fortigate Thu Nov 13 08:46:12 PM EST 2025

John Poland 2025-11-13 20:46:12 -05:00
parent 7da70a743a
commit 926d98e6f8
51 changed files with 1068 additions and 366 deletions


@ -16,6 +16,11 @@ config certificate local
set comments "This certificate is embedded in the hardware at the factory and is unique to this unit. " set comments "This certificate is embedded in the hardware at the factory and is unique to this unit. "
set source factory set source factory
next next
edit "Fortinet_GUI_Server"
set password ENC *HIDDEN*
set comments "This is the default CA certificate the SSL Inspection will use when generating new server certificates."
set source factory
next
edit "Fortinet_SSL_RSA1024" edit "Fortinet_SSL_RSA1024"
set password ENC *HIDDEN* set password ENC *HIDDEN*
set comments "This certificate is embedded in the hardware at the factory and is unique to this unit. " set comments "This certificate is embedded in the hardware at the factory and is unique to this unit. "


@ -1,6 +1,37 @@
config dlp sensor config dlp data-type
edit "g-edm-keyword"
set pattern ".+"
set transform "/\\b\\0\\b/i"
next
edit "g-keyword"
set pattern "built-in"
next
edit "g-regex"
set pattern "built-in"
next
edit "g-hex"
set pattern "built-in"
next
edit "g-mip-label"
set pattern "^[[:xdigit:]]{8}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{12}$"
set transform "built-in"
next
edit "g-credit-card"
set pattern "\\b([2-6]{1}\\d{3})[- ]?(\\d{4})[- ]?(\\d{2})[- ]?(\\d{2})[- ]?(\\d{2,4})\\b"
set verify "builtin)credit-card"
set look-back 20
set transform "\\b\\1[- ]?\\2[- ]?\\3[- ]?\\4[- ]?\\5\\b"
next
edit "g-ssn-us"
set pattern "\\b(\\d{3})-(\\d{2})-(\\d{4})\\b"
set verify "(?<!-)\\b(?!666|000|9\\d{2})\\d{3}-(?!00)\\d{2}-(?!0{4})\\d{4}\\b(?!-)"
set look-back 12
set transform "\\b\\1-\\2-\\3\\b"
next
end
config dlp profile
edit "g-default" edit "g-default"
set comment "Default sensor." set comment "Default profile."
next next
edit "g-sniffer-profile" edit "g-sniffer-profile"
set comment "Log a summary of email and web traffic." set comment "Log a summary of email and web traffic."


@ -14,4 +14,8 @@ config endpoint-control fctems
next next
edit 5 edit 5
next next
edit 6
next
edit 7
next
end end


@ -5189,6 +5189,222 @@ config firewall internet-service-name
edit "Microsoft-Azure.Front.Door.MicrosoftSecurity" edit "Microsoft-Azure.Front.Door.MicrosoftSecurity"
set internet-service-id 328080 set internet-service-id 328080
next next
edit "Microsoft-Azure.Connectors"
set internet-service-id 327980
next
edit "Microsoft-Azure.Front.Door"
set internet-service-id 327993
next
edit "Microsoft-Azure.Service.Bus"
set internet-service-id 328007
next
edit "Microsoft-Azure.Microsoft.Defender"
set internet-service-id 328009
next
edit "Microsoft-Azure.Resource.Manager"
set internet-service-id 328013
next
edit "Microsoft-Azure.Arc.Infrastructure"
set internet-service-id 328014
next
edit "Microsoft-Azure.Storage"
set internet-service-id 328015
next
edit "Microsoft-Azure.ATP"
set internet-service-id 328016
next
edit "Microsoft-Azure.Traffic.Manager"
set internet-service-id 328017
next
edit "Microsoft-Azure.Windows.Admin.Center"
set internet-service-id 328018
next
edit "Microsoft-Azure.KeyVault"
set internet-service-id 328021
next
edit "Microsoft-Azure.Databricks"
set internet-service-id 328034
next
edit "Microsoft-Azure.Event.Hub"
set internet-service-id 328035
next
edit "Microsoft-Azure.Power.Platform"
set internet-service-id 328043
next
edit "Amazon-AWS.EBS"
set internet-service-id 393470
next
edit "Amazon-AWS.Cloud9"
set internet-service-id 393471
next
edit "Amazon-AWS.DynamoDB"
set internet-service-id 393472
next
edit "Amazon-AWS.Route53"
set internet-service-id 393473
next
edit "Amazon-AWS.S3"
set internet-service-id 393474
next
edit "Amazon-AWS.Kinesis.Video.Streams"
set internet-service-id 393475
next
edit "Amazon-AWS.Global.Accelerator"
set internet-service-id 393476
next
edit "Amazon-AWS.EC2"
set internet-service-id 393477
next
edit "Amazon-AWS.API.Gateway"
set internet-service-id 393478
next
edit "Amazon-AWS.Chime.Voice.Connector"
set internet-service-id 393479
next
edit "Amazon-AWS.Connect"
set internet-service-id 393480
next
edit "Amazon-AWS.CloudFront"
set internet-service-id 393481
next
edit "Amazon-AWS.CodeBuild"
set internet-service-id 393482
next
edit "Amazon-AWS.Chime.Meetings"
set internet-service-id 393483
next
edit "Amazon-AWS.AppFlow"
set internet-service-id 393484
next
edit "Salesforce-Hyperforce"
set internet-service-id 655738
next
edit "Fortinet-FortiMonitor"
set internet-service-id 1245558
next
edit "Tor-Tor.Node"
set internet-service-id 2818432
next
edit "OVHcloud-OVH.Telecom"
set internet-service-id 13828461
next
edit "Zero.Networks-Zero.Networks"
set internet-service-id 17891679
next
edit "EGI-EGI.Hosting.Service"
set internet-service-id 18022753
next
edit "ONYPHE-Scanner"
set internet-service-id 18088102
next
edit "Proofpoint-Proofpoint"
set internet-service-id 18153828
next
edit "Heimdal-Heimdal.Security"
set internet-service-id 18284902
next
edit "Yealink-Yealink.Meeting"
set internet-service-id 18350439
next
edit "Secomea-Secomea"
set internet-service-id 18415976
next
edit "CallTower-CT.Cloud"
set internet-service-id 18481513
next
edit "OpenAI-OpenAI.Bot"
set internet-service-id 18547052
next
edit "OpenAI-GPT.Actions"
set internet-service-id 18547073
next
edit "Alpemix-Alpemix"
set internet-service-id 18612590
next
edit "M247-M247.Hosting.Service"
set internet-service-id 18678127
next
edit "Quintex-Quintex.Hosting.Service"
set internet-service-id 18743664
next
edit "Aeza-Aeza.Hosting.Service"
set internet-service-id 18809201
next
edit "Amanah-Amanah.Hosting.Service"
set internet-service-id 18874738
next
edit "ByteDance-Lark"
set internet-service-id 18940275
next
edit "KnowBe4-KnowBe4"
set internet-service-id 19005812
next
edit "Keeper-Keeper.Security"
set internet-service-id 19071349
next
edit "NinjaOne-NinjaOne"
set internet-service-id 19136887
next
edit "Modat-Scanner"
set internet-service-id 19202214
next
edit "Make-Make.Platform"
set internet-service-id 19267963
next
edit "Cloudzy-Cloudzy.Hosting.Service"
set internet-service-id 19333501
next
edit "Nokia-Deepfield.Genome.Crawler"
set internet-service-id 19399038
next
edit "Neat-Neat.Cloud"
set internet-service-id 19464575
next
edit "Brightree-Brightree"
set internet-service-id 19530114
next
edit "PagerDuty-PagerDuty"
set internet-service-id 19595651
next
edit "JFrog-JFrog"
set internet-service-id 19661188
next
edit "Tailscale-Tailscale"
set internet-service-id 19726725
next
edit "Gamma-Horizon"
set internet-service-id 19792265
next
edit "Automox-Automox"
set internet-service-id 19857802
next
edit "Pulseway-Pulseway.RMM"
set internet-service-id 19923339
next
edit "3xK-3xK.Hosting.Service"
set internet-service-id 19988876
next
edit "ASEM-UBIQUITY"
set internet-service-id 20054413
next
edit "Dialpad-Dialpad"
set internet-service-id 20119950
next
edit "iboss-iboss.Cloud"
set internet-service-id 20185487
next
edit "Redstor-Redstor"
set internet-service-id 20251025
next
edit "Anthropic-Claude"
set internet-service-id 20382099
next
edit "NETLOCK-NETLOCK"
set internet-service-id 20578711
next
edit "Aircall-Aircall"
set internet-service-id 20906400
next
end end
config firewall internet-service-definition config firewall internet-service-definition
end end


@ -2,14 +2,16 @@ config system global
set admin-server-cert "Fortinet_Factory" set admin-server-cert "Fortinet_Factory"
set admintimeout 59 set admintimeout 59
set alias "FortiGate-2601F" set alias "FortiGate-2601F"
set gui-auto-upgrade-setup-warning disable
set gui-device-latitude "43.02974913459805" set gui-device-latitude "43.02974913459805"
set gui-device-longitude "-76.14486694335938" set gui-device-longitude "-76.14486694335938"
set hostname "noc-fortigate-a" set hostname "noc-fortigate-a"
set management-port-use-admin-sport disable set management-port-use-admin-sport disable
set remoteauthtimeout 120 set remoteauthtimeout 120
set revision-backup-on-logout enable set revision-backup-on-logout enable
set sslvpn-web-mode enable
set switch-controller enable set switch-controller enable
set timezone 12 set timezone "US/Eastern"
set vdom-mode multi-vdom set vdom-mode multi-vdom
end end
config system accprofile config system accprofile
@ -25,6 +27,10 @@ config system accprofile
set utmgrp read-write set utmgrp read-write
set wanoptgrp read-write set wanoptgrp read-write
set wifi read-write set wifi read-write
set cli-get enable
set cli-show enable
set cli-exec enable
set cli-config enable
next next
edit "NOC_Dashboard" edit "NOC_Dashboard"
set comments "For displaying info in Operations area" set comments "For displaying info in Operations area"
@ -40,7 +46,10 @@ config system accprofile
set wanoptgrp read set wanoptgrp read
set wifi read set wifi read
set admintimeout-override enable set admintimeout-override enable
set system-diagnostics disable set cli-get enable
set cli-show enable
set cli-exec enable
set cli-config enable
set admintimeout 0 set admintimeout 0
next next
edit "Read_Only" edit "Read_Only"
@ -55,6 +64,10 @@ config system accprofile
set utmgrp read set utmgrp read
set wanoptgrp read set wanoptgrp read
set wifi read set wifi read
set cli-get enable
set cli-show enable
set cli-exec enable
set cli-config enable
next next
end end
config system npu config system npu
@ -150,26 +163,22 @@ config system interface
set type physical set type physical
set alias "HA Port 1" set alias "HA Port 1"
set snmp-index 1 set snmp-index 1
set speed 10000auto
next next
edit "port2" edit "port2"
set vdom "root" set vdom "root"
set type physical set type physical
set alias "HA Port 2" set alias "HA Port 2"
set snmp-index 2 set snmp-index 2
set speed 10000auto
next next
edit "port3" edit "port3"
set vdom "root" set vdom "root"
set type physical set type physical
set snmp-index 3 set snmp-index 3
set speed 10000auto
next next
edit "port4" edit "port4"
set vdom "root" set vdom "root"
set type physical set type physical
set snmp-index 4 set snmp-index 4
set speed 10000auto
next next
edit "port5" edit "port5"
set vdom "scsd" set vdom "scsd"
@ -187,13 +196,11 @@ config system interface
set vdom "root" set vdom "root"
set type physical set type physical
set snmp-index 7 set snmp-index 7
set speed 10000auto
next next
edit "port8" edit "port8"
set vdom "root" set vdom "root"
set type physical set type physical
set snmp-index 8 set snmp-index 8
set speed 10000auto
next next
edit "port9" edit "port9"
set vdom "TEST" set vdom "TEST"
@ -201,7 +208,6 @@ config system interface
set type physical set type physical
set alias "LAN_Test" set alias "LAN_Test"
set snmp-index 9 set snmp-index 9
set speed 10000auto
next next
edit "port10" edit "port10"
set vdom "TEST" set vdom "TEST"
@ -209,43 +215,36 @@ config system interface
set type physical set type physical
set alias "WAN_Test" set alias "WAN_Test"
set snmp-index 10 set snmp-index 10
set speed 10000auto
next next
edit "port11" edit "port11"
set vdom "root" set vdom "root"
set type physical set type physical
set snmp-index 11 set snmp-index 11
set speed 10000auto
next next
edit "port12" edit "port12"
set vdom "root" set vdom "root"
set type physical set type physical
set snmp-index 12 set snmp-index 12
set speed 10000auto
next next
edit "port13" edit "port13"
set vdom "root" set vdom "root"
set type physical set type physical
set snmp-index 13 set snmp-index 13
set speed 10000auto
next next
edit "port14" edit "port14"
set vdom "root" set vdom "root"
set type physical set type physical
set snmp-index 14 set snmp-index 14
set speed 10000auto
next next
edit "port15" edit "port15"
set vdom "root" set vdom "root"
set type physical set type physical
set snmp-index 15 set snmp-index 15
set speed 10000auto
next next
edit "port16" edit "port16"
set vdom "root" set vdom "root"
set type physical set type physical
set snmp-index 16 set snmp-index 16
set speed 10000auto
next next
edit "port17" edit "port17"
set vdom "scsd" set vdom "scsd"
@ -457,23 +456,6 @@ config system interface
set alias "SSL VPN interface" set alias "SSL VPN interface"
set snmp-index 42 set snmp-index 42
next next
edit "naf.scsd"
set vdom "scsd"
set type tunnel
set src-check disable
set snmp-index 57
next
edit "l2t.scsd"
set vdom "scsd"
set type tunnel
set snmp-index 58
next
edit "ssl.scsd"
set vdom "scsd"
set type tunnel
set alias "SSL VPN interface"
set snmp-index 45
next
edit "naf.Policy" edit "naf.Policy"
set vdom "Policy" set vdom "Policy"
set type tunnel set type tunnel
@ -508,6 +490,23 @@ config system interface
set alias "SSL VPN interface" set alias "SSL VPN interface"
set snmp-index 47 set snmp-index 47
next next
edit "naf.scsd"
set vdom "scsd"
set type tunnel
set src-check disable
set snmp-index 57
next
edit "l2t.scsd"
set vdom "scsd"
set type tunnel
set snmp-index 58
next
edit "ssl.scsd"
set vdom "scsd"
set type tunnel
set alias "SSL VPN interface"
set snmp-index 45
next
edit "npu0_vlink0" edit "npu0_vlink0"
set vdom "root" set vdom "root"
set type physical set type physical
@ -532,9 +531,9 @@ config system interface
set tcp-mss 1379 set tcp-mss 1379
set remote-ip 169.254.69.217 255.255.255.252 set remote-ip 169.254.69.217 255.255.255.252
set snmp-index 48 set snmp-index 48
set interface "outside lag"
set mtu-override enable set mtu-override enable
set mtu 1427 set mtu 1427
set interface "outside lag"
next next
edit "SCHC" edit "SCHC"
set vdom "scsd" set vdom "scsd"
@ -550,9 +549,9 @@ config system interface
set tcp-mss 1379 set tcp-mss 1379
set remote-ip 169.254.54.77 255.255.255.252 set remote-ip 169.254.54.77 255.255.255.252
set snmp-index 59 set snmp-index 59
set interface "outside lag"
set mtu-override enable set mtu-override enable
set mtu 1427 set mtu 1427
set interface "outside lag"
next next
edit "inside lag" edit "inside lag"
set vdom "scsd" set vdom "scsd"
@ -597,9 +596,9 @@ config system interface
set tcp-mss 1379 set tcp-mss 1379
set remote-ip 169.254.242.193 255.255.255.252 set remote-ip 169.254.242.193 255.255.255.252
set snmp-index 63 set snmp-index 63
set interface "outside lag"
set mtu-override enable set mtu-override enable
set mtu 1427 set mtu 1427
set interface "outside lag"
next next
edit "Highstreet" edit "Highstreet"
set vdom "scsd" set vdom "scsd"
@ -609,9 +608,9 @@ config system interface
set tcp-mss 1379 set tcp-mss 1379
set remote-ip 169.254.117.221 255.255.255.252 set remote-ip 169.254.117.221 255.255.255.252
set snmp-index 65 set snmp-index 65
set interface "outside lag"
set mtu-override enable set mtu-override enable
set mtu 1427 set mtu 1427
set interface "outside lag"
next next
edit "Highstreet_2" edit "Highstreet_2"
set vdom "scsd" set vdom "scsd"
@ -622,9 +621,9 @@ config system interface
set tcp-mss 1379 set tcp-mss 1379
set remote-ip 169.254.13.85 255.255.255.252 set remote-ip 169.254.13.85 255.255.255.252
set snmp-index 66 set snmp-index 66
set interface "outside lag"
set mtu-override enable set mtu-override enable
set mtu 1427 set mtu 1427
set interface "outside lag"
next next
edit "DPS" edit "DPS"
set vdom "scsd" set vdom "scsd"
@ -763,11 +762,9 @@ config system dns
end end
config system replacemsg-image config system replacemsg-image
edit "logo_fnet" edit "logo_fnet"
set image-type gif
set image-base64 '' set image-base64 ''
next next
edit "logo_fguard_wf" edit "logo_fguard_wf"
set image-type gif
set image-base64 '' set image-base64 ''
next next
edit "logo_v3_fguard_app" edit "logo_v3_fguard_app"
@ -802,6 +799,8 @@ config system replacemsg http "https-untrusted-cert-block"
end end
config system replacemsg http "https-blocklisted-cert-block" config system replacemsg http "https-blocklisted-cert-block"
end end
config system replacemsg http "https-ech-block"
end
config system replacemsg http "switching-protocols-block" config system replacemsg http "switching-protocols-block"
end end
config system replacemsg http "http-antiphish-block" config system replacemsg http "http-antiphish-block"
@ -822,7 +821,43 @@ config system replacemsg webproxy "http-err"
end end
config system replacemsg webproxy "auth-ip-blackout" config system replacemsg webproxy "auth-ip-blackout"
end end
config system replacemsg webproxy "ztna-block" config system replacemsg webproxy "ztna-invalid-cert"
end
config system replacemsg webproxy "ztna-empty-cert"
end
config system replacemsg webproxy "ztna-manageable-empty-cert"
end
config system replacemsg webproxy "ztna-no-api-gwy-matched"
end
config system replacemsg webproxy "ztna-cant-find-real-srv"
end
config system replacemsg webproxy "ztna-fqdn-dns-failed"
end
config system replacemsg webproxy "ztna-ssl-bookmark-failed"
end
config system replacemsg webproxy "ztna-no-policy-matched"
end
config system replacemsg webproxy "ztna-matched-deny-policy"
end
config system replacemsg webproxy "ztna-client-cert-revoked"
end
config system replacemsg webproxy "ztna-denied-by-matched-tags"
end
config system replacemsg webproxy "ztna-denied-no-matched-tags"
end
config system replacemsg webproxy "ztna-no-dev-info"
end
config system replacemsg webproxy "ztna-dev-is-offline"
end
config system replacemsg webproxy "ztna-dev-is-unmanageable"
end
config system replacemsg webproxy "ztna-auth-fail"
end
config system replacemsg webproxy "casb-block"
end
config system replacemsg webproxy "swp-empty-cert"
end
config system replacemsg webproxy "swp-manageable-empty-cert"
end end
config system replacemsg ftp "ftp-explicit-banner" config system replacemsg ftp "ftp-explicit-banner"
end end
@ -842,7 +877,11 @@ config system replacemsg spam "smtp-spam-feip"
end end
config system replacemsg spam "smtp-spam-helo" config system replacemsg spam "smtp-spam-helo"
end end
config system replacemsg spam "smtp-spam-emailblock" config system replacemsg spam "smtp-spam-emailblock-to"
end
config system replacemsg spam "smtp-spam-emailblock-from"
end
config system replacemsg spam "smtp-spam-emailblock-subject"
end end
config system replacemsg spam "smtp-spam-mimeheader" config system replacemsg spam "smtp-spam-mimeheader"
end end
@ -962,6 +1001,8 @@ config system replacemsg utm "appblk-html"
end end
config system replacemsg utm "ipsblk-html" config system replacemsg utm "ipsblk-html"
end end
config system replacemsg utm "virpatchblk-html"
end
config system replacemsg utm "ipsfail-html" config system replacemsg utm "ipsfail-html"
end end
config system replacemsg utm "exe-text" config system replacemsg utm "exe-text"
@ -1014,11 +1055,26 @@ config system replacemsg utm "file-size-html"
end end
config system replacemsg utm "client-file-size-html" config system replacemsg utm "client-file-size-html"
end end
config system replacemsg utm "inline-scan-timeout-html"
end
config system replacemsg utm "inline-scan-timeout-text"
end
config system replacemsg utm "inline-scan-error-html"
end
config system replacemsg utm "inline-scan-error-text"
end
config system replacemsg utm "icap-block-text"
end
config system replacemsg utm "icap-error-text"
end
config system replacemsg utm "icap-http-error"
end
config system replacemsg icap "icap-req-resp" config system replacemsg icap "icap-req-resp"
end end
config system replacemsg automation "automation-email" config system replacemsg automation "automation-email"
end end
config system snmp sysinfo config system snmp sysinfo
set append-index enable
end end
config system central-management config system central-management
set type fortiguard set type fortiguard
@ -1031,10 +1087,6 @@ config system vdom-property
set description "property limits for vdom root" set description "property limits for vdom root"
set snmp-index 1 set snmp-index 1
next next
edit "scsd"
set description "property limits for vdom scsd"
set snmp-index 2
next
edit "Policy" edit "Policy"
set description "property limits for vdom Policy" set description "property limits for vdom Policy"
set snmp-index 4 set snmp-index 4
@ -1043,18 +1095,25 @@ config system vdom-property
set description "property limits for vdom TEST" set description "property limits for vdom TEST"
set snmp-index 3 set snmp-index 3
next next
edit "scsd"
set description "property limits for vdom scsd"
set snmp-index 2
next
end end
config system cluster-sync config system standalone-cluster
config cluster-peer
end
end end
config system fortiguard config system fortiguard
set fortiguard-anycast disable set fortiguard-anycast disable
set protocol udp set protocol udp
set port 53 set port 53
set update-server-location usa set update-server-location usa
set auto-firmware-upgrade disable
set sdns-server-ip "208.91.112.220" "173.243.140.53" "210.7.96.53" set sdns-server-ip "208.91.112.220" "173.243.140.53" "210.7.96.53"
end end
config system email-server config system email-server
set server "notification.fortinet.net" set server "fortinet-notifications.com"
set port 465 set port 465
set security smtps set security smtps
end end
@ -1176,7 +1235,7 @@ config system ntp
end end
end end
config system ftm-push config system ftm-push
set server-cert "Fortinet_Factory" set server-cert "Fortinet_GUI_Server"
end end
config system automation-trigger config system automation-trigger
edit "Network Down" edit "Network Down"
@ -1211,6 +1270,76 @@ config system automation-trigger
edit "Security Rating Notification" edit "Security Rating Notification"
set event-type security-rating-summary set event-type security-rating-summary
next next
edit "Local Cert Expired Notification"
set description "Default automation trigger configuration for when a local certificate is near expiration."
set event-type local-cert-near-expiry
next
edit "Compromised Host"
set description "An incident of compromise has been detected on a host endpoint."
next
edit "Any Security Rating Notification"
set description "A security rating summary report has been generated."
set event-type security-rating-summary
next
edit "AV & IPS DB update"
set description "The antivirus and IPS database has been updated."
set event-type virus-ips-db-updated
next
edit "Configuration Change"
set description "An administrator\'s session that changed a FortiGate\'s configuration has ended."
set event-type config-change
next
edit "Conserve Mode"
set description "A FortiGate has entered conserve mode due to low memory."
set event-type low-memory
next
edit "High CPU"
set description "A FortiGate has high CPU usage."
set event-type high-cpu
next
edit "License Expiry"
set description "A FortiGate license is near expiration."
set event-type license-near-expiry
set license-type any
next
edit "Anomaly Logs"
set description "An anomalous event has occurred."
set event-type anomaly-logs
next
edit "IPS Logs"
set description "An IPS event has occurred."
set event-type ips-logs
next
edit "SSH Logs"
set description "A SSH event has occurred."
set event-type ssh-logs
next
edit "Traffic Violation"
set description "A traffic policy has been violated."
set event-type traffic-violation
next
edit "Virus Logs"
set description "A virus event has occurred."
set event-type virus-logs
next
edit "Webfilter Violation"
set description "A webfilter policy has been violated."
set event-type webfilter-violation
next
edit "Admin Login"
set description "A FortiOS event with specified log ID has occurred."
set event-type event-log
set logid 32001
next
edit "Local Certificate Expiry"
set description "A local certificate is near expiration."
set event-type local-cert-near-expiry
next
edit "Auto Firmware upgrade"
set description "Automatic firmware upgrade."
set event-type event-log
set logid 22094 22095 32263
next
end end
config system automation-action config system automation-action
edit "Network Down_email" edit "Network Down_email"
@ -1240,6 +1369,54 @@ config system automation-action
edit "Compromised Host Quarantine_quarantine-forticlient" edit "Compromised Host Quarantine_quarantine-forticlient"
set action-type quarantine-forticlient set action-type quarantine-forticlient
next next
edit "Reboot FortiGate"
set description "Default automation action configuration for rebooting this FortiGate unit."
set action-type system-actions
set system-action reboot
set minimum-interval 300
next
edit "Shutdown FortiGate"
set description "Default automation action configuration for shuting down this FortiGate unit."
set action-type system-actions
set system-action shutdown
next
edit "Backup Config Disk"
set description "Default automation action configuration for backing up the configuration on disk."
set action-type system-actions
set system-action backup-config
next
edit "Access Layer Quarantine"
set description "Quarantine the MAC address on access layer devices (FortiSwitch and FortiAP)."
set action-type quarantine
next
edit "FortiClient Quarantine"
set description "Use FortiClient EMS to quarantine the endpoint device."
set action-type quarantine-forticlient
next
edit "FortiNAC Quarantine"
set description "Use FortiNAC to quarantine the endpoint device."
set action-type quarantine-fortinac
next
edit "IP Ban"
set description "Ban the IP address specified in the automation trigger event."
set action-type ban-ip
next
edit "FortiExplorer Notification"
set description "Send a notification to FortiExplorer mobile application."
set action-type fortiexplorer-notification
next
edit "Email Notification"
set description "Send a custom email notification to the FortiCare email address registered on this device."
set action-type email
set forticare-email enable
set email-subject "%%log.logdesc%%"
next
edit "CLI Script - System Status"
set description "Execute a CLI script to return the system status."
set action-type cli-script
set script "get system status"
set accprofile "super_admin_readonly"
next
end end
config system automation-stitch config system automation-stitch
edit "Network Down" edit "Network Down"
@ -1317,6 +1494,16 @@ config system automation-stitch
next next
end end
next next
edit "Firmware upgrade notification"
set description "Automatic firmware upgrade notification."
set trigger "Auto Firmware upgrade"
set condition-logic or
config actions
edit 1
set action "Email Notification"
next
end
next
end end
config system federated-upgrade config system federated-upgrade
set status disabled set status disabled
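Review bot: In the `config system accprofile` hunks, the `Read_Only` profile and the profile carrying `admintimeout-override enable` / `admintimeout 0` (which from the surrounding context appears to be `NOC_Dashboard`) now gain `set cli-exec enable` and `set cli-config enable`, which reads as granting CLI exec and config rights to profiles whose names and per-category `read` settings say read-only. These four `cli-*` lines look like firmware-upgrade defaults rather than a deliberate grant, but the same dashboard hunk also drops `set system-diagnostics disable` with no visible replacement, so the net effect on what a dashboard or read-only admin can run at the CLI should be confirmed against the new firmware's accprofile semantics before this backup is treated as the baseline. If the intent is read-only, `set cli-exec disable` and `set cli-config disable` on those two profiles is the conservative setting. Two other lines in this section deserve a glance for the same reason: the new default automation actions `Reboot FortiGate` and `Shutdown FortiGate` are added but not referenced by the only new stitch (`Firmware upgrade notification`), and `config system email-server` now points at `fortinet-notifications.com` instead of `notification.fortinet.net`, which may need an egress allow-list update.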


@ -0,0 +1,4 @@
config virtual-patch profile
edit "g-default"
next
end


@ -488,7 +488,7 @@ config webfilter search-engine
next next
edit "g-yandex" edit "g-yandex"
set hostname "yandex\\..*" set hostname "yandex\\..*"
set url "^\\/((yand|images\\/|video\\/)(search)|search\\/)\\?" set url "^\\/((|yand|images\\/|video\\/)(search)|search\\/)\\?"
set query "text=" set query "text="
set safesearch url set safesearch url
set safesearch-str "&family=yes" set safesearch-str "&family=yes"
@ -547,16 +547,19 @@ config webfilter search-engine
set url "^\\/i\\/api\\/graphql\\/.*\\/UserByScreenName" set url "^\\/i\\/api\\/graphql\\/.*\\/UserByScreenName"
set query "variables=" set query "variables="
set safesearch translate set safesearch translate
set safesearch-str "regex::%22screen_name%22:%22([A-Za-z0-9_]{4,15})%22::twitter.com/\\1"
next next
edit "g-google-translate-1" edit "g-google-translate-1"
set hostname "translate\\.google\\..*" set hostname "translate\\.google\\..*"
set url "^\\/translate" set url "^\\/translate"
set query "u=" set query "u="
set safesearch translate set safesearch translate
set safesearch-str "regex::(?:\\?|&)u=([^&]+)::\\1"
next next
edit "g-google-translate-2" edit "g-google-translate-2"
set hostname ".*\\.translate\\.goog" set hostname ".*\\.translate\\.goog"
set url "^\\/" set url "^\\/"
set safesearch translate set safesearch translate
set safesearch-str "case::google-translate"
next next
end end


@ -0,0 +1,8 @@
config casb saas-application
end
config casb user-activity
end
config casb profile
edit "default"
next
end


@ -1,3 +1,34 @@
config dlp data-type
edit "g-credit-card"
set pattern "\\b([2-6]{1}\\d{3})[- ]?(\\d{4})[- ]?(\\d{2})[- ]?(\\d{2})[- ]?(\\d{2,4})\\b"
set verify "builtin)credit-card"
set look-back 20
set transform "\\b\\1[- ]?\\2[- ]?\\3[- ]?\\4[- ]?\\5\\b"
next
edit "g-edm-keyword"
set pattern ".+"
set transform "/\\b\\0\\b/i"
next
edit "g-hex"
set pattern "built-in"
next
edit "g-keyword"
set pattern "built-in"
next
edit "g-mip-label"
set pattern "^[[:xdigit:]]{8}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{12}$"
set transform "built-in"
next
edit "g-regex"
set pattern "built-in"
next
edit "g-ssn-us"
set pattern "\\b(\\d{3})-(\\d{2})-(\\d{4})\\b"
set verify "(?<!-)\\b(?!666|000|9\\d{2})\\d{3}-(?!00)\\d{2}-(?!0{4})\\d{4}\\b(?!-)"
set look-back 12
set transform "\\b\\1-\\2-\\3\\b"
next
end
config dlp filepattern config dlp filepattern
edit 1 edit 1
set name "builtin-patterns" set name "builtin-patterns"
@ -70,9 +101,9 @@ config dlp sensitivity
edit "Warning" edit "Warning"
next next
end end
config dlp sensor config dlp profile
edit "g-default" edit "g-default"
set comment "Default sensor." set comment "Default profile."
next next
edit "g-sniffer-profile" edit "g-sniffer-profile"
set comment "Log a summary of email and web traffic." set comment "Log a summary of email and web traffic."


@ -1,4 +1,12 @@
config firewall address config firewall address
edit "EMS_ALL_UNKNOWN_CLIENTS"
set type dynamic
set sub-type ems-tag
next
edit "EMS_ALL_UNMANAGEABLE_CLIENTS"
set type dynamic
set sub-type ems-tag
next
edit "none" edit "none"
set subnet 0.0.0.0 255.255.255.255 set subnet 0.0.0.0 255.255.255.255
next next
@ -217,6 +225,22 @@ config firewall service category
next next
end end
config firewall service custom config firewall service custom
edit "ALL"
set category "General"
set protocol IP
next
edit "FTP"
set category "File Access"
set tcp-portrange 21
next
edit "FTP_GET"
set category "File Access"
set tcp-portrange 21
next
edit "FTP_PUT"
set category "File Access"
set tcp-portrange 21
next
edit "DNS" edit "DNS"
set category "Network Services" set category "Network Services"
set tcp-portrange 53 set tcp-portrange 53
@ -280,22 +304,6 @@ config firewall service custom
set category "File Access" set category "File Access"
set tcp-portrange 445 set tcp-portrange 445
next next
edit "FTP"
set category "File Access"
set tcp-portrange 21
next
edit "FTP_GET"
set category "File Access"
set tcp-portrange 21
next
edit "FTP_PUT"
set category "File Access"
set tcp-portrange 21
next
edit "ALL"
set category "General"
set protocol IP
next
edit "ALL_TCP" edit "ALL_TCP"
set category "General" set category "General"
set tcp-portrange 1-65535 set tcp-portrange 1-65535
@ -330,7 +338,6 @@ config firewall service custom
set protocol-number 50 set protocol-number 50
next next
edit "AOL" edit "AOL"
set visibility disable
set tcp-portrange 5190-5194 set tcp-portrange 5190-5194
next next
edit "BGP" edit "BGP"
@ -342,11 +349,9 @@ config firewall service custom
set udp-portrange 67-68 set udp-portrange 67-68
next next
edit "FINGER" edit "FINGER"
set visibility disable
set tcp-portrange 79 set tcp-portrange 79
next next
edit "GOPHER" edit "GOPHER"
set visibility disable
set tcp-portrange 70 set tcp-portrange 70
next next
edit "H323" edit "H323"
@ -359,7 +364,6 @@ config firewall service custom
set udp-portrange 500 4500 set udp-portrange 500 4500
next next
edit "Internet-Locator-Service" edit "Internet-Locator-Service"
set visibility disable
set tcp-portrange 389 set tcp-portrange 389
next next
edit "IRC" edit "IRC"
@ -372,7 +376,6 @@ config firewall service custom
set udp-portrange 1701 set udp-portrange 1701
next next
edit "NetMeeting" edit "NetMeeting"
set visibility disable
set tcp-portrange 1720 set tcp-portrange 1720
next next
edit "NFS" edit "NFS"
@ -381,7 +384,6 @@ config firewall service custom
set udp-portrange 111 2049 set udp-portrange 111 2049
next next
edit "NNTP" edit "NNTP"
set visibility disable
set tcp-portrange 119 set tcp-portrange 119
next next
edit "NTP" edit "NTP"
@ -407,19 +409,16 @@ config firewall service custom
next next
edit "TIMESTAMP" edit "TIMESTAMP"
set protocol ICMP set protocol ICMP
set visibility disable
set icmptype 13 set icmptype 13
unset icmpcode unset icmpcode
next next
edit "INFO_REQUEST" edit "INFO_REQUEST"
set protocol ICMP set protocol ICMP
set visibility disable
set icmptype 15 set icmptype 15
unset icmpcode unset icmpcode
next next
edit "INFO_ADDRESS" edit "INFO_ADDRESS"
set protocol ICMP set protocol ICMP
set visibility disable
set icmptype 17 set icmptype 17
unset icmpcode unset icmpcode
next next
@ -433,15 +432,12 @@ config firewall service custom
set tcp-portrange 1723 set tcp-portrange 1723
next next
edit "QUAKE" edit "QUAKE"
set visibility disable
set udp-portrange 26000 27000 27910 27960 set udp-portrange 26000 27000 27910 27960
next next
edit "RAUDIO" edit "RAUDIO"
set visibility disable
set udp-portrange 7070 set udp-portrange 7070
next next
edit "REXEC" edit "REXEC"
set visibility disable
set tcp-portrange 512 set tcp-portrange 512
next next
edit "RIP" edit "RIP"
@ -449,11 +445,9 @@ config firewall service custom
set udp-portrange 520 set udp-portrange 520
next next
edit "RLOGIN" edit "RLOGIN"
set visibility disable
set tcp-portrange 513:512-1023 set tcp-portrange 513:512-1023
next next
edit "RSH" edit "RSH"
set visibility disable
set tcp-portrange 514:512-1023 set tcp-portrange 514:512-1023
next next
edit "SCCP" edit "SCCP"
@ -483,7 +477,6 @@ config firewall service custom
set udp-portrange 514 set udp-portrange 514
next next
edit "TALK" edit "TALK"
set visibility disable
set udp-portrange 517-518 set udp-portrange 517-518
next next
edit "TELNET" edit "TELNET"
@ -495,23 +488,18 @@ config firewall service custom
set udp-portrange 69 set udp-portrange 69
next next
edit "MGCP" edit "MGCP"
set visibility disable
set udp-portrange 2427 2727 set udp-portrange 2427 2727
next next
edit "UUCP" edit "UUCP"
set visibility disable
set tcp-portrange 540 set tcp-portrange 540
next next
edit "VDOLIVE" edit "VDOLIVE"
set visibility disable
set tcp-portrange 7000-7010 set tcp-portrange 7000-7010
next next
edit "WAIS" edit "WAIS"
set visibility disable
set tcp-portrange 210 set tcp-portrange 210
next next
edit "WINFRAME" edit "WINFRAME"
set visibility disable
set tcp-portrange 1494 2598 set tcp-portrange 1494 2598
next next
edit "X-WINDOWS" edit "X-WINDOWS"
@ -520,7 +508,6 @@ config firewall service custom
next next
edit "PING6" edit "PING6"
set protocol ICMP6 set protocol ICMP6
set visibility disable
set icmptype 128 set icmptype 128
unset icmpcode unset icmpcode
next next
@ -563,11 +550,9 @@ config firewall service custom
set udp-portrange 1812 1813 set udp-portrange 1812 1813
next next
edit "RADIUS-OLD" edit "RADIUS-OLD"
set visibility disable
set udp-portrange 1645 1646 set udp-portrange 1645 1646
next next
edit "CVSPSERVER" edit "CVSPSERVER"
set visibility disable
set tcp-portrange 2401 set tcp-portrange 2401
set udp-portrange 2401 set udp-portrange 2401
next next
@ -586,12 +571,10 @@ config firewall service custom
set udp-portrange 554 set udp-portrange 554
next next
edit "MMS" edit "MMS"
set visibility disable
set tcp-portrange 1755 set tcp-portrange 1755
set udp-portrange 1024-5000 set udp-portrange 1024-5000
next next
edit "NONE" edit "NONE"
set visibility disable
set tcp-portrange 0 set tcp-portrange 0
next next
edit "webproxy" edit "webproxy"
@ -639,6 +622,16 @@ config firewall shaper traffic-shaper
set maximum-bandwidth 1024 set maximum-bandwidth 1024
next next
end end
config firewall proxy-address
edit "IPv4-address"
set type host-regex
set host-regex "^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\.([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])){3}$"
next
edit "IPv6-address"
set type host-regex
set host-regex "^\\[(([0-9a-f]{0,4}:){1,7}[0-9a-f]{1,4})\\]$"
next
end
config firewall schedule recurring config firewall schedule recurring
edit "always" edit "always"
set day sunday monday tuesday wednesday thursday friday saturday set day sunday monday tuesday wednesday thursday friday saturday
@ -747,6 +740,7 @@ config firewall ssl-ssh-profile
config https config https
set ports 443 set ports 443
set status certificate-inspection set status certificate-inspection
set quic inspect
set unsupported-ssl-version allow set unsupported-ssl-version allow
end end
config ftps config ftps
@ -771,6 +765,7 @@ config firewall ssl-ssh-profile
end end
config dot config dot
set status disable set status disable
set quic inspect
end end
next next
edit "deep-inspection" edit "deep-inspection"
@ -778,6 +773,7 @@ config firewall ssl-ssh-profile
config https config https
set ports 443 set ports 443
set status deep-inspection set status deep-inspection
set quic inspect
set unsupported-ssl-version allow set unsupported-ssl-version allow
end end
config ftps config ftps
@ -806,6 +802,7 @@ config firewall ssl-ssh-profile
end end
config dot config dot
set status disable set status disable
set quic inspect
end end
config ssl-exempt config ssl-exempt
edit 1 edit 1
@ -941,6 +938,7 @@ config firewall ssl-ssh-profile
config https config https
set ports 443 set ports 443
set status deep-inspection set status deep-inspection
set quic inspect
set unsupported-ssl-version allow set unsupported-ssl-version allow
end end
config ftps config ftps
@ -969,6 +967,7 @@ config firewall ssl-ssh-profile
end end
config dot config dot
set status disable set status disable
set quic inspect
end end
config ssl-exempt config ssl-exempt
edit 1 edit 1
@ -1103,6 +1102,7 @@ config firewall ssl-ssh-profile
set comment "Read-only profile that does no inspection." set comment "Read-only profile that does no inspection."
config https config https
set status disable set status disable
set quic bypass
set unsupported-ssl-version allow set unsupported-ssl-version allow
end end
config ftps config ftps
@ -1127,6 +1127,7 @@ config firewall ssl-ssh-profile
end end
config dot config dot
set status disable set status disable
set quic bypass
end end
next next
end end


@ -26,6 +26,7 @@ config switch-controller security-policy 802-1X
set framevid-apply enable set framevid-apply enable
set radius-timeout-overwrite disable set radius-timeout-overwrite disable
set authserver-timeout-vlan disable set authserver-timeout-vlan disable
set dacl disable
next next
end end
config switch-controller security-policy local-access config switch-controller security-policy local-access
@ -170,6 +171,8 @@ config switch-controller storm-control-policy
next next
end end
config switch-controller auto-config policy config switch-controller auto-config policy
edit "pse"
next
edit "default" edit "default"
next next
edit "default-icl" edit "default-icl"
@ -208,12 +211,12 @@ config switch-controller switch-profile
edit "default" edit "default"
next next
end end
config switch-controller ptp settings config switch-controller ptp profile
set mode disable edit "default"
end next
config switch-controller ptp policy end
config switch-controller ptp interface-policy
edit "default" edit "default"
set status enable
next next
end end
config switch-controller remote-log config switch-controller remote-log


@ -6,6 +6,7 @@ config system settings
set comments "Test VDOM for Policy-based" set comments "Test VDOM for Policy-based"
set ngfw-mode policy-based set ngfw-mode policy-based
set h323-direct-model enable set h323-direct-model enable
set default-app-port-as-service disable
end end
config system replacemsg-group config system replacemsg-group
edit "default" edit "default"
@ -33,8 +34,8 @@ config system sdwan
next next
edit "Default_Office_365" edit "Default_Office_365"
set server "www.office.com" set server "www.office.com"
set protocol http set protocol https
set interval 1000 set interval 120000
set probe-timeout 1000 set probe-timeout 1000
set recoverytime 10 set recoverytime 10
config sla config sla
@ -60,8 +61,8 @@ config system sdwan
next next
edit "Default_Google Search" edit "Default_Google Search"
set server "www.google.com" set server "www.google.com"
set protocol http set protocol https
set interval 1000 set interval 120000
set probe-timeout 1000 set probe-timeout 1000
set recoverytime 10 set recoverytime 10
config sla config sla
@ -74,8 +75,8 @@ config system sdwan
next next
edit "Default_FortiGuard" edit "Default_FortiGuard"
set server "fortiguard.com" set server "fortiguard.com"
set protocol http set protocol https
set interval 1000 set interval 120000
set probe-timeout 1000 set probe-timeout 1000
set recoverytime 10 set recoverytime 10
config sla config sla
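Review bot: The three SD-WAN health checks Default_Office_365, Default_Google Search and Default_FortiGuard now probe every 120000 ms instead of 1000 ms while `set probe-timeout 1000` is unchanged, so a failed path can take up to two minutes longer to fall out of SLA and be steered around; if any SD-WAN rule depends on these checks for failover, confirm that detection latency is acceptable. Moving the probe from `http` to `https` is the better choice, since a plain-http probe can be answered by a captive portal or interception proxy and report a path healthy when it is not. If 120000 is simply the value the new firmware prints as its default, a sentence in the commit description saying so would stop the next reader from treating it as deliberate tuning. The same three hunks recur in the second copy of this file (`@ -40,8 +40,8 @@ config system sdwan` onwards); the enclosing `config system sdwan` block starts and ends outside each hunk.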


@ -0,0 +1,4 @@
config virtual-patch profile
edit "g-default"
next
end


@ -16,6 +16,11 @@ config vpn certificate local
set range global set range global
set source factory set source factory
next next
edit "Fortinet_GUI_Server"
set comments "This is the default CA certificate the SSL Inspection will use when generating new server certificates."
set range global
set source factory
next
edit "Fortinet_SSL_RSA1024" edit "Fortinet_SSL_RSA1024"
set comments "This certificate is embedded in the hardware at the factory and is unique to this unit. " set comments "This certificate is embedded in the hardware at the factory and is unique to this unit. "
set range global set range global
@ -294,6 +299,7 @@ config vpn ssl web portal
next next
end end
config vpn ssl settings config vpn ssl settings
set banned-cipher SHA1 SHA256 SHA384
set servercert "Fortinet_Factory" set servercert "Fortinet_Factory"
set port 443 set port 443
end end
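Review bot: The comment on the new `Fortinet_GUI_Server` entry, "This is the default CA certificate the SSL Inspection will use when generating new server certificates.", describes a CA certificate while the name indicates the GUI's server certificate; even if the text is factory-generated, note in the commit description that it is misleading so nobody later configures SSL inspection to sign with this entry. `set banned-cipher SHA1 SHA256 SHA384` under `config vpn ssl settings` appears to exclude the cipher suites that use those hash-based MACs from the SSL VPN listener, leaving the AEAD suites; that is sound hardening, but clients limited to CBC/HMAC suites will fail the handshake, so the change deserves a line of rationale. The `config vpn ssl settings` hunk also still serves the factory `Fortinet_Factory` certificate, which predates this commit and is not changed here. Both hunks repeat in the second copy of this file (`@ -16,6 +16,11 @@ config vpn certificate local` and `@ -294,6 +299,7 @@ config vpn ssl web portal`).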


@ -56,17 +56,20 @@ config webfilter search-engine
set url "^\\/translate" set url "^\\/translate"
set query "u=" set query "u="
set safesearch translate set safesearch translate
set safesearch-str "regex::(?:\\?|&)u=([^&]+)::\\1"
next next
edit "g-google-translate-2" edit "g-google-translate-2"
set hostname ".*\\.translate\\.goog" set hostname ".*\\.translate\\.goog"
set url "^\\/" set url "^\\/"
set safesearch translate set safesearch translate
set safesearch-str "case::google-translate"
next next
edit "g-twitter" edit "g-twitter"
set hostname "twitter\\.com" set hostname "twitter\\.com"
set url "^\\/i\\/api\\/graphql\\/.*\\/UserByScreenName" set url "^\\/i\\/api\\/graphql\\/.*\\/UserByScreenName"
set query "variables=" set query "variables="
set safesearch translate set safesearch translate
set safesearch-str "regex::%22screen_name%22:%22([A-Za-z0-9_]{4,15})%22::twitter.com/\\1"
next next
edit "g-vimeo" edit "g-vimeo"
set hostname ".*vimeo.*" set hostname ".*vimeo.*"
@ -83,7 +86,7 @@ config webfilter search-engine
next next
edit "g-yandex" edit "g-yandex"
set hostname "yandex\\..*" set hostname "yandex\\..*"
set url "^\\/((yand|images\\/|video\\/)(search)|search\\/)\\?" set url "^\\/((|yand|images\\/|video\\/)(search)|search\\/)\\?"
set query "text=" set query "text="
set safesearch url set safesearch url
set safesearch-str "&family=yes" set safesearch-str "&family=yes"
@ -116,12 +119,6 @@ config webfilter search-engine
set url "www.youtube.com/youtubei/v1/navigator" set url "www.youtube.com/youtubei/v1/navigator"
set safesearch yt-scan set safesearch yt-scan
next next
edit "translate"
set hostname "translate\\.google\\..*"
set url "^\\/translate\\?"
set query "u="
set safesearch translate
next
edit "yt-video" edit "yt-video"
set url "www.youtube.com/watch" set url "www.youtube.com/watch"
set safesearch yt-video set safesearch yt-video
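Review bot: The rewritten `g-yandex` url regex `^\\/((|yand|images\\/|video\\/)(search)|search\\/)\\?` uses an empty first alternative to admit a bare `/search?`, which is easy to misread as a typo; the optional-group form `^\\/((yand|images\\/|video\\/)?(search)|search\\/)\\?` matches the same strings and states the intent. The removal of the stand-alone `translate` entry looks intentional given that `g-google-translate` in the first hunk now carries `set safesearch-str "regex::(?:\\?|&)u=([^&]+)::\\1"`, but the description should say the older entry is superseded rather than dropped. The same hunks appear again in the second copy of this file (`@ -511,17 +511,20 @@ config webfilter search-engine` onwards).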


@ -0,0 +1,8 @@
config casb saas-application
end
config casb user-activity
end
config casb profile
edit "default"
next
end


@ -1,3 +1,34 @@
config dlp data-type
edit "g-credit-card"
set pattern "\\b([2-6]{1}\\d{3})[- ]?(\\d{4})[- ]?(\\d{2})[- ]?(\\d{2})[- ]?(\\d{2,4})\\b"
set verify "builtin)credit-card"
set look-back 20
set transform "\\b\\1[- ]?\\2[- ]?\\3[- ]?\\4[- ]?\\5\\b"
next
edit "g-edm-keyword"
set pattern ".+"
set transform "/\\b\\0\\b/i"
next
edit "g-hex"
set pattern "built-in"
next
edit "g-keyword"
set pattern "built-in"
next
edit "g-mip-label"
set pattern "^[[:xdigit:]]{8}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{12}$"
set transform "built-in"
next
edit "g-regex"
set pattern "built-in"
next
edit "g-ssn-us"
set pattern "\\b(\\d{3})-(\\d{2})-(\\d{4})\\b"
set verify "(?<!-)\\b(?!666|000|9\\d{2})\\d{3}-(?!00)\\d{2}-(?!0{4})\\d{4}\\b(?!-)"
set look-back 12
set transform "\\b\\1-\\2-\\3\\b"
next
end
config dlp filepattern config dlp filepattern
edit 1 edit 1
set name "builtin-patterns" set name "builtin-patterns"
@ -70,9 +101,9 @@ config dlp sensitivity
edit "Warning" edit "Warning"
next next
end end
config dlp sensor config dlp profile
edit "g-default" edit "g-default"
set comment "Default sensor." set comment "Default profile."
next next
edit "g-sniffer-profile" edit "g-sniffer-profile"
set comment "Log a summary of email and web traffic." set comment "Log a summary of email and web traffic."
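Review bot: `set verify "builtin)credit-card"` on the `g-credit-card` data-type contains an unbalanced parenthesis, whereas `set verify` on `g-ssn-us` is an ordinary regex; if `builtin)credit-card` is the platform's literal token for its built-in card-number verifier it must stay as is, but if it is a typo the verify step is likely rejected or ineffective and the rule would match on the `pattern` regex alone, producing more false positives. Please confirm the value against the device's CLI reference before accepting the backup unchanged. The identical value appears in the second copy of this file (`@ -1,3 +1,81 @@ config dlp data-type`).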


@ -1,4 +1,12 @@
config firewall address config firewall address
edit "EMS_ALL_UNKNOWN_CLIENTS"
set type dynamic
set sub-type ems-tag
next
edit "EMS_ALL_UNMANAGEABLE_CLIENTS"
set type dynamic
set sub-type ems-tag
next
edit "none" edit "none"
set subnet 0.0.0.0 255.255.255.255 set subnet 0.0.0.0 255.255.255.255
next next
@ -248,6 +256,22 @@ config firewall service category
next next
end end
config firewall service custom config firewall service custom
edit "ALL"
set category "General"
set protocol IP
next
edit "FTP"
set category "File Access"
set tcp-portrange 21
next
edit "FTP_GET"
set category "File Access"
set tcp-portrange 21
next
edit "FTP_PUT"
set category "File Access"
set tcp-portrange 21
next
edit "DNS" edit "DNS"
set category "Network Services" set category "Network Services"
set tcp-portrange 53 set tcp-portrange 53
@ -311,22 +335,6 @@ config firewall service custom
set category "File Access" set category "File Access"
set tcp-portrange 445 set tcp-portrange 445
next next
edit "FTP"
set category "File Access"
set tcp-portrange 21
next
edit "FTP_GET"
set category "File Access"
set tcp-portrange 21
next
edit "FTP_PUT"
set category "File Access"
set tcp-portrange 21
next
edit "ALL"
set category "General"
set protocol IP
next
edit "ALL_TCP" edit "ALL_TCP"
set category "General" set category "General"
set tcp-portrange 1-65535 set tcp-portrange 1-65535
@ -361,7 +369,6 @@ config firewall service custom
set protocol-number 50 set protocol-number 50
next next
edit "AOL" edit "AOL"
set visibility disable
set tcp-portrange 5190-5194 set tcp-portrange 5190-5194
next next
edit "BGP" edit "BGP"
@ -373,11 +380,9 @@ config firewall service custom
set udp-portrange 67-68 set udp-portrange 67-68
next next
edit "FINGER" edit "FINGER"
set visibility disable
set tcp-portrange 79 set tcp-portrange 79
next next
edit "GOPHER" edit "GOPHER"
set visibility disable
set tcp-portrange 70 set tcp-portrange 70
next next
edit "H323" edit "H323"
@ -390,7 +395,6 @@ config firewall service custom
set udp-portrange 500 4500 set udp-portrange 500 4500
next next
edit "Internet-Locator-Service" edit "Internet-Locator-Service"
set visibility disable
set tcp-portrange 389 set tcp-portrange 389
next next
edit "IRC" edit "IRC"
@ -403,7 +407,6 @@ config firewall service custom
set udp-portrange 1701 set udp-portrange 1701
next next
edit "NetMeeting" edit "NetMeeting"
set visibility disable
set tcp-portrange 1720 set tcp-portrange 1720
next next
edit "NFS" edit "NFS"
@ -412,7 +415,6 @@ config firewall service custom
set udp-portrange 111 2049 set udp-portrange 111 2049
next next
edit "NNTP" edit "NNTP"
set visibility disable
set tcp-portrange 119 set tcp-portrange 119
next next
edit "NTP" edit "NTP"
@ -438,19 +440,16 @@ config firewall service custom
next next
edit "TIMESTAMP" edit "TIMESTAMP"
set protocol ICMP set protocol ICMP
set visibility disable
set icmptype 13 set icmptype 13
unset icmpcode unset icmpcode
next next
edit "INFO_REQUEST" edit "INFO_REQUEST"
set protocol ICMP set protocol ICMP
set visibility disable
set icmptype 15 set icmptype 15
unset icmpcode unset icmpcode
next next
edit "INFO_ADDRESS" edit "INFO_ADDRESS"
set protocol ICMP set protocol ICMP
set visibility disable
set icmptype 17 set icmptype 17
unset icmpcode unset icmpcode
next next
@ -464,15 +463,12 @@ config firewall service custom
set tcp-portrange 1723 set tcp-portrange 1723
next next
edit "QUAKE" edit "QUAKE"
set visibility disable
set udp-portrange 26000 27000 27910 27960 set udp-portrange 26000 27000 27910 27960
next next
edit "RAUDIO" edit "RAUDIO"
set visibility disable
set udp-portrange 7070 set udp-portrange 7070
next next
edit "REXEC" edit "REXEC"
set visibility disable
set tcp-portrange 512 set tcp-portrange 512
next next
edit "RIP" edit "RIP"
@ -480,11 +476,9 @@ config firewall service custom
set udp-portrange 520 set udp-portrange 520
next next
edit "RLOGIN" edit "RLOGIN"
set visibility disable
set tcp-portrange 513:512-1023 set tcp-portrange 513:512-1023
next next
edit "RSH" edit "RSH"
set visibility disable
set tcp-portrange 514:512-1023 set tcp-portrange 514:512-1023
next next
edit "SCCP" edit "SCCP"
@ -514,7 +508,6 @@ config firewall service custom
set udp-portrange 514 set udp-portrange 514
next next
edit "TALK" edit "TALK"
set visibility disable
set udp-portrange 517-518 set udp-portrange 517-518
next next
edit "TELNET" edit "TELNET"
@ -526,23 +519,18 @@ config firewall service custom
set udp-portrange 69 set udp-portrange 69
next next
edit "MGCP" edit "MGCP"
set visibility disable
set udp-portrange 2427 2727 set udp-portrange 2427 2727
next next
edit "UUCP" edit "UUCP"
set visibility disable
set tcp-portrange 540 set tcp-portrange 540
next next
edit "VDOLIVE" edit "VDOLIVE"
set visibility disable
set tcp-portrange 7000-7010 set tcp-portrange 7000-7010
next next
edit "WAIS" edit "WAIS"
set visibility disable
set tcp-portrange 210 set tcp-portrange 210
next next
edit "WINFRAME" edit "WINFRAME"
set visibility disable
set tcp-portrange 1494 2598 set tcp-portrange 1494 2598
next next
edit "X-WINDOWS" edit "X-WINDOWS"
@ -551,7 +539,6 @@ config firewall service custom
next next
edit "PING6" edit "PING6"
set protocol ICMP6 set protocol ICMP6
set visibility disable
set icmptype 128 set icmptype 128
unset icmpcode unset icmpcode
next next
@ -594,11 +581,9 @@ config firewall service custom
set udp-portrange 1812 1813 set udp-portrange 1812 1813
next next
edit "RADIUS-OLD" edit "RADIUS-OLD"
set visibility disable
set udp-portrange 1645 1646 set udp-portrange 1645 1646
next next
edit "CVSPSERVER" edit "CVSPSERVER"
set visibility disable
set tcp-portrange 2401 set tcp-portrange 2401
set udp-portrange 2401 set udp-portrange 2401
next next
@ -617,12 +602,10 @@ config firewall service custom
set udp-portrange 554 set udp-portrange 554
next next
edit "MMS" edit "MMS"
set visibility disable
set tcp-portrange 1755 set tcp-portrange 1755
set udp-portrange 1024-5000 set udp-portrange 1024-5000
next next
edit "NONE" edit "NONE"
set visibility disable
set tcp-portrange 0 set tcp-portrange 0
next next
edit "webproxy" edit "webproxy"
@ -670,6 +653,16 @@ config firewall shaper traffic-shaper
set maximum-bandwidth 1024 set maximum-bandwidth 1024
next next
end end
config firewall proxy-address
edit "IPv4-address"
set type host-regex
set host-regex "^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\.([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])){3}$"
next
edit "IPv6-address"
set type host-regex
set host-regex "^\\[(([0-9a-f]{0,4}:){1,7}[0-9a-f]{1,4})\\]$"
next
end
config firewall schedule recurring config firewall schedule recurring
edit "always" edit "always"
set day sunday monday tuesday wednesday thursday friday saturday set day sunday monday tuesday wednesday thursday friday saturday
@ -791,6 +784,7 @@ config firewall ssl-ssh-profile
config https config https
set ports 443 set ports 443
set status certificate-inspection set status certificate-inspection
set quic inspect
set unsupported-ssl-version allow set unsupported-ssl-version allow
end end
config ftps config ftps
@ -815,6 +809,7 @@ config firewall ssl-ssh-profile
end end
config dot config dot
set status disable set status disable
set quic inspect
end end
next next
edit "deep-inspection" edit "deep-inspection"
@ -822,6 +817,7 @@ config firewall ssl-ssh-profile
config https config https
set ports 443 set ports 443
set status deep-inspection set status deep-inspection
set quic inspect
set unsupported-ssl-version allow set unsupported-ssl-version allow
end end
config ftps config ftps
@ -850,6 +846,7 @@ config firewall ssl-ssh-profile
end end
config dot config dot
set status disable set status disable
set quic inspect
end end
config ssl-exempt config ssl-exempt
edit 1 edit 1
@ -985,6 +982,7 @@ config firewall ssl-ssh-profile
config https config https
set ports 443 set ports 443
set status deep-inspection set status deep-inspection
set quic inspect
set unsupported-ssl-version allow set unsupported-ssl-version allow
end end
config ftps config ftps
@ -1013,6 +1011,7 @@ config firewall ssl-ssh-profile
end end
config dot config dot
set status disable set status disable
set quic inspect
end end
config ssl-exempt config ssl-exempt
edit 1 edit 1
@ -1147,6 +1146,7 @@ config firewall ssl-ssh-profile
set comment "Read-only profile that does no inspection." set comment "Read-only profile that does no inspection."
config https config https
set status disable set status disable
set quic bypass
set unsupported-ssl-version allow set unsupported-ssl-version allow
end end
config ftps config ftps
@ -1171,6 +1171,7 @@ config firewall ssl-ssh-profile
end end
config dot config dot
set status disable set status disable
set quic bypass
end end
next next
end end
@ -1184,7 +1185,6 @@ config firewall policy
set schedule "always" set schedule "always"
set service "ALL" set service "ALL"
set logtraffic disable set logtraffic disable
set match-vip enable
next next
edit 4 edit 4
set name "Block_Countries_Out" set name "Block_Countries_Out"
@ -1195,7 +1195,6 @@ config firewall policy
set schedule "always" set schedule "always"
set service "ALL" set service "ALL"
set logtraffic disable set logtraffic disable
set match-vip enable
next next
edit 2 edit 2
set name "Webosphere" set name "Webosphere"
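Review bot: `set match-vip enable` disappears from the two deny policies in the last two hunks (the policy immediately before `edit 4 "Block_Countries_Out"` and policy 4 itself); a deny policy without match-vip does not match sessions whose destination was rewritten by a VIP, so if the firmware's default for this option is still `disable`, these country-block policies no longer stop inbound traffic to published services. If the new firmware merely stopped printing the value because `enable` became the default, nothing changed, but that should be confirmed on the device (for example with `show full-configuration` on the policy) rather than inferred from the diff. Elsewhere in this section, removing `set visibility disable` from legacy services such as RSH, RLOGIN, REXEC and FINGER makes them selectable in the GUI again, which is worth a sentence in the commit description. The enclosing `config firewall policy` block starts before and continues after the last hunk.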


@ -37,3 +37,6 @@ config ips sensor
set comment "This allows you to enable botnet blocking across all traffic that matches the policy by configuring one setting in the GUI" set comment "This allows you to enable botnet blocking across all traffic that matches the policy by configuring one setting in the GUI"
next next
end end
config ips settings
set proxy-inline-ips disable
end
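Review bot: `set proxy-inline-ips disable` is a new global switch under `config ips settings` with no explanation; it appears to control inline IPS for proxy-mode policies, so if any policy in this VDOM uses proxy inspection its IPS coverage may change without any policy-level diff showing it. State in the commit description whether this is the firmware default or a deliberate choice, and if deliberate, which policies were checked. The preceding `config ips sensor` block ends inside this hunk; its `"This allows you to enable botnet blocking…"` comment is unchanged context.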


@ -26,6 +26,7 @@ config switch-controller security-policy 802-1X
set framevid-apply enable set framevid-apply enable
set radius-timeout-overwrite disable set radius-timeout-overwrite disable
set authserver-timeout-vlan disable set authserver-timeout-vlan disable
set dacl disable
next next
end end
config switch-controller security-policy local-access config switch-controller security-policy local-access
@ -170,6 +171,8 @@ config switch-controller storm-control-policy
next next
end end
config switch-controller auto-config policy config switch-controller auto-config policy
edit "pse"
next
edit "default" edit "default"
next next
edit "default-icl" edit "default-icl"
@ -208,12 +211,12 @@ config switch-controller switch-profile
edit "default" edit "default"
next next
end end
config switch-controller ptp settings config switch-controller ptp profile
set mode disable edit "default"
end next
config switch-controller ptp policy end
config switch-controller ptp interface-policy
edit "default" edit "default"
set status enable
next next
end end
config switch-controller remote-log config switch-controller remote-log


@ -40,8 +40,8 @@ config system sdwan
next next
edit "Default_Office_365" edit "Default_Office_365"
set server "www.office.com" set server "www.office.com"
set protocol http set protocol https
set interval 1000 set interval 120000
set probe-timeout 1000 set probe-timeout 1000
set recoverytime 10 set recoverytime 10
config sla config sla
@ -67,8 +67,8 @@ config system sdwan
next next
edit "Default_Google Search" edit "Default_Google Search"
set server "www.google.com" set server "www.google.com"
set protocol http set protocol https
set interval 1000 set interval 120000
set probe-timeout 1000 set probe-timeout 1000
set recoverytime 10 set recoverytime 10
config sla config sla
@ -81,8 +81,8 @@ config system sdwan
next next
edit "Default_FortiGuard" edit "Default_FortiGuard"
set server "fortiguard.com" set server "fortiguard.com"
set protocol http set protocol https
set interval 1000 set interval 120000
set probe-timeout 1000 set probe-timeout 1000
set recoverytime 10 set recoverytime 10
config sla config sla


@ -0,0 +1,4 @@
config virtual-patch profile
edit "g-default"
next
end


@ -1,6 +1,8 @@
config voip profile config voip profile
edit "default" edit "default"
set comment "Default VoIP profile." set comment "Default VoIP profile."
config sip
end
next next
edit "strict" edit "strict"
config sip config sip


@ -16,6 +16,11 @@ config vpn certificate local
set range global set range global
set source factory set source factory
next next
edit "Fortinet_GUI_Server"
set comments "This is the default CA certificate the SSL Inspection will use when generating new server certificates."
set range global
set source factory
next
edit "Fortinet_SSL_RSA1024" edit "Fortinet_SSL_RSA1024"
set comments "This certificate is embedded in the hardware at the factory and is unique to this unit. " set comments "This certificate is embedded in the hardware at the factory and is unique to this unit. "
set range global set range global
@ -294,6 +299,7 @@ config vpn ssl web portal
next next
end end
config vpn ssl settings config vpn ssl settings
set banned-cipher SHA1 SHA256 SHA384
set servercert "Fortinet_Factory" set servercert "Fortinet_Factory"
set port 443 set port 443
end end


@ -511,17 +511,20 @@ config webfilter search-engine
set url "^\\/translate" set url "^\\/translate"
set query "u=" set query "u="
set safesearch translate set safesearch translate
set safesearch-str "regex::(?:\\?|&)u=([^&]+)::\\1"
next next
edit "g-google-translate-2" edit "g-google-translate-2"
set hostname ".*\\.translate\\.goog" set hostname ".*\\.translate\\.goog"
set url "^\\/" set url "^\\/"
set safesearch translate set safesearch translate
set safesearch-str "case::google-translate"
next next
edit "g-twitter" edit "g-twitter"
set hostname "twitter\\.com" set hostname "twitter\\.com"
set url "^\\/i\\/api\\/graphql\\/.*\\/UserByScreenName" set url "^\\/i\\/api\\/graphql\\/.*\\/UserByScreenName"
set query "variables=" set query "variables="
set safesearch translate set safesearch translate
set safesearch-str "regex::%22screen_name%22:%22([A-Za-z0-9_]{4,15})%22::twitter.com/\\1"
next next
edit "g-vimeo" edit "g-vimeo"
set hostname ".*vimeo.*" set hostname ".*vimeo.*"
@ -538,7 +541,7 @@ config webfilter search-engine
next next
edit "g-yandex" edit "g-yandex"
set hostname "yandex\\..*" set hostname "yandex\\..*"
set url "^\\/((yand|images\\/|video\\/)(search)|search\\/)\\?" set url "^\\/((|yand|images\\/|video\\/)(search)|search\\/)\\?"
set query "text=" set query "text="
set safesearch url set safesearch url
set safesearch-str "&family=yes" set safesearch-str "&family=yes"
@ -571,12 +574,6 @@ config webfilter search-engine
set url "www.youtube.com/youtubei/v1/navigator" set url "www.youtube.com/youtubei/v1/navigator"
set safesearch yt-scan set safesearch yt-scan
next next
edit "translate"
set hostname "translate\\.google\\..*"
set url "^\\/translate\\?"
set query "u="
set safesearch translate
next
edit "yt-video" edit "yt-video"
set url "www.youtube.com/watch" set url "www.youtube.com/watch"
set safesearch yt-video set safesearch yt-video


@ -0,0 +1,8 @@
config casb saas-application
end
config casb user-activity
end
config casb profile
edit "default"
next
end


@ -1,3 +1,81 @@
config dlp data-type
edit "g-credit-card"
set pattern "\\b([2-6]{1}\\d{3})[- ]?(\\d{4})[- ]?(\\d{2})[- ]?(\\d{2})[- ]?(\\d{2,4})\\b"
set verify "builtin)credit-card"
set look-back 20
set transform "\\b\\1[- ]?\\2[- ]?\\3[- ]?\\4[- ]?\\5\\b"
next
edit "g-edm-keyword"
set pattern ".+"
set transform "/\\b\\0\\b/i"
next
edit "g-hex"
set pattern "built-in"
next
edit "g-keyword"
set pattern "built-in"
next
edit "g-mip-label"
set pattern "^[[:xdigit:]]{8}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{12}$"
set transform "built-in"
next
edit "g-regex"
set pattern "built-in"
next
edit "g-ssn-us"
set pattern "\\b(\\d{3})-(\\d{2})-(\\d{4})\\b"
set verify "(?<!-)\\b(?!666|000|9\\d{2})\\d{3}-(?!00)\\d{2}-(?!0{4})\\d{4}\\b(?!-)"
set look-back 12
set transform "\\b\\1-\\2-\\3\\b"
next
end
config dlp dictionary
edit "SSN-Sensor-r1d"
config entries
edit 1
set type "g-regex"
set pattern "WebEx"
next
end
next
edit "def-cc-dict"
config entries
edit 1
set type "g-credit-card"
next
end
next
edit "def-ssn-dict"
config entries
edit 1
set type "g-ssn-us"
next
end
next
end
config dlp sensor
edit "SSN-Sensor-r1s"
config entries
edit 1
set dictionary "SSN-Sensor-r1d"
next
end
next
edit "def-cc-sensor"
config entries
edit 1
set dictionary "def-cc-dict"
next
end
next
edit "def-ssn-sensor"
config entries
edit 1
set dictionary "def-ssn-dict"
next
end
next
end
config dlp filepattern config dlp filepattern
edit 1 edit 1
set name "builtin-patterns" set name "builtin-patterns"
@ -70,9 +148,9 @@ config dlp sensitivity
edit "Warning" edit "Warning"
next next
end end
config dlp sensor config dlp profile
edit "g-default" edit "g-default"
set comment "Default sensor." set comment "Default profile."
next next
edit "g-sniffer-profile" edit "g-sniffer-profile"
set comment "Log a summary of email and web traffic." set comment "Log a summary of email and web traffic."
@ -89,11 +167,13 @@ config dlp sensor
next next
edit "Credit-Card" edit "Credit-Card"
set feature-set proxy set feature-set proxy
config filter config rule
edit 1 edit 1
set name "Credit-Card-Filter" set name "Credit-Card-Filter"
set severity high set severity high
set proto smtp pop3 imap http-get http-post mapi set proto smtp pop3 imap http-get http-post mapi
set filter-by sensor
set sensor "def-cc-sensor"
set action log-only set action log-only
next next
edit 2 edit 2
@ -101,17 +181,18 @@ config dlp sensor
set severity high set severity high
set type message set type message
set proto smtp pop3 imap http-post mapi set proto smtp pop3 imap http-post mapi
set filter-by sensor
set sensor "def-cc-sensor"
set action log-only set action log-only
next next
end end
next next
edit "Large-File" edit "Large-File"
set feature-set proxy set feature-set proxy
config filter config rule
edit 1 edit 1
set name "Large-File-Filter" set name "Large-File-Filter"
set proto smtp pop3 imap http-get http-post mapi set proto smtp pop3 imap http-get http-post mapi
set filter-by file-size
set file-size 5120 set file-size 5120
set action log-only set action log-only
next next
@ -120,28 +201,30 @@ config dlp sensor
edit "SSN-Sensor" edit "SSN-Sensor"
set comment "Match SSN numbers but NOT WebEx invite emails." set comment "Match SSN numbers but NOT WebEx invite emails."
set feature-set proxy set feature-set proxy
config filter config rule
edit 1 edit 1
set name "SSN-Sensor-Filter" set name "SSN-Sensor-Filter"
set severity high set severity high
set type message set type message
set proto smtp pop3 imap mapi set proto smtp pop3 imap mapi
set filter-by regexp set filter-by sensor
set regexp "WebEx" set sensor "SSN-Sensor-r1s"
next next
edit 2 edit 2
set name "SSN-Sensor-Filter" set name "SSN-Sensor-Filter"
set severity high set severity high
set type message set type message
set proto smtp pop3 imap mapi set proto smtp pop3 imap mapi
set filter-by ssn set filter-by sensor
set sensor "def-ssn-sensor"
set action log-only set action log-only
next next
edit 3 edit 3
set name "SSN-Sensor-Filter" set name "SSN-Sensor-Filter"
set severity high set severity high
set proto smtp pop3 imap http-get http-post ftp mapi set proto smtp pop3 imap http-get http-post ftp mapi
set filter-by ssn set filter-by sensor
set sensor "def-ssn-sensor"
set action log-only set action log-only
next next
end end
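Review bot: In the `SSN-Sensor` profile, rule 1 — the WebEx exemption that the comment "Match SSN numbers but NOT WebEx invite emails." refers to — has no `set action` line, while rules 2 and 3 set `log-only`; its effect therefore depends on the platform's default rule action, which is not visible here, and the migration from `set filter-by regexp` / `set regexp "WebEx"` to `set filter-by sensor` / `set sensor "SSN-Sensor-r1s"` is the right moment to make the intent explicit, e.g. `set action allow` if the rule is meant to exempt WebEx mail. The `SSN-Sensor-r1d` dictionary entry uses type `g-regex` with the bare pattern `WebEx`, so whether invite subjects in a different case still match depends on the engine and should be verified. Note also that the rule in the previous hunk (the second `Credit-Card` rule, before `edit 2`) likewise gains `set sensor "def-cc-sensor"`, so both rules of that profile now depend on the `def-cc-dict` → `g-credit-card` chain defined at the top of this file. The `config dlp profile` block continues past the end of this hunk.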


@ -1,4 +1,12 @@
config firewall address config firewall address
edit "EMS_ALL_UNKNOWN_CLIENTS"
set type dynamic
set sub-type ems-tag
next
edit "EMS_ALL_UNMANAGEABLE_CLIENTS"
set type dynamic
set sub-type ems-tag
next
edit "none" edit "none"
set subnet 0.0.0.0 255.255.255.255 set subnet 0.0.0.0 255.255.255.255
next next
@ -217,6 +225,22 @@ config firewall service category
next next
end end
config firewall service custom config firewall service custom
edit "ALL"
set category "General"
set protocol IP
next
edit "FTP"
set category "File Access"
set tcp-portrange 21
next
edit "FTP_GET"
set category "File Access"
set tcp-portrange 21
next
edit "FTP_PUT"
set category "File Access"
set tcp-portrange 21
next
edit "DNS" edit "DNS"
set category "Network Services" set category "Network Services"
set tcp-portrange 53 set tcp-portrange 53
@ -280,22 +304,6 @@ config firewall service custom
set category "File Access" set category "File Access"
set tcp-portrange 445 set tcp-portrange 445
next next
edit "FTP"
set category "File Access"
set tcp-portrange 21
next
edit "FTP_GET"
set category "File Access"
set tcp-portrange 21
next
edit "FTP_PUT"
set category "File Access"
set tcp-portrange 21
next
edit "ALL"
set category "General"
set protocol IP
next
edit "ALL_TCP" edit "ALL_TCP"
set category "General" set category "General"
set tcp-portrange 1-65535 set tcp-portrange 1-65535
@ -330,7 +338,6 @@ config firewall service custom
set protocol-number 50 set protocol-number 50
next next
edit "AOL" edit "AOL"
set visibility disable
set tcp-portrange 5190-5194 set tcp-portrange 5190-5194
next next
edit "BGP" edit "BGP"
@ -342,11 +349,9 @@ config firewall service custom
set udp-portrange 67-68 set udp-portrange 67-68
next next
edit "FINGER" edit "FINGER"
set visibility disable
set tcp-portrange 79 set tcp-portrange 79
next next
edit "GOPHER" edit "GOPHER"
set visibility disable
set tcp-portrange 70 set tcp-portrange 70
next next
edit "H323" edit "H323"
@ -359,7 +364,6 @@ config firewall service custom
set udp-portrange 500 4500 set udp-portrange 500 4500
next next
edit "Internet-Locator-Service" edit "Internet-Locator-Service"
set visibility disable
set tcp-portrange 389 set tcp-portrange 389
next next
edit "IRC" edit "IRC"
@ -372,7 +376,6 @@ config firewall service custom
set udp-portrange 1701 set udp-portrange 1701
next next
edit "NetMeeting" edit "NetMeeting"
set visibility disable
set tcp-portrange 1720 set tcp-portrange 1720
next next
edit "NFS" edit "NFS"
@ -381,7 +384,6 @@ config firewall service custom
set udp-portrange 111 2049 set udp-portrange 111 2049
next next
edit "NNTP" edit "NNTP"
set visibility disable
set tcp-portrange 119 set tcp-portrange 119
next next
edit "NTP" edit "NTP"
@ -407,19 +409,16 @@ config firewall service custom
next next
edit "TIMESTAMP" edit "TIMESTAMP"
set protocol ICMP set protocol ICMP
set visibility disable
set icmptype 13 set icmptype 13
unset icmpcode unset icmpcode
next next
edit "INFO_REQUEST" edit "INFO_REQUEST"
set protocol ICMP set protocol ICMP
set visibility disable
set icmptype 15 set icmptype 15
unset icmpcode unset icmpcode
next next
edit "INFO_ADDRESS" edit "INFO_ADDRESS"
set protocol ICMP set protocol ICMP
set visibility disable
set icmptype 17 set icmptype 17
unset icmpcode unset icmpcode
next next
@ -433,15 +432,12 @@ config firewall service custom
set tcp-portrange 1723 set tcp-portrange 1723
next next
edit "QUAKE" edit "QUAKE"
set visibility disable
set udp-portrange 26000 27000 27910 27960 set udp-portrange 26000 27000 27910 27960
next next
edit "RAUDIO" edit "RAUDIO"
set visibility disable
set udp-portrange 7070 set udp-portrange 7070
next next
edit "REXEC" edit "REXEC"
set visibility disable
set tcp-portrange 512 set tcp-portrange 512
next next
edit "RIP" edit "RIP"
@ -449,11 +445,9 @@ config firewall service custom
set udp-portrange 520 set udp-portrange 520
next next
edit "RLOGIN" edit "RLOGIN"
set visibility disable
set tcp-portrange 513:512-1023 set tcp-portrange 513:512-1023
next next
edit "RSH" edit "RSH"
set visibility disable
set tcp-portrange 514:512-1023 set tcp-portrange 514:512-1023
next next
edit "SCCP" edit "SCCP"
@ -483,7 +477,6 @@ config firewall service custom
set udp-portrange 514 set udp-portrange 514
next next
edit "TALK" edit "TALK"
set visibility disable
set udp-portrange 517-518 set udp-portrange 517-518
next next
edit "TELNET" edit "TELNET"
@ -495,23 +488,18 @@ config firewall service custom
set udp-portrange 69 set udp-portrange 69
next next
edit "MGCP" edit "MGCP"
set visibility disable
set udp-portrange 2427 2727 set udp-portrange 2427 2727
next next
edit "UUCP" edit "UUCP"
set visibility disable
set tcp-portrange 540 set tcp-portrange 540
next next
edit "VDOLIVE" edit "VDOLIVE"
set visibility disable
set tcp-portrange 7000-7010 set tcp-portrange 7000-7010
next next
edit "WAIS" edit "WAIS"
set visibility disable
set tcp-portrange 210 set tcp-portrange 210
next next
edit "WINFRAME" edit "WINFRAME"
set visibility disable
set tcp-portrange 1494 2598 set tcp-portrange 1494 2598
next next
edit "X-WINDOWS" edit "X-WINDOWS"
@ -520,7 +508,6 @@ config firewall service custom
next next
edit "PING6" edit "PING6"
set protocol ICMP6 set protocol ICMP6
set visibility disable
set icmptype 128 set icmptype 128
unset icmpcode unset icmpcode
next next
@ -563,11 +550,9 @@ config firewall service custom
set udp-portrange 1812 1813 set udp-portrange 1812 1813
next next
edit "RADIUS-OLD" edit "RADIUS-OLD"
set visibility disable
set udp-portrange 1645 1646 set udp-portrange 1645 1646
next next
edit "CVSPSERVER" edit "CVSPSERVER"
set visibility disable
set tcp-portrange 2401 set tcp-portrange 2401
set udp-portrange 2401 set udp-portrange 2401
next next
@ -586,12 +571,10 @@ config firewall service custom
set udp-portrange 554 set udp-portrange 554
next next
edit "MMS" edit "MMS"
set visibility disable
set tcp-portrange 1755 set tcp-portrange 1755
set udp-portrange 1024-5000 set udp-portrange 1024-5000
next next
edit "NONE" edit "NONE"
set visibility disable
set tcp-portrange 0 set tcp-portrange 0
next next
edit "webproxy" edit "webproxy"
@ -639,6 +622,16 @@ config firewall shaper traffic-shaper
set maximum-bandwidth 1024 set maximum-bandwidth 1024
next next
end end
config firewall proxy-address
edit "IPv4-address"
set type host-regex
set host-regex "^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\.([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])){3}$"
next
edit "IPv6-address"
set type host-regex
set host-regex "^\\[(([0-9a-f]{0,4}:){1,7}[0-9a-f]{1,4})\\]$"
next
end
config firewall schedule recurring config firewall schedule recurring
edit "always" edit "always"
set day sunday monday tuesday wednesday thursday friday saturday set day sunday monday tuesday wednesday thursday friday saturday
@ -747,6 +740,7 @@ config firewall ssl-ssh-profile
config https config https
set ports 443 set ports 443
set status deep-inspection set status deep-inspection
set quic inspect
set unsupported-ssl-version allow set unsupported-ssl-version allow
end end
config ftps config ftps
@ -775,6 +769,7 @@ config firewall ssl-ssh-profile
end end
config dot config dot
set status disable set status disable
set quic inspect
end end
config ssl-exempt config ssl-exempt
edit 1 edit 1
@ -910,6 +905,7 @@ config firewall ssl-ssh-profile
config https config https
set ports 443 set ports 443
set status deep-inspection set status deep-inspection
set quic inspect
set unsupported-ssl-version allow set unsupported-ssl-version allow
end end
config ftps config ftps
@ -938,6 +934,7 @@ config firewall ssl-ssh-profile
end end
config dot config dot
set status disable set status disable
set quic inspect
end end
config ssl-exempt config ssl-exempt
edit 1 edit 1
@ -1072,6 +1069,7 @@ config firewall ssl-ssh-profile
set comment "Read-only profile that does no inspection." set comment "Read-only profile that does no inspection."
config https config https
set status disable set status disable
set quic bypass
set unsupported-ssl-version allow set unsupported-ssl-version allow
end end
config ftps config ftps
@ -1096,6 +1094,7 @@ config firewall ssl-ssh-profile
end end
config dot config dot
set status disable set status disable
set quic bypass
end end
next next
edit "certificate-inspection" edit "certificate-inspection"
@ -1103,6 +1102,7 @@ config firewall ssl-ssh-profile
config https config https
set ports 443 set ports 443
set status certificate-inspection set status certificate-inspection
set quic inspect
set unsupported-ssl-version allow set unsupported-ssl-version allow
end end
config ftps config ftps
@ -1127,6 +1127,7 @@ config firewall ssl-ssh-profile
end end
config dot config dot
set status disable set status disable
set quic inspect
end end
next next
end end
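Review bot: The https blocks of the deep-inspection and certificate-inspection profiles now carry `set quic inspect` but still keep `set unsupported-ssl-version allow` on the line directly after it, so a client that negotiates a TLS version the unit cannot inspect is still passed through uninspected while QUIC is brought into scope. If full inspection is the intent, `set unsupported-ssl-version block` in those https blocks closes that gap; the allow value is pre-existing, so this is a follow-up rather than a regression introduced here. These profiles look like factory defaults rewritten by a firmware upgrade, so the tightening probably belongs in the site-specific profile rather than in the factory ones. The IPv6 `host-regex` added to `firewall proxy-address` only admits lowercase hex and requires a trailing hex group, so bracketed hosts written in uppercase or ending in `::` may not match; worth confirming whether host-regex matching is case-insensitive before relying on that object.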


@ -79,3 +79,6 @@ config ips sensor
end end
next next
end end
config ips settings
set proxy-inline-ips disable
end
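Review bot: `set proxy-inline-ips disable` is written out explicitly under `config ips settings`, and assuming this backup is the compact `show` form that only records non-default values, it turns off inline IPS for traffic handled by proxy-based inspection — which the DLP profiles in this same commit use via `set feature-set proxy`. If that is deliberate (a performance or stability workaround), a note in the commit message or a comment next to the line would stop the next reviewer from flipping it back; otherwise `set proxy-inline-ips enable` restores IPS coverage on the proxy path. I can't tell from this page whether the firmware upgrade or an operator introduced the line.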


@ -82,5 +82,4 @@ config log setting
set local-in-allow enable set local-in-allow enable
set local-in-deny-unicast enable set local-in-deny-unicast enable
set local-in-deny-broadcast enable set local-in-deny-broadcast enable
set local-out enable
end end
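Review bot: `set local-out enable` is dropped from `config log setting` (the hunk is 5 old lines against 4 new, so this is a removal), which stops logging the FortiGate's own outbound sessions such as FortiGuard, DNS, LDAP/RADIUS and syslog traffic. Those records are what detection and incident response use to notice the appliance itself reaching unexpected destinations, so unless the goal is to cut log volume the line should stay: `set local-out enable`. If the upgrade changed the default so the line became redundant, saying so in the commit message would settle the question.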


@ -26,6 +26,7 @@ config switch-controller security-policy 802-1X
set framevid-apply enable set framevid-apply enable
set radius-timeout-overwrite disable set radius-timeout-overwrite disable
set authserver-timeout-vlan disable set authserver-timeout-vlan disable
set dacl disable
next next
end end
config switch-controller security-policy local-access config switch-controller security-policy local-access
@ -170,6 +171,8 @@ config switch-controller storm-control-policy
next next
end end
config switch-controller auto-config policy config switch-controller auto-config policy
edit "pse"
next
edit "default" edit "default"
next next
edit "default-icl" edit "default-icl"
@ -208,12 +211,12 @@ config switch-controller switch-profile
edit "default" edit "default"
next next
end end
config switch-controller ptp settings config switch-controller ptp profile
set mode disable edit "default"
end next
config switch-controller ptp policy end
config switch-controller ptp interface-policy
edit "default" edit "default"
set status enable
next next
end end
config switch-controller remote-log config switch-controller remote-log


@ -34,8 +34,8 @@ config system sdwan
config health-check config health-check
edit "Default_Office_365" edit "Default_Office_365"
set server "www.office.com" set server "www.office.com"
set protocol http set protocol https
set interval 1000 set interval 120000
set probe-timeout 1000 set probe-timeout 1000
set recoverytime 10 set recoverytime 10
config sla config sla
@ -61,8 +61,8 @@ config system sdwan
next next
edit "Default_Google Search" edit "Default_Google Search"
set server "www.google.com" set server "www.google.com"
set protocol http set protocol https
set interval 1000 set interval 120000
set probe-timeout 1000 set probe-timeout 1000
set recoverytime 10 set recoverytime 10
config sla config sla
@ -75,8 +75,8 @@ config system sdwan
next next
edit "Default_FortiGuard" edit "Default_FortiGuard"
set server "fortiguard.com" set server "fortiguard.com"
set protocol http set protocol https
set interval 1000 set interval 120000
set probe-timeout 1000 set probe-timeout 1000
set recoverytime 10 set recoverytime 10
config sla config sla
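Review bot: Reading each changed line as old-then-new (this page does not mark the side), the three default SD-WAN health checks move from a 1 s to a 120 s probe interval (`set interval 120000`) while `set probe-timeout 1000` and `set recoverytime 10` are unchanged, so a failed link is noticed only after the configured number of two-minute probes and a recovered one is re-admitted only after ten of them, roughly twenty minutes. Moving the probe to `set protocol https` is fine. If these checks actually steer site traffic, something like `set interval 5000` keeps failover inside a minute; if they are unused factory defaults no action is needed, but the commit should say which.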


@ -0,0 +1,4 @@
config virtual-patch profile
edit "g-default"
next
end


@ -1,6 +1,8 @@
config voip profile config voip profile
edit "default" edit "default"
set comment "Default VoIP profile." set comment "Default VoIP profile."
config sip
end
next next
edit "strict" edit "strict"
config sip config sip


@ -16,6 +16,11 @@ config vpn certificate local
set range global set range global
set source factory set source factory
next next
edit "Fortinet_GUI_Server"
set comments "This is the default CA certificate the SSL Inspection will use when generating new server certificates."
set range global
set source factory
next
edit "Fortinet_SSL_RSA1024" edit "Fortinet_SSL_RSA1024"
set comments "This certificate is embedded in the hardware at the factory and is unique to this unit. " set comments "This certificate is embedded in the hardware at the factory and is unique to this unit. "
set range global set range global
@ -294,8 +299,7 @@ config vpn ssl web portal
next next
end end
config vpn ssl settings config vpn ssl settings
set banned-cipher SHA1 SHA256 SHA384
set servercert "Fortinet_Factory" set servercert "Fortinet_Factory"
set port 443 set port 443
end end
config vpn ocvpn
end
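Review bot: `set banned-cipher SHA1 SHA256 SHA384` disappears from `config vpn ssl settings` (8 old lines against 7 new, so this is a removal), which re-admits SSL VPN cipher suites the previous configuration deliberately excluded, SHA-1 MAC suites among them. Unless the firmware upgrade removed the option or the excluded suites are no longer offered at all, restoring the line — at minimum `set banned-cipher SHA1` — keeps the hardened posture, and the commit message should record why it was dropped if the removal is intentional. The portal also still serves `set servercert "Fortinet_Factory"`, the per-unit factory certificate, which is pre-existing but presumably not trusted by client browsers; worth a separate ticket, since it trains users to click through certificate warnings on the VPN login page. The new `config vpn ocvpn` / `end` stanza is empty and harmless.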


@ -1263,17 +1263,20 @@ config webfilter search-engine
set url "^\\/translate" set url "^\\/translate"
set query "u=" set query "u="
set safesearch translate set safesearch translate
set safesearch-str "regex::(?:\\?|&)u=([^&]+)::\\1"
next next
edit "g-google-translate-2" edit "g-google-translate-2"
set hostname ".*\\.translate\\.goog" set hostname ".*\\.translate\\.goog"
set url "^\\/" set url "^\\/"
set safesearch translate set safesearch translate
set safesearch-str "case::google-translate"
next next
edit "g-twitter" edit "g-twitter"
set hostname "twitter\\.com" set hostname "twitter\\.com"
set url "^\\/i\\/api\\/graphql\\/.*\\/UserByScreenName" set url "^\\/i\\/api\\/graphql\\/.*\\/UserByScreenName"
set query "variables=" set query "variables="
set safesearch translate set safesearch translate
set safesearch-str "regex::%22screen_name%22:%22([A-Za-z0-9_]{4,15})%22::twitter.com/\\1"
next next
edit "g-vimeo" edit "g-vimeo"
set hostname ".*vimeo.*" set hostname ".*vimeo.*"
@ -1290,7 +1293,7 @@ config webfilter search-engine
next next
edit "g-yandex" edit "g-yandex"
set hostname "yandex\\..*" set hostname "yandex\\..*"
set url "^\\/((yand|images\\/|video\\/)(search)|search\\/)\\?" set url "^\\/((|yand|images\\/|video\\/)(search)|search\\/)\\?"
set query "text=" set query "text="
set safesearch url set safesearch url
set safesearch-str "&family=yes" set safesearch-str "&family=yes"
@ -1323,12 +1326,6 @@ config webfilter search-engine
set url "www.youtube.com/youtubei/v1/navigator" set url "www.youtube.com/youtubei/v1/navigator"
set safesearch yt-scan set safesearch yt-scan
next next
edit "translate"
set hostname "translate\\.google\\..*"
set url "^\\/translate\\?"
set query "u="
set safesearch translate
next
edit "yt-video" edit "yt-video"
set url "www.youtube.com/watch" set url "www.youtube.com/watch"
set safesearch yt-video set safesearch yt-video


@ -0,0 +1,8 @@
config casb saas-application
end
config casb user-activity
end
config casb profile
edit "default"
next
end


@ -1,3 +1,34 @@
config dlp data-type
edit "g-credit-card"
set pattern "\\b([2-6]{1}\\d{3})[- ]?(\\d{4})[- ]?(\\d{2})[- ]?(\\d{2})[- ]?(\\d{2,4})\\b"
set verify "builtin)credit-card"
set look-back 20
set transform "\\b\\1[- ]?\\2[- ]?\\3[- ]?\\4[- ]?\\5\\b"
next
edit "g-edm-keyword"
set pattern ".+"
set transform "/\\b\\0\\b/i"
next
edit "g-hex"
set pattern "built-in"
next
edit "g-keyword"
set pattern "built-in"
next
edit "g-mip-label"
set pattern "^[[:xdigit:]]{8}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{12}$"
set transform "built-in"
next
edit "g-regex"
set pattern "built-in"
next
edit "g-ssn-us"
set pattern "\\b(\\d{3})-(\\d{2})-(\\d{4})\\b"
set verify "(?<!-)\\b(?!666|000|9\\d{2})\\d{3}-(?!00)\\d{2}-(?!0{4})\\d{4}\\b(?!-)"
set look-back 12
set transform "\\b\\1-\\2-\\3\\b"
next
end
config dlp filepattern config dlp filepattern
edit 1 edit 1
set name "builtin-patterns" set name "builtin-patterns"
@ -70,9 +101,9 @@ config dlp sensitivity
edit "Warning" edit "Warning"
next next
end end
config dlp sensor config dlp profile
edit "g-default" edit "g-default"
set comment "Default sensor." set comment "Default profile."
next next
edit "g-sniffer-profile" edit "g-sniffer-profile"
set comment "Log a summary of email and web traffic." set comment "Log a summary of email and web traffic."
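Review bot: The `g-credit-card` data type's `set verify "builtin)credit-card"` carries an unbalanced parenthesis; it appears byte-for-byte in both DLP files of this commit, so it is presumably the factory string rather than a paste error, but it is worth confirming on the unit that the verification step (presumably a checksum such as Luhn) is actually applied, since a verify expression that never matches would either suppress hits or skip validation silently. The `g-ssn-us` verify regex and the `config dlp sensor` → `config dlp profile` rename look like straightforward firmware-schema updates and are fine as-is.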


@ -1,4 +1,12 @@
config firewall address config firewall address
edit "EMS_ALL_UNKNOWN_CLIENTS"
set type dynamic
set sub-type ems-tag
next
edit "EMS_ALL_UNMANAGEABLE_CLIENTS"
set type dynamic
set sub-type ems-tag
next
edit "SSLVPN_TUNNEL_ADDR1" edit "SSLVPN_TUNNEL_ADDR1"
set type iprange set type iprange
set start-ip 10.212.134.200 set start-ip 10.212.134.200
@ -2943,9 +2951,9 @@ config firewall addrgrp
set color 6 set color 6
next next
edit "City_Side_VoIP_Park_Place_Group" edit "City_Side_VoIP_Park_Place_Group"
set allow-routing enable
set member "City_Side_VoIP_1_Park_Place_A" "City_Side_VoIP_1_Park_Place_B" set member "City_Side_VoIP_1_Park_Place_A" "City_Side_VoIP_1_Park_Place_B"
set color 28 set color 28
set allow-routing enable
next next
edit "SchoolTool_Cloud_Internal" edit "SchoolTool_Cloud_Internal"
set member "21JumpSt" "DataTools" "Fileserver03" "Nighttime_Inside" "Tableau" "DC01_A" "DC01_B" "DC01_C" "HVDC02" "HVDC03_A" "HVDC03_B" "DocHolliday" "SchoolTool webjs" "Elastic" set member "21JumpSt" "DataTools" "Fileserver03" "Nighttime_Inside" "Tableau" "DC01_A" "DC01_B" "DC01_C" "HVDC02" "HVDC03_A" "HVDC03_B" "DocHolliday" "SchoolTool webjs" "Elastic"
@ -3024,10 +3032,10 @@ config firewall addrgrp
set color 6 set color 6
next next
edit "City_Side_CGR_Group" edit "City_Side_CGR_Group"
set allow-routing enable
set member "City_Side_CGR_01" "City_Side_CGR_02" set member "City_Side_CGR_01" "City_Side_CGR_02"
set comment "City Lights CGR Subnets on their side." set comment "City Lights CGR Subnets on their side."
set color 28 set color 28
set allow-routing enable
next next
edit "Access_Control_VLAN_72_Group" edit "Access_Control_VLAN_72_Group"
set member "Access_Control_40_Porter" "Access_Control_01_NOC" "Access_Control_02_ITC" "Access_Control_03_PSLA" "Access_Control_04_Nottingham" "Access_Control_06_Henninger" "Access_Control_07_Corcoran" "Access_Control_08_Clary" "Access_Control_09_Grant" "Access_Control_10_Levy" set member "Access_Control_40_Porter" "Access_Control_01_NOC" "Access_Control_02_ITC" "Access_Control_03_PSLA" "Access_Control_04_Nottingham" "Access_Control_06_Henninger" "Access_Control_07_Corcoran" "Access_Control_08_Clary" "Access_Control_09_Grant" "Access_Control_10_Levy"
@ -3038,16 +3046,16 @@ config firewall addrgrp
set comment "Microsoft to Barracuda Archivers" set comment "Microsoft to Barracuda Archivers"
next next
edit "City_Side_VoIP_Group" edit "City_Side_VoIP_Group"
set allow-routing enable
set member "City_Side_VoIP_30" "City_Side_VoIP_56" "City_Side_VoIP_61" "City_Side_VoIP_62" "City_Side_VoIP_63" "City_Side_VoIP_64" "City_Side_VoIP_65" "City_Side_VoIP_66" "City_Side_VoIP_67" "City_Side_VoIP_68" "City_Side_VoIP_72" "City_Side_VoIP_74" "City_Side_VoIP_75" "City_Side_VoIP_76" "City_Side_VoIP_77" "City_Side_VoIP_88" "City_Side_VoIP_132" "City_Side_VoIP_1_Park_Place_A" "City_Side_VoIP_1_Park_Place_B" "City_Side_VoIP_Router_A" "City_Side_VoIP_Router_B" set member "City_Side_VoIP_30" "City_Side_VoIP_56" "City_Side_VoIP_61" "City_Side_VoIP_62" "City_Side_VoIP_63" "City_Side_VoIP_64" "City_Side_VoIP_65" "City_Side_VoIP_66" "City_Side_VoIP_67" "City_Side_VoIP_68" "City_Side_VoIP_72" "City_Side_VoIP_74" "City_Side_VoIP_75" "City_Side_VoIP_76" "City_Side_VoIP_77" "City_Side_VoIP_88" "City_Side_VoIP_132" "City_Side_VoIP_1_Park_Place_A" "City_Side_VoIP_1_Park_Place_B" "City_Side_VoIP_Router_A" "City_Side_VoIP_Router_B"
set comment "City VoIP Group - except Parks and Water Recorder" set comment "City VoIP Group - except Parks and Water Recorder"
set color 28 set color 28
set allow-routing enable
next next
edit "SPD_Side_Firewall_Group" edit "SPD_Side_Firewall_Group"
set allow-routing enable
set member "SPD_Side_A" "SPD_Side_B" set member "SPD_Side_A" "SPD_Side_B"
set comment "IP Range of SPD Side Firewalls" set comment "IP Range of SPD Side Firewalls"
set color 2 set color 2
set allow-routing enable
next next
edit "Country Allow" edit "Country Allow"
set member "Microsoft 1" set member "Microsoft 1"
@ -3058,35 +3066,35 @@ config firewall addrgrp
set color 20 set color 20
next next
edit "Genetec_Inside_Group" edit "Genetec_Inside_Group"
set allow-routing enable
set member "NVR-NOC" "NVR-FAILOVER" "NVR-RING1-CLAR" "NVR-RING1-CLAR2" "NVR-RING1-CORC" "NVR-RING1-CORC2" "NVR-RING2-DANF" "NVR-RING2-DANF2" "NVR-RING3-PSLA" "NVR-RING3-PSLA2" "NVR-RING4-BLOD" "NVR-RING4-FRAZ" "NVR-RING5-CENT" "NVR-RING6-EDSM" "NVR-RING6-HWSM" "NVR-RING6-HWSM2" "NVR-RING6-NOTT" "NVR-RING7-BELL" "NVR-RING7-GRAN" "NVR-RING7-GRAN2" "NVR-RING8-HENN" "NVR-RING8-HENN2" "NVR-RING8-HUNT" "Genetec-Dir" "Genetec-DirBU" "Genetec-Media" "Genetec-MRouter" set member "NVR-NOC" "NVR-FAILOVER" "NVR-RING1-CLAR" "NVR-RING1-CLAR2" "NVR-RING1-CORC" "NVR-RING1-CORC2" "NVR-RING2-DANF" "NVR-RING2-DANF2" "NVR-RING3-PSLA" "NVR-RING3-PSLA2" "NVR-RING4-BLOD" "NVR-RING4-FRAZ" "NVR-RING5-CENT" "NVR-RING6-EDSM" "NVR-RING6-HWSM" "NVR-RING6-HWSM2" "NVR-RING6-NOTT" "NVR-RING7-BELL" "NVR-RING7-GRAN" "NVR-RING7-GRAN2" "NVR-RING8-HENN" "NVR-RING8-HENN2" "NVR-RING8-HUNT" "Genetec-Dir" "Genetec-DirBU" "Genetec-Media" "Genetec-MRouter"
set comment "District NVRs and Genetec Servers for SPD Federation" set comment "District NVRs and Genetec Servers for SPD Federation"
set color 2 set color 2
set allow-routing enable
next next
edit "MS_Teams_External_Group" edit "MS_Teams_External_Group"
set member "MS_Teams_External_A" "MS_Teams_External_B" set member "MS_Teams_External_A" "MS_Teams_External_B"
next next
edit "SchoolTool_AWS_Internal" edit "SchoolTool_AWS_Internal"
set member "DataTools" "ST_Internal_2"
set allow-routing enable set allow-routing enable
set member "DataTools" "ST_Internal_2"
next next
edit "SchoolTool_AWS_External" edit "SchoolTool_AWS_External"
set member "ST_External_4" "ST_External_5" "ST_External_6" "ST_External_1" "ST_External_2" "ST_External_3"
set allow-routing enable set allow-routing enable
set member "ST_External_4" "ST_External_5" "ST_External_6" "ST_External_1" "ST_External_2" "ST_External_3"
next next
edit "HighStreet_Local" edit "HighStreet_Local"
set member "DataTools" "Nighttime_Inside" set member "DataTools" "Nighttime_Inside"
set comment "Internal IPs for Highstreet Tunnel" set comment "Internal IPs for Highstreet Tunnel"
next next
edit "DPS_local" edit "DPS_local"
set allow-routing enable
set member "DPS_local_subnet_1" set member "DPS_local_subnet_1"
set comment "VPN: DPS (Created by VPN wizard)" set comment "VPN: DPS (Created by VPN wizard)"
set allow-routing enable
next next
edit "DPS_remote" edit "DPS_remote"
set allow-routing enable
set member "DPS_remote_subnet_1" set member "DPS_remote_subnet_1"
set comment "VPN: DPS (Created by VPN wizard)" set comment "VPN: DPS (Created by VPN wizard)"
set allow-routing enable
next next
edit "Nutanix_CVM" edit "Nutanix_CVM"
set member "Patty_CT_NOC_CVM" "Pigpen_CT_NOC_CVM" "RedBaron_CT_NOC_CVM" "Sally_CT_NOC_CVM" "Schroeder _CT_NOC_CVM" set member "Patty_CT_NOC_CVM" "Pigpen_CT_NOC_CVM" "RedBaron_CT_NOC_CVM" "Sally_CT_NOC_CVM" "Schroeder _CT_NOC_CVM"
@ -3229,6 +3237,22 @@ config firewall service category
next next
end end
config firewall service custom config firewall service custom
edit "ALL"
set category "General"
set protocol IP
next
edit "FTP"
set category "File Access"
set tcp-portrange 21
next
edit "FTP_GET"
set category "File Access"
set tcp-portrange 21
next
edit "FTP_PUT"
set category "File Access"
set tcp-portrange 21
next
edit "DNS" edit "DNS"
set category "Network Services" set category "Network Services"
set tcp-portrange 53 set tcp-portrange 53
@ -3292,22 +3316,6 @@ config firewall service custom
set category "File Access" set category "File Access"
set tcp-portrange 445 set tcp-portrange 445
next next
edit "FTP"
set category "File Access"
set tcp-portrange 21
next
edit "FTP_GET"
set category "File Access"
set tcp-portrange 21
next
edit "FTP_PUT"
set category "File Access"
set tcp-portrange 21
next
edit "ALL"
set category "General"
set protocol IP
next
edit "ALL_TCP" edit "ALL_TCP"
set category "General" set category "General"
set tcp-portrange 1-65535 set tcp-portrange 1-65535
@ -3342,7 +3350,6 @@ config firewall service custom
set protocol-number 50 set protocol-number 50
next next
edit "AOL" edit "AOL"
set visibility disable
set tcp-portrange 5190-5194 set tcp-portrange 5190-5194
next next
edit "BGP" edit "BGP"
@ -3354,11 +3361,9 @@ config firewall service custom
set udp-portrange 67-68 set udp-portrange 67-68
next next
edit "FINGER" edit "FINGER"
set visibility disable
set tcp-portrange 79 set tcp-portrange 79
next next
edit "GOPHER" edit "GOPHER"
set visibility disable
set tcp-portrange 70 set tcp-portrange 70
next next
edit "H323" edit "H323"
@ -3371,7 +3376,6 @@ config firewall service custom
set udp-portrange 500 4500 set udp-portrange 500 4500
next next
edit "Internet-Locator-Service" edit "Internet-Locator-Service"
set visibility disable
set tcp-portrange 389 set tcp-portrange 389
next next
edit "IRC" edit "IRC"
@ -3384,7 +3388,6 @@ config firewall service custom
set udp-portrange 1701 set udp-portrange 1701
next next
edit "NetMeeting" edit "NetMeeting"
set visibility disable
set tcp-portrange 1720 set tcp-portrange 1720
next next
edit "NFS" edit "NFS"
@ -3393,7 +3396,6 @@ config firewall service custom
set udp-portrange 111 2049 set udp-portrange 111 2049
next next
edit "NNTP" edit "NNTP"
set visibility disable
set tcp-portrange 119 set tcp-portrange 119
next next
edit "NTP" edit "NTP"
@ -3419,19 +3421,16 @@ config firewall service custom
next next
edit "TIMESTAMP" edit "TIMESTAMP"
set protocol ICMP set protocol ICMP
set visibility disable
set icmptype 13 set icmptype 13
unset icmpcode unset icmpcode
next next
edit "INFO_REQUEST" edit "INFO_REQUEST"
set protocol ICMP set protocol ICMP
set visibility disable
set icmptype 15 set icmptype 15
unset icmpcode unset icmpcode
next next
edit "INFO_ADDRESS" edit "INFO_ADDRESS"
set protocol ICMP set protocol ICMP
set visibility disable
set icmptype 17 set icmptype 17
unset icmpcode unset icmpcode
next next
@ -3445,15 +3444,12 @@ config firewall service custom
set tcp-portrange 1723 set tcp-portrange 1723
next next
edit "QUAKE" edit "QUAKE"
set visibility disable
set udp-portrange 26000 27000 27910 27960 set udp-portrange 26000 27000 27910 27960
next next
edit "RAUDIO" edit "RAUDIO"
set visibility disable
set udp-portrange 7070 set udp-portrange 7070
next next
edit "REXEC" edit "REXEC"
set visibility disable
set tcp-portrange 512 set tcp-portrange 512
next next
edit "RIP" edit "RIP"
@ -3461,11 +3457,9 @@ config firewall service custom
set udp-portrange 520 set udp-portrange 520
next next
edit "RLOGIN" edit "RLOGIN"
set visibility disable
set tcp-portrange 513:512-1023 set tcp-portrange 513:512-1023
next next
edit "RSH" edit "RSH"
set visibility disable
set tcp-portrange 514:512-1023 set tcp-portrange 514:512-1023
next next
edit "SCCP" edit "SCCP"
@ -3495,7 +3489,6 @@ config firewall service custom
set udp-portrange 514 set udp-portrange 514
next next
edit "TALK" edit "TALK"
set visibility disable
set udp-portrange 517-518 set udp-portrange 517-518
next next
edit "TELNET" edit "TELNET"
@ -3507,23 +3500,18 @@ config firewall service custom
set udp-portrange 69 set udp-portrange 69
next next
edit "MGCP" edit "MGCP"
set visibility disable
set udp-portrange 2427 2727 set udp-portrange 2427 2727
next next
edit "UUCP" edit "UUCP"
set visibility disable
set tcp-portrange 540 set tcp-portrange 540
next next
edit "VDOLIVE" edit "VDOLIVE"
set visibility disable
set tcp-portrange 7000-7010 set tcp-portrange 7000-7010
next next
edit "WAIS" edit "WAIS"
set visibility disable
set tcp-portrange 210 set tcp-portrange 210
next next
edit "WINFRAME" edit "WINFRAME"
set visibility disable
set tcp-portrange 1494 2598 set tcp-portrange 1494 2598
next next
edit "X-WINDOWS" edit "X-WINDOWS"
@ -3532,7 +3520,6 @@ config firewall service custom
next next
edit "PING6" edit "PING6"
set protocol ICMP6 set protocol ICMP6
set visibility disable
set icmptype 128 set icmptype 128
unset icmpcode unset icmpcode
next next
@ -3575,11 +3562,9 @@ config firewall service custom
set udp-portrange 1812 1813 set udp-portrange 1812 1813
next next
edit "RADIUS-OLD" edit "RADIUS-OLD"
set visibility disable
set udp-portrange 1645 1646 set udp-portrange 1645 1646
next next
edit "CVSPSERVER" edit "CVSPSERVER"
set visibility disable
set tcp-portrange 2401 set tcp-portrange 2401
set udp-portrange 2401 set udp-portrange 2401
next next
@ -3598,12 +3583,10 @@ config firewall service custom
set udp-portrange 554 set udp-portrange 554
next next
edit "MMS" edit "MMS"
set visibility disable
set tcp-portrange 1755 set tcp-portrange 1755
set udp-portrange 1024-5000 set udp-portrange 1024-5000
next next
edit "NONE" edit "NONE"
set visibility disable
set tcp-portrange 0 set tcp-portrange 0
next next
edit "webproxy" edit "webproxy"
@ -3958,6 +3941,16 @@ config firewall shaper traffic-shaper
set maximum-bandwidth 1024 set maximum-bandwidth 1024
next next
end end
config firewall proxy-address
edit "IPv4-address"
set type host-regex
set host-regex "^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\.([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])){3}$"
next
edit "IPv6-address"
set type host-regex
set host-regex "^\\[(([0-9a-f]{0,4}:){1,7}[0-9a-f]{1,4})\\]$"
next
end
config firewall schedule recurring config firewall schedule recurring
edit "always" edit "always"
set day sunday monday tuesday wednesday thursday friday saturday set day sunday monday tuesday wednesday thursday friday saturday
@ -4401,6 +4394,7 @@ config firewall ssl-ssh-profile
config https config https
set ports 443 set ports 443
set status certificate-inspection set status certificate-inspection
set quic inspect
set unsupported-ssl-version allow set unsupported-ssl-version allow
end end
config ftps config ftps
@ -4425,6 +4419,7 @@ config firewall ssl-ssh-profile
end end
config dot config dot
set status disable set status disable
set quic inspect
end end
next next
edit "deep-inspection" edit "deep-inspection"
@ -4432,6 +4427,7 @@ config firewall ssl-ssh-profile
config https config https
set ports 443 set ports 443
set status deep-inspection set status deep-inspection
set quic inspect
set unsupported-ssl-version allow set unsupported-ssl-version allow
end end
config ftps config ftps
@ -4460,6 +4456,7 @@ config firewall ssl-ssh-profile
end end
config dot config dot
set status disable set status disable
set quic inspect
end end
config ssl-exempt config ssl-exempt
edit 1 edit 1
@ -4595,6 +4592,7 @@ config firewall ssl-ssh-profile
config https config https
set ports 443 set ports 443
set status deep-inspection set status deep-inspection
set quic inspect
set unsupported-ssl-version allow set unsupported-ssl-version allow
end end
config ftps config ftps
@ -4623,6 +4621,7 @@ config firewall ssl-ssh-profile
end end
config dot config dot
set status disable set status disable
set quic inspect
end end
config ssl-exempt config ssl-exempt
edit 1 edit 1
@ -4760,6 +4759,7 @@ config firewall ssl-ssh-profile
set comment "Read-only profile that does no inspection." set comment "Read-only profile that does no inspection."
config https config https
set status disable set status disable
set quic bypass
set unsupported-ssl-version allow set unsupported-ssl-version allow
end end
config ftps config ftps
@ -4784,6 +4784,7 @@ config firewall ssl-ssh-profile
end end
config dot config dot
set status disable set status disable
set quic bypass
end end
next next
edit "custom-cert-inspection" edit "custom-cert-inspection"
@ -4791,6 +4792,7 @@ config firewall ssl-ssh-profile
config https config https
set ports 443 set ports 443
set status certificate-inspection set status certificate-inspection
set quic inspect
set unsupported-ssl-version allow set unsupported-ssl-version allow
end end
config ftps config ftps
@ -4815,6 +4817,7 @@ config firewall ssl-ssh-profile
end end
config dot config dot
set status disable set status disable
set quic inspect
end end
next next
edit "SCSD custom-deep-inspection" edit "SCSD custom-deep-inspection"
@ -4822,6 +4825,7 @@ config firewall ssl-ssh-profile
config https config https
set ports 443 set ports 443
set status deep-inspection set status deep-inspection
set quic inspect
set unsupported-ssl-version allow set unsupported-ssl-version allow
end end
config ftps config ftps
@ -4850,6 +4854,7 @@ config firewall ssl-ssh-profile
end end
config dot config dot
set status disable set status disable
set quic inspect
end end
config ssl-exempt config ssl-exempt
edit 1 edit 1
@ -5015,7 +5020,6 @@ config firewall policy
set schedule "always" set schedule "always"
set service "ALL" set service "ALL"
set logtraffic all set logtraffic all
set match-vip enable
set comments "Block specific countries" set comments "Block specific countries"
next next
edit 110 edit 110
@ -5027,7 +5031,6 @@ config firewall policy
set schedule "always" set schedule "always"
set service "ALL" set service "ALL"
set logtraffic all set logtraffic all
set match-vip enable
set comments "Block specific countries" set comments "Block specific countries"
next next
edit 10020 edit 10020
@ -5039,7 +5042,6 @@ config firewall policy
set schedule "always" set schedule "always"
set service "ALL" set service "ALL"
set logtraffic all set logtraffic all
set match-vip enable
set comments "Block Known Attachers" set comments "Block Known Attachers"
next next
edit 10022 edit 10022
@ -5051,7 +5053,6 @@ config firewall policy
set schedule "always" set schedule "always"
set service "ALL" set service "ALL"
set logtraffic all set logtraffic all
set match-vip enable
set comments "Block Known Attachers" set comments "Block Known Attachers"
next next
edit 112 edit 112
@ -5844,6 +5845,7 @@ config firewall policy
set schedule "always" set schedule "always"
set service "DNS" set service "DNS"
set logtraffic disable set logtraffic disable
set match-vip disable
set comments "Deny SPD DNS" set comments "Deny SPD DNS"
next next
edit 55 edit 55
@ -6564,18 +6566,15 @@ config firewall sniffer
set interface "vpn-0fc50345" set interface "vpn-0fc50345"
set host "172.30.45.35" set host "172.30.45.35"
set port "3389" set port "3389"
set max-packet-count 100
next next
edit 4 edit 4
set interface "city_phones lag" set interface "city_phones lag"
set host "10.250.229.0/24" set host "10.250.229.0/24"
set max-packet-count 2000
next next
edit 6 edit 6
set interface "city_phones lag" set interface "city_phones lag"
set host "10.1.150.20" set host "10.1.150.20"
set port "8445" set port "8445"
set max-packet-count 50
next next
edit 5 edit 5
set interface "vpn-0403e61" set interface "vpn-0403e61"
@ -6610,7 +6609,6 @@ config firewall sniffer
edit 15 edit 15
set interface "RAP" set interface "RAP"
set host "192.168.79.2" set host "192.168.79.2"
set max-packet-count 10000
next next
edit 16 edit 16
set interface "city_phones lag" set interface "city_phones lag"


@ -44,3 +44,6 @@ config ips sensor
end end
next next
end end
config ips settings
set proxy-inline-ips disable
end
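Review bot: `set proxy-inline-ips disable` is added under `config ips settings` with nothing showing whether it was chosen or merely surfaced as a new default by a firmware upgrade. On recent FortiOS releases this knob decides whether IPS runs inline inside the proxy for proxy-mode policies, so it changes how (and on some releases whether) an IPS sensor attached to a proxy-based policy is applied. Confirm the effective IPS behaviour on the proxy-mode policies, and record the rationale in the commit message, e.g. `ips settings: proxy-inline-ips left disabled (upgrade default), verified IPS still applies to proxy-mode policies`, rather than leaving a security-relevant default unexplained.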


@ -82,5 +82,4 @@ config log setting
set local-in-allow enable set local-in-allow enable
set local-in-deny-unicast enable set local-in-deny-unicast enable
set local-in-deny-broadcast enable set local-in-deny-broadcast enable
set local-out enable
end end
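Review bot: Dropping `set local-out enable` stops the FortiGate from logging sessions it originates itself (DNS, FortiGuard, log forwarding, admin-initiated connections) while the local-in allow/deny logging on the lines above is kept. That is the one log source that would show a compromised or misconfigured firewall phoning out, so the removal is a forensics gap, not a cosmetic default change. If it was dropped for log-volume reasons, say so in the commit message; otherwise restore `set local-out enable` and handle the volume at the log filter or FortiAnalyzer side.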


@ -202,6 +202,7 @@ config router static
set dst 172.30.44.0 255.255.254.0 set dst 172.30.44.0 255.255.254.0
set distance 253 set distance 253
set blackhole enable set blackhole enable
set vrf 0
next next
edit 30 edit 30
set dst 10.11.0.0 255.255.240.0 set dst 10.11.0.0 255.255.240.0


@ -26,6 +26,7 @@ config switch-controller security-policy 802-1X
set framevid-apply enable set framevid-apply enable
set radius-timeout-overwrite disable set radius-timeout-overwrite disable
set authserver-timeout-vlan disable set authserver-timeout-vlan disable
set dacl disable
next next
end end
config switch-controller security-policy local-access config switch-controller security-policy local-access
@ -170,6 +171,8 @@ config switch-controller storm-control-policy
next next
end end
config switch-controller auto-config policy config switch-controller auto-config policy
edit "pse"
next
edit "default" edit "default"
next next
edit "default-icl" edit "default-icl"
@ -208,12 +211,12 @@ config switch-controller switch-profile
edit "default" edit "default"
next next
end end
config switch-controller ptp settings config switch-controller ptp profile
set mode disable edit "default"
end next
config switch-controller ptp policy end
config switch-controller ptp interface-policy
edit "default" edit "default"
set status enable
next next
end end
config switch-controller remote-log config switch-controller remote-log


@ -6,6 +6,7 @@ config system settings
set h323-direct-model enable set h323-direct-model enable
set gui-voip-profile enable set gui-voip-profile enable
set gui-local-in-policy enable set gui-local-in-policy enable
set gui-sslvpn enable
set gui-wireless-controller disable set gui-wireless-controller disable
set gui-switch-controller disable set gui-switch-controller disable
set gui-dnsfilter disable set gui-dnsfilter disable
@ -53,8 +54,8 @@ config system sdwan
next next
edit "Default_Office_365" edit "Default_Office_365"
set server "www.office.com" set server "www.office.com"
set protocol http set protocol https
set interval 1000 set interval 120000
set probe-timeout 1000 set probe-timeout 1000
set recoverytime 10 set recoverytime 10
config sla config sla
@ -80,8 +81,8 @@ config system sdwan
next next
edit "Default_Google Search" edit "Default_Google Search"
set server "www.google.com" set server "www.google.com"
set protocol http set protocol https
set interval 1000 set interval 120000
set probe-timeout 1000 set probe-timeout 1000
set recoverytime 10 set recoverytime 10
config sla config sla
@ -94,8 +95,8 @@ config system sdwan
next next
edit "Default_FortiGuard" edit "Default_FortiGuard"
set server "fortiguard.com" set server "fortiguard.com"
set protocol http set protocol https
set interval 1000 set interval 120000
set probe-timeout 1000 set probe-timeout 1000
set recoverytime 10 set recoverytime 10
config sla config sla
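Review bot: `set gui-sslvpn enable` re-exposes the SSL-VPN menus, and the SSL-VPN portal bookmarks and `config vpn ssl settings` changed elsewhere in this commit indicate SSL-VPN is still the production remote-access path. SSL-VPN has been the most heavily attacked FortiGate surface and Fortinet is retiring it in favour of IPsec/ZTNA, so keeping it should be an explicit, recorded decision with a migration target rather than a flag that reappears in a config dump. The same section also appears to raise every SD-WAN health-check `set interval` from 1000 to 120000 ms (old value printed first) and switch the probes to https; a two-minute probe interval delays link-failure detection by the same order, so confirm the failtime and recoverytime values still give the failover time the SLA rules assume.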


@ -5509,7 +5509,7 @@ end
config user local config user local
edit "jorge-mike" edit "jorge-mike"
set type password set type password
set passwd-time 2025-10-03 11:14:17 set passwd-time 2025-10-02 19:14:17
set passwd ENC *HIDDEN* set passwd ENC *HIDDEN*
next next
end end
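Review bot: The stored `passwd-time` for local user "jorge-mike" moves from `2025-10-03 11:14:17` to `2025-10-02 19:14:17`, a 16-hour shift backwards with no visible change to the password entry. That pattern looks like a timezone or clock-interpretation change rather than a real password reset; worth confirming the system timezone and NTP settings are what you expect, since the same skew would affect log timestamps and any password-expiry calculation keyed on this field. If a firmware upgrade rewrote the value, note it in the commit message so the next reviewer does not read it as a credential event.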


@ -0,0 +1,4 @@
config virtual-patch profile
edit "g-default"
next
end


@ -1,6 +1,8 @@
config voip profile config voip profile
edit "default" edit "default"
set comment "Default VoIP profile." set comment "Default VoIP profile."
config sip
end
next next
edit "strict" edit "strict"
config sip config sip
@ -37,5 +39,7 @@ config voip profile
next next
edit "parks_sip" edit "parks_sip"
set comment "VoIP Profile for Parks SIP" set comment "VoIP Profile for Parks SIP"
config sip
end
next next
end end


@ -20,6 +20,11 @@ config vpn certificate local
set range global set range global
set source factory set source factory
next next
edit "Fortinet_GUI_Server"
set comments "This is the default CA certificate the SSL Inspection will use when generating new server certificates."
set range global
set source factory
next
edit "Fortinet_SSL_RSA1024" edit "Fortinet_SSL_RSA1024"
set comments "This certificate is embedded in the hardware at the factory and is unique to this unit. " set comments "This certificate is embedded in the hardware at the factory and is unique to this unit. "
set range global set range global
@ -337,56 +342,48 @@ config vpn ssl web portal
edit "Obiwan_RDP" edit "Obiwan_RDP"
set apptype rdp set apptype rdp
set host "10.1.48.202" set host "10.1.48.202"
set security any
set port 3389 set port 3389
set sso auto set sso auto
next next
edit "HanSolo_RDP" edit "HanSolo_RDP"
set apptype rdp set apptype rdp
set host "10.1.48.201" set host "10.1.48.201"
set security any
set port 3389 set port 3389
set sso auto set sso auto
next next
edit "C3PO_RDP" edit "C3PO_RDP"
set apptype rdp set apptype rdp
set host "10.1.48.133" set host "10.1.48.133"
set security any
set port 3389 set port 3389
set sso auto set sso auto
next next
edit "Chewbacca_RDP" edit "Chewbacca_RDP"
set apptype rdp set apptype rdp
set host "10.1.48.129" set host "10.1.48.129"
set security any
set port 3389 set port 3389
set sso auto set sso auto
next next
edit "Skywalker_RDP" edit "Skywalker_RDP"
set apptype rdp set apptype rdp
set host "10.1.48.63" set host "10.1.48.63"
set security any
set port 3389 set port 3389
set sso auto set sso auto
next next
edit "Yoda_RDP" edit "Yoda_RDP"
set apptype rdp set apptype rdp
set host "10.1.48.103" set host "10.1.48.103"
set security any
set port 3389 set port 3389
set sso auto set sso auto
next next
edit "MANDO_RDP" edit "MANDO_RDP"
set apptype rdp set apptype rdp
set host "10.1.40.72" set host "10.1.40.72"
set security any
set port 3389 set port 3389
set sso auto set sso auto
next next
edit "GROGU_RDP" edit "GROGU_RDP"
set apptype rdp set apptype rdp
set host "10.1.40.224" set host "10.1.40.224"
set security any
set port 3389 set port 3389
set sso auto set sso auto
next next
@ -545,14 +542,12 @@ config vpn ssl web portal
edit "411app" edit "411app"
set apptype rdp set apptype rdp
set host "10.1.40.216" set host "10.1.40.216"
set security any
set port 3389 set port 3389
set sso auto set sso auto
next next
edit "411sql" edit "411sql"
set apptype rdp set apptype rdp
set host "10.1.40.225" set host "10.1.40.225"
set security any
set port 3389 set port 3389
set sso auto set sso auto
next next
@ -644,6 +639,7 @@ config vpn ssl web portal
next next
end end
config vpn ssl settings config vpn ssl settings
set banned-cipher SHA1 SHA256 SHA384
set servercert "StarCert-Expire03202026" set servercert "StarCert-Expire03202026"
set idle-timeout 3600 set idle-timeout 3600
set auth-timeout 36000 set auth-timeout 36000
@ -732,7 +728,6 @@ config vpn ssl web user-bookmark
edit "My_PC" edit "My_PC"
set apptype rdp set apptype rdp
set host "10.1.7.137" set host "10.1.7.137"
set security any
set port 3389 set port 3389
set sso auto set sso auto
next next
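Review bot: `set banned-cipher SHA1 SHA256 SHA384` in `config vpn ssl settings` presumably leaves only AEAD suites (AES-GCM/ChaCha20) for TLS 1.2 SSL-VPN clients, which is sensible hardening, but it only pays off if the minimum protocol version is pinned as well; `ssl-min-proto-ver` is not in this hunk and the settings block continues outside it, so confirm it is `tls1-2` or higher and that the deployed FortiClient versions actually negotiate a GCM/ChaCha suite before this reaches production. Separately, the server certificate is still `StarCert-Expire03202026`, whose name advertises an expiry about four months after this commit date; schedule the renewal now so the VPN does not start presenting an expired wildcard certificate. The RDP bookmarks also lose their explicit `set security any` lines; if the upgrade simply dropped the attribute that is fine, but if the default changed, check which RDP security mode the bookmarks now negotiate.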


@ -511,17 +511,20 @@ config webfilter search-engine
set url "^\\/translate" set url "^\\/translate"
set query "u=" set query "u="
set safesearch translate set safesearch translate
set safesearch-str "regex::(?:\\?|&)u=([^&]+)::\\1"
next next
edit "g-google-translate-2" edit "g-google-translate-2"
set hostname ".*\\.translate\\.goog" set hostname ".*\\.translate\\.goog"
set url "^\\/" set url "^\\/"
set safesearch translate set safesearch translate
set safesearch-str "case::google-translate"
next next
edit "g-twitter" edit "g-twitter"
set hostname "twitter\\.com" set hostname "twitter\\.com"
set url "^\\/i\\/api\\/graphql\\/.*\\/UserByScreenName" set url "^\\/i\\/api\\/graphql\\/.*\\/UserByScreenName"
set query "variables=" set query "variables="
set safesearch translate set safesearch translate
set safesearch-str "regex::%22screen_name%22:%22([A-Za-z0-9_]{4,15})%22::twitter.com/\\1"
next next
edit "g-vimeo" edit "g-vimeo"
set hostname ".*vimeo.*" set hostname ".*vimeo.*"
@ -538,7 +541,7 @@ config webfilter search-engine
next next
edit "g-yandex" edit "g-yandex"
set hostname "yandex\\..*" set hostname "yandex\\..*"
set url "^\\/((yand|images\\/|video\\/)(search)|search\\/)\\?" set url "^\\/((|yand|images\\/|video\\/)(search)|search\\/)\\?"
set query "text=" set query "text="
set safesearch url set safesearch url
set safesearch-str "&family=yes" set safesearch-str "&family=yes"
@ -571,12 +574,6 @@ config webfilter search-engine
set url "www.youtube.com/youtubei/v1/navigator" set url "www.youtube.com/youtubei/v1/navigator"
set safesearch yt-scan set safesearch yt-scan
next next
edit "translate"
set hostname "translate\\.google\\..*"
set url "^\\/translate\\?"
set query "u="
set safesearch translate
next
edit "yt-video" edit "yt-video"
set url "www.youtube.com/watch" set url "www.youtube.com/watch"
set safesearch yt-video set safesearch yt-video