# FortiOS CLI configuration fragment: firewall address/service objects, traffic shapers,
# SSL/SSH inspection profiles and a single firewall policy. The export had everything
# collapsed onto a few long lines; it is reformatted here one statement per line with
# the usual 4-space nesting. No setting values were changed.
# NOTE(review): the "g-" prefixed objects and the Fortinet_SSH_* keys look like
# Fortinet-shipped defaults rather than site-specific additions — confirm against the
# running config before treating anything below as a local customization.

# IPv4 address objects. "type dynamic" + "sub-type ems-tag" objects are resolved from
# FortiClient EMS tags at runtime rather than from a fixed subnet.
config firewall address
    edit "EMS_ALL_UNKNOWN_CLIENTS"
        set type dynamic
        set sub-type ems-tag
    next
    edit "EMS_ALL_UNMANAGEABLE_CLIENTS"
        set type dynamic
        set sub-type ems-tag
    next
    # /32 on 0.0.0.0 — matches only that single host address.
    edit "none"
        set subnet 0.0.0.0 255.255.255.255
    next
    # FQDN objects for the Microsoft sign-in endpoints, grouped below in "Microsoft Office 365".
    edit "login.microsoftonline.com"
        set type fqdn
        set fqdn "login.microsoftonline.com"
    next
    edit "login.microsoft.com"
        set type fqdn
        set fqdn "login.microsoft.com"
    next
    edit "login.windows.net"
        set type fqdn
        set fqdn "login.windows.net"
    next
    edit "gmail.com"
        set type fqdn
        set fqdn "gmail.com"
    next
    # fqdn-type objects whose pattern is a wildcard ("*.google.com", "*.dropbox.com").
    edit "wildcard.google.com"
        set type fqdn
        set fqdn "*.google.com"
    next
    edit "wildcard.dropbox.com"
        set type fqdn
        set fqdn "*.dropbox.com"
    next
    # Address pool handed to SSL-VPN tunnel clients (.200-.210, 11 addresses).
    edit "SSLVPN_TUNNEL_ADDR1"
        set type iprange
        set start-ip 10.212.134.200
        set end-ip 10.212.134.210
    next
    # System objects; no settings are shown for them in this export.
    edit "all"
    next
    edit "FIREWALL_AUTH_PORTAL_ADDRESS"
    next
    edit "FABRIC_DEVICE"
        set comment "IPv4 addresses of Fabric Devices."
    next
    edit "FCTEMS_ALL_FORTICLOUD_SERVERS"
        set type dynamic
        set sub-type ems-tag
    next
end

# Well-known IPv4 multicast groups; "all" spans the entire 224.0.0.0-239.255.255.255 range.
config firewall multicast-address
    edit "all_hosts"
        set start-ip 224.0.0.1
        set end-ip 224.0.0.1
    next
    edit "all_routers"
        set start-ip 224.0.0.2
        set end-ip 224.0.0.2
    next
    edit "Bonjour"
        set start-ip 224.0.0.251
        set end-ip 224.0.0.251
    next
    edit "EIGRP"
        set start-ip 224.0.0.10
        set end-ip 224.0.0.10
    next
    edit "OSPF"
        set start-ip 224.0.0.5
        set end-ip 224.0.0.6
    next
    edit "all"
        set start-ip 224.0.0.0
        set end-ip 239.255.255.255
    next
end

# IPv6 address objects. "::/128" mirrors the IPv4 "none" object; fdff:ffff::/120 is the
# SSL-VPN IPv6 tunnel pool (unique-local space).
config firewall address6
    edit "all"
    next
    edit "none"
        set ip6 ::/128
    next
    edit "SSLVPN_TUNNEL_IPv6_ADDR1"
        set ip6 fdff:ffff::/120
    next
end

config firewall multicast-address6
    edit "all"
        set ip6 ff00::/8
    next
end

# Address groups; every member must exist in "config firewall address" above.
config firewall addrgrp
    edit "G Suite"
        set member "gmail.com" "wildcard.google.com"
    next
    edit "Microsoft Office 365"
        set member "login.microsoftonline.com" "login.microsoft.com" "login.windows.net"
    next
end

# Wildcard FQDN objects, referenced by the ssl-exempt lists in the ssl-ssh-profiles below.
# NOTE(review): patterns with no "." after the "*" (e.g. "*autoupdate.opera.com",
# "*update.microsoft.com", "aus*.mozilla.org") match any host name ending in that suffix,
# which is broader than a "*.domain" pattern — presumably intentional for these update
# hosts, but worth re-checking whenever the list is customized.
config firewall wildcard-fqdn custom
    edit "g-Adobe Login"
        set wildcard-fqdn "*.adobelogin.com"
    next
    edit "g-Gotomeeting"
        set wildcard-fqdn "*.gotomeeting.com"
    next
    edit "g-Windows update 2"
        set wildcard-fqdn "*.windowsupdate.com"
    next
    edit "g-adobe"
        set wildcard-fqdn "*.adobe.com"
    next
    edit "g-android"
        set wildcard-fqdn "*.android.com"
    next
    edit "g-apple"
        set wildcard-fqdn "*.apple.com"
    next
    edit "g-appstore"
        set wildcard-fqdn "*.appstore.com"
    next
    edit "g-auth.gfx.ms"
        set wildcard-fqdn "*.auth.gfx.ms"
    next
    edit "g-autoupdate.opera.com"
        set wildcard-fqdn "*autoupdate.opera.com"
    next
    edit "g-cdn-apple"
        set wildcard-fqdn "*.cdn-apple.com"
    next
    edit "g-citrix"
        set wildcard-fqdn "*.citrixonline.com"
    next
    edit "g-dropbox.com"
        set wildcard-fqdn "*.dropbox.com"
    next
    edit "g-eease"
        set wildcard-fqdn "*.eease.com"
    next
    edit "g-firefox update server"
        set wildcard-fqdn "aus*.mozilla.org"
    next
    edit "g-fortinet"
        set wildcard-fqdn "*.fortinet.com"
    next
    edit "g-google-drive"
        set wildcard-fqdn "*drive.google.com"
    next
    edit "g-google-play"
        set wildcard-fqdn "*play.google.com"
    next
    edit "g-google-play2"
        set wildcard-fqdn "*.ggpht.com"
    next
    edit "g-google-play3"
        set wildcard-fqdn "*.books.google.com"
    next
    edit "g-googleapis.com"
        set wildcard-fqdn "*.googleapis.com"
    next
    edit "g-icloud"
        set wildcard-fqdn "*.icloud.com"
    next
    edit "g-itunes"
        set wildcard-fqdn "*itunes.apple.com"
    next
    edit "g-live.com"
        set wildcard-fqdn "*.live.com"
    next
    edit "g-microsoft"
        set wildcard-fqdn "*.microsoft.com"
    next
    edit "g-mzstatic-apple"
        set wildcard-fqdn "*.mzstatic.com"
    next
    edit "g-skype"
        set wildcard-fqdn "*.messenger.live.com"
    next
    edit "g-softwareupdate.vmware.com"
        set wildcard-fqdn "*.softwareupdate.vmware.com"
    next
    edit "g-swscan.apple.com"
        set wildcard-fqdn "*swscan.apple.com"
    next
    edit "g-update.microsoft.com"
        set wildcard-fqdn "*update.microsoft.com"
    next
    edit "g-verisign"
        set wildcard-fqdn "*.verisign.com"
    next
end

# Display categories for service objects; these carry only a comment string.
config firewall service category
    edit "General"
        set comment "General services."
    next
    edit "Web Access"
        set comment "Web access."
    next
    edit "File Access"
        set comment "File access."
    next
    edit "Email"
        set comment "Email services."
    next
    edit "Network Services"
        set comment "Network services."
    next
    edit "Authentication"
        set comment "Authentication service."
    next
    edit "Remote Access"
        set comment "Remote access."
    next
    edit "Tunneling"
        set comment "Tunneling service."
    next
    edit "VoIP, Messaging & Other Applications"
        set comment "VoIP, messaging, and other applications."
    next
    edit "Web Proxy"
        set comment "Explicit web proxy."
    next
end

# Service definitions. Forms used below:
#   "set tcp-portrange 513:512-1023"      -> destination port 513, source ports 512-1023 (dst:src)
#   "set protocol IP" + "protocol-number" -> a raw IP protocol (GRE=47, AH=51, ESP=50, OSPF=89)
#   "unset icmptype" / "unset icmpcode"   -> any ICMP type / any code
# These are definitions only; nothing in this section permits traffic by itself.
config firewall service custom
    # Any IP protocol, any port.
    edit "ALL"
        set category "General"
        set protocol IP
    next
    edit "FTP"
        set category "File Access"
        set tcp-portrange 21
    next
    edit "FTP_GET"
        set category "File Access"
        set tcp-portrange 21
    next
    edit "FTP_PUT"
        set category "File Access"
        set tcp-portrange 21
    next
    edit "DNS"
        set category "Network Services"
        set tcp-portrange 53
        set udp-portrange 53
    next
    edit "HTTP"
        set category "Web Access"
        set tcp-portrange 80
    next
    edit "HTTPS"
        set category "Web Access"
        set tcp-portrange 443
    next
    edit "IMAP"
        set category "Email"
        set tcp-portrange 143
    next
    edit "IMAPS"
        set category "Email"
        set tcp-portrange 993
    next
    edit "LDAP"
        set category "Authentication"
        set tcp-portrange 389
    next
    edit "DCE-RPC"
        set category "Remote Access"
        set tcp-portrange 135
        set udp-portrange 135
    next
    edit "POP3"
        set category "Email"
        set tcp-portrange 110
    next
    edit "POP3S"
        set category "Email"
        set tcp-portrange 995
    next
    edit "SAMBA"
        set category "File Access"
        set tcp-portrange 139
    next
    edit "SMTP"
        set category "Email"
        set tcp-portrange 25
    next
    edit "SMTPS"
        set category "Email"
        set tcp-portrange 465
    next
    # 88 = Kerberos, 464 = kpasswd.
    edit "KERBEROS"
        set category "Authentication"
        set tcp-portrange 88 464
        set udp-portrange 88 464
    next
    edit "LDAP_UDP"
        set category "Authentication"
        set udp-portrange 389
    next
    edit "SMB"
        set category "File Access"
        set tcp-portrange 445
    next
    # Full port ranges, and any ICMP/ICMPv6 type.
    edit "ALL_TCP"
        set category "General"
        set tcp-portrange 1-65535
    next
    edit "ALL_UDP"
        set category "General"
        set udp-portrange 1-65535
    next
    edit "ALL_ICMP"
        set category "General"
        set protocol ICMP
        unset icmptype
    next
    edit "ALL_ICMP6"
        set category "General"
        set protocol ICMP6
        unset icmptype
    next
    # Raw IP protocols used by tunnelling/IPsec and routing.
    edit "GRE"
        set category "Tunneling"
        set protocol IP
        set protocol-number 47
    next
    edit "AH"
        set category "Tunneling"
        set protocol IP
        set protocol-number 51
    next
    edit "ESP"
        set category "Tunneling"
        set protocol IP
        set protocol-number 50
    next
    edit "AOL"
        set tcp-portrange 5190-5194
    next
    edit "BGP"
        set category "Network Services"
        set tcp-portrange 179
    next
    edit "DHCP"
        set category "Network Services"
        set udp-portrange 67-68
    next
    edit "FINGER"
        set tcp-portrange 79
    next
    edit "GOPHER"
        set tcp-portrange 70
    next
    edit "H323"
        set category "VoIP, Messaging & Other Applications"
        set tcp-portrange 1720 1503
        set udp-portrange 1719
    next
    # 500 = IKE, 4500 = IKE/IPsec NAT-T.
    edit "IKE"
        set category "Tunneling"
        set udp-portrange 500 4500
    next
    edit "Internet-Locator-Service"
        set tcp-portrange 389
    next
    edit "IRC"
        set category "VoIP, Messaging & Other Applications"
        set tcp-portrange 6660-6669
    next
    edit "L2TP"
        set category "Tunneling"
        set tcp-portrange 1701
        set udp-portrange 1701
    next
    edit "NetMeeting"
        set tcp-portrange 1720
    next
    edit "NFS"
        set category "File Access"
        set tcp-portrange 111 2049
        set udp-portrange 111 2049
    next
    edit "NNTP"
        set tcp-portrange 119
    next
    edit "NTP"
        set category "Network Services"
        set tcp-portrange 123
        set udp-portrange 123
    next
    edit "OSPF"
        set category "Network Services"
        set protocol IP
        set protocol-number 89
    next
    edit "PC-Anywhere"
        set category "Remote Access"
        set tcp-portrange 5631
        set udp-portrange 5632
    next
    # ICMP type 8 = echo request; the other three are the legacy timestamp/info request types.
    edit "PING"
        set category "Network Services"
        set protocol ICMP
        set icmptype 8
        unset icmpcode
    next
    edit "TIMESTAMP"
        set protocol ICMP
        set icmptype 13
        unset icmpcode
    next
    edit "INFO_REQUEST"
        set protocol ICMP
        set icmptype 15
        unset icmpcode
    next
    edit "INFO_ADDRESS"
        set protocol ICMP
        set icmptype 17
        unset icmpcode
    next
    edit "ONC-RPC"
        set category "Remote Access"
        set tcp-portrange 111
        set udp-portrange 111
    next
    edit "PPTP"
        set category "Tunneling"
        set tcp-portrange 1723
    next
    edit "QUAKE"
        set udp-portrange 26000 27000 27910 27960
    next
    edit "RAUDIO"
        set udp-portrange 7070
    next
    # REXEC/RLOGIN/RSH/TELNET below are legacy cleartext remote-access protocols;
    # they are only defined here, not permitted by any policy in this fragment.
    edit "REXEC"
        set tcp-portrange 512
    next
    edit "RIP"
        set category "Network Services"
        set udp-portrange 520
    next
    edit "RLOGIN"
        set tcp-portrange 513:512-1023
    next
    edit "RSH"
        set tcp-portrange 514:512-1023
    next
    edit "SCCP"
        set category "VoIP, Messaging & Other Applications"
        set tcp-portrange 2000
    next
    edit "SIP"
        set category "VoIP, Messaging & Other Applications"
        set tcp-portrange 5060
        set udp-portrange 5060
    next
    edit "SIP-MSNmessenger"
        set category "VoIP, Messaging & Other Applications"
        set tcp-portrange 1863
    next
    edit "SNMP"
        set category "Network Services"
        set tcp-portrange 161-162
        set udp-portrange 161-162
    next
    edit "SSH"
        set category "Remote Access"
        set tcp-portrange 22
    next
    edit "SYSLOG"
        set category "Network Services"
        set udp-portrange 514
    next
    edit "TALK"
        set udp-portrange 517-518
    next
    edit "TELNET"
        set category "Remote Access"
        set tcp-portrange 23
    next
    edit "TFTP"
        set category "File Access"
        set udp-portrange 69
    next
    edit "MGCP"
        set udp-portrange 2427 2727
    next
    edit "UUCP"
        set tcp-portrange 540
    next
    edit "VDOLIVE"
        set tcp-portrange 7000-7010
    next
    edit "WAIS"
        set tcp-portrange 210
    next
    edit "WINFRAME"
        set tcp-portrange 1494 2598
    next
    edit "X-WINDOWS"
        set category "Remote Access"
        set tcp-portrange 6000-6063
    next
    # ICMPv6 type 128 = echo request.
    edit "PING6"
        set protocol ICMP6
        set icmptype 128
        unset icmpcode
    next
    edit "MS-SQL"
        set category "VoIP, Messaging & Other Applications"
        set tcp-portrange 1433 1434
    next
    edit "MYSQL"
        set category "VoIP, Messaging & Other Applications"
        set tcp-portrange 3306
    next
    edit "RDP"
        set category "Remote Access"
        set tcp-portrange 3389
    next
    edit "VNC"
        set category "Remote Access"
        set tcp-portrange 5900
    next
    edit "DHCP6"
        set category "Network Services"
        set udp-portrange 546 547
    next
    edit "SQUID"
        set category "Tunneling"
        set tcp-portrange 3128
    next
    edit "SOCKS"
        set category "Tunneling"
        set tcp-portrange 1080
        set udp-portrange 1080
    next
    edit "WINS"
        set category "Remote Access"
        set tcp-portrange 1512
        set udp-portrange 1512
    next
    edit "RADIUS"
        set category "Authentication"
        set udp-portrange 1812 1813
    next
    edit "RADIUS-OLD"
        set udp-portrange 1645 1646
    next
    edit "CVSPSERVER"
        set tcp-portrange 2401
        set udp-portrange 2401
    next
    edit "AFS3"
        set category "File Access"
        set tcp-portrange 7000-7009
        set udp-portrange 7000-7009
    next
    edit "TRACEROUTE"
        set category "Network Services"
        set udp-portrange 33434-33535
    next
    edit "RTSP"
        set category "VoIP, Messaging & Other Applications"
        set tcp-portrange 554 7070 8554
        set udp-portrange 554
    next
    # Note the wide UDP range (1024-5000) on MMS.
    edit "MMS"
        set tcp-portrange 1755
        set udp-portrange 1024-5000
    next
    # TCP port 0 — presumably a deliberate "match nothing" service.
    edit "NONE"
        set tcp-portrange 0
    next
    # The only service with "set proxy enable": used by explicit web proxy policies,
    # any destination and any source port (dst:src).
    edit "webproxy"
        set proxy enable
        set category "Web Proxy"
        set protocol ALL
        set tcp-portrange 0-65535:0-65535
    next
end

# Service groups; "Windows AD" bundles the domain-controller ports (RPC, DNS, Kerberos, LDAP, SMB).
config firewall service group
    edit "Email Access"
        set member "DNS" "IMAP" "IMAPS" "POP3" "POP3S" "SMTP" "SMTPS"
    next
    edit "Web Access"
        set member "DNS" "HTTP" "HTTPS"
    next
    edit "Windows AD"
        set member "DCE-RPC" "DNS" "KERBEROS" "LDAP" "LDAP_UDP" "SAMBA" "SMB"
    next
    edit "Exchange Server"
        set member "DCE-RPC" "DNS" "HTTPS"
    next
end

# Traffic shapers. Bandwidth values are in the shaper's bandwidth unit, which is not
# shown here (kbps unless "bandwidth-unit" was changed — confirm on the device).
# "per-policy enable" gives each policy its own instance of the shaper; "shared-1M-pipe"
# has no such flag and so is shared by every policy that references it.
config firewall shaper traffic-shaper
    edit "high-priority"
        set maximum-bandwidth 1048576
        set per-policy enable
    next
    edit "medium-priority"
        set maximum-bandwidth 1048576
        set priority medium
        set per-policy enable
    next
    edit "low-priority"
        set maximum-bandwidth 1048576
        set priority low
        set per-policy enable
    next
    edit "guarantee-100kbps"
        set guaranteed-bandwidth 100
        set maximum-bandwidth 1048576
        set per-policy enable
    next
    edit "shared-1M-pipe"
        set maximum-bandwidth 1024
    next
end

# Proxy address objects matching requests whose Host is a literal IPv4 dotted quad or a
# bracketed IPv6 address. Backslashes appear doubled because the export escapes them.
config firewall proxy-address
    edit "IPv4-address"
        set type host-regex
        set host-regex "^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\.([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])){3}$"
    next
    edit "IPv6-address"
        set type host-regex
        set host-regex "^\\[(([0-9a-f]{0,4}:){1,7}[0-9a-f]{1,4})\\]$"
    next
end

# Recurring schedules. "always" lists every day with no start/end; "none" has no days;
# "default-darrp-optimize" is a daily 01:00-01:30 window (presumably the wireless DARRP
# optimisation schedule — confirm where it is referenced).
config firewall schedule recurring
    edit "always"
        set day sunday monday tuesday wednesday thursday friday saturday
    next
    edit "none"
    next
    edit "default-darrp-optimize"
        set start 01:00
        set end 01:30
        set day sunday monday tuesday wednesday thursday friday saturday
    next
end

# Host keys used by the SSH deep-inspection proxy. The private key material is
# redacted in this export ("ENC *HIDDEN*"), so this fragment alone cannot recreate
# the keys; all of them are "source built-in" (device-generated).
config firewall ssh local-key
    edit "g-Fortinet_SSH_DSA1024"
        set password ENC *HIDDEN*
        set source built-in
    next
    edit "g-Fortinet_SSH_ECDSA256"
        set password ENC *HIDDEN*
        set source built-in
    next
    edit "g-Fortinet_SSH_ECDSA384"
        set password ENC *HIDDEN*
        set source built-in
    next
    edit "g-Fortinet_SSH_ECDSA521"
        set password ENC *HIDDEN*
        set source built-in
    next
    edit "g-Fortinet_SSH_ED25519"
        set password ENC *HIDDEN*
        set source built-in
    next
    edit "g-Fortinet_SSH_RSA2048"
        set password ENC *HIDDEN*
        set source built-in
    next
end

# CAs the SSH proxy signs re-issued host keys with (trusted and untrusted variants);
# key material redacted as above.
config firewall ssh local-ca
    edit "g-Fortinet_SSH_CA"
        set password ENC *HIDDEN*
        set source built-in
    next
    edit "g-Fortinet_SSH_CA_Untrusted"
        set password ENC *HIDDEN*
        set source built-in
    next
end

# Binds the CAs and the per-algorithm host keys above to the SSH proxy.
# NOTE(review): a 1024-bit DSA host key is among those offered. DSA-1024 is deprecated
# and disabled by default in modern SSH implementations; verify it is still required by
# a client before keeping it in the offered set.
config firewall ssh setting
    set caname "g-Fortinet_SSH_CA"
    set untrusted-caname "g-Fortinet_SSH_CA_Untrusted"
    set hostkey-rsa2048 "g-Fortinet_SSH_RSA2048"
    set hostkey-dsa1024 "g-Fortinet_SSH_DSA1024"
    set hostkey-ecdsa256 "g-Fortinet_SSH_ECDSA256"
    set hostkey-ecdsa384 "g-Fortinet_SSH_ECDSA384"
    set hostkey-ecdsa521 "g-Fortinet_SSH_ECDSA521"
    set hostkey-ed25519 "g-Fortinet_SSH_ED25519"
end

# Port-to-protocol mapping used by the UTM proxies; the per-protocol "options" flags
# are reproduced exactly as exported.
config firewall profile-protocol-options
    edit "default"
        set comment "All default services."
        config http
            set ports 80
            unset options
            unset post-lang
        end
        config ftp
            set ports 21
            set options splice
        end
        config imap
            set ports 143
            set options fragmail
        end
        config mapi
            set ports 135
            set options fragmail
        end
        config pop3
            set ports 110
            set options fragmail
        end
        config smtp
            set ports 25
            set options fragmail splice
        end
        config nntp
            set ports 119
            set options splice
        end
        config ssh
            unset options
        end
        config dns
            set ports 53
        end
        config cifs
            set ports 445
            unset options
        end
    next
end

# SSL/SSH inspection profiles. Policy 1 below references "certificate-inspection".
config firewall ssl-ssh-profile
    # Handshake-only inspection on 443 (and QUIC): certificate/SNI are examined, the
    # payload is not decrypted. The mail and FTPS proxies are disabled in this profile.
    edit "certificate-inspection"
        set comment "Read-only SSL handshake inspection profile."
        config https
            set ports 443
            set status certificate-inspection
            set quic inspect
            set unsupported-ssl-version allow
        end
        config ftps
            set status disable
            set unsupported-ssl-version allow
        end
        config imaps
            set status disable
            set unsupported-ssl-version allow
        end
        config pop3s
            set status disable
            set unsupported-ssl-version allow
        end
        config smtps
            set status disable
            set unsupported-ssl-version allow
        end
        config ssh
            set ports 22
            set status disable
        end
        config dot
            set status disable
            set quic inspect
        end
    next
    # Full decryption (man-in-the-middle) on 443/990/993/995/465.
    # NOTE(review): "unsupported-ssl-version allow" passes through, un-inspected, any
    # session negotiating an SSL/TLS version the proxy cannot handle, instead of
    # blocking it — review whether that is the intended posture for a deep-inspection
    # profile. Same setting in "custom-deep-inspection" below.
    edit "deep-inspection"
        set comment "Read-only deep inspection profile."
        config https
            set ports 443
            set status deep-inspection
            set quic inspect
            set unsupported-ssl-version allow
        end
        config ftps
            set ports 990
            set status deep-inspection
            set unsupported-ssl-version allow
        end
        config imaps
            set ports 993
            set status deep-inspection
            set unsupported-ssl-version allow
        end
        config pop3s
            set ports 995
            set status deep-inspection
            set unsupported-ssl-version allow
        end
        config smtps
            set ports 465
            set status deep-inspection
            set unsupported-ssl-version allow
        end
        config ssh
            set ports 22
            set status disable
        end
        config dot
            set status disable
            set quic inspect
        end
        # Destinations excluded from decryption: two FortiGuard web categories (numeric
        # IDs 31 and 33 — check the category table on the device for their names) and
        # the "g-" wildcard FQDN objects defined in "config firewall wildcard-fqdn custom".
        # Traffic to these is not decrypted, so UTM content inspection does not see it.
        config ssl-exempt
            edit 1
                set fortiguard-category 31
            next
            edit 2
                set fortiguard-category 33
            next
            edit 3
                set type wildcard-fqdn
                set wildcard-fqdn "g-adobe"
            next
            edit 4
                set type wildcard-fqdn
                set wildcard-fqdn "g-Adobe Login"
            next
            edit 5
                set type wildcard-fqdn
                set wildcard-fqdn "g-android"
            next
            edit 6
                set type wildcard-fqdn
                set wildcard-fqdn "g-apple"
            next
            edit 7
                set type wildcard-fqdn
                set wildcard-fqdn "g-appstore"
            next
            edit 8
                set type wildcard-fqdn
                set wildcard-fqdn "g-auth.gfx.ms"
            next
            edit 9
                set type wildcard-fqdn
                set wildcard-fqdn "g-citrix"
            next
            edit 10
                set type wildcard-fqdn
                set wildcard-fqdn "g-dropbox.com"
            next
            edit 11
                set type wildcard-fqdn
                set wildcard-fqdn "g-eease"
            next
            edit 12
                set type wildcard-fqdn
                set wildcard-fqdn "g-firefox update server"
            next
            edit 13
                set type wildcard-fqdn
                set wildcard-fqdn "g-fortinet"
            next
            edit 14
                set type wildcard-fqdn
                set wildcard-fqdn "g-googleapis.com"
            next
            edit 15
                set type wildcard-fqdn
                set wildcard-fqdn "g-google-drive"
            next
            edit 16
                set type wildcard-fqdn
                set wildcard-fqdn "g-google-play2"
            next
            edit 17
                set type wildcard-fqdn
                set wildcard-fqdn "g-google-play3"
            next
            edit 18
                set type wildcard-fqdn
                set wildcard-fqdn "g-Gotomeeting"
            next
            edit 19
                set type wildcard-fqdn
                set wildcard-fqdn "g-icloud"
            next
            edit 20
                set type wildcard-fqdn
                set wildcard-fqdn "g-itunes"
            next
            edit 21
                set type wildcard-fqdn
                set wildcard-fqdn "g-microsoft"
            next
            edit 22
                set type wildcard-fqdn
                set wildcard-fqdn "g-skype"
            next
            edit 23
                set type wildcard-fqdn
                set wildcard-fqdn "g-softwareupdate.vmware.com"
            next
            edit 24
                set type wildcard-fqdn
                set wildcard-fqdn "g-verisign"
            next
            edit 25
                set type wildcard-fqdn
                set wildcard-fqdn "g-Windows update 2"
            next
            edit 26
                set type wildcard-fqdn
                set wildcard-fqdn "g-live.com"
            next
            edit 27
                set type wildcard-fqdn
                set wildcard-fqdn "g-google-play"
            next
            edit 28
                set type wildcard-fqdn
                set wildcard-fqdn "g-update.microsoft.com"
            next
            edit 29
                set type wildcard-fqdn
                set wildcard-fqdn "g-swscan.apple.com"
            next
            edit 30
                set type wildcard-fqdn
                set wildcard-fqdn "g-autoupdate.opera.com"
            next
            edit 31
                set type wildcard-fqdn
                set wildcard-fqdn "g-cdn-apple"
            next
            edit 32
                set type wildcard-fqdn
                set wildcard-fqdn "g-mzstatic-apple"
            next
        end
    next
    # Editable copy of "deep-inspection". At this point every setting and the 32-entry
    # exemption list are identical to the read-only profile above.
    edit "custom-deep-inspection"
        set comment "Customizable deep inspection profile."
        config https
            set ports 443
            set status deep-inspection
            set quic inspect
            set unsupported-ssl-version allow
        end
        config ftps
            set ports 990
            set status deep-inspection
            set unsupported-ssl-version allow
        end
        config imaps
            set ports 993
            set status deep-inspection
            set unsupported-ssl-version allow
        end
        config pop3s
            set ports 995
            set status deep-inspection
            set unsupported-ssl-version allow
        end
        config smtps
            set ports 465
            set status deep-inspection
            set unsupported-ssl-version allow
        end
        config ssh
            set ports 22
            set status disable
        end
        config dot
            set status disable
            set quic inspect
        end
        config ssl-exempt
            edit 1
                set fortiguard-category 31
            next
            edit 2
                set fortiguard-category 33
            next
            edit 3
                set type wildcard-fqdn
                set wildcard-fqdn "g-adobe"
            next
            edit 4
                set type wildcard-fqdn
                set wildcard-fqdn "g-Adobe Login"
            next
            edit 5
                set type wildcard-fqdn
                set wildcard-fqdn "g-android"
            next
            edit 6
                set type wildcard-fqdn
                set wildcard-fqdn "g-apple"
            next
            edit 7
                set type wildcard-fqdn
                set wildcard-fqdn "g-appstore"
            next
            edit 8
                set type wildcard-fqdn
                set wildcard-fqdn "g-auth.gfx.ms"
            next
            edit 9
                set type wildcard-fqdn
                set wildcard-fqdn "g-citrix"
            next
            edit 10
                set type wildcard-fqdn
                set wildcard-fqdn "g-dropbox.com"
            next
            edit 11
                set type wildcard-fqdn
                set wildcard-fqdn "g-eease"
            next
            edit 12
                set type wildcard-fqdn
                set wildcard-fqdn "g-firefox update server"
            next
            edit 13
                set type wildcard-fqdn
                set wildcard-fqdn "g-fortinet"
            next
            edit 14
                set type wildcard-fqdn
                set wildcard-fqdn "g-googleapis.com"
            next
            edit 15
                set type wildcard-fqdn
                set wildcard-fqdn "g-google-drive"
            next
            edit 16
                set type wildcard-fqdn
                set wildcard-fqdn "g-google-play2"
            next
            edit 17
                set type wildcard-fqdn
                set wildcard-fqdn "g-google-play3"
            next
            edit 18
                set type wildcard-fqdn
                set wildcard-fqdn "g-Gotomeeting"
            next
            edit 19
                set type wildcard-fqdn
                set wildcard-fqdn "g-icloud"
            next
            edit 20
                set type wildcard-fqdn
                set wildcard-fqdn "g-itunes"
            next
            edit 21
                set type wildcard-fqdn
                set wildcard-fqdn "g-microsoft"
            next
            edit 22
                set type wildcard-fqdn
                set wildcard-fqdn "g-skype"
            next
            edit 23
                set type wildcard-fqdn
                set wildcard-fqdn "g-softwareupdate.vmware.com"
            next
            edit 24
                set type wildcard-fqdn
                set wildcard-fqdn "g-verisign"
            next
            edit 25
                set type wildcard-fqdn
                set wildcard-fqdn "g-Windows update 2"
            next
            edit 26
                set type wildcard-fqdn
                set wildcard-fqdn "g-live.com"
            next
            edit 27
                set type wildcard-fqdn
                set wildcard-fqdn "g-google-play"
            next
            edit 28
                set type wildcard-fqdn
                set wildcard-fqdn "g-update.microsoft.com"
            next
            edit 29
                set type wildcard-fqdn
                set wildcard-fqdn "g-swscan.apple.com"
            next
            edit 30
                set type wildcard-fqdn
                set wildcard-fqdn "g-autoupdate.opera.com"
            next
            edit 31
                set type wildcard-fqdn
                set wildcard-fqdn "g-cdn-apple"
            next
            edit 32
                set type wildcard-fqdn
                set wildcard-fqdn "g-mzstatic-apple"
            next
        end
    next
    # Pass-through profile: every protocol proxy disabled and QUIC bypassed, so no
    # certificate or content inspection happens for policies that use it.
    edit "no-inspection"
        set comment "Read-only profile that does no inspection."
        config https
            set status disable
            set quic bypass
            set unsupported-ssl-version allow
        end
        config ftps
            set status disable
            set unsupported-ssl-version allow
        end
        config imaps
            set status disable
            set unsupported-ssl-version allow
        end
        config pop3s
            set status disable
            set unsupported-ssl-version allow
        end
        config smtps
            set status disable
            set unsupported-ssl-version allow
        end
        config ssh
            set ports 22
            set status disable
        end
        config dot
            set status disable
            set quic bypass
        end
    next
end

# The only firewall policy in this fragment: any interface to any interface, all
# addresses (v4 and v6), service ALL.
# NOTE(review): no "set action" line is present, so the FortiOS default action (deny)
# applies unless the export omitted it — confirm on the device, because the same
# match set with "accept" would be a permit-everything rule. No "set logtraffic" line
# is shown either, so sessions dropped by this policy are probably not being logged;
# "set logtraffic all" would record them. The ssl-ssh-profile reference presumably has
# no effect while the action is deny.
config firewall policy
    edit 1
        set name "Default"
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set srcaddr6 "all"
        set dstaddr6 "all"
        set service "ALL"
        set ssl-ssh-profile "certificate-inspection"
    next
end