FortiGate-400 Installation and Configuration Guide
FortiGate User Manual Volume 1, Version 2.
© Copyright 2003 Fortinet Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc. FortiGate-400 Installation and Configuration Guide Version 2.
FortiGate-400 Installation and Configuration Guide Version 2.50 MR2

Introduction
The FortiGate Antivirus Firewall supports network-based deployment of application-level services—including antivirus protection and full-scan content filtering. FortiGate Antivirus Firewalls improve network security, reduce network misuse and abuse, and help you use communications resources more efficiently without compromising the performance of your network.
For extra protection, you can also configure antivirus protection to block files of specified file types from passing through the FortiGate unit. You can use this feature to stop files that may contain new viruses. If the FortiGate unit contains a hard disk, infected or blocked files can be quarantined. The FortiGate administrator can download quarantined files so that they can be virus scanned, cleaned, and forwarded to the intended recipient.
You can configure Email blocking to tag email from all or some senders within organizations that are known to send spam email. To prevent unintentional tagging of email from legitimate senders, you can add sender address patterns to an exempt list that overrides the email block and banned word lists.

Firewall
The FortiGate ICSA-certified firewall protects your computer networks from the hostile environment of the Internet. ICSA has granted FortiGate firewalls version 4.
Transparent mode
Transparent mode provides the same basic firewall protection as NAT mode. Packets received by the FortiGate unit are intelligently forwarded or blocked according to firewall policies. The FortiGate unit can be inserted in your network at any point without the need to make changes to your network or any of its components. However, VPN, VLAN, multi-zone functionality, and some advanced firewall features are only available in NAT/Route mode.
VPN
Using FortiGate virtual private networking (VPN), you can provide a secure connection between widely separated office networks or securely link telecommuters or travellers to an office network.
Secure installation, configuration, and management
Installation is quick and simple. The first time you turn on the FortiGate unit, it is already configured with default IP addresses and security policies. Connect to the web-based manager, set the operating mode, and use the setup wizard to customize FortiGate IP addresses for your network, and the FortiGate unit is set to protect your network.
Command line interface
You can access the FortiGate command line interface (CLI) by connecting a management computer serial port to the FortiGate RS-232 serial Console connector. You can also use Telnet or a secure SSH connection to connect to the CLI from any network connected to the FortiGate, including the Internet. The CLI supports the same configuration and monitoring functionality as the web-based manager.
What’s new in Version 2.50
This section presents a brief summary of some of the new features in FortiOS v2.50:

System administration
• Improved graphical FortiGate system health monitoring that includes CPU and memory usage, session number and network bandwidth usage, and the number of viruses and intrusions detected. See “System status” on page 110.
HA
• Active-active HA using switches and with the ability to select the schedule
• Transparent mode HA
• A/V update for HA clusters
• Configuration synchronizing for HA
See “High availability” on page 75.

Replacement messages
You can customize messages sent by the FortiGate unit:
• When a virus is detected
• When a file is blocked
• When a fragmented email is blocked
• When an alert email is sent
See “Customizing replacement messages” on page 164.
NIDS
See the FortiGate NIDS Guide for a complete description of FortiGate NIDS functionality. New features include:
• Attack detection signature groups
• User-configurable attack prevention
• Monitor multiple interfaces for attacks
• Monitor VLAN subinterfaces for attacks
• User-defined attack detection signatures

Antivirus
See the FortiGate Content Protection Guide for a complete description of FortiGate antivirus functionality.
About this document
This installation and configuration guide describes how to install and configure the FortiGate-400. This document contains the following information:
• Getting started describes unpacking, mounting, and powering on the FortiGate.
• NAT/Route mode installation describes how to install the FortiGate if you are planning on running it in NAT/Route mode.
Document conventions
This guide uses the following conventions to describe CLI command syntax.
• angle brackets < > to indicate variable keywords
For example: execute restore config
You enter restore config myfile.bak
indicates an ASCII string variable keyword.
indicates an integer variable keyword.
indicates an IP address variable keyword.
Fortinet documentation
Information about FortiGate products is available from the following FortiGate User Manual volumes:
• Volume 1: FortiGate Installation and Configuration Guide
Describes installation and basic configuration for the FortiGate unit.
Customer service and technical support
For antivirus and attack definition updates, firmware updates, updated product documentation, technical support information, and other resources, please visit the Fortinet technical support web site at http://support.fortinet.com. You can also register FortiGate Antivirus Firewalls from http://support.fortinet.com and modify your registration information at any time.
Getting started
This chapter describes unpacking, setting up, and powering on your FortiGate Antivirus Firewall. When you have completed the procedures in this chapter, you can proceed to one of the following:
• If you are going to operate the FortiGate unit in NAT/Route mode, go to “NAT/Route mode installation” on page 45.
Package contents
The FortiGate-400 package contains the following items:
• FortiGate-400 Antivirus Firewall
• one orange crossover ethernet cable
• one gray regular ethernet cable
• one null modem cable
• FortiGate-400 QuickStart Guide
• one power cable
• CD containing the FortiGate user documentation
• two 19-inch rack mount brackets
Figure 2: FortiGate-400 package contents (ethernet cables: orange is crossover, grey is straight-through)
Power requirements
• Power dissipation: 180 W (max)
• AC input voltage: 100 to 240 VAC
• AC input current: 4 A
• Frequency: 47 to 63 Hz
Environmental specifications
• Operating temperature: 32 to 104°F (0 to 40°C)
• Storage temperature: -13 to 158°F (-25 to 70°C)
• Humidity: 5 to 95% non-condensing

Powering on
To power on the FortiGate-400 unit:
1 Make sure that the power switch on the back is turned off.
Connecting to the web-based manager
Use the following procedure to connect to the web-based manager for the first time. Configuration changes made with the web-based manager are effective immediately without the need to reset the firewall or interrupt service. To connect to the web-based manager, you need:
• a computer with an ethernet connection,
• Internet Explorer version 4.0 or higher,
• a crossover cable or an ethernet hub and two ethernet cables.
Connecting to the command line interface (CLI)
As an alternative to the web-based manager, you can install and configure the FortiGate unit using the CLI. Configuration changes made with the CLI are effective immediately without the need to reset the firewall or interrupt service.
If you are planning on operating the FortiGate unit in Transparent mode, you can switch to Transparent mode from the factory default configuration and then configure the FortiGate unit onto your network in Transparent mode. Once the network configuration is complete, you can perform additional configuration tasks such as setting the system time, configuring virus and attack definition updates, and registering the FortiGate unit.
Table 2: Factory default NAT/Route mode network configuration (continued)
Interface 4/HA: IP 0.0.0.0, Netmask 0.0.0.0, Management Access: Ping

Factory default Transparent mode network configuration
If you switch the FortiGate unit to Transparent mode, it has the default network configuration listed in Table 3.
Table 4: Factory default firewall configuration (continued)
Action: ACCEPT; NAT. The policy action. ACCEPT means that the policy allows connections. NAT is selected for the NAT/Route mode default policy so that the policy applies network address translation to the traffic processed by the policy. NAT is not available for Transparent mode policies.
Remaining rows: Traffic Shaping, Authentication, Antivirus & Web Filter, Log Traffic
Strict content profile
Use the strict content profile to apply maximum content protection to HTTP, FTP, IMAP, POP3, and SMTP content traffic. You would not use the strict content profile under normal circumstances, but it is available if you are having extreme problems with viruses and require maximum content screening protection.
Web content profile
Use the web content profile to apply antivirus scanning and Web content blocking to HTTP content traffic. You can add this content profile to firewall policies that control HTTP traffic.
Planning your FortiGate configuration
Before beginning to configure the FortiGate unit, you need to plan how to integrate the unit into your network. Among other things, you have to decide whether or not the unit will be visible to the network, which firewall functions it will provide, and how it will control the traffic flowing between its interfaces. Your configuration plan is dependent upon the operating mode that you select.
Figure 4: Example NAT/Route mode network configuration

NAT/Route mode with multiple external network connections
In NAT/Route mode, you can configure the FortiGate unit with multiple redundant connections to the external network (usually the Internet). For example, you could create the following configuration:
• Interface 1 is the interface to the internal network.
Transparent mode
In Transparent mode, the FortiGate unit is invisible to the network. Similar to a network bridge, all of the FortiGate interfaces must be on the same subnet. You only have to configure a management IP address so that you can make configuration changes. The management IP address is also used for antivirus and attack definition updates.
CLI
If you are configuring the FortiGate unit to operate in NAT/Route mode, you can add the administration password and all interface addresses. Using the CLI, you can also add DNS server IP addresses and a default route for the external interface.
Table 9: FortiGate maximum values matrix
FortiGate model   50   60   100  200  300  400  500  1000  2000  3000  3600
IP pool           50   50   50   50   50   50   50   50    50    50    50
RADIUS server     6    6    6    6    6    6    6    6     6     6     6
File pattern      56   56   56   56   56   56   56   56    56    56    56
PPTP user         500  500  500  500  500  500  500  500   500   500   500
L2TP user         500  500  500  500  500  500  500  500   500   500   500
URL block         no limit  no limit  no limit  no limit  no limit  no limit  no limit  no l
NAT/Route mode installation
This chapter describes how to install your FortiGate unit in NAT/Route mode. To install your FortiGate unit in Transparent mode, see “Transparent mode installation” on page 61. To install two or more FortiGate units in HA mode, see “High availability” on page 75.
Table 10: NAT/Route mode settings (continued)
Interface 4/HA
IP: _____._____._____._____
Netmask: _____._____._____._____
Internal servers
Web Server: _____._____._____._____
SMTP Server: _____._____._____._____
POP3 Server: _____._____._____._____
IMAP Server: _____._____._____._____
FTP Server: _____._____._____.
Using the front control buttons and LCD
As an alternative to the setup wizard, use the information that you recorded in Table 10 on page 45 to complete the following procedure. Starting with Main Menu displayed on the LCD, use the front control buttons and LCD:
1 Press Enter three times to configure the PORT1 IP address.
2 Set the PORT1 IP address.
3 Set the IP address and netmask of interface 2 to the external IP address and netmask that you recorded in Table 10 on page 45.
set system interface port2 mode static ip
Example
set system interface port2 mode static ip 204.23.1.5 255.255.255.0
4 Set the IP address and netmask of interface 3 or 4 to the IP addresses and netmasks that you recorded in Table 10 on page 45.
Connecting the FortiGate unit to your networks
When you have completed the initial configuration, you can connect the FortiGate unit between your internal network and the Internet. The FortiGate-400 has four 10/100Base-TX connectors that can be connected to up to four different networks. You can connect them in any configuration.
Figure 7: FortiGate-400 NAT/Route mode connections

Configuring your network
If you are running the FortiGate unit in NAT/Route mode, your networks must be configured to route all Internet traffic to the IP address of the FortiGate interface to which they are connected.

Completing the configuration
Use the information in this section to complete the initial configuration of the FortiGate unit.
Configuring interface 4/HA
Use the following procedure to configure interface 4/HA to connect to a network:
1 Log into the web-based manager.
2 Go to System > Network > Interface.
3 Choose port4/ha and select Modify.
4 Make sure that Work as HA is not selected.
5 Change the IP address and Netmask as required.
6 Select Apply.
Configuring virus and attack definition updates
You can go to System > Update to configure the FortiGate unit to automatically check to see if new versions of the virus definitions and attack definitions are available. If it finds new versions, the FortiGate unit automatically downloads and installs the updated definitions. The FortiGate unit uses HTTPS on port 8890 to check for updates.
Figure 8: Example multiple Internet connection configuration

Configuring Ping servers
Use the following procedure to make Gateway 1 the ping server for port2 and Gateway 2 the ping server for port3.
1 Go to System > Network > Interface.
2 For port2, select Modify.
• Ping Server: 1.1.1.1
• Select Enable Ping Server
• Select OK
3 For port3, select Modify.
• Ping Server: 2.2.2.
Using the CLI
1 Add a ping server to port2.
set system interface port2 config detectserver 1.1.1.1 gwdetect enable
2 Add a ping server to port3.
set system interface port3 config detectserver 2.2.2.
Load sharing
You can also configure destination routing to direct traffic through both gateways at the same time. If users on your internal network connect to the networks of ISP1 and ISP2, you can add routes for each of these destinations. Each route can include a backup destination to the network of the other ISP.
Table 12: Load sharing routes
Destination IP   Mask   Gateway #1   Device #1   Gateway #2   Device #2
100.
3 Select New to add a route for connections to the network of ISP1.
• Destination IP: 100.100.100.0
• Mask: 255.255.255.0
• Gateway #1: 1.1.1.1
• Gateway #2: 2.2.2.1
• Device #1: port2
• Device #2: port3
4 Select New to add a route for connections to the network of ISP2.
• Destination IP: 200.200.200.0
• Mask: 255.255.255.0
• Gateway #1: 2.2.2.1
• Gateway #2: 1.1.1.
Policy routing examples
Policy routing can be added to increase the control you have over how packets are routed. Policy routing works on top of destination-based routing. This means you should configure destination-based routing first and then build policy routing on top of it to increase the control provided by destination-based routing.
Firewall policy example
Firewall policies control how traffic flows through the FortiGate unit. Once routing for multiple Internet connections has been configured, you must create firewall policies to control which traffic is allowed through the FortiGate unit and the interfaces through which this traffic can connect.
Adding more firewall policies
In most cases your firewall configuration includes more than just the default policy. However, the basic premise of creating redundant policies applies even as the firewall configuration becomes more complex.
Transparent mode installation
This chapter describes how to install your FortiGate unit in Transparent mode. If you want to install the FortiGate unit in NAT/Route mode, see “NAT/Route mode installation” on page 45. If you want to install two or more FortiGate units in HA mode, see “High availability” on page 75.
Using the setup wizard
From the web-based manager, you can use the setup wizard to create the initial configuration of your FortiGate unit. To connect to the web-based manager, see “Connecting to the web-based manager” on page 32.

Changing to Transparent mode
The first time that you connect to the FortiGate unit, it is configured to run in NAT/Route mode. To switch to Transparent mode using the web-based manager:
1 Go to System > Status.
Using the front control buttons and LCD
This procedure describes how to use the control buttons and LCD to configure Transparent mode IP addresses. Use the information that you recorded in Table 14 on page 61 to complete this procedure. Starting with Main Menu displayed on the LCD, use the front control buttons and LCD:
1 Press Enter three times to configure the management interface IP address.
2 Set the management interface IP address.
Configuring the Transparent mode management IP address
1 Log into the CLI if you are not already logged in.
2 Set the management IP address and netmask to the IP address and netmask that you recorded in Table 14 on page 61. Enter:
set system management ip
Example
set system management ip 10.10.10.2 255.255.255.0
3 Confirm that the address is correct.
Registering your FortiGate
After purchasing and installing a new FortiGate unit, you can register the unit by going to System > Update > Support, or using a web browser to connect to http://support.fortinet.com and selecting Product Registration. Registration consists of entering your contact information and the serial numbers of the FortiGate units you or your organization have purchased. Registration is quick and easy.
Figure 9: FortiGate-400 Transparent mode connections

Transparent mode configuration examples
A FortiGate unit operating in Transparent mode still requires a basic configuration to operate as a node on the IP network. As a minimum, the FortiGate unit must be configured with an IP address and subnet mask. These are used for management access and to allow the unit to receive antivirus and attack definition updates.
This section describes:
• Default routes and static routes
• Example default route to an external network
• Example static route to an external destination
• Example static route to an internal destination

Default routes and static routes
To create a route to a destination, you need to define an IP prefix which consists of an IP network address and a corresponding netmask value.
Figure 10: Default route to an external network

General configuration steps
1 Set the FortiGate unit to operate in Transparent mode.
2 Configure the Management IP address and Netmask of the FortiGate unit.
3 Configure the default route to the external network.
Web-based manager example configuration steps
To configure basic Transparent mode settings and a default route using the web-based manager:
1 Go to System > Status.
• Select Change to Transparent Mode.
• Select Transparent in the Operation Mode list.
• Select OK.
The FortiGate unit changes to Transparent mode.
2 Go to System > Network > Management.
• Change the Management IP and Netmask:
IP: 192.168.1.1
Mask: 255.255.255.
Note: This is an example configuration only. To configure a static route, you require a destination IP address.
Figure 11: Static route to an external destination

General configuration steps
1 Set the FortiGate unit to operate in Transparent mode.
2 Configure the Management IP address and Netmask of the FortiGate unit.
3 Configure the static route to the FortiResponse server.
Web-based manager example configuration steps
To configure the basic FortiGate settings and a static route using the web-based manager:
1 Go to System > Status.
• Select Change to Transparent Mode.
• Select Transparent in the Operation Mode list.
• Select OK.
The FortiGate unit changes to Transparent mode.
2 Go to System > Network > Management.
• Change the Management IP and Netmask:
IP: 192.168.1.1
Mask: 255.255.255.
Example static route to an internal destination
Figure 12 shows a FortiGate unit where the FDN is located on an external subnet and the management computer is located on a remote, internal subnet. To reach the FDN, you need to enter a single default route that points to the upstream router as the next hop/default gateway. To reach the management computer, you need to enter a single static route that leads directly to it.
Web-based manager example configuration steps
To configure the FortiGate basic settings, a static route, and a default route using the web-based manager:
1 Go to System > Status.
• Select Change to Transparent Mode.
• Select Transparent in the Operation Mode list.
• Select OK.
The FortiGate unit changes to Transparent mode.
2 Go to System > Network > Management.
• Change the Management IP and Netmask:
IP: 192.168.1.1
Mask: 255.
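The following Python script is an added example, not code from the guide or from Fortinet: it simulates the destination-based route selection behind both the load-sharing routes of the multiple-Internet-connection example (Table 12, with Gateway #2 backups and ping servers) and the Transparent mode default and static route examples above. Longest prefix wins, a route's Gateway #1 is used while its ping server answers and Gateway #2 otherwise; the upstream and internal router addresses, the remote management subnet, and the rule that a route with no reachable gateway is withdrawn are assumptions made for this example.

```python
"""Added example (not from the FortiGate guide): simulation of destination route
selection with backup gateways, as in the load-sharing and Transparent mode examples.
Assumptions not stated by the guide: a gateway whose ping server (detectserver) does
not answer is down, and a route with no reachable gateway is withdrawn so that the
next-longest matching prefix is used instead."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Management IP and mask used in the guide's Transparent mode examples.
MANAGEMENT_IP = ipaddress.ip_interface("192.168.1.1/24")


@dataclass(frozen=True)
class Route:
    """One row of a route table: Destination IP + Mask, Gateway #1 / Device #1 and an
    optional backup Gateway #2 / Device #2.  Device is None for Transparent mode routes."""
    prefix: ipaddress.IPv4Network
    gateway1: str
    device1: Optional[str] = None
    gateway2: Optional[str] = None
    device2: Optional[str] = None

    def next_hops(self) -> List[Tuple[str, Optional[str]]]:
        hops = [(self.gateway1, self.device1)]
        if self.gateway2 is not None:
            hops.append((self.gateway2, self.device2))
        return hops


def select_route(routes: List[Route], dst: str,
                 gateway_up: Dict[str, bool]) -> Optional[Tuple[str, Optional[str]]]:
    """Return (gateway, device) used for traffic to dst, or None if it is unroutable.
    gateway_up maps a gateway address to its ping server state; a gateway with no
    entry has no ping server configured and is assumed reachable."""
    addr = ipaddress.ip_address(dst)
    # Longest prefix first: a /24 static route beats the 0.0.0.0/0 default route.
    matching = sorted((r for r in routes if addr in r.prefix),
                      key=lambda r: r.prefix.prefixlen, reverse=True)
    for route in matching:
        for gateway, device in route.next_hops():
            if gateway_up.get(gateway, True):
                return gateway, device
        # every gateway of this route is down: treat it as withdrawn and try the next
    return None


def gateways_off_subnet(routes: List[Route], management: ipaddress.IPv4Interface) -> List[str]:
    """In Transparent mode all interfaces share the management subnet, so every next
    hop must lie inside it; return the gateways that do not (a configuration error)."""
    return [gw for r in routes for gw, _ in r.next_hops()
            if ipaddress.ip_address(gw) not in management.network]


def nat_route_table() -> List[Route]:
    """Table 12 of the guide: each ISP network through its own gateway, the other ISP's
    gateway as backup.  Gateway #2 of the ISP2 route is cut off in the text; 1.1.1.1 is
    assumed here."""
    return [
        Route(ipaddress.ip_network("100.100.100.0/24"), "1.1.1.1", "port2", "2.2.2.1", "port3"),
        Route(ipaddress.ip_network("200.200.200.0/24"), "2.2.2.1", "port3", "1.1.1.1", "port2"),
    ]


def transparent_route_table() -> List[Route]:
    """Transparent mode example: a default route to the upstream router (to reach the
    FDN) plus a static route to the remote management subnet.  The router addresses
    and the management subnet are constructed for this example."""
    return [
        Route(ipaddress.ip_network("0.0.0.0/0"), "192.168.1.254"),    # constructed upstream router
        Route(ipaddress.ip_network("10.10.20.0/24"), "192.168.1.2"),  # constructed internal router
    ]


def main() -> None:
    nat = nat_route_table()
    both_up = {"1.1.1.1": True, "2.2.2.1": True}
    isp1_down = {"1.1.1.1": False, "2.2.2.1": True}
    print("ISP1 network, both gateways up:", select_route(nat, "100.100.100.7", both_up))
    print("ISP1 network, gateway 1 down:  ", select_route(nat, "100.100.100.7", isp1_down))
    transparent = transparent_route_table()
    print("management computer (static):  ", select_route(transparent, "10.10.20.5", {}))
    print("external address (default):    ", select_route(transparent, "203.0.113.10", {}))
    print("gateways outside mgmt subnet:  ", gateways_off_subnet(transparent, MANAGEMENT_IP))


if __name__ == "__main__":
    main()
```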
High availability
Fortinet achieves high availability (HA) using redundant hardware and the FortiGate Clustering Protocol (FGCP). The FortiGate units in the HA cluster enforce the same overall security policy and share the same configuration settings. You can add up to 32 FortiGate units to an HA cluster. Each FortiGate unit in an HA cluster must be the same model and be running the same FortiOS firmware image.
During startup the members of an HA cluster negotiate to select the primary unit. The primary unit allows other FortiGate units to join the HA cluster as subordinate units and assigns each subordinate unit a priority. The primary FortiGate unit sends session messages to the subordinate units through the FortiGate HA interfaces. All FortiGate units in the cluster maintain all session information.
During startup the members of the HA cluster negotiate to select the primary unit. The primary unit allows other FortiGate units to join the HA cluster as subordinate units and assigns each subordinate unit a priority. The FortiGate units in the HA cluster communicate status and session information using their HA interfaces. All FortiGate units in the cluster maintain all session information.
The 4/HA interface of each FortiGate-400 unit must be configured with a different IP address. The addresses of the 4/HA interfaces must be on the same subnet and they must be configured for management access. Repeat the following procedure for each FortiGate unit in the HA cluster:
1 Connect to the FortiGate unit and log into the web-based manager.
2 Go to System > Network > Interface.
High availability HA in NAT/Route mode 4 Select the HA mode. Select Active-Passive mode to create an Active-Passive HA cluster, in which one FortiGate unit in the HA cluster is actively processing all connections and the others are passively monitoring the status and remaining synchronized with the active FortiGate unit.
HA in NAT/Route mode High availability 8 Under Monitor on Interface, select the names of the interfaces to be monitored. Monitor FortiGate interfaces to make sure they are functioning properly and that they are connected to their networks. If a monitored interface fails or is disconnected from its network, the FortiGate unit stops processing traffic and is removed from the cluster.
The network equipment to use and the procedure to follow are the same, whether you are configuring the FortiGate units for active-active HA or active-passive HA.

To connect the FortiGate units to your network:
1 Connect port 1 of each FortiGate unit to a switch or hub connected to your internal network.
2 Connect port 2 of each FortiGate unit to a switch or hub connected to your external network.

Starting the HA cluster

After all of the FortiGate units in the cluster are configured for HA and once the cluster is connected, use the following procedure to start the HA cluster.
1 Power on all of the HA units in the cluster. As the units power on they negotiate to choose the primary cluster unit and the subordinate units. This negotiation occurs with no user intervention. When negotiation is complete the cluster is ready to begin processing network traffic.

HA in Transparent mode

HTTPS  To allow secure HTTPS connections to the web-based manager through this interface.
PING   If you want this interface to respond to pings. Use this setting to verify your installation and for testing.
HTTP   To allow HTTP connections to the web-based manager through this interface. HTTP connections are not secure and can be intercepted by a third party.
SSH    To allow secure SSH connections to the CLI through this interface.

7 If you are configuring Active-Active HA, select a schedule. The schedule controls load balancing among the FortiGate units in the active-active HA cluster. The schedule must be the same for all FortiGate units in the HA cluster.
None  No load balancing. Select None when the cluster interfaces are connected to load balancing switches.
Hub   Load balancing for hubs. Select Hub if the cluster interfaces are connected to a hub.

Figure 15: Sample active-passive HA configuration

10 Repeat this procedure to add each FortiGate unit in the HA cluster. When you have configured all of the FortiGate units, proceed to "Connecting the HA cluster to your network".

Connecting the HA cluster to your network

To connect the HA cluster to your network you must connect all matching interfaces in the cluster to the same hub or switch.
Managing the HA cluster

Figure 16: Example cluster members list

Monitoring cluster members

To monitor health information for each cluster member:
1 Connect to the cluster and log into the web-based manager.
2 Go to System > Status > Monitor. CPU, Memory Status, and Hard disk status are displayed for each cluster member. The primary unit is identified as Local and the other units in the cluster are listed by serial number.

4 Select Virus & Intrusions. Virus and intrusions status is displayed for each cluster member. The primary unit is identified as Local and the other units in the cluster are listed by serial number. The display includes bar graphs of the number of viruses and intrusions detected per hour as well as line graphs of the number of viruses and intrusions detected for the last 20 hours. For more information, see "Viewing virus and intrusions status" on page 112.

Note: You can view and manage log messages for all cluster members. However, from the primary unit you can only configure logging for the primary unit. To configure logging for other units in the cluster you must manage individual cluster units.

Managing individual cluster units

You can manage individual cluster units by connecting to each unit's HA interface using either the web-based manager or the CLI.

Table 16: execute ha synchronize keywords
Keyword  Description
config   Synchronize the FortiGate configuration. This includes normal system configuration, firewall configuration, VPN configuration and so on stored in the FortiGate configuration file.
avupd    Synchronize the antivirus engine and antivirus definitions received by the primary unit from the FortiResponse Distribution Network (FDN).

Advanced HA options

The following advanced HA options are available from the FortiGate CLI:
• Selecting a FortiGate unit as a permanent primary unit
• Configuring weighted-round-robin weights

Selecting a FortiGate unit as a permanent primary unit

In a typical FortiGate cluster configuration, the primary unit selection process is automatic. The primary unit can be different each time the cluster starts up.

Configuring weighted-round-robin weights

By default, in active-active HA mode the weighted round-robin schedule assigns the same weight to each FortiGate unit in the cluster. Once the cluster is configured to use the weighted round-robin schedule, you can use the set system ha weight command to configure a weight value for each cluster unit.
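As an added illustration (not FortiOS code), the following Python models the weighted round-robin schedule described above: each unit takes as many consecutive new sessions as its weight, equal weights reduce to plain round robin, and a set_weight method stands in for the per-unit weight configured with set system ha weight. Unit names and weights are constructed sample values.

```python
"""Weighted round-robin distribution of new sessions across an active-active
HA cluster. Added illustration, not FortiOS code; unit names and weights are
constructed sample values."""
from collections import Counter
from typing import Dict, List


class WeightedRoundRobin:
    """Each unit takes as many consecutive new sessions as its weight, then the
    next unit in cluster order takes its turn. Equal weights (the default) give
    plain round robin; a weight of 0 keeps the unit in the member list but
    hands it no new sessions."""

    def __init__(self, weights: Dict[str, int]):
        if not weights:
            raise ValueError("cluster has no members")
        if any(w < 0 for w in weights.values()):
            raise ValueError("weights must be non-negative")
        if sum(weights.values()) == 0:
            raise ValueError("at least one unit needs a positive weight")
        self._weights: Dict[str, int] = dict(weights)
        self._order: List[str] = list(weights)  # cluster member order
        self._idx = 0      # unit currently taking sessions
        self._served = 0   # sessions that unit has taken in its current turn

    def set_weight(self, unit: str, weight: int) -> None:
        """Change one unit's weight (what 'set system ha weight' does)."""
        if unit not in self._weights:
            raise KeyError(unit)
        if weight < 0:
            raise ValueError("weight must be non-negative")
        others = sum(w for u, w in self._weights.items() if u != unit)
        if weight == 0 and others == 0:
            raise ValueError("at least one unit needs a positive weight")
        self._weights[unit] = weight

    def next_unit(self) -> str:
        """Return the unit that receives the next new session."""
        # Advance past units whose turn is used up (or whose weight is 0).
        # Terminates because at least one weight is always positive.
        while self._served >= self._weights[self._order[self._idx]]:
            self._idx = (self._idx + 1) % len(self._order)
            self._served = 0
        unit = self._order[self._idx]
        self._served += 1
        return unit


def session_sequence(weights: Dict[str, int], n: int) -> List[str]:
    """Which unit receives each of the next n sessions, in order."""
    wrr = WeightedRoundRobin(weights)
    return [wrr.next_unit() for _ in range(n)]


def session_counts(weights: Dict[str, int], n: int) -> Dict[str, int]:
    """How many of n sessions each unit ends up handling."""
    return dict(Counter(session_sequence(weights, n)))


if __name__ == "__main__":
    # Constructed sample cluster: FGT-A gets three sessions for each one FGT-B gets.
    print(session_counts({"FGT-A": 3, "FGT-B": 1}, 8))
```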
System status

You can connect to the web-based manager and go to System > Status to view the current status of your FortiGate unit. The status information that is displayed includes the current firmware version, the current virus and attack definitions, and the FortiGate unit serial number.

Changing the FortiGate host name

The FortiGate host name appears on the System > Status page and on the FortiGate CLI prompt. The host name is also used as the SNMP System Name (see "Configuring SNMP" on page 162). The default host name is FortiGate-400.

To change the FortiGate host name:
1 Go to System > Status.
2 Select Edit Host Name.
3 Enter a new host name.
4 Select OK.

Changing the FortiGate firmware

Upgrade to a new firmware version

Use the following procedures to upgrade your FortiGate to a newer firmware version.

Upgrading the firmware using the web-based manager

Note: Installing firmware replaces your current antivirus and attack definitions with the definitions included with the firmware release that you are installing.

5 Enter the following command to copy the firmware image from the TFTP server to the FortiGate:
execute restore image
where the first argument is the name of the firmware image file on the TFTP server and the second is the IP address of the TFTP server. For example, if the firmware image file name is FGT_300-v250-build045-FORTINET.out and the IP address of the TFTP server is 192.168.1.

Note: Installing firmware replaces your current antivirus and attack definitions with the definitions included with the firmware release that you are installing. When you have installed new firmware, use the procedure "Manually updating antivirus and attack definitions" on page 119 to make sure that antivirus and attack definitions are up-to-date.
1 Copy the firmware image file to your management computer.

You can also use the CLI command execute updatecenter updatenow to update the antivirus and attack definitions.

12 To confirm that the antivirus and attack definitions have been updated, enter the following command to display the antivirus engine, virus and attack definitions version, contract expiry, and last update attempt information:
get system objver

Install a firmware image from a system reboot using the CLI

This procedure installs a specified firmware image and resets the FortiGate unit to default settings.
6 Enter the following command to restart the FortiGate unit:
execute reboot
As the FortiGate unit starts, a series of system startup messages are displayed. When one of the following messages appears:
• FortiGate unit running v2.x BIOS
Press Any Key To Download Boot Image.
...
• FortiGate unit running v3.x BIOS
Press any key to enter configuration menu.....
......
7 Immediately press any key to interrupt the system startup.

11 Enter the firmware image file name and press Enter. The TFTP server uploads the firmware image file to the FortiGate unit and messages similar to the following appear.
• FortiGate unit running v2.x BIOS
Do You Want To Save The Image? [Y/n]
Type Y.
• FortiGate unit running v3.x BIOS
Save as Default firmware/Run image without saving:[D/R]
Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]
Type D.

To test a new firmware image:
1 Connect to the CLI using a null modem cable and FortiGate console port.
2 Make sure the TFTP server is running.
3 Copy the new firmware image file to the root directory of the TFTP server.
4 Make sure that port1 is connected to the same network as the TFTP server. You can use the following command to ping the computer running the TFTP server. For example, if the TFTP server's IP address is 192.168.1.168:
execute ping 192.

Note: The local IP address is only used to download the firmware image. After the firmware is installed the address of this interface is changed back to the default IP address for this interface.
The following message appears:
Enter File Name [image.out]:
11 Enter the firmware image file name and press Enter. The TFTP server uploads the firmware image file to the FortiGate unit and messages similar to the following appear.
• FortiGate unit running v2.

4 To confirm that the FortiGate unit can connect to the TFTP server, use the following command to ping the computer running the TFTP server. For example, if the TFTP server's IP address is 192.168.1.168:
execute ping 192.168.1.168
5 Enter the following command to restart the FortiGate unit:
execute reboot
As the FortiGate unit starts, a series of system startup messages are displayed.

Switching to the backup firmware image

Use this procedure to switch your FortiGate unit to operating with a backup firmware image that you have previously installed. When you switch the FortiGate unit to the backup firmware image, the FortiGate unit operates using the configuration that was saved with that firmware image. If you install a new backup image from a reboot, the configuration saved with this firmware image is the factory default configuration.

Switching back to the default firmware image

Use this procedure to switch your FortiGate unit to operating with the backup firmware image that had been running as the default firmware image. When you switch to this backup firmware image, the configuration saved with this firmware image is restored.
1 Connect to the CLI using the null modem cable and FortiGate console port.
Manual virus definition updates

5 Select OK to copy the antivirus definitions update file to the FortiGate unit. The FortiGate unit updates the antivirus definitions. This takes about 1 minute.
6 Go to System > Status to confirm that the Antivirus Definitions Version information has been updated.

Backing up system settings

You can back up system settings by downloading them to a text file on the management computer:
1 Go to System > Status.
2 Select System Settings Backup.
3 Select Backup System Settings.
4 Type a name and location for the file. The system settings file is backed up to the management computer.
5 Select Return to go back to the Status page.

Changing to Transparent mode

Use the following procedure to switch the FortiGate unit from NAT/Route mode to Transparent mode. When the FortiGate unit has changed to Transparent mode, its configuration resets to Transparent mode factory defaults.
1 Go to System > Status.
2 Select Change to Transparent Mode.
3 Select Transparent in the operation mode list.
4 Select OK.
The FortiGate unit changes operation mode.

Shutting down the FortiGate unit

1 Go to System > Status.
2 Select Shutdown.
The FortiGate unit shuts down and all traffic flow stops. The FortiGate unit can only be restarted after shutdown by turning the power off, then on.

System status

You can use the system status monitor to display FortiGate system health information.

Figure 1: CPU and memory status monitor

CPU and memory intensive processes such as encrypting and decrypting IPSec VPN traffic, virus scanning, and processing high levels of network traffic containing small packets will increase CPU and memory usage.
1 Go to System > Status > Monitor. CPU & Memory status is displayed. The display includes bar graphs of current CPU and memory usage as well as line graphs of CPU and memory usage for the last minute.

Network utilization displays the total network bandwidth being used through all FortiGate interfaces. Network utilization also displays network utilization as a percentage of the maximum network bandwidth that can be processed by the FortiGate unit.
1 Go to System > Status > Monitor.
2 Select Sessions & Network. Sessions and network status is displayed.

Figure 3: Sessions and network status monitor

3 Set the automatic refresh interval and select Go to control how often the web-based manager updates the display. More frequent updates use system resources and increase network traffic. However, this only occurs when you are viewing the display using the web-based manager. The line graph scales are shown on the upper right corner of the graph.
4 Select Refresh to manually update the information displayed.

Session list

To IP    The destination IP address of the connection.
To Port  The destination port of the connection.
Expire   The time, in seconds, before the connection expires.
Clear    Stop an active communication session.

Figure 4: Example session list
Virus and attack definitions updates and registration

You can configure the FortiGate unit to connect to the FortiResponse Distribution Network (FDN) to update the antivirus and attack definitions and antivirus engine.

Updating antivirus and attack definitions

The System > Update page of the web-based manager displays the following antivirus and attack definition update information:
Version      Displays the current antivirus engine, virus definition, and attack definition version numbers.
Expiry date  Displays the expiry date of your license for antivirus engine, virus definition, and attack definition updates.

To make sure the FortiGate unit can connect to the FDN:
1 Go to System > Config > Time and make sure the time zone is set to the correct time zone for your area.
2 Go to System > Update.
3 Select Refresh. The FortiGate unit tests its connection to the FDN. The test results are displayed at the top of the System Update page.

4 Select Apply. The FortiGate unit starts the next scheduled update according to the new update schedule. Whenever a scheduled update is run, the event is recorded in the FortiGate event log.

Adding an override server

If you cannot connect to the FDN or if your organization provides antivirus and attack updates using their own FortiResponse server, you can use the following procedure to add the IP address of an override FortiResponse server.
1 Go to System > Update.
2 Select Use override server address and add the IP address of a FortiResponse server.
3 Select Apply.

To enable push updates:
1 Go to System > Update.
2 Select Allow Push Update.
3 Select Apply.

About push updates

When you configure a FortiGate unit to allow push updates, the FortiGate unit sends a SETUP message to the FDN.

Figure 2: Example network topology: Push updates through a NAT device

General procedure

Use the following steps to configure the FortiGate NAT device and the FortiGate unit on the Internal network so that the FortiGate unit on the Internal network can receive push updates:
1 Add a port forwarding virtual IP to the FortiGate NAT device.

Adding a port forwarding virtual IP to the FortiGate NAT device

Use the following procedure to configure a FortiGate NAT device to use port forwarding to forward push update connections from the FDN to a FortiGate unit on the internal network.

To configure the FortiGate NAT device:
1 Go to Firewall > Virtual IP.
2 Select New.
3 Add a name for the virtual IP.

Figure 3: Push update port forwarding virtual IP

Adding a firewall policy for the port forwarding virtual IP

To configure the FortiGate NAT device:
1 Add a new external to internal firewall policy.
2 Configure the policy with the following settings:
Source       External_All
Destination  The virtual IP added above.
Schedule     Always
Service      ANY
Action       Accept
NAT          Selected.
3 Select OK.

5 Set Port to the External Service Port added to the virtual IP. For the example topology, enter 45001.
6 Select Apply. The FortiGate unit sends the override push IP address and Port to the FDN. The FDN will now use this IP address and port for push updates to the FortiGate unit on the internal network.

There are no special tunneling requirements if you have configured an override server address to connect to the FDN. Push updates are not supported if the FortiGate must connect to the Internet through a proxy server.
Registering FortiGate units

To activate the FortiCare Support Contract, you must register the FortiGate unit and add the FortiCare Support Contract number to the registration information. You can also register the FortiGate unit without purchasing a FortiCare Support Contract. In this case, when you do purchase a FortiCare Support Contract you can update the registration information to add the support contract number.

Figure 5: Registering a FortiGate unit (contact information and security question)

3 Provide a security question and an answer to the security question.
4 Select the model number of the Product Model to register.
5 Enter the Serial Number of the FortiGate unit.
6 If you have purchased a FortiCare Support Contract for this FortiGate unit, enter the support contract number.

Updating registration information

You can use your Fortinet support user name and password to log on to the Fortinet Support web site at any time to view or update your Fortinet support information.

Figure 7: Sample list of registered FortiGate units

Registering a new FortiGate unit
1 Go to System > Update > Support and select Support Login.
2 Enter your Fortinet support user name and password.
3 Select Login.
4 Select Add Registration.
5 Select the model number of the Product Model to register.
6 Enter the Serial Number of the FortiGate unit.
7 Select Finish. The list of FortiGate products that you have registered is displayed. The list now includes the new support contract information.

Changing your Fortinet support password
1 Go to System > Update > Support and select Support Login.
2 Enter your Fortinet support user name and password.
3 Select Login.
4 Select My Profile.
5 Select Change Password.
6 Enter your current password.

Figure 8: Downloading virus and attack definition updates

For information about how to install the downloaded files, see "Manual virus definition updates" on page 106 and "Manual attack definition updates" on page 107.

Registering a FortiGate unit after an RMA

The Return Material Authorization (RMA) process starts when a customer's registered FortiGate unit doesn't work properly due to a hardware failure.
Network configuration

Go to System > Network to make any of the following changes to the FortiGate network settings:
• Configuring zones
• Configuring interfaces
• Configuring VLANs
• Configuring routing
• Providing DHCP services to your internal network

Configuring zones

In NAT/Route mode, you can use zones to group related interfaces or VLAN subinterfaces.

3 Type a Name for the zone. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
4 Optionally select Block intra-zone traffic to block traffic between interfaces in the same zone.
5 Select OK to add the zone. The zone now appears on the firewall policy grid.

Adding interfaces to a zone

You can add one or more interfaces to a zone.

Deleting zones

You must remove all interfaces and VLAN subinterfaces from a zone before you can delete the zone. You can only delete zones that have the Delete icon beside them in the zone list.
1 Go to System > Network > Zone.
2 Select Delete to remove a zone from the list.
3 Select OK to delete the zone.

Configuring interfaces

Changing an interface static IP address

Use the following procedure to change the static IP address of any FortiGate interface:
1 Go to System > Network > Interface.
2 Select Modify.
3 Change the IP address and Netmask as required. The IP address of the interface must be on the same subnet as the network the interface is connecting to. Two interfaces cannot have the same IP address and cannot have IP addresses on the same subnet.

Controlling management access to an interface
1 Go to System > Network > Interface.
2 Select Modify for the interface for which to configure management access.
3 Select the management Access methods for the interface.
HTTPS  To allow secure HTTPS connections to the web-based manager through this interface.
PING   If you want this interface to respond to pings. Use this setting to verify your installation and for testing.

4 Set the MTU size. Set the maximum packet size in the range of 68 to 1500 bytes. The default MTU size is 1500. Experiment by lowering the MTU to find an MTU size for best network performance.

Configuring port4/ha

You can use port4/ha as a firewall interface or for communication between FortiGate-400 units in an HA group. To configure port4/ha as a firewall interface, you must disable its HA functionality.

3 Add a default gateway IP address if the FortiGate unit must connect to a default gateway to reach the management computer.
4 Select the management Access methods for each interface.
HTTPS  To allow secure HTTPS connections to the web-based manager through this interface.
PING   If you want this interface to respond to pings. Use this setting to verify your installation and for testing.
SSH    To allow secure SSH connections to the CLI through this interface.
Configuring VLANs

Figure 9: Typical VLAN network configuration

In a typical VLAN configuration, a number of physical networks could be connected to a single IEEE 802.1Q-compliant router. The router is configured to add VLAN IDs to the packets that it receives from each network and then route the packets out a single interface that is connected to the FortiGate interface.

Adding VLAN subinterfaces

The VLAN ID of each VLAN subinterface must match the VLAN ID added by the IEEE 802.1Q-compliant router. The VLAN ID can be any number between 1 and 4096. Each VLAN subinterface must also be configured with its own IP address and netmask. You add VLAN subinterfaces to physical interfaces. You can add over 1000 VLAN subinterfaces to a FortiGate unit.

6 Enter the IP address and Netmask for the VLAN subinterface.
7 Optionally select a zone to add the VLAN subinterface to a zone.
8 Select the management Access for the VLAN subinterface to control how administrators on the network that connects to this subinterface can connect to and manage the FortiGate unit.
HTTPS  To allow secure HTTPS connections to the web-based manager through this VLAN subinterface.

Configuring routing

This section describes how to configure FortiGate routing. You can configure routing to add static routes from the FortiGate unit to local routers. Using policy routing you can increase the flexibility of FortiGate routing to support more advanced routing functions. You can also use routing to create a multiple Internet connection configuration that supports redundancy and load sharing between the two Internet connections.

To support routing failover, the IP address of each gateway must be added to the ping server of the interface connected to the same network as the gateway. See "Adding a ping server to an interface" on page 136.

Adding destination-based routes to the routing table
1 Go to System > Network > Routing Table.
2 Select New to add a new route.
3 Type the Destination IP address and netmask for the route.
4 Add the IP address of Gateway #1.

Note: Any two routes in the routing table must differ by something other than just the gateway to be simultaneously active. If two routes added to the routing table are identical except for their gateway IP addresses, only the route closer to the top of the routing table can be active.

Note: Arrange routes in the routing table from more specific to more general. To arrange routes in the routing table, see "Configuring the routing table".

Figure 11: Routing table

Policy routing

Policy routing extends the functions of destination routing. Using policy routing you can route traffic based not only on the destination address but also on:
• Source address
• Protocol, service type, or port range
• Incoming or source interface
Using policy routing you can build a routing policy database (RPDB) that selects the appropriate route for traffic by executing a set of routing rules.
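The two routing-table notes and the policy-routing description above can be checked against a small model. This Python is an added example, not FortiOS code: it marks a route that differs only by gateway inactive, flags routes shadowed by a more general route above them, and resolves a packet through the RPDB before the destination table. All addresses, interface names and rules are constructed samples.

```python
"""Model of the routing rules described above: routes are matched from the top
of the table down, two routes that differ only in gateway cannot both be
active, and policy routes (the RPDB) are consulted before destination routes.
Added illustration, not FortiOS code; every address below is a constructed
sample."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    destination: str  # network, e.g. "192.168.1.0/24"; "0.0.0.0/0" is the default route
    gateway: str
    device: str       # outgoing interface


@dataclass(frozen=True)
class PolicyRoute:
    gateway: str
    device: str
    source: Optional[str] = None        # source network, or None for any
    protocol: Optional[int] = None      # IP protocol number, or None for any
    dport: Optional[range] = None       # destination port range, or None for any
    in_interface: Optional[str] = None  # incoming interface, or None for any


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: int
    dport: int
    in_interface: str


def active_routes(table: List[Route]) -> List[Route]:
    """Of two routes identical except for gateway, only the one nearer the top
    of the table is active (the first note above)."""
    seen, active = set(), []
    for r in table:
        key = (ip_network(r.destination), r.device)  # everything but the gateway
        if key not in seen:
            seen.add(key)
            active.append(r)
    return active


def shadowed_routes(table: List[Route]) -> List[Route]:
    """Routes that can never be chosen because a more general route above them
    already covers their destination: the 'specific before general' rule."""
    out = []
    for i, r in enumerate(table):
        net = ip_network(r.destination)
        above = [ip_network(a.destination) for a in table[:i]]
        if any(net.subnet_of(a) and a.prefixlen < net.prefixlen for a in above):
            out.append(r)
    return out


def _policy_matches(pr: PolicyRoute, pkt: Packet) -> bool:
    if pr.source is not None and ip_address(pkt.src) not in ip_network(pr.source):
        return False
    if pr.protocol is not None and pr.protocol != pkt.protocol:
        return False
    if pr.dport is not None and pkt.dport not in pr.dport:
        return False
    if pr.in_interface is not None and pr.in_interface != pkt.in_interface:
        return False
    return True


def select_route(table: List[Route], rpdb: List[PolicyRoute],
                 pkt: Packet) -> Optional[Tuple[str, str, str]]:
    """First matching RPDB rule wins; otherwise the first active destination
    route containing the destination, scanning top to bottom."""
    for pr in rpdb:
        if _policy_matches(pr, pkt):
            return ("policy", pr.gateway, pr.device)
    dst = ip_address(pkt.dst)
    for r in active_routes(table):
        if dst in ip_network(r.destination):
            return ("static", r.gateway, r.device)
    return None


# Constructed sample: one correctly ordered table, one misordered table, one RPDB.
SAMPLE_TABLE = [
    Route("192.168.1.0/24", "192.168.1.254", "port1"),
    Route("0.0.0.0/0", "10.0.0.1", "port2"),  # Gateway #1, active
    Route("0.0.0.0/0", "10.0.0.2", "port2"),  # differs only by gateway: inactive
]
MISORDERED_TABLE = [
    Route("0.0.0.0/0", "10.0.0.1", "port2"),
    Route("192.168.1.0/24", "192.168.1.254", "port1"),  # shadowed by the default route
]
SAMPLE_RPDB = [
    # TCP port 80 from 192.168.2.0/24 leaves via the second Internet link on port3
    PolicyRoute(gateway="10.0.1.1", device="port3",
                source="192.168.2.0/24", protocol=6, dport=range(80, 81)),
]

if __name__ == "__main__":
    print(select_route(SAMPLE_TABLE, SAMPLE_RPDB,
                       Packet("192.168.2.10", "203.0.113.5", 6, 80, "port1")))
    print("shadowed:", shadowed_routes(MISORDERED_TABLE))
```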
Providing DHCP services to your internal network

If the FortiGate unit is operating in NAT/Route mode, you can use the CLI command set system dhcpserver to configure the FortiGate unit to be the DHCP server for your internal network. Table 2 describes the syntax for the set system dhcpserver command.
RIP configuration

The FortiGate implementation of the Routing Information Protocol (RIP) supports both RIP version 1 (as defined by RFC 1058) and RIP version 2 (also called RIP2 and defined by RFC 2453). RIP2 enables RIP messages to carry more information and support simple authentication. RIP2 also supports subnet masks, a feature not available in RIP version 1.

This chapter describes how to configure FortiGate RIP:
• RIP settings
• Configuring RIP for FortiGate interfaces
• Adding RIP neighbors
• Adding RIP filters

RIP settings

Configure RIP settings to enable basic RIP functionality and metrics and to configure RIP timers.
1 Go to System > RIP > Settings.
2 Select Enable RIP Server to configure the FortiGate unit to be a RIP server.

7 Update   The time interval in seconds between sending routing table updates. The default is 30 seconds.
  Invalid  The time interval in seconds after which a route is declared invalid. Invalid should be at least three times the value of Update. A route becomes invalid when there is an absence of updates that refresh the route. The route then enters holddown. The route is marked inaccessible and advertised as unreachable.

Configuring RIP for FortiGate interfaces

You can create a unique RIP configuration for each FortiGate interface and VLAN subinterface. This allows you to customize RIP for the network to which each interface or each VLAN subinterface is connected. For example:
• If you have a complex network connected to port 1 that contains devices that use the RIP2 protocol, you might want to configure RIP2 send and receive for this interface.

Note: MD5 authentication is used to verify the integrity of the routing message sent by the FortiGate unit. Using MD5 authentication, the password is added to the routing message and MD5 is applied to create the MD5 digest of the routing message. The password is replaced in the routing message with this MD5 digest and this message is broadcast.
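The scheme in the note above, carried through as an added Python example (not FortiOS code and not the RFC 2082 wire layout): the sender appends the password to the message and transmits the MD5 digest in its place, and the receiver recomputes the digest from its own copy of the password before accepting the routes. The message bytes, routes and password are constructed samples.

```python
"""Keyed-MD5 integrity check for RIP2 response messages, following the
description in the note above: the password is appended to the message, MD5 is
taken over the result, and the digest travels in place of the password.
Added illustration of the logic, not the RFC 2082 wire format and not FortiOS
code; the routes and password below are constructed samples."""
import hashlib
import hmac
import socket
import struct
from typing import List, Optional, Tuple

RIP_VERSION_2 = 2
CMD_RESPONSE = 2
AUTH_FIELD_LEN = 16  # width of the authentication field; the digest fills it

Route = Tuple[str, str, str, int]  # (address, netmask, next hop, metric)


def build_rip2_response(routes: List[Route]) -> bytes:
    """4-byte header followed by one 20-byte RIP2 entry per route
    (AFI=2 for IP, route tag 0, address, mask, next hop, metric)."""
    msg = struct.pack("!BBH", CMD_RESPONSE, RIP_VERSION_2, 0)
    for addr, mask, nexthop, metric in routes:
        msg += struct.pack("!HH4s4s4sI", 2, 0,
                           socket.inet_aton(addr), socket.inet_aton(mask),
                           socket.inet_aton(nexthop), metric)
    return msg


def parse_rip2_response(body: bytes) -> List[Route]:
    """Receiver-side parse of a verified body back into route tuples."""
    cmd, ver, _ = struct.unpack("!BBH", body[:4])
    if cmd != CMD_RESPONSE or ver != RIP_VERSION_2:
        raise ValueError("not a RIP2 response")
    routes = []
    for off in range(4, len(body), 20):
        _, _, a, m, n, metric = struct.unpack("!HH4s4s4sI", body[off:off + 20])
        routes.append((socket.inet_ntoa(a), socket.inet_ntoa(m),
                       socket.inet_ntoa(n), metric))
    return routes


def _digest(body: bytes, password: bytes) -> bytes:
    # The password is padded (or cut) to the field width, appended, then hashed.
    key = password.ljust(AUTH_FIELD_LEN, b"\x00")[:AUTH_FIELD_LEN]
    return hashlib.md5(body + key).digest()


def sign(body: bytes, password: bytes) -> bytes:
    """Sender: the digest replaces the password in the transmitted message."""
    return body + _digest(body, password)


def verify(message: bytes, password: bytes) -> Optional[bytes]:
    """Receiver: recompute the digest with the local password and compare in
    constant time. Returns the body on success, None if the message was
    altered in transit or produced with a different password."""
    if len(message) < 4 + AUTH_FIELD_LEN or (len(message) - 4 - AUTH_FIELD_LEN) % 20:
        return None
    body, received = message[:-AUTH_FIELD_LEN], message[-AUTH_FIELD_LEN:]
    if not hmac.compare_digest(received, _digest(body, password)):
        return None
    return body


# Constructed sample: two routes advertised by a FortiGate to a RIP2 neighbour.
SAMPLE_ROUTES: List[Route] = [
    ("192.168.10.0", "255.255.255.0", "0.0.0.0", 1),
    ("10.20.0.0", "255.255.0.0", "0.0.0.0", 3),
]
SAMPLE_PASSWORD = b"rip2-demo-key"  # constructed; shorter than 16 bytes, so zero-padded


if __name__ == "__main__":
    wire = sign(build_rip2_response(SAMPLE_ROUTES), SAMPLE_PASSWORD)
    print("accepted:", parse_rip2_response(verify(wire, SAMPLE_PASSWORD)))
    print("wrong password accepted:", verify(wire, b"other") is not None)
```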
3 Add the IP address of a neighbor router that you want the FortiGate unit to exchange routing information with.
4 Select Enable Send RIP1 to send RIP1 messages to the neighbor.
5 Select Enable Send RIP2 to send RIP2 messages to the neighbor.
6 Select OK to add the RIP neighbor to the list.

Adding RIP filters

Use RIP filters to control the routing information received by the FortiGate unit and sent by the FortiGate unit.

4 Filter Name   Enter a name for the RIP filter. Each RIP filter and RIP filter list must have a unique name. The name can be up to 15 characters long and can contain upper and lower case letters, numbers, and special characters. The name cannot contain spaces.
  Blank Filter  Used for filter lists. See "Adding a RIP filter list" on page 155.
  IP            Add the IP address of the route.
  Mask          Add the netmask of the route.

Adding a neighbors filter

You can select a single RIP filter or a RIP filter list to be the neighbors filter.
1 Go to System > RIP > Filter.
2 Add RIP filters and RIP filter lists as required.
3 For Neighbors Filter, select the name of the RIP filter or RIP filter list to become the neighbors filter.
4 Select Apply. Routes received from neighbors are filtered using the selected RIP filter or RIP filter list.
FortiGate-400 Installation and Configuration Guide Version 2.50 MR2

System configuration

Go to System > Config to make any of the following changes to the FortiGate system configuration:
• Setting system date and time
• Changing web-based manager options
• Adding and editing administrator accounts
• Configuring SNMP
• Customizing replacement messages

Setting system date and time

For effective scheduling and logging, the FortiGate system time should be accurate.

8 Specify how often the FortiGate unit should synchronize its time with the NTP server. A typical Syn Interval would be 1440 minutes, for the FortiGate unit to synchronize its time once a day.
9 Select Apply.

Figure 1: Example date and time setting

Changing web-based manager options

On the System > Config > Options page, you can:
• Set the system idle timeout.
• Set the authentication timeout.
• Select the language for the web-based manager.

To set the Auth timeout
1 For Auth Timeout, type a number in minutes.
2 Select Apply.
Auth Timeout controls the amount of inactive time that the firewall waits before requiring users to authenticate again. For more information, see “Users and authentication” on page 201. The default Auth Timeout is 15 minutes. The maximum Auth Timeout is 480 minutes (8 hours).

Adding and editing administrator accounts

When the FortiGate unit is initially installed, it is configured with a single administrator account with the user name admin. From this administrator account, you can add and edit administrator accounts. You can also control the access level of each of these administrator accounts and, optionally, control the IP address from which the administrator can connect to the FortiGate unit.

Editing administrator accounts

The admin account user can change individual administrator account passwords, configure the IP addresses from which administrators can access the web-based manager, and change the administrator permission levels. Administrator account users with Read & Write access can change their own administrator passwords.
To edit an administrator account
1 Go to System > Config > Admin.

Configuring SNMP

Configure the FortiGate SNMP agent to report system information and send traps to SNMP managers. The FortiGate SNMP agent supports SNMP v1 and v2c. RFC support includes RFC 1213 and RFC 2665. The FortiGate SNMP implementation is read-only: SNMP v1 and v2c compliant SNMP managers have read-only access to FortiGate system information and can receive FortiGate traps.

Trap Community: The trap community string functions like a password that is sent with SNMP traps. The default trap community string is “public”. Change the trap community string to the one accepted by your trap receivers. The trap community string can be up to 31 characters long and can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Spaces and the \ < > [ ] ` $ % & characters are not allowed.

Table 1: FortiGate MIBs
MIB file name: Description
FORTINET.mib: The Fortinet MIB is a proprietary MIB that includes detailed FortiGate system configuration information. Add this MIB to your SNMP manager to monitor all FortiGate configuration settings.
RFC1213.mib: The RFC 1213 MIB is the standard MIB-II MIB that describes network management protocols for TCP/IP networks.

Customizing replacement messages

This section describes:
• Customizing replacement messages
• Customizing alert emails

Figure 3: Sample replacement message

Customizing replacement messages

Each of the replacement messages in the replacement message list is created by combining replacement message sections. You can use these sections as building blocks to create your own replacement messages.

Table 3: Replacement message sections
Scanning: Used for virus scanning (all services).
Section Start: <**INFECTED**>
Allowed Tags: %%FILE%% The name of the file that was infected. %%VIRUS%% The name of the virus infecting the file. %%URL%% The URL of the blocked web page or file.
Section End: <**/BLOCKED**>
Quarantine: Used when quarantine is enabled (permitted for all scan services and block services for email only).

Table 4: Alert email message sections
%%EMAIL_FROM%% The email address of the sender of the message in which the virus was found.
%%EMAIL_TO%% The email address of the intended receiver of the message in which the virus was found.
Block alert: Used for file block alert email messages.
Section Start: <**BLOCK_ALERT**>
Allowed Tags: %%FILE%% The name of the file that was blocked. %%PROTOCOL%% The service for which the file was blocked.
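Added example, not Fortinet code, of how a replacement message section of the kind listed in Tables 3 and 4 can be assembled from a template: the text between a section start tag such as <**INFECTED**> and its matching end tag is kept, and only the tags allowed for that section are substituted. The substituted values (file name, virus name, URL) originate in the traffic that was blocked, so they are HTML-escaped before insertion; that way a URL chosen by whoever served the blocked content cannot inject markup into the page the user sees. The assumption that each section ends with a <**/SECTION**> tag, the allowed-tag table and the sample template are constructed for the demonstration.

```python
import html
import re

# Allowed tags per section, taken from Tables 3 and 4 (assumed complete here)
ALLOWED_TAGS = {
    "INFECTED": {"FILE", "VIRUS", "URL"},
    "BLOCK_ALERT": {"FILE", "PROTOCOL"},
}

TAG_RE = re.compile(r"%%([A-Z_]+)%%")


def extract_section(template: str, section: str) -> str:
    """Return the text between <**SECTION**> and <**/SECTION**> (assumed pairing)."""
    start, end = f"<**{section}**>", f"<**/{section}**>"
    i = template.find(start)
    j = template.find(end, i + len(start)) if i >= 0 else -1
    if i < 0 or j < 0:
        raise ValueError(f"section {section} not found or unterminated")
    return template[i + len(start):j]


def disallowed_tags(template: str, section: str) -> set:
    """Tags used in the section body that Table 3/4 does not permit there."""
    used = set(TAG_RE.findall(extract_section(template, section)))
    return used - ALLOWED_TAGS[section]


def render(template: str, section: str, values: dict) -> str:
    """Substitute allowed tags with HTML-escaped values; unknown tags are an error."""
    bad = disallowed_tags(template, section)
    if bad:
        raise ValueError(f"tags not allowed in section {section}: {sorted(bad)}")
    body = extract_section(template, section)

    def substitute(match):
        # Values come from the blocked traffic, so never trust them as markup
        return html.escape(values.get(match.group(1), ""), quote=True)

    return TAG_RE.sub(substitute, body).strip()


# Constructed sample template modelled on the Table 3 layout
SAMPLE_TEMPLATE = """
<**INFECTED**>
<p>The file %%FILE%% was infected with %%VIRUS%% and was removed.</p>
<p>Source: %%URL%%</p>
<**/INFECTED**>
"""

if __name__ == "__main__":
    page = render(SAMPLE_TEMPLATE, "INFECTED", {
        "FILE": "report.exe",
        "VIRUS": "EICAR-Test-File",
        "URL": "http://example.invalid/<script>alert(1)</script>",
    })
    print(page)
```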
Firewall configuration

Firewall policies control all traffic passing through the FortiGate unit. Firewall policies are instructions used by the FortiGate unit to decide what to do with a connection request. When the firewall receives a connection request in the form of a packet, it analyzes the packet to extract its source address, destination address, and service (port number).

Default firewall configuration

By default, the users on the network connected to port1 can connect through the FortiGate unit to the network connected to port2. The firewall blocks all other connections. The firewall is configured with a default policy that matches any connection request received from the network connected to port1 and instructs the firewall to forward the connection to the network connected to port2.

Zones

You can add zones to the FortiGate configuration to group related interfaces and VLAN subinterfaces together and simplify firewall policy creation. For more information about zones, see “Configuring zones” on page 133. To add policies for zones, you must use the following steps to add the zones to the firewall policy grid:
1 Add zones to the FortiGate configuration. See “Adding zones” on page 133.

Services

Policies can also control connections based on the service or destination port number of packets. The default policy accepts connections using any service or destination port number. The firewall is configured with over 40 predefined services. You can add these services to a policy for more control over the services that can be used by connections through the firewall. You can also add user-defined services.

Adding firewall policies

Figure 5: Adding a NAT/Route policy

Firewall policy options

This section describes the options that you can add to firewall policies.
Source: Select an address or address group that matches the source address of the packet. Before you can add this address to a policy, you must add it to the source interface. To add an address, see “Addresses” on page 179.
Destination: Select an address or address group that matches the destination address of the packet. For NAT/Route mode policies where the address on the destination network is hidden from the source network using NAT, the destination can also be a virtual IP that maps the destination address of the packet to a hidden destination address. See “Virtual IPs” on page 188.
Schedule: Select a schedule that controls when the policy is available to be matched with connections. See “Schedules” on page 186.
Allow inbound: Select Allow inbound so that users behind the remote VPN gateway can connect to the source address.
Allow outbound: Select Allow outbound so that users can connect to the destination address behind the remote VPN gateway.
Inbound NAT: Select Inbound NAT to translate the source address of incoming packets to the FortiGate internal IP address.
In most cases you should make sure that users can use DNS through the firewall without authentication. If DNS is not available, users cannot connect to a web, FTP, or Telnet server using a domain name.
Anti-Virus & Web filter: Enable antivirus protection and web filter content filtering for traffic controlled by this policy.
Log Traffic: Select Log Traffic to write messages to the traffic log whenever the policy processes a connection. For more information about logging, see “Logging and reporting” on page 281.
Comments: Optionally add a description or other information about the policy. The comment can be up to 63 characters long, including spaces.

Configuring policy lists

A policy that is an exception to the default policy, for example a policy to block FTP connections, must be placed above the default policy in the port1->port2 policy list. In this example, all FTP connection attempts from the internal network would then match the FTP policy and be blocked. Connection attempts for all other kinds of services would not match the FTP policy but would match the default policy.

Addresses

All policies require source and destination addresses. To add addresses to a policy, you must first add addresses to the address list for the interfaces, zones, or VLAN subinterfaces of the policy. You can add, edit, and delete all firewall addresses as required. You can also organize related addresses into address groups to simplify policy creation. A firewall address consists of an IP address and a netmask.

6 Enter the NetMask. The netmask should correspond to the type of address that you are adding. For example:
• The netmask for the IP address of a single computer should be 255.255.255.255.
• The netmask for a class A subnet should be 255.0.0.0.
• The netmask for a class B subnet should be 255.255.0.0.
• The netmask for a class C subnet should be 255.255.255.0.
• The netmask for all addresses should be 0.0.0.
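Added example, not Fortinet code, covering the policy-list ordering described under Configuring policy lists together with the address-plus-netmask matching described under Addresses. An ordered policy list is evaluated top down and the first policy whose source address, destination address and service all match decides the action, so an exception such as a block-FTP policy takes effect only if it sits above the accept-any default policy; if nothing matches, the connection is blocked. Addresses are (IP, netmask) pairs, including the single-host 255.255.255.255 mask and the all-addresses 0.0.0.0 mask. The policy names, addresses and services below are constructed sample values.

```python
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class FirewallAddress:
    """A firewall address: IP address plus netmask, as in the Addresses section."""
    ip: str
    netmask: str

    def contains(self, host: str) -> bool:
        net = ipaddress.ip_network(f"{self.ip}/{self.netmask}", strict=False)
        return ipaddress.ip_address(host) in net


@dataclass(frozen=True)
class Service:
    name: str
    protocol: str   # "tcp", "udp" or "any"
    low: int        # low and high destination port of the range
    high: int

    def matches(self, protocol: str, port: int) -> bool:
        if self.protocol not in ("any", protocol):
            return False
        return self.low <= port <= self.high


@dataclass(frozen=True)
class Policy:
    name: str
    source: FirewallAddress
    destination: FirewallAddress
    service: Service
    action: str     # "ACCEPT" or "DENY"


ANY = FirewallAddress("0.0.0.0", "0.0.0.0")      # the all-addresses netmask
SVC_ANY = Service("ANY", "any", 0, 65535)
SVC_FTP = Service("FTP", "tcp", 21, 21)
SVC_HTTP = Service("HTTP", "tcp", 80, 80)


def evaluate(policies, src_ip, dst_ip, protocol, port):
    """Return (policy name, action) of the first matching policy, else implicit deny."""
    for p in policies:
        if (p.source.contains(src_ip) and p.destination.contains(dst_ip)
                and p.service.matches(protocol, port)):
            return p.name, p.action
    return None, "DENY"   # the firewall blocks all other connections


# Constructed sample policies for the port1->port2 list
DEFAULT = Policy("default", ANY, ANY, SVC_ANY, "ACCEPT")
BLOCK_FTP = Policy("block-ftp",
                   FirewallAddress("192.168.1.0", "255.255.255.0"),
                   ANY, SVC_FTP, "DENY")

CORRECT_ORDER = [BLOCK_FTP, DEFAULT]   # exception above the default policy
WRONG_ORDER = [DEFAULT, BLOCK_FTP]     # exception shadowed by the default policy


if __name__ == "__main__":
    print(evaluate(CORRECT_ORDER, "192.168.1.10", "203.0.113.5", "tcp", 21))  # block-ftp DENY
    print(evaluate(WRONG_ORDER, "192.168.1.10", "203.0.113.5", "tcp", 21))    # default ACCEPT
    print(evaluate(CORRECT_ORDER, "192.168.1.10", "203.0.113.5", "tcp", 80))  # default ACCEPT
```

Running the same FTP connection through both lists shows why the manual insists on placement: with the exception below the default, the default accepts the connection first and the block policy is never consulted.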
3 Choose an address to delete and select Delete.
4 Select OK to delete the address.

Organizing addresses into address groups

You can organize related addresses into address groups to make it easier to add policies. For example, if you add three addresses and then add them to an address group, you only have to add one policy using the address group rather than a separate policy for each address. You can add address groups to any interface, VLAN subinterface, or zone.

Services

Use services to control the types of communication accepted or denied by the firewall. You can add any of the predefined services to a policy. You can also create your own custom services and add services to service groups. This section describes:
• Predefined services
• Providing access to custom services
• Grouping services

Predefined services

The FortiGate predefined firewall services are listed in Table 6. You can add these services to any policy.

Table 6: FortiGate predefined services (continued)
Service name: Description / Protocol / Port
H323: H.323 multimedia protocol. H.323 is a standard approved by the International Telecommunication Union (ITU) that defines how audiovisual conferencing data is transmitted across networks. tcp 1720, 1503
HTTP: HTTP is the protocol used by the World Wide Web for transferring data for web pages.
RAUDIO: For streaming real audio multimedia traffic. udp 7070
RLOGIN: Rlogin service for remotely logging into a server. tcp 513
RIP: Routing Information Protocol is a common distance vector routing protocol. udp 520
SMTP: For sending mail between email servers on the Internet. tcp

5 Specify a Source and Destination Port number range for the service by entering the low and high port numbers. If the service uses one port number, enter this number in both the low and high fields.
6 If the service has more than one port range, select Add to specify additional protocols and port ranges. If you mistakenly add too many port range rows, select Delete to remove each extra row.
7 Select OK to add the custom service.

Schedules

Use scheduling to control when policies are active or inactive. You can create one-time schedules and recurring schedules. You can use one-time schedules to create policies that are effective once for the period of time specified in the schedule. Recurring schedules repeat weekly. You can use recurring schedules to create policies that are effective only at specified times of the day or on specified days of the week.

Creating recurring schedules

You can create a recurring schedule that activates or deactivates policies at specified times of the day or on specified days of the week. For example, you might want to prevent Internet use outside of working hours by creating a recurring schedule. If you create a recurring schedule with a stop time that occurs before the start time, the schedule starts at the start time and finishes at the stop time on the next day.
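Added example, not Fortinet code, of evaluating a weekly recurring schedule with the wrap-around rule just described: when the stop time is earlier than the start time, the window begins at the start time on a selected day and ends at the stop time on the following day. The day-name set, the half-open [start, stop) convention and the two sample schedules (working hours, and an overnight window) are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time

DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")  # datetime.weekday() order


@dataclass(frozen=True)
class RecurringSchedule:
    days: frozenset     # days of the week on which a window starts
    start: time
    stop: time

    def is_active(self, at: datetime) -> bool:
        """True if 'at' falls inside one of this schedule's windows."""
        today = DAYS[at.weekday()]
        yesterday = DAYS[(at.weekday() - 1) % 7]
        t = at.time()
        if self.start <= self.stop:
            # same-day window: [start, stop) on a selected day
            return today in self.days and self.start <= t < self.stop
        # stop before start: the window runs from start today until stop tomorrow
        if today in self.days and t >= self.start:
            return True
        return yesterday in self.days and t < self.stop


def check(schedule: RecurringSchedule, year, month, day, hour, minute) -> bool:
    """Helper for callers without a datetime at hand (constructed convenience)."""
    return schedule.is_active(datetime(year, month, day, hour, minute))


# Constructed sample: working hours, Monday to Friday 08:00 to 18:00
WORKING_HOURS = RecurringSchedule(
    frozenset({"Mon", "Tue", "Wed", "Thu", "Fri"}), time(8, 0), time(18, 0))
# Constructed sample: overnight window, Friday 22:00 until 06:00 on Saturday
NIGHT_WINDOW = RecurringSchedule(frozenset({"Fri"}), time(22, 0), time(6, 0))


if __name__ == "__main__":
    # 2024-01-10 is a Wednesday, 2024-01-12 a Friday, 2024-01-13 a Saturday
    print(check(WORKING_HOURS, 2024, 1, 10, 9, 30))   # True
    print(check(WORKING_HOURS, 2024, 1, 13, 9, 30))   # False
    print(check(NIGHT_WINDOW, 2024, 1, 13, 2, 0))     # True: Saturday 02:00 is still Friday's window
    print(check(NIGHT_WINDOW, 2024, 1, 13, 7, 0))     # False
```

A policy bound to a schedule can match a connection only while `is_active` is true; an "outside working hours" block policy is therefore the complement of a working-hours schedule, which is easy to get wrong by a day at the overnight boundary without this wrap rule.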
Adding a schedule to a policy

After you have created schedules, you can add them to policies to schedule when the policies are active. You can add the new schedules to policies when you create the policy, or you can edit existing policies and add a new schedule to them.
1 Go to Firewall > Policy.
2 Select the tab corresponding to the type of policy to add.
3 Select New to add a policy, or select Edit.
4 Configure the policy as required.

Virtual IPs

This section describes:
• Adding static NAT virtual IPs
• Adding port forwarding virtual IPs
• Adding policies with virtual IPs

Adding static NAT virtual IPs

1 Go to Firewall > Virtual IP.
2 Select New to add a virtual IP.
3 Enter a Name for the virtual IP. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.

Note: The firewall translates the source address of outbound packets from the host with the Map to IP address to the virtual IP External IP Address, instead of the firewall external address.
8 Select OK to save the virtual IP. You can now add the virtual IP to firewall policies.

Adding port forwarding virtual IPs

1 Go to Firewall > Virtual IP.
2 Select New to add a virtual IP.
3 Enter a Name for the virtual IP.

Figure 13: Adding a port forwarding virtual IP

Adding policies with virtual IPs

Use the following procedure to add a policy that uses a virtual IP to forward packets.
1 Go to Firewall > Policy.
2 Select the type of policy to add.
3
• The source interface must match the interface selected in the External Interface list.
• The destination interface must match the interface connected to the network with the Map to IP address.
Authentication: Optionally select Authentication and select a user group to require users to authenticate with the firewall before accessing the server using port forwarding.
Log Traffic, Anti-Virus & Web filter: Select these options to log port-forwarded traffic and apply antivirus and web filter protection to this traffic.
4 Select OK to save the policy.

IP pools

An IP pool (also called a dynamic IP pool) is a range of IP addresses added to a firewall interface.

Figure 14: Adding an IP Pool

IP pools for firewall policies that use fixed ports

Some network configurations will not operate correctly if a NAT policy translates the source port of packets used by the connection. NAT translates source ports to keep track of connections for a particular service. You can select fixed port for NAT policies to prevent source port translation.

IP/MAC binding

You can enter the static IP addresses and corresponding MAC addresses of trusted computers in the Static IP/MAC table. IP/MAC binding can be enabled for packets connecting to the firewall or passing through the firewall.
Note: If you enable IP/MAC binding and change the IP address of a computer with an IP or MAC address in the IP/MAC list, you must also change the entry in the IP/MAC list or the computer will not have access to or through the FortiGate unit.

Configuring IP/MAC binding for packets going to the firewall

Use the following procedure to use IP/MAC binding to filter packets that would normally connect to the firewall (for example, when an administrator is connecting to the FortiGate unit for management).
1 Go to Firewall > IP/MAC Binding > Setting.
2 Select Enable IP/MAC binding going to the firewall.
3 Go to Firewall > IP/MAC Binding > Static IP/MAC.

Viewing the dynamic IP/MAC list

1 Go to Firewall > IP/MAC Binding > Dynamic IP/MAC.

Enabling IP/MAC binding

Caution: Make sure that you have added the IP/MAC address pair of your management computer before enabling IP/MAC binding.
1 Go to Firewall > IP/MAC Binding > Setting.
2 Select Enable IP/MAC binding going through the firewall to turn on IP/MAC binding for packets that could be matched by policies.
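Added example, not Fortinet code, modelling the IP/MAC binding decision described above: once binding is enabled, a packet is permitted only if its source IP and MAC match an entry in the static table (or a learned dynamic entry), and the check applies separately to traffic addressed to the firewall and to traffic passing through it. It also models the two warnings on this page: the management computer's pair has to be in the static table before binding is enabled, and a host whose IP address changes is cut off until its entry is updated. The data structures and all addresses are constructed for the demonstration.

```python
from dataclasses import dataclass, field


@dataclass
class IpMacBinding:
    static: dict = field(default_factory=dict)    # ip -> mac, trusted computers
    dynamic: dict = field(default_factory=dict)   # ip -> mac, learned pairs
    enabled_to_firewall: bool = False
    enabled_through_firewall: bool = False

    def add_static(self, ip: str, mac: str) -> None:
        self.static[ip] = mac.lower()

    def learn(self, ip: str, mac: str) -> None:
        """Record a pair in the dynamic list; static entries take precedence."""
        if ip not in self.static:
            self.dynamic[ip] = mac.lower()

    def enable(self, to_firewall: bool, through_firewall: bool,
               mgmt_ip: str, mgmt_mac: str) -> bool:
        """Enable binding. Refuses (returns False) unless the management
        computer's pair is already in the static table, per the caution above."""
        if self.static.get(mgmt_ip) != mgmt_mac.lower():
            return False
        self.enabled_to_firewall = to_firewall
        self.enabled_through_firewall = through_firewall
        return True

    def permits(self, ip: str, mac: str, to_firewall: bool) -> bool:
        """Decide whether a packet with this source IP/MAC may proceed."""
        enabled = self.enabled_to_firewall if to_firewall else self.enabled_through_firewall
        if not enabled:
            return True
        expected = self.static.get(ip, self.dynamic.get(ip))
        return expected is not None and expected == mac.lower()


if __name__ == "__main__":
    # Constructed sample: the management computer and one trusted workstation
    binding = IpMacBinding()
    binding.add_static("192.0.2.10", "00:11:22:33:44:55")   # management computer
    binding.add_static("192.0.2.20", "00:11:22:33:44:66")   # workstation

    # Enabling before the management pair is present is refused
    print(binding.enable(True, True, "192.0.2.99", "00:11:22:33:44:55"))  # False
    print(binding.enable(True, True, "192.0.2.10", "00:11:22:33:44:55"))  # True

    print(binding.permits("192.0.2.10", "00:11:22:33:44:55", to_firewall=True))   # True
    # Same IP presented with a different MAC: rejected
    print(binding.permits("192.0.2.10", "66:77:88:99:aa:bb", to_firewall=True))   # False
    # Workstation moved to a new IP without updating the table: cut off
    print(binding.permits("192.0.2.21", "00:11:22:33:44:66", to_firewall=False))  # False
```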
Content profiles

Use content profiles to apply different protection settings for content traffic controlled by firewall policies.

3 Type a Profile Name.
4 Enable antivirus protection options.
Anti Virus Scan: Scan web, FTP, and email traffic for viruses and worms. See “Antivirus scanning” on page 260.
File Block: Delete files with blocked file patterns even if they do not contain viruses. You should only enable file blocking when a virus has been found that is so new that virus scanning does not detect it. See “File blocking” on page 261.

Figure 16: Example content profile

Adding a content profile to a policy

You can add content profiles to policies with Action set to allow or encrypt and with Service set to ANY, HTTP, FTP, IMAP, POP3, SMTP, or a service group that includes these services.
1 Go to Firewall > Policy.
2 Select a policy list that contains policies to which to add a content profile.
Users and authentication

FortiGate units support user authentication to the FortiGate user database, to a RADIUS server, and to an LDAP server. You can add user names to the FortiGate user database and then add a password to allow the user to authenticate using the internal database. You can also add the names of RADIUS and LDAP servers.

This chapter describes:
• Setting authentication timeout
• Adding user names and configuring authentication
• Configuring RADIUS support
• Configuring LDAP support
• Configuring user groups

Setting authentication timeout

To set authentication timeout:
1 Go to System > Config > Options.

Adding user names and configuring authentication

5 Select Try other servers if connect to selected server fails if you have selected Radius and you want the FortiGate unit to try to connect to other RADIUS servers added to the FortiGate RADIUS configuration.
6 Select OK.

Figure 17: Adding a user name

Deleting user names from the internal database

You cannot delete user names that have been added to user groups.

Configuring RADIUS support

If you have configured RADIUS support and a user is required to authenticate using a RADIUS server, the FortiGate unit contacts the RADIUS server for authentication. This section describes:
• Adding RADIUS servers
• Deleting RADIUS servers

Adding RADIUS servers

To configure the FortiGate unit for RADIUS authentication:
1 Go to User > RADIUS.
2 Select New to add a new RADIUS server.

Configuring LDAP support

If you have configured LDAP support and a user is required to authenticate using an LDAP server, the FortiGate unit contacts the LDAP server for authentication. To authenticate with the FortiGate unit, the user enters a user name and password. The FortiGate unit sends this user name and password to the LDAP server. If the LDAP server can authenticate the user, the user is successfully authenticated with the FortiGate unit.

7 Enter the distinguished name used to look up entries on the LDAP server. Enter the base distinguished name for the server using the correct X.500 or LDAP format. The FortiGate unit passes this distinguished name unchanged to the server.

Configuring user groups

To enable authentication, you must add user names, RADIUS servers, and LDAP servers to one or more user groups. You can then select a user group when you require authentication. You can select a user group to configure authentication for:
• Policies that require authentication. Only users in the selected user group, or users that can authenticate with the RADIUS servers added to the user group, can authenticate with these policies.

Figure 20: Adding a user group
3 Enter a Group Name to identify the user group. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
4 To add users to the user group, select a user from the Available Users list and select the right arrow to add the name to the Members list.
FortiGate-400 Installation and Configuration Guide Version 2.50 MR2 IPSec VPN A Virtual Private Network (VPN) is an extension of a private network that encompasses links across shared or public networks such as the Internet. For example, a company that has two offices in different cities, each with its own private network, can employ a VPN to create a secure tunnel between the offices. Similarly, a teleworker can use a VPN client to gain remote access to his private office network.
Key management IPSec VPN Key management There are three basic elements in any encryption system: • • • an algorithm which changes information into code, a cryptographic key which serves as a secret starting point for the algorithm, a management system to control the key. IPSec provides two ways to handle key exchange and management: manual keying and IKE for automated key management.
IPSec VPN Manual key IPSec VPNs Manual key IPSec VPNs When manual keys are employed, complementary security parameters must be entered at both ends of the tunnel. In addition to encryption and authentication algorithms and keys, the security parameter index (SPI) is required. The SPI is an arbitrary value that defines the structure of the communication between the peers. With other methods the SPI is generated automatically but with the manual key configuration it must be entered as part of the VPN setup.
Manual key IPSec VPNs IPSec VPN 5 Enter the Remote SPI. The Remote Security Parameter Index is a hexadecimal number of up to eight digits (digits can be 0 to 9, a to f) in the range bb8 to FFFFFFF. This number must be added to the Local SPI at the opposite end of the tunnel. 6 Enter the Remote Gateway. This is the external IP address of the FortiGate unit or other IPSec gateway at the opposite end of the tunnel. 7 Select an Encryption Algorithm from the list.
IPSec VPN AutoIKE IPSec VPNs AutoIKE IPSec VPNs Fortunate supports two methods of Automatic Internet Key Exchange (AutoIKE) for the purpose of establishing IPSec VPN tunnels: AutoIKE with pre-shared keys and AutoIKE with digital certificates.
AutoIKE IPSec VPNs IPSec VPN 3 Enter a Gateway Name for the remote VPN peer. The remote VPN peer can be either a gateway to another network or an individual client on the Internet. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed. 4 Select a Remote Gateway address type. • If the remote VPN peer has a static IP address, select Static IP Address.
IPSec VPN AutoIKE IPSec VPNs 10 Optionally, enter the Local ID of the FortiGate unit. The entry is required if the FortiGate unit is functioning as a client and uses its local ID to authenticate itself to the remote VPN peer. (If you do not add a local ID, the FortiGate unit will transmit its IP address.) Configure the local ID only with pre-shared keys and aggressive mode. Do not configure the local ID with certificates or main mode. Configuring advanced options 1 Select Advanced Options.
AutoIKE IPSec VPNs IPSec VPN 4 5 6 216 Optionally, configure NAT Traversal. Enable Select Enable if you expect the IPSec VPN traffic to go through a gateway that performs NAT. If no NAT device is detected, enabling NAT traversal will have no effect. Both ends of the VPN (both VPN peers) must have the same NAT traversal setting. Keepalive Frequency If you enable NAT-traversal, you can change the number of seconds in the Keepalive Frequency field.
IPSec VPN AutoIKE IPSec VPNs Figure 21: Adding a phase 1 configuration Adding a phase 2 configuration for an AutoIKE VPN Add a phase 2 configuration to specify the parameters used to create and maintain a VPN tunnel between the local VPN peer (the FortiGate unit) and the remote VPN peer (the VPN gateway or client). Note: Adding a Phase 2 configuration is the same for pre-shared key and certification VPNs. To add a phase 2 configuration: 1 Go to VPN > IPSEC > Phase 2.
AutoIKE IPSec VPNs IPSec VPN 4 Select a Remote Gateway to associate with the VPN tunnel. A remote gateway can be either a gateway to another network or an individual client on the Internet. Remote gateways are added as part of the phase 1 configuration. For details, see “Adding a phase 1 configuration for an AutoIKE VPN” on page 213. Choose either a single DIALUP remote gateway, or up to three STATIC remote gateways. Multiple STATIC remote gateways are necessary if you are configuring IPSec redundancy.
IPSec VPN Managing digital certificates Figure 22: Adding a phase 2 configuration Managing digital certificates Digital certificates are used to ensure that both participants in an IPSec communications session are trustworthy, prior to an encrypted VPN tunnel being set up between the participants. Fortinet uses a manual procedure to obtain certificates.
Managing digital certificates IPSec VPN Generating the certificate request With this procedure, you generate a private and public key pair. The public key is the base component of the certificate request. To generate the certificate request: 1 Go to VPN > Local Certificates. 2 Select Generate. 3 Enter a Certificate Name. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
IPSec VPN Managing digital certificates Figure 23: Adding a Local Certificate Downloading the certificate request With this procedure, you download the certificate request from the FortiGate unit to the management computer. To download the certificate request: 1 Go to VPN > Local Certificates. 2 Select Download 3 Select Save. 4 Name the file and save it in a directory on the management computer. to download the local certificate to the management computer.
Managing digital certificates 4 IPSec VPN Request the signed local certificate. Follow the CA web server instructions to: • add a base64 encoded PKCS#10 certificate request to the CA web server, • paste the certificate request to the CA web server, • submit the certificate request to the CA web server. The certificate request is submitted to the CA for it to sign.
IPSec VPN Managing digital certificates 3 Enter the path or browse to locate the signed local certificate on the management computer. 4 Select OK. The signed local certificate will be displayed on the Local Certificates list with a status of OK. Obtaining a CA certificate For the VPN peers to authenticate themselves to each other, they must both obtain a CA certificate from the same certificate authority.
Configuring encrypt policies IPSec VPN Configuring encrypt policies A VPN connects the local, internal network to a remote, external network. The principal role of the encrypt policy is to define (and limit) which addresses on these networks can use the VPN. A VPN requires only one encrypt policy to control both inbound and outbound connections.
IPSec VPN Configuring encrypt policies Adding a source address The source address is located within the internal network of the local VPN peer. It can be a single computer address or the address of a network. 1 Go to Firewall > Address. 2 Select an internal interface. (Methods will differ slightly between FortiGate models.) 3 Select New to add an address.
Configuring encrypt policies IPSec VPN Inbound NAT The FortiGate unit translates the source address of incoming packets to the IP address of the FortiGate interface connected to the source address network. Typically, this is an internal interface of the FortiGate unit. Inbound NAT makes it impossible for local hosts to see the IP addresses of remote hosts (hosts located on the network behind the remote VPN gateway).
IPSec VPN IPSec VPN concentrators IPSec VPN concentrators In a hub-and-spoke network, all VPN tunnels terminate at a single VPN peer known as a hub. The peers that connect to the hub are known as spokes. The hub functions as a concentrator on the network, managing the VPN connections between the spokes. The advantage of a hub-and-spoke network is that the spokes are simpler to configure because they require fewer policy rules.
IPSec VPN concentrators IPSec VPN To create a VPN concentrator configuration: 1 Configure a tunnel for each spoke. Choose between a manual key tunnel or an AutoIKE tunnel. • A manual key tunnel consists of a name for the tunnel, the IP address of the spoke (client or gateway) at the opposite end of the tunnel, and the encryption and authentication algorithms to use for the tunnel. See “Manual key IPSec VPNs” on page 211. • An AutoIKE tunnel consists of phase 1 and phase 2 parameters.
IPSec VPN IPSec VPN concentrators Adding a VPN concentrator To add a VPN concentrator configuration: 1 Go to VPN > IPSec > Concentrator. 2 Select New to add a VPN concentrator. 3 Enter the name of the new concentrator in the Concentrator Name field. 4 To add tunnels to the VPN concentrator, select a VPN tunnel from the Available Tunnels list and select the right arrow. 5 To remove tunnels from the VPN concentrator, select the tunnel in the Members list and select the left arrow.
VPN spoke general configuration steps A remote VPN peer that is functioning as a spoke requires the following configuration: • A tunnel (AutoIKE phase 1 and phase 2 configuration or manual key configuration) for the hub. • The source address of the local VPN spoke. • The destination address of each remote VPN spoke. • A separate outbound encrypt policy for each remote VPN spoke. These policies allow the local VPN spoke to initiate encrypted connections.
Action: ENCRYPT
VPN Tunnel: The VPN tunnel name added in step 1. (Use the same tunnel for all encrypt policies.)
Allow inbound: Select allow inbound.
Allow outbound: Do not enable.
Inbound NAT: Select inbound NAT if required.
Outbound NAT: Select outbound NAT if required.
See “Adding an encrypt policy” on page 225.
Configure the two FortiGate units with symmetrical settings for their connections to the Internet. For example, if the remote FortiGate unit has two external interfaces grouped within one zone, then the local FortiGate unit should have two external interfaces grouped within one zone. Similarly, if the remote FortiGate has two external interfaces in separate zones, then the local FortiGate unit should have two external interfaces in separate zones.
Monitoring and Troubleshooting VPNs This section provides general maintenance and monitoring procedures for VPNs. This section describes: • Viewing VPN tunnel status • Viewing dialup VPN connection status • Testing a VPN Viewing VPN tunnel status You can use the IPSec VPN tunnel list to view the status of all IPSec AutoIKE key VPN tunnels. For each tunnel, the list shows the tunnel status and the tunnel timeout.
To view dialup connection status: 1 Go to VPN > IPSec > Dialup. The Lifetime column displays how long the connection has been up. The Timeout column displays the time before the next key exchange. The time is calculated by subtracting the time elapsed since the last key exchange from the keylife. The Proxy ID Source column displays the actual IP address or subnet address of the remote peer.
FortiGate-400 Installation and Configuration Guide Version 2.50 MR2 PPTP and L2TP VPN You can use PPTP and L2TP to create a virtual private network (VPN) between a remote client PC running the Windows operating system and your internal network. Because they are Windows standards, PPTP and L2TP do not require third-party software on the client computer.
Figure 29: PPTP VPN between a Windows client and the FortiGate unit Configuring the FortiGate unit as a PPTP gateway Use the following procedures to configure the FortiGate unit as a PPTP gateway: Adding users and user groups To add a user for each PPTP client: 1 Go to User > Local. 2 Add and configure PPTP users. See “Adding user names and configuring authentication” on page 202. 3 Go to User > User Group. 4 Add and configure PPTP user groups.
Figure 30: Example PPTP Range configuration Adding a source address Add a source address for every address in the PPTP address range. 1 Go to Firewall > Address. 2 Select the interface to which PPTP clients connect. This can be an interface, VLAN subinterface, or zone. 3 Select New to add an address. 4 Enter the Address Name, IP Address, and NetMask for an address in the PPTP address range. 5 Select OK to save the source address.
5 To remove addresses from the address group, select an address from the Members list and select the left arrow to remove it from the group. Select OK to add the address group. Adding a destination address Add an address to which PPTP users can connect. 1 Go to Firewall > Address. 2 Select the internal interface or the DMZ interface. (Methods will differ slightly between FortiGate models.) 3 Select New to add an address.
4 Select Add. 5 Select Microsoft as the manufacturer. 6 Select Microsoft Virtual Private Networking Adapter. 7 Select OK twice. 8 Insert diskettes or CDs as required. 9 Restart the computer. Configuring a PPTP dialup connection 1 Go to My Computer > Dial-Up Networking > Configuration. 2 Double-click Make New Connection. 3 Name the connection and select Next. 4 Enter the IP address or host name of the FortiGate unit to connect to and select Next.
5 Set Connection Availability to Only for myself and select Next. 6 Select Finish. 7 In the Connect window, select Properties. 8 Select the Security tab. 9 Uncheck Require data encryption. With this option cleared, the Windows client completes the connection even when no MPPE encryption is negotiated, so treat the PPTP link as authenticated but not necessarily encrypted. 10 Select OK. Connecting to the PPTP VPN 1 Start the dialup connection that you configured in the previous procedure. 2 Enter your PPTP VPN User Name and Password. 3 Select Connect.
5 Select Advanced to configure advanced settings. 6 Select Settings. 7 Select Challenge Handshake Authentication Protocol (CHAP). 8 Make sure that none of the other settings are selected. 9 Select the Networking tab.
Figure 31: L2TP VPN between a Windows client and the FortiGate unit Configuring the FortiGate unit as an L2TP gateway Use the following procedures to configure the FortiGate unit as an L2TP gateway: Adding users and user groups To add a user for each L2TP client: 1 Go to User > Local. 2 Add and configure L2TP users. See “Adding user names and configuring authentication” on page 202. 3 Go to User > User Group. 4 Add and configure L2TP user groups.
Figure 32: Sample L2TP address range configuration 6 Add the addresses from the L2TP address range to the External zone address list. The addresses can be grouped into an External address group. 7 Add addresses to the destination zone address list to control the addresses to which L2TP clients can connect. The addresses can be grouped into an address group.
2 Add a new address group to the interface to which L2TP clients connect. This can be an interface, VLAN subinterface, or zone. 3 Enter a Group Name to identify the address group. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
Configuring a Windows 2000 client for L2TP Use the following procedure to configure a client computer running Windows 2000 so that it can connect to a FortiGate L2TP VPN. Configuring an L2TP dialup connection 1 Go to Start > Settings > Network and Dial-up Connections. 2 Double-click Make New Connection to start the Network Connection Wizard and select Next. 3 For Network Connection Type, select Connect to a private network through the Internet and select Next.
8 Add the following registry value to this key:
Value Name: ProhibitIpSec
Data Type: REG_DWORD
Value: 1
9 Save your changes and restart the computer for the changes to take effect. You must add the ProhibitIpSec registry value to each Windows 2000-based endpoint computer of an L2TP or IPSec connection to prevent the automatic filter for L2TP and IPSec traffic from being created. With this value set, Windows 2000 no longer wraps L2TP inside IPSec, so the L2TP tunnel itself is not encrypted; any confidentiality comes only from PPP-level encryption, which is not available when a RADIUS server is used for authentication.
Note: If a RADIUS server is used for authentication do not select Require data encryption. L2TP encryption is not supported for RADIUS server authentication. 5 Select Advanced to configure advanced settings. 6 Select Settings. 7 Select Challenge Handshake Authentication Protocol (CHAP). 8 Make sure that none of the other settings are selected. 9 Select the Networking tab.
Connecting to the L2TP VPN 1 Connect to your ISP. 2 Start the VPN connection that you configured in the previous procedure. 3 Enter your L2TP VPN User Name and Password. 4 Select Connect. 5 In the connect window, enter the User Name and Password that you use to connect to your dialup network connection. This user name and password are not the same as your VPN user name and password.
Network Intrusion Detection System (NIDS) The FortiGate NIDS is a real-time network intrusion detection sensor that uses attack signature definitions to both detect and prevent a wide variety of suspicious network traffic and direct network-based attacks. Whenever an attack is detected, the FortiGate NIDS can record the event in a log and send an alert email to the system administrator.
Selecting the interfaces to monitor 1 Go to NIDS > Detection > General. 2 Select the interfaces to monitor for network attacks. You can select up to 4 interfaces and VLAN subinterfaces. 3 Select Apply. Disabling the NIDS 1 Go to NIDS > Detection > General. 2 Deselect all monitored interfaces. 3 Select Apply.
Viewing the signature list To display the current list of NIDS signature groups and to view the members of a signature group: 1 Go to NIDS > Detection > Signature List. 2 View the names and action status of the signature groups in the list. The NIDS detects attacks listed in all the signature groups that are checked in the Modify or Details column. Note: The user-defined signature group is the last item in the signature list.
Enabling and disabling NIDS attack signatures By default, all NIDS attack signatures are enabled. You can use the NIDS signature list to disable detection of some attacks. Disabling unnecessary NIDS attack signatures can improve system performance and reduce the number of IDS log messages and alert emails that the NIDS generates. For example, the NIDS detects a large number of web server attacks.
Figure 35: Example user-defined signature list Downloading the user-defined signature list You can back up the user-defined signature list by downloading it to a text file on the management computer. 1 Go to NIDS > Detection > User Defined Signature List. 2 Select Download. The FortiGate unit downloads the user-defined signature list to a text file on the management computer.
Enabling NIDS attack prevention signatures The NIDS Prevention module contains signatures that are designed to protect your network against attacks. Some signatures are enabled by default; others must be enabled. For a complete list of NIDS Prevention signatures and descriptions, see the FortiGate NIDS Guide. 1 Go to NIDS > Prevention. 2 Check the box in the Enable column beside each signature that you want to enable.
For example, setting the icmpflood signature threshold to 500 will allow 500 echo requests from a source address, to which the system sends echo replies. If the number of requests is 501 or higher, the FortiGate unit will block the attacker to eliminate disruption of system operations. If you enter a threshold value of 0 or a number out of the allowable range, the FortiGate unit uses the default value.
Configuring synflood signature values For synflood signatures, you can set the threshold, queue size, and keep alive values.
Value        Description                                                           Minimum value   Maximum value   Default value
Threshold    Number of SYN requests sent to a destination host or server per        30
             second. If the SYN requests are being sent to all ports on the
             destination, as opposed to just one port, the threshold
             quadruples (4 x).
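The icmpflood and synflood thresholds above are easiest to reason about as per-second counters that act on the first packet past the limit. The following Python is an added example for this guide, not FortiGate code: it applies the rules the text states (a threshold of N admits N echo requests from a source and blocks the source on the N+1th; a SYN threshold per destination that quadruples when the SYNs spread across ports; a 0 or out-of-range value falls back to the default) to constructed packet records. The one-second window, the default and range values, and treating "more than one port" as "all ports" are this example's assumptions.

```python
"""Threshold-based flood detection modelled on the icmpflood and synflood
signature descriptions above. Added example in Python; not FortiGate code."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float          # arrival time in seconds
    src: str
    dst: str
    proto: str         # "icmp" (echo request) or "tcp"
    dport: int = 0     # TCP destination port
    syn: bool = False  # True for a TCP SYN (connection request)


def _validated(value, default, lo, hi):
    """Rule from the text: 0 or an out-of-range value means 'use the default'."""
    return value if lo <= value <= hi else default


class FloodDetector:
    # Defaults and ranges are assumptions for this example; the page only shows
    # 500 as an icmpflood example and 30 in the synflood table.
    ICMP_DEFAULT, ICMP_RANGE = 500, (1, 100000)
    SYN_DEFAULT, SYN_RANGE = 30, (30, 100000)

    def __init__(self, icmp_threshold=0, syn_threshold=0):
        self.icmp_threshold = _validated(icmp_threshold, self.ICMP_DEFAULT, *self.ICMP_RANGE)
        self.syn_threshold = _validated(syn_threshold, self.SYN_DEFAULT, *self.SYN_RANGE)
        self.blocked = set()               # source addresses cut off by icmpflood
        self.events = []                   # (ts, signature name, address)
        self._icmp = defaultdict(int)      # (src, second) -> echo requests seen
        self._syn = defaultdict(int)       # (dst, second) -> SYNs seen
        self._ports = defaultdict(set)     # (dst, second) -> distinct ports hit
        self._second = None

    def _prune(self, second):
        """Counters are per second (assumed window); drop state from earlier seconds."""
        if self._second is not None and second != self._second:
            for table in (self._icmp, self._syn, self._ports):
                for key in [k for k in table if k[1] < second]:
                    del table[key]
        self._second = second

    def feed(self, pkt):
        """Classify one packet: 'drop', 'block', 'synflood' or 'pass'."""
        if pkt.src in self.blocked:
            return "drop"                  # attacker already cut off
        second = int(pkt.ts)
        self._prune(second)
        if pkt.proto == "icmp":
            key = (pkt.src, second)
            self._icmp[key] += 1
            # Threshold N admits N requests; request N+1 blocks the source.
            if self._icmp[key] > self.icmp_threshold:
                self.blocked.add(pkt.src)
                self.events.append((pkt.ts, "icmpflood", pkt.src))
                return "block"
            return "pass"
        if pkt.proto == "tcp" and pkt.syn:
            key = (pkt.dst, second)
            self._syn[key] += 1
            self._ports[key].add(pkt.dport)
            # SYNs spread over several ports get four times the single-port threshold.
            limit = self.syn_threshold * (4 if len(self._ports[key]) > 1 else 1)
            if self._syn[key] > limit:
                self.events.append((pkt.ts, "synflood", pkt.dst))
                return "synflood"
        return "pass"


if __name__ == "__main__":
    det = FloodDetector(icmp_threshold=500)
    # Constructed burst: 502 echo requests from one host inside one second.
    verdicts = [det.feed(Packet(1.0 + i / 1000, "10.0.0.5", "10.0.0.1", "icmp"))
                for i in range(502)]
    print(verdicts[499], verdicts[500], verdicts[501], det.events)
```

Run it as a script to see the 500th request pass, the 501st block the source, and the 502nd dropped; the `events` list is where a real sensor would hand off to the attack log and alert email described later in this chapter.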
Reducing the number of NIDS attack log and email messages Intrusion attempts may generate an excessive number of attack messages. To help you distinguish real warnings from false alarms, the FortiGate unit provides methods to reduce the number of unnecessary messages. Based on how frequently messages are generated, the FortiGate unit automatically deletes duplicates.
Antivirus protection Antivirus protection is enabled in firewall policies. When you enable antivirus protection for a firewall policy, you select a content profile that controls how the antivirus protection behaves. Content profiles control the type of traffic protected (HTTP, FTP, IMAP, POP3, SMTP), the type of antivirus protection and the treatment of fragmented email and oversized files or email.
6 Configure the FortiGate unit to send an alert email when it blocks or deletes an infected file. See “Configuring alert email” in the Logging and Message Reference Guide.
Figure 37: Example content profile for virus scanning File blocking Enable file blocking to remove all files that pose a potential threat and to provide the best protection from active computer virus attacks. Blocking files is the only protection available from a virus so new that antivirus scanning cannot yet detect it. You would not normally run the FortiGate unit with blocking enabled.
By default, when blocking is enabled, the FortiGate unit blocks the following file patterns:
• executable files (*.bat, *.com, and *.exe)
• compressed or archive files (*.gz, *.rar, *.tar, *.tgz, and *.zip)
• dynamic link libraries (*.dll)
• HTML application (*.hta)
• Microsoft Office files (*.doc, *.ppt, *.xl?)
• Microsoft Works files (*.wps)
• Visual Basic files (*.vb?)
• screen saver files (*.
Quarantine FortiGate units with hard disks can be configured to quarantine blocked or infected files. The quarantined files are removed from the content stream and stored on the FortiGate hard disk. Users receive a message informing them that the removed file has been quarantined. On the FortiGate unit, the names of quarantined files are displayed in the quarantine list. The list displays status, duplication, and age information for each quarantined file.
Viewing the quarantine list 1 Go to Anti-Virus > Quarantine. The quarantine list provides the following information. File Name The processed filename of the file that was quarantined. The processed filename has all white space removed. As a file is quarantined, it is 32-bit checksummed and stored on the FortiGate hard disk with the following naming convention: <32bit CRC>. For example, a file named Over Size.exe is stored as 3fc155d2.oversize.exe.
Filtering the quarantine list You can filter the quarantine list to:
• Display only blocked files
• Display only infected files
• Display blocked and infected files found only in IMAP, POP3, SMTP, FTP, or HTTP traffic
Deleting files from quarantine 1 Go to Anti-Virus > Quarantine. 2 Select Delete to remove a quarantined file from the list. Downloading quarantined files 1 Go to Anti-Virus > Quarantine.
Blocking oversized files and emails You can configure the FortiGate unit to buffer 1 to 15 percent of available memory to store oversized files and email. The FortiGate unit then blocks a file or email that exceeds this limit instead of bypassing antivirus scanning and passing the file or email unscanned to the server or receiver.
Web filtering Web filtering is enabled in firewall policies. When you enable Anti-Virus & Web filter in a firewall policy, you select a content profile that controls how web filtering behaves for HTTP traffic. Content profiles control the following types of content filtering:
• blocking unwanted URLs,
• blocking unwanted content,
• removing scripts from web pages,
• exempting URLs from blocking.
4 Configure the messages that users receive when the FortiGate unit blocks unwanted content or unwanted URLs. See “Customizing replacement messages” on page 164. 5 Configure the FortiGate unit to send an alert email when it blocks or deletes an infected file. See “Configuring alert email” in the Logging Configuration and Reference Guide.
Figure 38: Example banned word list URL blocking You can block unwanted web URLs using the FortiGate web filter or the Cerberian web filter.
• Using the FortiGate web filter
• Using the Cerberian web filter
Using the FortiGate web filter You can configure the FortiGate unit to block all pages on a website by adding the top-level URL or IP address. You can also block individual pages on a website by including the full path and filename of the web page to block.
3 Type the URL/Pattern to block. Type a top-level URL or IP address to block access to all pages on a website. For example, www.badsite.com or 122.133.144.155 blocks access to all pages at this website. Type a top-level URL followed by the path and filename to block access to a single page on a website. For example, www.badsite.com/news.html or 122.133.144.155/news.html blocks the news page on this website. To block all pages with a URL that ends with badsite.com, add badsite.
Downloading the URL block list You can back up the URL block list by downloading it to a text file on the management computer. 1 Go to Web Filter > URL Block. 2 Select Download URL Block List. The FortiGate unit downloads the list to a text file on the management computer. You can specify a location to which to download the text file as well as a name for the text file.
Using the Cerberian web filter The FortiGate unit supports Cerberian web filtering. For information about Cerberian web filter, see www.cerberian.com. Note: If you are operating FortiGate units in active-passive HA mode, each FortiGate unit in the cluster must have its own Cerberian license. Cerberian web filtering is not supported for active-active HA. For information about HA see, “High availability” on page 75.
2 Select Cerberian URL Filtering. 3 Select New. 4 Enter the IP address and netmask of the user computers. You can enter the IP address of a single user. For example, 192.168.100.19 255.255.255.255. You can also enter a subnet of a group of users. For example, 192.168.100.0 255.255.255.0. 5 Enter an alias for the user. This alias will be used as the user name when you add the user to a user group on the Cerberian server.
3 Select the Cerberian URL Filtering option. 4 Go to Firewall > Content Profile. 5 Create a new or select an existing content profile and enable Web URL Block. 6 Go to Firewall > Policy. 7 Create a new or select an existing policy that will use the content profile. 8 Select Anti-Virus & Web filter. 9 Select the content profile from the Content Profile list. 10 Click OK.
Figure 41: Example script filter settings to block Java applets and ActiveX Exempt URL list Add URLs to the exempt URL list to allow legitimate traffic that might otherwise be blocked by content or URL blocking. For example, if content blocking is set to block pornography-related words and a reputable website runs a story on pornography, web pages from the reputable website would be blocked.
5 Select OK to add the URL to the exempt URL list. 6 You can enter multiple URLs and then select Check All to activate all items in the exempt URL list. Each page of the exempt URL list displays 100 URLs. Use Page Down and Page Up to navigate through the exempt URL list. Figure 42: Example exempt URL list
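To make the URL block list, the exempt URL list and the banned word list concrete, here is an added Python example (not FortiGate code) that applies them to constructed URLs and page text: a host-only entry such as www.badsite.com blocks every page on that host, an entry with a path such as www.badsite.com/news.html blocks that single page, a bare domain such as badsite.com covers every host name ending with it, and an exempt entry overrides both URL blocking and content blocking, which is the reputable-website case described above. The page does not spell out the exact matching rules of the FortiGate lists, so the rules coded here are this example's own; the host names and the banned word are constructed.

```python
"""URL block list, exempt URL list and banned-word content blocking in the
style of the FortiGate web filter described above. Added example; not
FortiGate code. Matching rules below are this example's own assumptions."""
import re
from urllib.parse import urlsplit


def _split(entry):
    """Normalise a list entry or a requested URL to (host, path).
    Scheme, port and case are ignored, so 'www.badsite.com' and
    'http://www.badsite.com/' both become ('www.badsite.com', '/')."""
    s = entry.strip().lower()
    if "://" not in s:
        s = "http://" + s
    parts = urlsplit(s)
    return parts.hostname or "", parts.path or "/"


def _matches(pattern, url):
    """Assumed rule: a host-only entry matches that host and any sub-domain
    (so 'badsite.com' covers every host ending with badsite.com) and every page
    on it; an entry with a path matches only that one page on that host."""
    phost, ppath = pattern
    uhost, upath = url
    host_ok = uhost == phost or uhost.endswith("." + phost)
    if ppath == "/":
        return host_ok
    return host_ok and upath == ppath


class WebFilter:
    def __init__(self, block_list=(), exempt_list=(), banned_words=()):
        self.block = [_split(e) for e in block_list]
        self.exempt = [_split(e) for e in exempt_list]
        # Banned words match as whole words, case-insensitively (assumption).
        self.banned = [re.compile(r"\b" + re.escape(w) + r"\b", re.I)
                       for w in banned_words]

    def decide(self, url, body=""):
        """Return 'allow', 'block-url' or 'block-content' for one request.
        Exempt URLs win over both URL blocking and content blocking."""
        target = _split(url)
        if any(_matches(p, target) for p in self.exempt):
            return "allow"
        if any(_matches(p, target) for p in self.block):
            return "block-url"
        if any(rx.search(body) for rx in self.banned):
            return "block-content"
        return "allow"


if __name__ == "__main__":
    # Constructed lists and requests; none of these hosts are real targets.
    wf = WebFilter(block_list=["www.badsite.com", "122.133.144.155/news.html", "badsite.org"],
                   exempt_list=["www.reputable.example"],
                   banned_words=["casino"])
    for url, body in [("http://www.badsite.com/anything.html", ""),
                      ("http://122.133.144.155/index.html", ""),
                      ("http://www.reputable.example/story.html", "a story about casino fraud"),
                      ("http://news.example/story.html", "Casino promo")]:
        print(wf.decide(url, body), url)
```

The order of the three checks is the point worth copying: exemptions are evaluated first, so an exempt entry with a path (for example a single article) lets that page through while the rest of the host stays blocked.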
Email filter Email filtering is enabled in firewall policies. When you enable Anti-Virus & Web filter in a firewall policy, you select a content profile that controls how email filtering behaves for email (IMAP and POP3) traffic.
Email banned word list When the FortiGate unit detects email that contains a word or phrase in the banned word list, the FortiGate unit adds a tag to the subject line of the email and writes a message to the event log. Receivers can then use their mail client software to filter messages based on the subject tag. You can add banned words to the list in many languages using Western, Simplified Chinese, Traditional Chinese, Japanese, or Korean character sets.
Email block list You can configure the FortiGate unit to tag all IMAP and POP3 protocol traffic sent from unwanted email addresses. When the FortiGate unit detects an email sent from an unwanted address pattern, the FortiGate unit adds a tag to the subject line of the email and writes a message to the email filter log. Receivers can then use their mail client software to filter messages based on the subject tag.
Adding address patterns to the email exempt list 1 Go to Email Filter > Exempt List. 2 Select New to add an address pattern to the email exempt list. 3 Type the address pattern to exempt. • To exempt email sent from a specific email address, type the email address. For example, sender@abccompany.com. • To exempt email sent from a specific domain, type the domain name. For example, abccompany.com.
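The banned word list, the email block list and the email exempt list above combine into one decision per message. The following Python is an added example (not FortiGate code) that makes that decision for constructed IMAP/POP3 messages: an exempt sender bypasses both checks; otherwise a sender matching the block list, or a banned word in the subject or body, adds a tag to the Subject line and writes one log entry. The tag text, the log line layout, the domain-suffix rule for address patterns and the sample messages are this example's own.

```python
"""Email filter in the style described above: banned words and blocked sender
patterns tag the Subject line; exempt senders bypass both. Added example;
not FortiGate code."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample messages (not real addresses or senders).
SAMPLE_SPAM = (b"From: promo@spammer.example\r\nTo: user@abccompany.com\r\n"
               b"Subject: Great offer\r\nContent-Type: text/plain\r\n\r\n"
               b"Cheap casino credits today\r\n")
SAMPLE_EXEMPT = (b"From: sender@abccompany.com\r\nTo: user@abccompany.com\r\n"
                 b"Subject: Casino night for the team\r\nContent-Type: text/plain\r\n\r\n"
                 b"Friday at eight.\r\n")
SAMPLE_CLEAN = (b"From: partner@other.example\r\nTo: user@abccompany.com\r\n"
                b"Subject: Meeting notes\r\nContent-Type: text/plain\r\n\r\n"
                b"See attached.\r\n")


def _sender_matches(address, patterns):
    """A pattern containing '@' is a full address; one without is a domain and
    matches that domain and its sub-domains (rule assumed for this example)."""
    address = address.lower()
    domain = address.rpartition("@")[2]
    for p in (p.strip().lower() for p in patterns):
        if "@" in p:
            if address == p:
                return True
        elif domain == p or domain.endswith("." + p):
            return True
    return False


class EmailFilter:
    def __init__(self, banned_words=(), block_list=(), exempt_list=(), tag="[Filtered]"):
        # Banned words match as whole words, case-insensitively (assumption).
        self.banned = [re.compile(r"\b" + re.escape(w) + r"\b", re.I) for w in banned_words]
        self.block_list = list(block_list)
        self.exempt_list = list(exempt_list)
        self.tag = tag
        self.log = []  # one entry per tagged message; layout is this example's own

    def process(self, raw):
        """Parse one message (bytes), tag it if it matches, and return
        (message, reasons). reasons is empty when the message passes untouched."""
        msg = email.message_from_bytes(raw, policy=policy.default)
        sender = parseaddr(msg.get("From", ""))[1]
        if _sender_matches(sender, self.exempt_list):
            return msg, []                      # exempt list wins over both checks
        reasons = []
        if _sender_matches(sender, self.block_list):
            reasons.append("sender " + sender + " is on the block list")
        body = msg.get_body(preferencelist=("plain",))
        text = msg.get("Subject", "") + "\n" + (body.get_content() if body else "")
        for rx in self.banned:
            hit = rx.search(text)
            if hit:
                reasons.append("banned word '" + hit.group(0) + "'")
        if reasons:
            subject = msg.get("Subject", "")
            if "Subject" in msg:
                msg.replace_header("Subject", self.tag + " " + subject)
            else:
                msg["Subject"] = self.tag
            self.log.append("from=" + sender + " subject=" + str(msg["Subject"])
                            + " reasons=" + "; ".join(reasons))
        return msg, reasons


if __name__ == "__main__":
    ef = EmailFilter(banned_words=["casino"], block_list=["spammer.example"],
                     exempt_list=["sender@abccompany.com"])
    for raw in (SAMPLE_SPAM, SAMPLE_EXEMPT, SAMPLE_CLEAN):
        m, why = ef.process(raw)
        print(m["Subject"], why)
    print(ef.log)
```

The tag is prepended rather than appended so that a mail client rule of the form "subject begins with [Filtered]" catches it regardless of how long the original subject is; the exempt check runs before any content inspection, matching the precedence the text gives the exempt list.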
Logging and reporting You can configure the FortiGate unit to log network activity from routine configuration changes and traffic sessions to emergency events. You can also configure the FortiGate unit to send alert email messages to inform system administrators about events such as network attacks, virus incidents, and firewall and VPN events.
This section describes:
• Recording logs on a remote computer
• Recording logs on a NetIQ WebTrends server
• Recording logs on the FortiGate hard disk
• Recording logs in system memory
Recording logs on a remote computer Use the following procedure to configure the FortiGate unit to record log messages on a remote computer. The remote computer must be running a syslog server. 1 Go to Log&Report > Log Setting.
4 Select the severity level for which you want to record log messages. The FortiGate unit records messages at the selected severity level and at every more severe level, but none that are less severe. For example, if you want to record emergency, alert, critical, and error messages, select Error. 5 Select Config Policy. To configure the FortiGate to filter the types of logs and events to record, use the procedures in “Filtering log messages” on page 284 and “Configuring traffic logging” on page 286.
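The severity rule in step 4 is easy to invert because syslog numbers severities the other way round (emergency is 0, debug is 7), so "Error and above" means a numeric severity of 3 or lower. The following Python is an added example, not FortiGate code: it filters constructed log lines at a chosen level and builds the PRI value a remote syslog server sees at the start of each datagram. The standard syslog severity numbering and the local7 facility are assumptions; the sample lines are constructed and do not follow the FortiGate log format.

```python
"""Severity-level filtering for messages forwarded to a remote syslog server.
Added example in Python; not FortiGate code."""
import re
import socket

# Standard syslog severities (assumed here): a lower number is more severe.
SEVERITIES = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notice": 5, "information": 6, "debug": 7,
}
LOCAL7 = 23  # facility chosen for this example; many syslog servers file firewall logs here

# Constructed sample lines in the form "<level> <text>" (not FortiGate log format).
SAMPLE_LINES = [
    "critical interface external link down",
    "error VPN tunnel to 203.0.113.7 failed phase 1",
    "warning antivirus database is 14 days old",
    "notice admin login from 192.0.2.10",
    "information policy 3 accepted session",
    "alert disk usage above 90 percent",
]


def parse_line(line):
    """Split a sample line into (severity number, text); None if the level is unknown."""
    m = re.match(r"(\w+)\s+(.*)", line)
    if not m or m.group(1).lower() not in SEVERITIES:
        return None
    return SEVERITIES[m.group(1).lower()], m.group(2)


def should_record(severity, minimum_level):
    """'Down to but not lower than' the chosen level: record when the numeric
    severity is less than or equal to the chosen level's number."""
    return severity <= SEVERITIES[minimum_level]


def syslog_pri(facility, severity):
    """PRI value at the start of a syslog datagram: facility * 8 + severity."""
    return facility * 8 + severity


def forward(lines, minimum_level, facility=LOCAL7):
    """Return the datagram payloads that would be sent for the lines that pass
    the severity filter, in their original order."""
    out = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        sev, text = parsed
        if should_record(sev, minimum_level):
            out.append("<%d>%s" % (syslog_pri(facility, sev), text))
    return out


def send_udp(payloads, host, port=514):
    """Send payloads to a syslog server over UDP (classic syslog transport).
    Not exercised by the sample run below."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for p in payloads:
            s.sendto(p.encode("utf-8"), (host, port))


if __name__ == "__main__":
    for payload in forward(SAMPLE_LINES, "error"):
        print(payload)
```

Selecting Error keeps the critical, error and alert lines and drops warning, notice and information; the same ordering applies when you later read the logs back from memory or the hard disk, so a filter set too high silently hides the less severe events rather than flagging them.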
Recording logs in system memory If your FortiGate unit does not contain a hard disk, you can use the following procedure to configure the FortiGate unit to reserve some system memory for storing current event, attack, antivirus, web filter and email filter log messages. Logging to memory allows quick access to only the most recent log entries. The FortiGate unit can store a limited number of messages in system memory.
Email Filter Log: Record activity events, such as detection of email that contains unwanted content and email from unwanted senders.
Update: Record log messages when the FortiGate connects to the FDN to download antivirus and attack updates.
4 Select the message categories that you want the FortiGate unit to record if you selected Event Log, Virus Log, Web Filtering Log, Attack Log, Email Filter Log, or Update in step 3. 5 Select OK.
Configuring traffic logging You can configure the FortiGate unit to record traffic log messages for connections to:
• Any interface
• Any VLAN subinterface
• Any firewall policy
The FortiGate unit can filter traffic logs for any source and destination address and service. You can also enable the following global settings:
• resolve IP addresses to host names,
• record session or packet information,
• display the port number or service.
5 Repeat this procedure for each VLAN subinterface for which you want to enable logging. Enabling traffic logging for a firewall policy If you enable traffic logging for a firewall policy, all connections accepted by that policy are recorded in the traffic log. 1 Go to Firewall > Policy. 2 Select a policy tab. 3 Select Log Traffic. 4 Select OK.
Adding traffic filter entries Add entries to the traffic filter list to filter the messages that are recorded in the traffic log. If you do not add any entries to the traffic filter list, the FortiGate records all traffic log messages. You can add entries to the traffic filter list to limit the traffic logs that are recorded.
Viewing logs saved to memory If the FortiGate is configured to save log messages in system memory, you can use the web-based manager to view, search, and clear the log messages. This section describes:
• Viewing logs
• Searching logs
Viewing logs Log messages are listed with the most recent message at the top. Use the following procedure to view log messages saved in system memory: 1 Go to Log&Report > Logging.
Viewing and managing logs saved to the hard disk If your FortiGate unit contains a hard disk for recording logs, you can use the following procedures to view, search and maintain logs:
• Viewing logs
• Searching logs
• Downloading a log file to the management computer
• Deleting all messages in an active log
• Deleting a saved log file
Viewing logs Log messages are listed with the most recent message at the top.
Keyword: To search for any text in a log message. Keyword searching is case-sensitive.
Source: To search for any source IP address.
Destination: To search for any destination IP address.
Time: To search log messages created during the selected year, month, day, and hour.
8 Select OK to run the search. The web-based manager displays the messages that match the search criteria.
Deleting a saved log file Use the following procedure to delete a saved log file: 1 Go to Log&Report > Logging. 2 Select Traffic Log, Event Log, Attack log, Antivirus Log, Web Filter Log, or Email Filter Log. The web-based manager lists all saved logs of the selected type, with the active log at the top of the list. For each log, the list shows the date and time at which an entry was last added to the log, the size of the log file, and its name.
6 Type up to three destination email addresses in the Email To fields. These are the actual email addresses to which the FortiGate unit sends alert email. 7 Select Apply. Testing alert email You can test the alert email settings by sending a test email. 1 Go to Log&Report > Alert Mail > Configuration. 2 Select Test to send test email messages from the FortiGate unit to the Email To addresses that you have configured.
Glossary Connection: A link between machines, applications, processes, and so on that can be logical, physical, or both. DMZ, Demilitarized Zone: Used to host Internet services without allowing unauthorized access to an internal (private) network. Typically, the DMZ contains servers accessible to Internet traffic, such as Web (HTTP) servers, FTP servers, SMTP (email) servers and DNS servers.
LAN, Local Area Network: A computer network that spans a relatively small area. Most LANs connect workstations and personal computers. Each computer on a LAN is able to access data and devices anywhere on the LAN. This means that many users can share data as well as physical resources such as printers. MAC address, Media Access Control address: A hardware address that uniquely identifies each node of a network.
SSH, Secure shell: A secure Telnet replacement that you can use to log into another computer over a network and run commands. SSH provides strong authentication and secure communications over insecure channels. Subnet: A portion of a network that shares a common address component. On TCP/IP networks, subnets are defined as all devices whose IP addresses have the same prefix. For example, all devices with IP addresses that start with 100.100.100. would be part of the same subnet.
Index AutoIKE 210 certificates 210 introduction 210 pre-shared keys 210 automatic antivirus and attack definition updates configuring 118 B backing up system settings 108 bandwidth guaranteed 175 maximum 175 banned word list adding words 268, 278 blacklist URL 271 block traffic IP/MAC binding 194, 195 log option 283 blocking access to Internet sites 269, 279 access to URLs 269, 279 adding filename patterns 262 file 261 oversized files and email 266 web pages 268, 278 C certificates introduction 210 checks
E email alert testing 293 email filter log 285 enabling policy 178 encrypt policy 174 encrypt policy allow inbound 175 allow outbound 175 Inbound NAT 175 Outbound NAT 175 ending IP address PPTP 236, 242 environmental specifications 31 event log 284 viewing 289 exempt URL list 275, 279 adding URL 275, 280 exempting URLs from content and URL blocking 275, 279 expire system status 114 F factory default restoring system settings 108 FAQs 233 FDN connecting to 116 FortiResponse Distribution Network 116 F
HTTPS 20, 139, 183, 295 I ICMP 183, 295 configuring checksum verification 250 idle timeout web-based manager 158 IDS log viewing 289 IKE 295 IMAP 183, 295 Inbound NAT encrypt policy 175 interface RIP 152 internal address example 180 internal address group example 181 internal network configuring 50 Internet blocking access to Internet sites 269, 279 blocking access to URLs 269, 279 Internet key exchange 295 intrusion attempts alert email 293 IP configuring checksum verification 250 IP address IP/MAC
logging 21, 281 attack log 284 configuring traffic settings 286, 287 deleting all messages 291 deleting log files 292 downloading log files 291 email filter log 285 enabling alert email 293 event log 284 filtering log messages 284 log to local 283 log to memory 284 log to remote host 282 log to WebTrends 282 recording 281 searching logs 289, 290 selecting what to log 284 traffic log 284 traffic sessions 286 update log 285 viewing logs 290 virus log 284 web filtering log 284 logs maintaining 290 record
ping management access 139 policy accept 174 Anti-Virus & Web filter 176 arranging in policy list 177 Comments 177 deny 174 disabling 178 enabling 178 enabling authentication 207 fixed port 174 guaranteed bandwidth 175 Log Traffic 177 matching 177 maximum bandwidth 175 policy list configuring 177 policy routing 146 POP3 183, 296 port address translation 190 port forwarding 190 adding virtual IP 190 virtual IP 188 port number traffic filter display 287 power requirements 31 powering on 31 PPTP 207, 296
RMA registering a FortiGate unit 131 route adding default 143 adding to routing table 143 adding to routing table (Transparent mode) 145 destination 143 device 144 router next hop 136 routing 296 adding static routes 143 configuring 143 configuring routing table 145 policy 146 routing table 296 adding default route 143 adding routes 143 adding routes (Transparent mode) 145 configuring 145 S scanning antivirus 260 schedule 186 applying to policy 188 automatic antivirus and attack definition updates 11
system settings backing up 108 restoring 108 restoring to factory default 108 system status 93, 149 system status monitor 110, 111, 112, 113 T TCP configuring checksum verification 250 technical support 28 testing alert email 293 time log search 289, 291 setting 157 time zone 157 timeout firewall authentication 159 idle 158 IPSec VPN 233, 234 web-based manager 158 to IP system status 114 to port system status 114 traffic configuring global settings 286, 287 filtering 286 logging 286 traffic filter ad
virus definitions updating 115, 119 virus incidents enabling alert email 293 virus list displaying 266 viewing 266 virus log 284 virus protection overview 259 worm protection 15 VLAN configuring 139 network configuration 139 VLAN network typical configuration 140 VPN configuring L2TP gateway 242 configuring PPTP gateway 236, 242 introduction 19 L2TP configuration 242 PPTP configuration 236 Tunnel 174 viewing dialup connection status 233 VPN events enabling alert email 293 VPN tunnel viewing status 233