GUI_Server"
set password ENC *HIDDEN*
set comments "This is the default CA certificate the SSL Inspection will use when generating new server certificates."
set source factory
next
edit "Fortinet_SSL_RSA1024"
set password ENC *HIDDEN*
set comments "This certificate is embedded in the hardware at the factory and is unique to this unit. "

35
configs/fortigate/global/dlp.cfg
View File

@ -1,6 +1,37 @@
config dlp sensor
config dlp data-type
edit "g-edm-keyword"
set pattern ".+"
set transform "/\\b\\0\\b/i"
next
edit "g-keyword"
set pattern "built-in"
next
edit "g-regex"
set pattern "built-in"
next
edit "g-hex"
set pattern "built-in"
next
edit "g-mip-label"
set pattern "^[[:xdigit:]]{8}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{12}$"
set transform "built-in"
next
edit "g-credit-card"
set pattern "\\b([2-6]{1}\\d{3})[- ]?(\\d{4})[- ]?(\\d{2})[- ]?(\\d{2})[- ]?(\\d{2,4})\\b"
set verify "builtin)credit-card"
set look-back 20
set transform "\\b\\1[- ]?\\2[- ]?\\3[- ]?\\4[- ]?\\5\\b"
next
edit "g-ssn-us"
set pattern "\\b(\\d{3})-(\\d{2})-(\\d{4})\\b"
set verify "(?<!-)\\b(?!666|000|9\\d{2})\\d{3}-(?!00)\\d{2}-(?!0{4})\\d{4}\\b(?!-)"
set look-back 12
set transform "\\b\\1-\\2-\\3\\b"
next
end
config dlp profile
edit "g-default"
set comment "Default sensor."
set comment "Default profile."
next
edit "g-sniffer-profile"
set comment "Log a summary of email and web traffic."

4
configs/fortigate/global/endpoint-control.cfg
View File

@ -14,4 +14,8 @@ config endpoint-control fctems
next
edit 5
next
edit 6
next
edit 7
next
end

216
configs/fortigate/global/firewall.cfg
View File

@ -5189,6 +5189,222 @@ config firewall internet-service-name
edit "Microsoft-Azure.Front.Door.MicrosoftSecurity"
set internet-service-id 328080
next
edit "Microsoft-Azure.Connectors"
set internet-service-id 327980
next
edit "Microsoft-Azure.Front.Door"
set internet-service-id 327993
next
edit "Microsoft-Azure.Service.Bus"
set internet-service-id 328007
next
edit "Microsoft-Azure.Microsoft.Defender"
set internet-service-id 328009
next
edit "Microsoft-Azure.Resource.Manager"
set internet-service-id 328013
next
edit "Microsoft-Azure.Arc.Infrastructure"
set internet-service-id 328014
next
edit "Microsoft-Azure.Storage"
set internet-service-id 328015
next
edit "Microsoft-Azure.ATP"
set internet-service-id 328016
next
edit "Microsoft-Azure.Traffic.Manager"
set internet-service-id 328017
next
edit "Microsoft-Azure.Windows.Admin.Center"
set internet-service-id 328018
next
edit "Microsoft-Azure.KeyVault"
set internet-service-id 328021
next
edit "Microsoft-Azure.Databricks"
set internet-service-id 328034
next
edit "Microsoft-Azure.Event.Hub"
set internet-service-id 328035
next
edit "Microsoft-Azure.Power.Platform"
set internet-service-id 328043
next
edit "Amazon-AWS.EBS"
set internet-service-id 393470
next
edit "Amazon-AWS.Cloud9"
set internet-service-id 393471
next
edit "Amazon-AWS.DynamoDB"
set internet-service-id 393472
next
edit "Amazon-AWS.Route53"
set internet-service-id 393473
next
edit "Amazon-AWS.S3"
set internet-service-id 393474
next
edit "Amazon-AWS.Kinesis.Video.Streams"
set internet-service-id 393475
next
edit "Amazon-AWS.Global.Accelerator"
set internet-service-id 393476
next
edit "Amazon-AWS.EC2"
set internet-service-id 393477
next
edit "Amazon-AWS.API.Gateway"
set internet-service-id 393478
next
edit "Amazon-AWS.Chime.Voice.Connector"
set internet-service-id 393479
next
edit "Amazon-AWS.Connect"
set internet-service-id 393480
next
edit "Amazon-AWS.CloudFront"
set internet-service-id 393481
next
edit "Amazon-AWS.CodeBuild"
set internet-service-id 393482
next
edit "Amazon-AWS.Chime.Meetings"
set internet-service-id 393483
next
edit "Amazon-AWS.AppFlow"
set internet-service-id 393484
next
edit "Salesforce-Hyperforce"
set internet-service-id 655738
next
edit "Fortinet-FortiMonitor"
set internet-service-id 1245558
next
edit "Tor-Tor.Node"
set internet-service-id 2818432
next
edit "OVHcloud-OVH.Telecom"
set internet-service-id 13828461
next
edit "Zero.Networks-Zero.Networks"
set internet-service-id 17891679
next
edit "EGI-EGI.Hosting.Service"
set internet-service-id 18022753
next
edit "ONYPHE-Scanner"
set internet-service-id 18088102
next
edit "Proofpoint-Proofpoint"
set internet-service-id 18153828
next
edit "Heimdal-Heimdal.Security"
set internet-service-id 18284902
next
edit "Yealink-Yealink.Meeting"
set internet-service-id 18350439
next
edit "Secomea-Secomea"
set internet-service-id 18415976
next
edit "CallTower-CT.Cloud"
set internet-service-id 18481513
next
edit "OpenAI-OpenAI.Bot"
set internet-service-id 18547052
next
edit "OpenAI-GPT.Actions"
set internet-service-id 18547073
next
edit "Alpemix-Alpemix"
set internet-service-id 18612590
next
edit "M247-M247.Hosting.Service"
set internet-service-id 18678127
next
edit "Quintex-Quintex.Hosting.Service"
set internet-service-id 18743664
next
edit "Aeza-Aeza.Hosting.Service"
set internet-service-id 18809201
next
edit "Amanah-Amanah.Hosting.Service"
set internet-service-id 18874738
next
edit "ByteDance-Lark"
set internet-service-id 18940275
next
edit "KnowBe4-KnowBe4"
set internet-service-id 19005812
next
edit "Keeper-Keeper.Security"
set internet-service-id 19071349
next
edit "NinjaOne-NinjaOne"
set internet-service-id 19136887
next
edit "Modat-Scanner"
set internet-service-id 19202214
next
edit "Make-Make.Platform"
set internet-service-id 19267963
next
edit "Cloudzy-Cloudzy.Hosting.Service"
set internet-service-id 19333501
next
edit "Nokia-Deepfield.Genome.Crawler"
set internet-service-id 19399038
next
edit "Neat-Neat.Cloud"
set internet-service-id 19464575
next
edit "Brightree-Brightree"
set internet-service-id 19530114
next
edit "PagerDuty-PagerDuty"
set internet-service-id 19595651
next
edit "JFrog-JFrog"
set internet-service-id 19661188
next
edit "Tailscale-Tailscale"
set internet-service-id 19726725
next
edit "Gamma-Horizon"
set internet-service-id 19792265
next
edit "Automox-Automox"
set internet-service-id 19857802
next
edit "Pulseway-Pulseway.RMM"
set internet-service-id 19923339
next
edit "3xK-3xK.Hosting.Service"
set internet-service-id 19988876
next
edit "ASEM-UBIQUITY"
set internet-service-id 20054413
next
edit "Dialpad-Dialpad"
set internet-service-id 20119950
next
edit "iboss-iboss.Cloud"
set internet-service-id 20185487
next
edit "Redstor-Redstor"
set internet-service-id 20251025
next
edit "Anthropic-Claude"
set internet-service-id 20382099
next
edit "NETLOCK-NETLOCK"
set internet-service-id 20578711
next
edit "Aircall-Aircall"
set internet-service-id 20906400
next
end
config firewall internet-service-definition
end

6
configs/fortigate/global/ips.cfg
View File

@ -3,7 +3,7 @@ config ips sensor
set comment "Prevent critical attacks."
config entries
edit 1
set severity medium high critical
set severity medium high critical
next
end
next
@ -11,7 +11,7 @@ config ips sensor
set comment "Monitor IPS attacks."
config entries
edit 1
set severity medium high critical
set severity medium high critical
next
end
next
@ -19,7 +19,7 @@ config ips sensor
set comment "Default configuration for offloading WiFi traffic."
config entries
edit 1
set severity medium high critical
set severity medium high critical
next
end
next

285
configs/fortigate/global/system.cfg
View File

@ -2,14 +2,16 @@ config system global
set admin-server-cert "Fortinet_Factory"
set admintimeout 59
set alias "FortiGate-2601F"
set gui-auto-upgrade-setup-warning disable
set gui-device-latitude "43.02974913459805"
set gui-device-longitude "-76.14486694335938"
set hostname "noc-fortigate-a"
set management-port-use-admin-sport disable
set remoteauthtimeout 120
set revision-backup-on-logout enable
set sslvpn-web-mode enable
set switch-controller enable
set timezone 12
set timezone "US/Eastern"
set vdom-mode multi-vdom
end
config system accprofile
@ -25,6 +27,10 @@ config system accprofile
set utmgrp read-write
set wanoptgrp read-write
set wifi read-write
set cli-get enable
set cli-show enable
set cli-exec enable
set cli-config enable
next
edit "NOC_Dashboard"
set comments "For displaying info in Operations area"
@ -40,7 +46,10 @@ config system accprofile
set wanoptgrp read
set wifi read
set admintimeout-override enable
set system-diagnostics disable
set cli-get enable
set cli-show enable
set cli-exec enable
set cli-config enable
set admintimeout 0
next
edit "Read_Only"
@ -55,6 +64,10 @@ config system accprofile
set utmgrp read
set wanoptgrp read
set wifi read
set cli-get enable
set cli-show enable
set cli-exec enable
set cli-config enable
next
end
config system npu
@ -150,26 +163,22 @@ config system interface
set type physical
set alias "HA Port 1"
set snmp-index 1
set speed 10000auto
next
edit "port2"
set vdom "root"
set type physical
set alias "HA Port 2"
set snmp-index 2
set speed 10000auto
next
edit "port3"
set vdom "root"
set type physical
set snmp-index 3
set speed 10000auto
next
edit "port4"
set vdom "root"
set type physical
set snmp-index 4
set speed 10000auto
next
edit "port5"
set vdom "scsd"
@ -187,13 +196,11 @@ config system interface
set vdom "root"
set type physical
set snmp-index 7
set speed 10000auto
next
edit "port8"
set vdom "root"
set type physical
set snmp-index 8
set speed 10000auto
next
edit "port9"
set vdom "TEST"
@ -201,7 +208,6 @@ config system interface
set type physical
set alias "LAN_Test"
set snmp-index 9
set speed 10000auto
next
edit "port10"
set vdom "TEST"
@ -209,43 +215,36 @@ config system interface
set type physical
set alias "WAN_Test"
set snmp-index 10
set speed 10000auto
next
edit "port11"
set vdom "root"
set type physical
set snmp-index 11
set speed 10000auto
next
edit "port12"
set vdom "root"
set type physical
set snmp-index 12
set speed 10000auto
next
edit "port13"
set vdom "root"
set type physical
set snmp-index 13
set speed 10000auto
next
edit "port14"
set vdom "root"
set type physical
set snmp-index 14
set speed 10000auto
next
edit "port15"
set vdom "root"
set type physical
set snmp-index 15
set speed 10000auto
next
edit "port16"
set vdom "root"
set type physical
set snmp-index 16
set speed 10000auto
next
edit "port17"
set vdom "scsd"
@ -457,23 +456,6 @@ config system interface
set alias "SSL VPN interface"
set snmp-index 42
next
edit "naf.scsd"
set vdom "scsd"
set type tunnel
set src-check disable
set snmp-index 57
next
edit "l2t.scsd"
set vdom "scsd"
set type tunnel
set snmp-index 58
next
edit "ssl.scsd"
set vdom "scsd"
set type tunnel
set alias "SSL VPN interface"
set snmp-index 45
next
edit "naf.Policy"
set vdom "Policy"
set type tunnel
@ -508,6 +490,23 @@ config system interface
set alias "SSL VPN interface"
set snmp-index 47
next
edit "naf.scsd"
set vdom "scsd"
set type tunnel
set src-check disable
set snmp-index 57
next
edit "l2t.scsd"
set vdom "scsd"
set type tunnel
set snmp-index 58
next
edit "ssl.scsd"
set vdom "scsd"
set type tunnel
set alias "SSL VPN interface"
set snmp-index 45
next
edit "npu0_vlink0"
set vdom "root"
set type physical
@ -532,9 +531,9 @@ config system interface
set tcp-mss 1379
set remote-ip 169.254.69.217 255.255.255.252
set snmp-index 48
set interface "outside lag"
set mtu-override enable
set mtu 1427
set interface "outside lag"
next
edit "SCHC"
set vdom "scsd"
@ -550,9 +549,9 @@ config system interface
set tcp-mss 1379
set remote-ip 169.254.54.77 255.255.255.252
set snmp-index 59
set interface "outside lag"
set mtu-override enable
set mtu 1427
set interface "outside lag"
next
edit "inside lag"
set vdom "scsd"
@ -597,9 +596,9 @@ config system interface
set tcp-mss 1379
set remote-ip 169.254.242.193 255.255.255.252
set snmp-index 63
set interface "outside lag"
set mtu-override enable
set mtu 1427
set interface "outside lag"
next
edit "Highstreet"
set vdom "scsd"
@ -609,9 +608,9 @@ config system interface
set tcp-mss 1379
set remote-ip 169.254.117.221 255.255.255.252
set snmp-index 65
set interface "outside lag"
set mtu-override enable
set mtu 1427
set interface "outside lag"
next
edit "Highstreet_2"
set vdom "scsd"
@ -622,9 +621,9 @@ config system interface
set tcp-mss 1379
set remote-ip 169.254.13.85 255.255.255.252
set snmp-index 66
set interface "outside lag"
set mtu-override enable
set mtu 1427
set interface "outside lag"
next
edit "DPS"
set vdom "scsd"
@ -763,11 +762,9 @@ config system dns
end
config system replacemsg-image
edit "logo_fnet"
set image-type gif
set image-base64 ''
next
edit "logo_fguard_wf"
set image-type gif
set image-base64 ''
next
edit "logo_v3_fguard_app"
@ -802,6 +799,8 @@ config system replacemsg http "https-untrusted-cert-block"
end
config system replacemsg http "https-blocklisted-cert-block"
end
config system replacemsg http "https-ech-block"
end
config system replacemsg http "switching-protocols-block"
end
config system replacemsg http "http-antiphish-block"
@ -822,7 +821,43 @@ config system replacemsg webproxy "http-err"
end
config system replacemsg webproxy "auth-ip-blackout"
end
config system replacemsg webproxy "ztna-block"
config system replacemsg webproxy "ztna-invalid-cert"
end
config system replacemsg webproxy "ztna-empty-cert"
end
config system replacemsg webproxy "ztna-manageable-empty-cert"
end
config system replacemsg webproxy "ztna-no-api-gwy-matched"
end
config system replacemsg webproxy "ztna-cant-find-real-srv"
end
config system replacemsg webproxy "ztna-fqdn-dns-failed"
end
config system replacemsg webproxy "ztna-ssl-bookmark-failed"
end
config system replacemsg webproxy "ztna-no-policy-matched"
end
config system replacemsg webproxy "ztna-matched-deny-policy"
end
config system replacemsg webproxy "ztna-client-cert-revoked"
end
config system replacemsg webproxy "ztna-denied-by-matched-tags"
end
config system replacemsg webproxy "ztna-denied-no-matched-tags"
end
config system replacemsg webproxy "ztna-no-dev-info"
end
config system replacemsg webproxy "ztna-dev-is-offline"
end
config system replacemsg webproxy "ztna-dev-is-unmanageable"
end
config system replacemsg webproxy "ztna-auth-fail"
end
config system replacemsg webproxy "casb-block"
end
config system replacemsg webproxy "swp-empty-cert"
end
config system replacemsg webproxy "swp-manageable-empty-cert"
end
config system replacemsg ftp "ftp-explicit-banner"
end
@ -842,7 +877,11 @@ config system replacemsg spam "smtp-spam-feip"
end
config system replacemsg spam "smtp-spam-helo"
end
config system replacemsg spam "smtp-spam-emailblock"
config system replacemsg spam "smtp-spam-emailblock-to"
end
config system replacemsg spam "smtp-spam-emailblock-from"
end
config system replacemsg spam "smtp-spam-emailblock-subject"
end
config system replacemsg spam "smtp-spam-mimeheader"
end
@ -962,6 +1001,8 @@ config system replacemsg utm "appblk-html"
end
config system replacemsg utm "ipsblk-html"
end
config system replacemsg utm "virpatchblk-html"
end
config system replacemsg utm "ipsfail-html"
end
config system replacemsg utm "exe-text"
@ -1014,11 +1055,26 @@ config system replacemsg utm "file-size-html"
end
config system replacemsg utm "client-file-size-html"
end
config system replacemsg utm "inline-scan-timeout-html"
end
config system replacemsg utm "inline-scan-timeout-text"
end
config system replacemsg utm "inline-scan-error-html"
end
config system replacemsg utm "inline-scan-error-text"
end
config system replacemsg utm "icap-block-text"
end
config system replacemsg utm "icap-error-text"
end
config system replacemsg utm "icap-http-error"
end
config system replacemsg icap "icap-req-resp"
end
config system replacemsg automation "automation-email"
end
config system snmp sysinfo
set append-index enable
end
config system central-management
set type fortiguard
@ -1031,10 +1087,6 @@ config system vdom-property
set description "property limits for vdom root"
set snmp-index 1
next
edit "scsd"
set description "property limits for vdom scsd"
set snmp-index 2
next
edit "Policy"
set description "property limits for vdom Policy"
set snmp-index 4
@ -1043,18 +1095,25 @@ config system vdom-property
set description "property limits for vdom TEST"
set snmp-index 3
next
edit "scsd"
set description "property limits for vdom scsd"
set snmp-index 2
next
end
config system cluster-sync
config system standalone-cluster
config cluster-peer
end
end
config system fortiguard
set fortiguard-anycast disable
set protocol udp
set port 53
set update-server-location usa
set auto-firmware-upgrade disable
set sdns-server-ip "208.91.112.220" "173.243.140.53" "210.7.96.53"
end
config system email-server
set server "notification.fortinet.net"
set server "fortinet-notifications.com"
set port 465
set security smtps
end
@ -1176,7 +1235,7 @@ config system ntp
end
end
config system ftm-push
set server-cert "Fortinet_Factory"
set server-cert "Fortinet_GUI_Server"
end
config system automation-trigger
edit "Network Down"
@ -1211,6 +1270,76 @@ config system automation-trigger
edit "Security Rating Notification"
set event-type security-rating-summary
next
edit "Local Cert Expired Notification"
set description "Default automation trigger configuration for when a local certificate is near expiration."
set event-type local-cert-near-expiry
next
edit "Compromised Host"
set description "An incident of compromise has been detected on a host endpoint."
next
edit "Any Security Rating Notification"
set description "A security rating summary report has been generated."
set event-type security-rating-summary
next
edit "AV & IPS DB update"
set description "The antivirus and IPS database has been updated."
set event-type virus-ips-db-updated
next
edit "Configuration Change"
set description "An administrator\'s session that changed a FortiGate\'s configuration has ended."
set event-type config-change
next
edit "Conserve Mode"
set description "A FortiGate has entered conserve mode due to low memory."
set event-type low-memory
next
edit "High CPU"
set description "A FortiGate has high CPU usage."
set event-type high-cpu
next
edit "License Expiry"
set description "A FortiGate license is near expiration."
set event-type license-near-expiry
set license-type any
next
edit "Anomaly Logs"
set description "An anomalous event has occurred."
set event-type anomaly-logs
next
edit "IPS Logs"
set description "An IPS event has occurred."
set event-type ips-logs
next
edit "SSH Logs"
set description "A SSH event has occurred."
set event-type ssh-logs
next
edit "Traffic Violation"
set description "A traffic policy has been violated."
set event-type traffic-violation
next
edit "Virus Logs"
set description "A virus event has occurred."
set event-type virus-logs
next
edit "Webfilter Violation"
set description "A webfilter policy has been violated."
set event-type webfilter-violation
next
edit "Admin Login"
set description "A FortiOS event with specified log ID has occurred."
set event-type event-log
set logid 32001
next
edit "Local Certificate Expiry"
set description "A local certificate is near expiration."
set event-type local-cert-near-expiry
next
edit "Auto Firmware upgrade"
set description "Automatic firmware upgrade."
set event-type event-log
set logid 22094 22095 32263
next
end
config system automation-action
edit "Network Down_email"
@ -1240,6 +1369,54 @@ config system automation-action
edit "Compromised Host Quarantine_quarantine-forticlient"
set action-type quarantine-forticlient
next
edit "Reboot FortiGate"
set description "Default automation action configuration for rebooting this FortiGate unit."
set action-type system-actions
set system-action reboot
set minimum-interval 300
next
edit "Shutdown FortiGate"
set description "Default automation action configuration for shuting down this FortiGate unit."
set action-type system-actions
set system-action shutdown
next
edit "Backup Config Disk"
set description "Default automation action configuration for backing up the configuration on disk."
set action-type system-actions
set system-action backup-config
next
edit "Access Layer Quarantine"
set description "Quarantine the MAC address on access layer devices (FortiSwitch and FortiAP)."
set action-type quarantine
next
edit "FortiClient Quarantine"
set description "Use FortiClient EMS to quarantine the endpoint device."
set action-type quarantine-forticlient
next
edit "FortiNAC Quarantine"
set description "Use FortiNAC to quarantine the endpoint device."
set action-type quarantine-fortinac
next
edit "IP Ban"
set description "Ban the IP address specified in the automation trigger event."
set action-type ban-ip
next
edit "FortiExplorer Notification"
set description "Send a notification to FortiExplorer mobile application."
set action-type fortiexplorer-notification
next
edit "Email Notification"
set description "Send a custom email notification to the FortiCare email address registered on this device."
set action-type email
set forticare-email enable
set email-subject "%%log.logdesc%%"
next
edit "CLI Script - System Status"
set description "Execute a CLI script to return the system status."
set action-type cli-script
set script "get system status"
set accprofile "super_admin_readonly"
next
end
config system automation-stitch
edit "Network Down"
@ -1317,6 +1494,16 @@ config system automation-stitch
next
end
next
edit "Firmware upgrade notification"
set description "Automatic firmware upgrade notification."
set trigger "Auto Firmware upgrade"
set condition-logic or
config actions
edit 1
set action "Email Notification"
next
end
next
end
config system federated-upgrade
set status disabled

4
configs/fortigate/global/virtual-patch.cfg Normal file
View File

@ -0,0 +1,4 @@
config virtual-patch profile
edit "g-default"
next
end

5
configs/fortigate/global/webfilter.cfg
View File

@ -488,7 +488,7 @@ config webfilter search-engine
next
edit "g-yandex"
set hostname "yandex\\..*"
set url "^\\/((yand|images\\/|video\\/)(search)|search\\/)\\?"
set url "^\\/((|yand|images\\/|video\\/)(search)|search\\/)\\?"
set query "text="
set safesearch url
set safesearch-str "&family=yes"
@ -547,16 +547,19 @@ config webfilter search-engine
set url "^\\/i\\/api\\/graphql\\/.*\\/UserByScreenName"
set query "variables="
set safesearch translate
set safesearch-str "regex::%22screen_name%22:%22([A-Za-z0-9_]{4,15})%22::twitter.com/\\1"
next
edit "g-google-translate-1"
set hostname "translate\\.google\\..*"
set url "^\\/translate"
set query "u="
set safesearch translate
set safesearch-str "regex::(?:\\?|&)u=([^&]+)::\\1"
next
edit "g-google-translate-2"
set hostname ".*\\.translate\\.goog"
set url "^\\/"
set safesearch translate
set safesearch-str "case::google-translate"
next
end

8
configs/fortigate/vdom_Policy/casb.cfg Normal file
View File

@ -0,0 +1,8 @@
config casb saas-application
end
config casb user-activity
end
config casb profile
edit "default"
next
end

35
configs/fortigate/vdom_Policy/dlp.cfg
View File

@ -1,3 +1,34 @@
config dlp data-type
edit "g-credit-card"
set pattern "\\b([2-6]{1}\\d{3})[- ]?(\\d{4})[- ]?(\\d{2})[- ]?(\\d{2})[- ]?(\\d{2,4})\\b"
set verify "builtin)credit-card"
set look-back 20
set transform "\\b\\1[- ]?\\2[- ]?\\3[- ]?\\4[- ]?\\5\\b"
next
edit "g-edm-keyword"
set pattern ".+"
set transform "/\\b\\0\\b/i"
next
edit "g-hex"
set pattern "built-in"
next
edit "g-keyword"
set pattern "built-in"
next
edit "g-mip-label"
set pattern "^[[:xdigit:]]{8}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{12}$"
set transform "built-in"
next
edit "g-regex"
set pattern "built-in"
next
edit "g-ssn-us"
set pattern "\\b(\\d{3})-(\\d{2})-(\\d{4})\\b"
set verify "(?<!-)\\b(?!666|000|9\\d{2})\\d{3}-(?!00)\\d{2}-(?!0{4})\\d{4}\\b(?!-)"
set look-back 12
set transform "\\b\\1-\\2-\\3\\b"
next
end
config dlp filepattern
edit 1
set name "builtin-patterns"
@ -70,9 +101,9 @@ config dlp sensitivity
edit "Warning"
next
end
config dlp sensor
config dlp profile
edit "g-default"
set comment "Default sensor."
set comment "Default profile."
next
edit "g-sniffer-profile"
set comment "Log a summary of email and web traffic."

83
configs/fortigate/vdom_Policy/firewall.cfg
View File

@ -1,4 +1,12 @@
config firewall address
edit "EMS_ALL_UNKNOWN_CLIENTS"
set type dynamic
set sub-type ems-tag
next
edit "EMS_ALL_UNMANAGEABLE_CLIENTS"
set type dynamic
set sub-type ems-tag
next
edit "none"
set subnet 0.0.0.0 255.255.255.255
next
@ -217,6 +225,22 @@ config firewall service category
next
end
config firewall service custom
edit "ALL"
set category "General"
set protocol IP
next
edit "FTP"
set category "File Access"
set tcp-portrange 21
next
edit "FTP_GET"
set category "File Access"
set tcp-portrange 21
next
edit "FTP_PUT"
set category "File Access"
set tcp-portrange 21
next
edit "DNS"
set category "Network Services"
set tcp-portrange 53
@ -280,22 +304,6 @@ config firewall service custom
set category "File Access"
set tcp-portrange 445
next
edit "FTP"
set category "File Access"
set tcp-portrange 21
next
edit "FTP_GET"
set category "File Access"
set tcp-portrange 21
next
edit "FTP_PUT"
set category "File Access"
set tcp-portrange 21
next
edit "ALL"
set category "General"
set protocol IP
next
edit "ALL_TCP"
set category "General"
set tcp-portrange 1-65535
@ -330,7 +338,6 @@ config firewall service custom
set protocol-number 50
next
edit "AOL"
set visibility disable
set tcp-portrange 5190-5194
next
edit "BGP"
@ -342,11 +349,9 @@ config firewall service custom
set udp-portrange 67-68
next
edit "FINGER"
set visibility disable
set tcp-portrange 79
next
edit "GOPHER"
set visibility disable
set tcp-portrange 70
next
edit "H323"
@ -359,7 +364,6 @@ config firewall service custom
set udp-portrange 500 4500
next
edit "Internet-Locator-Service"
set visibility disable
set tcp-portrange 389
next
edit "IRC"
@ -372,7 +376,6 @@ config firewall service custom
set udp-portrange 1701
next
edit "NetMeeting"
set visibility disable
set tcp-portrange 1720
next
edit "NFS"
@ -381,7 +384,6 @@ config firewall service custom
set udp-portrange 111 2049
next
edit "NNTP"
set visibility disable
set tcp-portrange 119
next
edit "NTP"
@ -407,19 +409,16 @@ config firewall service custom
next
edit "TIMESTAMP"
set protocol ICMP
set visibility disable
set icmptype 13
unset icmpcode
next
edit "INFO_REQUEST"
set protocol ICMP
set visibility disable
set icmptype 15
unset icmpcode
next
edit "INFO_ADDRESS"
set protocol ICMP
set visibility disable
set icmptype 17
unset icmpcode
next
@ -433,15 +432,12 @@ config firewall service custom
set tcp-portrange 1723
next
edit "QUAKE"
set visibility disable
set udp-portrange 26000 27000 27910 27960
next
edit "RAUDIO"
set visibility disable
set udp-portrange 7070
next
edit "REXEC"
set visibility disable
set tcp-portrange 512
next
edit "RIP"
@ -449,11 +445,9 @@ config firewall service custom
set udp-portrange 520
next
edit "RLOGIN"
set visibility disable
set tcp-portrange 513:512-1023
next
edit "RSH"
set visibility disable
set tcp-portrange 514:512-1023
next
edit "SCCP"
@ -483,7 +477,6 @@ config firewall service custom
set udp-portrange 514
next
edit "TALK"
set visibility disable
set udp-portrange 517-518
next
edit "TELNET"
@ -495,23 +488,18 @@ config firewall service custom
set udp-portrange 69
next
edit "MGCP"
set visibility disable
set udp-portrange 2427 2727
next
edit "UUCP"
set visibility disable
set tcp-portrange 540
next
edit "VDOLIVE"
set visibility disable
set tcp-portrange 7000-7010
next
edit "WAIS"
set visibility disable
set tcp-portrange 210
next
edit "WINFRAME"
set visibility disable
set tcp-portrange 1494 2598
next
edit "X-WINDOWS"
@ -520,7 +508,6 @@ config firewall service custom
next
edit "PING6"
set protocol ICMP6
set visibility disable
set icmptype 128
unset icmpcode
next
@ -563,11 +550,9 @@ config firewall service custom
set udp-portrange 1812 1813
next
edit "RADIUS-OLD"
set visibility disable
set udp-portrange 1645 1646
next
edit "CVSPSERVER"
set visibility disable
set tcp-portrange 2401
set udp-portrange 2401
next
@ -586,12 +571,10 @@ config firewall service custom
set udp-portrange 554
next
edit "MMS"
set visibility disable
set tcp-portrange 1755
set udp-portrange 1024-5000
next
edit "NONE"
set visibility disable
set tcp-portrange 0
next
edit "webproxy"
@ -639,6 +622,16 @@ config firewall shaper traffic-shaper
set maximum-bandwidth 1024
next
end
config firewall proxy-address
edit "IPv4-address"
set type host-regex
set host-regex "^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\.([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])){3}$"
next
edit "IPv6-address"
set type host-regex
set host-regex "^\\[(([0-9a-f]{0,4}:){1,7}[0-9a-f]{1,4})\\]$"
next
end
config firewall schedule recurring
edit "always"
set day sunday monday tuesday wednesday thursday friday saturday
@ -747,6 +740,7 @@ config firewall ssl-ssh-profile
config https
set ports 443
set status certificate-inspection
set quic inspect
set unsupported-ssl-version allow
end
config ftps
@ -771,6 +765,7 @@ config firewall ssl-ssh-profile
end
config dot
set status disable
set quic inspect
end
next
edit "deep-inspection"
@ -778,6 +773,7 @@ config firewall ssl-ssh-profile
config https
set ports 443
set status deep-inspection
set quic inspect
set unsupported-ssl-version allow
end
config ftps
@ -806,6 +802,7 @@ config firewall ssl-ssh-profile
end
config dot
set status disable
set quic inspect
end
config ssl-exempt
edit 1
@ -941,6 +938,7 @@ config firewall ssl-ssh-profile
config https
set ports 443
set status deep-inspection
set quic inspect
set unsupported-ssl-version allow
end
config ftps
@ -969,6 +967,7 @@ config firewall ssl-ssh-profile
end
config dot
set status disable
set quic inspect
end
config ssl-exempt
edit 1
@ -1103,6 +1102,7 @@ config firewall ssl-ssh-profile
set comment "Read-only profile that does no inspection."
config https
set status disable
set quic bypass
set unsupported-ssl-version allow
end
config ftps
@ -1127,6 +1127,7 @@ config firewall ssl-ssh-profile
end
config dot
set status disable
set quic bypass
end
next
end

6
configs/fortigate/vdom_Policy/ips.cfg
View File

@ -3,7 +3,7 @@ config ips sensor
set comment "Prevent critical attacks."
config entries
edit 1
set severity medium high critical
set severity medium high critical
next
end
next
@ -11,7 +11,7 @@ config ips sensor
set comment "Monitor IPS attacks."
config entries
edit 1
set severity medium high critical
set severity medium high critical
next
end
next
@ -19,7 +19,7 @@ config ips sensor
set comment "Default configuration for offloading WiFi traffic."
config entries
edit 1
set severity medium high critical
set severity medium high critical
next
end
next

13
configs/fortigate/vdom_Policy/switch-controller.cfg
View File

@ -26,6 +26,7 @@ config switch-controller security-policy 802-1X
set framevid-apply enable
set radius-timeout-overwrite disable
set authserver-timeout-vlan disable
set dacl disable
next
end
config switch-controller security-policy local-access
@ -170,6 +171,8 @@ config switch-controller storm-control-policy
next
end
config switch-controller auto-config policy
edit "pse"
next
edit "default"
next
edit "default-icl"
@ -208,12 +211,12 @@ config switch-controller switch-profile
edit "default"
next
end
config switch-controller ptp settings
set mode disable
end
config switch-controller ptp policy
config switch-controller ptp profile
edit "default"
next
end
config switch-controller ptp interface-policy
edit "default"
set status enable
next
end
config switch-controller remote-log

13
configs/fortigate/vdom_Policy/system.cfg
View File

@ -6,6 +6,7 @@ config system settings
set comments "Test VDOM for Policy-based"
set ngfw-mode policy-based
set h323-direct-model enable
set default-app-port-as-service disable
end
config system replacemsg-group
edit "default"
@ -33,8 +34,8 @@ config system sdwan
next
edit "Default_Office_365"
set server "www.office.com"
set protocol http
set interval 1000
set protocol https
set interval 120000
set probe-timeout 1000
set recoverytime 10
config sla
@ -60,8 +61,8 @@ config system sdwan
next
edit "Default_Google Search"
set server "www.google.com"
set protocol http
set interval 1000
set protocol https
set interval 120000
set probe-timeout 1000
set recoverytime 10
config sla
@ -74,8 +75,8 @@ config system sdwan
next
edit "Default_FortiGuard"
set server "fortiguard.com"
set protocol http
set interval 1000
set protocol https
set interval 120000
set probe-timeout 1000
set recoverytime 10
config sla

4
configs/fortigate/vdom_Policy/virtual-patch.cfg Normal file
View File

@ -0,0 +1,4 @@
config virtual-patch profile
edit "g-default"
next
end

6
configs/fortigate/vdom_Policy/vpn.cfg
View File

@ -16,6 +16,11 @@ config vpn certificate local
set range global
set source factory
next
edit "Fortinet_GUI_Server"
set comments "This is the default CA certificate the SSL Inspection will use when generating new server certificates."
set range global
set source factory
next
edit "Fortinet_SSL_RSA1024"
set comments "This certificate is embedded in the hardware at the factory and is unique to this unit. "
set range global
@ -294,6 +299,7 @@ config vpn ssl web portal
next
end
config vpn ssl settings
set banned-cipher SHA1 SHA256 SHA384
set servercert "Fortinet_Factory"
set port 443
end

11
configs/fortigate/vdom_Policy/webfilter.cfg
View File

@ -56,17 +56,20 @@ config webfilter search-engine
set url "^\\/translate"
set query "u="
set safesearch translate
set safesearch-str "regex::(?:\\?|&)u=([^&]+)::\\1"
next
edit "g-google-translate-2"
set hostname ".*\\.translate\\.goog"
set url "^\\/"
set safesearch translate
set safesearch-str "case::google-translate"
next
edit "g-twitter"
set hostname "twitter\\.com"
set url "^\\/i\\/api\\/graphql\\/.*\\/UserByScreenName"
set query "variables="
set safesearch translate
set safesearch-str "regex::%22screen_name%22:%22([A-Za-z0-9_]{4,15})%22::twitter.com/\\1"
next
edit "g-vimeo"
set hostname ".*vimeo.*"
@ -83,7 +86,7 @@ config webfilter search-engine
next
edit "g-yandex"
set hostname "yandex\\..*"
set url "^\\/((yand|images\\/|video\\/)(search)|search\\/)\\?"
set url "^\\/((|yand|images\\/|video\\/)(search)|search\\/)\\?"
set query "text="
set safesearch url
set safesearch-str "&family=yes"
@ -116,12 +119,6 @@ config webfilter search-engine
set url "www.youtube.com/youtubei/v1/navigator"
set safesearch yt-scan
next
edit "translate"
set hostname "translate\\.google\\..*"
set url "^\\/translate\\?"
set query "u="
set safesearch translate
next
edit "yt-video"
set url "www.youtube.com/watch"
set safesearch yt-video

8
configs/fortigate/vdom_TEST/casb.cfg Normal file
View File

@ -0,0 +1,8 @@
config casb saas-application
end
config casb user-activity
end
config casb profile
edit "default"
next
end

35
configs/fortigate/vdom_TEST/dlp.cfg
View File

@ -1,3 +1,34 @@
config dlp data-type
edit "g-credit-card"
set pattern "\\b([2-6]{1}\\d{3})[- ]?(\\d{4})[- ]?(\\d{2})[- ]?(\\d{2})[- ]?(\\d{2,4})\\b"
set verify "builtin)credit-card"
set look-back 20
set transform "\\b\\1[- ]?\\2[- ]?\\3[- ]?\\4[- ]?\\5\\b"
next
edit "g-edm-keyword"
set pattern ".+"
set transform "/\\b\\0\\b/i"
next
edit "g-hex"
set pattern "built-in"
next
edit "g-keyword"
set pattern "built-in"
next
edit "g-mip-label"
set pattern "^[[:xdigit:]]{8}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{12}$"
set transform "built-in"
next
edit "g-regex"
set pattern "built-in"
next
edit "g-ssn-us"
set pattern "\\b(\\d{3})-(\\d{2})-(\\d{4})\\b"
set verify "(?<!-)\\b(?!666|000|9\\d{2})\\d{3}-(?!00)\\d{2}-(?!0{4})\\d{4}\\b(?!-)"
set look-back 12
set transform "\\b\\1-\\2-\\3\\b"
next
end
config dlp filepattern
edit 1
set name "builtin-patterns"
@ -70,9 +101,9 @@ config dlp sensitivity
edit "Warning"
next
end
config dlp sensor
config dlp profile
edit "g-default"
set comment "Default sensor."
set comment "Default profile."
next
edit "g-sniffer-profile"
set comment "Log a summary of email and web traffic."

85
configs/fortigate/vdom_TEST/firewall.cfg
View File

@ -1,4 +1,12 @@
config firewall address
edit "EMS_ALL_UNKNOWN_CLIENTS"
set type dynamic
set sub-type ems-tag
next
edit "EMS_ALL_UNMANAGEABLE_CLIENTS"
set type dynamic
set sub-type ems-tag
next
edit "none"
set subnet 0.0.0.0 255.255.255.255
next
@ -248,6 +256,22 @@ config firewall service category
next
end
config firewall service custom
edit "ALL"
set category "General"
set protocol IP
next
edit "FTP"
set category "File Access"
set tcp-portrange 21
next
edit "FTP_GET"
set category "File Access"
set tcp-portrange 21
next
edit "FTP_PUT"
set category "File Access"
set tcp-portrange 21
next
edit "DNS"
set category "Network Services"
set tcp-portrange 53
@ -311,22 +335,6 @@ config firewall service custom
set category "File Access"
set tcp-portrange 445
next
edit "FTP"
set category "File Access"
set tcp-portrange 21
next
edit "FTP_GET"
set category "File Access"
set tcp-portrange 21
next
edit "FTP_PUT"
set category "File Access"
set tcp-portrange 21
next
edit "ALL"
set category "General"
set protocol IP
next
edit "ALL_TCP"
set category "General"
set tcp-portrange 1-65535
@ -361,7 +369,6 @@ config firewall service custom
set protocol-number 50
next
edit "AOL"
set visibility disable
set tcp-portrange 5190-5194
next
edit "BGP"
@ -373,11 +380,9 @@ config firewall service custom
set udp-portrange 67-68
next
edit "FINGER"
set visibility disable
set tcp-portrange 79
next
edit "GOPHER"
set visibility disable
set tcp-portrange 70
next
edit "H323"
@ -390,7 +395,6 @@ config firewall service custom
set udp-portrange 500 4500
next
edit "Internet-Locator-Service"
set visibility disable
set tcp-portrange 389
next
edit "IRC"
@ -403,7 +407,6 @@ config firewall service custom
set udp-portrange 1701
next
edit "NetMeeting"
set visibility disable
set tcp-portrange 1720
next
edit "NFS"
@ -412,7 +415,6 @@ config firewall service custom
set udp-portrange 111 2049
next
edit "NNTP"
set visibility disable
set tcp-portrange 119
next
edit "NTP"
@ -438,19 +440,16 @@ config firewall service custom
next
edit "TIMESTAMP"
set protocol ICMP
set visibility disable
set icmptype 13
unset icmpcode
next
edit "INFO_REQUEST"
set protocol ICMP
set visibility disable
set icmptype 15
unset icmpcode
next
edit "INFO_ADDRESS"
set protocol ICMP
set visibility disable
set icmptype 17
unset icmpcode
next
@ -464,15 +463,12 @@ config firewall service custom
set tcp-portrange 1723
next
edit "QUAKE"
set visibility disable
set udp-portrange 26000 27000 27910 27960
next
edit "RAUDIO"
set visibility disable
set udp-portrange 7070
next
edit "REXEC"
set visibility disable
set tcp-portrange 512
next
edit "RIP"
@ -480,11 +476,9 @@ config firewall service custom
set udp-portrange 520
next
edit "RLOGIN"
set visibility disable
set tcp-portrange 513:512-1023
next
edit "RSH"
set visibility disable
set tcp-portrange 514:512-1023
next
edit "SCCP"
@ -514,7 +508,6 @@ config firewall service custom
set udp-portrange 514
next
edit "TALK"
set visibility disable
set udp-portrange 517-518
next
edit "TELNET"
@ -526,23 +519,18 @@ config firewall service custom
set udp-portrange 69
next
edit "MGCP"
set visibility disable
set udp-portrange 2427 2727
next
edit "UUCP"
set visibility disable
set tcp-portrange 540
next
edit "VDOLIVE"
set visibility disable
set tcp-portrange 7000-7010
next
edit "WAIS"
set visibility disable
set tcp-portrange 210
next
edit "WINFRAME"
set visibility disable
set tcp-portrange 1494 2598
next
edit "X-WINDOWS"
@ -551,7 +539,6 @@ config firewall service custom
next
edit "PING6"
set protocol ICMP6
set visibility disable
set icmptype 128
unset icmpcode
next
@ -594,11 +581,9 @@ config firewall service custom
set udp-portrange 1812 1813
next
edit "RADIUS-OLD"
set visibility disable
set udp-portrange 1645 1646
next
edit "CVSPSERVER"
set visibility disable
set tcp-portrange 2401
set udp-portrange 2401
next
@ -617,12 +602,10 @@ config firewall service custom
set udp-portrange 554
next
edit "MMS"
set visibility disable
set tcp-portrange 1755
set udp-portrange 1024-5000
next
edit "NONE"
set visibility disable
set tcp-portrange 0
next
edit "webproxy"
@ -670,6 +653,16 @@ config firewall shaper traffic-shaper
set maximum-bandwidth 1024
next
end
config firewall proxy-address
edit "IPv4-address"
set type host-regex
set host-regex "^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\.([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])){3}$"
next
edit "IPv6-address"
set type host-regex
set host-regex "^\\[(([0-9a-f]{0,4}:){1,7}[0-9a-f]{1,4})\\]$"
next
end
config firewall schedule recurring
edit "always"
set day sunday monday tuesday wednesday thursday friday saturday
@ -791,6 +784,7 @@ config firewall ssl-ssh-profile
config https
set ports 443
set status certificate-inspection
set quic inspect
set unsupported-ssl-version allow
end
config ftps
@ -815,6 +809,7 @@ config firewall ssl-ssh-profile
end
config dot
set status disable
set quic inspect
end
next
edit "deep-inspection"
@ -822,6 +817,7 @@ config firewall ssl-ssh-profile
config https
set ports 443
set status deep-inspection
set quic inspect
set unsupported-ssl-version allow
end
config ftps
@ -850,6 +846,7 @@ config firewall ssl-ssh-profile
end
config dot
set status disable
set quic inspect
end
config ssl-exempt
edit 1
@ -985,6 +982,7 @@ config firewall ssl-ssh-profile
config https
set ports 443
set status deep-inspection
set quic inspect
set unsupported-ssl-version allow
end
config ftps
@ -1013,6 +1011,7 @@ config firewall ssl-ssh-profile
end
config dot
set status disable
set quic inspect
end
config ssl-exempt
edit 1
@ -1147,6 +1146,7 @@ config firewall ssl-ssh-profile
set comment "Read-only profile that does no inspection."
config https
set status disable
set quic bypass
set unsupported-ssl-version allow
end
config ftps
@ -1171,6 +1171,7 @@ config firewall ssl-ssh-profile
end
config dot
set status disable
set quic bypass
end
next
end
@ -1184,7 +1185,6 @@ config firewall policy
set schedule "always"
set service "ALL"
set logtraffic disable
set match-vip enable
next
edit 4
set name "Block_Countries_Out"
@ -1195,7 +1195,6 @@ config firewall policy
set schedule "always"
set service "ALL"
set logtraffic disable
set match-vip enable
next
edit 2
set name "Webosphere"

11
configs/fortigate/vdom_TEST/ips.cfg
View File

@ -3,7 +3,7 @@ config ips sensor
set comment "Prevent critical attacks."
config entries
edit 1
set severity medium high critical
set severity medium high critical
next
end
next
@ -11,7 +11,7 @@ config ips sensor
set comment "Monitor IPS attacks."
config entries
edit 1
set severity medium high critical
set severity medium high critical
next
end
next
@ -19,7 +19,7 @@ config ips sensor
set comment "Default configuration for offloading WiFi traffic."
config entries
edit 1
set severity medium high critical
set severity medium high critical
next
end
next
@ -28,7 +28,7 @@ config ips sensor
set scan-botnet-connections block
config entries
edit 1
set severity medium high critical
set severity medium high critical
set action block
next
end
@ -37,3 +37,6 @@ config ips sensor
set comment "This allows you to enable botnet blocking across all traffic that matches the policy by configuring one setting in the GUI"
next
end
config ips settings
set proxy-inline-ips disable
end

13
configs/fortigate/vdom_TEST/switch-controller.cfg
View File

@ -26,6 +26,7 @@ config switch-controller security-policy 802-1X
set framevid-apply enable
set radius-timeout-overwrite disable
set authserver-timeout-vlan disable
set dacl disable
next
end
config switch-controller security-policy local-access
@ -170,6 +171,8 @@ config switch-controller storm-control-policy
next
end
config switch-controller auto-config policy
edit "pse"
next
edit "default"
next
edit "default-icl"
@ -208,12 +211,12 @@ config switch-controller switch-profile
edit "default"
next
end
config switch-controller ptp settings
set mode disable
end
config switch-controller ptp policy
config switch-controller ptp profile
edit "default"
next
end
config switch-controller ptp interface-policy
edit "default"
set status enable
next
end
config switch-controller remote-log

12
configs/fortigate/vdom_TEST/system.cfg
View File

@ -40,8 +40,8 @@ config system sdwan
next
edit "Default_Office_365"
set server "www.office.com"
set protocol http
set interval 1000
set protocol https
set interval 120000
set probe-timeout 1000
set recoverytime 10
config sla
@ -67,8 +67,8 @@ config system sdwan
next
edit "Default_Google Search"
set server "www.google.com"
set protocol http
set interval 1000
set protocol https
set interval 120000
set probe-timeout 1000
set recoverytime 10
config sla
@ -81,8 +81,8 @@ config system sdwan
next
edit "Default_FortiGuard"
set server "fortiguard.com"
set protocol http
set interval 1000
set protocol https
set interval 120000
set probe-timeout 1000
set recoverytime 10
config sla

4
configs/fortigate/vdom_TEST/virtual-patch.cfg Normal file
View File

@ -0,0 +1,4 @@
config virtual-patch profile
edit "g-default"
next
end

2
configs/fortigate/vdom_TEST/voip.cfg
View File

@ -1,6 +1,8 @@
config voip profile
edit "default"
set comment "Default VoIP profile."
config sip
end
next
edit "strict"
config sip

6
configs/fortigate/vdom_TEST/vpn.cfg
View File

@ -16,6 +16,11 @@ config vpn certificate local
set range global
set source factory
next
edit "Fortinet_GUI_Server"
set comments "This is the default CA certificate the SSL Inspection will use when generating new server certificates."
set range global
set source factory
next
edit "Fortinet_SSL_RSA1024"
set comments "This certificate is embedded in the hardware at the factory and is unique to this unit. "
set range global
@ -294,6 +299,7 @@ config vpn ssl web portal
next
end
config vpn ssl settings
set banned-cipher SHA1 SHA256 SHA384
set servercert "Fortinet_Factory"
set port 443
end

11
configs/fortigate/vdom_TEST/webfilter.cfg
View File

@ -511,17 +511,20 @@ config webfilter search-engine
set url "^\\/translate"
set query "u="
set safesearch translate
set safesearch-str "regex::(?:\\?|&)u=([^&]+)::\\1"
next
edit "g-google-translate-2"
set hostname ".*\\.translate\\.goog"
set url "^\\/"
set safesearch translate
set safesearch-str "case::google-translate"
next
edit "g-twitter"
set hostname "twitter\\.com"
set url "^\\/i\\/api\\/graphql\\/.*\\/UserByScreenName"
set query "variables="
set safesearch translate
set safesearch-str "regex::%22screen_name%22:%22([A-Za-z0-9_]{4,15})%22::twitter.com/\\1"
next
edit "g-vimeo"
set hostname ".*vimeo.*"
@ -538,7 +541,7 @@ config webfilter search-engine
next
edit "g-yandex"
set hostname "yandex\\..*"
set url "^\\/((yand|images\\/|video\\/)(search)|search\\/)\\?"
set url "^\\/((|yand|images\\/|video\\/)(search)|search\\/)\\?"
set query "text="
set safesearch url
set safesearch-str "&family=yes"
@ -571,12 +574,6 @@ config webfilter search-engine
set url "www.youtube.com/youtubei/v1/navigator"
set safesearch yt-scan
next
edit "translate"
set hostname "translate\\.google\\..*"
set url "^\\/translate\\?"
set query "u="
set safesearch translate
next
edit "yt-video"
set url "www.youtube.com/watch"
set safesearch yt-video

8
configs/fortigate/vdom_root/casb.cfg Normal file
View File

@ -0,0 +1,8 @@
config casb saas-application
end
config casb user-activity
end
config casb profile
edit "default"
next
end

103
configs/fortigate/vdom_root/dlp.cfg
View File

@ -1,3 +1,81 @@
config dlp data-type
edit "g-credit-card"
set pattern "\\b([2-6]{1}\\d{3})[- ]?(\\d{4})[- ]?(\\d{2})[- ]?(\\d{2})[- ]?(\\d{2,4})\\b"
set verify "builtin)credit-card"
set look-back 20
set transform "\\b\\1[- ]?\\2[- ]?\\3[- ]?\\4[- ]?\\5\\b"
next
edit "g-edm-keyword"
set pattern ".+"
set transform "/\\b\\0\\b/i"
next
edit "g-hex"
set pattern "built-in"
next
edit "g-keyword"
set pattern "built-in"
next
edit "g-mip-label"
set pattern "^[[:xdigit:]]{8}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{12}$"
set transform "built-in"
next
edit "g-regex"
set pattern "built-in"
next
edit "g-ssn-us"
set pattern "\\b(\\d{3})-(\\d{2})-(\\d{4})\\b"
set verify "(?<!-)\\b(?!666|000|9\\d{2})\\d{3}-(?!00)\\d{2}-(?!0{4})\\d{4}\\b(?!-)"
set look-back 12
set transform "\\b\\1-\\2-\\3\\b"
next
end
config dlp dictionary
edit "SSN-Sensor-r1d"
config entries
edit 1
set type "g-regex"
set pattern "WebEx"
next
end
next
edit "def-cc-dict"
config entries
edit 1
set type "g-credit-card"
next
end
next
edit "def-ssn-dict"
config entries
edit 1
set type "g-ssn-us"
next
end
next
end
config dlp sensor
edit "SSN-Sensor-r1s"
config entries
edit 1
set dictionary "SSN-Sensor-r1d"
next
end
next
edit "def-cc-sensor"
config entries
edit 1
set dictionary "def-cc-dict"
next
end
next
edit "def-ssn-sensor"
config entries
edit 1
set dictionary "def-ssn-dict"
next
end
next
end
config dlp filepattern
edit 1
set name "builtin-patterns"
@ -70,9 +148,9 @@ config dlp sensitivity
edit "Warning"
next
end
config dlp sensor
config dlp profile
edit "g-default"
set comment "Default sensor."
set comment "Default profile."
next
edit "g-sniffer-profile"
set comment "Log a summary of email and web traffic."
@ -89,11 +167,13 @@ config dlp sensor
next
edit "Credit-Card"
set feature-set proxy
config filter
config rule
edit 1
set name "Credit-Card-Filter"
set severity high
set proto smtp pop3 imap http-get http-post mapi
set filter-by sensor
set sensor "def-cc-sensor"
set action log-only
next
edit 2
@ -101,17 +181,18 @@ config dlp sensor
set severity high
set type message
set proto smtp pop3 imap http-post mapi
set filter-by sensor
set sensor "def-cc-sensor"
set action log-only
next
end
next
edit "Large-File"
set feature-set proxy
config filter
config rule
edit 1
set name "Large-File-Filter"
set proto smtp pop3 imap http-get http-post mapi
set filter-by file-size
set file-size 5120
set action log-only
next
@ -120,28 +201,30 @@ config dlp sensor
edit "SSN-Sensor"
set comment "Match SSN numbers but NOT WebEx invite emails."
set feature-set proxy
config filter
config rule
edit 1
set name "SSN-Sensor-Filter"
set severity high
set type message
set proto smtp pop3 imap mapi
set filter-by regexp
set regexp "WebEx"
set filter-by sensor
set sensor "SSN-Sensor-r1s"
next
edit 2
set name "SSN-Sensor-Filter"
set severity high
set type message
set proto smtp pop3 imap mapi
set filter-by ssn
set filter-by sensor
set sensor "def-ssn-sensor"
set action log-only
next
edit 3
set name "SSN-Sensor-Filter"
set severity high
set proto smtp pop3 imap http-get http-post ftp mapi
set filter-by ssn
set filter-by sensor
set sensor "def-ssn-sensor"
set action log-only
next
end

83
configs/fortigate/vdom_root/firewall.cfg
View File

@ -1,4 +1,12 @@
config firewall address
edit "EMS_ALL_UNKNOWN_CLIENTS"
set type dynamic
set sub-type ems-tag
next
edit "EMS_ALL_UNMANAGEABLE_CLIENTS"
set type dynamic
set sub-type ems-tag
next
edit "none"
set subnet 0.0.0.0 255.255.255.255
next
@ -217,6 +225,22 @@ config firewall service category
next
end
config firewall service custom
edit "ALL"
set category "General"
set protocol IP
next
edit "FTP"
set category "File Access"
set tcp-portrange 21
next
edit "FTP_GET"
set category "File Access"
set tcp-portrange 21
next
edit "FTP_PUT"
set category "File Access"
set tcp-portrange 21
next
edit "DNS"
set category "Network Services"
set tcp-portrange 53
@ -280,22 +304,6 @@ config firewall service custom
set category "File Access"
set tcp-portrange 445
next
edit "FTP"
set category "File Access"
set tcp-portrange 21
next
edit "FTP_GET"
set category "File Access"
set tcp-portrange 21
next
edit "FTP_PUT"
set category "File Access"
set tcp-portrange 21
next
edit "ALL"
set category "General"
set protocol IP
next
edit "ALL_TCP"
set category "General"
set tcp-portrange 1-65535
@ -330,7 +338,6 @@ config firewall service custom
set protocol-number 50
next
edit "AOL"
set visibility disable
set tcp-portrange 5190-5194
next
edit "BGP"
@ -342,11 +349,9 @@ config firewall service custom
set udp-portrange 67-68
next
edit "FINGER"
set visibility disable
set tcp-portrange 79
next
edit "GOPHER"
set visibility disable
set tcp-portrange 70
next
edit "H323"
@ -359,7 +364,6 @@ config firewall service custom
set udp-portrange 500 4500
next
edit "Internet-Locator-Service"
set visibility disable
set tcp-portrange 389
next
edit "IRC"
@ -372,7 +376,6 @@ config firewall service custom
set udp-portrange 1701
next
edit "NetMeeting"
set visibility disable
set tcp-portrange 1720
next
edit "NFS"
@ -381,7 +384,6 @@ config firewall service custom
set udp-portrange 111 2049
next
edit "NNTP"
set visibility disable
set tcp-portrange 119
next
edit "NTP"
@ -407,19 +409,16 @@ config firewall service custom
next
edit "TIMESTAMP"
set protocol ICMP
set visibility disable
set icmptype 13
unset icmpcode
next
edit "INFO_REQUEST"
set protocol ICMP
set visibility disable
set icmptype 15
unset icmpcode
next
edit "INFO_ADDRESS"
set protocol ICMP
set visibility disable
set icmptype 17
unset icmpcode
next
@ -433,15 +432,12 @@ config firewall service custom
set tcp-portrange 1723
next
edit "QUAKE"
set visibility disable
set udp-portrange 26000 27000 27910 27960
next
edit "RAUDIO"
set visibility disable
set udp-portrange 7070
next
edit "REXEC"
set visibility disable
set tcp-portrange 512
next
edit "RIP"
@ -449,11 +445,9 @@ config firewall service custom
set udp-portrange 520
next
edit "RLOGIN"
set visibility disable
set tcp-portrange 513:512-1023
next
edit "RSH"
set visibility disable
set tcp-portrange 514:512-1023
next
edit "SCCP"
@ -483,7 +477,6 @@ config firewall service custom
set udp-portrange 514
next
edit "TALK"
set visibility disable
set udp-portrange 517-518
next
edit "TELNET"
@ -495,23 +488,18 @@ config firewall service custom
set udp-portrange 69
next
edit "MGCP"
set visibility disable
set udp-portrange 2427 2727
next
edit "UUCP"
set visibility disable
set tcp-portrange 540
next
edit "VDOLIVE"
set visibility disable
set tcp-portrange 7000-7010
next
edit "WAIS"
set visibility disable
set tcp-portrange 210
next
edit "WINFRAME"
set visibility disable
set tcp-portrange 1494 2598
next
edit "X-WINDOWS"
@ -520,7 +508,6 @@ config firewall service custom
next
edit "PING6"
set protocol ICMP6
set visibility disable
set icmptype 128
unset icmpcode
next
@ -563,11 +550,9 @@ config firewall service custom
set udp-portrange 1812 1813
next
edit "RADIUS-OLD"
set visibility disable
set udp-portrange 1645 1646
next
edit "CVSPSERVER"
set visibility disable
set tcp-portrange 2401
set udp-portrange 2401
next
@ -586,12 +571,10 @@ config firewall service custom
set udp-portrange 554
next
edit "MMS"
set visibility disable
set tcp-portrange 1755
set udp-portrange 1024-5000
next
edit "NONE"
set visibility disable
set tcp-portrange 0
next
edit "webproxy"
@ -639,6 +622,16 @@ config firewall shaper traffic-shaper
set maximum-bandwidth 1024
next
end
config firewall proxy-address
edit "IPv4-address"
set type host-regex
set host-regex "^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\.([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])){3}$"
next
edit "IPv6-address"
set type host-regex
set host-regex "^\\[(([0-9a-f]{0,4}:){1,7}[0-9a-f]{1,4})\\]$"
next
end
config firewall schedule recurring
edit "always"
set day sunday monday tuesday wednesday thursday friday saturday
@ -747,6 +740,7 @@ config firewall ssl-ssh-profile
config https
set ports 443
set status deep-inspection
set quic inspect
set unsupported-ssl-version allow
end
config ftps
@ -775,6 +769,7 @@ config firewall ssl-ssh-profile
end
config dot
set status disable
set quic inspect
end
config ssl-exempt
edit 1
@ -910,6 +905,7 @@ config firewall ssl-ssh-profile
config https
set ports 443
set status deep-inspection
set quic inspect
set unsupported-ssl-version allow
end
config ftps
@ -938,6 +934,7 @@ config firewall ssl-ssh-profile
end
config dot
set status disable
set quic inspect
end
config ssl-exempt
edit 1
@ -1072,6 +1069,7 @@ config firewall ssl-ssh-profile
set comment "Read-only profile that does no inspection."
config https
set status disable
set quic bypass
set unsupported-ssl-version allow
end
config ftps
@ -1096,6 +1094,7 @@ config firewall ssl-ssh-profile
end
config dot
set status disable
set quic bypass
end
next
edit "certificate-inspection"
@ -1103,6 +1102,7 @@ config firewall ssl-ssh-profile
config https
set ports 443
set status certificate-inspection
set quic inspect
set unsupported-ssl-version allow
end
config ftps
@ -1127,6 +1127,7 @@ config firewall ssl-ssh-profile
end
config dot
set status disable
set quic inspect
end
next
end

23
configs/fortigate/vdom_root/ips.cfg
View File

@ -3,7 +3,7 @@ config ips sensor
set comment "Prevent critical attacks."
config entries
edit 1
set severity medium high critical
set severity medium high critical
next
end
next
@ -11,7 +11,7 @@ config ips sensor
set comment "Monitor IPS attacks."
config entries
edit 1
set severity medium high critical
set severity medium high critical
next
end
next
@ -19,7 +19,7 @@ config ips sensor
set comment "Default configuration for offloading WiFi traffic."
config entries
edit 1
set severity medium high critical
set severity medium high critical
next
end
next
@ -43,12 +43,12 @@ config ips sensor
set block-malicious-url enable
config entries
edit 1
set severity medium high critical
set severity medium high critical
set status enable
set action block
next
edit 2
set severity low
set severity low
next
end
next
@ -56,7 +56,7 @@ config ips sensor
set comment "Protect against client-side vulnerabilities."
config entries
edit 1
set location client
set location client
next
end
next
@ -64,8 +64,8 @@ config ips sensor
set comment "Protect against email server-side vulnerabilities."
config entries
edit 1
set location server
set protocol SMTP POP3 IMAP
set location server
set protocol SMTP POP3 IMAP
next
end
next
@ -73,9 +73,12 @@ config ips sensor
set comment "Protect against HTTP server-side vulnerabilities."
config entries
edit 1
set location server
set protocol HTTP
set location server
set protocol HTTP
next
end
next
end
config ips settings
set proxy-inline-ips disable
end

1
configs/fortigate/vdom_root/log.cfg
View File

@ -82,5 +82,4 @@ config log setting
set local-in-allow enable
set local-in-deny-unicast enable
set local-in-deny-broadcast enable
set local-out enable
end

13
configs/fortigate/vdom_root/switch-controller.cfg
View File

@ -26,6 +26,7 @@ config switch-controller security-policy 802-1X
set framevid-apply enable
set radius-timeout-overwrite disable
set authserver-timeout-vlan disable
set dacl disable
next
end
config switch-controller security-policy local-access
@ -170,6 +171,8 @@ config switch-controller storm-control-policy
next
end
config switch-controller auto-config policy
edit "pse"
next
edit "default"
next
edit "default-icl"
@ -208,12 +211,12 @@ config switch-controller switch-profile
edit "default"
next
end
config switch-controller ptp settings
set mode disable
end
config switch-controller ptp policy
config switch-controller ptp profile
edit "default"
next
end
config switch-controller ptp interface-policy
edit "default"
set status enable
next
end
config switch-controller remote-log

12
configs/fortigate/vdom_root/system.cfg
View File

@ -34,8 +34,8 @@ config system sdwan
config health-check
edit "Default_Office_365"
set server "www.office.com"
set protocol http
set interval 1000
set protocol https
set interval 120000
set probe-timeout 1000
set recoverytime 10
config sla
@ -61,8 +61,8 @@ config system sdwan
next
edit "Default_Google Search"
set server "www.google.com"
set protocol http
set interval 1000
set protocol https
set interval 120000
set probe-timeout 1000
set recoverytime 10
config sla
@ -75,8 +75,8 @@ config system sdwan
next
edit "Default_FortiGuard"
set server "fortiguard.com"
set protocol http
set interval 1000
set protocol https
set interval 120000
set probe-timeout 1000
set recoverytime 10
config sla

4
configs/fortigate/vdom_root/virtual-patch.cfg Normal file
View File

@ -0,0 +1,4 @@
config virtual-patch profile
edit "g-default"
next
end

2
configs/fortigate/vdom_root/voip.cfg
View File

@ -1,6 +1,8 @@
config voip profile
edit "default"
set comment "Default VoIP profile."
config sip
end
next
edit "strict"
config sip

8
configs/fortigate/vdom_root/vpn.cfg
View File

@ -16,6 +16,11 @@ config vpn certificate local
set range global
set source factory
next
edit "Fortinet_GUI_Server"
set comments "This is the default CA certificate the SSL Inspection will use when generating new server certificates."
set range global
set source factory
next
edit "Fortinet_SSL_RSA1024"
set comments "This certificate is embedded in the hardware at the factory and is unique to this unit. "
set range global
@ -294,8 +299,7 @@ config vpn ssl web portal
next
end
config vpn ssl settings
set banned-cipher SHA1 SHA256 SHA384
set servercert "Fortinet_Factory"
set port 443
end
config vpn ocvpn
end

11
configs/fortigate/vdom_root/webfilter.cfg
View File

@ -1263,17 +1263,20 @@ config webfilter search-engine
set url "^\\/translate"
set query "u="
set safesearch translate
set safesearch-str "regex::(?:\\?|&)u=([^&]+)::\\1"
next
edit "g-google-translate-2"
set hostname ".*\\.translate\\.goog"
set url "^\\/"
set safesearch translate
set safesearch-str "case::google-translate"
next
edit "g-twitter"
set hostname "twitter\\.com"
set url "^\\/i\\/api\\/graphql\\/.*\\/UserByScreenName"
set query "variables="
set safesearch translate
set safesearch-str "regex::%22screen_name%22:%22([A-Za-z0-9_]{4,15})%22::twitter.com/\\1"
next
edit "g-vimeo"
set hostname ".*vimeo.*"
@ -1290,7 +1293,7 @@ config webfilter search-engine
next
edit "g-yandex"
set hostname "yandex\\..*"
set url "^\\/((yand|images\\/|video\\/)(search)|search\\/)\\?"
set url "^\\/((|yand|images\\/|video\\/)(search)|search\\/)\\?"
set query "text="
set safesearch url
set safesearch-str "&family=yes"
@ -1323,12 +1326,6 @@ config webfilter search-engine
set url "www.youtube.com/youtubei/v1/navigator"
set safesearch yt-scan
next
edit "translate"
set hostname "translate\\.google\\..*"
set url "^\\/translate\\?"
set query "u="
set safesearch translate
next
edit "yt-video"
set url "www.youtube.com/watch"
set safesearch yt-video

8
configs/fortigate/vdom_scsd/casb.cfg Normal file
View File

@ -0,0 +1,8 @@
config casb saas-application
end
config casb user-activity
end
config casb profile
edit "default"
next
end

35
configs/fortigate/vdom_scsd/dlp.cfg
View File

@ -1,3 +1,34 @@
config dlp data-type
edit "g-credit-card"
set pattern "\\b([2-6]{1}\\d{3})[- ]?(\\d{4})[- ]?(\\d{2})[- ]?(\\d{2})[- ]?(\\d{2,4})\\b"
set verify "builtin)credit-card"
set look-back 20
set transform "\\b\\1[- ]?\\2[- ]?\\3[- ]?\\4[- ]?\\5\\b"
next
edit "g-edm-keyword"
set pattern ".+"
set transform "/\\b\\0\\b/i"
next
edit "g-hex"
set pattern "built-in"
next
edit "g-keyword"
set pattern "built-in"
next
edit "g-mip-label"
set pattern "^[[:xdigit:]]{8}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{12}$"
set transform "built-in"
next
edit "g-regex"
set pattern "built-in"
next
edit "g-ssn-us"
set pattern "\\b(\\d{3})-(\\d{2})-(\\d{4})\\b"
set verify "(?<!-)\\b(?!666|000|9\\d{2})\\d{3}-(?!00)\\d{2}-(?!0{4})\\d{4}\\b(?!-)"
set look-back 12
set transform "\\b\\1-\\2-\\3\\b"
next
end
config dlp filepattern
edit 1
set name "builtin-patterns"
@ -70,9 +101,9 @@ config dlp sensitivity
edit "Warning"
next
end
config dlp sensor
config dlp profile
edit "g-default"
set comment "Default sensor."
set comment "Default profile."
next
edit "g-sniffer-profile"
set comment "Log a summary of email and web traffic."

114
configs/fortigate/vdom_scsd/firewall.cfg
View File

@ -1,4 +1,12 @@
config firewall address
edit "EMS_ALL_UNKNOWN_CLIENTS"
set type dynamic
set sub-type ems-tag
next
edit "EMS_ALL_UNMANAGEABLE_CLIENTS"
set type dynamic
set sub-type ems-tag
next
edit "SSLVPN_TUNNEL_ADDR1"
set type iprange
set start-ip 10.212.134.200
@ -2943,9 +2951,9 @@ config firewall addrgrp
set color 6
next
edit "City_Side_VoIP_Park_Place_Group"
set allow-routing enable
set member "City_Side_VoIP_1_Park_Place_A" "City_Side_VoIP_1_Park_Place_B"
set color 28
set allow-routing enable
next
edit "SchoolTool_Cloud_Internal"
set member "21JumpSt" "DataTools" "Fileserver03" "Nighttime_Inside" "Tableau" "DC01_A" "DC01_B" "DC01_C" "HVDC02" "HVDC03_A" "HVDC03_B" "DocHolliday" "SchoolTool webjs" "Elastic"
@ -3024,10 +3032,10 @@ config firewall addrgrp
set color 6
next
edit "City_Side_CGR_Group"
set allow-routing enable
set member "City_Side_CGR_01" "City_Side_CGR_02"
set comment "City Lights CGR Subnets on their side."
set color 28
set allow-routing enable
next
edit "Access_Control_VLAN_72_Group"
set member "Access_Control_40_Porter" "Access_Control_01_NOC" "Access_Control_02_ITC" "Access_Control_03_PSLA" "Access_Control_04_Nottingham" "Access_Control_06_Henninger" "Access_Control_07_Corcoran" "Access_Control_08_Clary" "Access_Control_09_Grant" "Access_Control_10_Levy"
@ -3038,16 +3046,16 @@ config firewall addrgrp
set comment "Microsoft to Barracuda Archivers"
next
edit "City_Side_VoIP_Group"
set allow-routing enable
set member "City_Side_VoIP_30" "City_Side_VoIP_56" "City_Side_VoIP_61" "City_Side_VoIP_62" "City_Side_VoIP_63" "City_Side_VoIP_64" "City_Side_VoIP_65" "City_Side_VoIP_66" "City_Side_VoIP_67" "City_Side_VoIP_68" "City_Side_VoIP_72" "City_Side_VoIP_74" "City_Side_VoIP_75" "City_Side_VoIP_76" "City_Side_VoIP_77" "City_Side_VoIP_88" "City_Side_VoIP_132" "City_Side_VoIP_1_Park_Place_A" "City_Side_VoIP_1_Park_Place_B" "City_Side_VoIP_Router_A" "City_Side_VoIP_Router_B"
set comment "City VoIP Group - except Parks and Water Recorder"
set color 28
set allow-routing enable
next
edit "SPD_Side_Firewall_Group"
set allow-routing enable
set member "SPD_Side_A" "SPD_Side_B"
set comment "IP Range of SPD Side Firewalls"
set color 2
set allow-routing enable
next
edit "Country Allow"
set member "Microsoft 1"
@ -3058,35 +3066,35 @@ config firewall addrgrp
set color 20
next
edit "Genetec_Inside_Group"
set allow-routing enable
set member "NVR-NOC" "NVR-FAILOVER" "NVR-RING1-CLAR" "NVR-RING1-CLAR2" "NVR-RING1-CORC" "NVR-RING1-CORC2" "NVR-RING2-DANF" "NVR-RING2-DANF2" "NVR-RING3-PSLA" "NVR-RING3-PSLA2" "NVR-RING4-BLOD" "NVR-RING4-FRAZ" "NVR-RING5-CENT" "NVR-RING6-EDSM" "NVR-RING6-HWSM" "NVR-RING6-HWSM2" "NVR-RING6-NOTT" "NVR-RING7-BELL" "NVR-RING7-GRAN" "NVR-RING7-GRAN2" "NVR-RING8-HENN" "NVR-RING8-HENN2" "NVR-RING8-HUNT" "Genetec-Dir" "Genetec-DirBU" "Genetec-Media" "Genetec-MRouter"
set comment "District NVRs and Genetec Servers for SPD Federation"
set color 2
set allow-routing enable
next
edit "MS_Teams_External_Group"
set member "MS_Teams_External_A" "MS_Teams_External_B"
next
edit "SchoolTool_AWS_Internal"
set member "DataTools" "ST_Internal_2"
set allow-routing enable
set member "DataTools" "ST_Internal_2"
next
edit "SchoolTool_AWS_External"
set member "ST_External_4" "ST_External_5" "ST_External_6" "ST_External_1" "ST_External_2" "ST_External_3"
set allow-routing enable
set member "ST_External_4" "ST_External_5" "ST_External_6" "ST_External_1" "ST_External_2" "ST_External_3"
next
edit "HighStreet_Local"
set member "DataTools" "Nighttime_Inside"
set comment "Internal IPs for Highstreet Tunnel"
next
edit "DPS_local"
set allow-routing enable
set member "DPS_local_subnet_1"
set comment "VPN: DPS (Created by VPN wizard)"
set allow-routing enable
next
edit "DPS_remote"
set allow-routing enable
set member "DPS_remote_subnet_1"
set comment "VPN: DPS (Created by VPN wizard)"
set allow-routing enable
next
edit "Nutanix_CVM"
set member "Patty_CT_NOC_CVM" "Pigpen_CT_NOC_CVM" "RedBaron_CT_NOC_CVM" "Sally_CT_NOC_CVM" "Schroeder _CT_NOC_CVM"
@ -3229,6 +3237,22 @@ config firewall service category
next
end
config firewall service custom
edit "ALL"
set category "General"
set protocol IP
next
edit "FTP"
set category "File Access"
set tcp-portrange 21
next
edit "FTP_GET"
set category "File Access"
set tcp-portrange 21
next
edit "FTP_PUT"
set category "File Access"
set tcp-portrange 21
next
edit "DNS"
set category "Network Services"
set tcp-portrange 53
@ -3292,22 +3316,6 @@ config firewall service custom
set category "File Access"
set tcp-portrange 445
next
edit "FTP"
set category "File Access"
set tcp-portrange 21
next
edit "FTP_GET"
set category "File Access"
set tcp-portrange 21
next
edit "FTP_PUT"
set category "File Access"
set tcp-portrange 21
next
edit "ALL"
set category "General"
set protocol IP
next
edit "ALL_TCP"
set category "General"
set tcp-portrange 1-65535
@ -3342,7 +3350,6 @@ config firewall service custom
set protocol-number 50
next
edit "AOL"
set visibility disable
set tcp-portrange 5190-5194
next
edit "BGP"
@ -3354,11 +3361,9 @@ config firewall service custom
set udp-portrange 67-68
next
edit "FINGER"
set visibility disable
set tcp-portrange 79
next
edit "GOPHER"
set visibility disable
set tcp-portrange 70
next
edit "H323"
@ -3371,7 +3376,6 @@ config firewall service custom
set udp-portrange 500 4500
next
edit "Internet-Locator-Service"
set visibility disable
set tcp-portrange 389
next
edit "IRC"
@ -3384,7 +3388,6 @@ config firewall service custom
set udp-portrange 1701
next
edit "NetMeeting"
set visibility disable
set tcp-portrange 1720
next
edit "NFS"
@ -3393,7 +3396,6 @@ config firewall service custom
set udp-portrange 111 2049
next
edit "NNTP"
set visibility disable
set tcp-portrange 119
next
edit "NTP"
@ -3419,19 +3421,16 @@ config firewall service custom
next
edit "TIMESTAMP"
set protocol ICMP
set visibility disable
set icmptype 13
unset icmpcode
next
edit "INFO_REQUEST"
set protocol ICMP
set visibility disable
set icmptype 15
unset icmpcode
next
edit "INFO_ADDRESS"
set protocol ICMP
set visibility disable
set icmptype 17
unset icmpcode
next
@ -3445,15 +3444,12 @@ config firewall service custom
set tcp-portrange 1723
next
edit "QUAKE"
set visibility disable
set udp-portrange 26000 27000 27910 27960
next
edit "RAUDIO"
set visibility disable
set udp-portrange 7070
next
edit "REXEC"
set visibility disable
set tcp-portrange 512
next
edit "RIP"
@ -3461,11 +3457,9 @@ config firewall service custom
set udp-portrange 520
next
edit "RLOGIN"
set visibility disable
set tcp-portrange 513:512-1023
next
edit "RSH"
set visibility disable
set tcp-portrange 514:512-1023
next
edit "SCCP"
@ -3495,7 +3489,6 @@ config firewall service custom
set udp-portrange 514
next
edit "TALK"
set visibility disable
set udp-portrange 517-518
next
edit "TELNET"
@ -3507,23 +3500,18 @@ config firewall service custom
set udp-portrange 69
next
edit "MGCP"
set visibility disable
set udp-portrange 2427 2727
next
edit "UUCP"
set visibility disable
set tcp-portrange 540
next
edit "VDOLIVE"
set visibility disable
set tcp-portrange 7000-7010
next
edit "WAIS"
set visibility disable
set tcp-portrange 210
next
edit "WINFRAME"
set visibility disable
set tcp-portrange 1494 2598
next
edit "X-WINDOWS"
@ -3532,7 +3520,6 @@ config firewall service custom
next
edit "PING6"
set protocol ICMP6
set visibility disable
set icmptype 128
unset icmpcode
next
@ -3575,11 +3562,9 @@ config firewall service custom
set udp-portrange 1812 1813
next
edit "RADIUS-OLD"
set visibility disable
set udp-portrange 1645 1646
next
edit "CVSPSERVER"
set visibility disable
set tcp-portrange 2401
set udp-portrange 2401
next
@ -3598,12 +3583,10 @@ config firewall service custom
set udp-portrange 554
next
edit "MMS"
set visibility disable
set tcp-portrange 1755
set udp-portrange 1024-5000
next
edit "NONE"
set visibility disable
set tcp-portrange 0
next
edit "webproxy"
@ -3958,6 +3941,16 @@ config firewall shaper traffic-shaper
set maximum-bandwidth 1024
next
end
config firewall proxy-address
edit "IPv4-address"
set type host-regex
set host-regex "^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\.([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])){3}$"
next
edit "IPv6-address"
set type host-regex
set host-regex "^\\[(([0-9a-f]{0,4}:){1,7}[0-9a-f]{1,4})\\]$"
next
end
config firewall schedule recurring
edit "always"
set day sunday monday tuesday wednesday thursday friday saturday
@ -4401,6 +4394,7 @@ config firewall ssl-ssh-profile
config https
set ports 443
set status certificate-inspection
set quic inspect
set unsupported-ssl-version allow
end
config ftps
@ -4425,6 +4419,7 @@ config firewall ssl-ssh-profile
end
config dot
set status disable
set quic inspect
end
next
edit "deep-inspection"
@ -4432,6 +4427,7 @@ config firewall ssl-ssh-profile
config https
set ports 443
set status deep-inspection
set quic inspect
set unsupported-ssl-version allow
end
config ftps
@ -4460,6 +4456,7 @@ config firewall ssl-ssh-profile
end
config dot
set status disable
set quic inspect
end
config ssl-exempt
edit 1
@ -4595,6 +4592,7 @@ config firewall ssl-ssh-profile
config https
set ports 443
set status deep-inspection
set quic inspect
set unsupported-ssl-version allow
end
config ftps
@ -4623,6 +4621,7 @@ config firewall ssl-ssh-profile
end
config dot
set status disable
set quic inspect
end
config ssl-exempt
edit 1
@ -4760,6 +4759,7 @@ config firewall ssl-ssh-profile
set comment "Read-only profile that does no inspection."
config https
set status disable
set quic bypass
set unsupported-ssl-version allow
end
config ftps
@ -4784,6 +4784,7 @@ config firewall ssl-ssh-profile
end
config dot
set status disable
set quic bypass
end
next
edit "custom-cert-inspection"
@ -4791,6 +4792,7 @@ config firewall ssl-ssh-profile
config https
set ports 443
set status certificate-inspection
set quic inspect
set unsupported-ssl-version allow
end
config ftps
@ -4815,6 +4817,7 @@ config firewall ssl-ssh-profile
end
config dot
set status disable
set quic inspect
end
next
edit "SCSD custom-deep-inspection"
@ -4822,6 +4825,7 @@ config firewall ssl-ssh-profile
config https
set ports 443
set status deep-inspection
set quic inspect
set unsupported-ssl-version allow
end
config ftps
@ -4850,6 +4854,7 @@ config firewall ssl-ssh-profile
end
config dot
set status disable
set quic inspect
end
config ssl-exempt
edit 1
@ -5015,7 +5020,6 @@ config firewall policy
set schedule "always"
set service "ALL"
set logtraffic all
set match-vip enable
set comments "Block specific countries"
next
edit 110
@ -5027,7 +5031,6 @@ config firewall policy
set schedule "always"
set service "ALL"
set logtraffic all
set match-vip enable
set comments "Block specific countries"
next
edit 10020
@ -5039,7 +5042,6 @@ config firewall policy
set schedule "always"
set service "ALL"
set logtraffic all
set match-vip enable
set comments "Block Known Attachers"
next
edit 10022
@ -5051,7 +5053,6 @@ config firewall policy
set schedule "always"
set service "ALL"
set logtraffic all
set match-vip enable
set comments "Block Known Attachers"
next
edit 112
@ -5844,6 +5845,7 @@ config firewall policy
set schedule "always"
set service "DNS"
set logtraffic disable
set match-vip disable
set comments "Deny SPD DNS"
next
edit 55
@ -6564,18 +6566,15 @@ config firewall sniffer
set interface "vpn-0fc50345"
set host "172.30.45.35"
set port "3389"
set max-packet-count 100
next
edit 4
set interface "city_phones lag"
set host "10.250.229.0/24"
set max-packet-count 2000
next
edit 6
set interface "city_phones lag"
set host "10.1.150.20"
set port "8445"
set max-packet-count 50
next
edit 5
set interface "vpn-0403e61"
@ -6610,7 +6609,6 @@ config firewall sniffer
edit 15
set interface "RAP"
set host "192.168.79.2"
set max-packet-count 10000
next
edit 16
set interface "city_phones lag"

17
configs/fortigate/vdom_scsd/ips.cfg
View File

@ -3,7 +3,7 @@ config ips sensor
set comment "Prevent critical attacks."
config entries
edit 1
set severity medium high critical
set severity medium high critical
next
end
next
@ -11,7 +11,7 @@ config ips sensor
set comment "Monitor IPS attacks."
config entries
edit 1
set severity medium high critical
set severity medium high critical
next
end
next
@ -19,7 +19,7 @@ config ips sensor
set comment "Default configuration for offloading WiFi traffic."
config entries
edit 1
set severity medium high critical
set severity medium high critical
next
end
next
@ -27,8 +27,8 @@ config ips sensor
set block-malicious-url enable
config entries
edit 1
set location server
set severity medium high critical
set location server
set severity medium high critical
set action block
next
end
@ -38,9 +38,12 @@ config ips sensor
set scan-botnet-connections block
config entries
edit 1
set location client
set severity medium high critical
set location client
set severity medium high critical
next
end
next
end
config ips settings
set proxy-inline-ips disable
end

1
configs/fortigate/vdom_scsd/log.cfg
View File

@ -82,5 +82,4 @@ config log setting
set local-in-allow enable
set local-in-deny-unicast enable
set local-in-deny-broadcast enable
set local-out enable
end

1
configs/fortigate/vdom_scsd/router.cfg
View File

@ -202,6 +202,7 @@ config router static
set dst 172.30.44.0 255.255.254.0
set distance 253
set blackhole enable
set vrf 0
next
edit 30
set dst 10.11.0.0 255.255.240.0

13
configs/fortigate/vdom_scsd/switch-controller.cfg
View File

@ -26,6 +26,7 @@ config switch-controller security-policy 802-1X
set framevid-apply enable
set radius-timeout-overwrite disable
set authserver-timeout-vlan disable
set dacl disable
next
end
config switch-controller security-policy local-access
@ -170,6 +171,8 @@ config switch-controller storm-control-policy
next
end
config switch-controller auto-config policy
edit "pse"
next
edit "default"
next
edit "default-icl"
@ -208,12 +211,12 @@ config switch-controller switch-profile
edit "default"
next
end
config switch-controller ptp settings
set mode disable
end
config switch-controller ptp policy
config switch-controller ptp profile
edit "default"
next
end
config switch-controller ptp interface-policy
edit "default"
set status enable
next
end
config switch-controller remote-log

13
configs/fortigate/vdom_scsd/system.cfg
View File

@ -6,6 +6,7 @@ config system settings
set h323-direct-model enable
set gui-voip-profile enable
set gui-local-in-policy enable
set gui-sslvpn enable
set gui-wireless-controller disable
set gui-switch-controller disable
set gui-dnsfilter disable
@ -53,8 +54,8 @@ config system sdwan
next
edit "Default_Office_365"
set server "www.office.com"
set protocol http
set interval 1000
set protocol https
set interval 120000
set probe-timeout 1000
set recoverytime 10
config sla
@ -80,8 +81,8 @@ config system sdwan
next
edit "Default_Google Search"
set server "www.google.com"
set protocol http
set interval 1000
set protocol https
set interval 120000
set probe-timeout 1000
set recoverytime 10
config sla
@ -94,8 +95,8 @@ config system sdwan
next
edit "Default_FortiGuard"
set server "fortiguard.com"
set protocol http
set interval 1000
set protocol https
set interval 120000
set probe-timeout 1000
set recoverytime 10
config sla

2
configs/fortigate/vdom_scsd/user.cfg
View File

@ -5509,7 +5509,7 @@ end
config user local
edit "jorge-mike"
set type password
set passwd-time 2025-10-03 11:14:17
set passwd-time 2025-10-02 19:14:17
set passwd ENC *HIDDEN*
next
end

4
configs/fortigate/vdom_scsd/virtual-patch.cfg Normal file
View File

@ -0,0 +1,4 @@
config virtual-patch profile
edit "g-default"
next
end

4
configs/fortigate/vdom_scsd/voip.cfg
View File

@ -1,6 +1,8 @@
config voip profile
edit "default"
set comment "Default VoIP profile."
config sip
end
next
edit "strict"
config sip
@ -37,5 +39,7 @@ config voip profile
next
edit "parks_sip"
set comment "VoIP Profile for Parks SIP"
config sip
end
next
end

17
configs/fortigate/vdom_scsd/vpn.cfg
View File

@ -20,6 +20,11 @@ config vpn certificate local
set range global
set source factory
next
edit "Fortinet_GUI_Server"
set comments "This is the default CA certificate the SSL Inspection will use when generating new server certificates."
set range global
set source factory
next
edit "Fortinet_SSL_RSA1024"
set comments "This certificate is embedded in the hardware at the factory and is unique to this unit. "
set range global
@ -337,56 +342,48 @@ config vpn ssl web portal
edit "Obiwan_RDP"
set apptype rdp
set host "10.1.48.202"
set security any
set port 3389
set sso auto
next
edit "HanSolo_RDP"
set apptype rdp
set host "10.1.48.201"
set security any
set port 3389
set sso auto
next
edit "C3PO_RDP"
set apptype rdp
set host "10.1.48.133"
set security any
set port 3389
set sso auto
next
edit "Chewbacca_RDP"
set apptype rdp
set host "10.1.48.129"
set security any
set port 3389
set sso auto
next
edit "Skywalker_RDP"
set apptype rdp
set host "10.1.48.63"
set security any
set port 3389
set sso auto
next
edit "Yoda_RDP"
set apptype rdp
set host "10.1.48.103"
set security any
set port 3389
set sso auto
next
edit "MANDO_RDP"
set apptype rdp
set host "10.1.40.72"
set security any
set port 3389
set sso auto
next
edit "GROGU_RDP"
set apptype rdp
set host "10.1.40.224"
set security any
set port 3389
set sso auto
next
@ -545,14 +542,12 @@ config vpn ssl web portal
edit "411app"
set apptype rdp
set host "10.1.40.216"
set security any
set port 3389
set sso auto
next
edit "411sql"
set apptype rdp
set host "10.1.40.225"
set security any
set port 3389
set sso auto
next
@ -644,6 +639,7 @@ config vpn ssl web portal
next
end
config vpn ssl settings
set banned-cipher SHA1 SHA256 SHA384
set servercert "StarCert-Expire03202026"
set idle-timeout 3600
set auth-timeout 36000
@ -732,7 +728,6 @@ config vpn ssl web user-bookmark
edit "My_PC"
set apptype rdp
set host "10.1.7.137"
set security any
set port 3389
set sso auto
next

11
configs/fortigate/vdom_scsd/webfilter.cfg
View File

@ -511,17 +511,20 @@ config webfilter search-engine
set url "^\\/translate"
set query "u="
set safesearch translate
set safesearch-str "regex::(?:\\?|&)u=([^&]+)::\\1"
next
edit "g-google-translate-2"
set hostname ".*\\.translate\\.goog"
set url "^\\/"
set safesearch translate
set safesearch-str "case::google-translate"
next
edit "g-twitter"
set hostname "twitter\\.com"
set url "^\\/i\\/api\\/graphql\\/.*\\/UserByScreenName"
set query "variables="
set safesearch translate
set safesearch-str "regex::%22screen_name%22:%22([A-Za-z0-9_]{4,15})%22::twitter.com/\\1"
next
edit "g-vimeo"
set hostname ".*vimeo.*"
@ -538,7 +541,7 @@ config webfilter search-engine
next
edit "g-yandex"
set hostname "yandex\\..*"
set url "^\\/((yand|images\\/|video\\/)(search)|search\\/)\\?"
set url "^\\/((|yand|images\\/|video\\/)(search)|search\\/)\\?"
set query "text="
set safesearch url
set safesearch-str "&family=yes"
@ -571,12 +574,6 @@ config webfilter search-engine
set url "www.youtube.com/youtubei/v1/navigator"
set safesearch yt-scan
next
edit "translate"
set hostname "translate\\.google\\..*"
set url "^\\/translate\\?"
set query "u="
set safesearch translate
next
edit "yt-video"
set url "www.youtube.com/watch"
set safesearch yt-video