FortiGate-100A Administration Guide, Version 2.
© Copyright 2004 Fortinet Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc.
Table of Contents (excerpt)
• Introduction (page 13): About FortiGate Antivirus Firewalls; Antivirus protection; Web content filtering
• Management; DNS; Routing table (Transparent Mode); Routing table list
• Replacement messages; Replacement messages list; Changing replacement messages; FortiManager
• Policy; Policy route list; Policy route options; RIP
• Address; Address list; Address options; Configuring addresses
• RADIUS; RADIUS server list; RADIUS server options; LDAP
• VPN configuration procedures; IPSec configuration procedures; PPTP configuration procedures; L2TP configuration procedures; CLI configuration
• Web filter (page 309): Content block; Web content block list; Web content block options
• MIME headers; MIME headers list; MIME headers options; Configuring the MIME headers list; Banned word
FortiGate-100A Administration Guide Version 2.80 MR7

Introduction
FortiGate Antivirus Firewalls support network-based deployment of application-level services, including antivirus protection and full-scan content filtering. FortiGate Antivirus Firewalls improve network security, reduce network misuse and abuse, and help you use communications resources more efficiently without compromising the performance of your network.
The FortiGate-100A also supports advanced features such as multiple WAN and DMZ interfaces, 802.1Q VLAN, virtual domains, high availability (HA), and the RIP and OSPF routing protocols.

Antivirus protection
FortiGate ICSA-certified antivirus protection scans web (HTTP), file transfer (FTP), and email (SMTP, POP3, and IMAP) content as it passes through the FortiGate unit. FortiGate antivirus protection uses pattern matching and heuristics to find viruses.
To prevent unintentionally blocking legitimate web pages, you can add URLs to an exempt list that overrides the URL blocking and content blocking lists. The exempt list also exempts web traffic from this address from virus scanning. Web content filtering also includes a script filter feature that can block insecure web content such as Java applets, cookies, and ActiveX.

Spam filtering
FortiGate spam filtering can scan all POP3, SMTP, and IMAP email content for spam.
NAT/Route mode
In NAT/Route mode, the FortiGate unit is a Layer 3 device. This means that each of its interfaces is associated with a different IP subnet and that it appears to other devices as a router. This is how a firewall is normally deployed. In NAT/Route mode, you can create NAT mode policies and Route mode policies.
• NAT mode policies use network address translation to hide the addresses in a more secure network from users in a less secure network.

Intrusion Prevention System (IPS)
The FortiGate Intrusion Prevention System (IPS) combines signature and anomaly based intrusion detection and prevention. The FortiGate unit can record suspicious traffic in logs, can send alert email to system administrators, and can log, pass, drop, reset, or clear suspicious packets or sessions. Both the IPS predefined signatures and the IPS engine are upgradeable through the FortiProtect Distribution Network (FDN).

High availability
Fortinet achieves high availability (HA) using redundant hardware and the FortiGate Clustering Protocol (FGCP). Each FortiGate unit in an HA cluster enforces the same overall security policy and shares the same configuration settings. You can add up to 32 FortiGate units to an HA cluster. Each FortiGate unit in an HA cluster must be the same model and must be running the same FortiOS firmware image.
Secure installation, configuration, and management
The CLI supports the same configuration and monitoring functionality as the web-based manager. In addition, you can use the CLI for advanced configuration options that are not available from the web-based manager. This Administration Guide contains information about basic and advanced CLI commands. For a more complete description about connecting to and using the FortiGate CLI, see the FortiGate CLI Reference Guide.
You enter: execute restore config myfile.bak
• indicates an ASCII string that does not contain new-lines or carriage returns.
• indicates an integer string that is a decimal (base 10) number.
• indicates a hexadecimal string that uses the digits 0-9 and letters A-F.
• indicates a dotted decimal IPv4 address.
• indicates a dotted decimal IPv4 netmask.
FortiGate documentation
Information about FortiGate products is available from the following guides:
• FortiGate QuickStart Guide: Provides basic information about connecting and installing a FortiGate unit.
• FortiGate Installation Guide: Describes how to install a FortiGate unit. Includes a hardware reference, default configuration information, installation procedures, connection procedures, and basic configuration procedures.

Related documentation
Additional information about Fortinet products is available from the following related documentation.

FortiManager documentation
• FortiManager QuickStart Guide: Explains how to install the FortiManager Console, set up the FortiManager Server, and configure basic settings.
• FortiManager System Administration Guide: Describes how to use the FortiManager System to manage FortiGate devices.

FortiLog documentation
• FortiLog Administration Guide: Describes how to install and configure a FortiLog unit to collect FortiGate and FortiMail log files. It also describes how to view FortiGate and FortiMail log files, generate and view log reports, and use the FortiLog unit as a NAS server.
• FortiLog online help: Provides a searchable version of the Administration Guide in HTML format. You can access online help from the web-based manager as you work.
System status
You can connect to the web-based manager and view the current system status of the FortiGate unit. The status information that is displayed includes the system status, unit information, system resources, and session log.

Viewing system status
Connect: Select Connect to connect to the CLI.
Disconnect: Select Disconnect to disconnect from the CLI.
Clear screen: Select Clear screen to start a new page.
Status: View the system status page, also known as the system dashboard, for a snapshot of the current operating status of the FortiGate unit. All FortiGate administrators with read access to system configuration can view system status information.
Automatic Refresh Interval: Select to control how often the web-based manager updates the system status display.
Go: Select to set the selected automatic refresh interval.
Refresh: Select to manually update the system status display.

System status
UP Time: The time in days, hours, and minutes since the FortiGate unit was last started.
System Time: The current time according to the FortiGate unit internal clock.
Reset: Select to reset the count values in the table to zero.
HTTP: The number of URLs visited. Select Details to see the list of URLs, the time they were accessed and the IP address of the host that accessed them.
Email: The number of email messages sent and received. Select Details to see the date and time, the sender, the recipient and the subject of each email.
FTP: The number of URLs visited and the number of files uploaded and downloaded.

Figure 3: Sample system resources history

History
The history page displays 6 graphs representing the following system resources and protection:
CPU Usage History: CPU usage for the previous minute.
Memory Usage History: Memory usage for the previous minute.
Session History: Session history for the previous minute.
Network Utilization History: Network utilization for the previous minute.
Virus History: The virus detection history over the last 20 hours.
Changing unit information
To change FortiGate host name
The FortiGate host name appears on the Status page and in the FortiGate CLI prompt. The host name is also used as the SNMP system name. For information about the SNMP system name, see “SNMP” on page 97. The default host name is FortiGate-100A.
Note: If the FortiGate unit is part of an HA cluster, you should set a unique name to distinguish the unit from others in the cluster.
1 Go to System > Status > Status.
3 In the Attack Definitions field of the Unit Information section, select Update. The Intrusion Detection System Definitions Update dialog box appears.
4 In the Update File field, type the path and filename for the attack definitions update file, or select Browse and locate the attack definitions update file.
5 Select OK to copy the attack definitions update file to the FortiGate unit. The FortiGate unit updates the attack definitions.

Session list
The session list displays information about the communications sessions currently being processed by the FortiGate unit. You can use the session list to view current sessions.
Changing the FortiGate firmware
FortiGate administrators whose access profiles contain system configuration read and write privileges and the FortiGate admin user can change the FortiGate firmware. After you download a FortiGate firmware image from Fortinet, you can use the procedures listed in Table 1 to install the firmware image on your FortiGate unit.

Upgrading to a new firmware version
3 Go to System > Status.
4 Under Unit Information > Firmware Version, select Update.
5 Type the path and filename of the firmware image file, or select Browse and locate the file.
6 Select OK. The FortiGate unit uploads the firmware image file, upgrades to the new firmware version, restarts, and displays the FortiGate login. This process takes a few minutes.
7 Log into the web-based manager.

Reverting to a previous firmware version
Where is the name of the firmware image file and is the IP address of the TFTP server. For example, if the firmware image file name is FGT_300-v280-build183-FORTINET.out and the IP address of the TFTP server is 192.168.1.168, enter:
execute restore image FGT_300-v280-build183-FORTINET.out 192.168.1.
2 Log into the FortiGate web-based manager.
Note: To use this procedure you must log in using the admin administrator account, or an administrator account that has system configuration read and write privileges.
3 Go to System > Status.
4 Under Unit Information > Firmware Version, select Update.
5 Type the path and filename of the firmware image file, or select Browse and locate the file.
6 Select OK.
To use the following procedure you must have a TFTP server that the FortiGate unit can connect to.
To revert to a previous firmware version using the CLI
1 Make sure that the TFTP server is running.
2 Copy the firmware image file to the root directory of the TFTP server.
3 Log into the FortiGate CLI.
11 Update antivirus and attack definitions. For information, see “To update antivirus and attack definitions” on page 120, or from the CLI, enter:
execute update_now

Installing firmware images from a system reboot using the CLI
This procedure installs a specified firmware image and resets the FortiGate unit to default settings.
5 To confirm that the FortiGate unit can connect to the TFTP server, use the following command to ping the computer running the TFTP server. For example, if the IP address of the TFTP server is 192.168.1.168, enter:
execute ping 192.168.1.
10 Type an IP address that the FortiGate unit can use to connect to the TFTP server. The IP address can be any IP address that is valid for the network that the interface is connected to. Make sure you do not enter the IP address of another device on this network. The following message appears:
Enter File Name [image.out]:
11 Enter the firmware image filename and press Enter.

Testing a new firmware image before installing it
You can test a new firmware image by installing the firmware image from a system reboot and saving it to system memory. After completing this procedure the FortiGate unit operates using the new firmware image with the current configuration. This new firmware image is not permanently installed.
If you successfully interrupt the startup process, one of the following messages appears:
• FortiGate unit running v2.x BIOS
Enter TFTP Server Address [192.168.1.168]:
Go to step 9.
• FortiGate unit running v3.x BIOS
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
Installing and using a backup firmware image
If the FortiGate unit is running BIOS version v3.x, you can install a backup firmware image. Once the backup firmware image is installed you can switch to this backup image when required.
7 Type G to get the new firmware image from the TFTP server. The following message appears:
Enter TFTP server address [192.168.1.168]:
8 Type the address of the TFTP server and press Enter. The following message appears:
Enter Local Address [192.168.1.188]:
9 Type an IP address that can be used by the FortiGate unit to connect to the TFTP server.
Note: You have only 3 seconds to press any key. If you do not press a key soon enough, the FortiGate unit reboots and you must log in and repeat the execute reboot command.
If you successfully interrupt the startup process, the following message appears:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[Q]: Quit menu and continue to boot with default firmware.
System network
System network settings control how the FortiGate unit connects to and interacts with your network. Basic network settings start with configuring FortiGate interfaces to connect to your network and configuring the FortiGate DNS settings. More advanced network settings include adding VLAN subinterfaces and zones to the FortiGate network configuration.

Interface settings
Figure 5: Interface list
Create New: Select Create New to create a VLAN.
Virtual Domain: Select a virtual domain to display the interfaces added to this virtual domain. Only available if you have added a virtual domain.
Name: The names of the physical interfaces available to your FortiGate unit.
Figure 6: Interface settings
See the following procedures for configuring interfaces:
• To bring down an interface that is administratively up
• To start up an interface that is administratively down
• To add interfaces to a zone
• To add an interface to a virtual domain
• To change the static IP address of an interface
• To configure an interface for DHCP
• To configure an interface for PPPoE
• To configure support for dynamic DNS services
• To add a se
The VLAN ID can be any number between 1 and 4096 and must match the VLAN ID added by the IEEE 802.1Q-compliant router or switch connected to the VLAN subinterface. For more information on VLANs, see “VLAN overview” on page 63.
Virtual Domain: Select a virtual domain to add the interface or VLAN subinterface to this virtual domain. Virtual domain is only available if you have added a virtual domain.
initializing: No activity.
connecting: The interface is attempting to connect to the DHCP server.
connected: The interface retrieves an IP address, netmask, and other settings from the DHCP server.
failed: The interface was unable to retrieve an IP address and other information from the DHCP server.

PPPoE
If you configure the interface to use PPPoE, the FortiGate unit automatically broadcasts a PPPoE request.
Connect to server: Enable Connect to Server so that the interface automatically attempts to connect to a PPPoE server. Disable this option if you are configuring the interface offline.
Status: Displays PPPoE status messages as the FortiGate unit connects to the PPPoE server and gets addressing information. Select Status to refresh the addressing mode status message.
initializing: No activity.
connecting: The interface is attempting to connect to the PPPoE server.
SSH: To allow SSH connections to the CLI through this interface.
SNMP: To allow a remote SNMP manager to request SNMP information by connecting to this interface. See “Configuring SNMP” on page 98.
TELNET: To allow Telnet connections to the CLI through this interface. Telnet connections are not secure and can be intercepted by a third party.
Configuring interfaces
To add a VLAN subinterface
See “To add a VLAN subinterface in NAT/Route mode” on page 65.
To bring down an interface that is administratively up
You can bring down physical interfaces or VLAN subinterfaces. Bringing down a physical interface also brings down the VLAN subinterfaces associated with it.
1 Go to System > Network > Interface. The interface list is displayed.
2 Select Bring Down for the interface that you want to stop.
To change the static IP address of an interface
You can change the static IP address of any FortiGate interface.
1 Go to System > Network > Interface.
2 Choose an interface and select Edit.
3 Set Addressing Mode to Manual.
4 Change the IP address and Netmask as required.
5 Select OK to save your changes.
9 Select the Connect to Server check box if you want the FortiGate unit to connect to the PPPoE server.
10 Select Apply. The FortiGate unit attempts to contact the PPPoE server from the interface to set the IP address, netmask, and optionally the default gateway IP address and DNS server IP addresses.
11 Select Status to refresh the addressing mode status message.
12 Select OK.
3 Set Ping Server to the IP address of the next hop router on the network connected to the interface.
4 Select the Enable check box.
5 Select OK to save the changes.
To control administrative access to an interface
For a FortiGate unit running in NAT/Route mode, you can control administrative access to an interface to control how administrators access the FortiGate unit and the FortiGate interfaces to which administrators can connect.
Zone
You can use zones to group related interfaces and VLAN subinterfaces. Grouping interfaces and VLAN subinterfaces into zones simplifies policy creation. If you group interfaces and VLAN subinterfaces into a zone, you can configure policies for connections to and from this zone, rather than to and from each interface and VLAN subinterface. You can add zones, rename and edit zones, and delete zones from the zone list.
To add a zone
1 If you have added a virtual domain, go to System > Virtual Domain > Current Virtual Domain and select the virtual domain to which you want to add the zone.
2 Go to System > Network > Zone.
3 Select Create New.
4 In the New Zone dialog box, type a name for the zone.
5 Select the Block intra-zone traffic check box if you want to block traffic between interfaces or VLAN subinterfaces in the same zone.
Controlling administrative access to a FortiGate interface connected to the Internet allows remote administration of the FortiGate unit from any location on the Internet. However, allowing remote administration from the Internet could compromise the security of the FortiGate unit. You should avoid allowing administrative access for an interface connected to the Internet unless this is required for your configuration.
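To make the guidance above checkable, here is an added example (not FortiGate code) that audits a constructed interface table for cleartext management protocols and for any administrative access on an Internet-facing interface, and returns the hardened access set that follows this section's advice. SSH, SNMP and TELNET come from this chapter; HTTPS, HTTP and PING are assumed extra protocol names.

```python
"""Audit administrative access per interface (added example, not FortiGate code).

Each interface record lists the administrative protocols enabled on it, as
shown on the Interface settings page, and whether it connects to the Internet.
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Cleartext management protocols: the guide warns that Telnet can be
# intercepted by a third party; "http" is an assumed entry with the same weakness.
CLEARTEXT = {"telnet", "http"}


@dataclass
class Interface:
    name: str
    internet_facing: bool
    admin_access: Set[str] = field(default_factory=set)


def audit_admin_access(interfaces: List[Interface]) -> List[Tuple[str, str, str]]:
    """Return sorted (interface, protocol, reason) findings; empty means nothing to flag."""
    findings = []
    for itf in interfaces:
        for proto in itf.admin_access:
            p = proto.lower()
            if p in CLEARTEXT:
                findings.append((itf.name, p, "cleartext protocol; credentials can be intercepted"))
            if itf.internet_facing:
                findings.append((itf.name, p, "administrative access on an Internet-facing interface"))
    return sorted(findings)


def hardened_access(itf: Interface) -> Set[str]:
    """Access set after applying the guide's advice: no cleartext protocols
    anywhere, and no administrative access at all on an Internet-facing interface."""
    if itf.internet_facing:
        return set()
    return {p for p in itf.admin_access if p.lower() not in CLEARTEXT}


def sample_interfaces() -> List[Interface]:
    # Constructed sample using FortiGate-100A style port names.
    return [Interface("internal", False, {"https", "ssh", "snmp"}),
            Interface("wan1", True, {"ssh", "telnet"}),
            Interface("dmz1", False, {"telnet", "ping"})]


if __name__ == "__main__":
    for name, proto, reason in audit_admin_access(sample_interfaces()):
        print(f"{name}: {proto}: {reason}")
    for itf in sample_interfaces():
        print(f"{itf.name}: keep {sorted(hardened_access(itf)) or 'nothing'}")
```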
DNS
Several FortiGate functions, including Alert E-mail and URL blocking, use DNS. You can add the IP addresses of the DNS servers to which your FortiGate unit can connect. DNS server IP addresses are usually supplied by your ISP. You can configure primary and secondary DNS server addresses, or you can configure the FortiGate unit to obtain DNS server addresses automatically. To obtain addresses automatically, at least one interface must use the DHCP or PPPoE addressing mode.

Routing table (Transparent Mode)
In Transparent mode, you can configure routing to add static routes from the FortiGate unit to local routers.
Routing table list
Figure 12: Routing table
Create New: Select Create New to add a new route.
#: Route number.
IP: The destination IP address for this route.
Mask: The netmask for this route.
Gateway: The IP address of the next hop router to which this route directs traffic.
4 Set Gateway to the IP address of the next hop routing gateway. For an Internet connection, the next hop routing gateway routes traffic to the Internet.
5 Select OK to save the route.

VLAN overview
A VLAN is a group of PCs, servers, and other network devices that communicate as if they were on the same LAN segment, even though they may not be.

FortiGate units and VLANs
In a typical VLAN configuration, 802.1Q-compliant VLAN layer-2 switches or layer-3 routers or firewalls add VLAN tags to packets. Packets passing between devices in the same VLAN can be handled by layer 2 switches. Packets passing between devices in different VLANs must be handled by a layer 3 device such as a router, firewall, or layer 3 switch.
Adding VLAN subinterfaces
Note: If you are unable to change your existing configurations to prevent IP overlap, enter the CLI command config system global and set ip-overlap enable to allow IP address overlap. If you enter this command, multiple VLAN interfaces can have an IP address that is part of a subnet used by another interface. This command is recommended for advanced users only.
Figure 15 shows a simplified NAT/Route mode VLAN configuration.
5 Enter the VLAN ID that matches the VLAN ID of the packets to be received by this VLAN subinterface.
6 Select the virtual domain to which to add this VLAN subinterface. See “System virtual domain” on page 131 for information about virtual domains.
7 Select the name of a zone if you want this VLAN subinterface to belong to a zone. You can only select a zone that has been added to the virtual domain selected in the previous step.
If the network uses IEEE 802.1Q VLAN tags to segment your network traffic, you can configure a FortiGate unit operating in Transparent mode to provide security for network traffic passing between different VLANs. To support VLAN traffic in Transparent mode, you add virtual domains to the FortiGate unit configuration. A virtual domain consists of two or more VLAN subinterfaces or zones. In a virtual domain, a zone can contain one or more VLAN subinterfaces.
Figure 17: FortiGate unit in Transparent mode (diagram labels: VLAN 1, VLAN ID = 100; VLAN 2, VLAN ID = 200; VLAN 3, VLAN ID = 300; VLAN switches; VLAN trunk; FortiGate unit operating in Transparent mode between Internal and External; untagged packets; router; Internet)
Rules for VLAN IDs
In Transparent mode two VLAN subinterfaces added to the same physical interface cannot have the same VLAN ID.

Transparent mode VLAN list
In Transparent mode, go to System > Network > Interface to add VLAN subinterfaces.
Figure 18: Sample Transparent mode VLAN list
Create New: Select Create New to add a VLAN subinterface to a FortiGate interface.
Virtual Domain: Select a virtual domain to display the VLAN interfaces added to this virtual domain.
Name: The name of the interface or VLAN subinterface.
Access: The administrative access configuration for the interface.

Transparent mode VLAN settings
To add a VLAN subinterface in Transparent mode
The VLAN ID of each VLAN subinterface must match the VLAN ID added by the IEEE 802.1Q-compliant router or switch. The VLAN ID can be any number between 1 and 4096. You add VLAN subinterfaces to the physical interface that receives VLAN-tagged packets.
Note: A VLAN must not have the same name as a virtual domain or zone.
1 Go to System > Network > Interface.
2 Select Create New to add a VLAN subinterface.
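The VLAN rules collected in this chapter (ID range, a VLAN ID used once per physical interface, no name shared with a virtual domain or zone, a zone must belong to the selected virtual domain, and no subnet overlap unless ip-overlap is enabled) can be checked before a subinterface is added. The following is an added example, not FortiGate code; the interface names, subnets, virtual domains and zones are constructed.

```python
"""Pre-flight validation for a new VLAN subinterface (added example, not FortiGate code)."""
from dataclasses import dataclass
from ipaddress import ip_interface
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Iface:
    name: str
    physical: str             # physical interface the VLAN subinterface is added to
    vlan_id: Optional[int]    # None for a physical interface
    address: str = ""         # "ip/prefix"; empty when unaddressed (Transparent mode)
    vdom: str = "root"


def validate_vlan(new: Iface, existing: List[Iface], vdoms: Set[str],
                  zones: Dict[str, str], zone: Optional[str] = None,
                  ip_overlap: bool = False) -> List[str]:
    """Return 'code: detail' problems; an empty list means the VLAN is acceptable.
    zones maps zone name to the virtual domain it was added to; ip_overlap mirrors
    the 'set ip-overlap enable' setting under config system global."""
    errors = []
    # The guide gives 1..4096 as the accepted range (IEEE 802.1Q itself reserves 0 and 4095).
    if new.vlan_id is None or not 1 <= new.vlan_id <= 4096:
        errors.append(f"vlan-id-range: VLAN ID {new.vlan_id} is not between 1 and 4096")
    if new.name in vdoms or new.name in zones:
        errors.append(f"name-conflict: '{new.name}' is already a virtual domain or zone name")
    if new.vdom not in vdoms:
        errors.append(f"unknown-vdom: virtual domain '{new.vdom}' does not exist")
    if zone is not None:
        if zone not in zones:
            errors.append(f"unknown-zone: zone '{zone}' does not exist")
        elif zones[zone] != new.vdom:
            errors.append(f"zone-vdom-mismatch: zone '{zone}' belongs to '{zones[zone]}', not '{new.vdom}'")
    new_net = ip_interface(new.address).network if new.address else None
    for itf in existing:
        if itf.name == new.name:
            errors.append(f"name-conflict: interface '{new.name}' already exists")
        if itf.physical == new.physical and itf.vlan_id == new.vlan_id:
            errors.append(f"duplicate-vlan-id: VLAN ID {new.vlan_id} already used on {new.physical} by '{itf.name}'")
        if new_net is not None and itf.address and not ip_overlap:
            other = ip_interface(itf.address).network
            if new_net.overlaps(other):
                errors.append(f"ip-overlap: {new_net} overlaps {other} on '{itf.name}' (ip-overlap is disabled)")
    return errors


def sample_existing() -> List[Iface]:
    # Constructed sample: one physical interface and one VLAN subinterface on it.
    return [Iface("internal", "internal", None, "192.168.1.99/24"),
            Iface("vlan_100", "internal", 100, "10.1.1.1/24")]


SAMPLE_VDOMS = {"root", "vd_guest"}                         # constructed
SAMPLE_ZONES = {"lan_zone": "root", "guest_zone": "vd_guest"}  # constructed


if __name__ == "__main__":
    good = Iface("vlan_200", "internal", 200, "10.1.2.1/24")
    bad = Iface("root", "internal", 100, "10.1.1.5/24")
    for cand, zone in ((good, "lan_zone"), (bad, "guest_zone")):
        problems = validate_vlan(cand, sample_existing(), SAMPLE_VDOMS, SAMPLE_ZONES, zone=zone)
        print(cand.name, "->", problems or "ok")
```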
FortiGate IPv6 support
You can assign both an IPv4 and an IPv6 address to any interface on a FortiGate unit. The interface functions as two interfaces, one for IPv4-addressed packets and another for IPv6-addressed packets. FortiGate units support static routing, periodic router advertisements, and tunneling of IPv6-addressed traffic over an IPv4-addressed network. All of these features must be configured through the Command Line Interface (CLI).
System DHCP
You can configure DHCP server or DHCP relay agent functionality on any FortiGate interface or VLAN subinterface. A FortiGate interface can act as either a DHCP server or as a DHCP relay agent. An interface cannot provide both functions at the same time.
Note: To configure DHCP server or DHCP relay functionality on an interface, the FortiGate unit must be in NAT/Route mode and the interface must have a static IP address.

DHCP service settings
Go to System > DHCP > Service and select an edit or view icon to view or modify the DHCP service configuration for an interface.
Figure 21: View or edit DHCP service settings for an interface
Interface: The name of the interface.
None: No DHCP services provided by the interface.
DHCP Relay Agent: Select to configure the interface to be a DHCP relay agent.
Type: Select the type of DHCP relay agent.
To configure an interface to be a DHCP server
You can configure a DHCP server for any FortiGate interface. As a DHCP server, the interface dynamically assigns IP addresses to hosts on the network connected to the interface. You can also configure a DHCP server for more than one FortiGate interface.
1 Go to System > DHCP > Service.
2 Select Edit beside the interface to which you want to add a DHCP server.
3 Select DHCP Server.
4 Select OK.

DHCP server settings
Figure 23: Server options
Name: Enter a name for the DHCP server configuration.
Interface: Select the interface for which to configure the DHCP server.
Domain: Enter the domain that the DHCP server assigns to DHCP clients.
Default Gateway: Enter the IP address of the default gateway that the DHCP server assigns to DHCP clients.
3 Add a name for the DHCP server.
4 Select the interface.
5 Configure the DHCP server. The IP range must match the subnet address of the network from which the DHCP request was received. Usually this is the subnet connected to the interface for which you are adding the DHCP server.
6 Select OK to save the DHCP server configuration.
DHCP exclude range settings System DHCP DHCP exclude range settings The range cannot exceed 65536 IP addresses. Figure 25: Exclude range settings Starting IP Enter the starting IP of an exclude range. Ending IP Enter the ending IP of an exclude range. To add an exclusion range 1 Go to System > DHCP > Exclude Range. 2 Select Create New. 3 Add the starting IP and ending IP. 4 Select OK to save the exclusion range.
System DHCP DHCP IP/MAC binding settings DHCP IP/MAC binding settings Figure 27: IP/MAC binding options Name Enter a name for the IP/MAC address pair. IP Address Enter the IP address for the IP and MAC address pair. The IP address must be within the configured IP range. MAC Address Enter the MAC address of the device. To add a DHCP IP/MAC binding pair 1 Go to System > DHCP > IP/MAC Binding. 2 Select Create New. 3 Add a name for the IP/MAC pair. 4 Add the IP address and MAC address.
System config
Use the System Config page to make any of the following changes to the FortiGate system configuration:
• System time
• Options
• HA
• SNMP
• Replacement messages
• FortiManager

System time
Go to System > Config > Time to set the FortiGate system time. For effective scheduling and logging, the FortiGate system time must be accurate.
Automatically adjust clock for daylight saving changes: Select this check box if you want the FortiGate system clock to be adjusted automatically when your time zone changes to daylight saving time and back to standard time.
Set Time: Select Set Time to set the FortiGate system date and time to the correct date and time.

Figure 29: System config options
Idle Timeout: Set the idle timeout to control the amount of inactive time before the administrator must log in again. The maximum admintimeout is 480 minutes (8 hours). To improve security, keep the idle timeout at the default value of 5 minutes.
Auth Timeout: Set the firewall user authentication timeout to control how long an authenticated connection can be idle before the user must authenticate again. The maximum authtimeout is 480 minutes (8 hours).
Note: You should select the language that the management computer operating system uses.

To modify the dead gateway detection settings
Modify dead gateway detection to control how the FortiGate unit confirms connectivity with a ping server added to an interface configuration. For information about adding a ping server to an interface, see “To add a ping server to an interface” on page 56.
1 Go to System > Config > Options.
HA configuration
An active-passive (A-P) HA cluster, also referred to as hot standby HA, consists of a primary FortiGate unit that processes traffic, and one or more subordinate FortiGate units. The subordinate FortiGate units are connected to the network and to the primary FortiGate unit but do not process traffic. Active-active (A-A) HA load balances network traffic among all the FortiGate units in the cluster.
Cluster Members: When the cluster is operating, you can select Cluster Members to view the status of all FortiGate units in the cluster. Status information includes the cluster ID, status, up time, weight, and monitor information. For more information, see “To view the status of each cluster member” on page 95.
Mode: All members of the HA cluster must be set to the same HA mode.
Active-Active: Load balancing and failover HA.
You can use the unit priority to control the order in which cluster units become the primary cluster unit when a cluster unit fails. For example, if you have three FortiGate-3600s in a cluster you can set the unit priorities as shown in Table 4. Cluster unit A will always be the primary cluster unit because it has the highest priority.
Schedule: If you are configuring an active-active cluster, select a load balancing schedule.
None: No load balancing. Select None when the cluster interfaces are connected to load balancing switches.
Hub: Load balancing if the cluster interfaces are connected to a hub. Traffic is distributed to cluster units based on the Source IP and Destination IP of the packet.
LeastConnection: Least connection load balancing.
You can enable heartbeat communications for physical interfaces, but not for VLAN subinterfaces. Enabling the HA heartbeat for more interfaces increases reliability. If an interface fails, the HA heartbeat can be diverted to another interface. HA heartbeat traffic can use a considerable amount of network bandwidth. If possible, enable HA heartbeat traffic on interfaces used only for HA heartbeat traffic or on interfaces connected to less busy networks.
Monitor priorities: Monitor priorities and link failover are not supported for the internal interface. Enable or disable monitoring a FortiGate interface to verify that the interface is functioning properly and connected to its network. If a monitored interface fails or is disconnected from its network, the interface leaves the cluster.

Configuring an HA cluster
Note: The following procedure does not include steps for configuring interface heartbeat devices and interface monitoring. Interface monitoring should be configured after the cluster is up and running.
1 Power on the FortiGate unit to be configured.
2 Connect to the web-based manager.
3 Give the FortiGate unit a unique host name. See “To change FortiGate host name” on page 30. Use host names to identify individual cluster units.
4 Go to System > Config > HA.

To connect a FortiGate HA cluster
Use the following procedure to connect a cluster operating in NAT/Route mode or Transparent mode. Connect the FortiGate units in the cluster to each other and to your network. You must connect all matching interfaces in the cluster to the same hub or switch. Then you must connect these interfaces to their networks using the same hub or switch. Fortinet recommends using switches for all cluster connections for the best performance.
Figure 31: HA network configuration (figure labels: Internet, Router, two FortiGate units, WAN1, Internal, DMZ 2, Hub or Switch, Internal Network)
2 Power on all the FortiGate un
To configure weighted-round-robin weights
By default, in active-active HA mode the weighted round-robin schedule assigns the same weight to each FortiGate unit in the cluster. If you configure a cluster to use the weighted round-robin schedule, from the CLI you can use config system ha weight to configure a weight value for each cluster unit.

Managing an HA cluster
You can use the web-based manager to monitor the status and logs of individual cluster members. See “To view the status of each cluster member” on page 95 and “To view and manage logs for individual cluster units” on page 96. You can manage individual cluster units by using SSH to connect to the CLI of the cluster. From the CLI you can use the execute ha manage command to connect to the CLI of each unit in the cluster.
CPU Usage: The current CPU status of each cluster unit. The web-based manager displays CPU usage for core processes only. CPU usage for management processes (for example, for HTTPS connections to the web-based manager) is excluded.
Memory Usage: The current memory status of each cluster unit. The web-based manager displays memory usage for core processes only.
If a subordinate unit fails, the cluster continues to function normally. Failure of a subordinate unit results in the following:
• The cluster contains fewer FortiGate units. The failed unit no longer appears on the Cluster Members list.
RFC support includes support for most of RFC 2665 (Ethernet-like MIB) and most of RFC 1213 (MIB II) (for more information, see “FortiGate MIBs” on page 101).
This section describes:
• Configuring SNMP
• SNMP community
• FortiGate MIBs
• FortiGate traps
• Fortinet MIB fields

Configuring SNMP
Go to System > Config > SNMP v1/v2c to configure the SNMP agent.
Figure 33: Configuring SNMP
SNMP Agent: Enable the FortiGate SNMP agent.

SNMP community
An SNMP community is a grouping of equipment for network administration purposes. Add SNMP communities so that SNMP managers can connect to the FortiGate unit to view system information and receive SNMP traps. You can add up to three SNMP communities. Each community can have a different configuration for SNMP queries and traps. Each community can be configured to monitor the FortiGate unit for a different set of events.
IP Address: The IP address of an SNMP manager that can use the settings in this SNMP community to monitor the FortiGate unit. You can also set the IP address to 0.0.0.0 so that any SNMP manager can use this SNMP community.
Interface: Optionally select the name of the interface that this SNMP manager uses to connect to the FortiGate unit. You only have to select the interface if the SNMP manager is not on the same subnet as the FortiGate unit.
To add an SNMP community
1 Go to System > Config > SNMP v1/v2c.
2 Select Create New.
3 Enter a Community Name to identify the SNMP community.
4 Configure Hosts, Queries, Traps, and SNMP Events.
5 Select OK.

FortiGate MIBs
The FortiGate SNMP agent supports FortiGate proprietary MIBs as well as standard RFC 1213 and RFC 2665 MIBs.

FortiGate traps
The FortiGate agent can send traps to SNMP managers that you have added to SNMP communities. For SNMP managers to receive traps, you must load and compile the Fortinet trap MIB (file name fortinet.trap.2.80.mib) onto the SNMP manager. All traps include the trap message as well as the FortiGate unit serial number.
Table 7: Generic FortiGate traps
ColdStart, WarmStart, LinkUp, LinkDown: Standard traps as described in RFC 1215.
Table 10: FortiGate IPS traps
Syn flood attack. (IdsSynFlood): NIDS attack prevention detects and provides protection from a syn flood attack.
Port scan attack. (IdsPortScan): NIDS attack prevention detects and provides protection from a port scan attack.

Fortinet MIB fields
Table 14: System MIB fields
model: FortiGate model number, for example, 400 for the FortiGate-400.
serial: FortiGate unit serial number.
version: The firmware version currently running on the FortiGate unit.
versionAv: The antivirus definition version installed on the FortiGate unit.
versionNids: The attack definition version installed on the FortiGate unit.
Table 16: Administrator accounts
index: The index number of the administrator account added to the FortiGate unit.
name: The user name of an administrator account added to the FortiGate unit.
addr: Up to three trusted host IP addresses for the administrator account.
mask: Up to three trusted host netmasks for the administrator account.
perm: The access profile assigned to the account.

Replacement messages
Change replacement messages to customize alert email and information that the FortiGate unit adds to content streams such as email messages, web pages, and FTP sessions. The FortiGate unit adds replacement messages to a variety of content streams. For example, if a virus is found in an email message, the file is removed from the email and replaced with a replacement message.

Changing replacement messages
Figure 37: Sample HTTP virus replacement message
Replacement messages can be text or HTML messages. You can add HTML code to HTML messages. In addition, replacement messages can include replacement message tags. When users receive the replacement message, the replacement message tag is replaced with content relevant to the message. Table 20 lists the replacement message tags that you can add.
Table 20: Replacement message tags (Continued)
%%EMAIL_FROM%%: The email address of the sender of the message from which the file was removed.
%%EMAIL_TO%%: The email address of the intended receiver of the message from which the file was removed.
%%NIDSEVENT%%: The IPS attack message. %%NIDSEVENT%% is added to alert email intrusion messages.
%%SERVICE%%: The name of the web filtering service.
System administration
When the FortiGate unit is first installed, it is configured with a single administrator account with the user name admin. From this administrator account, you can add and edit administrator accounts. You can also control the access level of each of these administrator accounts and control the IP address from which the administrator account can connect to the FortiGate unit. Each administrator account belongs to an access profile.

Administrators list
Figure 39: Administrators list
Create New: Add an administrator account.
Name: The login name for an administrator account.
Trusted hosts: The trusted host IP address and netmask from which the administrator can log in.
Permission: The permission profile for the administrator.
The Delete, Edit/View, or Change Password icon. The admin administrator account cannot be deleted.
3 Type a login name for the administrator account.
4 Type and confirm a password for the administrator account.
5 Optionally type a Trusted Host IP address and netmask from which the administrator can log into the web-based manager.
6 Select the access profile for the administrator.
7 Select OK.
Figure 41: Change an administrator password
To change an administrator password
1 Go to System > Admin > Administrators.

Access profile list
Figure 42: Access profile list
Create New: Add a new access profile.
Profile Name: The name of the access profile.
The Delete and Edit icons. You cannot delete the prof_admin access profile.

Access profile options
Figure 43: Access profile option
Profile Name: Enter the name of the access profile.
Access Control: Access Control lists the items that can be controlled by the access profile.
To configure an access profile
1 Go to System > Admin > Access Profile.
2 Select Create New to add an access profile, or select the edit icon to edit an existing access profile.
3 Enter a name for the access profile.
4 Select or clear the Access Control check boxes as required.
5 Select OK.
System maintenance
Use the web-based manager to maintain the FortiGate unit.

Backup and restore
You can back up system configuration, VPN certificate, web and spam filtering files to the management computer. You can also restore system configuration, VPN certificate, web and spam filtering files from previously downloaded backup files.
Figure 44: Backup and restore list
Category: The list of files that can be backed up and restored.
System Configuration: Restore or back up the FortiGate system configuration file.
Reset the FortiGate unit to factory defaults. This procedure deletes all changes that you have made to the FortiGate configuration and reverts the system to its original configuration, including resetting interface addresses. This procedure does not change the firmware version or the antivirus or attack definitions.
Debug Log: Download debug log.
5 Select OK to restore all configuration files to the FortiGate unit. The FortiGate unit restarts, loading the new configuration files.
6 Reconnect to the web-based manager and review your configuration to confirm that the uploaded configuration files have taken effect.
To back up individual categories
1 Go to System > Maintenance > Backup & Restore.
2 Select the Backup icon for the type of file you want to back up.
3 Save the file.

Update center
You can configure the FortiGate unit to connect to the FortiProtect Distribution Network (FDN) to update the antivirus (including grayware), Spam Filter and attack definitions and engines. Before the FortiGate unit can receive antivirus and attack updates, it must be able to connect to the FortiProtect Distribution Network (FDN). The FortiGate unit uses HTTPS on port 8890 to connect to the FDN.
Figure 45: Update center
FortiProtect Distribution Network: The status of the connection to the FortiProtect Distribution Network (FDN). A green indicator means that the FortiGate unit can connect to the FDN. You can configure the FortiGate unit for scheduled updates. See “To enable scheduled updates” on page 121. A red-yellow flashing indicator means that the FortiGate unit cannot connect to the FDN. Check your configuration.
Version: The version numbers of the definition files and engines currently installed on the FortiGate unit.
Expiry date: The expiry date of your license for definition and engine updates.
Last update attempt: The date and time on which the FortiGate unit last attempted to download definition and engine updates.
Last update status: The result of the last update attempt.
2 Select Update Now to update the antivirus and attack definitions and engines. If the connection to the FDN or override server is successful, the web-based manager displays a message similar to the following: Your update request has been sent. Your database will be updated in a few minutes. Please check your update page for the status of the update.
4 Select Apply. The FortiGate unit tests the connection to the override server. If the FortiProtect Distribution Network setting changes to available, the FortiGate unit has successfully connected to the override server. If the FortiProtect Distribution Network stays set to not available, the FortiGate unit cannot connect to the override server.
There are no special tunneling requirements if you have configured an override server address to connect to the FDN.

Enabling push updates
The FDN can push updates to FortiGate units to provide the fastest possible response to critical situations. You must register the FortiGate unit before it can receive push updates. See “To register a FortiGate unit” on page 128.
The FortiGate unit sends the SETUP message if you change the interface 2 IP address manually or if you have set the interface 2 addressing mode to DHCP or PPPoE and your DHCP or PPPoE server changes the IP address. If you have redundant connections to the Internet, the FortiGate unit also sends the SETUP message when one Internet connection goes down and the FortiGate unit fails over to the other Internet connection.
8 In the Map to IP section, type the IP address of the FortiGate unit on the internal network. If the FortiGate unit is operating in NAT/Route mode, enter the IP address of the external interface. If the FortiGate unit is operating in Transparent mode, enter the management IP address.
9 Set the Map to Port to 9443.
10 Select OK.
To add a firewall policy to the FortiGate NAT device
1 Add a new external to internal firewall policy.

Figure 46: Support
Report Bug: Select Report Bug to submit problems with the FortiGate unit to Fortinet Support.
FDS Registration: Select FDS Registration to register the FortiGate unit with Fortinet.

Sending a bug report
Use the Report Bug form to send bug information to Fortinet support.
Figure 47: Bug report
Contact Information: Enter the contact information so that Fortinet support can reply to your bug report. Items marked with an * are required.
Send email by customized mail relay: Submit the bug report using a customized mail relay.
SMTP Server: The SMTP server to use for sending bug report email.
User Name: A valid user name on the specified SMTP server.
Password: If the SMTP server requires authentication, enter the password required.
Authentication: Select No if the SMTP server does not require authentication. Select Yes if the SMTP server does require authentication.
Soon you will also be able to:
• Access Fortinet user documentation
• Access the Fortinet knowledge base
All registration information is stored in the Fortinet Customer Support database. This information is used to make sure that your registered FortiGate units can be kept up to date. All information is strictly confidential. Fortinet does not share this information with any third-party organizations for any reason.
FortiCare Support Contract numbers, if you purchased FortiCare Support Contracts for the FortiGate units that you want to register.
1 Go to System > Maintenance > Support.
2 Select FDS Registration.
3 Enter your contact information on the product registration form.
4 Provide a security question and an answer to the security question.
5 Select the model number of the Product Model to register.
6 Enter the Serial Number of the FortiGate unit.
2 Select Reboot.
3 Select Apply. The FortiGate unit restarts.
To shut down the system
You can restart the FortiGate unit after shutdown only by turning the power off and then on.
1 Go to System > Maintenance > Shutdown.
2 Select Shutdown.
3 Select Apply. The FortiGate unit shuts down and all traffic flow stops.
To reset the FortiGate unit to factory defaults
Use the following procedure to reset system settings to the values set at the factory.
System virtual domain
FortiGate virtual domains provide multiple logical firewalls and routers in a single FortiGate unit. Using virtual domains, one FortiGate unit can provide exclusive firewall and routing services to multiple networks so that traffic from each network is effectively separated from every other network.

Virtual domain properties
By default, each FortiGate unit runs a virtual domain named root. This virtual domain includes all of the FortiGate physical interfaces, VLAN subinterfaces, zones, firewall policies, routing settings, and VPN settings. Once you add a virtual domain you can configure it by adding VLAN subinterfaces, zones, firewall policies, routing settings, and VPN settings.

Shared configuration settings
The following configuration settings are shared by all virtual domains. Even if you have configured multiple virtual domains, there are no changes to how you configure the following settings.

Administration and management
In addition to the global properties, virtual domains share a common administrative model. Administrators have access to all of the virtual domains on the FortiGate unit. Administrators logging into the CLI or web-based manager always log into the root domain and then must enter the virtual domain that they want to administer.
See the following procedures for configuring virtual domains:
• To add VLAN subinterfaces to a virtual domain
• To view the interfaces in a virtual domain
• To add zones to a virtual domain
• To select a management virtual domain and add a management IP
• To configure routing for a virtual domain in NAT/Route mode
• To configure the routing table for a virtual domain in Transparent mode
• To add firewall policies to a virtual domain
• To add fir

To select a management virtual domain
The following procedure applies to NAT/Route mode only.
1 Go to System > Virtual Domain > Virtual Domains.
2 Select Change beside the listed Management virtual domain.
3 Choose the management domain and select OK.
Note: You cannot delete a management virtual domain. You must first select a different domain for system management.
2 Set Virtual domain to All or to the name of the virtual domain that currently contains the interface.
3 Select Edit for the physical interface you want to move.
4 Choose the Virtual Domain to which to move the interface.
5 Select OK. The physical interface moves to the virtual domain. Firewall IP pools and virtual IPs added for this interface are deleted.
4 Select OK.
5 Go to System > Network > Zone.
6 Select Create new. See “Zone” on page 58. Any zones that you add are added to the current virtual domain.

Configuring routing for a virtual domain
To configure routing for a virtual domain in NAT/Route mode
1 Go to System > Virtual domain > Virtual domains.
2 Select Change following the current virtual domain name above the table.
6 Select Create new to add firewall policies to the current virtual domain. See “Policy” on page 190. You can only add firewall policies for the physical interfaces, VLAN subinterfaces, or zones added to the current virtual domain. The firewall policies that you add are only visible when you are viewing the current virtual domain.

Configuring IPSec VPN for a virtual domain
To configure VPN for a virtual domain
The following procedure applies to NAT/Route and Transparent mode.
1 Go to System > Virtual domain > Virtual domains.
2 Select Change following the current virtual domain name above the table.
3 Choose the virtual domain for which to configure VPN.
4 Select OK.
5 Go to VPN.
6 Configure IPSec VPN, PPTP, L2TP, and certificates as required.
FortiGate-100A Administration Guide Version 2.80 MR7 Router This chapter describes how to configure FortiGate routing and RIP. It contains the following sections: • Static • Policy • RIP • Router objects • Monitor • CLI configuration Static A static route specifies where to forward packets that have a particular destination IP address.
Router For example, consider Figure 50, which shows a FortiGate unit connected to a router. To ensure that all outbound packets destined to any network beyond the router are routed to the correct destination, you must edit the default configuration and make the router the default gateway for the FortiGate unit. Figure 50: Making a router the default gateway Internet Router 192.168.10.1 external FortiGate_1 Esc Enter Internal network 192.168.20.
Router Static route list Figure 51: Destinations on networks behind internal routers Internet FortiGate_1 Esc Enter internal Router_1 192.168.10.1 Network_1 192.168.20.0/24 dmz Router_2 192.168.10.2 Network_2 192.168.30.0/24 To route packets from Network_1 to Network_2, Router_1 must be configured to use the FortiGate internal interface as its default gateway. On the FortiGate unit, you would create a new static route with these settings: Destination IP/mask: 192.168.30.0/24 Gateway: 192.168.10.
Static route options Router Create New Add a new static route. # The sequence number for this route. IP The destination IP address for this route. Mask The netmask for this route. Gateway The IP address of the first next hop router to which this route directs traffic. Device The name of the FortiGate interface through which to route traffic. Distance The administrative distance for the route. The Delete, Edit, and Move to icons.
Router Policy route list Figure 54: Move a static route 3 For Move to, select either Before or After and type the number that you want to place this route before or after. 4 Select OK. The route is displayed in the new location on the static route list.
Policy route options Router Policy route options Figure 56: Policy route configuration Protocol Match packets that have this protocol number. Incoming Interface Match packets that are received on this interface. Source Address / Mask Match packets that have this source IP address and netmask. Destination Address / Mask Match packets that have this destination IP address and netmask. Destination Ports Match packets that have this destination port range.
Router General RIP is a distance-vector routing protocol intended for small, relatively homogeneous, networks. RIP uses hop count as its routing metric. Each network is usually counted as one hop. The network diameter is limited to 15 hops. General Figure 57: RIP General settings RIP Version Enable sending and receiving RIP version 1 packets, RIP version 2 packets, or both for all RIP-enabled interfaces. You can override this setting on a per interface basis. See “Interface options” on page 150.
Networks list Router Route-map Enter the name of the route map to use for the redistributed connected routes. For information on how to configure route maps, see “Route-map list” on page 157. Static Advertise routes learned from static routes. Metric Enter the metric to be used for the redistributed static routes. Route-map Enter the name of the route map to use for the redistributed static routes. For information on how to configure route maps, “Route-map list” on page 157.
Router Networks options Networks options Figure 59: RIP Networks configuration To configure a RIP network 1 Go to Router > RIP > Networks. 2 Select Create New to add a new RIP network or select the edit icon beside an existing RIP network to edit that RIP network. 3 Enter the IP address and netmask for the network. 4 Select OK. Interface list Configure RIP version 2 authentication, RIP version send and receive for the specified interface, and configure and enable split horizon.
Interface options Router Interface options Figure 61: RIP interface configuration 150 Interface The FortiGate interface name. Send Version RIP routing messages are UDP packets that use port 520. Select 1 to configure RIP to send RIP version 1 messages from an interface. Select 2 to configure RIP to send RIP version 2 messages from an interface. Select Both to configure RIP to send both RIP version 1 and RIP version 2 messages from an interface.
Router Distribute list Password Enter a password (key) to use for authentication for RIP version 2 packets sent and received by this interface. Enter a password here when you only want to configure one key. The key can be up to 35 characters long. Key-chain Enter the name of the key chain to use for authentication for RIP version 2 packets sent and received by this interface. Use key chains when you want to configure multiple keys.
Create New
    Add a new distribute list.
Direction
    The direction for the filter.
Filter
    The type of filter and the filter name.
Interface
    The interface to use this filter on. If no interface name is displayed, this distribute list is used for all interfaces.
Enable
    The status of this distribute list.
The Delete and Edit icons.

Distribute list options

Figure 63: RIP Distribute list configuration

Direction
    Set the direction for the filter.
Offset list

Use offset lists to add the specified offset to the metric of a route.

Note: By default, all offset lists for the root virtual domain are displayed. If you create additional virtual domains, only the offset lists belonging to the current virtual domain are displayed. To view the settings associated with a different virtual domain, go to System > Virtual Domain > Virtual Domains and select the virtual domain.

Figure 64: RIP Offset list

Create New
    Add a new offset list.
3 Set Direction to In or Out.
4 Enter the offset number.
5 Select the interface to match for this offset list.
6 Check or clear the Enable check box to enable or disable this offset list.
7 Select OK.

Router objects

Router objects are a set of tools used by routing protocols and features.

Access list

Access lists are filters used by FortiGate routing features.
To add an access list name
1 Go to Router > Router Objects > Access List.
2 Select Create New.
3 Enter a name for the access list.
4 Select OK.

New access list entry

Figure 68: Access list entry configuration

Entry
    The access list name and the number of this entry.
Action
    Set the action to take for this prefix to Permit or Deny.
Prefix
    Select Match any to match any prefix.
The FortiGate unit attempts to match a packet against the rules in a prefix list starting at the top of the list. If it finds a match for the prefix, it takes the action specified for that prefix. If no match is found, the default action is deny. For a prefix list to take effect it must be called by another FortiGate routing feature such as RIP or OSPF.

Figure 69: Prefix list

Create New
    Add a new prefix list name. An access list and a prefix list cannot have the same name.
New prefix list entry

Figure 71: Prefix list entry configuration

Entry
    The prefix list name and the number of this entry.
Action
    Set the action to take for this prefix to Permit or Deny.
Prefix
    Select Match any to match any prefix. Select Match a network address and enter the prefix (IP address and netmask) for this prefix list entry. The length of the netmask should be less than the setting for Greater or equal to.
The FortiGate unit attempts to match the rules in a route map starting at the top of the list. If it finds a match, it makes the changes defined in the set statements and then takes the action specified for the rule. If no match is found in the route map, the default action is deny. If no match statements are defined in a rule, the default action is to match everything.
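The prefix-list and route-map evaluation rules described above (top-down, first match wins, deny when nothing matches, an entry with no match statement matches everything), modelled as an added example that is not code from the guide or from FortiOS. The rule layout, the function names and the sample prefix lists and route map are my own constructions.

```python
"""Added example, not from the FortiGate guide: a small model of the
prefix-list and route-map evaluation described above.  Rule layout,
names and sample data are my own."""
import ipaddress

PERMIT, DENY = "permit", "deny"
NET = ipaddress.ip_network


def prefix_rule_matches(rule, route):
    """One prefix-list entry: rule["prefix"] is None for "Match any" or an
    IPv4Network; optional rule["ge"] / rule["le"] bound the mask length."""
    prefix = rule.get("prefix")
    if prefix is None:                      # Match any
        return True
    if route.version != prefix.version or not route.subnet_of(prefix):
        return False
    ge, le = rule.get("ge"), rule.get("le")
    if ge is None and le is None:           # no bounds: the exact prefix only
        return route.prefixlen == prefix.prefixlen
    lo = ge if ge is not None else prefix.prefixlen
    hi = le if le is not None else route.max_prefixlen
    return lo <= route.prefixlen <= hi


def prefix_list_action(rules, route):
    """Walk the list top-down; the first matching entry decides, else deny."""
    for rule in rules:
        if prefix_rule_matches(rule, route):
            return rule["action"]
    return DENY


def route_map(entries, prefix_lists, route, metric):
    """Return (action, metric) for a route.  An entry without a match
    statement matches every route; a matching entry applies its set
    statement (here only the metric) and returns its action."""
    for entry in entries:
        name = entry.get("match_prefix_list")
        if name is not None and prefix_list_action(prefix_lists[name], route) != PERMIT:
            continue
        if entry.get("set_metric") is not None:
            metric = entry["set_metric"]
        return entry["action"], metric
    return DENY, metric


# Constructed sample configuration (not from the guide).
PREFIX_LISTS = {
    # every prefix inside 10.99.0.0/16, whatever its length
    "blocked": [{"action": PERMIT, "prefix": NET("10.99.0.0/16"), "ge": 16, "le": 32}],
    # 10.0.0.0/8 and its subnets no longer than /24
    "internal": [{"action": PERMIT, "prefix": NET("10.0.0.0/8"), "le": 24}],
}
ROUTE_MAP = [
    {"action": DENY, "match_prefix_list": "blocked"},
    {"action": PERMIT, "match_prefix_list": "internal", "set_metric": 5},
    {"action": PERMIT},                       # no match statement: catch-all
]


def decide(route_str, metric=1, entries=ROUTE_MAP):
    """Convenience wrapper over the sample configuration."""
    return route_map(entries, PREFIX_LISTS, NET(route_str), metric)


if __name__ == "__main__":
    for r in ("10.1.2.0/24", "10.99.5.0/24", "10.1.0.0/25", "192.168.1.0/24"):
        print(r, decide(r))
```

Note that a deny entry in a prefix list only means "this route-map entry does not match"; the route is dropped only when the route map itself denies it or runs out of entries, which is why the sample route map carries an explicit deny entry.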
Route-map list entry

Figure 74: Route map entry configuration

Route-map entry
    The route map name and the ID number of this route map entry.
Action
    Select Permit to permit routes that match this entry. Select Deny to deny routes that match this entry.
Match: The criteria to match.
Interface
    Match a route with the selected destination interface.
Address
    Match a route if the destination address is included in the selected access list or prefix list.
4 Under Match, select the criteria to match.
5 Under Set, select the criteria to change.
6 Select OK.

Key chain list

RIP version 2 uses authentication keys to ensure that the routing information exchanged between routers is reliable. For authentication to work, both the sending and receiving routers must be set to use authentication and must be configured with the same keys. A key chain is a list of one or more keys and the send and receive lifetimes for each key.
3 Enter a name for the key chain.
4 Select OK.

Key chain list entry

Figure 77: Key chain entry configuration

Key-chain entry
    The key chain name and the ID number for this key chain entry.
Key
    The key (password) can be up to 35 characters long.
Accept Lifetime
    Set the time period during which the key can be received.
Send Lifetime
    Set the time period during which the key can be sent.
5 Under Accept Lifetime, select Infinite, Duration or End time.
  • If you selected Duration, enter the time in seconds that this key should be active.
  • If you selected End time, select the required hour, minute, second, year, month and day to stop using this key for received routing updates.
6 Under Send Lifetime, select the required hour, minute, second, year, month and day to start using this key for sending routing updates.
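How accept and send lifetimes drive a key rollover, as an added example that is not code from the guide or from FortiOS: the overlapping accept lifetimes let both routers keep exchanging updates while the send key changes. The Key class, the lifetime() helper (mapping Infinite, Duration and End time onto a start/end pair), the lowest-key-ID tie-break and the sample keys are my own assumptions.

```python
"""Added example, not from the FortiGate guide: selecting RIP version 2
keys from a key chain by accept and send lifetimes.  Key, lifetime() and
the sample chain are my own; all times are naive UTC datetimes."""
import hmac
from datetime import datetime, timedelta

INFINITE = datetime.max
T = datetime


def lifetime(start, mode, value=None):
    """Map the web UI choice to (start, end): mode is "infinite",
    "duration" (value = seconds the key stays active) or "end" (value = datetime)."""
    if mode == "infinite":
        return start, INFINITE
    if mode == "duration":
        return start, start + timedelta(seconds=value)
    if mode == "end":
        return start, value
    raise ValueError("unknown lifetime mode: %r" % mode)


class Key:
    def __init__(self, key_id, secret, accept, send):
        if len(secret) > 35:                       # limit stated by the guide
            raise ValueError("key longer than 35 characters")
        self.key_id, self.secret = key_id, secret
        self.accept_start, self.accept_end = accept
        self.send_start, self.send_end = send


def _covers(start, end, now):
    return start <= now < end


def send_key(chain, now):
    """The key used for outgoing updates: the lowest-numbered key whose send
    lifetime covers `now` (my tie-break rule), or None if no key is sendable."""
    for key in sorted(chain, key=lambda k: k.key_id):
        if _covers(key.send_start, key.send_end, now):
            return key
    return None


def accept_keys(chain, now):
    """IDs of every key a received update may carry at `now`."""
    return sorted(k.key_id for k in chain if _covers(k.accept_start, k.accept_end, now))


def accept_update(chain, now, key_id, secret):
    """True only when the update's key is inside its accept lifetime and the
    secret matches; an expired or unknown key is rejected."""
    for key in chain:
        if key.key_id == key_id and _covers(key.accept_start, key.accept_end, now):
            return hmac.compare_digest(key.secret, secret)
    return False


# Constructed sample chain: key 1 is being rolled over to key 2.
CHAIN = [
    Key(1, "old-rip-secret",
        accept=lifetime(T(2024, 1, 1), "duration", 30 * 86400),   # until 2024-01-31
        send=lifetime(T(2024, 1, 1), "end", T(2024, 2, 1))),
    Key(2, "new-rip-secret",
        accept=lifetime(T(2024, 1, 25), "infinite"),   # overlap covers the switch
        send=lifetime(T(2024, 2, 1), "infinite")),
]

if __name__ == "__main__":
    for when in (T(2024, 1, 28, 12), T(2024, 2, 5)):
        print(when, "send:", send_key(CHAIN, when).key_id, "accept:", accept_keys(CHAIN, when))
```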
3 Specify the network for which to display routes.
4 Specify a gateway to display the routes using that gateway.
5 Select Apply Filter.

Note: You can configure Type, Network, and Gateway filters individually or in any combination.

CLI configuration

This guide only covers Command Line Interface (CLI) commands, keywords, or variables (in bold) that are not represented in the web-based manager.
get router info rip

Use this command to display information about RIP.

Command syntax
    get router info rip

router info rip command keywords and variables

database
    Show the entries in the RIP routing database. Availability: All models.
interface
    Show the status of the FortiGate interfaces and whether RIP is enabled for each interface. Availability: All models.
    config summary-address

Note: In the following table, only the router-id keyword is required. All other keywords are optional.
ospf command keywords and variables (Continued)

default-metric
    Specify the default metric that OSPF should use for redistributed routes. The valid range for metric_integer is 1 to 16777214.
distance
    Configure the administrative distance for all OSPF routes. Using administrative distance you can specify the relative priorities of different routes to the same destination.
    get router ospf

This example shows how to display the OSPF configuration.

    show router ospf

config area

Access the config area subcommand using the config router ospf command. Use this command to set OSPF area-related parameters. Routers in an OSPF autonomous system (AS) or routing domain are organized into logical groupings called areas. Areas are linked together by area border routers (ABRs). There must be a backbone area that all areas can connect to.
area command keywords and variables

authentication {md5 | none | text}
    Set the authentication type. Use the authentication keyword to define the authentication used for OSPF packets sent and received in this area. If you select none, no authentication is used. If you select text, the authentication key is sent as plain text. If you select md5, an authentication key is used to generate an MD5 hash.
area command keywords and variables (Continued)

nssa-translator-role {always | candidate | never}
    A NSSA border router can translate the
    Default: candidate. Availability: All models.
shortcut {default | disable | enable}
stub-type {no-summary | summary}
type {nssa | regular | stub}
This example shows how to display the configuration for area 15.1.1.1.

    config router ospf
    config area
    edit 15.1.1.1
    show
    end

config filter-list

Access the config filter-list subcommand using the config area subcommand. Use filter lists to control the import and export of LSAs into and out of an area. You can use access or prefix lists for OSPF area filter lists. For more information, see “Access list” on page 154 and “Prefix list” on page 155.
Example

This example shows how to use an access list named acc_list1 to filter packets entering area 15.1.1.1.

    config router ospf
    config area
    edit 15.1.1.1
    config filter-list
    edit 1
    set direction in
    set list acc_list1
    end
    end

This example shows how to display the settings for area 15.1.1.1.

    config router ospf
    config area
    edit 15.1.1.1
    get
    end

This example shows how to display the configuration for area 15.1.1.1.

    config router ospf
    config area
    edit 15.1.1.
    config range
    edit
    get
    end

    config range
    edit
    show
    end

Note: Only the prefix keyword is required. All other keywords are optional.

range command keywords and variables

advertise {disable | enable}
    Enable or disable advertising the specified range. Default: enable. Availability: All models.
prefix
substitute
substitute-status {disable | enable}
    config router ospf
    config area
    edit 15.1.1.1
    show
    end

config virtual-link

Access the config virtual-link subcommand using the config area command. Use virtual links to connect an area to the backbone when the area has no direct connection to the backbone. A virtual link allows traffic from the area to transit a directly connected area to reach the backbone. The transit area cannot be a stub area. Virtual links can only be set up between two area border routers (ABRs).
virtual-link command keywords and variables

authentication {md5 | none | text}
    Set the authentication type. Use the authentication keyword to define the authentication used for OSPF packets sent and received over this virtual link. If you select none, no authentication is used. If you select text, the authentication key is sent as plain text. If you select md5, an authentication key is used to generate an MD5 hash.
virtual-link command keywords and variables (Continued)

retransmit-interval
    The time, in seconds, to wait before sending a LSA retransmission. The value for the retransmit interval must be greater than the expected round-trip delay for a packet. The valid range for seconds_integer is 1 to 65535. Default: 5.
transmit-delay
Use this command to use an access list to filter the networks in routing updates. Routes not matched by any of the distribute lists will not be advertised. You must configure the access list that you want the distribute list to use before you configure the distribute list. For more information on configuring access lists, see “Access list” on page 154.
    config router ospf
    config distribute-list
    edit 2
    set access-list acc_list1
    set protocol static
    end
    end

This example shows how to display the settings for distribute list 2.

    config router ospf
    config distribute-list
    edit 2
    get
    end

This example shows how to display the configuration for distribute list 2.

    config router ospf
    config distribute-list
    edit 2
    show
    end

config neighbor

Access the config neighbor subcommand using the config router ospf command.
    config neighbor
    edit
    show
    end

Note: Only the ip keyword is required. All other keywords are optional.

neighbor command keywords and variables

cost
    Enter the cost to use for this neighbor. The valid range for cost_integer is 1 to 65535.
ip
    Enter the IP address of the neighbor.
poll-interval
    Enter the time, in seconds, between hello packets sent to the neighbor in the down state.
config network

Access the config network subcommand using the config router ospf command. Use this command to identify the interfaces to include in the specified OSPF area. The prefix keyword can define one or multiple interfaces.
This example shows how to display the settings for network 2.

    config router ospf
    config network
    edit 2
    get
    end

This example shows how to display the configuration for network 2.

    config router ospf
    config network
    edit 2
    show
    end

config ospf-interface

Access the config ospf-interface subcommand using the config router ospf command. Use this command to change interface-related OSPF settings.
ospf-interface command keywords and variables

authentication {md5 | none | text}
    Use the authentication keyword to define the authentication used for OSPF packets sent and received by this interface. If you select none, no authentication is used.
authentication-key
cost
database-filter-out {disable | enable}
dead-interval
ospf-interface command keywords and variables (Continued)

hello-interval
    The time, in seconds, between hello packets. All routers on the network must use the same value for hello-interval. The valid range for seconds_integer is 1 to 65535.
interface
    Enter the name of the interface to associate with this OSPF configuration.
ip
    Enter the IP address of the interface named by the interface keyword.
ospf-interface command keywords and variables (Continued)

network-type {broadcast | nonbroadcast | point-to-multipoint | point-to-point}
    Specify the type of network to which the interface is connected. OSPF supports four different types of network.
priority
retransmit-interval
status {disable | enable}
transmit-delay
Example

This example shows how to assign an OSPF interface configuration named test to the interface named internal and how to configure text authentication for this interface.

    config router ospf
    config ospf-interface
    edit test
    set interface internal
    set ip 192.168.20.3
    set authentication text
    set authentication-key a2b3c4d5e
    end
    end

This example shows how to display the settings for the OSPF interface configuration named test.
config redistribute command syntax pattern

    config redistribute {connected | static | rip}
    set
    end

    config redistribute {connected | static | rip}
    unset
    end

    get router ospf
    show router ospf

redistribute command keywords and variables

metric
    Enter the metric to be used for the redistributed routes. The metric_integer range is from 1 to 16777214.
Use this command to summarize external routes for redistribution into OSPF. This command works only for summarizing external routes on an Autonomous System Boundary Router (ASBR). For information on summarization between areas, see “config range” on page 171. By replacing the LSAs for each route with one aggregate route, you reduce the size of the OSPF link-state database.
This example shows how to display the OSPF configuration.

    show router ospf

config router static6

Use this command to add, edit, or delete static routes for IPv6 traffic. Add static routes to control the destination of traffic exiting the FortiGate unit. You configure routes by adding destination IP addresses and netmasks and adding gateways for these destination addresses.
Example

This example shows how to add an IPv6 static route that has the sequence number 2.

    config router static6
    edit 2
    set dev internal
    set dst 12AB:0:0:CD30::/60
    set gateway 12AB:0:0:CD30:123:4567:89AB:CDEF
    end

This example shows how to display the list of IPv6 static route numbers.

    get router static6

This example shows how to display the settings for IPv6 static route 2.

    get router static6 2

This example shows how to display the IPv6 static route configuration.
FortiGate-100A Administration Guide Version 2.80 MR7

Firewall

Firewall policies control all traffic passing through the FortiGate unit. Firewall policies are instructions that the FortiGate unit uses to decide what to do with a connection request. When the firewall receives a connection request in the form of a packet, it analyzes the packet to extract its source address, destination address, and service (by port number).
Policy

Go to Firewall > Policy to add firewall policies to control connections and traffic between FortiGate interfaces, zones, and VLAN subinterfaces.

How policy matching works

The firewall matches policies by searching for a match starting at the top of the policy list and moving down until it finds the first match. You must arrange policies in the policy list from more specific to more general. For example, the default policy is a very general policy because it matches all connection attempts.
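The top-down, first-match behaviour above, as an added example that is not code from the guide or from FortiOS: it matches on the fields the guide says the firewall extracts (interfaces, source, destination, service) and adds a check that flags a specific policy placed below a more general one, which the first-match rule makes unreachable. The Policy class, the helper names and the sample policies and packet are my own assumptions.

```python
"""Added example, not from the FortiGate guide: top-down first-match policy
evaluation plus detection of policies shadowed by a more general one above
them.  Policy layout, names and sample data are my own."""
import ipaddress

ANY_SERVICE = ("any", 0, 65535)   # (protocol, low port, high port)


class Policy:
    def __init__(self, pid, src_intf, dst_intf, src, dst, service, action):
        self.pid, self.src_intf, self.dst_intf = pid, src_intf, dst_intf
        self.src, self.dst = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        self.service, self.action = service, action

    def matches(self, pkt):
        """pkt: dict with src_intf, dst_intf, src, dst, proto and port."""
        proto, lo, hi = self.service
        return (self.src_intf == pkt["src_intf"] and self.dst_intf == pkt["dst_intf"]
                and ipaddress.ip_address(pkt["src"]) in self.src
                and ipaddress.ip_address(pkt["dst"]) in self.dst
                and proto in ("any", pkt["proto"]) and lo <= pkt["port"] <= hi)

    def covers(self, other):
        """True when every packet `other` could match is also matched by self."""
        p, lo, hi = self.service
        q, olo, ohi = other.service
        return (self.src_intf == other.src_intf and self.dst_intf == other.dst_intf
                and self.src.version == other.src.version
                and other.src.subnet_of(self.src) and other.dst.subnet_of(self.dst)
                and p in ("any", q) and lo <= olo and hi >= ohi)


def first_match(policies, pkt):
    """Top-down search: the first matching policy decides; None if nothing
    matches (the guide's default policy normally catches what reaches the end)."""
    for pol in policies:
        if pol.matches(pkt):
            return pol
    return None


def action_for(policies, pkt):
    pol = first_match(policies, pkt)
    return pol.action if pol else None


def shadowed(policies):
    """(policy id, id of the earlier policy hiding it) for every policy that
    can never be reached because a more general one sits above it."""
    out = []
    for i, pol in enumerate(policies):
        for earlier in policies[:i]:
            if earlier.covers(pol):
                out.append((pol.pid, earlier.pid))
                break
    return out


# Constructed sample list: the general accept sits ABOVE the specific deny,
# which is the ordering mistake the guide warns against.
WRONG_ORDER = [
    Policy(1, "internal", "wan1", "0.0.0.0/0", "0.0.0.0/0", ANY_SERVICE, "accept"),
    Policy(2, "internal", "wan1", "192.168.1.0/24", "0.0.0.0/0", ("tcp", 25, 25), "deny"),
]
RIGHT_ORDER = [WRONG_ORDER[1], WRONG_ORDER[0]]

# Constructed packet: an outbound SMTP connection from the internal subnet.
SMTP_OUT = {"src_intf": "internal", "dst_intf": "wan1",
            "src": "192.168.1.5", "dst": "203.0.113.10", "proto": "tcp", "port": 25}

if __name__ == "__main__":
    print("wrong order:", action_for(WRONG_ORDER, SMTP_OUT), shadowed(WRONG_ORDER))
    print("right order:", action_for(RIGHT_ORDER, SMTP_OUT), shadowed(RIGHT_ORDER))
```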
The policy list has the following icons and features.

Create New
    Select Create New to add a firewall policy.
ID
    The policy identifier. Policies are numbered in the order they are added to the policy list.
Source
    The source address or address group to which the policy applies. See “Address” on page 198.
Dest
    The destination address or address group to which the policy applies. See “Address” on page 198.
Schedule
    The schedule that controls when the policy should be active.
Policy options

Figure 81: Standard policy options

Policy has the following standard options:

Interface / Zone
    Source
        Select the source interface name to which the policy will apply.
    Destination
        Select the destination interface name to which the policy will apply.
    Interfaces and zones are listed and configured in System > Network. See “System network” on page 47.
Address Name
    Source
        Select a source address or address group to which the policy will apply.
Action
    Select how you want the firewall to respond when the policy matches a connection attempt.
    • ACCEPT: Select accept to accept connections matched by the policy. You can also configure NAT and Authentication for the policy.
    • DENY: Select deny to reject connections matched by the policy. The only other policy option that you can configure is Log Traffic, to log the connections denied by this policy.
Advanced policy options

Figure 82: Advanced policy options

Authentication
    You must add users and a firewall protection profile to a user group before you can select Authentication. For information about adding and configuring user groups, see “User group” on page 239. Select Authentication and select one or more user groups to require users to enter a user name and password before the firewall accepts the connection.
    In most cases you should make sure that users can use DNS through the firewall without authentication. If DNS is not available, users cannot connect to a web, FTP, or Telnet server using a domain name.
Traffic Shaping
    Traffic Shaping controls the bandwidth available to, and sets the priority of, the traffic processed by the policy.
Original (forward) DSCP value
    Set the DSCP value for packets accepted by the policy. For example, for an Internal->External policy the value is applied to outgoing packets as they exit the external interface and are forwarded to their destination.
Reverse (reply) DSCP value
    Set the DSCP value for reply packets.
3 Select the position for the policy.
4 Select OK.

To disable a policy
Disable a policy to temporarily prevent the firewall from selecting the policy. Disabling a policy does not stop active communication sessions that have already been allowed by the policy.
1 Go to Firewall > Policy.
2 Clear the Enable check box beside the policy you want to disable.

To enable a policy
1 Go to Firewall > Policy.
2 Select Enable.
firewall policy command keywords and variables

http_retry_count
    Define the number of times to retry establishing an HTTP connection when the connection fails. Default: 0. Availability: All models.
natip
    Configure natip for a firewall policy with action set to encrypt and with outbound NAT enabled. Default: 0.0.0.0 0.0.0.0. Availability: All models.
This section describes:
• Address list
• Address options
• Configuring addresses
• Address group list
• Address group options
• Configuring address groups

Address list

You can add addresses to the list and edit existing addresses. The FortiGate unit comes configured with the default ‘All’ address, which represents any IP address on the network.

Figure 84: Sample address list

The address list has the following icons and features.
Type
    Select the type of address. Each type reveals the corresponding fields to configure.
IP Range/Subnet
    Enter the firewall IP address, a forward slash, and the subnet mask, or enter an IP address range separated by a hyphen. An IP/Mask address can represent:
    • The address of a subnet (for example, for a class C subnet, IP address: 192.168.20.0 and Netmask: 255.255.255.0).
    • A single IP address (for example, IP Address: 192.168.20.1 and Netmask: 255.255.255.
Note: To change the address name you must delete the address and add it again with a new name. To avoid confusion in firewall policies, an address and a virtual IP cannot have the same name.
4 Select OK.

To delete an address
Deleting an address removes it from the address list. To delete an address that has been added to a policy, you must first remove the address from the policy.
1 Go to Firewall > Address > Address.
Figure 87: Address group options

Address group has the following options:

Group Name
    Enter a name to identify the address group. Addresses, address groups, and virtual IPs must all have unique names to avoid confusion in firewall policies.
Available Addresses
    The list of configured and default firewall addresses. Use the arrows to move addresses between the lists.
Members
    The list of addresses in the group. Use the arrows to move addresses between the lists.
3 Make any required changes.
Note: To change the address group name you must delete the address group and add it again with a new name.
4 Select OK.

Service

Use services to determine the types of communication accepted or denied by the firewall. You can add any of the predefined services to a policy. You can also create custom services and add services to service groups.
Table 21: FortiGate predefined services

Service name | Description | Protocol | Port
ANY | Match connections on any port. A connection that uses any of the predefined services is allowed through the firewall. | all | all
GRE | Generic Routing Encapsulation. A protocol that allows an arbitrary network protocol to be transmitted over any other arbitrary network protocol, by encapsulating the packets of the protocol within GRE packets. | 47 |
AH | Authentication Header. | |
Table 21: FortiGate predefined services (Continued)

Service name | Description | Protocol | Port
IRC | Internet Relay Chat allows people connected to the Internet to join live discussions. | tcp | 6660-6669
L2TP | L2TP is a PPP-based tunnel protocol for remote access. | | 1701
LDAP | Lightweight Directory Access Protocol is a set of protocols used to access information directories. | tcp |
Table 21: FortiGate predefined services (Continued)

Service name | Description | Protocol | Port
SMTP | Simple Mail Transfer Protocol is used to send mail between email servers on the Internet. | tcp | 25
SNMP | Simple Network Management Protocol is a set of protocols for managing complex networks. | tcp and udp | 161-162
SSH | Secure Shell is a service for secure connections to computers for remote management. | tcp and udp | 22
SYSLOG | Syslog service for remote logging. | |
Custom service options

Different options appear depending on the protocol type of the custom service you want to define. Choose from TCP, UDP, ICMP, or IP.

TCP and UDP custom service options

Figure 90: TCP and UDP custom service options

Name
    The name of the TCP or UDP custom service.
Protocol Type
    Select the protocol type of the service you are adding: TCP or UDP. TCP and UDP options are the same.
IP custom service options

Figure 92: IP custom service options

Name
    The name of the IP custom service.
Protocol Type
    Select the protocol type of the service you are adding: IP.
Protocol Number
    The IP protocol number for the service.

Configuring custom services

To add a custom TCP or UDP service
1 Go to Firewall > Service > Custom.
2 Select Create New.
3 Enter a name for the new custom TCP or UDP service.
4 Select TCP or UDP as the Protocol Type.
6 Select OK.
You can now add this custom service to a policy.

To delete a custom service
1 Go to Firewall > Service > Custom.
2 Select the Delete icon beside the service you want to delete.
3 Select OK.

To edit a custom service
1 Go to Firewall > Service > Custom.
2 Select the Edit icon beside the service you want to edit.
3 Modify the custom service as required.
Note: To change the custom service name you must delete the service and add it again with a new name.
Figure 94: Service group options

Service group has the following options.

Group Name
    Enter a name to identify the service group.
Available Services
    The list of configured and predefined services. Use the arrows to move services between the lists.
Members
    The list of services in the group. Use the arrows to move services between the lists.

Configuring service groups

To organize services into a service group
1 Go to Firewall > Service > Group.
Note: To change the service group name you must delete the service group and add it again with a new name.
4 Select OK.

Schedule

Use schedules to control when policies are active or inactive. You can create one-time schedules and recurring schedules. You can use one-time schedules to create policies that are effective once for the period of time specified in the schedule. Recurring schedules repeat weekly.
One-time schedule options

Figure 96: One-time schedule options

One-time schedule has the following options.

Name
    Enter the name to identify the one-time schedule.
Start
    Enter the start date and time for the schedule.
Stop
    Enter the stop date and time for the schedule.

Configuring one-time schedules

To add a one-time schedule
1 Go to Firewall > Schedule > One-time.
2 Select Create New.
3 Type a name for the schedule.
Recurring schedule list

You can create a recurring schedule that activates or deactivates policies at specified times of the day or on specified days of the week. For example, you might want to prevent game play during working hours by creating a recurring schedule.

Note: If you create a recurring schedule with a stop time that occurs before the start time, the schedule starts at the start time and finishes at the stop time on the next day.
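Evaluating one-time and recurring schedules against a timestamp, including the next-day rule in the note above, as an added example that is not code from the guide or from FortiOS. The function names, the weekday numbering (Monday = 0) and the sample schedules are my own assumptions.

```python
"""Added example, not from the FortiGate guide: deciding whether a
one-time or recurring schedule is active at a given moment.  Names and
sample schedules are my own."""
from datetime import datetime, time


def one_time_active(start, stop, now):
    """One-time schedule: active from start up to (not including) stop."""
    return start <= now < stop


def recurring_active(days, start, stop, now):
    """days: set of weekday numbers (Monday = 0); start/stop: datetime.time.

    Normal case (start <= stop): active on a selected day between the two.
    Wrap case (stop < start): the schedule started on a selected day runs
    until stop on the following day, so the early hours of the next day
    count even when that day itself is not selected."""
    today, t = now.weekday(), now.time()
    if start <= stop:
        return today in days and start <= t < stop
    yesterday = (today - 1) % 7
    return (today in days and t >= start) or (yesterday in days and t < stop)


WEEKDAYS = {0, 1, 2, 3, 4}
# Constructed samples: office hours on weekdays, and a Monday-night
# maintenance window that crosses midnight into Tuesday.
OFFICE = (WEEKDAYS, time(9, 0), time(17, 0))
NIGHT = ({0}, time(22, 0), time(6, 0))

if __name__ == "__main__":
    # 2024-01-08 is a Monday.
    for when in (datetime(2024, 1, 8, 23), datetime(2024, 1, 9, 3), datetime(2024, 1, 10, 3)):
        print(when, "night window active:", recurring_active(*NIGHT, when))
```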
Configuring recurring schedules

To add a recurring schedule
1 Go to Firewall > Schedule > Recurring.
2 Select Create New.
3 Enter a name for the schedule.
4 Select the days of the week that you want the schedule to be active.
5 Set the Start and Stop time for the recurring schedule. Recurring schedules use a 24-hour clock.
6 Select OK.

To delete a recurring schedule
1 Go to Firewall > Schedule > Recurring.
You can create three types of virtual IPs:

Static NAT
    Used to translate an address on a source network to a hidden address on a destination network. Static NAT translates the source address of return packets to the address on the source network.
Port Forwarding
    Used to translate an address and a port number on a source network to a hidden address and, optionally, a different port number on a destination network.
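How the two virtual IP types above rewrite an inbound packet and how the reverse translation is applied to the return packet, as an added example that is not code from the guide or from FortiOS. The VirtualIP class, the function names and the sample virtual IPs (documentation-range addresses) are my own assumptions.

```python
"""Added example, not from the FortiGate guide: static NAT and port
forwarding virtual IPs applied to inbound packets and their replies.
VirtualIP, the translate_* functions and the samples are my own."""


class VirtualIP:
    def __init__(self, name, ext_intf, ext_ip, mapped_ip,
                 proto=None, ext_port=None, mapped_port=None):
        self.name, self.ext_intf = name, ext_intf
        self.ext_ip, self.mapped_ip = ext_ip, mapped_ip
        # Port-forwarding VIPs carry a protocol and port; static NAT ones do not.
        self.proto, self.ext_port = proto, ext_port
        # The mapped port is optional: without it the external port is reused.
        self.mapped_port = mapped_port if mapped_port is not None else ext_port

    @property
    def kind(self):
        return "static-nat" if self.ext_port is None else "port-forwarding"


def translate_inbound(vips, intf, dst_ip, proto, dst_port):
    """Packet arriving on `intf` for dst_ip:dst_port -> (mapped ip, mapped port),
    or None when no virtual IP applies and the packet is left untranslated."""
    for vip in vips:
        if vip.ext_intf != intf or vip.ext_ip != dst_ip:
            continue
        if vip.kind == "static-nat":            # every protocol and port
            return vip.mapped_ip, dst_port
        if vip.proto == proto and vip.ext_port == dst_port:
            return vip.mapped_ip, vip.mapped_port
    return None


def translate_reply(vips, intf, src_ip, proto, src_port):
    """Return packet from the hidden host leaving via `intf`: rewrite the
    source back to the external address (and port), so the client sees the
    address it connected to."""
    for vip in vips:
        if vip.ext_intf != intf or vip.mapped_ip != src_ip:
            continue
        if vip.kind == "static-nat":
            return vip.ext_ip, src_port
        if vip.proto == proto and vip.mapped_port == src_port:
            return vip.ext_ip, vip.ext_port
    return None


# Constructed sample virtual IPs: a whole-host static NAT and a single
# forwarded port that also changes the port number.
VIPS = [
    VirtualIP("mail-static", "wan1", "203.0.113.10", "192.168.1.10"),
    VirtualIP("web-fwd", "wan1", "203.0.113.11", "192.168.1.20",
              proto="tcp", ext_port=8080, mapped_port=80),
]

if __name__ == "__main__":
    print(translate_inbound(VIPS, "wan1", "203.0.113.11", "tcp", 8080))
    print(translate_reply(VIPS, "wan1", "192.168.1.20", "tcp", 80))
```

Note that the static NAT entry exposes every port of the hidden host, while the port-forwarding entry exposes only tcp/8080, so a port-forwarding virtual IP is the narrower choice when one service is all that must be reachable.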
Figure 100: Virtual IP options; static NAT
Figure 101: Virtual IP options; port forwarding

Virtual IP has the following options.

Name
    Enter the name to identify the virtual IP. Addresses, address groups, and virtual IPs must all have unique names to avoid confusion in firewall policies.
External Interface
    Select the virtual IP external interface from the list.
Type
    Select Static NAT or Port Forwarding.
4 Select the virtual IP External Interface from the list. The external interface is connected to the source network and receives the packets to be forwarded to the destination network. You can select any firewall interface or a VLAN subinterface. You can set the virtual IP external interface to any FortiGate interface. Table 22 on page 217 contains example virtual IP external interface settings and describes the policies to which you can add the resulting virtual IP.
6 Enter the External IP Address that you want to map to an address on the destination interface. You can set the external IP address to the IP address of the external interface selected in step 4 or to any other address. For example, if the virtual IP provides access from the Internet to a server on your internal network, the external IP address must be a static IP address obtained from your ISP for this server.
10 Select OK.

To delete a virtual IP
1 Go to Firewall > Virtual IP.
2 Select the Delete icon beside the virtual IP you want to delete.
3 Select OK.

To edit a virtual IP
1 Go to Firewall > Virtual IP.
2 Select the Edit icon beside the virtual IP you want to modify.
3 Select OK.

IP pool

An IP pool (also called a dynamic IP pool) is a range of IP addresses added to a firewall interface.
IP pool list

Figure 102: Sample IP pool list

The IP pool list has the following icons and features.

Create New
    Select Create New to add an IP pool.
Start IP
    The start IP defines the start of an address range.
End IP
    The end IP defines the end of an address range.
The Delete and Edit/View icons.

IP pool options

Figure 103: IP pool options

IP pool has the following options.

Interface
    Select the interface to which to add an IP pool.
Name
    Enter a name for the IP pool.
5 Select OK.

To delete an IP pool
1 Go to Firewall > IP Pool.
2 Select the Delete icon beside the IP pool you want to delete.
3 Select OK.

To edit an IP pool
1 Go to Firewall > IP Pool.
2 Select Edit beside the IP pool that you want to edit.
3 Modify the IP pool as required.
4 Select OK to save the changes.
Protection profile

Use protection profiles to apply different protection settings to traffic that is controlled by firewall policies.
Default protection profiles

The FortiGate unit comes preconfigured with four protection profiles.

Strict
    To apply maximum protection to HTTP, FTP, IMAP, POP3, and SMTP traffic. You may not wish to use the strict protection profile under normal circumstances, but it is available if you have extreme problems with viruses and require maximum screening.
Web
    To apply virus scanning and web content blocking to HTTP traffic.
Configuring antivirus options

Figure 106: Protection profile antivirus options

The following options are available for antivirus through the protection profile. See “Antivirus” on page 289 for more antivirus configuration options.

Virus Scan
    Enable or disable virus scanning (for viruses and worms) for each protocol (HTTP, FTP, IMAP, POP3, SMTP). Grayware, if enabled in Antivirus > Config > Config, is included with the Virus Scan.
Configuring web filtering options

Figure 107: Protection profile web filtering options

The following options are available for web filtering through the protection profile. See “Web filter” on page 309 for more web filter configuration options.

Web Content Block
    Enable or disable web page blocking for HTTP traffic based on the banned words and patterns in the content block list.
The following options are available for web category filtering through the protection profile. See “Category block” on page 317 for more category blocking configuration options.
Enable category block (HTTP only): Enable FortiGuard category blocking.
Block unrated websites (HTTP only): Block any web pages that have not been rated by the web filtering service.
Return e-mail DNS check: Enable or disable checking that the domain specified in the Reply-To or From address has an A or MX record.
MIME headers check: Enable or disable checking source MIME headers against the configured spam filter MIME header list.
Banned word check: Enable or disable checking source email against the configured spam filter banned word list.
Spam Action: The action for the spam filter to take.
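The three checks above, run over a parsed message, as an added illustration that is not FortiGate code or part of this guide. The DNS table, the MIME header list, the banned word list and the two sample messages are constructed for the example, and tagging the subject stands in for an assumed “tag” Spam Action (the page does not list the available actions).

```python
"""Spam filter checks: return e-mail DNS check, MIME header check and
banned word check, applied to a parsed message.
Added illustration, not FortiGate code. DNS_TABLE, MIME_HEADER_LIST,
BANNED_WORDS and the sample messages are constructed for this example."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for DNS: domain -> record types that exist for it.
DNS_TABLE = {
    "example.com": {"A", "MX"},
    "mail.example.net": {"A"},
    "nxdomain.test": set(),
}
# Constructed MIME header list: (header name, regular expression on its value).
MIME_HEADER_LIST = [("X-Mailer", r"BulkBlaster.*")]
# Constructed banned word list.
BANNED_WORDS = ["free money", "lottery"]


def sender_domain(msg):
    """Domain of the Reply-To address when present, otherwise of From."""
    addr = parseaddr(msg.get("Reply-To") or msg.get("From") or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def return_email_dns_check(msg, dns=DNS_TABLE):
    """Pass (True) when the sender domain has an A or MX record."""
    return bool(dns.get(sender_domain(msg), set()) & {"A", "MX"})


def mime_header_check(msg, header_list=MIME_HEADER_LIST):
    """True when any listed header value matches its pattern."""
    return any(
        re.fullmatch(pattern, value, re.IGNORECASE)
        for name, pattern in header_list
        for value in msg.get_all(name, [])
    )


def banned_word_check(msg, words=BANNED_WORDS):
    """True when subject or body contains a banned word (non-multipart only here)."""
    body = "" if msg.is_multipart() else msg.get_payload()
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    return any(w.lower() in text for w in words)


def classify(raw, tag="[SPAM]"):
    """Run the three checks. Returns (is_spam, reasons, subject); a spam
    subject is tagged, standing in for an assumed 'tag' Spam Action."""
    msg = message_from_string(raw)
    reasons = []
    if not return_email_dns_check(msg):
        reasons.append("return-email-dns")
    if mime_header_check(msg):
        reasons.append("mime-header")
    if banned_word_check(msg):
        reasons.append("banned-word")
    subject = msg.get("Subject", "")
    if reasons:
        subject = f"{tag} {subject}"
    return bool(reasons), reasons, subject


# Constructed sample messages.
CLEAN = """From: alice@example.com
Subject: Meeting notes

See you at 10.
"""
SPAM = """From: promo@nxdomain.test
Reply-To: win@nxdomain.test
Subject: You won the lottery
X-Mailer: BulkBlaster 2.0

Free money awaits.
"""

if __name__ == "__main__":
    print(classify(CLEAN))
    print(classify(SPAM))
```

The Reply-To address takes precedence over From in the DNS check because that is the address a reply would actually go to; a real deployment would replace DNS_TABLE with live A and MX lookups.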
The following options are available for content archive through the protection profile.
Display content meta-information on the system dashboard: Enable to have meta-information for each type of traffic displayed in the Content Summary section of the FortiGate status page. There you can view statistics for HTTP traffic, FTP traffic, and email traffic (IMAP, POP3, and SMTP combined).
To add a protection profile to a policy

You can enable protection profiles for firewall policies with action set to allow or encrypt and with service set to ANY, HTTP, FTP, IMAP, POP3, SMTP, or a service group that includes these services.
1 Go to Firewall > Policy.
2 Select the policy list to which you want to add a protection profile.
Profile CLI configuration

firewall profile command keywords and variables

ftp {block content-archive no-content-summary oversize quarantine scan splice}
Description: Select the actions that this profile will use for filtering FTP traffic for a policy.
Default: splice
Availability: All models.

http {bannedword block catblock chunkedbypass content-archive no-content-summary oversize quarantine rangeblock scan scriptfilter urlblock urlexempt}
smtp {bannedword block content-archive fragmail no-content-summary oversize quarantine scan spamemailbwl spamfsip spamhdrcheck spamhelodns spamipbwl spamraddrdns spamrbl splice}
Description: Select the actions that this profile will use for filtering SMTP traffic for a policy.
Default: fragmail splice
Availability: All models.
FortiGate-100A Administration Guide Version 2.80 MR7

Users and authentication

You can control access to network resources by defining lists of authorized users, called user groups. To use a particular resource, such as a network or a VPN tunnel, the user must belong to one of the user groups that is allowed access. The user then must correctly enter a user name and password to prove his or her identity. This is called authentication.
Setting authentication timeout

The authentication timeout controls how long an authenticated firewall connection can be idle before the user must authenticate again.

To set the authentication timeout
1 Go to System > Config > Options.
2 In Auth Timeout, type a number of minutes. The default authentication timeout is 15 minutes.

Local

Go to User > Local to add local user names and configure authentication.
LDAP: Select LDAP to require the user to authenticate to an LDAP server. Select the name of the LDAP server to which the user must authenticate. You can only select an LDAP server that has been added to the FortiGate LDAP configuration. See “LDAP” on page 236.
Radius: Select Radius to require the user to authenticate to a RADIUS server. Select the name of the RADIUS server to which the user must authenticate.
Server Name/IP: The domain name or IP address of the RADIUS server.
The Delete and Edit icons.

RADIUS server options

Figure 115: RADIUS configuration

Name: Enter a name to identify the RADIUS server.
Server Name/IP: Enter the domain name or IP address of the RADIUS server.
Server Secret: Enter the RADIUS server secret.

To configure the FortiGate unit for RADIUS authentication
1 Go to User > RADIUS.
LDAP

The FortiGate unit supports the LDAP protocol functionality defined in RFC 2251 for looking up and validating user names and passwords. FortiGate LDAP supports all LDAP servers compliant with LDAP v3. FortiGate LDAP support does not extend to proprietary functionality, such as notification of password expiration, that is available from some LDAP servers. FortiGate LDAP support does not supply information to the user about why authentication failed.
Common Name Identifier: Enter the common name identifier for the LDAP server. The common name identifier for most LDAP servers is cn. However, some servers use other common name identifiers such as uid.
Distinguished Name: Enter the distinguished name used to look up entries on the LDAP server. Enter the base distinguished name for the server using the correct X.500 or LDAP format. The FortiGate unit passes this distinguished name unchanged to the server.
User group

To enable authentication, you must add user names, RADIUS servers, and LDAP servers to one or more user groups. You can then assign a firewall protection profile to the user group. You can configure authentication as follows:
• Firewall policies that require authentication: You can choose the user groups that are allowed to authenticate with these policies.
User group options

Figure 119: User group configuration

Group Name: Enter the name of the user group.
Available Users: The list of users, RADIUS servers, or LDAP servers that can be added to a user group.
Members: The list of users, RADIUS servers, or LDAP servers added to a user group.
Protection Profile: Select a protection profile for this user group.

To configure a user group
1 Go to User > User Group.
To delete a user group

You cannot delete a user group that is included in a firewall policy, a dialup user phase 1 configuration, or a PPTP or L2TP configuration.
1 Go to User > User Group.
2 Select Delete beside the user group that you want to delete.
3 Select OK.

CLI configuration

This guide only covers Command Line Interface (CLI) commands that are not represented in the web-based manager.
peer

config user peer
    edit branch_office
        set ca
        set cn
        set cn-type
    end

This example shows how to display the list of configured peers.
get user peer
This example shows how to display the settings for the peer branch_office.
get user peer branch_office
This example shows how to display the configuration for all the peers.
show user peer
This example shows how to display the configuration for the peer branch_office.
peergrp

config user peergrp
    edit EU_branches
        set member Sophia_branch Valencia_branch Cardiff_branch
    end

This example shows how to display the list of configured peer groups.
get user peergrp
This example shows how to display the settings for the peer group EU_branches.
get user peergrp EU_branches
This example shows how to display the configuration for all the peer groups.
show user peergrp
This example shows how to display the configuration for the peer group EU_branches.
VPN
Phase 1

The basic phase 1 settings associate IPSec phase 1 parameters with a remote gateway and determine:
• whether the various phase 1 parameters will be exchanged in multiple rounds with encrypted authentication information (main mode) or in a single message with authentication information that is not encrypted (aggressive mode)
• whether a preshared key or digital certificates will be used to authenticate the identities of the two VPN peers
• whether a peer identifier, certificat
Encryption Algorithm: The names of the encryption and authentication algorithms used by each phase 1 configuration.
Edit, view, or delete phase 1 configurations.

Phase 1 basic settings

Figure 121: Phase 1 basic settings

Gateway Name: Type a name for the remote VPN peer or client. Enter a name that reflects the origin of the remote connection.
Pre-shared Key: If Preshared Key is selected, type the preshared key that the FortiGate unit will use to authenticate itself to the remote peer during phase 1 negotiations. You must define the same value at the remote peer. The key must contain at least 6 printable characters and should only be known by network administrators. For optimum protection against currently known attacks, the key should consist of a minimum of 16 randomly chosen alphanumeric characters. This matters most in aggressive mode, where the authentication information is exchanged unencrypted (see the phase 1 overview above), so a short or guessable key can be attacked offline from a captured exchange.
Phase 1 advanced settings

Figure 122: Phase 1 advanced settings

P1 Proposal: Select the encryption and authentication algorithms that will be used to generate keys for protecting negotiations. Add or delete encryption and authentication algorithms as required. Select a minimum of one and a maximum of three combinations. The remote peer must be configured to use at least one of the proposals that you define.
DH Group: Select one or more Diffie-Hellman groups from DH group 1, 2, and 5. When using aggressive mode, DH groups cannot be negotiated.
• If both VPN peers have static IP addresses and use aggressive mode, select a single DH group. The setting on the FortiGate unit must be identical to the setting on the remote peer or client.
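The proposal and DH group rules from the two settings above, together with the preshared key rules from the basic settings, as an added illustration that is not FortiGate code or part of this guide. The algorithm names, the two sample peers and the simplification that the DH group is chosen separately from the proposal list are assumptions of the example.

```python
"""Phase 1 proposal and DH group selection under the rules described above:
one to three local proposals, at least one must be shared with the peer,
DH groups limited to 1, 2 and 5, and aggressive mode fixes a single DH group
instead of negotiating it. Also the preshared key rules from the basic
settings. Added illustration, not FortiGate code; algorithm names and the
sample peers are constructed."""
import secrets
import string

ALLOWED_DH_GROUPS = {1, 2, 5}


def validate_phase1(proposals, dh_groups, mode):
    """Raise ValueError when the local settings break a stated rule."""
    if not 1 <= len(proposals) <= 3:
        raise ValueError("select a minimum of one and a maximum of three proposals")
    if not dh_groups or not set(dh_groups) <= ALLOWED_DH_GROUPS:
        raise ValueError("DH group must be one or more of 1, 2 and 5")
    if mode == "aggressive" and len(dh_groups) != 1:
        raise ValueError("aggressive mode cannot negotiate DH groups: select a single group")


def negotiate(local, remote, mode):
    """local/remote: {'proposals': [(enc, auth), ...], 'dh_groups': [...]}.
    Returns the agreed (enc, auth, dh_group), or None if nothing matches."""
    validate_phase1(local["proposals"], local["dh_groups"], mode)
    for enc, auth in local["proposals"]:        # local preference order
        if (enc, auth) not in remote["proposals"]:
            continue
        if mode == "aggressive":
            # The group is fixed in the first message; the peer must use it too.
            group = local["dh_groups"][0]
            return (enc, auth, group) if group in remote["dh_groups"] else None
        common = [g for g in local["dh_groups"] if g in remote["dh_groups"]]
        return (enc, auth, common[0]) if common else None
    return None


def preshared_key_ok(key, recommended=False):
    """Minimum rule: at least 6 printable characters. With recommended=True,
    apply the stronger guidance: at least 16 alphanumeric characters."""
    if len(key) < 6 or not key.isprintable():
        return False
    if recommended:
        return len(key) >= 16 and key.isalnum()
    return True


def generate_preshared_key(length=16):
    """Random alphanumeric key from a CSPRNG, meeting the recommended rule."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed peers.
LOCAL = {"proposals": [("3des", "sha1"), ("aes128", "md5")], "dh_groups": [5, 2]}
REMOTE = {"proposals": [("aes128", "md5")], "dh_groups": [2]}

if __name__ == "__main__":
    print(negotiate(LOCAL, REMOTE, "main"))
    print(generate_preshared_key())
```

Note that in aggressive mode a mismatch in the single DH group ends the negotiation even when a proposal matches, which is why the page says the setting must be identical on both ends.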
2 Follow the general guidelines in these sections:
• “Phase 2 list” on page 251
• “Phase 2 basic settings” on page 251
• “Phase 2 advanced options” on page 252
For information about how to choose the correct phase 2 settings for your particular situation, refer to the FortiGate VPN Guide.
Note: The procedures in this section assume that you want the FortiGate unit to generate unique IPSec encryption and authentication keys automatically.
Tunnel Name: Type a name to identify the tunnel configuration.
Remote Gateway: Select the phase 1 configuration to assign to this tunnel. See “Phase 1” on page 246. The phase 1 configuration describes how remote peers or clients will be authenticated on this tunnel, and how the connection to the remote peer or client will be secured.
Concentrator: If the tunnel will be included in a hub-and-spoke configuration, you may select the concentrator from the list.
You can select one of the following message digests to check the authenticity of messages during an encrypted session:
• NULL: Do not use a message digest.
• MD5: Message Digest 5, the hash algorithm developed by RSA Data Security.
• SHA1: Secure Hash Algorithm 1, which produces a 160-bit message digest.
To specify one combination only, set the Encryption and Authentication options of the second combination to NULL. Selecting NULL for authentication in a combination that is actually used gives the tunnel traffic no integrity protection, so use it only to leave the second combination empty.
In both cases, you do not specify IPSec phase 1 and phase 2 parameters; you define manual keys on the VPN > IPSEC > Manual Key tab instead. If one of the VPN peers uses specific authentication and encryption keys to establish a tunnel, both VPN peers must be configured to use the same encryption and authentication algorithms and keys.
Manual key options

Figure 127: Adding a manual key VPN tunnel

VPN Tunnel Name: Type a name for the VPN tunnel.
Local SPI: Type a hexadecimal number (up to 8 characters, 0-9, a-f) that represents the SA that handles outbound traffic on the local FortiGate unit. The valid range is from 0xbb8 to 0xffffffff. This value must match the Remote SPI value in the manual key configuration at the remote peer.
Authentication Algorithm: Select one of the following message digests:
• MD5: Message Digest 5 algorithm, which produces a 128-bit message digest.
• SHA1: Secure Hash Algorithm 1, which produces a 160-bit message digest.
Authentication Key: If you selected:
• MD5, type a 32-character hexadecimal number (0-9, a-f) separated into two segments of 16 characters.
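A validator for the manual key fields above, checking that the SPI and authentication key of each end mirror the other end, as an added illustration that is not FortiGate code or part of this guide. The MD5 key length comes from the page; the SHA1 key length of 40 hex digits is derived from its 160-bit digest size (the page's SHA1 line is cut off); the sample tunnel values are constructed.

```python
"""Checks for the manual key fields described above: the SPI is a hex
number of at most 8 digits in 0xbb8..0xffffffff, each peer's Local SPI
must equal the other peer's Remote SPI, and both peers must use the same
authentication algorithm and key. Added illustration, not FortiGate code.
The MD5 key length (32 hex digits, two 16-digit segments) is from the page;
the SHA1 length (40 hex digits) is derived from its 160-bit digest size;
the sample tunnel values are constructed."""
import re

SPI_MIN, SPI_MAX = 0xBB8, 0xFFFFFFFF
AUTH_KEY_HEX_DIGITS = {"md5": 32, "sha1": 40}


def parse_spi(text):
    """Return the SPI as an int, or raise ValueError."""
    if not re.fullmatch(r"(0x)?[0-9a-f]{1,8}", text.lower()):
        raise ValueError(f"SPI {text!r}: up to 8 hex digits, 0-9 and a-f")
    value = int(text, 16)
    if not SPI_MIN <= value <= SPI_MAX:
        raise ValueError(f"SPI {text!r} is outside 0xbb8-0xffffffff")
    return value


def parse_auth_key(algorithm, text):
    """Accept the key with or without the space between segments; return bytes."""
    digits = AUTH_KEY_HEX_DIGITS[algorithm.lower()]
    compact = text.replace(" ", "").lower()
    if not re.fullmatch(rf"[0-9a-f]{{{digits}}}", compact):
        raise ValueError(f"{algorithm} key must be {digits} hex digits")
    return bytes.fromhex(compact)


def check_peer_pair(local, remote):
    """local/remote: dicts with local_spi, remote_spi, auth_alg, auth_key.
    Returns the list of mismatches; empty means the two ends agree."""
    problems = []
    if parse_spi(local["local_spi"]) != parse_spi(remote["remote_spi"]):
        problems.append("Local SPI must equal the remote peer's Remote SPI")
    if parse_spi(local["remote_spi"]) != parse_spi(remote["local_spi"]):
        problems.append("Remote SPI must equal the remote peer's Local SPI")
    if local["auth_alg"].lower() != remote["auth_alg"].lower():
        problems.append("authentication algorithms differ")
    elif parse_auth_key(local["auth_alg"], local["auth_key"]) != parse_auth_key(
        remote["auth_alg"], remote["auth_key"]
    ):
        problems.append("authentication keys differ")
    return problems


# Constructed configurations for the two ends of one tunnel.
KEY = "0123456789abcdef fedcba9876543210"
LOCAL = {"local_spi": "1000", "remote_spi": "2000", "auth_alg": "MD5", "auth_key": KEY}
REMOTE = {"local_spi": "2000", "remote_spi": "1000", "auth_alg": "MD5", "auth_key": KEY}

if __name__ == "__main__":
    print(check_peer_pair(LOCAL, REMOTE))
```

Because manual keys never change until someone edits them, a mismatch shows up only as silently dropped traffic; comparing both ends' configurations this way is cheaper than debugging the tunnel after the fact.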
Create New: Select Create New to define a new concentrator for an IPSec hub-and-spoke configuration.
Concentrator Name: The names of existing IPSec VPN concentrators.
Members: The tunnels that are associated with the concentrator.
Edit, view, or delete concentrators.

Concentrator options

Figure 129: Creating a concentrator for a hub-and-spoke configuration

Concentrator Name: Type a name for the concentrator.
Available Tunnels: A list of defined IPSec VPN tunnels.
2 Select Enable.
3 In the Source IP 1 field, type the private IP address or subnet address from which traffic may originate locally (for example, 192.168.20.12 or 192.168.20.0 respectively).
4 In the Destination IP 1 field, enter the IP address of a remote computer:
• For a peer-to-peer configuration, the destination address is the private IP address of a server or host behind the remote VPN peer (for example, 172.16.5.1/32).
To establish or take down a VPN tunnel
1 Go to VPN > IPSEC > Monitor.
2 In the list of tunnels, select the Bring down tunnel or Bring up tunnel button in the row that corresponds to the tunnel that you want to bring down or up.
If you take down an active tunnel while a dialup client such as FortiClient is still connected, FortiClient will continue to show the tunnel as connected and idle. The dialup client must disconnect before another tunnel can be initiated.
Name: The name of the tunnel.
Remote gateway: The IP address and UDP port of the remote gateway. For dynamic DNS tunnels, the IP address is updated dynamically.
Timeout: The time before the next key exchange. The time is calculated by subtracting the time elapsed since the last key exchange from the keylife.
Proxy ID Source: The IP address of the host, server, or private network behind the FortiGate unit.
Enable PPTP: You must add a user group before you can select this option.
Starting IP: Type the starting address in the range of reserved IP addresses.
Ending IP: Type the ending address in the range of reserved IP addresses.
User Group: Select the name of the PPTP user group that you defined.
Disable PPTP: Select this option to disable PPTP support.

L2TP

A FortiGate unit can be configured to act as an L2TP network server.
Certificates

Digital certificates are downloadable files that you can install on the FortiGate unit and on remote peers and clients for authentication purposes. An X.509 digital certificate contains information that has been digitally signed by a trusted third party known as a certificate authority (CA). Because the CA is trusted, the certificates issued by that CA are deemed to be trustworthy.

To view and manage local certificates
1 Go to VPN > Certificates > Local Certificates.
Figure 136: Certificate details

Certificate request

To obtain a personal or site certificate, you must send a request to a CA that provides digital certificates that adhere to the X.509 standard. The FortiGate unit provides a way for you to generate the request. The generated request includes information such as the FortiGate unit’s public static IP address, domain name, or email address.

To generate a certificate request
1 Go to VPN > Certificates > Local Certificates.
Certification Name: Type a certificate name. Typically, this is the name of the FortiGate unit.
Subject Information: Enter the information needed to identify the FortiGate unit. Preferably use an IP address or domain name. If this is impossible (such as with a dialup client), use an email address.
• For Host IP, enter the public IP address of the FortiGate unit being certified.
CA certificate list

Follow the CA’s instructions to download its root certificate, and then install the root certificate on the FortiGate unit. The installed CA certificates are displayed in the CA certificate list.

Figure 139: CA certificate list

Import: Select to import a CA root certificate. See “Importing CA certificates” on page 265.
Name: The names of existing CA root certificates.
VPN configuration procedures

The FortiGate VPN Guide uses a task-based approach to provide all of the procedures needed to create different types of VPN configurations. The guide contains the following chapters:
• “Configuring IPSec VPNs” describes how to set up various IPSec VPN configurations.
• “Configuring PPTP VPNs” describes how to configure a PPTP tunnel between a FortiGate unit and a PPTP client.
2 In the Address Name field, type a name that represents the local network, server(s), or host(s) from which IP packets may originate on the private network behind the local FortiGate unit.
3 In the IP Range/Subnet field, type the corresponding IP address and subnet mask (for example, 172.16.5.0/24 for a subnet, or 172.16.5.1/32 for a server or host) or IP address range (for example, 192.168.10.[80-100]).
4 Select OK.
3 You may enable a protection profile and/or event logging, or select advanced settings to shape traffic or differentiate services. See the “Firewall” chapter of the FortiGate Administration Guide.
4 Select OK.
5 Place the policy in the policy list above any other policies having similar source and destination addresses.
CLI configuration

This section provides information about features that must be configured through CLI commands. CLI commands provide additional network options that cannot be configured through the web-based manager. For complete descriptions and examples of how to use CLI commands, see the FortiGate CLI Reference Guide.

ipsec phase1

In the web-based manager, the Dead Peer Detection option can be enabled when you define advanced Phase 1 options.
ipsec phase1 command keywords and variables (continued)

dpd-retrycount
Description: The DPD retry count when dpd is set to enable. Set the number of times that the local VPN peer sends a DPD probe before it considers the link to be dead and tears down the security association (SA). The dpd-retrycount range is 0 to 10.
Default: 3
ipsec phase2

Use the config vpn ipsec phase2 CLI command to add or edit an IPSec VPN phase 2 configuration.
ipsec phase2 command keywords and variables (continued)

selector {policy | wildcard | specify}
Description: Enter the method for choosing selectors for IKE negotiations:
• Select policy to choose a selector from a firewall encryption policy. The VPN tunnel referenced in the firewall encryption policy will be referenced.
• Select wildcard to disable selector negotiation for this tunnel.

single-source {disable | enable}

srcaddr
Note: The interface to the destination network must be associated with a VPN tunnel through a firewall encryption policy (the action must be set to encrypt). The policy determines which VPN tunnel will be selected to forward traffic to the destination. When you create IPSec VIP entries, check the encryption policy on the FortiGate interface to the destination network to ensure that it meets your requirements. For more information, see “Configuring IPSec virtual IP addresses” on page 274.
Note: Typing next lets you define another VIP address without leaving the vip shell.
This example shows how to display the settings for the vpn ipsec vip command.
get vpn ipsec vip
This example shows how to display the settings for the VIP entry named 1.
get vpn ipsec vip 1
This example shows how to display the current configuration of all existing VIP entries.
When Host_1 attempts to send a packet to Host_2 for the first time, Host_1 issues an ARP request locally for the MAC address of Host_2. However, because Host_2 resides on a remote network, it does not respond. Instead, the FortiGate unit responds with its own MAC address. From that point on, Host_1 keeps the MAC address of the FortiGate unit in its ARP cache and the FortiGate unit acts as a proxy for Host_2.
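The proxy ARP exchange described above, built and parsed at the frame level, as an added illustration that is not FortiGate code or part of this guide. The MAC addresses, the VIP range 172.16.5.0/24 and the decision to answer only for addresses inside a VIP range are assumptions of the example; the host addresses reuse the 192.168.20.12 and 172.16.5.1 examples from earlier in this chapter.

```python
"""Proxy ARP behaviour described above: when a local host ARPs for an
address that is actually behind the VPN tunnel (an IPSec VIP range), the
gateway answers with its own MAC so the host sends the traffic to it.
Added illustration, not FortiGate code; frames, MAC addresses and the VIP
range are constructed."""
import ipaddress
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"   # RFC 826 fields for Ethernet/IPv4, 28 bytes


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP request (broadcast) or reply (unicast)."""
    dst = b"\xff" * 6 if opcode == ARP_REQUEST else target_mac
    eth = struct.pack("!6s6sH", dst, sender_mac, ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, opcode,
                      sender_mac, ipaddress.IPv4Address(sender_ip).packed,
                      target_mac, ipaddress.IPv4Address(target_ip).packed)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields as a dict, or None if this is not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sha": sha, "spa": ipaddress.IPv4Address(spa),
            "tha": tha, "tpa": ipaddress.IPv4Address(tpa)}


class ProxyArpGateway:
    """Answers ARP requests for remote hosts covered by the VIP ranges."""

    def __init__(self, own_mac, vip_ranges):
        self.mac = own_mac
        self.vips = [ipaddress.ip_network(r) for r in vip_ranges]

    def handle(self, frame):
        """Return the reply frame to send, or None when the request is not ours."""
        arp = parse_arp(frame)
        if arp is None or arp["op"] != ARP_REQUEST:
            return None
        if not any(arp["tpa"] in net for net in self.vips):
            return None                       # a local host will answer itself
        # Reply claiming the remote host's IP with the gateway's own MAC.
        return build_arp(ARP_REPLY, self.mac, str(arp["tpa"]), arp["sha"], str(arp["spa"]))


# Constructed addresses: Host_1 on the local LAN, Host_2 behind the tunnel.
GATEWAY_MAC = bytes.fromhex("020000000001")   # locally administered, made up
HOST1_MAC = bytes.fromhex("020000000002")
HOST1_IP, HOST2_IP = "192.168.20.12", "172.16.5.1"


def demo():
    """Host_1 asks for Host_2; the gateway answers with GATEWAY_MAC."""
    gw = ProxyArpGateway(GATEWAY_MAC, ["172.16.5.0/24"])
    request = build_arp(ARP_REQUEST, HOST1_MAC, HOST1_IP, b"\0" * 6, HOST2_IP)
    return parse_arp(gw.handle(request))


if __name__ == "__main__":
    print(demo())
```

The range check is the important part: a gateway that answered every ARP request would hijack traffic between local hosts, which is exactly why the note above tells you to check the encryption policy that the VIP entries depend on.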
IPS

The FortiGate Intrusion Prevention System (IPS) combines signature- and anomaly-based intrusion detection and prevention with low latency and excellent reliability. The FortiGate unit can record suspicious traffic in logs, can send alert email to system administrators, and can log, pass, drop, reset, or clear suspicious packets or sessions. You can adjust some IPS anomaly thresholds to work best with the normal traffic on the protected networks.
This chapter describes:
• Signature
• Anomaly
• Configuring IPS logging and alert email
• Default fail open setting

Signature

The FortiGate IPS matches network traffic against patterns contained in attack signatures. Attack signatures reliably protect your network from known attacks. Fortinet’s FortiProtect infrastructure ensures the rapid identification of new threats and the development of new attack signatures.
Predefined signature list

You can enable or disable groups of predefined signatures and configure the settings for individual predefined signatures from the predefined signature list.

Figure 142: A portion of the predefined signature list

Group Name: The signature group names.
Enable: The status of the signature group. A white check mark in a green circle indicates the signature group is enabled. A white X in a grey circle indicates the signature group is disabled.
Table 24: Actions to select for each predefined signature

Reset Client: The FortiGate unit drops the packet that triggered the signature, sends a reset to the client, and removes the session from the FortiGate session table. Used for TCP connections only. If you set this action for attacks that are not TCP connection based, the action behaves as Clear Session. If the Reset Client action is triggered before the TCP connection is fully established, it acts as Clear Session.
4 Select the Enable box to enable the signature or clear the Enable box to disable the signature.
5 Select the Logging box to enable logging for this signature or clear the Logging box to disable logging for this signature.
6 Select the Action for the FortiGate unit to take when traffic matches this signature. (See Table 24.)
7 Select OK.

To restore the recommended settings of a signature
1 Go to IPS > Signature > Predefined.
idle_timeout: If a session is idle for longer than this number of seconds, the session is no longer maintained by tcp_reassembler.
min_ttl: A packet with a higher TTL number in its IP header than the number specified here is not processed by tcp_reassembler.
port_list: A comma-separated list of ports. The dissector can decode these TCP ports.
bad_flag_list: A comma-separated list of bad TCP flags.
reassembly_direction: Valid settings are from-server, from-client, or both.
Clear all custom signatures: Remove all the custom signatures from the custom signature group.
Reset to recommended settings?: Reset all the custom signatures to the recommended settings.
Name: The custom signature names.
Revision: The revision number for each custom signature. The revision number is a number you assign to the signature when you create or revise it.
Enable: The status of each custom signature. A white check mark in a green circle indicates the signature is enabled.
Caution: Restoring the custom signature list overwrites the existing file.

Anomaly

The FortiGate IPS uses anomaly detection to identify network traffic that does not fit known or preset traffic patterns. The FortiGate IPS identifies four statistical anomaly types for the TCP, UDP, and ICMP protocols.
Flooding: If the number of sessions targeting a single destination in one second is over a threshold, the destination is experiencing flooding.
Action: The action set for each anomaly. Action can be Pass, Drop, Reset, Reset Client, Reset Server, Drop Session, Clear Session, or Pass Session.
Modify: The Edit and Reset icons. If you have changed the settings for an anomaly, you can use the Reset icon to change the settings back to the recommended settings.

Configuring an anomaly

Each anomaly is preset with a recommended configuration. By default all anomaly signatures are enabled.
Reset: The FortiGate unit drops the packet that triggered the anomaly, sends a reset to both the client and the server, and removes the session from the FortiGate session table. Used for TCP connections only. If you set this action for attacks that are not TCP connection based, the action behaves as Clear Session. If the Reset action is triggered before the TCP connection is fully established, it acts as Clear Session.
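The flooding anomaly defined above, with the rule that the reset actions only apply to established TCP sessions and otherwise fall back to Clear Session, run over a constructed session log, as an added illustration that is not FortiGate code or part of this guide. The session records, the threshold of 10 sessions per second and the chosen action are assumptions of the example; the real unit's thresholds and session accounting are not shown on the page.

```python
"""Flooding detection as described above (more sessions to one destination
in one second than the threshold) and the rule that Reset, Reset Client and
Reset Server apply only to established TCP sessions and otherwise behave as
Clear Session. Added illustration, not FortiGate code; the session records,
threshold and chosen action are constructed."""
from collections import Counter

RESET_ACTIONS = {"Reset", "Reset Client", "Reset Server"}


def effective_action(action, proto, tcp_established):
    """What a configured action actually does for a given session."""
    if action in RESET_ACTIONS and (proto != "tcp" or not tcp_established):
        return "Clear Session"
    return action


def detect_flooding(sessions, threshold):
    """sessions: iterable of (time_seconds, proto, src, dst).
    Returns {(second, proto, dst): count} for each bucket over threshold."""
    counts = Counter((int(t), proto, dst) for t, proto, _src, dst in sessions)
    return {key: n for key, n in counts.items() if n > threshold}


def respond(sessions, threshold, action):
    """Decide the concrete action per flooded destination. Returns
    [(second, proto, dst, count, effective_action), ...] in time order."""
    decisions = []
    for (sec, proto, dst), n in sorted(detect_flooding(sessions, threshold).items()):
        # A flood of new sessions is not an established TCP connection,
        # so the reset variants degrade to Clear Session here.
        decisions.append((sec, proto, dst, n, effective_action(action, proto, False)))
    return decisions


# Constructed session log: 12 TCP sessions to 10.0.0.5 within second 100
# from different sources, plus a little ordinary UDP traffic.
SESSIONS = [(100.0 + i / 20, "tcp", f"10.1.1.{i}", "10.0.0.5") for i in range(12)]
SESSIONS += [(100.3, "udp", "10.1.2.1", "10.0.0.9"), (101.1, "udp", "10.1.2.2", "10.0.0.9")]

if __name__ == "__main__":
    print(respond(SESSIONS, threshold=10, action="Reset Client"))
```

The practical consequence of the fallback rule: choosing Reset Client for a SYN flood does not send any resets, because none of the flooding sessions are established, so Clear Session or Drop Session describes what will actually happen.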
Anomaly CLI configuration

Note: This guide only covers Command Line Interface (CLI) commands that are not represented in the web-based manager. For complete descriptions and examples of how to use CLI commands see the FortiGate CLI Reference Guide.

(config ips anomaly) config limit

Note: This command has more keywords than are listed in this guide. See the FortiGate CLI Reference Guide for a complete list of commands and keywords.
Configuring IPS logging and alert email

Whenever the IPS detects or prevents an attack, it generates an attack message. You can configure the FortiGate unit to add the message to the attack log and to send an alert email to administrators. You can configure how often the FortiGate unit sends alert email.
Antivirus

Antivirus provides configuration access to most of the antivirus options you enable when you create a firewall protection profile. While antivirus settings are configured for system-wide use, you can implement specific settings on a per-profile basis. Table 25 describes the antivirus settings and where to configure and access them.
Protection profile configuration

For information about configuring protection profiles, see “Protection profile” on page 222. For information about adding protection profiles to firewall policies, see “To add a protection profile to a policy” on page 229.

Order of antivirus operations

Antivirus processing includes various modules and engines that perform separate tasks.
This section describes:
• File block list
• Configuring the file block list

File block list

The file block list is preconfigured with a default list of file patterns:
• executable files (*.bat, *.com, and *.exe)
• compressed or archive files (*.gz, *.rar, *.tar, *.tgz, and *.zip)
• dynamic link libraries (*.dll)
• HTML applications (*.hta)
• Microsoft Office files (*.doc, *.ppt, *.xl?)
• Microsoft Works files (*.wps)
• Visual Basic files (*.
FTP: Displays a check mark if file blocking is enabled to block the file pattern in FTP traffic.
IMAP: Displays a check mark if file blocking is enabled to block the file pattern in IMAP traffic.
POP3: Displays a check mark if file blocking is enabled to block the file pattern in POP3 traffic.
SMTP: Displays a check mark if file blocking is enabled to block the file pattern in SMTP traffic.
The Delete and Edit/View icons.
Figure 153: Sample quarantined files list

Quarantined files list options

The quarantined files list has the following features and displays the following information about each quarantined file:
Apply: Select Apply to apply the sorting and filtering selections to the quarantined files list.
Sort by: Sort the list. Choose from: status, service, file name, date, TTL, or duplicate count. Select Apply to complete the sort.
Filter: Filter the list.
AutoSubmit list

You can configure the FortiGate unit to automatically upload suspicious files to Fortinet for analysis. You can add file patterns to the AutoSubmit list using wildcard characters (* or ?). File patterns are applied for AutoSubmit regardless of file blocking settings. You can also upload files to Fortinet based on status (blocked or heuristics) or submit individual files directly from the quarantined files list.
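Pattern matching for the per-protocol file block list described under “File block list” and for the AutoSubmit list above, which is matched independently of blocking, as an added illustration that is not FortiGate code or part of this guide. The rules are constructed from the default patterns listed on the page; which protocols each default pattern blocks on, and the AutoSubmit entries, are assumptions of the example.

```python
"""File blocking with the per-protocol file pattern list described above,
and the AutoSubmit list, which is matched independently of blocking.
Patterns use * and ? as the page describes. Added illustration, not
FortiGate code; the rules below are constructed from the default patterns
listed above and are not the unit's actual default per-protocol settings."""
import fnmatch

PROTOCOLS = ("http", "ftp", "imap", "pop3", "smtp")

# Constructed file block list: (pattern, protocols on which it blocks).
FILE_BLOCK_LIST = [
    ("*.exe", set(PROTOCOLS)),
    ("*.bat", set(PROTOCOLS)),
    ("*.zip", {"imap", "pop3", "smtp"}),     # mail only in this example
    ("*.xl?", {"smtp"}),
]
# Constructed AutoSubmit list.
AUTOSUBMIT_LIST = ["*.exe", "invoice?.zip"]


def matches(filename, pattern):
    """Case-insensitive wildcard match. fnmatchcase is used so the result
    does not depend on the host operating system's case rules."""
    return fnmatch.fnmatchcase(filename.lower(), pattern.lower())


def blocking_pattern(filename, protocol, rules=FILE_BLOCK_LIST):
    """First pattern that blocks filename on protocol, or None."""
    for pattern, protocols in rules:
        if protocol in protocols and matches(filename, pattern):
            return pattern
    return None


def should_autosubmit(filename, patterns=AUTOSUBMIT_LIST):
    """AutoSubmit is decided from its own list, whatever blocking says."""
    return any(matches(filename, p) for p in patterns)


def decide(filename, protocol):
    """Returns (action, matched_block_pattern, autosubmit)."""
    pattern = blocking_pattern(filename, protocol)
    return ("block" if pattern else "pass", pattern, should_autosubmit(filename))


if __name__ == "__main__":
    for name, proto in [("setup.EXE", "http"), ("data.zip", "http"),
                        ("data.zip", "smtp"), ("invoice7.zip", "ftp"), ("q1.xls", "smtp")]:
        print(name, proto, decide(name, proto))
```

Matching on the lower-cased name is deliberate: an attachment named SETUP.EXE must hit the *.exe rule just as setup.exe does, and a pattern list that is case-sensitive is an easy bypass.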
Config

Go to Config to set quarantine configuration options, including whether to quarantine blocked or infected files and from which service. You can also configure the time to live and file size values, and enable AutoSubmit settings.

Figure 156: Quarantine configuration

Quarantine configuration has the following options:
Quarantine Infected Files: Select the protocols from which to quarantine infected files identified by antivirus scanning.
Config

Config displays a list of the current viruses blocked by the FortiGate unit. You can also configure file and email size limits, and grayware blocking.
This section describes:
• Virus list
• Config
• Grayware
• Grayware options

Virus list

The virus list displays the current viruses blocked, in alphabetical order. You can view the entire list or parts of the list by selecting the number or alphabet ranges.
Figure 158: Example threshold configuration

You can enable oversized file blocking in a firewall protection profile. To access protection profiles go to Firewall > Protection Profile, select Anti-Virus > Oversized File/Email and choose to pass or block oversized email and files for each protocol. Further file size limits for uncompressed files can be configured as an advanced feature via the CLI. See “CLI configuration” on page 299.
The categories may change or expand when the FortiGate unit receives updates. In the example above you can choose to enable the following grayware categories. Enabling a grayware category blocks all files listed in the category.
Adware: Select enable to block adware programs. Adware is usually embedded in freeware programs and causes ads to pop up whenever the program is opened or used.
Dial: Select enable to block dialer programs.
CLI configuration

Note: This guide only covers Command Line Interface (CLI) commands that are not represented in the web-based manager. For complete descriptions and examples of how to use CLI commands see the FortiGate CLI Reference Guide.

config antivirus heuristic

The FortiGate heuristic antivirus engine performs tests on files to detect virus-like behavior or known virus indicators.
This example shows how to display the settings for the antivirus heuristic command.
get antivirus heuristic
This example shows how to display the configuration for the antivirus heuristic command.
show antivirus heuristic

config antivirus quarantine

The quarantine command also allows configuration of heuristic-related settings.
Note: This command has more keywords than are listed in this guide.
config antivirus service http

config antivirus service http
    unset
end
get antivirus service [http]
show antivirus service [http]

antivirus service http command keywords and variables

memfilesizelimit
Description: Set the maximum file size (in megabytes) that can be buffered to memory for virus scanning. The maximum file size allowed is 10% of the FortiGate RAM size.
Default: 10 (MB)

port

uncompsizelimit
Example

This example shows how to set the maximum file size that can be buffered to memory for scanning to 12 MB, the maximum uncompressed file size that can be buffered to memory for scanning to 15 MB, and how to enable antivirus scanning on ports 70, 80, and 443 for HTTP traffic.

config antivirus service http
    set memfilesizelimit 12
    set uncompsizelimit 15
    set port 70
    set port 80
    set port 443
end

This example shows how to display the antivirus HTTP traffic settings.
antivirus service ftp command keywords and variables

memfilesizelimit: Set the maximum file size that can be buffered to memory for virus scanning. The maximum file size allowed is 10% of the FortiGate RAM size. For example, a FortiGate unit with 256 MB of RAM could have a threshold range of 1 MB to 25 MB. Oversized files can be passed or blocked in a firewall protection profile.
config antivirus service pop3

Use this command to configure how the FortiGate unit handles antivirus scanning of large files in POP3 traffic and what ports the FortiGate unit scans for POP3.
Example

This example shows how to set the maximum file size that can be buffered to memory for scanning at 20 MB, the maximum uncompressed file size that can be buffered to memory for scanning at 60 MB, and how to enable antivirus scanning on ports 110, 111, and 992 for POP3 traffic.
config antivirus service imap

antivirus service imap command keywords and variables

Keywords and variables: memfilesizelimit, port, uncompsizelimit

memfilesizelimit: Set the maximum file size that can be buffered to memory for virus scanning. The maximum file size allowed is 10% of the FortiGate RAM size. For example, a FortiGate unit with 256 MB of RAM could have a threshold range of 1 MB to 25 MB. Default: 10 (MB)
config antivirus service smtp

Use this command to configure how the FortiGate unit handles antivirus scanning of large files in SMTP traffic, what ports the FortiGate unit scans for SMTP, and how the FortiGate unit handles interaction with an SMTP server for delivery of email with infected email file attachments.
Example

This example shows how to set the maximum file size that can be buffered to memory for scanning at 100 MB, the maximum uncompressed file size that can be buffered to memory for scanning at 1 GB (1000 MB), and how to enable antivirus scanning on ports 25 and 465 for SMTP traffic.

config antivirus service smtp
    set memfilesizelimit 100
    set uncompsizelimit 1000
    set port 25
    set port 465
end

This example shows how to display the antivirus SMTP traffic settings.
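To see how these limits behave in practice, here is an added Python example (not Fortinet code) that parses the HTTP and SMTP example blocks from this chapter and checks each memfilesizelimit against the 10%-of-RAM rule from the keyword tables; the 256 MB RAM size is an assumed parameter, matching the figure the tables use.

```python
"""Parse 'config antivirus service <protocol>' CLI blocks and check each
memfilesizelimit against the 10%-of-RAM rule from the keyword tables.
Added example, not Fortinet code. The RAM size is an assumed parameter."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed input: the HTTP and SMTP example blocks from this chapter, as a
# user might paste them from a console session.
CLI_TEXT = """\
config antivirus service http
set memfilesizelimit 12
set uncompsizelimit 15
set port 70
set port 80
set port 443
end
config antivirus service smtp
set memfilesizelimit 100
set uncompsizelimit 1000
set port 25
set port 465
end
"""


@dataclass
class ServiceConfig:
    protocol: str
    memfilesizelimit: int = 10              # default from the keyword table (MB)
    uncompsizelimit: Optional[int] = None   # no default given on this page
    ports: List[int] = field(default_factory=list)


def parse_av_services(text: str) -> Dict[str, ServiceConfig]:
    """Return one ServiceConfig per 'config antivirus service <protocol>' block."""
    services: Dict[str, ServiceConfig] = {}
    current: Optional[ServiceConfig] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        block = re.fullmatch(r"config antivirus service (\w+)", line)
        if block:
            current = ServiceConfig(protocol=block.group(1))
            services[current.protocol] = current
            continue
        if line == "end":
            if current is None:
                raise ValueError("'end' without a matching config block")
            current = None
            continue
        if current is None:
            raise ValueError(f"'set' outside a config block: {line}")
        setting = re.fullmatch(r"set (\w+) (\d+)", line)
        if not setting:
            raise ValueError(f"unrecognised line: {line}")
        key, value = setting.group(1), int(setting.group(2))
        if key == "port":
            current.ports.append(value)     # repeated 'set port' lines accumulate
        elif key in ("memfilesizelimit", "uncompsizelimit"):
            setattr(current, key, value)
        else:
            raise ValueError(f"unknown keyword: {key}")
    if current is not None:
        raise ValueError("config block not closed with 'end'")
    return services


def max_memfilesize_mb(ram_mb: int) -> int:
    """Largest memfilesizelimit the guide allows: 10% of the unit's RAM.
    For a 256 MB unit this is 25 MB, matching the range in the tables."""
    return ram_mb // 10


def check_limits(services: Dict[str, ServiceConfig], ram_mb: int) -> List[str]:
    """Return one finding per service whose memfilesizelimit exceeds the ceiling."""
    ceiling = max_memfilesize_mb(ram_mb)
    findings = []
    for name, svc in services.items():
        if svc.memfilesizelimit > ceiling:
            findings.append(f"{name}: memfilesizelimit {svc.memfilesizelimit} MB "
                            f"exceeds the {ceiling} MB ceiling for a {ram_mb} MB unit")
    return findings


if __name__ == "__main__":
    cfg = parse_av_services(CLI_TEXT)
    for finding in check_limits(cfg, ram_mb=256):
        print("WARNING:", finding)
```

On a 256 MB unit the SMTP block's 100 MB buffer is flagged while the HTTP block's 12 MB passes.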
FortiGate-100A Administration Guide Version 2.80 MR7

Web filter

Web filter provides configuration access to the Web filtering and Web category filtering options you enable when you create a firewall Protection Profile. To access protection profile web filter options go to Firewall > Protection Profile, select edit or Create New, and select Web Filtering or Web Category Filtering. See “Protection profile options” on page 223.
Table 28: Web filter and Protection Profile web category filtering configuration

Protection Profile web category filtering option: Enable category block (HTTP only)
Web Filter setting: Web Filter > Category Block > Configuration
Enable FortiGuard web filtering. Enable or disable FortiGuard and enable and set the size limit for the cache.

Protection Profile web category filtering option: Block unrated websites (HTTP only)
Block any web pages that have not been rated by the FortiGuard.
Web content block list

Content block

Control web content by blocking specific words or word patterns. The FortiGate unit blocks web pages containing banned words and displays a replacement message instead. You can use Perl regular expressions or wildcards to add banned word patterns to the list. See “Using Perl regular expressions” on page 335.

Note: Perl regular expression patterns are case sensitive for Web Filter content block.
Configuring the web content block list

Figure 161: Adding a banned word to the content block list

When you select Create New or Edit you can configure the following settings for the banned word.

Banned word: Enter the word or pattern you want to include in the banned word list.
Pattern type: Select the pattern type for the banned word. Choose from wildcard or regular expression. See “Using Perl regular expressions” on page 335.
Web URL block list

Note: URL blocking does not block access to other services that users can access with a web browser. For example, URL blocking does not block access to ftp://ftp.badsite.com. Instead, you can use firewall policies to deny FTP connections.
Configuring the web URL block list

Note: Do not use regular expressions in the web URL block list. You can use regular expressions in the web pattern block list to create URL patterns to block. See “Web pattern block list” on page 314.

Note: You can type a top-level domain suffix (for example, “com” without the leading period) to block access to all URLs with this suffix.

To add a URL to the web URL block list
1 Go to Web Filter > URL Block.
Web pattern block options

Figure 164: Sample web pattern block list

Web pattern block has the following icons and features:
Create New: Select Create New to add a new pattern to the web pattern block list.
Pattern: The current list of blocked patterns. Select the check box to enable all the web patterns in the list.
The Delete and Edit/View icons.

Configuring web pattern block

To add a pattern to the web pattern block list
1 Go to Web Filter > URL Block.
URL exempt list

You can configure specific URLs as exempt from web filtering. URLs on the exempt list are not scanned for viruses. If users on your network download files through the FortiGate unit from a trusted website, you can add the URL of this website to the exempt list so that the FortiGate unit does not virus scan files downloaded from this URL.
FortiGuard managed web filtering service

Category block

You can filter HTTP content by specific categories using the FortiGuard managed web filtering service.
FortiGuard licensing

Every FortiGate unit comes with a free 30-day FortiGuard trial license. FortiGuard license management is done by Fortinet servers, so there is no need to enter a license number. The FortiGate unit will then automatically contact a FortiGuard Service Point when you enable FortiGuard category blocking. When you want to renew your FortiGuard license after the free trial, contact Fortinet Technical Support.
TTL: Time to live. The number of seconds to store URL ratings in the cache before contacting the server again.
To have a URL's category rating re-evaluated, please click here: Select the link to have a web site re-evaluated if you think the category rating is incorrect. You must provide a complete valid URL.

Configuring web category block

To enable FortiGuard web filtering
1 Go to Web Filter > Category Block.
2 Select Enable Service.
Category block reports options

The following table describes the options for generating reports:
Profile: Select the profile for which you want to generate a report.
Report Type: Select the time frame for which you want to generate the report. Choose from hour, day, or all historical statistics.
Report Range: Select the time range (24 hour clock) or day range (from six days ago to today) for which you want the report.
Category block CLI configuration

Command syntax pattern
config webfilter catblock
    set
end
config webfilter catblock
    unset
end
get webfilter catblock
show webfilter catblock

catblock command keywords and variables

ftgd_hostname: The hostname of the FortiGuard Service Point. The FortiGate comes preconfigured with the host name. Use this command only if you need to change the host name. Default: guard.
Web script filter options

Figure 170: Script filtering options

Note: Blocking any of these items may prevent some web pages from functioning and displaying correctly.

Note: Enable Web filtering > Web Script Filter in your firewall Protection Profile to activate the script filter settings.

You can configure the following options for script filtering:
Javascript: Select Javascript to block all Javascript-based pages or applications.
Spam filter

Spam filter provides configuration access to the spam filtering options you enable when you create a firewall protection profile. While spam filters are configured for system-wide use, you can enable the filters on a per profile basis. Spam filter can be configured to manage unsolicited commercial email by detecting spam email messages and identifying spam transmissions from known or suspected spam servers.
Table 29: Spam Filter and Protection Profile spam filtering configuration

Protection Profile spam filtering option: E-mail address BWL check
Spam filter setting: Spam Filter > E-mail Address
Enable or disable checking incoming email addresses against the configured spam filter email address list. Add to and edit email addresses to the list, with the option of using wildcards and regular expressions. You can configure the action to take as spam or reject for each email address.
Order of spam filter operations

Generally, incoming email is passed through the spam filters in the order the filters appear in the spam filtering options list in a firewall protection profile (and in Table 29): FortiShield, IP address, RBL & ORDBL, HELO DNS lookup, email address, return email DNS check, MIME header, and banned word (content block). Each filter passes the email to the next if no matches or problems are found.
FortiShield options

Both FortiShield antispam processes are completely automated and configured by Fortinet. With constant monitoring and dynamic updates, FortiShield is always current. You can enable or disable FortiShield in a firewall protection profile. See “Configuring spam filtering options” on page 226.
4 Select Apply.
You can now enable FortiShield for any firewall protection profile you create. See “Configuring spam filtering options” on page 226. Once you select Apply, the FortiShield license type and expiration date appear on the configuration screen (Spam Filter > FortiShield).

IP address

The FortiGate unit uses the IP address list to filter incoming email. The FortiGate unit compares the IP address of the sender to the list in sequence.
Action: The action to take on email from the configured IP address. Actions are: Mark as Spam to apply the spam action configured in the protection profile, Mark as Clear to let the email pass to the next filter, or Mark as Reject (SMTP only) to drop the session.
The Delete and Edit/View icons.

Configuring the IP address list

To add an IP address to the IP address list
1 Go to Spam Filter > IP Address.
2 Select Create New.
Note: Because the FortiGate unit uses the server domain name to connect to the RBL or ORDBL server, it must be able to look up this name on the DNS server. For information on configuring DNS, see “DNS” on page 61.

This section describes:
• RBL & ORDBL list
• RBL & ORDBL options
• Configuring the RBL & ORDBL list

RBL & ORDBL list

You can configure the FortiGate unit to filter email by accessing RBL or ORDBL servers. You can mark a match by each server as spam or reject.
Figure 175: Adding an RBL or ORDBL server
3 Enter the domain name of the RBL or ORDBL server you want to add.
4 Select the action to take on email matched by the server.
5 Select Enable.
6 Select OK.

Email address

The FortiGate unit uses the email address list to filter incoming email. The FortiGate unit compares the email address or domain of the sender to the list in sequence. If a match is found, the corresponding protection profile action is taken.
Email address: The current list of email addresses.
Pattern Type: The pattern type used in the email address entry. Choose from wildcard or regular expression. See “Using Perl regular expressions” on page 335.
Action: The action to take on email from the configured address. Actions are: Mark as Spam to apply the spam action configured in the protection profile, or Mark as Clear to let the email pass to the next filter.
The Delete and Edit/View icons.
MIME headers list

You can use the MIME headers list to mark email from certain bulk mail programs or with certain types of content that are common in spam messages. You can choose to mark the email as spam or clear for each header you configure. The FortiGate unit compares the MIME header key-value pair of incoming email to the list pair in sequence. If a match is found, the corresponding protection profile action is taken. If no match is found, the email is passed on to the next spam filter.
Configuring the MIME headers list

To add a MIME header to the list
1 Go to Spam Filter > MIME headers.
2 Select Create New.
Figure 179: Adding a MIME header
3 Enter the MIME header key.
4 Enter the MIME header value.
5 Select a pattern type for the list entry.
6 Select the action to take on email with that MIME header key-value.
7 Select OK.

Banned word

Control spam by blocking email containing specific words or patterns.
Banned word list

You can add one or more banned words to sort email containing those words in the email subject, body, or both. Words can be marked as spam or clear. Banned words can be one word or a phrase up to 127 characters long. If you enter a single word, the FortiGate unit blocks all email that contains that word. If you enter a phrase, the FortiGate unit blocks all email containing the exact phrase. To block any word in a phrase, use Perl regular expressions.
Figure 181: Adding a banned word
Pattern: Enter the word or phrase you want to include in the banned word list.
Pattern Type: Select the pattern type for the banned word. Choose from wildcard or regular expression. See “Using Perl regular expressions” on page 335.
Language: Select the character set for the banned word. Choose from: Chinese Simplified, Chinese Traditional, French, Japanese, Korean, Thai, or Western.
Regular expression vs. wildcard match pattern

In Perl regular expressions, the ‘.’ character refers to any single character. It is similar to the ‘?’ character in a wildcard match pattern. As a result:
• fortinet.com not only matches fortinet.com but also matches fortinetacom, fortinetbcom, fortinetccom and so on.
To match a special character such as ‘.’ and ‘*’ use the escape character ‘\’. For example:
• To match fortinet.
Table 30: Perl regular expression formats

[Aa]bc: either of Abc and abc
[abc]+: any (nonempty) string of a's, b's and c's (such as a, abba, acbabcacaa)
[^abc]+: any (nonempty) string which does not contain any of a, b and c (such as defg)
\d\d: any two decimal digits, such as 42; same as \d{2}
/i: makes the pattern case insensitive. For example, /bad language/i blocks any instance of bad language regardless of case.
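The following added Python example (not Fortinet code; Python's re module stands in for the Perl engine, which it matches for the constructs in Table 30) shows how a banned-word entry is matched under each pattern type, why fortinet.com must be escaped in regular expression mode, and how a trailing /i is handled. The wildcard rule that ‘*’ matches any run of characters is an assumption beyond the ‘?’ behaviour described above.

```python
"""Banned-word matching under the two pattern types this chapter describes:
wildcard and Perl regular expression. Added example, not Fortinet code; Python's
re module stands in for the Perl engine. The wildcard rule that '*' matches any
run of characters is an assumption (the guide only describes '?')."""
import re


def wildcard_to_regex(pattern: str) -> str:
    """Translate a wildcard pattern: '?' is any one character, '*' any run
    (assumed). Every other character, including '.', is taken literally."""
    out = []
    for ch in pattern:
        if ch == "?":
            out.append(".")
        elif ch == "*":
            out.append(".*")
        else:
            out.append(re.escape(ch))
    return "".join(out)


def compile_banned(pattern: str, pattern_type: str) -> "re.Pattern":
    """Compile a banned-word entry of type 'wildcard' or 'regex'.
    A regex written Perl-style as /.../i is made case insensitive; any other
    regex is case sensitive, as the guide notes for content block."""
    flags = 0
    if pattern_type == "wildcard":
        regex = wildcard_to_regex(pattern)
    elif pattern_type == "regex":
        perl_style = re.fullmatch(r"/(.*)/(i?)", pattern, re.DOTALL)
        if perl_style:
            regex = perl_style.group(1)
            if perl_style.group(2) == "i":
                flags |= re.IGNORECASE
        else:
            regex = pattern
    else:
        raise ValueError(f"unknown pattern type: {pattern_type}")
    return re.compile(regex, flags)


def is_banned(text: str, pattern: str, pattern_type: str) -> bool:
    """True when the text contains a match for the banned-word entry."""
    return compile_banned(pattern, pattern_type).search(text) is not None


if __name__ == "__main__":
    # The guide's own illustration: an unescaped '.' matches any character.
    for candidate in ("fortinet.com", "fortinetacom", "fortinetbcom"):
        print(candidate,
              "regex fortinet.com:", is_banned(candidate, "fortinet.com", "regex"),
              "regex fortinet\\.com:", is_banned(candidate, r"fortinet\.com", "regex"),
              "wildcard fortinet.com:", is_banned(candidate, "fortinet.com", "wildcard"))
```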
Configuring the banned word list 338 Spam filter 01-28007-0068-20041203 Fortinet Inc.
Log & Report

FortiGate units provide extensive logging capabilities for traffic, system and network protection functions. You can set the severity level of the messages that are logged, and you can choose the types of events that are logged. All types of log messages except traffic and content can be saved in internal memory. FortiGate units support external logging to a FortiLog unit, WebTrends and other Syslog servers.
Figure 182: Example alert email

From: admin@example.com
Sent: Tuesday, April 27, 2004 5:30 PM
To: example@test.com
Subject: Message meets Alert condition

Message meets Alert condition
2004-04-27 13:28:52 device_id=APS3012803033139 log_id=0101023002 type=event subtype=ipsec pri=notice loc_ip=172.16.81.2 loc_port=500 rem_ip=172.16.81.1 rem_port=500 out_if=dmz vpn_tunnel=ToDmz action=negotiate init=local mode= stage=-112 dir=inbound status=success msg="Initiator: tunnel 172.16.
Memory: The FortiGate system memory. The FortiGate system memory has a limited capacity and only displays the most recent log entries. Traffic and content logs cannot be stored in the memory buffer. When the memory is full, the FortiGate unit begins to overwrite the oldest messages. All log entries are deleted when the FortiGate unit restarts.
Syslog: A remote computer running a syslog server.
Table 31: Logging severity levels

Emergency: The system has become unstable.
Alert: Immediate action is required.
Critical: Functionality is affected.
Error: An error condition exists and functionality could be affected.
Warning: Functionality could be affected.
Notification: Notification of normal events.
Information: General information about system operations.
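As an added Python example (not Fortinet code), here is a parser for the key=value log message format shown in the alert email above, with a severity filter based on the ordering of Table 31; the sample lines are constructed with a placeholder device id, and the mapping of pri=notice to the Notification level is an assumption drawn from the example email.

```python
"""Parse FortiGate key=value log messages and filter them by severity level.
Added example, not Fortinet code. Sample lines are constructed; the mapping of
the 'pri=notice' field to the Notification level is assumed from the example
alert email in this chapter."""
import re
from typing import Dict, List

# Table 31 levels, most severe first.
LEVELS = ["Emergency", "Alert", "Critical", "Error", "Warning",
          "Notification", "Information"]

# Spellings used in the 'pri' field that differ from the table (assumed).
PRI_ALIASES = {"notice": "Notification"}

# Constructed sample log lines modelled on the alert email example; the device
# id is a placeholder and the addresses are the example's private addresses.
SAMPLE_LOGS = [
    "2004-04-27 13:28:52 device_id=EXAMPLE_DEVICE log_id=0101023002 type=event "
    "subtype=ipsec pri=notice loc_ip=172.16.81.2 loc_port=500 rem_ip=172.16.81.1 "
    "rem_port=500 out_if=dmz vpn_tunnel=ToDmz action=negotiate init=local mode= "
    "stage=-112 dir=inbound status=success msg=\"Initiator: tunnel ToDmz negotiated\"",
    "2004-04-27 13:29:10 device_id=EXAMPLE_DEVICE log_id=0100000001 type=event "
    "subtype=system pri=critical msg=\"ping server failure (constructed)\"",
]

# One key=value pair: the value is either a double-quoted string (which may
# contain spaces) or a run of non-space characters, possibly empty (mode=).
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_log_line(line: str) -> Dict[str, str]:
    """Split '<date> <time> key=value ...' into a dict of fields."""
    parts = line.split(" ", 2)
    if len(parts) < 3:
        raise ValueError("expected '<date> <time> key=value ...'")
    fields = {"date": parts[0], "time": parts[1]}
    for key, value in KV_RE.findall(parts[2]):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]          # strip the quotes around msg="..."
        fields[key] = value
    return fields


def level_of(fields: Dict[str, str]) -> str:
    """Map the 'pri' field to its Table 31 level name."""
    pri = fields.get("pri", "").lower()
    name = PRI_ALIASES.get(pri, pri.capitalize())
    if name not in LEVELS:
        raise ValueError(f"unknown severity in pri field: {pri!r}")
    return name


def meets_level(fields: Dict[str, str], minimum: str) -> bool:
    """True when the message is at least as severe as 'minimum'. A lower
    index in LEVELS is more severe, so a logging level of 'Notification'
    accepts Notification and everything above it."""
    return LEVELS.index(level_of(fields)) <= LEVELS.index(minimum)


def select_messages(lines: List[str], minimum: str) -> List[Dict[str, str]]:
    """Parse each line and keep those that meet the configured level."""
    return [f for f in map(parse_log_line, lines) if meets_level(f, minimum)]


if __name__ == "__main__":
    for entry in select_messages(SAMPLE_LOGS, "Warning"):
        print(entry["time"], entry["pri"], entry["msg"])
```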
To configure log file uploading
1 Select the blue arrow to expand Log file upload settings.
2 Select Upload When Rolling.
3 Enter the IP address of the logging server.
4 Enter the port number on the logging server. The default is 21 (FTP).
5 Enter the Username and Password required on the logging server.
6 Enter the remote directory in which to save the log files.
7 Select the types of log files to upload.
8 Select Apply.
Alert E-mail options

In Alert E-mail options you specify the mail server and recipients for email messages and you specify the severity level and frequency of the messages.

Figure 184: Alert email configuration settings

Authentication Enable: Select the Authentication Enable check box to enable SMTP authentication.
SMTP Server: The name/address of the SMTP server for email.
SMTP User: The SMTP user name.
Password: The SMTP password.
Note: If more than one log message is collected before an interval is reached, the messages are combined and sent out as one alert email.

You can select specific events to trigger alert email in Log Filter, described in “Log filter options” on page 345.

To configure alert email
Note: Before configuring alert email make sure you configure at least one DNS server.
Log filter options

Figure 185: Example traffic and event log filter settings

Traffic log

The Traffic Log records all the traffic to and through the FortiGate interfaces. You can configure logging for traffic controlled by firewall policies and for traffic between any source and destination addresses. You can also apply global settings, such as session or packet log.
System Activity event: The FortiGate unit logs all system-related events, such as ping server failure and gateway status.
IPSec negotiation event: The FortiGate unit logs all IPSec negotiation events, such as progress and error reports.
DHCP service event: The FortiGate unit logs all DHCP events, such as the request and response log.
L2TP/PPTP/PPPoE service event: The FortiGate unit logs all protocol-related events, such as manager and socket creation processes.
Attack log

The Attack Log records attacks detected and prevented by the FortiGate unit. You can apply the following filters:
Attack Signature: The FortiGate unit logs all detected and prevented attacks based on the attack signature, and the action taken by the FortiGate unit.
Attack Anomaly: The FortiGate unit logs all detected and prevented attacks based on unknown or suspicious traffic patterns, and the action taken by the FortiGate unit.
To enable traffic logging for a firewall policy
You can enable traffic logging for a firewall policy. All connections accepted by the firewall policy are recorded in the traffic log.
1 Go to Firewall > Policy.
2 Select the Edit icon for a policy.
3 Select Log Traffic.
4 Select OK.
5 Make sure you enable traffic log under Log Filter for a logging location and set the logging severity level to Notification or lower.
Viewing log messages

The following table describes the features and icons you can use to navigate and search the logs when viewing logs through the web-based manager.
Type: The location of the log messages: memory.
Go to previous page icon: View the previous page in the log file.
Go to next page icon: View the next page in the log file.
View per page: Select the number of log messages displayed on each page.
Line: /: Type the line number of the first line you want to display.
<- Left arrow button: Select to move selected fields from the Show these fields list to the Available fields list.
Show these fields in this order: The fields that are displayed as columns in the log messages list. The fields are listed in order with the first column at the top of the list.
Move up: Move selected field up one position in the Show these fields list.
Move down: Move selected field down one position in the Show these fields list.
Figure 189: Search for log messages
3 If you want to search for log messages in a particular date range, select the From and To dates.
4 Select one of the following options:
all of the following: The message must contain all of the keywords
any of the following: The message must contain at least one of the keywords
none of the following: The message must contain none of the keywords
5 In the Keywords field, type the keywords for the search.
6 Select OK.
fortilog setting

get log fortilog setting
show log fortilog setting

log fortilog setting command keywords and variables

Keywords and variables: encrypt {enable | disable}, localid, psksecret

encrypt {enable | disable}: Enter enable to enable encrypted communication with the FortiLog unit. Default: disable. Availability: All models.
localid: Enter the local ID for an IPSec VPN tunnel to a FortiLog unit.
syslogd setting

Note: The only command keyword for syslog setting that is not represented in the web-based manager is the facility keyword.

Use this command to configure log settings for logging to a remote syslog server. You can configure the FortiGate unit to send logs to a remote computer running a syslog server.
Table 32: Facility types

alert
audit
auth: security/authorization messages
authpriv: security/authorization messages (private)
clock: clock daemon
cron: cron daemon performing scheduled commands
daemon: system daemons running background system processes
ftp: File Transfer Protocol (FTP) daemon
kernel: kernel messages
local0 – local7: reserved for local use
lpr: line printer subsystem
mail: email system
news: network news subsystem
ntp: Ne
FortiGuard categories

FortiGuard is a web filtering solution provided by Fortinet. FortiGuard sorts thousands of Web pages into a wide variety of categories that users can allow, block, or monitor. The FortiGate unit accesses the nearest FortiGuard server to determine the category of a requested Web page and then follows the policy configured for that user or interface.
Table 33: FortiGuard categories

5. Racism or Hate: Sites that promote the identification of racial groups, the denigration or subjection of groups, or the superiority of any group.
6. Violence: Sites that feature or promote violence or bodily harm, including self-inflicted harm; or that gratuitously display images of death, gore, or injury; or that feature images or descriptions that are grotesque or frightening and of no redeeming value.
16. Weapons: Sites that provide information about, promote, or support the sale of weapons and related items. Sport Hunting and Gun Clubs -- Sites that provide information about or directories of gun clubs and similar groups, including war-game and paintball facilities.

Potentially Non-productive
17. Advertisement: Sites that provide advertising graphics or other ad content files.
18.
General Interest
28. Arts and Entertainment: Sites that provide information about or promote motion pictures, non-news radio and television, music and programming guides, books, humor, comics, movie theatres, galleries, artists or review on entertainment, and magazines.
29.
39. Reference Materials: Sites that offer reference-shelf content such as atlases, dictionaries, encyclopedias, formularies, white and yellow pages, and public statistical data.
40. Religion: Traditional Religions -- Sites that provide information about or promote Buddhism, Bahai, Christianity, Christian Science, Hinduism, Islam, Judaism, Mormonism, Shinto, and Sikhism, as well as atheism.
41.
Business Oriented
49. Business and Economy: Sites sponsored by or devoted to business firms, business associations, industry groups, or business in general.
50. Computer Security: Computer Security -- Sites that provide information about or free downloadable tools for computer security.
51.
Glossary

address: An IP address (logical address) or the address of a physical interface (hardware address). An Ethernet address is sometimes called a MAC address. See also IP address.
Diffie-Hellman group: FortiGate units support Diffie-Hellman groups 1, 2 and 5.
Ethernet: Can refer to the IEEE 802.3 signaling protocol, or an Ethernet controller (also known as a Media Access Controller or MAC).
Internet: The network that encompasses the world. As a generic term, it refers to any collection of interdependent networks.
external interface: The FortiGate interface that connects to the Internet.
IP, Internet Protocol: The component of TCP/IP that handles routing.
MTU, Maximum Transmission Unit: The largest physical packet size, measured in bytes, that a network can transmit. Any packets larger than the MTU are divided into smaller packets before they are sent.
NAT, Network Address Translation: A way of routing IPv4 packets transparently. Using NAT, a router or FortiGate unit between a private and public network translates private IP addresses to public addresses and the other way around.
netmask, network mask: Also sometimes called subnet mask.
SMTP, Simple Mail Transfer Protocol: A protocol that supports email delivery services.
SNMP, Simple Network Management Protocol: A set of protocols for managing networks. SNMP agents store and return data about themselves to SNMP requesters.
TCP, Transmission Control Protocol: One of the main protocols in TCP/IP networks. TCP guarantees delivery of data and also guarantees that packets are delivered in the same order sent.
trojan horse: A harmful program that disguises itself as another program.
Index csv 354 custom TCP service 206, 207, 208 custom UDP service 206, 207, 208 customer service 23 D database 163 RIP 164 database-filter-out 181 database-overflow 165 database-overflow-max-lsas 165 database-overflow-time-to-recover 165 date setting 81 DDNS 56 Dead Peer Detection 250 dead-interval 174, 181 debug log back up 116 restore 116 default heartbeat device configuration HA 89 default-cost 168 default-information-metric 165 default-information-metric-type 165 default-information-originate 165 defau
Index go High Availability 85 high availability introduction 18 http 230 HTTPS 18, 204 hub HA schedule 88 HA monitor 95 group ID HA 86 grouping services 209 groups user 239 guaranteed bandwidth 195, 196 I H HA 84, 85 add a new unit to a functioning cluster 93 cluster ID 95 cluster members 86 configuration 85 configure a FortiGate unit for HA operation 90 configure weighted-round-robin weights 94 connect a FortiGate HA cluster 92 default heartbeat device configuration 89 device failover 84 group ID 86 he
Index L L2TP 239 configuring gateway 261 enabling 261 overview 261 language web-based manager 83 Least-Connection HA schedule 88 Lifetime (sec/kb) 251 link failover HA 84 list 170 Local certificate list 262 Local certificate options 263 Local ID 250 Local SPI, Manual Key 255 Log & report 339 Log file upload settings 342 Log filter options 345 Log settings 340 Logging 349 logging 19 logs managing for individual cluster units 96 M manage cluster units HA 97 Managing digital certificates 262 Manual Key 253 m
Index peer 174 Peer option 248 Phase 1 246 Phase 1 advanced options 249 Phase 1 basic settings 247 Phase 1 list 246 Phase 2 250 Phase 2 advanced options 252 Phase 2 basic settings 251 Phase 2 list 251 ping generator IPSec VPN 257 policy enabling authentication 239 guaranteed bandwidth 195, 196 IPSec VPN 266 matching 190 maximum bandwidth 195, 196 policy routing 145 poll-interval 178 POP3 205 port 301, 303, 304, 306, 307, 354 port forward dynamic 215 port forwarding virtual IP 215 PPTP 239 predefined service
Index service 203 custom TCP 206, 207, 208 custom UDP 206, 207, 208 group 209 predefined 203 service name 204 user-defined TCP 206, 207, 208 user-defined UDP 206, 207, 208 service ftp 302 service http 300 service imap 305 service pop3 304 service smtp 307 Service, Policy 267 set time 82 shortcut 169 Signature list 279 Signatures 278 single-source 272 SMTP 206 smtp 231 SNMP contact information 98 MIBs 101 traps 102 source IP address example 267 spam banned word 333 Spam filter 323 spf-timers 166 split tunnel
Index URL options 313 user groups configuring 239 User-defined signatures 282 user-defined TCP services 206, 207, 208 user-defined UDP services 206, 207, 208 Username 259 VPN certificates restore 117 upload 117 VPN Tunnel, Policy 267 VPNs 245 V web content filtering introduction 14 Web filter 309, 357 content block 311 Web pattern block 314 Web script filter options 322 Web URL block list 313 web-based manager introduction 18 language 83 timeout 83 WebTrends logging settings 343 weighted round-robin HA s