[v6.0.1, v5.6.5, v5.4.9] FortiOS Cook & Research

Spent more time on it last night and still couldn't get it working.
Discouraged, I sneaked a look at the second wave of leaked Hollywood photos while nobody was around, then went home.
Then at work today it suddenly works. Did someone cast a magic spell for me?
Thanks everyone for your concern, much appreciated!
[FAQ about new FortiOS]
1. When UTM is enabled with both AV and Web Filter, but one is in flow-mode and the other in proxy-mode, what actually happens?
A: The recommendation is that all UTM features enabled on one policy use the same mode.
In the situation described, FOS implicitly converts flow-mode to proxy-mode operation, so AV ends up proxy-based.

2. What is the difference between flow-mode and proxy-mode? Why does proxy-mode consume more system resources?
A: When an HTTP request downloads a file, proxy-mode inspects the file's content from start to end, so it has to buffer the requested resource in system memory. This imposes a certain degree of system load (under the current FGT default configuration).
For example, with AV enabled using the proxy scan engine, an HTTP request for a resource requires buffering that resource in memory and then handing it to the AV engine for AV scanning.
Flow-mode does not need to buffer the requested resource in system memory; in flow-mode the AV scan engine hooks into the IPS scan engine to assist with the work. Because there is no content inspection, support for polymorphic malware and for files is weaker, but performance and throughput are far higher than proxy-mode.

3. Why is it that, after enabling proxy-mode UTM services, requesting large resources over FTP, for example, becomes very slow, or even times out and disconnects?
A: Because of buffering, proxy-mode adds a certain amount of latency, which indirectly causes the client to decide there is no response and time out. To handle this, enable Comfort Clients, which periodically sends a small amount of packets to avoid the timeout.
Policy&Objects > Policy > Proxy Options

4. Why does CPU usage rise when Traffic Shaping is enabled, even affecting network speed?
A: It depends on whether the FGT in use provides H/W Traffic Shaping. H/W Traffic Shaping is currently supported only by the NP2, NP4 and NP6 accelerators.

5. Why does using a Soft-switch make LAN speed very slow and raise CPU load?
A: A Soft-Switch is a software-emulated switch operated by the CPU (store and forward), so all traffic passes through the CPU (slow-path; cpu port).

6. The FWF wifi function carries traffic through a VAP. Why does CPU usage rise sharply under heavy I/O?
A: FWF wifi uses the CAPWAP mechanism to build a tunnel; CAPWAP traffic cannot be accelerated by the current ASICs and can only be handled by the CPU.
The only ASIC that currently supports CAPWAP acceleration is the high-end NP6 (40Gbps x1). FWF cannot switch to bridge mode; since 5.0 WTP mode is no longer supported either.

7. Can IPv6 traffic currently be accelerated by ASIC?
A: Currently only the high-end NP6 (40Gbps x1) and SP2 accelerators support it.

8. After upgrading to v5.2.1, why does the FortiView display differ from the screenshots found online? Is something missing?
A: The advanced hierarchical FortiView requires FGT models with SSD/HDD support. The 60C/60D/80C and similar cannot provide it.

9. The phy ports on an FGT seem different from typical network products. The DMZ port, for example, seems to have no design difference from other ports apart from the name. Is there really no difference?
A: Yes, all ports are essentially identical; although a DMZ port is defined, it is basically just a categorization. The FGT is controlled entirely by FortiOS policy logic, so security settings are all handled by policy and no port differs from any other.
The exception is the internal port, which offers 802.1x support in security mode and can be switched between switch/interface mode.

10. The endpoint-based BYOD offered since FortiOS v5.x seems able to detect what operating system different client devices run (iOS, Android or Linux). How is this done?
A: FortiOS has a built-in device identification database, designed around the MAC address combined with the VCI, SYN packet information and the returned HTTP user-agent string, so it can detect different device types. Because it is based on MAC address probing, it cannot identify devices effectively across an L3 or higher domain. To cross domains, the FortiClient agent must be installed on the client to send endpoint information to the FGT/FWF over TCP 8010. The device identification database is hard-coded and cannot be updated.

11. Is there a way to make effective use of multi-WAN bandwidth?
A: The most effective approach is still a multi-link bonding design on the ISP side. But since v5.2 there is a virtual-wan-link design that distributes bandwidth across multiple WANs intelligently (depending on the administrator's bandwidth service settings for the virtual-wan-link).
NOTE: virtual-wan-link currently does not work properly with VIPs.

12. FortiOS offers both local bridge and tunnel (CAPWAP) for wireless. Is there a performance difference between these two modes?
A: Yes, there is a difference. Tunnel mode sets up a CAPWAP tunnel between FAP and FGT to handle I/O; the CAPWAP protocol requires additional system load and overhead.
The wireless tunnel mode uses the CAPWAP protocol entirely, so the transferred data is encapsulated in the CAPWAP-based data channel.
Local bridge only encapsulates the control channel (5246) and does not set up a data channel. On models without a CAPWAP accelerator, local bridge has almost no impact on the CPU.
NOTE: The high-end NP6 can accelerate the CAPWAP protocol, letting the CPU avoid the overhead entirely.

13. FGT models come in both x86 and ARM variants. Is there currently a large performance gap between these two?
A: With the current ARM SoC specifications, ARM models still have a large performance gap compared with x86 models.
The early 80C/110C used a Celeron@600MHz CPU, and in CPU performance it is still far faster than the 60D model with its ARMv7@800MHz CPU.

14. What acceleration services does the built-in CP accelerator on an FGT provide?
A:
a. UTM acceleration: to provide accurate detection for different application services, packets and even files must be disassembled, including protocol parsing; the CP accelerator takes on this job (Content Processing).
b. IPS acceleration: IPS signature matching is supported by the CP accelerator; disassembled packets are parsed by the IPS engine's protocol decoder and matched against the IPS database signatures. Currently only CP8, SoC1 and SoC2 provide this acceleration.
c. VPN acceleration: the CP accelerator can fully handle VPN encryption/decryption computations, saving CPU resources; this includes SSL-VPN acceleration.

15. Can the CP accelerator take on DDoS attack protection?
A: No. Currently only the high-end SP accelerator fully supports DDoS prevention.
In addition, accelerators from NP2 upward also provide a DDoS attack protection mechanism.
Thanks vxr for all these explanations, great work.
vxr wrote:
[FAQ about new FortiOS]
≡≡ When you see through another's deceit, do not let it show in your words; when insulted, do not let it show on your face; when you notice another's faults, do not spread them; when you do someone a kindness, do not keep it in mind ≡≡
Applying the QoS Traffic Shaping formula...
I'll only be able to explain FOS QoS when I have time...
You can pick from it and replace the contents as needed...
This is Shared Shaping..
I don't like using Per-IP Shaping, so it isn't configured...
Note the number of shaping items the FGT model can support.
The 60D/C, 80C and models below the 200B support at most 32...
For DSCP I habitually only use the three values 00 (BE), 26 and 46; because the number of items is limited, I only take these three...

NOTE:
Whenever traffic shaping is enabled on a policy, the queuing of that policy's traffic on the interface is changed..
Even if a shaping item with nothing configured is applied, the queue order differs from one with none applied...

Formula explanation:
SA[H,M,L]P[nnn]M[mmm]M[DSCP]
DSCP={00, 26, 46}
SA(default)=> All policies using this shaper
H (high), M and L (low) denote different priorities, which lead to different interface queues...
[nnn]M is the maximum bandwidth (controlled by the token bucket algorithm FOS uses)
[mmm]M is the guaranteed bandwidth; traffic below this value is guaranteed the highest queue priority...

The DSCP (Differentiated Services Code Point) value guarantees different service priority levels after queuing..
Usually it is 00, which is BE, meaning everyone is equal and competes for bandwidth..
The higher the value, the higher the priority (46>26>00)..
DSCP 26 and 46 ensure a lower drop precedence
46 is EF, i.e. Critical, and can be used for some "diamond" services..

Consider diamond services first, then upload bandwidth, then download bandwidth, and lastly low-QoS services


config firewall shaper traffic-shaper
edit "SAHP000M000M00"
next
edit "SAHP000M000M26"
set diffserv enable
set diffservcode 011010
next
edit "SAHP000M000M46"
set diffserv enable
set diffservcode 101110
next
edit "SAMP000M000M00"
set priority medium
next
edit "SAMP000M000M26"
set diffserv enable
set diffservcode 011010
set priority medium
next
edit "SAMP000M000M46"
set diffserv enable
set diffservcode 101110
set priority medium
next
edit "SALP000M000M00"
set priority low
next
edit "SALP000M000M26"
set diffserv enable
set diffservcode 011010
set priority low
next
edit "SALP000M000M46"
set diffserv enable
set diffservcode 101110
set priority low
next
edit "SAHP255M000M00"
set maximum-bandwidth 261120
set guaranteed-bandwidth 26112
next
edit "SAHP255M025M26"
set diffserv enable
set maximum-bandwidth 261120
set guaranteed-bandwidth 26112
set diffservcode 011010
next
edit "SAHP255M025M46"
set diffserv enable
set maximum-bandwidth 261120
set guaranteed-bandwidth 26112
set diffservcode 101110
next
edit "SAMP255M000M00"
set maximum-bandwidth 261120
set guaranteed-bandwidth 26112
set priority medium
next
edit "SAMP255M025M26"
set diffserv enable
set maximum-bandwidth 261120
set guaranteed-bandwidth 26112
set diffservcode 011010
set priority medium
next
edit "SAMP255M025M46"
set diffserv enable
set maximum-bandwidth 261120
set guaranteed-bandwidth 26112
set diffservcode 101110
set priority medium
next
edit "SALP255M000M00"
set maximum-bandwidth 261120
set guaranteed-bandwidth 26112
set priority low
next
edit "SALP255M025M26"
set diffserv enable
set maximum-bandwidth 261120
set guaranteed-bandwidth 26112
set diffservcode 011010
set priority low
next
edit "SALP255M025M46"
set diffserv enable
set maximum-bandwidth 261120
set guaranteed-bandwidth 26112
set diffservcode 101110
set priority low
next
edit "SAHP150M015M00"
set maximum-bandwidth 153600
set guaranteed-bandwidth 15360
next
edit "SAHP150M015M26"
set diffserv enable
set maximum-bandwidth 153600
set guaranteed-bandwidth 15360
set diffservcode 011010
next
edit "SAHP150M015M46"
set diffserv enable
set maximum-bandwidth 153600
set guaranteed-bandwidth 15360
set diffservcode 101110
next
edit "SAMP150M015M00"
set maximum-bandwidth 153600
set guaranteed-bandwidth 15360
set priority medium
next
edit "SAMP150M015M26"
set diffserv enable
set maximum-bandwidth 153600
set guaranteed-bandwidth 15360
set diffservcode 011010
set priority medium
next
edit "SAMP150M015M46"
set diffserv enable
set maximum-bandwidth 153600
set guaranteed-bandwidth 15360
set diffservcode 101110
set priority medium
next
edit "SALP150M015M00"
set maximum-bandwidth 153600
set guaranteed-bandwidth 15360
set priority low
next
edit "SALP150M015M26"
set diffserv enable
set maximum-bandwidth 153600
set guaranteed-bandwidth 15360
set diffservcode 011010
set priority low
next
edit "SALP150M015M46"
set diffserv enable
set maximum-bandwidth 153600
set guaranteed-bandwidth 15360
set diffservcode 101110
set priority low
next
edit "SAHP075M007M00"
set maximum-bandwidth 76800
set guaranteed-bandwidth 7680
next
edit "SAHP075M007M26"
set diffserv enable
set maximum-bandwidth 76800
set guaranteed-bandwidth 7680
set diffservcode 011010
next
edit "SAHP075M007M46"
set diffserv enable
set maximum-bandwidth 76800
set guaranteed-bandwidth 7680
set diffservcode 101110
next
edit "SAMP075M007M00"
set maximum-bandwidth 76800
set guaranteed-bandwidth 7680
set priority medium
next
edit "SAMP075M007M26"
set diffserv enable
set maximum-bandwidth 76800
set guaranteed-bandwidth 7680
set diffservcode 011010
set priority medium
next
edit "SAMP075M007M46"
set diffserv enable
set maximum-bandwidth 76800
set guaranteed-bandwidth 7680
set diffservcode 101110
set priority medium
next
edit "SALP075M007M00"
set maximum-bandwidth 76800
set guaranteed-bandwidth 7680
set priority low
next
edit "SALP075M007M26"
set diffserv enable
set maximum-bandwidth 76800
set guaranteed-bandwidth 7680
set diffservcode 011010
set priority low
next
edit "SALP075M007M46"
set diffserv enable
set maximum-bandwidth 76800
set guaranteed-bandwidth 7680
set diffservcode 101110
set priority low
next
edit "SAHP085M008M00"
set maximum-bandwidth 87040
set guaranteed-bandwidth 8704
next
edit "SAHP085M008M26"
set diffserv enable
set maximum-bandwidth 87040
set guaranteed-bandwidth 8704
set diffservcode 011010
next
edit "SAHP085M008M46"
set diffserv enable
set maximum-bandwidth 87040
set guaranteed-bandwidth 8704
set diffservcode 101110
next
edit "SAMP085M008M00"
set maximum-bandwidth 87040
set guaranteed-bandwidth 8704
set priority medium
next
edit "SAMP085M008M26"
set diffserv enable
set maximum-bandwidth 87040
set guaranteed-bandwidth 8704
set diffservcode 011010
set priority medium
next
edit "SAMP085M008M46"
set diffserv enable
set maximum-bandwidth 87040
set guaranteed-bandwidth 8704
set diffservcode 101110
set priority medium
next
edit "SALP085M008M00"
set maximum-bandwidth 87040
set guaranteed-bandwidth 8704
set priority low
next
edit "SALP085M008M26"
set diffserv enable
set maximum-bandwidth 87040
set guaranteed-bandwidth 8704
set diffservcode 011010
set priority low
next
edit "SALP085M008M46"
set diffserv enable
set maximum-bandwidth 87040
set guaranteed-bandwidth 8704
set diffservcode 101110
set priority low
next
edit "SAHP050M005M00"
set maximum-bandwidth 51200
set guaranteed-bandwidth 5120
next
edit "SAHP050M005M26"
set diffserv enable
set maximum-bandwidth 51200
set guaranteed-bandwidth 5120
set diffservcode 011010
next
edit "SAHP050M005M46"
set diffserv enable
set maximum-bandwidth 51200
set guaranteed-bandwidth 5120
set diffservcode 101110
next
edit "SAMP050M005M00"
set maximum-bandwidth 51200
set guaranteed-bandwidth 5120
set priority medium
next
edit "SAMP050M005M26"
set diffserv enable
set maximum-bandwidth 51200
set guaranteed-bandwidth 5120
set diffservcode 011010
set priority medium
next
edit "SAMP050M005M46"
set diffserv enable
set maximum-bandwidth 51200
set guaranteed-bandwidth 5120
set diffservcode 101110
set priority medium
next
edit "SALP050M005M00"
set maximum-bandwidth 51200
set guaranteed-bandwidth 5120
set priority low
next
edit "SALP050M005M26"
set diffserv enable
set maximum-bandwidth 51200
set guaranteed-bandwidth 5120
set diffservcode 011010
set priority low
next
edit "SALP050M005M46"
set diffserv enable
set maximum-bandwidth 51200
set guaranteed-bandwidth 5120
set diffservcode 101110
set priority low
next
edit "SAHP025M002M00"
set maximum-bandwidth 25600
set guaranteed-bandwidth 2560
next
edit "SAHP025M002M26"
set diffserv enable
set maximum-bandwidth 25600
set guaranteed-bandwidth 2560
set diffservcode 011010
next
edit "SAHP025M002M46"
set diffserv enable
set maximum-bandwidth 25600
set guaranteed-bandwidth 2560
set diffservcode 101110
next
edit "SAMP025M002M00"
set maximum-bandwidth 25600
set guaranteed-bandwidth 2560
set priority medium
next
edit "SAMP025M002M26"
set diffserv enable
set maximum-bandwidth 25600
set guaranteed-bandwidth 2560
set diffservcode 011010
set priority medium
next
edit "SAMP025M002M46"
set diffserv enable
set maximum-bandwidth 25600
set guaranteed-bandwidth 2560
set diffservcode 101110
set priority medium
next
edit "SALP025M002M00"
set maximum-bandwidth 25600
set guaranteed-bandwidth 2560
set priority low
next
edit "SALP025M002M26"
set diffserv enable
set maximum-bandwidth 25600
set guaranteed-bandwidth 2560
set diffservcode 011010
set priority low
next
edit "SALP025M002M46"
set diffserv enable
set maximum-bandwidth 25600
set guaranteed-bandwidth 2560
set diffservcode 101110
set priority low
next
end
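As an added example (not from the post or from Fortinet), the Python below derives CLI settings from a SA[H,M,L]P[nnn]M[mmm]M[DSCP] name, renders a traffic-shaper block, and audits an existing block for entries whose numbers disagree with their name. The conversions it uses (nnn x 1024 kbps, guaranteed = 10% of maximum, mmm = floor(guaranteed/1024), DSCP as a 6-bit diffservcode) are inferred from the posted entries, not stated by the author.

```python
import re

# Naming scheme from the post: SA[H,M,L]P[nnn]M[mmm]M[DSCP]
NAME_RE = re.compile(r"^SA([HML])P(\d{3})M(\d{3})M(\d{2})$")
# DSCP values the post uses; FortiOS takes diffservcode as the 6-bit binary value.
DSCP_CODES = {0: "000000", 26: "011010", 46: "101110"}
PRIORITY = {"H": "high", "M": "medium", "L": "low"}

def parse_name(name):
    """Split a shaper name into priority, max/guaranteed Mbit labels and DSCP."""
    m = NAME_RE.match(name)
    if not m or int(m.group(4)) not in DSCP_CODES:
        raise ValueError(f"name outside the SA..P..M..M.. scheme: {name}")
    prio, nnn, mmm, dscp = m.groups()
    return {"priority": PRIORITY[prio], "max_mbit": int(nnn),
            "guar_mbit": int(mmm), "dscp": int(dscp)}

def build_settings(name):
    """Settings for one entry, using the conversions visible in the posted config:
    [nnn]M -> nnn*1024 kbps, guaranteed = 10% of maximum, DSCP 00 leaves diffserv off."""
    f, s = parse_name(name), {}
    if f["dscp"]:
        s["diffserv"] = "enable"
    if f["max_mbit"]:
        s["maximum-bandwidth"] = f["max_mbit"] * 1024
        s["guaranteed-bandwidth"] = f["max_mbit"] * 1024 // 10
    if f["dscp"]:
        s["diffservcode"] = DSCP_CODES[f["dscp"]]
    if f["priority"] != "high":  # high is the default, so the post omits it
        s["priority"] = f["priority"]
    return s

def render(names):
    """Emit a complete `config firewall shaper traffic-shaper` block for the names."""
    out = ["config firewall shaper traffic-shaper"]
    for n in names:
        out.append(f'    edit "{n}"')
        out += [f"        set {k} {v}" for k, v in build_settings(n).items()]
        out.append("    next")
    return "\n".join(out + ["end"])

def parse_config(text):
    """Read `edit ... set ... next` stanzas back into {name: {setting: value}}."""
    entries, cur = {}, None
    for tok in (line.split() for line in text.splitlines()):
        if tok and tok[0] == "edit":
            cur = tok[1].strip('"')
            entries[cur] = {}
        elif tok and tok[0] == "set" and cur is not None:
            # bandwidths are numbers; diffservcode keeps its leading zeros as a string
            entries[cur][tok[1]] = int(tok[2]) if tok[1].endswith("bandwidth") else tok[2]
    return entries

def audit(entries):
    """Flag entries whose bandwidth numbers disagree with what their name announces."""
    issues = []
    for name, s in entries.items():
        f = parse_name(name)
        if s.get("maximum-bandwidth", 0) != f["max_mbit"] * 1024:
            issues.append(f"{name}: maximum-bandwidth does not match {f['max_mbit']:03d}M")
        label = s.get("guaranteed-bandwidth", 0) // 1024
        if label != f["guar_mbit"]:
            issues.append(f"{name}: guaranteed-bandwidth reads as {label:03d}M, name says {f['guar_mbit']:03d}M")
    return issues

# Constructed sample: one stanza copied from the post, which labels its
# guaranteed bandwidth 000M although it sets 26112 kbps (25.5M).
SAMPLE_CONFIG = """config firewall shaper traffic-shaper
    edit "SAHP255M000M00"
        set maximum-bandwidth 261120
        set guaranteed-bandwidth 26112
    next
end"""
```

Running `audit(parse_config(SAMPLE_CONFIG))` reports the mislabelled entry, while `render([...])` produces stanzas in the same order of settings as the post.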
vxr wrote:
The lan interface is a software sw...(snip)

V,
The LAN can be split into WIFI and Internal,
but how do I change Internal back to a Physical Interface?
Entering the CLI commands from the manual seems to have no effect; this LAN is still a SOFTWARE SWITCH.
In the GUI menu this LAN can only be EDITed, not DELETEd.
Or is it simply that an entry-level model like the 60D works this way? (menu screenshot)

Jeff Hsu wrote:
V, the LAN can be split into...(snip)

Just delete lan directly...

Your lan is being referenced..
so it cannot be deleted; you need to remove the rules, objects and entries that reference it...
From the screenshot it looks like a Fortiwifi-60D.
It is not that a low-end device cannot change Internal back to a Physical Interface;
it just needs the three parts of internal cleared at initialization:
1. policy
2. DHCP server
3. Virtual switch
Only then can the interface change mode.

The hardware chip switch is only available on the FG-100D & FG-200D series;
go into config system global
and change the interface mode there.
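The reference clean-up the reply describes, as an added example that is not from the post (FortiOS 5.x CLI). The interface name lan, the policy and DHCP server ids, and the assumption that lan is the software switch from the question are placeholders to confirm on your own unit.

```text
# 1. List what still references the interface; deletion is refused until this is empty.
diagnose sys checkused system.interface.name lan

# 2. Policies using lan as srcintf/dstintf (id 1 is a placeholder taken from step 1).
config firewall policy
    delete 1
end

# 3. The DHCP server bound to lan (id 1 is a placeholder taken from step 1).
config system dhcp server
    delete 1
end

# 4. The software switch itself; its members (internal, wifi) then stand alone.
config system switch-interface
    delete lan
end

# FG-100D / FG-200D only: the hardware switch mode is changed in the global table instead.
config system global
    set internal-switch-mode interface
end
```

The management address lives on the switch interface, so have console access before step 4; the follow-up in this thread reports losing 192.168.1.99 after the delete.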


HOPE000 wrote:
Please contact Chunghwa Telecom customer service and ask them to clear the ARP for that line (snip)


I later found that after swapping in a device configured with the same WAN IP, outbound connections didn't work, but if I then power-cycled the modem it worked normally. I'm not sure whether this restart procedure re-maps the device's MAC to the IP, similar to clearing ARP (just guessing).

vxr wrote:
Just delete lan directly...(snip)


After deleting it, 192.168.1.99 could no longer be reached...
Only after a RESET did it come back.
Below is the endpoint control XML update string a fellow member asked me for..
Only AV and WebFilter are enabled...

<?xml version="1.0" encoding="UTF-8" ?>
<forticlient_configuration>
<partial_configuration>1</partial_configuration>
<system>
<ui>
<ads>0</ads>
<flashing_system_tray_icon />
<hide_system_tray_icon>0</hide_system_tray_icon>
<suppress_admin_prompt>0</suppress_admin_prompt>
<password />
</ui>
<log_settings>
<level>6</level>
<!--0=emergency, 1=alert, 2=critical, 3=error, 4=warning, 5=notice, 6=info, 7=debug, -->
<log_events>ipsecvpn,sslvpn,scheduler,update,firewall,av,proxy,shield,webfilter,endpoint,fssoma,wanacc,configd,vuln</log_events>
<remote_logging>
<log_upload_enabled>0</log_upload_enabled>
<log_upload_server />
<log_upload_ssl_enabled>1</log_upload_ssl_enabled>
<log_retention_days>90</log_retention_days>
<log_upload_freq_minutes>90</log_upload_freq_minutes>
<netlog_categories>7</netlog_categories>
</remote_logging>
</log_settings>
<update>
<use_custom_server>0</use_custom_server>
<server />
<port>80</port>
<timeout>60</timeout>
<failoverport>8000</failoverport>
<fail_over_to_fdn>1</fail_over_to_fdn>
<update_action>notify_only</update_action>
<scheduled_update>
<enabled>1</enabled>
<type>interval</type>
<daily_at>03:00</daily_at>
<update_interval_in_hours>3</update_interval_in_hours>
</scheduled_update>
</update>
</system>
<endpoint_control>
<enabled>1</enabled>
<socket_connect_timeouts>1:5</socket_connect_timeouts>
<custom_ping_server />
<offnet_update>1</offnet_update>
<user />
<corporate_id />
<conf_recv_time />
<vdom />
<system_data />
<disable_unregister>0</disable_unregister>
<show_bubble_notifications>1</show_bubble_notifications>
<ui>
<display_antivirus>1</display_antivirus>
<display_webfilter>1</display_webfilter>
<display_firewall>0</display_firewall>
<display_vpn>0</display_vpn>
<display_vulnerability_scan>0</display_vulnerability_scan>
<registration_dialog>
<show_profile_details>0</show_profile_details>
</registration_dialog>
</ui>
<fortigates>
<fortigate>
<serial_number />
<name />
<registration_password />
<addresses />
</fortigate>
</fortigates>
</endpoint_control>
<vpn>
<options>
<autoconnect_tunnel />
<autoconnect_only_when_offnet>0</autoconnect_only_when_offnet>
<keep_running_max_tries>0</keep_running_max_tries>
<save_password>1</save_password>
<minimize_window_on_connect>1</minimize_window_on_connect>
<allow_personal_vpns>1</allow_personal_vpns>
<disable_connect_disconnect>0</disable_connect_disconnect>
<show_vpn_before_logon>0</show_vpn_before_logon>
<use_windows_credentials>0</use_windows_credentials>
<use_legacy_vpn_before_logon>0</use_legacy_vpn_before_logon>
<show_negotiation_wnd>0</show_negotiation_wnd>
<vendor_id />
</options>
<sslvpn>
<options>
<enabled>1</enabled>
<keep_connection_alive>0</keep_connection_alive>
</options>
<connections />
</sslvpn>
<ipsecvpn>
<options>
<enabled>1</enabled>
<beep_if_error>0</beep_if_error>
<usewincert>1</usewincert>
<use_win_current_user_cert>1</use_win_current_user_cert>
<use_win_local_computer_cert>1</use_win_local_computer_cert>
<block_ipv6>1</block_ipv6>
<uselocalcert>1</uselocalcert>
<usesmcardcert>1</usesmcardcert>
<enable_udp_checksum>0</enable_udp_checksum>
<disable_default_route>0</disable_default_route>
</options>
<connections />
</ipsecvpn>
</vpn>
<antivirus>
<enabled>1</enabled>
<signature_expired_notification>0</signature_expired_notification>
<scan_on_insertion>0</scan_on_insertion>
<shell_integration>1</shell_integration>
<antirootkit>2147483647</antirootkit>
<fortiguard_analytics>1</fortiguard_analytics>
<multi_process_limit>0</multi_process_limit>
<on_demand_scanning>
<use_extreme_db>1</use_extreme_db>
<on_virus_found>4</on_virus_found>
<pause_on_battery_power>0</pause_on_battery_power>
<automatic_virus_submission>
<enabled>0</enabled>
<smtp_server />
<username />
<password />
</automatic_virus_submission>
<compressed_files>
<scan>1</scan>
<maxsize>0</maxsize>
</compressed_files>
<riskware>
<enabled>1</enabled>
</riskware>
<adware>
<enabled>1</enabled>
</adware>
<heuristic_scanning>
<level>1</level>
<action>3</action>
</heuristic_scanning>
<scan_file_types>
<all_files>1</all_files>
<file_types>
<extensions>.386,.ACE,.ACM,.ACV,.ACX,.ADT,.APP,.ASD,.ASP,.ASX,.AVB,.AX,.AX2,.BAT,.BIN,.BTM,.CDR,.CFM,.CHM,.CLA,.CLASS,.CMD,.CNN,.COM,.CPL,.CPT,.CPY,.CSC,.CSH,.CSS,.DEV,.DLL,.DOC,.DOT,.DRV,.DVB,.DWG,.EML,.EXE,.FON,.GMS,.GVB,.HLP,.HTA,.HTM,.HTML,.HTT,.HTW,.HTX,.HXS,.INF,.INI,.JPG,.JS,.JTD,.KSE,.LGP,.LIB,.LNK,.MDB,.MHT,.MHTM,.MHTML,.MOD,.MPD,.MPP,.MPT,.MRC,.OCX,.PIF,.PL,.PLG,.PM,.PNF,.PNP,.POT,.PPA,.PPS,.PPT,.PRC,.PWZ,.QLB,.QPW,.REG,.RTF,.SBF,.SCR,.SCT,.SH,.SHB,.SHS,.SHT,.SHTML,.SHW,.SIS,.SMM,.SWF,.SYS,.TD0,.TLB,.TSK,.TSP,.TT6,.VBA,.VBE,.VBS,.VBX,.VOM,.VSD,.VSS,.VST,.VWP,.VXD,.VXE,.WBK,.WBT,.WIZ,.WK,.WML,.WPC,.WPD,.WSC,.WSF,.WSH,.XLS,.XML,.XTP</extensions>
<include_files_with_no_extension>0</include_files_with_no_extension>
</file_types>
</scan_file_types>
<exclusions>
<!--the element below can exist 0-n times-->
<file />
<!--the element below can exist 0-n times-->
<folder />
<file_types>
<extensions />
</file_types>
</exclusions>
</on_demand_scanning>
<real_time_protection>
<enabled>1</enabled>
<use_extreme_db>1</use_extreme_db>
<when>0</when>
<ignore_system_when>0</ignore_system_when>
<on_virus_found>4</on_virus_found>
<popup_alerts>1</popup_alerts>
<popup_registry_alerts>0</popup_registry_alerts>
<cloud_based_detection>
<on_virus_found>4</on_virus_found>
</cloud_based_detection>
<compressed_files>
<scan>1</scan>
<maxsize>256</maxsize>
</compressed_files>
<riskware>
<enabled>1</enabled>
</riskware>
<adware>
<enabled>1</enabled>
</adware>
<heuristic_scanning>
<level>0</level>
<action>3</action>
</heuristic_scanning>
<scan_file_types>
<all_files>0</all_files>
<file_types>
<extensions>.386,.ACE,.ACM,.ACV,.ACX,.ADT,.APP,.ASD,.ASP,.ASX,.AVB,.AX,.AX2,.BAT,.BIN,.BTM,.CDR,.CFM,.CHM,.CLA,.CLASS,.CMD,.CNN,.COM,.CPL,.CPT,.CPY,.CSC,.CSH,.CSS,.DEV,.DLL,.DOC,.DOT,.DRV,.DVB,.DWG,.EML,.EXE,.FON,.GMS,.GVB,.HLP,.HTA,.HTM,.HTML,.HTT,.HTW,.HTX,.HXS,.INF,.INI,.JPG,.JS,.JTD,.KSE,.LGP,.LIB,.LNK,.MDB,.MHT,.MHTM,.MHTML,.MOD,.MPD,.MPP,.MPT,.MRC,.OCX,.PIF,.PL,.PLG,.PM,.PNF,.PNP,.POT,.PPA,.PPS,.PPT,.PRC,.PWZ,.QLB,.QPW,.REG,.RTF,.SBF,.SCR,.SCT,.SH,.SHB,.SHS,.SHT,.SHTML,.SHW,.SIS,.SMM,.SWF,.SYS,.TD0,.TLB,.TSK,.TSP,.TT6,.VBA,.VBE,.VBS,.VBX,.VOM,.VSD,.VSS,.VST,.VWP,.VXD,.VXE,.WBK,.WBT,.WIZ,.WK,.WML,.WPC,.WPD,.WSC,.WSF,.WSH,.XLS,.XML,.XTP</extensions>
<include_files_with_no_extension>0</include_files_with_no_extension>
</file_types>
</scan_file_types>
<exclusions>
<!--the element below can exist 0-n times-->
<file />
<!--the element below can exist 0-n times-->
<folder />
<file_types>
<extensions>.zip,.gzip,.msc,.rar,.tar,.tgz,.lzh,.CAB,.BZIP2,.7Z,.BZIP,.ARJ</extensions>
</file_types>
</exclusions>
</real_time_protection>
<email>
<smtp>1</smtp>
<pop3>1</pop3>
<outlook>1</outlook>
<wormdetection>
<enabled>1</enabled>
<action>0</action>
</wormdetection>
<heuristic_scanning>
<enabled>1</enabled>
<action>0</action>
</heuristic_scanning>
</email>
<quarantine>
<cullage>60</cullage>
</quarantine>
<server>
<exchange>
<integrate>0</integrate>
<action>0</action>
<excludefilesystemfromscanning>0</excludefilesystemfromscanning>
<excludefileextensionsfromscanning>0</excludefileextensionsfromscanning>
</exchange>
<sqlserver>
<excludefilesystemfromscanning>0</excludefilesystemfromscanning>
<excludefileextensionsfromscanning>0</excludefileextensionsfromscanning>
</sqlserver>
</server>
</antivirus>
<webfilter>
<https_enabled>1</https_enabled>
<!--use enable_filter to enable/disable WebFiltering-->
<enable_filter>1</enable_filter>
<!--enabled enables/disables the FortiGuard querying service.-->
<enabled>1</enabled>
<log_all_urls>0</log_all_urls>
<white_list_has_priority>0</white_list_has_priority>
<current_profile>1000</current_profile>
<partial_match_host>0</partial_match_host>
<disable_when_managed>0</disable_when_managed>
<max_violations>5000</max_violations>
<max_violation_age>7</max_violation_age>
<replacement_messages>
<!-- unregistered FortiClients ignore this section -->
<remote />
<local />
</replacement_messages>
<profiles>
<profile>
<id>1000</id>
<cate_ver>6</cate_ver>
<description />
<name />
<temp_whitelist_timeout>300</temp_whitelist_timeout>
<categories>
<fortiguard>
<enabled>1</enabled>
<url />
<rate_ip_addresses>0</rate_ip_addresses>
</fortiguard>
<!--'enabled' enables/disables FortiGuard URL querying.-->
<category>
<id>0
<!--Unrated (Unrated)-->
</id>
<action>monitor</action>
</category>
<category>
<id>2
<!--Alternative Beliefs (Adult/Mature Content)-->
</id>
<action>monitor</action>
</category>
<category>
<id>7
<!--Abortion (Adult/Mature Content)-->
</id>
<action>monitor</action>
</category>
<category>
<id>8
<!--Other Adult Materials (Adult/Mature Content)-->
</id>
<action>monitor</action>
</category>
<category>
<id>9
<!--Advocacy Organizations (Adult/Mature Content)-->
</id>
<action>monitor</action>
</category>
<category>
<id>11
<!--Gambling (Adult/Mature Content)-->
</id>
<action>monitor</action>
</category>
<category>
<id>12
<!--Extremist Groups (Potentially Liable)-->
</id>
<action>monitor</action>
</category>
<category>
<id>13
<!--Nudity and Risque (Adult/Mature Content)-->
</id>
<action>monitor</action>
</category>
<category>
<id>14
<!--Pornography (Adult/Mature Content)-->
</id>
<action>monitor</action>
</category>
<category>
<id>15
<!--Dating (Adult/Mature Content)-->
</id>
<action>monitor</action>
</category>
<category>
<id>16
<!--Weapons (Sales) (Adult/Mature Content)-->
</id>
<action>monitor</action>
</category>
<category>
<id>17
<!--Advertising (General Interest - Personal)-->
</id>
<action>monitor</action>
</category>
<category>
<id>19
<!--Freeware and Software Downloads (Bandwidth Consuming)-->
</id>
<action>monitor</action>
</category>
<category>
<id>24
<!--File Sharing and Storage (Bandwidth Consuming)-->
</id>
<action>monitor</action>
</category>
<category>
<id>25
<!--Streaming Media and Download (Bandwidth Consuming)-->
</id>
<action>monitor</action>
</category>
<category>
<id>26
<!--Malicious Websites (Security Risk)-->
</id>
<action>deny</action>
</category>
<category>
<id>57
<!--Marijuana (Adult/Mature Content)-->
</id>
<action>monitor</action>
</category>
<category>
<id>61
<!--Phishing (Security Risk)-->
</id>
<action>deny</action>
</category>
<category>
<id>63
<!--Sex Education (Adult/Mature Content)-->
</id>
<action>monitor</action>
</category>
<category>
<id>64
<!--Alcohol (Adult/Mature Content)-->
</id>
<action>monitor</action>
</category>
<category>
<id>65
<!--Tobacco (Adult/Mature Content)-->
</id>
<action>monitor</action>
</category>
<category>
<id>66
<!--Lingerie and Swimsuit (Adult/Mature Content)-->
</id>
<action>monitor</action>
</category>
<category>
<id>67
<!--Sports Hunting and War Games (Adult/Mature Content)-->
</id>
<action>monitor</action>
</category>
<category>
<id>72
<!--Peer-to-peer File Sharing (Bandwidth Consuming)-->
</id>
<action>monitor</action>
</category>
<category>
<id>75
<!--Internet Radio and TV (Bandwidth Consuming)-->
</id>
<action>monitor</action>
</category>
<category>
<id>76
<!--Internet Telephony (Bandwidth Consuming)-->
</id>
<action>monitor</action>
</category>
<category>
<id>86
<!--Spam URLs (Security Risk)-->
</id>
<action>deny</action>
</category>
<category>
<id>140</id>
<action>monitor</action>
</category>
<category>
<id>141</id>
<action>monitor</action>
</category>
</categories>
<safe_search>
<enabled>0</enabled>
<search_engines>
<enabled>1</enabled>
<engine>
<name>Bing</name>
<host>
<![CDATA[www\.bing\.com]]>
</host>
<url>
<![CDATA[^(\/images|\/videos)?(\/search|\/async|\/asyncv2)\?]]>
</url>
<query>
<![CDATA[q=]]>
</query>
<safe_search_string>
<![CDATA[&adlt=strict]]>
</safe_search_string>
<cookie_name>SRCHHPGUSR</cookie_name>
<cookie_value>
<![CDATA[adlt=strict]]>
</cookie_value>
</engine>
<engine>
<name>Google</name>
<host>
<![CDATA[.*\.google\..*]]>
</host>
<url>
<![CDATA[^\/((custom|search|images|videosearch|webhp)\?)]]>
</url>
<query>
<![CDATA[q=]]>
</query>
<safe_search_string>
<![CDATA[&safe=active]]>
</safe_search_string>
</engine>
<engine>
<name>Yahoo</name>
<host>
<![CDATA[.*\.yahoo\..*]]>
</host>
<url>
<![CDATA[^\/search(\/video|\/images){0,1}(\?|;)]]>
</url>
<query>
<![CDATA[p=]]>
</query>
<safe_search_string>
<![CDATA[&vm=r]]>
</safe_search_string>
</engine>
<engine>
<name>Yandex</name>
<host>
<![CDATA[yandex\..*]]>
</host>
<url>
<![CDATA[^\/((yand){0,1}(search))|((images|video)\/search)[\/]{0,}.{0,}\?]]>
</url>
<query>
<![CDATA[text=]]>
</query>
<safe_search_string>
<![CDATA[&fyandex=1]]>
</safe_search_string>
</engine>
<engine>
<name>YouTube</name>
<host>
<![CDATA[.*\.youtube\..*]]>
</host>
<cookie_name>PREF</cookie_name>
<cookie_value>
<![CDATA[f2=8000000]]>
</cookie_value>
</engine>
</search_engines>
<youtube_education_filter>
<enabled>0</enabled>
<filter_id>
<![CDATA[]]>
</filter_id>
</youtube_education_filter>
</safe_search>
</profile>
</profiles>
</webfilter>
</forticlient_configuration>