INSTALL GUIDE FortiGate-60B FortiOS 3.0 MR6 www.fortinet.
FortiGate-60B Install Guide FortiOS 3.0 MR6 10 September 2008 01-30006-0446-20080910 © Copyright 2008 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.
Introduction

Welcome and thank you for selecting Fortinet products for your real-time network protection. The FortiGate Unified Threat Management System improves network security, reduces network misuse and abuse, and helps you use communications resources more efficiently without compromising the performance of your network. FortiGate Unified Threat Management Systems are ICSA-certified for firewall, IPSec, and antivirus services.
About the FortiGate-60B

The FortiGate-60B multi-threat security solution offers small and medium business and SOHO/ROBO users enterprise-class protection against blended threats targeting 3G broadband, wireless LAN and wired infrastructure. The FortiGate-60B supports a wide array of wireless broadband PC Cards. It offers enterprise-class security for SOHO/ROBO users and the flexibility needed for quick point-of-sale deployment.
Note: Highlights useful additional information.

Caution: Warns you about commands or procedures that could have unexpected or undesirable results, including loss of data or damage to equipment.

Typographic conventions

FortiGate documentation uses the following typographical conventions:

Convention: Keyboard input. Example: In the Gateway Name field, type a name for the remote VPN peer or client (for example, Central_Office_1).
• FortiGate Log Message Reference: Available exclusively from the Fortinet Knowledge Center, the FortiGate Log Message Reference describes the structure of FortiGate log messages and provides information about the log messages that are generated by FortiGate units.
• FortiGate High Availability User Guide: Contains in-depth information about the high availability feature and the clustering protocol.
Installing

This chapter describes installing your FortiGate unit in your server room, its environmental specifications, and how to mount the FortiGate unit in a rack, if applicable.
• Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
• Consult the dealer or an experienced radio/TV technician for help.

This equipment complies with the FCC radiation exposure limits set forth for an uncontrolled environment.

Cautions and warnings

Review the following cautions before installing your FortiGate unit.

Caution: Risk of explosion if the battery is replaced by an incorrect type.
Mounting

If the unit must fit into a rack, remove the rubber feet from the bottom of the FortiGate unit. For desktop use, adhere the rubber feet included in the package to the underside of the FortiGate unit, near the corners of the device, and place the unit on any flat, stable surface. Ensure the unit has sufficient clearance on each side to allow adequate airflow for cooling.
Configuring

This section provides an overview of the operating modes of the FortiGate unit, NAT/Route and Transparent, and how to configure the FortiGate unit for each mode. There are two ways to configure the FortiGate unit: using the web-based manager or the command line interface (CLI). This section steps through both methods; use whichever you are most comfortable with.

This section includes the following topics:
• NAT vs.
Transparent mode

In Transparent mode, the FortiGate unit is invisible to the network. Similar to a network bridge, all FortiGate interfaces must be on the same subnet. You only have to configure a management IP address to make configuration changes. The management IP address is also used for antivirus and attack definition updates.

Figure 3: FortiGate unit in Transparent mode (diagram labels: management IP 10.10.10.1 on the internal network; gateway to public network 204.23.1.2)
To support a secure HTTPS authentication method, the FortiGate unit ships with a self-signed security certificate, which is offered to remote clients whenever they initiate an HTTPS connection to the FortiGate unit. When you connect, the FortiGate unit displays two security warnings in a browser. The first warning prompts you to accept and optionally install the FortiGate unit's self-signed security certificate.
Configuring NAT mode

Configuring NAT mode involves defining interface addresses and default routes, and simple firewall policies. You can use the web-based manager or the CLI to configure the FortiGate unit in NAT/Route mode.

Using the web-based manager

After connecting to the web-based manager, you can use the following procedures to complete the basic configuration of the FortiGate unit.
Initial PADT Timeout: Initial PPPoE Active Discovery Terminate (PADT) timeout in seconds. Use this timeout to shut down the PPPoE session if it is idle for this number of seconds. Your ISP must support PADT. To disable the PADT timeout, set the value to 0.

Distance: Enter the administrative distance, between 1 and 255, for the default gateway retrieved from the DHCP server.
For an initial configuration, you must edit the factory-configured static default route to specify a different default gateway for the FortiGate unit. This enables the flow of data through the FortiGate unit. For details on adding additional static routes, see the FortiGate Administration Guide.

To modify the default gateway
1 Go to Router > Static.
3 Set the following and select OK.
   Source Interface: Select the port connected to the Internet.
   Source Address: All
   Destination Interface: Select the port connected to the network.
   Destination Address: All
   Schedule: always
   Service: Any
   Action: Accept

Firewall policy configuration is the same in NAT/Route mode and Transparent mode. Note that these policies allow all traffic through; no protection profiles have been applied.
To set an interface to use PPPoE addressing

   config system interface
       edit external
           set mode pppoe
           set username <username>
           set password <password>
           set ipunnumbered <ip_address>
           set disc-retry-timeout <seconds>
           set padt-retry-timeout <seconds>
           set distance <distance>
           set defaultgw {enable | disable}
           set dns-server-override {enable | disable}
   end

The CLI lists the IP address, netmask, and other settings for each of the FortiGate interfaces.
For an initial configuration, you must edit the factory-configured static default route to specify a different default gateway for the FortiGate unit. This enables the flow of data through the FortiGate unit. For details on adding additional static routes, see the FortiGate Administration Guide.
Configuring Transparent mode

Using the web-based manager

After connecting to the web-based manager, you can use the following procedures to complete the basic configuration of the FortiGate unit. Ensure you read the section “Connecting to the web-based manager” on page 16 before beginning.

Switching to Transparent mode

The FortiGate unit comes preset to NAT mode. You need to switch to Transparent mode.

To switch to Transparent mode
1 Go to System > Status.
To add an outgoing traffic firewall policy
1 Go to Firewall > Policy.
2 Select Create New.
3 Set the following and select OK.
   Source Interface: Select the port connected to the network.
   Source Address: All
   Destination Interface: Select the port connected to the Internet.
   Destination Address: All
   Schedule: always
   Service: Any
   Action: Accept

To add an incoming traffic firewall policy
1 Go to Firewall > Policy.
2 Select Create New.
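The initial NAT-mode and Transparent-mode policies above accept all traffic and apply no protection profile. The following script, added here and not part of the guide or of FortiOS, parses a constructed FortiOS 3.0-style firewall policy table and reports policies that match everything or apply no content scanning; the CLI keywords profile_status and profile, and the sample policies, are assumptions.

```python
# Constructed sample in FortiOS 3.0 CLI layout (not from the guide). Policy 1 is the
# permissive policy the initial setup creates; 2 applies a profile named "scan";
# 3 applies the predefined "unfiltered" profile. profile_status/profile are assumed.
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 2
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP"
        set profile_status enable
        set profile "scan"
    next
    edit 3
        set srcaddr "all"
        set dstaddr "mailserver"
        set action accept
        set schedule "always"
        set service "SMTP"
        set profile_status enable
        set profile "unfiltered"
    next
end
"""

ANY_ANY = "permits all traffic from all sources to all destinations"
NO_PROFILE = "no protection profile applied (no antivirus, web filter or IPS)"


def parse_policies(config_text: str) -> dict[int, dict[str, str]]:
    """Read the 'config firewall policy' table into {policy_id: {keyword: value}}."""
    policies: dict[int, dict[str, str]] = {}
    in_table, current = False, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config firewall policy":
            in_table = True
        elif not in_table:
            continue
        elif line.startswith("edit "):
            current = int(line.split()[1])
            policies[current] = {}
        elif line.startswith("set ") and current is not None:
            _, key, value = line.split(None, 2)  # 'set key "value"'
            policies[current][key] = value.strip('"')
        elif line == "next":
            current = None
        elif line == "end":
            break
    return policies


def audit_policies(config_text: str) -> list[tuple[int, str]]:
    """Flag accept policies that match everything and/or apply no content scanning."""
    findings: list[tuple[int, str]] = []
    for pid, p in sorted(parse_policies(config_text).items()):
        if p.get("action") != "accept":
            continue  # traffic a deny policy drops is never scanned anyway
        match = (p.get("srcaddr"), p.get("dstaddr"), p.get("service"), p.get("schedule"))
        if match == ("all", "all", "ANY", "always"):
            findings.append((pid, ANY_ANY))
        if p.get("profile_status") != "enable" or p.get("profile") == "unfiltered":
            findings.append((pid, NO_PROFILE))
    return findings
```

Run audit_policies over a backed-up configuration file to list the policies that still need a protection profile after the initial setup.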
Configure a DNS server

A DNS server converts symbolic host names to IP addresses; a domain name server implements the DNS protocol. In simple terms, it acts as a phone book for the Internet, matching domain names with computer IP addresses. This enables you to use readable locations, such as fortinet.com, when browsing the Internet. DNS server IP addresses are typically provided by your Internet service provider.
Verify the configuration

Your FortiGate unit is now configured and connected to the network. To verify that the FortiGate unit is connected and configured correctly, use your web browser to browse a web site, or use your email client to send and receive email. If you cannot browse to the web site or retrieve or send email from your account, review the previous steps to ensure all information was entered correctly and try again. Remember to verify the firewall policies.
Restoring a configuration

Should you need to restore the configuration file, use the following steps.

To restore the FortiGate configuration
1 Go to System > Maintenance > Backup & Restore.
2 Select whether to upload the restore file from your PC or from a USB key. The USB Disk option is grayed out if the FortiGate unit supports USB disks but none are connected.
3 Enter the path and file name of the configuration file, or select Browse to locate the file.
To change the administrator password
1 Go to System > Admin > Administrators.
2 Select Change Password and enter a new password.
3 Select OK.

Alternatively, you can add new administrator users by selecting Create New; however, you cannot remove the admin administrator. Setting a password for this account is recommended.
Advanced configuration

The FortiGate unit and the FortiOS operating system provide a wide range of features that enable you to control network and Internet traffic and protect your network. This chapter describes some of these options and how to configure them.
Web: Apply virus scanning and web content blocking to HTTP traffic.

Unfiltered: Apply no scanning, blocking or IPS. Use the Unfiltered protection profile if no content protection is required. Add this protection profile to firewall policies for connections between highly trusted or highly secure networks where content does not need to be protected.

The best way to begin creating your own protection profile is to open a predefined profile.
Configuring firewall policies

To add or edit a firewall policy, go to Firewall > Policy and select Edit on an existing policy, or select Create New to add a policy. The source and destination Interface/Zone match the firewall policy with the source and destination of a communication session. The Address Name matches the source and destination address of the communication session. Schedule defines when the firewall policy is enabled.
• Grayware: These are unsolicited commercial software programs that are installed on computers, often without the user's consent or knowledge. Grayware programs are generally considered an annoyance, but they can cause system performance problems or be used for malicious ends. The FortiGate unit scans for known grayware executable programs in each enabled category.
Banned word lists contain specific words that may typically be found in email. The FortiGate unit searches for these words or patterns in email messages. If matches are found, the values assigned to the matched words are totalled. If the total exceeds the defined threshold, the message is marked as spam. If no match is found, the email message is passed along to the next filter. You configure banned words by going to Antispam > Banned Word.
To configure content blocking, go to Web Filter > Content Block.

URL filter lets you control additional web sites that you can block or allow, giving you greater control over certain URLs or sub-URLs. The FortiGate unit allows or blocks web pages matching any specified URLs or patterns, and displays a replacement message instead of a blocked page. To configure URL filters, go to Web Filter > URL Filter.
Configuring the modem interface

This chapter describes the modem interface configuration options. The FortiGate unit supports the modem interface only when running in NAT/Route mode. You can configure the modem interface for standalone mode, a direct connection to the Internet, or for redundant mode, acting as a backup connection to the Internet should the primary connection fail.
When the Ethernet interface can connect to its network again, the FortiGate unit disconnects the modem interface and switches back to the Ethernet interface.

Note: Do not add firewall policies for connections between the Ethernet interface that the modem replaces and other interfaces.

Note: Do not add a default route to the Ethernet interface that the modem interface replaces.
Dial on demand: Select to dial the modem when packets are routed to the modem interface. The modem disconnects after the idle timeout period if there is no network activity. When traffic occurs on the interface, the FortiGate unit dials the modem again. In Standalone mode, you cannot select Dial on demand if Auto-dial is selected.

Idle timeout (Standalone mode only): Enter the timeout duration in minutes.
Configuring the modem using the CLI

Configure the modem settings using the CLI.
Keywords and variables

account_relation {equal | fallback}: When using a PCMCIA wireless modem, set the relationship between the wireless modem and the internal modem. equal - both accounts are equal; when the FortiGate unit attempts to connect, it tries both modems, and the first one to connect becomes the primary account connection. fallback - the first account in the list is the primary connection account. Default: equal.
holddown-timer: Used only when the modem is configured as a backup for an interface. Set the time (1-60 seconds) that the FortiGate unit waits before switching from the modem interface to the primary interface, after the primary interface has been restored. This is available only when mode is set to redundant. Default: 60.
phone1: Enter the phone number required to connect to the dialup account. Do not add spaces to the phone number. Make sure to include the standard special characters for pauses, country codes, and other functions required by your modem to connect to your dialup account. No default.

phone2: Enter the phone number required to
No default.
   config system modem
       set action dial
       set status enable
       set holddown-timer 5
       set interface wan1
       set passwd1 acct1passwd
       set phone1 1234567891
       set redial 10
       set username1 acct1user
   end

Adding a Ping Server

Adding a ping server is required for routing failover for the modem in redundant mode. A ping server confirms connectivity to an Ethernet interface.
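An added model of the redundant-mode switching described in this chapter (the modem dials when the ping server for the primary interface stops answering, and the unit waits holddown-timer seconds after the primary is restored before switching back), using the holddown-timer 5 from the sample above. This is not FortiOS code: the ModemFailover class, run_scenario, the per-observation ping check and the choice that a failed ping during the holddown restarts the wait are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ModemFailover:
    """Model of redundant-mode switching. Assumptions (not stated in the guide): one
    ping-server result per observation decides primary health, and a failed ping
    during the holddown period restarts the wait."""
    holddown_timer: int = 60            # seconds, 1-60; the guide's default is 60
    primary: str = "wan1"               # Ethernet interface the modem backs up
    active: str = "wan1"                # interface currently carrying traffic
    restored_at: Optional[int] = None   # time the primary came back, if waiting
    events: list = field(default_factory=list)

    def __post_init__(self) -> None:
        if not 1 <= self.holddown_timer <= 60:
            raise ValueError("holddown-timer must be 1-60 seconds")

    def observe(self, t: int, ping_ok: bool) -> str:
        """Feed one ping-server result at time t (seconds); return the active interface."""
        if self.active == self.primary:
            if not ping_ok:                 # primary lost: dial the modem
                self.active = "modem"
                self.events.append((t, "ping server unreachable, dialling modem"))
        elif not ping_ok:                   # primary flapped: abandon the holddown
            self.restored_at = None
        elif self.restored_at is None:      # primary back: start the holddown
            self.restored_at = t
            self.events.append((t, "primary restored, holddown started"))
        elif t - self.restored_at >= self.holddown_timer:
            self.active = self.primary      # holddown expired: hang up the modem
            self.restored_at = None
            self.events.append((t, f"back on {self.primary}, modem disconnected"))
        return self.active


def run_scenario(holddown_timer: int = 5) -> tuple[dict[int, str], list]:
    """Constructed timeline: ping server down 3-6 s, back at 7, down again at 8,
    up from 9 on. Returns {t: active interface} and the switch events."""
    fo = ModemFailover(holddown_timer=holddown_timer)
    down = {3, 4, 5, 6, 8}
    trace = {t: fo.observe(t, t not in down) for t in range(20)}
    return trace, fo.events
```

With holddown-timer 5, the brief recovery at 7 s does not bring wan1 back; the unit returns to wan1 only after five uninterrupted seconds of successful pings, at 14 s.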
Adding firewall policies for modem connections

The modem interface requires firewall addresses and policies. You can add one or more addresses to the modem interface. For information about adding addresses, see the FortiGate Administration Guide. When you add addresses, the modem interface appears on the policy grid.
Configuring the PCMCIA modem card

7 If a security PIN is required, enter it in the Extra Initialization String field in the following format:
   at+cpin=5555
   where 5555 is the PIN provided to you by your ISP.
8 Select Apply.

Create a static route, firewall policies and VPN configuration using this modem interface, just as you would for any physical interface.
FortiGate Firmware

Fortinet periodically updates the FortiGate firmware to include new features and address issues. After you have registered your FortiGate unit, FortiGate firmware updates are available for download at the support web site, http://support.fortinet.com. You can also use the instructions in this chapter to downgrade, or revert, to a previous version.
To download firmware
1 Log into the site using your user name and password.
2 Go to Firmware Images > FortiGate.
3 Select the most recent FortiOS version, MR release and patch release.
4 Locate the firmware for your FortiGate unit, right-click the link and select the Download option for your browser.

Note: Always review the Release Notes for a new firmware release before installing it.
Note: To use this procedure, you must log in using the admin administrator account, or an administrator account that has system configuration read and write privileges.

To revert to a previous firmware version
1 Copy the firmware image file to the management computer.
2 Log into the FortiGate web-based manager.
3 Go to System > Status.
4 Under System Information > Firmware Version, select Update.
Note: You need an unencrypted configuration file for this feature. Also, the default files, image.out and system.conf, must be in the root directory of the USB key.

Note: Make sure at least FortiOS v3.0 MR1 is installed on the FortiGate unit before installing.

To configure the USB Auto-Install
1 Go to System > Maintenance > Backup and Restore.
2 Select the blue arrow to expand the Advanced options.
5 Enter the following command to copy the firmware image from the TFTP server to the FortiGate unit:
   execute restore image <name> <tftp_ip>
   where <name> is the name of the firmware image file and <tftp_ip> is the IP address of the TFTP server. For example, if the firmware image file name is image.out and the IP address of the TFTP server is 192.168.1.168, enter:
   execute restore image image.out 192.168.1.
4 Make sure the FortiGate unit can connect to the TFTP server. You can use the following command to ping the computer running the TFTP server. For example, if the TFTP server's IP address is 192.168.1.168:
   execute ping 192.168.1.
If you are reverting to a previous FortiOS version, you might not be able to restore the previous configuration from the backup configuration file.

Note: Installing firmware replaces your current antivirus and attack definitions with the definitions included with the firmware release you are installing. After you install new firmware, make sure that antivirus and attack definitions are up to date.
9 Type the address of the TFTP server and press Enter. The following message appears:
   Enter Local Address [192.168.1.188]:
10 Type an IP address the FortiGate unit can use to connect to the TFTP server. The IP address can be any IP address that is valid for the network the interface is connected to. Make sure you do not enter the IP address of another device on this network. The following message appears:
   Enter File Name [image.
To restore configuration using the CLI
1 Log into the CLI.
2 Enter the following command to restore the configuration files:
   exec restore image usb
   The FortiGate unit responds with the following message:
   This operation will replace the current firmware version! Do you want to continue? (y/n)
3 Type y.
Testing new firmware before installing

You can test a new firmware image by installing the firmware image from a system reboot and saving it to system memory. After completing this procedure, the FortiGate unit operates using the new firmware image with the current configuration. This new firmware image is not permanently installed.
8 Type G to get the new firmware image from the TFTP server. The following message appears:
   Enter TFTP server address [192.168.1.168]:
9 Type the address of the TFTP server and press Enter. The following message appears:
   Enter Local Address [192.168.1.188]:
10 Type an IP address of the FortiGate unit to connect to the TFTP server.