FortiGate-800 Installation and Configuration Guide
FortiGate User Manual Volume 1, Version 2.
[Cover illustration: FortiGate-800 front panel]
© Copyright 2004 Fortinet Inc. All rights reserved. No part of this publication, including text, examples, diagrams or illustrations, may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc.
FortiGate-800 Installation and Configuration Guide Version 2.50

Introduction

FortiGate Antivirus Firewalls support network-based deployment of application-level services, including antivirus protection and full-scan content filtering. FortiGate Antivirus Firewalls improve network security, reduce network misuse and abuse, and help you use communications resources more efficiently without compromising the performance of your network.

Antivirus protection

FortiGate ICSA-certified antivirus protection scans web (HTTP), file transfer (FTP), and email (SMTP, POP3, and IMAP) content as it passes through the FortiGate unit. If a virus is found, antivirus protection removes the file containing the virus from the content stream and forwards a replacement message to the intended recipient.

Email filtering

FortiGate email filtering can scan all IMAP and POP3 email content for unwanted senders or unwanted content. If the sender address matches a pattern on the email block list, or the email contains a word or phrase from the banned word list, the FortiGate unit adds an email tag to the subject line of the email. The recipient can use the mail client software to filter messages based on the email tag.

NAT/Route mode

In NAT/Route mode, you can create NAT mode policies and Route mode policies.
• NAT mode policies use network address translation to hide the addresses in a more secure network from users in a less secure network.
• Route mode policies accept or deny connections between networks without performing address translation.

Transparent mode

Transparent mode provides the same basic firewall protection as NAT mode.

VPN

Using FortiGate virtual private networking (VPN), you can provide a secure connection between widely separated office networks or securely link telecommuters or travellers to an office network. Service providers can also use the FortiGate unit to provide VPN services for their clients.

Secure installation, configuration, and management

The first time you power on the FortiGate unit, it is already configured with default IP addresses and security policies. Connect to the web-based manager, set the operating mode, and use the Setup wizard to customize FortiGate IP addresses for your network, and the FortiGate unit is ready to protect your network.

Command line interface

You can access the FortiGate command line interface (CLI) by connecting a management computer serial port to the FortiGate RS-232 serial console connector. You can also use Telnet or a secure SSH connection to connect to the CLI from any network that is connected to the FortiGate unit, including the Internet. The CLI supports the same configuration and monitoring functionality as the web-based manager.

Document conventions

This guide uses the following conventions to describe CLI command syntax.
• angle brackets < > to indicate variable keywords
For example: execute restore config
You enter restore config myfile.bak
indicates an ASCII string variable keyword.
indicates an integer variable keyword.
indicates an IP address variable keyword.

• Volume 4: FortiGate NIDS Guide. Describes how to configure the FortiGate NIDS to detect and protect the FortiGate unit from network-based attacks.
• Volume 5: FortiGate Logging and Message Reference Guide. Describes how to configure FortiGate logging and alert email. Also contains the FortiGate log message reference.
• Volume 6: FortiGate CLI Reference Guide. Describes the FortiGate CLI and contains a reference to all FortiGate CLI commands.
Getting started

This chapter describes unpacking, setting up, and powering on a FortiGate Antivirus Firewall unit. When you have completed the procedures in this chapter, you can proceed to one of the following:
• If you are going to operate the FortiGate unit in NAT/Route mode, go to “NAT/Route mode installation” on page 41.

Package contents

The FortiGate-800 package contains the following items:
• FortiGate-800 Antivirus Firewall
• one orange crossover ethernet cable
• one grey regular ethernet cable
• one RJ-45 serial cable
• one RJ-45 to DB-9 convertor
• one power cable
• two 19-inch rack mount brackets
• FortiGate-800 QuickStart Guide
• CD containing Fortinet user documentation

Figure 2: FortiGate-800 package contents (front view)

Power requirements
• Power dissipation: 300 W (max)
• AC input voltage: 100 to 240 VAC
• AC input current: 6 A
• Frequency: 50 to 60 Hz

Environmental specifications
• Operating temperature: 41 to 95°F (5 to 35°C)
• Storage temperature: -4 to 176°F (-20 to 80°C)
• Humidity: 10 to 90% non-condensing

Powering on

To power on the FortiGate-800 unit
1 Make sure that the power switch on the back is turned off.

Connecting to the web-based manager

Use the following procedure to connect to the web-based manager for the first time. Configuration changes made with the web-based manager are effective immediately without resetting the firewall or interrupting service. To connect to the web-based manager, you need:
• a computer with an ethernet connection,
• Internet Explorer version 4.0 or higher,
• a crossover cable or an ethernet hub and two ethernet cables.

Connecting to the command line interface (CLI)

As an alternative to the web-based manager, you can install and configure the FortiGate unit using the CLI. Configuration changes made with the CLI are effective immediately without resetting the firewall or interrupting service.

Factory default FortiGate configuration settings

The FortiGate unit is shipped with a factory default configuration. The default configuration allows you to connect to and use the FortiGate web-based manager to configure the FortiGate unit onto the network. To configure the FortiGate unit onto the network you add an administrator password, change network interface IP addresses, add DNS server IP addresses, and configure routing, if required.
Table 2: Factory default NAT/Route mode network configuration (continued)

External interface
  IP: 192.168.100.99
  Netmask: 255.255.255.0
  Default Gateway: 192.168.100.1
  Primary DNS Server: 207.194.200.1
  Secondary DNS Server: 207.194.200.129
  Management Access: Ping
DMZ interface
  IP: 10.10.10.1
  Netmask: 255.255.255.0
  Management Access: HTTPS, Ping
HA interface
  IP: 0.0.0.

Table 3: Factory default Transparent mode network configuration (continued)

Management access
  Internal: HTTPS, Ping
  External: Ping
  DMZ: HTTPS, Ping
  Interface 1: Ping
  Interface 2: Ping
  Interface 3: Ping
  Interface 4: Ping

Factory default firewall configuration

The factory default firewall configuration is the same in NAT/Route and Transparent mode.

Table 4: Factory default firewall configuration (continued)

Authentication: not selected. Users do not have to authenticate with the firewall before connecting to their destination address. You can configure user groups and select this option to require users to authenticate with the firewall before they can connect through the firewall.
Antivirus & Web Filter: selected.

Table 5: Strict content profile

Option                   HTTP   FTP    IMAP   POP3   SMTP
Antivirus Scan           yes    yes    yes    yes    yes
File Block               yes    yes    yes    yes    yes
Quarantine               yes    yes    yes    yes    yes
Web URL Block            yes
Web Content Block        yes
Web Script Filter        yes
Web Exempt List          yes
Email Block List                       yes    yes
Email Exempt List                      yes    yes
Email Content Block                    yes    yes
Oversized File/Email     block  block  block  block  block
Pass Fragmented Emails   (not selected)

Scan content profile

Use the scan content pro
Web content profile

Use the web content profile to apply antivirus scanning and web content blocking to HTTP content traffic. You can add this content profile to firewall policies that control HTTP traffic.

Planning the FortiGate configuration

Before you configure the FortiGate unit, you need to plan how to integrate the unit into the network. Among other things, you must decide whether you want the unit to be visible to the network, which firewall functions you want it to provide, and how you want it to control the traffic flowing between its interfaces. Your configuration plan depends on the operating mode that you select.

NAT/Route mode with multiple external network connections

In NAT/Route mode, you can configure the FortiGate unit with multiple redundant connections to the external network (usually the Internet). For example, you could create the following configuration:
• External is the default interface to the external network (usually the Internet).
• Interface 1 is the redundant interface to the external network.

Figure 6: Example Transparent mode network configuration
[Figure labels: FortiGate-800 Unit in Transparent mode; Gateway to public network 204.23.1.5; Internal network; 10.10.10.2; Internet; 10.10.10.3 (firewall, router); External 10.10.10.]

Front keypad and LCD

If you are configuring the FortiGate unit to operate in NAT/Route mode, you can use the control buttons and LCD to add the IP address of the FortiGate interfaces as well as the external default gateway. If you are configuring the FortiGate unit to operate in Transparent mode, you can use the control buttons and LCD to switch to Transparent mode. Then you can add the management IP address and default gateway.

Table 9: FortiGate maximum values matrix

FortiGate model               50    60    100   200   300   400   500   800   1000  3000  3600  4000
IP/MAC binding table entries  500   500   500   500   500   500   500   500   500   500   500   500
Firewall content profiles     32    32    32    32    32    32    32    32    32    32    32    32
User names                    20    500   1000  1000  1000  1000  1000  1000  1000  1000  1000  1000
Radius servers                6     6     6     6     6     6     6     6     6     6     6     6
LDAP servers                  6     6     6     6     6     6     6     6     6     6     6     6
User groups                   100
NAT/Route mode installation

This chapter describes how to install the FortiGate unit in NAT/Route mode. For information about installing a FortiGate unit in Transparent mode, see “Transparent mode installation” on page 59. For information about installing two or more FortiGate units in HA mode, see “High availability” on page 73.

Table 10: NAT/Route mode settings

Administrator Password: __________
Internal interface
  IP: _____._____._____._____
  Netmask: _____._____._____._____
External interface
  IP: _____._____._____._____
  Netmask: _____._____._____._____
  Default Gateway: _____._____._____._____
  Primary DNS Server: _____._____._____._____
  Secondary DNS Server: _____._____._____._____
Internal servers
  Web Server: _____._____._____._____
  SMTP Server: _____.

DMZ and user-defined interfaces

Use Table 12 to record the IP addresses and netmasks of the FortiGate DMZ and user-defined interfaces if you are configuring them during installation. The HA interface is configured during HA installation.

Table 12: DMZ and user-defined interfaces (Optional)

DMZ  IP: _____._____._____._____  Netmask: _____._____._____._____
1    IP: _____._____._____._____  Netmask: _____._____._____._____
2    IP: _____._____._____.

Using the front control buttons and LCD

As an alternative to the setup wizard, use the information that you recorded in Table 10 on page 42 and Table 12 on page 43 to complete the following procedure. Starting with Main Menu displayed on the LCD, use the front control buttons and LCD:
1 Press Enter three times to configure the internal interface IP address.
2 Set the internal interface IP address.

3 Set the IP address and netmask of the external interface to the external IP address and netmask that you recorded in Table 10 on page 42.
  set system interface external mode static ip
  Example
  set system interface external mode static ip 204.23.1.5 255.255.255.

9 Set the default route to the Default Gateway IP address (not required for DHCP and PPPoE).
  set system route number dst 0.0.0.0 0.0.0.0 gw1
  Example
  set system route number 0 dst 0.0.0.0 0.0.0.0 gw1 204.23.1.2

Connecting the FortiGate unit to your networks

After you complete the initial configuration, you can connect the FortiGate unit between your internal network and the Internet.

Figure 7: FortiGate-800 NAT/Route mode connections
[Figure labels: Internal Network, DMZ Network, Web Server, Mail Server, Hub or Switch, Internal, DMZ, FortiGate-800, External, Public Switch or Router, Internet]

To connect to FortiGate-800 user-defined interfaces
1 Connect the user-defined interface to the hub or switch connected to the intended network.

Figure 8: Example FortiGate-800 user-defined interface connections
[Figure labels: Internal Network, Hub or Switch, User-defined Interface 1, FortiGate-800, User-defined Interface 4, Public Switch or Router, Internet]

Configuring your networks

If you are running the FortiGate unit in NAT/Route mode, your networks must be configured to route all Internet traffic to the IP address of the FortiGate

Completing the configuration

Use the information in this section to complete the configuration of the FortiGate unit.

Configuring the DMZ interface

Use the following procedure to configure the DMZ interface:
1 Log into the web-based manager.
2 Go to System > Network > Interface.
3 Choose the dmz interface and select Modify.
4 Change the IP address and Netmask as required.
5 Select Apply.
Registering your FortiGate unit

After purchasing and installing a new FortiGate unit, you can register the unit by going to the System Update Support page, or using a web browser to connect to http://support.fortinet.com and selecting Product Registration. To register, enter your contact information and the serial numbers of the FortiGate units that you or your organization have purchased.

Configuration example: Multiple connections to the Internet

Figure 9: Example multiple Internet connection configuration
[Figure labels: Internal Network 192.168.1.0; Internal 192.168.1.99; External; Port3; FortiGate-800; 1.1.1.2; Gateway #1: 1.1.1.1; 2.2.2.2; Gateway #2: 2.2.2.1; ISP1; ISP2; External Network #1 100.100.100.0; External Network #2 200.200.200.]

Using the CLI
1 Add a ping server to the external interface.
  set system interface external config detectserver 1.1.1.1 gwdetect enable
2 Add a ping server to the DMZ interface.
  set system interface dmz config detectserver 2.2.2.

Load sharing

You can also configure destination routing to direct traffic through both gateways at the same time. If users on the internal network connect to the networks of ISP1 and ISP2, you can add routes for each of these destinations. Each route can include a backup destination to the network of the other ISP.

Table 14: Load sharing routes

Destination IP   Mask   Gateway #1   Device #1   Gateway #2   Device #2
100.

3 Select New to add a route for connections to the network of ISP1.
• Destination IP: 100.100.100.0
• Mask: 255.255.255.0
• Gateway #1: 1.1.1.1
• Gateway #2: 2.2.2.1
• Device #1: external
• Device #2: dmz
4 Select New to add a route for connections to the network of ISP2.
• Destination IP: 200.200.200.0
• Mask: 255.255.255.0
• Gateway #1: 2.2.2.1
• Gateway #2: 1.1.1.
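The load-sharing behaviour described above (a primary gateway per destination with the other ISP as backup, each gateway usable only while its ping server answers), as an added Python model that is not FortiGate code: the two ISP routes and gateway addresses are the ones from this example; the default route with a backup and the mapping of detect servers to devices are assumptions.

```python
import ipaddress

# Added model (not FortiGate code) of the load-sharing routes in Table 14.
# Each route carries a primary and a backup gateway/device; the gateway detect
# (ping server) result decides which one is usable.

# Route table from this configuration example. The default route with a backup
# gateway is an assumption, not a row from the original table.
ROUTES = [
    # (destination, mask, gateway #1, device #1, gateway #2, device #2)
    ("100.100.100.0", "255.255.255.0", "1.1.1.1", "external", "2.2.2.1", "dmz"),
    ("200.200.200.0", "255.255.255.0", "2.2.2.1", "dmz", "1.1.1.1", "external"),
    ("0.0.0.0", "0.0.0.0", "1.1.1.1", "external", "2.2.2.1", "dmz"),
]

# Ping (detect) server configured per interface, following the "Using the CLI"
# steps; assumed here to be the ISP gateway address itself.
DETECT_SERVERS = {"external": "1.1.1.1", "dmz": "2.2.2.1"}


def gateway_status(ping_replies):
    """Map each device to True/False from constructed ping results
    (detect-server IP -> replied?). A server with no entry counts as down."""
    return {dev: ping_replies.get(srv, False) for dev, srv in DETECT_SERVERS.items()}


def select_route(dst_ip, device_up):
    """Return (gateway, device) for dst_ip, or None when no usable path exists.

    Longest-prefix match picks the route; gateway #1 is used while its device's
    detect server answers, otherwise gateway #2, otherwise the packet is dropped.
    """
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for net, mask, gw1, dev1, gw2, dev2 in ROUTES:
        network = ipaddress.ip_network(f"{net}/{mask}")
        if dst in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gw1, dev1, gw2, dev2)
    if best is None:
        return None
    _, gw1, dev1, gw2, dev2 = best
    if device_up.get(dev1):
        return gw1, dev1
    if device_up.get(dev2):
        return gw2, dev2
    return None


if __name__ == "__main__":
    # Constructed scenario: ISP1's gateway stops answering pings.
    up = gateway_status({"1.1.1.1": False, "2.2.2.1": True})
    print(select_route("100.100.100.25", up))  # falls back to ("2.2.2.1", "dmz")
```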
Policy routing examples

Adding policy routing increases your control over how packets are routed. Policy routing works on top of destination-based routing. To increase the control provided by destination-based routing, configure destination-based routing first and then build policy routing on top.

Firewall policy example

Firewall policies control how traffic flows through the FortiGate unit. After you configure routing for multiple Internet connections, you must create firewall policies. Firewall policies control which traffic is allowed through the FortiGate unit and the interfaces that this traffic can connect through.

Restricting access to a single Internet connection

In some cases you might want to restrict some traffic to a single Internet connection. For example, in the topology shown in Figure 9 on page 51, the organization might want its mail server to be able to connect only to the SMTP mail server of ISP1. To do this, you add a single Internal->External firewall policy for SMTP connections.
Transparent mode installation

This chapter describes how to install your FortiGate unit in Transparent mode. If you want to install the FortiGate unit in NAT/Route mode, see “NAT/Route mode installation” on page 41. If you want to install two or more FortiGate units in HA mode, see “High availability” on page 73.

Using the setup wizard

From the web-based manager, you can use the setup wizard to begin the initial configuration of the FortiGate unit. For information about connecting to the web-based manager, see “Connecting to the web-based manager” on page 28.

Changing to Transparent mode using the web-based manager

The first time that you connect to the FortiGate unit, it is configured to run in NAT/Route mode.

Using the front control buttons and LCD

This procedure describes how to use the control buttons and LCD to configure Transparent mode IP addresses. Use the information that you recorded in Table 16 on page 59 to complete this procedure. Starting with Main Menu displayed on the LCD, use the front control buttons and LCD:
1 Press Enter three times to configure the management interface IP address.
2 Set the management interface IP address.

Configuring the Transparent mode management IP address
1 Make sure that you are logged into the CLI.
2 Set the management IP address and netmask to the IP address and netmask that you recorded in Table 16 on page 59. Enter:
  set system management ip
  Example
  set system management ip 10.10.10.2 255.255.255.0
3 Confirm that the address is correct.
Registering your FortiGate unit

After purchasing and installing a new FortiGate unit, you can register the unit by going to the System Update Support page, or using a web browser to connect to http://support.fortinet.com and selecting Product Registration. To register, enter your contact information and the serial numbers of the FortiGate units that you or your organization have purchased.

Figure 10: FortiGate-800 Transparent mode connections
[Figure labels: Internal Network, Other Network, Hub or Switch, Internal, DMZ, FortiGate-800, External, Interface 4, Public Switch or Router, Internet, Other Network]

Transparent mode configuration examples

A FortiGate unit operating in Transparent mode still requires a basic configuration to operate as a node on the IP netw

This section describes:
• Default routes and static routes
• Example default route to an external network
• Example static route to an external destination
• Example static route to an internal destination

Default routes and static routes

To create a route to a destination, you need to define an IP prefix which consists of an IP network address and a corresponding netmask value.

Figure 11: Default route to an external network
[Figure labels: FortiResponse Distribution Network (FDN), DNS, Internet, Management Computer, Upstream Router Gateway IP 192.168.1.2, DMZ, Management IP 192.168.1.1, FortiGate-800, Internal Network]

General configuration steps
1 Set the FortiGate unit to operate in Transparent mode.

Web-based manager example configuration steps

To configure basic Transparent mode settings and a default route using the web-based manager
1 Go to System > Status.
• Select Change to Transparent Mode.
• Select Transparent in the Operation Mode list.
• Select OK.
The FortiGate unit changes to Transparent mode.
2 Go to System > Network > Management.
• Change the Management IP and Netmask: IP: 192.168.1.1 Mask: 255.255.255.

Note: This is an example configuration only. To configure a static route, you require a destination IP address.

Figure 12: Static route to an external destination
[Figure labels: 24.102.233.5, FortiResponse Distribution Network (FDN), Internet, Upstream Router Gateway IP 192.168.1.2, DNS, DMZ, Management IP 192.168.1.]

2 Go to System > Network > Management.
• Change the Management IP and Netmask: IP: 192.168.1.1 Mask: 255.255.255.0
• Select Apply.
3 Go to System > Network > Routing.
• Select New to add the static route to the FortiResponse server. Destination IP: 24.102.233.5 Mask: 255.255.255.0 Gateway: 192.168.1.2
• Select OK.
• Select New to add the default route to the external network. Destination IP: 0.0.0.0 Mask: 0.0.0.0 Gateway: 192.

Figure 13: Static route to an internal destination
[Figure labels: FortiResponse Distribution Network (FDN), Internet, Upstream Router Gateway IP 192.168.1.2, DNS, DMZ, Management IP 192.168.1.1, FortiGate-800, Internal Network A, Gateway IP 192.168.1.3, Internal Router, Internal Network B, Management Computer 172.16.1.]

Web-based manager example configuration steps

To configure the FortiGate basic settings, a static route, and a default route using the web-based manager:
1 Go to System > Status.
• Select Change to Transparent Mode.
• Select Transparent in the Operation Mode list.
• Select OK.
The FortiGate unit changes to Transparent mode.
2 Go to System > Network > Management.
• Change the Management IP and Netmask: IP: 192.168.1.1 Mask: 255.
FortiGate-800 Installation and Configuration Guide Version 2.50
High availability
Fortinet achieves high availability (HA) using redundant hardware and the FortiGate Clustering Protocol (FGCP). Each FortiGate unit in an HA cluster uses the same overall security policy and shares the same configuration settings. You can add up to 32 FortiGate units to an HA cluster. Each FortiGate unit in an HA cluster must be the same model and must run the same FortiOS firmware image. FortiGate HA is device redundant.
Configuring an HA cluster
An active-passive (A-P) HA cluster, also referred to as hot standby HA, consists of a primary FortiGate unit that processes traffic, and one or more subordinate FortiGate units. The subordinate FortiGate units are connected to the network and to the primary FortiGate unit but do not process traffic. Active-active (A-A) HA load balances virus scanning among all the FortiGate units in the cluster.
6 Select the HA mode. Select Active-Active mode to create an Active-Active HA cluster. Select Active-Passive mode to create an Active-Passive HA cluster. The HA mode must be the same for all FortiGate units in the HA cluster.
7 Enter and confirm a password for the HA cluster. The password must be the same for all FortiGate units in the HA cluster; a unit with a different password cannot join the cluster.
8 Select a Group ID for the HA cluster.
Figure 14: Example Active-Active HA configuration
11 If you are configuring a NAT/Route mode cluster, power off the FortiGate unit and then repeat this procedure for all the FortiGate units in the cluster. Once all the units are configured, proceed to “Connecting the cluster” on page 76.
12 If you are configuring a Transparent mode cluster, reconnect to the web-based manager. You might have to wait a few minutes before you can reconnect.
Inserting an HA cluster into your network temporarily interrupts communications on the network because new physical connections are being made to route traffic through the cluster. Also, starting the cluster interrupts network traffic until the individual FortiGate units in the cluster are functioning and the cluster completes negotiation. Cluster negotiation normally takes just a few seconds. During system startup and negotiation all network traffic is dropped.
Managing an HA cluster
2 Power on all the FortiGate units in the cluster. As the units power on they negotiate to choose the primary cluster unit and the subordinate units. This negotiation occurs with no user intervention. When negotiation is complete you can configure the cluster as if it were a single FortiGate unit.
You can also use SNMP to manage the cluster by configuring a cluster interface for SNMP administrative access. Using an SNMP manager you can get cluster configuration information and receive traps.
Note: You cannot connect to the HA interfaces to manage the cluster or to manage individual FortiGate units in the cluster.
You can change the cluster configuration by connecting to the cluster and changing the configuration of the primary FortiGate unit.
Note: Only monitor interfaces that are connected to networks. You should not configure cluster interface monitoring until the cluster is connected to your network.
To monitor cluster interfaces
1 Connect to the cluster and log into the web-based manager.
2 Go to System > Config > HA.
3 In the Monitor on Interface section, select the names of the interfaces that you want to monitor.
4 Select Apply.
3 Select Sessions & Network. The cluster displays sessions and network status for each cluster member. The primary unit is identified as Local and the other units in the cluster are listed by serial number. The display includes bar graphs of the current number of sessions and current network utilization, as well as line graphs of session and network utilization for the last minute. The line graph scales are shown in the upper left corner of the graph.
Viewing cluster sessions
To view the cluster communication sessions
1 Connect to the cluster and log into the web-based manager.
2 Go to System > Status > Session.
The session table displays the sessions processed by the primary unit in the cluster, including HA communication sessions between the primary unit and the subordinate units. HA communications use:
• port 702 as the destination port,
• From and To IP addresses on the 10.0.0.0 subnet.
Monitoring cluster units for failover
If the primary unit in the cluster fails, the units in the cluster renegotiate to select a new primary unit. Failure of the primary unit results in the following:
• If SNMP is enabled, the new primary FortiGate unit sends the trap message “HA switch”. This trap indicates that the primary unit in an HA cluster has failed and has been replaced with a new primary unit.
• The cluster contains fewer FortiGate units.
To manage a cluster unit
1 Use SSH to connect to the cluster and log into the CLI. Connect to any cluster interface configured for SSH management to log into the cluster. You can also use a direct cable connection to log into the primary unit CLI. (To do this you must know which unit is the primary unit. See “Selecting a FortiGate unit as a permanent primary unit” on page 87 to control which FortiGate unit becomes the primary unit.)
Synchronizing the cluster configuration
Cluster synchronization keeps all units in the cluster synchronized with the primary unit.
4 Repeat steps 2 and 3 for all the subordinate units in the HA cluster.
Upgrading firmware
To upgrade the firmware of the FortiGate units in a cluster, you must upgrade the firmware of each unit separately. In most cases, if you are upgrading to a new firmware build within the same firmware version (for example, upgrading from 2.50 build069 to 2.50 build070), you can do firmware upgrades using the following procedure without interrupting cluster operation.
Advanced HA options
Replacing a FortiGate unit after failover
A failover can occur because of a hardware or software problem. When a failover occurs, you can attempt to restart the failed FortiGate unit by cycling its power. If the FortiGate unit starts up correctly, it rejoins the HA cluster, which then continues to function normally.
set system ha override enable
Enable override so that the permanent primary unit overrides any other primary unit. For example, if the permanent primary unit shuts down, one of the other units in the cluster replaces it as the primary unit. When the permanent primary unit is restarted, it can become the primary unit again only if override is enabled. Note that with override enabled the cluster negotiates a second time when the permanent primary unit returns, so traffic is interrupted once more at that point.
Active-Active cluster packet flow
Weight values are entered in order according to the priority of the units in the cluster.
NAT/Route mode packet flow
In NAT/Route mode, five MAC addresses are involved in active-active communication between a client and a server if the cluster routes the packets to the subordinate unit in the cluster:
• Virtual cluster MAC address (MAC_V),
• Client MAC address (MAC_C),
• Server MAC address (MAC_S),
• Subordinate unit internal MAC address (MAC_S_I),
• Subordinate unit external MAC address (MAC_S_E).
The following are examples of switches that are compatible with the FGCP because they use a Global MAC address table:
• HP 4100 GL series,
• HP2628,
• HP5300,
• Cisco Catalyst,
• Cisco 2850,
• Cisco 3550,
• Nortel PP8600,
• Nortel XLR.
System status
You can connect to the web-based manager and view the current system status of the FortiGate unit. The status information that is displayed includes the current firmware version, the current virus and attack definitions, and the FortiGate unit serial number.
Changing the FortiGate host name
The FortiGate host name appears on the Status page and in the FortiGate CLI prompt. The host name is also used as the SNMP system name. For information about the SNMP system name, see “Configuring SNMP” on page 173. The default host name is FortiGate-800.
To change the FortiGate host name
1 Go to System > Status.
2 Select Edit Host Name.
3 Type a new host name.
4 Select OK.
Changing the FortiGate firmware
Upgrading to a new firmware version
Use the following procedures to upgrade the FortiGate unit to a newer firmware version.
Upgrading the firmware using the web-based manager
Note: Installing firmware replaces the current antivirus and attack definitions with the definitions included with the firmware release that you are installing.
4 Make sure the FortiGate unit can connect to the TFTP server. You can use the following command to ping the computer running the TFTP server. For example, if the IP address of the TFTP server is 192.168.1.168:
execute ping 192.168.1.
If you are reverting to a previous FortiOS version (for example, reverting from FortiOS v2.50 to FortiOS v2.36) you might not be able to restore the previous configuration from the backup configuration file.
Note: Installing firmware replaces the current antivirus and attack definitions with the definitions included with the firmware release that you are installing.
11 Update antivirus and attack definitions. For information, see “Manually initiating antivirus and attack definitions updates” on page 119, or from the CLI, enter:
execute updatecenter updatenow
12 To confirm that the antivirus and attack definitions have been updated, enter the following command to display the antivirus engine, virus and attack definitions version, contract expiry, and last update attempt information.
5 To confirm that the FortiGate unit can connect to the TFTP server, use the following command to ping the computer running the TFTP server. For example, if the IP address of the TFTP server is 192.168.1.168, enter:
execute ping 192.168.1.168
6 Enter the following command to restart the FortiGate unit:
execute reboot
As the FortiGate unit starts, a series of system startup messages is displayed.
11 Enter the firmware image filename and press Enter. The TFTP server uploads the firmware image file to the FortiGate unit and messages similar to the following are displayed:
• FortiGate unit running v2.x BIOS:
Do You Want To Save The Image? [Y/n]
Type Y.
• FortiGate unit running v3.x BIOS:
Save as Default firmware/Run image without saving:[D/R]
Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]
Type D.
To run this procedure you:
• access the CLI by connecting to the FortiGate console port using a null-modem cable,
• install a TFTP server that you can connect to from the FortiGate internal interface. The TFTP server should be on the same subnet as the internal interface. TFTP has no authentication or integrity protection, so run the TFTP server only on the directly connected internal subnet and only for the duration of the upgrade.
To test a new firmware image
1 Connect to the CLI using a null-modem cable and FortiGate console port.
2 Make sure the TFTP server is running.
9 Type the address of the TFTP server and press Enter. The following message appears:
Enter Local Address [192.168.1.188]:
10 Type the address of the internal interface of the FortiGate unit and press Enter.
Note: The local IP address is used only to download the firmware image. After the firmware is installed, the address of this interface is changed back to the default IP address for this interface.
The following message appears:
Enter File Name [image.
To install a backup firmware image
1 Connect to the CLI using the null-modem cable and FortiGate console port.
2 Make sure that the TFTP server is running.
3 Copy the new firmware image file to the root directory of your TFTP server.
4 To confirm that the FortiGate unit can connect to the TFTP server, use the following command to ping the computer running the TFTP server. For example, if the IP address of the TFTP server is 192.168.1.
Switching to the backup firmware image
Use this procedure to switch the FortiGate unit to operating with a backup firmware image that you previously installed. When you switch the FortiGate unit to the backup firmware image, the FortiGate unit operates using the configuration that was saved with that firmware image. If you installed the backup image from a reboot, the configuration saved with that firmware image is the factory default configuration.
Switching back to the default firmware image
Use this procedure to switch the FortiGate unit back to operating with the firmware image that had been running as the default firmware image. When you switch back to this firmware image, the configuration saved with it is restored.
To switch back to the default firmware image
1 Connect to the CLI using the null-modem cable and FortiGate console port.
Manual virus definition updates
4 Type the path and filename for the antivirus definitions update file, or select Browse and locate the antivirus definitions update file.
5 Select OK to copy the antivirus definitions update file to the FortiGate unit. The FortiGate unit updates the antivirus definitions. This takes about 1 minute.
6 Go to System > Status to confirm that the Antivirus Definitions Version information has updated.
Manual attack definition updates
Displaying the FortiGate up time
1 Go to System > Status.
The FortiGate up time displays the time in days, hours, and minutes since the FortiGate unit was last started.
Displaying log hard disk status
1 Go to System > Status.
Log Hard Disk displays Available if the FortiGate unit contains a hard disk and Not Available if no hard disk is installed.
Restoring system settings to factory defaults
Use the following procedure to restore system settings to the values set at the factory. This procedure does not change the firmware version or the antivirus or attack definitions.
Caution: This procedure deletes all changes that you have made to the FortiGate configuration and reverts the system to its original configuration, including resetting interface addresses.
Changing to NAT/Route mode
Use the following procedure to change the FortiGate unit from Transparent mode to NAT/Route mode. After you change the FortiGate unit to NAT/Route mode, most of the configuration resets to NAT/Route mode factory defaults.
System status
You can use the system status monitor to display FortiGate system health information. The system health information includes memory usage, the number of active communication sessions, and the amount of network bandwidth currently in use. The web-based manager displays current statistics as well as statistics for the previous minute.
Figure 19: CPU and memory status monitor
Viewing sessions and network status
Use the session and network status display to track how many network sessions the FortiGate unit is processing and to see what effect the number of sessions has on the available network bandwidth. Also, by comparing CPU and memory usage with session and network status you can see how much demand network traffic is putting on system resources.
4 Select Refresh to manually update the information displayed.
Figure 20: Sessions and network status monitor
Viewing virus and intrusions status
Use the virus and intrusions status display to track when viruses are found by the FortiGate antivirus system and to track when the NIDS detects a network-based attack.
To view virus and intrusions status
1 Go to System > Status > Monitor.
2 Select Virus & Intrusions.
Virus and intrusions status is displayed.
Figure 21: Sessions and network status monitor
Session list
The session list displays information about the communications sessions currently being processed by the FortiGate unit. You can use the session list to view current sessions. FortiGate administrators with read and write permission and the FortiGate admin user can also stop active communication sessions.
To view the session list
1 Go to System > Status > Session.
Each line of the session list displays the following information.
Protocol: The service protocol of the connection, for example, udp, tcp, or icmp.
From IP: The source IP address of the connection.
From Port: The source port of the connection.
To IP: The destination IP address of the connection.
To Port: The destination port of the connection.
Expire: The time, in seconds, before the connection expires.
Clear: Stop an active communication session.
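The session list columns above, together with the earlier note that HA communication sessions appear in the same table with destination port 702 and addresses on the 10.0.0.0 subnet, lend themselves to a small parser that separates cluster-internal sessions from user traffic. The following is an added example, not code from the manual or from Fortinet: the sample rows are constructed, and the /8 mask on the HA subnet is an assumption (the text gives no mask).

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample in the layout the text describes (Protocol, From IP,
# From Port, To IP, To Port, Expire). Invented for this example, not a
# capture from a FortiGate unit.
SAMPLE_SESSION_LIST = """\
tcp  192.168.1.10  3345  64.230.123.149  443  3599
udp  10.0.0.2      702   10.0.0.1        702  180
tcp  10.0.0.2      1025  10.0.0.1        702  3599
udp  192.168.1.55  137   192.168.1.255   137  60
icmp 192.168.1.10  0     192.168.2.20    0    30
"""

HA_PORT = 702
# The text says HA traffic uses addresses "on the 10.0.0.0 subnet" without
# giving a mask; /8 is an assumption made for this example.
HA_SUBNET = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Session:
    protocol: str
    from_ip: ipaddress.IPv4Address
    from_port: int
    to_ip: ipaddress.IPv4Address
    to_port: int
    expire: int  # seconds until the session expires


def parse_session_list(text):
    """Parse whitespace-separated session rows; reject rows with the wrong field count."""
    sessions = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(fields)}")
        proto, src, sport, dst, dport, expire = fields
        sessions.append(Session(proto.lower(),
                                ipaddress.IPv4Address(src), int(sport),
                                ipaddress.IPv4Address(dst), int(dport), int(expire)))
    return sessions


def is_ha_session(session):
    """HA communication: destination port 702 with both ends on the HA subnet."""
    return (session.to_port == HA_PORT
            and session.from_ip in HA_SUBNET
            and session.to_ip in HA_SUBNET)


def split_sessions(sessions):
    """Separate cluster-internal HA sessions from sessions carrying user traffic."""
    ha = [s for s in sessions if is_ha_session(s)]
    user = [s for s in sessions if not is_ha_session(s)]
    return ha, user


def expiring_soon(sessions, within_seconds):
    """Sessions whose Expire counter is at or below the threshold, soonest first."""
    return sorted((s for s in sessions if s.expire <= within_seconds),
                  key=lambda s: s.expire)


if __name__ == "__main__":
    ha, user = split_sessions(parse_session_list(SAMPLE_SESSION_LIST))
    print(f"{len(ha)} HA sessions, {len(user)} user sessions")
    for s in user:
        print(f"{s.protocol:5} {s.from_ip}:{s.from_port} -> {s.to_ip}:{s.to_port} "
              f"expires in {s.expire}s")
```

Matching on both the port and the subnet matters: a user session that happens to use destination port 702 from a non-HA address is not cluster traffic and should not be hidden from the operator.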
Virus and attack definitions updates and registration
You can configure the FortiGate unit to connect to the FortiResponse Distribution Network (FDN) to update the antivirus and attack definitions and the antivirus engine.
Updating antivirus and attack definitions
The Update page on the web-based manager displays the following antivirus and attack definition update information.
Version: Current antivirus engine, virus definition, and attack definition version numbers.
Expiry date: Expiry date of your license for antivirus engine, virus definition, and attack definition updates.
Table 19: Connections to the FDN
Connections Status: Comments
Available: The FortiGate unit can connect to the FDN. You can configure the FortiGate unit for scheduled updates. See “Scheduling updates” on page 120.
Not available: The FortiGate unit cannot connect to the FDN. You must configure your FortiGate unit and your network so that the FortiGate unit can connect to the Internet and to the FDN.
Scheduling updates
Configuring update logging
Use the following procedure to configure FortiGate logging to record log messages when the FortiGate unit updates antivirus and attack definitions. The update log messages are recorded in the FortiGate Event log.
To configure update logging
1 Go to Log&Report > Log Setting.
2 Select Config Policy for the type of logs that the FortiGate unit is configured to record.
4 Select Apply.
The FortiGate unit starts the next scheduled update according to the new update schedule. Whenever the FortiGate unit runs a scheduled update, the event is recorded in the FortiGate event log.
Enabling scheduled updates through a proxy server
If your FortiGate unit must connect to the Internet through a proxy server, you can use the set system autoupdate tunneling command to allow the FortiGate unit to connect (or tunnel) to the FDN using the proxy server. Using this command you can specify the IP address and port of the proxy server.
Enabling push updates
When the network configuration permits, configuring push updates is recommended in addition to configuring scheduled updates. On average the FortiGate unit receives new updates sooner through push updates than if it receives only scheduled updates. However, scheduled updates make sure that the FortiGate unit receives the latest updates even when a push update does not reach it.
Enabling push updates through a NAT device
If the FDN can connect to the FortiGate unit only through a NAT device, you must configure port forwarding on the NAT device and add the port forwarding information to the push update configuration. Using port forwarding, the FDN connects to the FortiGate unit using either port 9443 or an override push port that you specify.
Figure 24: Example network topology: Push updates through a NAT device. The FDN on the Internet sends the push update to IP address 64.230.123.149 and port 45001. The FortiGate-300 NAT device has external IP 64.230.123.149 and a virtual IP that maps 64.230.123.149:45001 to 192.168.1.99:9443. The FortiGate unit on the internal network receives the push on its external IP or management IP 192.168.1.99.
Note: Before completing the following procedure, you should register the internal network FortiGate unit so that it can receive push updates.
Adding a port forwarding virtual IP to the FortiGate NAT device
Use the following procedure to configure a FortiGate NAT device to use port forwarding to forward push update connections from the FDN to a FortiGate unit on the internal network.
Figure 25: Push update port forwarding virtual IP
Adding a firewall policy for the port forwarding virtual IP
To configure the FortiGate NAT device
1 Add a new external to internal firewall policy.
2 Configure the policy with the following settings:
Source: External_All
Destination: The virtual IP added above.
Schedule: Always
Service: ANY
Action: Accept
NAT: Selected.
3 Select OK.
4 Set IP to the external IP address added to the virtual IP. For the example topology, enter 64.230.123.149.
5 Set Port to the external service port added to the virtual IP. For the example topology, enter 45001.
6 Select Apply.
The FortiGate unit sends the override push IP address and port to the FDN. The FDN now uses this IP address and port for push updates to the FortiGate unit on the internal network.
Registering FortiGate units
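To make the three pieces of the procedure above concrete (the port forwarding virtual IP on the NAT device, the external-to-internal policy that allows it, and the override push IP and port that the internal unit reports to the FDN), here is an added model of the packet path through the NAT device. It is example code written for this page, not FortiOS code or Fortinet's own: the FDN source address 198.51.100.7 is constructed, the push connection is assumed to be TCP, and policy matching is reduced to the fields the page's table lists.

```python
import ipaddress
from dataclasses import dataclass, replace

IP = ipaddress.IPv4Address


@dataclass(frozen=True)
class VirtualIP:
    name: str
    external_interface: str
    external_ip: IP
    external_port: int
    mapped_ip: IP
    mapped_port: int
    protocol: str = "tcp"  # assumption: the push update connection is TCP


@dataclass(frozen=True)
class Policy:
    source_interface: str
    destination_interface: str  # recorded only; egress selection is outside this example
    source: str        # firewall address name; "External_All" matches any source
    destination: str   # address or virtual IP name
    service: str       # "ANY" or a protocol name (simplified for the example)
    action: str
    nat: bool


@dataclass(frozen=True)
class Packet:
    ingress: str
    protocol: str
    src_ip: IP
    src_port: int
    dst_ip: IP
    dst_port: int


# Values from the page's example topology (Figure 24 and steps 2 to 5).
PUSH_VIP = VirtualIP("push_update_vip", "external",
                     IP("64.230.123.149"), 45001, IP("192.168.1.99"), 9443)
PUSH_POLICY = Policy("external", "internal", "External_All",
                     "push_update_vip", "ANY", "Accept", nat=True)


def override_push_settings(vip):
    """The override push IP and port that the internal unit reports to the FDN."""
    return str(vip.external_ip), vip.external_port


def apply_virtual_ip(packet, vip):
    """Destination NAT: rewrite the destination only for the VIP's exact external IP:port."""
    if packet.ingress != vip.external_interface or packet.protocol != vip.protocol:
        return None
    if packet.dst_ip != vip.external_ip or packet.dst_port != vip.external_port:
        return None
    return replace(packet, dst_ip=vip.mapped_ip, dst_port=vip.mapped_port)


def policy_permits(policy, packet, vip):
    """Match the policy on ingress interface, destination virtual IP and service."""
    if policy.action != "Accept" or packet.ingress != policy.source_interface:
        return False
    if policy.destination != vip.name or policy.source != "External_All":
        return False
    return policy.service == "ANY" or policy.service.lower() == packet.protocol


def forward_push_update(packet, vip=PUSH_VIP, policy=PUSH_POLICY):
    """Return the translated packet delivered to the internal unit, or None if dropped."""
    translated = apply_virtual_ip(packet, vip)
    if translated is None or not policy_permits(policy, packet, vip):
        return None
    return translated
```

Two points the model makes visible: only the exact external port in the virtual IP is forwarded, so a connection to 64.230.123.149 on port 9443 itself is dropped, and the policy as written on the page admits any Internet source to the internal unit's port 9443 through that virtual IP, so restricting the source address to the FDN, where your environment allows it, tightens the policy without changing the push mechanism.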
All registration information is stored in the Fortinet Customer Support database. This information is used to make sure that your registered FortiGate units can be kept up to date. All information is strictly confidential. Fortinet does not share this information with any third-party organizations for any reason.
Registering the FortiGate unit
Before registering a FortiGate unit, you require the following information:
• Your contact information including:
• First and last name
• Company name
• Email address (Your Fortinet support login user name and password will be sent to this email address.)
• Address
• Contact phone number
• A security question and an answer to the security question.
4 Select the model number of the Product Model to register.
5 Enter the Serial Number of the FortiGate unit.
6 If you have purchased a FortiCare Support Contract for this FortiGate unit, enter the support contract number.
Figure 28: Registering a FortiGate unit (product information)
7 Select Finish.
Updating registration information
Recovering a lost Fortinet support password
If you provided a security question and answer when you registered on the Fortinet support web site, you can use the following procedure to receive a replacement password. If you did not provide a security question and answer, contact Fortinet technical support.
To recover a lost Fortinet support password
1 Go to System > Update > Support.
2 Select Support Login.
Figure 29: Sample list of registered FortiGate units
Registering a new FortiGate unit
To register a new FortiGate unit
1 Go to System > Update > Support.
2 Select Support Login.
3 Enter your Fortinet support user name and password.
4 Select Login.
5 Select Add Registration.
6 Select the model number of the product model that you want to register.
7 Enter the serial number of the FortiGate unit.
6 Select the Serial Number of the FortiGate unit for which to add or change a FortiCare Support Contract number.
7 Add the new Support Contract number.
8 Select Finish.
The list of FortiGate products that you have registered is displayed. The list now includes the new support contract information.
Changing your Fortinet support password
To change your Fortinet support password
1 Go to System > Update > Support.
Downloading virus and attack definitions updates
Use the following procedure to manually download virus and attack definitions updates. This procedure also describes how to install the attack definitions updates on your FortiGate unit.
To download virus and attack definitions updates
1 Go to System > Update > Support.
2 Select Support Login.
3 Enter your Fortinet support user name and password.
4 Select Login.
Registering a FortiGate unit after an RMA
The Return Material Authorization (RMA) process starts when a registered FortiGate unit does not work properly because of a hardware failure. If this happens while the FortiGate unit is protected by hardware coverage, you can return the FortiGate unit that is not functioning to your reseller or distributor. The RMA is recorded and you will receive a replacement unit.
Network configuration
You can use the System Network page to change any of the following FortiGate network settings:
• Configuring zones
• Configuring interfaces
• VLAN overview
• VLANs in NAT/Route mode
• Virtual domains in Transparent mode
• Adding DNS server IP addresses
• Configuring routing
• Configuring DHCP services
Configuring zones
In NAT/Route mode, you can use zones to group related interfaces and VLAN subinterfaces.
Adding zones
The new zone does not appear in the policy grid until you add an interface to it (see “To add an interface to a zone” below) and add a firewall address for it (see “Adding addresses” on page 197).
To add a zone
1 Go to System > Network > Zone.
2 Select New.
3 Type a name for the zone. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _.
Configuring interfaces
Viewing the interface list
To view the interface list
1 Go to System > Network > Interface.
The interface list is displayed.
To add an interface to a zone
1 Go to System > Network > Interface.
2 Choose the interface or VLAN subinterface to add to a zone and select Modify.
3 From the Belong to Zone list, select the zone that you want to add the interface to. The Belong to Zone list only appears if you have added zones and if you have not added firewall addresses for the interface.
4 Select OK to save the changes.
4 Clear the Retrieve default gateway and DNS from server check box if you do not want the FortiGate unit to obtain a default gateway IP address and DNS server IP addresses from the DHCP server. By default, this option is enabled.
5 Clear the Connect to Server check box if you do not want the FortiGate unit to connect to the DHCP server. By default, this option is enabled.
6 Select Apply.
7 Select Apply. The FortiGate unit attempts to contact the PPPoE server from the interface to set the IP address, netmask, default gateway IP address, and DNS server IP addresses.
8 Select Status: to refresh the addressing mode status message. Possible messages:
initializing: No activity.
connecting: The FortiGate unit is attempting to connect to the PPPoE server.
Controlling administrative access to an interface
For a FortiGate unit running in NAT/Route mode, you can control administrative access to an interface to control how administrators access the FortiGate unit and the FortiGate interfaces to which administrators can connect. Controlling administrative access for an interface connected to the Internet allows remote administration of the FortiGate unit from any location on the Internet. Because this exposes the administrative interface to every host on the Internet, enable only the encrypted protocols (HTTPS and SSH) on such an interface, and leave administrative access on it disabled unless remote administration is actually required.
Changing the MTU size to improve network performance
To improve network performance, you can change the maximum transmission unit (MTU) of the packets that the FortiGate unit transmits from any interface. Ideally, this MTU should be the same as the smallest MTU of all the networks between the FortiGate unit and the destination of the packets.
• Enable secure administrative access to this interface using only HTTPS or SSH,
• Do not change the system idle timeout from the default value of 5 minutes (see “To set the system idle timeout” on page 170).
To configure the management interface in Transparent mode
1 Go to System > Network > Management.
2 Change the Management IP and Netmask as required. This must be a valid address for the network that you want to manage the FortiGate unit from.
VLAN overview
In a typical VLAN configuration, 802.1Q-compliant VLAN layer-2 switches or layer-3 routers or firewalls add VLAN tags to packets. Packets passing between devices in the same VLAN can be handled by layer 2 switches. Packets passing between devices in different VLANs must be handled by a layer 3 device such as a router, firewall, or layer 3 switch.
VLANs in NAT/Route mode
Adding VLAN subinterfaces
The VLAN ID of each VLAN subinterface must match the VLAN ID added by the IEEE 802.1Q-compliant router. The VLAN ID can be any number between 1 and 4094 (the 802.1Q tag carries a 12-bit VLAN ID, and the standard reserves the values 0 and 4095). Each VLAN subinterface must also be configured with its own IP address and netmask. You add VLAN subinterfaces to the physical interface that receives VLAN-tagged packets.
To add VLAN subinterfaces
1 Go to System > Network > Interface.
Virtual domains in Transparent mode
To support VLANs in Transparent mode, you add virtual domains to the FortiGate unit. A virtual domain contains at least 2 VLAN subinterfaces. For VLAN traffic to be able to pass between the FortiGate internal and external interfaces, you would add a VLAN subinterface to the internal interface and another VLAN subinterface to the external interface.
Virtual domain properties
A virtual domain has the following exclusive properties:
• VLAN name,
• VLAN ID,
• VLAN interface assignment,
• VLAN zone assignment (optional),
• Firewall policy.
Adding VLAN subinterfaces to a virtual domain
Use the following procedure to add VLAN subinterfaces to a virtual domain. You must add at least two VLAN subinterfaces to each virtual domain. In most configurations a virtual domain is used to send VLAN-tagged packets received at one FortiGate physical interface to another FortiGate physical interface (for example, from the internal interface to the external interface).
Figure 32: FortiGate unit containing a virtual domain with zones. A VLAN switch or router on the internal side carries VLAN1, VLAN2 and VLAN3 over a VLAN trunk to the FortiGate internal interface; inside the virtual domain, VLAN1 belongs to zone1 and VLAN2 and VLAN3 belong to zone2; the external interface carries the same three VLANs over a second VLAN trunk to a VLAN switch or router connected to the Internet.
Multiple zones in a single virtual domain cannot be connected to a single VLAN trunk.
Adding firewall policies for virtual domains
Once the network configuration for the virtual domain is complete, you must create firewall policies for the virtual domain to allow packets to flow through the firewall between VLAN subinterfaces.
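The rules in the preceding sections (a subinterface's VLAN ID must match the tag on the frame, a virtual domain needs at least two VLAN subinterfaces on different physical interfaces, and nothing passes between them without a firewall policy) can be checked with a short model of a Transparent mode virtual domain. The code below is an added example written for this page, not FortiOS code or Fortinet's own; the 802.1Q header layout is the standard's, while the frame contents, interface and subinterface names are constructed.

```python
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100
# IEEE 802.1Q carries a 12-bit VLAN ID; 0 (priority-tagged) and 4095 are reserved.
VID_MIN, VID_MAX = 1, 4094


def build_tagged_frame(dst_mac, src_mac, vid, ethertype, payload, pcp=0):
    """Build an 802.1Q-tagged Ethernet frame (used here to construct test input)."""
    if not VID_MIN <= vid <= VID_MAX:
        raise ValueError(f"VLAN ID {vid} outside {VID_MIN}-{VID_MAX}")
    tci = (pcp << 13) | vid
    return dst_mac + src_mac + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_tagged_frame(frame):
    """Return (vid, pcp, ethertype, payload); raise on untagged or malformed frames."""
    if len(frame) < 18:
        raise ValueError("frame too short for an 802.1Q header")
    tpid, tci, ethertype = struct.unpack("!HHH", frame[12:18])
    if tpid != TPID_8021Q:
        raise ValueError("untagged frame")
    vid, pcp = tci & 0x0FFF, tci >> 13
    if not VID_MIN <= vid <= VID_MAX:
        raise ValueError(f"reserved VLAN ID {vid}")
    return vid, pcp, ethertype, frame[18:]


@dataclass(frozen=True)
class VlanSubinterface:
    name: str
    physical: str  # physical interface the tagged packets arrive on
    vid: int


@dataclass
class VirtualDomain:
    name: str
    subinterfaces: tuple
    policies: frozenset = frozenset()  # pairs (source subinterface, destination subinterface)

    def __post_init__(self):
        if len(self.subinterfaces) < 2:
            raise ValueError(f"virtual domain {self.name} needs at least two VLAN subinterfaces")


class TransparentVlanBridge:
    """Forwards tagged frames between the VLAN subinterfaces of one virtual domain."""

    def __init__(self, domains):
        self.by_subif = {}  # (physical interface, VLAN ID) -> (virtual domain, subinterface)
        for vd in domains:
            for sub in vd.subinterfaces:
                key = (sub.physical, sub.vid)
                if key in self.by_subif:
                    raise ValueError(f"{sub.physical} VLAN {sub.vid} assigned twice")
                self.by_subif[key] = (vd, sub)

    def forward(self, ingress_physical, frame):
        """Return ('forward', egress physical interface) or ('drop', reason)."""
        try:
            vid, _pcp, _ethertype, _payload = parse_tagged_frame(frame)
        except ValueError as exc:
            return "drop", str(exc)
        entry = self.by_subif.get((ingress_physical, vid))
        if entry is None:
            return "drop", f"no VLAN subinterface for VLAN {vid} on {ingress_physical}"
        vd, ingress_sub = entry
        for egress_sub in vd.subinterfaces:
            if egress_sub.physical == ingress_physical:
                continue  # a virtual domain bridges between physical interfaces
            if (ingress_sub.name, egress_sub.name) in vd.policies:
                return "forward", egress_sub.physical
        return "drop", f"no firewall policy in {vd.name} from {ingress_sub.name}"
```

Policies are directional in the model, so a virtual domain with only an internal-to-external policy drops the reverse direction; that mirrors the page's requirement that firewall policies exist before packets flow between VLAN subinterfaces, and makes the missing-policy case show up as an explicit drop reason rather than silent loss.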
Deleting virtual domains
You must remove all VLAN subinterfaces and zones that have been added to the virtual domain before you can delete the virtual domain. To remove VLAN subinterfaces and zones you must remove all firewall policies and firewall addresses for the VLAN subinterfaces and zones. You can only delete virtual domains that have the Delete icon beside them in the zone list.
Adding DNS server IP addresses
Configuring routing Network configuration Adding a default route You can add a default route for network traffic leaving the external interface. To add a default route 1 Go to System > Network > Routing Table. 2 Select New to add a new route. 3 Set the Source IP and Netmask to 0.0.0.0. 4 Set the Destination IP and Netmask to 0.0.0.0. 5 Set Gateway 1 to the IP address of the routing gateway that routes traffic to the Internet. 6 Select OK to save the default route.
6 Set Device #1 to the FortiGate interface or VLAN subinterface through which to route traffic to connect to Gateway #1. You can select the name of an interface, VLAN subinterface, or Auto (the default). If you select the name of an interface or VLAN subinterface the traffic is routed to that interface.
5 Select OK to save the new route.
6 Repeat steps 1 to 5 to add more routes as required.
Configuring the routing table
The routing table shows the destination IP address and mask of each route that you add, as well as the gateways and devices added to the route. The routing table also displays the gateway connection status.
Using policy routing you can build a routing policy database (RPDB) that selects the appropriate route for traffic by applying a set of routing rules. To select a route for traffic, the FortiGate unit matches the traffic with the policy routes added to the RPDB starting at the top of the list. The first policy route that matches is used to set the route for the traffic.
Configuring DHCP services
Configuring a DHCP relay agent
In a DHCP relay configuration, the FortiGate unit forwards DHCP requests from DHCP clients to a DHCP server on another network and returns the server's responses to the clients. The DHCP server must have a route to the FortiGate interface that performs the relay: the server addresses its replies to the relay, not to the client, so without that route the replies never reach the FortiGate unit and the clients never receive addresses.
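The relay step described above, as an added example in Python (it is not Fortinet code and does not show how the FortiGate unit implements relaying). It builds a DHCPDISCOVER with the fixed BOOTP header fields from RFC 2131, performs the relay agent's job of stamping the receiving interface's address into giaddr, and checks the server's routing table for a route back to that address. The client MAC, interface addresses, server address and routes are constructed sample values.

```python
import ipaddress
import struct

# Fixed BOOTP/DHCP header (RFC 2131): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr. The sname, file and options fields
# follow the header and are not needed to show relaying.
BOOTP_HDR = "!BBBBIHH4s4s4s4s16s"
HDR_LEN = struct.calcsize(BOOTP_HDR)   # 44 bytes
GIADDR = 10                            # index of giaddr in the unpacked tuple
ZERO4 = b"\x00" * 4


def build_discover(client_mac: bytes, xid: int = 0x3903F326) -> bytes:
    """A DHCPDISCOVER as a client broadcasts it: every address field is zero."""
    return struct.pack(BOOTP_HDR, 1, 1, 6, 0, xid, 0, 0x8000,
                       ZERO4, ZERO4, ZERO4, ZERO4, client_mac.ljust(16, b"\x00"))


def relay_to_server(pkt: bytes, relay_if_ip: str, server_ip: str):
    """What the relay agent does: bump hops, put the address of the interface
    that received the request into giaddr (unless an earlier relay already
    did), and unicast the packet to the configured DHCP server.
    Returns (destination, relayed_packet)."""
    fields = list(struct.unpack(BOOTP_HDR, pkt[:HDR_LEN]))
    fields[3] += 1                                   # hops
    if fields[GIADDR] == ZERO4:                      # we are the first relay
        fields[GIADDR] = ipaddress.IPv4Address(relay_if_ip).packed
    return server_ip, struct.pack(BOOTP_HDR, *fields) + pkt[HDR_LEN:]


def giaddr_of(pkt: bytes) -> str:
    return str(ipaddress.IPv4Address(struct.unpack(BOOTP_HDR, pkt[:HDR_LEN])[GIADDR]))


def server_reply_target(relayed_request: bytes) -> str:
    """A server answers a relayed request to giaddr, never to the client
    directly, which is why the server needs a route to the relay."""
    return giaddr_of(relayed_request)


def server_can_reach(routes, dst: str) -> bool:
    """Does the server's routing table, a constructed list of
    (network, next hop) pairs, contain a route that covers dst?"""
    d = ipaddress.IPv4Address(dst)
    return any(d in ipaddress.IPv4Network(net) for net, _next_hop in routes)


if __name__ == "__main__":
    discover = build_discover(bytes.fromhex("0011223344aa"))
    dst, relayed = relay_to_server(discover, "192.168.10.1", "10.0.0.5")
    target = server_reply_target(relayed)
    print("relayed to", dst, "; server will reply to", target)
    # Server with no route back: its DHCPOFFER never reaches the relay.
    print("reachable:", server_can_reach([("10.0.0.0/24", "direct")], target))
    print("reachable:", server_can_reach([("10.0.0.0/24", "direct"),
                                          ("192.168.10.0/24", "10.0.0.1")], target))
```

The second server_can_reach call is the configuration the page asks for: a route on the DHCP server (or its gateway) for the subnet of the FortiGate interface that relays, pointing back toward the FortiGate unit.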
You can add multiple scopes to an interface so that the DHCP server added to that interface can supply IP addresses to computers on multiple subnets. Add multiple scopes if the DHCP server receives DHCP requests from subnets that are not connected directly to the FortiGate unit. In this case, the DHCP requests are sent to the FortiGate unit through DHCP relay.
Adding a reserve IP to a DHCP server
If you have configured an interface as a DHCP server, you can reserve an IP address for a particular device on the network according to the MAC address of the device. When you add the MAC address of a device and an IP address to the reserve IP list, the DHCP server always assigns this IP address to the device. A reservation is an addressing convenience, not an access control: a MAC address can be set by the device owner, so it does not prove which device is asking. To add a reserve IP you must first select the interface and scope to which you want to add the reserve IP.
FortiGate-800 Installation and Configuration Guide Version 2.50

RIP configuration
The FortiGate implementation of the Routing Information Protocol (RIP) supports both RIP version 1 as defined by RFC 1058, and RIP version 2 as defined by RFC 2453. RIP version 2 enables RIP messages to carry more information, and to support simple authentication and subnet masks. RIP is a distance-vector routing protocol intended for small, relatively homogeneous, networks. RIP uses hop count as its routing metric.
Default Metric: RIP uses the default metric to advertise routes learned from other routing protocols. Set Default Metric to a positive integer lower than 16 (a hop count of 16 means unreachable in RIP) to advertise that metric for all routes learned from other routing protocols. The default setting for the Default Metric is 2.
Input Queue: Change the depth of the RIP input queue. The higher the number, the deeper the input queue.
Figure 34: Configuring RIP settings

Configuring RIP for FortiGate interfaces
You can customize a RIP configuration for each FortiGate interface. This allows you to customize RIP for the network to which each interface is connected.
To configure RIP for FortiGate interfaces
1 Go to System > RIP > Interface. On this page you can view a summary of the RIP settings for each FortiGate interface.
Password: Enter the password to be used for RIP version 2 authentication. The password can be up to 16 characters long.
Mode: Defines the authentication used for RIP version 2 packets sent and received by this interface. If you select Clear, the password is sent as plain text; anyone who can capture traffic on that segment can read it and then send accepted updates, so Clear only protects against accidental misconfiguration, not against an attacker. If you select MD5, the password is used to key an MD5 hash of each packet, so the password itself does not appear on the wire.
Adding RIP filters
Use the Filter page to create RIP filter lists and assign RIP filter lists to the neighbors filter, incoming route filter, or outgoing route filter. The neighbors filter allows or denies updates from other routers. The incoming filter accepts or rejects routes in an incoming RIP update packet. The outgoing filter allows or denies adding routes to outgoing RIP update packets.
3 For Filter Name, type a name for the RIP filter list. The name can be 15 characters long and can contain upper and lower case letters, numbers, and special characters. The name cannot contain spaces.
4 Select the Blank Filter check box to create a RIP filter list with no entries, or enter the information for the first entry on the RIP filter list.
5 Enter the IP address and Mask to create the prefix.
6 For Action, select allow or deny.
Assigning a RIP filter list to the outgoing filter
The outgoing filter allows or denies adding routes to outgoing RIP update packets. You can assign a single RIP filter list to the outgoing filter.
To assign a RIP filter list to the outgoing filter
1 Go to System > RIP > Filter.
2 Add RIP filter lists as required.
3 For Outgoing Routes Filter, select the name of the RIP filter list to assign to the outgoing filter.
4 Select Apply.
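An added Python example (not Fortinet code, and not the FortiGate filter implementation) of how a neighbors filter and an incoming route filter built from prefix/mask/action entries act on a received RIP update. Two things the page leaves unstated are assumptions here: entries are tried top to bottom and the first match decides, and a sender or route that matches no entry gets a default action, set to deny because that is the conservative choice. A neighbors entry matches any sending router inside its prefix; a route entry matches a route with exactly the same prefix and mask. The router addresses, prefixes and update contents are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class FilterEntry:
    ip: str
    mask: str
    action: str  # "allow" or "deny"

    @property
    def prefix(self) -> ipaddress.IPv4Network:
        return ipaddress.IPv4Network(f"{self.ip}/{self.mask}", strict=False)


def neighbor_allowed(neighbors_filter, sender_ip: str, default: str = "deny") -> bool:
    """Neighbors filter: the first entry whose prefix contains the sending
    router decides; a sender matching no entry gets the default (assumption)."""
    sender = ipaddress.IPv4Address(sender_ip)
    for entry in neighbors_filter:
        if sender in entry.prefix:
            return entry.action == "allow"
    return default == "allow"


def route_allowed(route_filter, dest: str, mask: str, default: str = "deny") -> bool:
    """Incoming or outgoing route filter: an entry matches a route with the
    same prefix and mask (assumed exact match); the first match decides."""
    route = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
    for entry in route_filter:
        if entry.prefix == route:
            return entry.action == "allow"
    return default == "allow"


def filter_update(neighbors_filter, incoming_filter, sender_ip: str, routes):
    """Apply both filters to one received RIP update. routes is a list of
    (destination, mask, metric); returns the routes accepted into the table."""
    if not neighbor_allowed(neighbors_filter, sender_ip):
        return []
    return [(d, m, metric) for d, m, metric in routes
            if route_allowed(incoming_filter, d, m)]


# Constructed sample: only the peer on the 172.16.0.0/30 link may send updates,
# only the two branch prefixes we expect are accepted, and a default route or a
# route for our own LAN (what a rogue RIP speaker would inject to pull traffic
# toward itself) is refused explicitly, so the refusal survives a later change
# of the default action.
NEIGHBORS = [FilterEntry("172.16.0.0", "255.255.255.252", "allow")]
INCOMING = [
    FilterEntry("0.0.0.0", "0.0.0.0", "deny"),            # never learn a default route by RIP
    FilterEntry("192.168.1.0", "255.255.255.0", "deny"),  # our own internal subnet
    FilterEntry("10.1.0.0", "255.255.0.0", "allow"),
    FilterEntry("10.2.0.0", "255.255.0.0", "allow"),
]
SAMPLE_UPDATE = [
    ("10.1.0.0", "255.255.0.0", 2),
    ("0.0.0.0", "0.0.0.0", 1),
    ("192.168.1.0", "255.255.255.0", 1),
    ("10.9.0.0", "255.255.0.0", 3),
]

if __name__ == "__main__":
    print(filter_update(NEIGHBORS, INCOMING, "172.16.0.2", SAMPLE_UPDATE))  # trusted peer
    print(filter_update(NEIGHBORS, INCOMING, "172.16.5.9", SAMPLE_UPDATE))  # unknown router
```

The same route_allowed check, run against the routes the unit is about to advertise, is what the outgoing filter does: it keeps internal-only prefixes out of updates sent toward networks that should not learn them.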
System configuration
Use the System Config page to make any of the following changes to the FortiGate system configuration:
• Setting system date and time
• Changing system options
• Adding and editing administrator accounts
• Configuring SNMP
• Replacement messages
Setting system date and time
For effective scheduling and logging, the FortiGate system time must be accurate.
9 Select Apply.
Figure 36: Example date and time setting

Changing system options
On the System Config Options page, you can:
• Set the system idle timeout.
• Set the authentication timeout.
• Select the language for the web-based manager.
• Modify the dead gateway detection settings.
You can also restrict access to the control buttons and LCD by requiring a PIN (Personal Identification Number).
3 Select Apply.
Auth Timeout controls the amount of inactive time that the firewall waits before requiring users to authenticate again. For more information, see “Users and authentication” on page 223. The default Auth Timeout is 15 minutes. The maximum Auth Timeout is 480 minutes (8 hours).
To select a language for the web-based manager
1 Go to System > Config > Options.
2 From the Languages list, select a language for the web-based manager to use.
Adding and editing administrator accounts
When the FortiGate unit is initially installed, it is configured with a single administrator account with the user name admin. From this administrator account, you can add and edit administrator accounts. You can also control the access level of each of these administrator accounts and control the IP address from which the administrator can connect to the FortiGate unit. Use both controls: an account restricted to a management subnet cannot be used from an arbitrary host even if its password is learned, and an account that only needs to view the configuration should not have write access.
Editing administrator accounts
The admin account user can change individual administrator account passwords, configure the IP addresses from which administrators can access the web-based manager, and change the administrator permission levels. Administrator account users with Read & Write access can change their own administrator passwords.
To edit an administrator account
1 Go to System > Config > Admin.
The SNMP agent supports most of RFC 2665 (Ethernet-like MIB) and most of RFC 1213 (MIB II); for more information, see FortiGate MIBs.
To configure SNMP community settings
1 Go to System > Config > SNMP v1/v2c.
2 Select the Enable SNMP check box.
3 Configure the following SNMP settings:
System Name: Automatically set to the FortiGate host name. To change the System Name, see “Changing the FortiGate host name” on page 94.
System Location: Describe the physical location of the FortiGate unit.
SNMP v1 and v2c send the community string in clear text with every request, so treat it as a password: choose a string that is not a well-known default such as public, and limit the SNMP managers that can reach the unit to the hosts that need to poll it.
Figure 37: Sample SNMP configuration

FortiGate MIBs
The FortiGate SNMP agent supports FortiGate proprietary MIBs as well as standard RFC 1213 and RFC 2665 MIBs. The FortiGate MIBs are listed in Table 20. You can obtain these MIB files from Fortinet technical support. To be able to communicate with the SNMP agent, you must compile all of these MIBs into your SNMP manager.
FortiGate traps
The FortiGate agent can send traps to up to three SNMP trap receivers on your network that are configured to receive traps from the FortiGate unit. For these SNMP managers to receive traps, you must load and compile the Fortinet trap MIB onto the SNMP manager.
General FortiGate traps
Table 21: General FortiGate traps
Trap message | Description
Cold Start | The FortiGate unit starts or restarts.
VPN traps
Table 23: FortiGate VPN traps
Trap message | Description
VPN tunnel is up | An IPSec VPN tunnel starts up and begins processing network traffic.
VPN tunnel down | An IPSec VPN tunnel shuts down.
NIDS traps
Table 24: FortiGate NIDS traps
Trap message | Description
Flood attack happened. | NIDS attack prevention detects and provides protection from a syn flood attack.
Port scan attack happened. |
Fortinet MIB fields
The Fortinet MIB contains fields for configuration settings and current status information for all parts of the FortiGate product. This section lists the names of the high-level MIB fields and describes the configuration and status information available for each one. You can view more details about the information available from all Fortinet MIB fields by compiling the fortinet.mib file into your SNMP manager and browsing the Fortinet MIB fields.
Users and authentication configuration
Table 29: User and authentication MIB fields
FnUserLocalTable | Local user list.
FnUserRadiusSrvTable | RADIUS server list.
FnUserGrpTable | User group list.
VPN configuration and status
Table 30: VPN MIB fields
fnVpnIpsec | IPSec VPN configuration including the Phase 1 list, Phase 2 list, manual key list, and VPN concentrator list.
Logging and reporting configuration
Table 34: Logging and reporting MIB fields
fnLoglogSetting | Log setting configuration.
fnLoglog | Log setting traffic filter configuration.
fnLogAlertEmail | Alert email configuration.
Customizing replacement messages
Each of the replacement messages in the replacement message list is created by combining replacement message sections. You can use these sections as building blocks to create your own replacement messages. You can edit any of the replacement messages in the replacement message list and add and edit the replacement message sections as required.
To customize a replacement message
1 Go to System > Config > Replacement Messages.
Customizing alert emails
Customize alert emails to control the content displayed in alert email messages sent to system administrators.
To customize alert emails
1 Go to System > Config > Replacement Messages.
2 For the alert email message that you want to customize, select Modify.
3 In the Message setup dialog box, edit the text of the message.
Table 36: Alert email message sections
%%SOURCE_IP%% | The IP address from which the blocked file was received. For email, this is the IP address of the email server that sent the email containing the blocked file. For HTTP, this is the IP address of the web server that sent the blocked file.
%%DEST_IP%% | The IP address of the computer that would have received the blocked file.
Firewall configuration
Firewall policies control all traffic passing through the FortiGate unit. Firewall policies are instructions that the FortiGate unit uses to decide what to do with a connection request. When the firewall receives a connection request in the form of a packet, it analyzes the packet to extract its source address, destination address, and service (port number).
This chapter describes:
• Default firewall configuration
• Adding firewall policies
• Configuring policy lists
• Addresses
• Services
• Schedules
• Virtual IPs
• IP pools
• IP/MAC binding
• Content profiles
Default firewall configuration
By default, the users on your internal network can connect through the FortiGate unit to the Internet. The firewall blocks all other connections.
Interfaces
Add policies to control connections between FortiGate interfaces and between the networks connected to these interfaces. By default, you can add policies for connections that include the internal, external, and DMZ interfaces. To add policies that include the port1 to port4 interfaces, you must use the following steps to add these interfaces to the firewall policy grid:
1 If they are down, start the interfaces up.
Addresses
To add policies between interfaces, VLAN subinterfaces, and zones, the firewall configuration must contain addresses for each interface, VLAN subinterface, or zone. By default the firewall configuration includes the addresses listed in Table 37.
Table 37: Default addresses
Interface | Address | Description
Internal | Internal_All | This address matches all addresses on the internal network.
Content profiles
Add content profiles to policies to apply antivirus protection, web filtering, and email filtering to web, file transfer, and email services. The FortiGate unit includes the following default content profiles:
• Strict: to apply maximum content protection to HTTP, FTP, IMAP, POP3, and SMTP content traffic.
• Scan: to apply antivirus scanning to HTTP, FTP, IMAP, POP3, and SMTP content traffic.
Figure 40: Adding a NAT/Route policy

Firewall policy options
This section describes the options that you can add to firewall policies.
Source: Select an address or address group that matches the source address of the packet. Before you can add this address to a policy, you must add it to the source interface. For information about adding an address, see “Addresses” on page 197.
Destination: Select an address or address group that matches the destination address of the packet. Before you can add this address to a policy, you must add it to the destination interface, VLAN subinterface, or zone. For information about adding an address, see “Addresses” on page 197.
NAT: Configure the policy for NAT. NAT translates the source address and the source port of packets accepted by the policy. If you select NAT, you can also select Dynamic IP Pool and Fixed Port. NAT is not available in Transparent mode.
Dynamic IP Pool: Select Dynamic IP Pool to translate the source address to an address randomly selected from an IP pool.
Maximum Bandwidth: You can also use traffic shaping to limit the amount of bandwidth available through the firewall for a policy. Limit bandwidth to keep less important services from using bandwidth needed for more important services.
Traffic Priority: Select High, Medium, or Low. Select Traffic Priority so that the FortiGate unit manages the relative priorities of different types of traffic.
Figure 41: Adding a Transparent mode policy
Log Traffic: Select Log Traffic to write messages to the traffic log whenever the policy processes a connection. For information about logging, see “Logging and reporting” on page 309.
Comments: You can add a description or other information about the policy. The comment can be up to 63 characters long, including spaces.
Configuring policy lists
The firewall matches policies by searching for a match starting at the top of the policy list and moving down until it finds the first match. You must arrange policies in the policy list from more specific to more general. For example, the default policy is a very general policy because it matches all connection attempts. When you create exceptions to that policy, you must add them to the policy list above the default policy. An exception placed below a more general policy that already matches the same traffic is never reached, so a deny policy added at the bottom of the list has no effect.
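An added Python example (not Fortinet code, and not how the FortiGate unit evaluates policies) of top-down first-match evaluation, and of a check for the ordering mistake the paragraph warns about: a policy that can never match because an earlier, more general policy already covers every packet it would match. Addresses are written the way the Addresses section describes them, IP plus netmask, with 0.0.0.0/0.0.0.0 meaning all addresses; interface names, networks, services and the sample packets are constructed, and a packet that matches no policy is treated as denied, as the Default firewall configuration section states.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    proto: str                      # "tcp", "udp", "icmp" or "any"
    ports: tuple = (0, 65535)       # inclusive port range

    def matches(self, proto: str, port: int) -> bool:
        return self.proto in ("any", proto) and self.ports[0] <= port <= self.ports[1]

    def covers(self, other: "Service") -> bool:
        return (self.proto in ("any", other.proto)
                and self.ports[0] <= other.ports[0] and other.ports[1] <= self.ports[1])


def net(addr: str) -> ipaddress.IPv4Network:
    """Firewall address as IP plus netmask, e.g. 192.168.1.0/255.255.255.0."""
    return ipaddress.IPv4Network(addr, strict=False)


@dataclass(frozen=True)
class Policy:
    src_if: str
    dst_if: str
    src: str
    dst: str
    service: Service
    action: str                     # "accept" or "deny"

    def matches(self, pkt: dict) -> bool:
        return (self.src_if == pkt["src_if"] and self.dst_if == pkt["dst_if"]
                and ipaddress.IPv4Address(pkt["src"]) in net(self.src)
                and ipaddress.IPv4Address(pkt["dst"]) in net(self.dst)
                and self.service.matches(pkt["proto"], pkt["port"]))

    def covers(self, other: "Policy") -> bool:
        """True when every packet `other` could match is already matched by self."""
        return (self.src_if == other.src_if and self.dst_if == other.dst_if
                and net(other.src).subnet_of(net(self.src))
                and net(other.dst).subnet_of(net(self.dst))
                and self.service.covers(other.service))


def decide(policies, pkt: dict):
    """Top-down, first match wins; no match is an implicit deny.
    Returns (index of the matching policy or None, action)."""
    for index, policy in enumerate(policies):
        if policy.matches(pkt):
            return index, policy.action
    return None, "deny"


def shadowed(policies):
    """Indexes of policies that can never match because an earlier policy
    already covers everything they would match."""
    return [j for j, later in enumerate(policies)
            if any(earlier.covers(later) for earlier in policies[:j])]


# Constructed sample: the default internal-to-external accept-all policy and
# an exception meant to stop Telnet from the office LAN.
ALLOW_ALL = Policy("internal", "external", "0.0.0.0/0.0.0.0", "0.0.0.0/0.0.0.0",
                   Service("any"), "accept")
NO_TELNET = Policy("internal", "external", "192.168.1.0/255.255.255.0",
                   "0.0.0.0/0.0.0.0", Service("tcp", (23, 23)), "deny")
TELNET_PKT = {"src_if": "internal", "dst_if": "external", "src": "192.168.1.20",
              "dst": "203.0.113.5", "proto": "tcp", "port": 23}

if __name__ == "__main__":
    wrong_order = [ALLOW_ALL, NO_TELNET]   # exception added at the bottom
    right_order = [NO_TELNET, ALLOW_ALL]   # specific above general
    print(decide(wrong_order, TELNET_PKT), "shadowed:", shadowed(wrong_order))
    print(decide(right_order, TELNET_PKT), "shadowed:", shadowed(right_order))
```

Running shadowed() over a policy list after every change is a cheap way to catch an exception that was added below the policy it was meant to override. The same first-match rule governs policy routes in the RPDB, so the ordering argument applies there as well.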
Changing the order of policies in a policy list
To change the order of a policy in a policy list
1 Go to Firewall > Policy.
2 Select the policy list that you want to change the order of.
3 Choose the policy that you want to move and select Move To in the policy list.
4 Type a number in the Move to field to specify where in the policy list to move the policy and select OK.
Addresses
All policies require source and destination addresses. To add addresses to a policy, you must first add addresses to the address list for the interfaces, zones, or VLAN subinterfaces of the policy. You can add, edit, and delete all firewall addresses as required. You can also organize related addresses into address groups to simplify policy creation. A firewall address consists of an IP address and a netmask.
6 Enter the Netmask. The netmask corresponds to the type of address that you are adding. For example:
• The netmask for the IP address of a single computer should be 255.255.255.255.
• The netmask for a class A subnet should be 255.0.0.0.
• The netmask for a class B subnet should be 255.255.0.0.
• The netmask for a class C subnet should be 255.255.255.0.
• The netmask for all addresses should be 0.0.0.0.
Deleting addresses
Deleting an address removes it from an address list. To delete an address that has been added to a policy, you must first remove the address from the policy.
To delete an address
1 Go to Firewall > Address.
2 Select the interface list containing the address that you want to delete. You can delete any address that has a Delete Address icon beside it.
3 Choose an address to delete and select Delete.
4 Select OK to delete the address.
Figure 43: Adding an internal address group

Services
Use services to determine the types of communication accepted or denied by the firewall. You can add any of the predefined services to a policy. You can also create custom services and add services to service groups.
Table 38: FortiGate predefined services (continued)
Service name | Description | Protocol | Port
GRE | Generic Routing Encapsulation. A protocol that allows an arbitrary network protocol to be transmitted over any other arbitrary network protocol, by encapsulating the packets of the protocol within GRE packets. | 47 |
AH | Authentication Header. AH provides source host authentication and data integrity, but not secrecy. | |
Table 38: FortiGate predefined services (continued)
Service name | Description | Protocol | Port
LDAP | Lightweight Directory Access Protocol is a set of protocols used to access information directories. | tcp | 389
NetMeeting | NetMeeting allows users to teleconference using the Internet as the transmission medium. | | 1720
NFS | Network File System allows network users to access shared files stored on computers of different types. | tcp |
Table 38: FortiGate predefined services (continued)
Service name | Description | Protocol | Port
TCP | All TCP ports. | tcp | 0-65535
TELNET | Telnet service for connecting to a remote computer to run commands. | tcp | 23
TFTP | Trivial file transfer protocol, a simple file transfer protocol similar to FTP but with no security features. | udp | 69
UDP | All UDP ports. | udp | 0-65535
UUCP | Unix to Unix copy utility, a simple file copying protocol. | udp |
Adding custom ICMP services
Add a custom ICMP service if you need to create a policy for a service that is not in the predefined service list.
To add a custom ICMP service
1 Go to Firewall > Service > Custom.
2 Select ICMP from the Protocol list.
3 Select New.
4 Type a Name for the new custom ICMP service. This name appears in the service list used when you add a policy.
3 Type a Group Name to identify the group. This name appears in the service list when you add a policy and cannot be the same as a predefined service name. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
4 To add services to the service group, select a service from the Available Services list and select the right arrow to copy it to the Members list.
Creating one-time schedules
You can create a one-time schedule that activates or deactivates a policy for a specified period of time. For example, your firewall might be configured with the default policy that allows access to all services on the Internet at all times. You can add a one-time schedule to block access to the Internet during a holiday period.
To create a one-time schedule
1 Go to Firewall > Schedule > One-time.
2 Select New.
Creating recurring schedules
You can create a recurring schedule that activates or deactivates policies at specified times of the day or on specified days of the week. For example, you might want to prevent Internet use outside working hours by creating a recurring schedule. If you create a recurring schedule with a stop time that occurs before the start time, the schedule starts at the start time and finishes at the stop time on the next day.
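An added Python example (not Fortinet code, and not the FortiGate scheduler) of evaluating both schedule types, including the past-midnight case just described: a window of 22:00 to 06:00 selected for Friday is still active at 02:00 on Saturday, while Monday at 03:00 is outside it when Sunday is not selected. The schedule contents and the timestamps are constructed, and it is an assumption that the start time is inclusive and the stop time exclusive.

```python
from datetime import datetime, time

DAYS = ("mon", "tue", "wed", "thu", "fri", "sat", "sun")   # datetime.weekday() order


def recurring_active(days, start: time, stop: time, now: datetime) -> bool:
    """Is a recurring schedule active at `now`? `days` is the set of weekdays
    the schedule is selected for. A stop time earlier than the start time
    means the window runs past midnight and belongs to the day it started on.
    Start is inclusive and stop exclusive (assumption); equal start and stop
    are treated as a window covering the whole selected day."""
    today = DAYS[now.weekday()]
    yesterday = DAYS[(now.weekday() - 1) % 7]
    t = now.time()
    if start < stop:                                   # window within one day
        return today in days and start <= t < stop
    # Wraps past midnight: before the stop time we are in the tail of the
    # window that began on the previous day.
    return (today in days and t >= start) or (yesterday in days and t < stop)


def one_time_active(start: datetime, stop: datetime, now: datetime) -> bool:
    """One-time schedule: a single absolute window."""
    return start <= now < stop


def policy_active(schedule, now: datetime) -> bool:
    """schedule is ("recurring", days, start, stop) or ("one-time", start, stop)."""
    if schedule[0] == "recurring":
        return recurring_active(*schedule[1:], now)
    return one_time_active(*schedule[1:], now)


# Constructed samples: a working-night window, 22:00 to 06:00, and a one-time
# holiday block such as the one the page suggests.
OVERNIGHT = ("recurring", {"mon", "tue", "wed", "thu", "fri"}, time(22, 0), time(6, 0))
HOLIDAY = ("one-time", datetime(2024, 12, 24, 18, 0), datetime(2024, 12, 27, 8, 0))

if __name__ == "__main__":
    for when in (datetime(2024, 1, 16, 23, 30),   # Tuesday night: active
                 datetime(2024, 1, 20, 2, 0),     # Saturday 02:00, tail of Friday's window: active
                 datetime(2024, 1, 15, 3, 0),     # Monday 03:00, Sunday not selected: inactive
                 datetime(2024, 1, 16, 12, 0)):   # Tuesday noon: inactive
        print(when, policy_active(OVERNIGHT, when))
```

The weekday of the window's second half is the point to test when a schedule is meant to block traffic overnight: a check that looks only at the current weekday would report the Saturday 02:00 case as inactive and let the traffic through.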
Adding schedules to policies
After you create schedules, you can add them to policies to schedule when the policies are active. You can add the new schedules to policies when you create the policy, or you can edit existing policies and add a new schedule to them.
To add a schedule to a policy
1 Go to Firewall > Policy.
2 Create a new policy or edit a policy to change its schedule.
3 Configure the policy as required.
This section describes:
• Adding static NAT virtual IPs
• Adding port forwarding virtual IPs
• Adding policies with virtual IPs
Adding static NAT virtual IPs
To add a static NAT virtual IP
1 Go to Firewall > Virtual IP.
2 Select New to add a virtual IP.
3 Type a Name for the virtual IP. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
7 In Map to IP, type the real IP address on the destination network, for example, the IP address of a web server on an internal network.
Note: The firewall translates the source address of outbound packets from the host with the Map to IP address to the virtual IP External IP Address, instead of the firewall external address. A static NAT virtual IP therefore maps the whole host: every port that a policy allows is reachable from outside at the external IP address. When only one service should be reachable, use a port forwarding virtual IP instead.
8 Select OK to save the virtual IP. You can now add the virtual IP to firewall policies.
6 Enter the External IP Address that you want to map to an address on the destination zone. You can set the external IP address to the IP address of the external interface selected in step 4 or to any other address. If the IP address of the external interface selected in step 4 is set using PPPoE or DHCP, you can enter 0.0.0.0 for the External IP Address. The FortiGate unit substitutes the IP address set for this external interface using PPPoE or DHCP.
Figure 48: Adding a port forwarding virtual IP

Adding policies with virtual IPs
Use the following procedure to add a policy that uses a virtual IP to forward packets.
To add a policy with a virtual IP
1 Go to Firewall > Policy.
2 Select the type of policy that you want to add.
3 Set the policy options:
• The source interface must match the interface selected in the External Interface list.
Authentication: Optionally select Authentication and select a user group to require users to authenticate with the firewall before accessing the server using port forwarding.
Log Traffic, Anti-Virus & Web filter: Select these options to log port-forwarded traffic and apply antivirus and web filter protection to this traffic.
4 Select OK to save the policy.

IP pools
An IP pool (also called a dynamic IP pool) is a range of IP addresses added to a firewall interface.
Figure 49: Adding an IP Pool

IP Pools for firewall policies that use fixed ports
Some network configurations do not operate correctly if a NAT policy translates the source port of packets used by the connection. NAT translates source ports to keep track of connections for a particular service. You can select fixed port for NAT policies to prevent source port translation.
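An added Python example (not Fortinet code, and not the FortiGate NAT engine) that puts the translations described in the Virtual IPs and IP pools sections side by side: inbound static NAT to every port of the mapped host, inbound port forwarding to a single port, and outbound source NAT to the firewall external address, to a random address from a Dynamic IP Pool, or to the host's own virtual IP as the note under static NAT describes, with and without Fixed Port. The packet and virtual IP field names, the addresses and the pool are constructed; it is an assumption that only a static NAT virtual IP, not a port forwarding one, rewrites the mapped host's outbound source address.

```python
import ipaddress
import random


class Nat:
    """Packets are dicts with src, dst, proto, sport, dport. A static NAT VIP is
    {"ext_ip", "map_ip"}; a port forwarding VIP adds "proto", "ext_port",
    "map_port". pools maps a pool name to a network whose addresses are used."""

    def __init__(self, ext_if_ip: str, vips=(), pools=None, rng=None):
        self.ext_ip = ext_if_ip
        self.vips = list(vips)
        self.pools = {name: [str(h) for h in ipaddress.IPv4Network(n).hosts()]
                      for name, n in (pools or {}).items()}
        self.rng = rng or random.Random()
        self.next_port = 1024                           # constructed allocator

    def inbound(self, pkt: dict):
        """Destination translation for a packet arriving at a virtual IP;
        None means no virtual IP forwards it inside."""
        for vip in self.vips:
            if pkt["dst"] != vip["ext_ip"]:
                continue
            if "ext_port" in vip:                       # port forwarding: one service only
                if pkt["proto"] == vip["proto"] and pkt["dport"] == vip["ext_port"]:
                    return dict(pkt, dst=vip["map_ip"], dport=vip["map_port"])
                continue                                # other ports on that address: not forwarded
            return dict(pkt, dst=vip["map_ip"])         # static NAT: every port of the host
        return None

    def outbound(self, pkt: dict, policy: dict):
        """Source translation through a policy; policy keys: nat, pool, fixed_port."""
        if not policy.get("nat"):
            return dict(pkt)                            # NAT not selected: no translation
        out = dict(pkt)
        static = next((v for v in self.vips
                       if "ext_port" not in v and v["map_ip"] == pkt["src"]), None)
        if static:                                      # host behind a static NAT VIP
            out["src"] = static["ext_ip"]               # appears as its VIP, not the firewall
        elif policy.get("pool"):                        # Dynamic IP Pool
            out["src"] = self.rng.choice(self.pools[policy["pool"]])
        else:
            out["src"] = self.ext_ip
        if not policy.get("fixed_port"):                # source port is normally rewritten
            out["sport"] = self.next_port
            self.next_port += 1
        return out


# Constructed sample configuration.
NAT = Nat("203.0.113.1",
          vips=[{"ext_ip": "203.0.113.10", "map_ip": "10.0.0.5"},
                {"ext_ip": "203.0.113.11", "map_ip": "10.0.0.6",
                 "proto": "tcp", "ext_port": 8080, "map_port": 80}],
          pools={"pool1": "203.0.113.32/29"},
          rng=random.Random(7))

if __name__ == "__main__":
    arriving = {"src": "198.51.100.7", "dst": "203.0.113.10",
                "proto": "tcp", "sport": 40000, "dport": 22}
    print(NAT.inbound(arriving))                                # static NAT: reaches port 22
    print(NAT.inbound(dict(arriving, dst="203.0.113.11")))      # port forward: port 22 not exposed
    leaving = {"src": "10.0.0.5", "dst": "198.51.100.7",
               "proto": "tcp", "sport": 50000, "dport": 443}
    print(NAT.outbound(leaving, {"nat": True}))                 # seen from outside as 203.0.113.10
    print(NAT.outbound(dict(leaving, src="10.0.0.7"),
                       {"nat": True, "pool": "pool1", "fixed_port": True}))
```

The contrast in the first two inbound calls is the point of the caveat under static NAT: the static virtual IP carries port 22 through to the host, the port forwarding virtual IP drops everything but the one published port.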
You can enter the static IP addresses and corresponding MAC addresses of trusted computers in the static IP/MAC table. If you have trusted computers with dynamic IP addresses that are set by the FortiGate DHCP server, the FortiGate unit adds these IP addresses and their corresponding MAC addresses to the dynamic IP/MAC table. For information about viewing the table, see “Viewing a DHCP server dynamic IP list” on page 160.
For example, if the IP/MAC pair IP 1.1.1.1 and MAC 12:34:56:78:90:ab is added to the IP/MAC binding list:
• A packet with IP address 1.1.1.1 and MAC address 12:34:56:78:90:ab is allowed to go on to be matched with a firewall policy.
• A packet with IP 1.1.1.1 but with a different MAC address is dropped immediately to prevent IP spoofing.
3 Enter the IP Address and the MAC Address. You can bind multiple IP addresses to the same MAC address. You cannot bind multiple MAC addresses to the same IP address. However, you can set the IP address to 0.0.0.0 for multiple MAC addresses. This means that all packets with these MAC addresses are matched with the IP/MAC binding list. Similarly, you can set the MAC address to 00:00:00:00:00:00 for multiple IP addresses.
IP/MAC binding is only meaningful for hosts on a directly connected segment, since a router in the path presents its own MAC address, and it stops casual IP spoofing rather than an attacker who can also change the MAC address of the sending host.
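An added Python example (not Fortinet code, and not the FortiGate binding implementation) of the static IP/MAC list: the one-MAC-per-IP rule enforced when entries are added, the two wildcard forms described above, and the verdict for a packet. The page defines the pass and drop cases for bound addresses; what happens to a packet whose IP and MAC appear nowhere in the list is not stated, so it is a parameter here, and dropping a bound MAC that arrives with an unbound IP is likewise an assumption. The entries in the sample table are constructed, except the page's own 1.1.1.1 pair.

```python
WILD_IP = "0.0.0.0"                  # "any IP" entry for a MAC address
WILD_MAC = "00:00:00:00:00:00"       # "any MAC" entry for an IP address


class IpMacTable:
    """Static IP/MAC binding list, checked before policy lookup."""

    def __init__(self, unbound_action: str = "pass"):
        self.rows = []                   # (ip, mac) pairs, in list order
        self.unbound_action = unbound_action   # assumption: neither address is in the list

    def add(self, ip: str, mac: str) -> None:
        mac = mac.lower()
        if ip != WILD_IP and any(r_ip == ip for r_ip, _ in self.rows):
            raise ValueError(f"{ip} is already bound; an IP may bind to one MAC only")
        self.rows.append((ip, mac))      # several IPs may share one MAC

    def verdict(self, ip: str, mac: str) -> str:
        """'pass' (go on to policy matching), 'drop' (bound address with the
        wrong partner, i.e. spoofing) or the unbound action."""
        mac = mac.lower()
        for r_ip, r_mac in self.rows:
            if r_ip in (WILD_IP, ip) and r_mac in (WILD_MAC, mac):
                return "pass"
        bound_ip = any(r_ip == ip for r_ip, _ in self.rows)
        bound_mac = any(r_mac == mac for _, r_mac in self.rows)
        if bound_ip or bound_mac:        # assumption for the bound-MAC case
            return "drop"
        return self.unbound_action


def build_sample_table() -> IpMacTable:
    """Constructed sample entries."""
    table = IpMacTable()
    table.add("1.1.1.1", "12:34:56:78:90:ab")        # the page's example pair
    table.add("1.1.1.2", "12:34:56:78:90:ab")        # second IP on the same NIC: allowed
    table.add(WILD_IP, "aa:bb:cc:dd:ee:01")          # this MAC may use any IP
    table.add("10.0.0.9", WILD_MAC)                  # this IP may come from any MAC
    return table


if __name__ == "__main__":
    table = build_sample_table()
    for ip, mac in (("1.1.1.1", "12:34:56:78:90:ab"),
                    ("1.1.1.1", "de:ad:be:ef:00:01"),   # spoofed: bound IP, wrong MAC
                    ("5.5.5.5", "aa:bb:cc:dd:ee:01"),   # any-IP entry for this MAC
                    ("9.9.9.9", "00:11:22:33:44:55")):  # nothing bound: unbound action
        print(ip, mac, table.verdict(ip, mac))
```

MAC addresses are compared case-insensitively because the same address is written in upper and lower case by different tools; a table that compares them as raw strings would let a packet through, or drop it, depending only on how the entry was typed.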
Figure 50: IP/MAC settings

Content profiles
Use content profiles to apply different protection settings for content traffic that is controlled by firewall policies.
Default content profiles
The FortiGate unit has the following four default content profiles that are displayed on the Firewall Content Profile page. You can use the default content profiles or create your own.
Strict: To apply maximum content protection to HTTP, FTP, IMAP, POP3, and SMTP content traffic.
Web Content Block: Block web pages that contain unwanted words or phrases. See “Content blocking” on page 290.
Web Script Filter: Remove scripts from web pages. See “Script filtering” on page 299.
Web Exempt List: Exempt URLs from web filtering and virus scanning. See “Exempt URL list” on page 300.
6 Enable the email filter protection options that you want.
Email Block List: Add a subject tag to email from unwanted addresses. See “Email block list” on page 306.
Adding content profiles to policies
You can add content profiles to policies with action set to allow or encrypt and with service set to ANY, HTTP, FTP, IMAP, POP3, SMTP, or a service group that includes these services.
To add a content profile to a policy
1 Go to Firewall > Policy.
2 Select a policy list that contains policies that you want to add a content profile to.
Users and authentication
FortiGate units support user authentication to the FortiGate user database, a RADIUS server, and an LDAP server. You can add user names to the FortiGate user database and then add a password to allow the user to authenticate using the internal database. You can also add the names of RADIUS and LDAP servers.
This chapter describes:
• Setting authentication timeout
• Adding user names and configuring authentication
• Configuring RADIUS support
• Configuring LDAP support
• Configuring user groups
Setting authentication timeout
Authentication timeout controls how long authenticated firewall connections can remain idle before users must authenticate again to get access through the firewall.
LDAP: Require the user to authenticate to an LDAP server. Select the name of the LDAP server to which the user must authenticate. You can only select an LDAP server that has been added to the FortiGate LDAP configuration. See “Configuring LDAP support” on page 227.
Radius: Require the user to authenticate to a RADIUS server. Select the name of the RADIUS server to which the user must authenticate.
Configuring RADIUS support
If you have configured RADIUS support and a user is required to authenticate using a RADIUS server, the FortiGate unit contacts the RADIUS server for authentication.
This section describes:
• Adding RADIUS servers
• Deleting RADIUS servers
Adding RADIUS servers
To add a RADIUS server
1 Go to User > RADIUS.
2 Select New to add a new RADIUS server.
3 Type the Name of the RADIUS server. You can type any name.
Configuring LDAP support
If you have configured LDAP support and a user is required to authenticate using an LDAP server, the FortiGate unit contacts the LDAP server for authentication. To authenticate with the FortiGate unit, the user enters a user name and password. The FortiGate unit sends this user name and password to the LDAP server. If the LDAP server can authenticate the user, the user is successfully authenticated with the FortiGate unit.
7 Enter the distinguished name used to look up entries on the LDAP server. Enter the base distinguished name for the server using the correct X.500 or LDAP format. The FortiGate unit passes this distinguished name unchanged to the server.
Configuring user groups
To enable authentication, you must add user names, RADIUS servers, and LDAP servers to one or more user groups. You can then select a user group when you require authentication. You can select a user group to configure authentication for:
• Policies that require authentication. Only users in the selected user group or users that can authenticate with the RADIUS servers added to the user group can authenticate with these policies.
Figure 55: Adding a user group
3 Enter a Group Name to identify the user group. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
4 To add users to the user group, select a user from the Available Users list and select the right arrow to add the name to the Members list.
IPSec VPN

A Virtual Private Network (VPN) is an extension of a private network that encompasses links across shared or public networks such as the Internet. For example, a company that has two offices in different cities, each with its own private network, can use a VPN to create a secure tunnel between the offices. Similarly, a teleworker can use a VPN client for remote access to a private office network.
Key management

There are three basic elements in any encryption system:
• an algorithm that changes information into code,
• a cryptographic key that serves as a secret starting point for the algorithm,
• a management system to control the key.
In some respects, certificates are simpler to manage than manual keys or pre-shared keys. For this reason, certificates are best suited to large network deployments.

Manual key IPSec VPNs

When using manual keys, complementary security parameters must be entered at both ends of the tunnel. In addition to encryption and authentication algorithms and keys, the security parameter index (SPI) is required.
5 Enter the Remote SPI. The Remote Security Parameter Index is a hexadecimal number of up to eight digits (digits can be 0 to 9, a to f) in the range bb8 to FFFFFFF. This number must be entered as the Local SPI at the opposite end of the tunnel.
6 Enter the Remote Gateway. This is the external IP address of the FortiGate unit or other IPSec gateway at the opposite end of the tunnel.
7 Select an Encryption Algorithm from the list.
AutoIKE IPSec VPNs

FortiGate units support two methods of Automatic Internet Key Exchange (AutoIKE) for establishing IPSec VPN tunnels: AutoIKE with pre-shared keys and AutoIKE with digital certificates.
3 Type a Gateway Name for the remote VPN peer. The remote VPN peer can be either a gateway to another network or an individual client on the Internet. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
4 Select a Remote Gateway address type.
• If the remote VPN peer has a static IP address, select Static IP Address.
10 Configure the Local ID that the FortiGate unit sends to the remote VPN peer.
• Preshared key: If the FortiGate unit is functioning as a client and uses its ID to authenticate itself to the remote VPN peer, enter an ID. If no ID is specified, the FortiGate unit transmits its IP address.
• RSA Signature: No entry is required because the Local ID field contains the Distinguished Name (DN) of the certificate associated with this phase 1 configuration.
XAuth: Enable as a Server
Encryption method: Select the encryption method used between the XAuth client, the FortiGate unit and the authentication server.
PAP: Password Authentication Protocol.
CHAP: Challenge-Handshake Authentication Protocol.
MIXED: Select MIXED to use PAP between the XAuth client and the FortiGate unit, and CHAP between the FortiGate unit and the authentication server.
Use CHAP whenever possible.
Figure 56: Adding a phase 1 configuration (Standard options)
Figure 57: Adding a phase 1 configuration (Advanced options)
Adding a phase 2 configuration for an AutoIKE VPN

Add a phase 2 configuration to specify the parameters used to create and maintain a VPN tunnel between the local VPN peer (the FortiGate unit) and the remote VPN peer (the VPN gateway or client).

Note: Adding a Phase 2 configuration is the same for pre-shared key and certificate VPNs.

To add a phase 2 configuration
1 Go to VPN > IPSEC > Phase 2.
2 Select New to add a new phase 2 configuration.
3 Enter a Tunnel Name.
10 Enable Autokey Keep Alive if you want to keep the VPN tunnel running even if no data is being processed.
11 Select a concentrator if you want the tunnel to be part of a hub and spoke VPN configuration. If you use the procedure “Adding a VPN concentrator” on page 251 to add the tunnel to a concentrator, the next time you open the tunnel, the Concentrator field displays the name of the concentrator to which you added the tunnel.
12 Select a Quick Mode Identity.
Managing digital certificates

Use digital certificates to make sure that both participants in an IPSec communication session are trustworthy, prior to setting up an encrypted VPN tunnel between the participants. Fortinet uses a manual procedure to obtain certificates. This involves copying and pasting text files from your local computer to the certificate authority, and from the certificate authority to your local computer.
Organization Unit: Enter a name that identifies the department or unit within the organization that is requesting the certificate for the FortiGate unit (such as Manufacturing or MF).
Organization: Enter the legal name of the organization that is requesting the certificate for the FortiGate unit (such as Fortinet).
Locality: Enter the name of the city or town where the FortiGate unit is located (such as Vancouver).
Downloading the certificate request

Use the following procedure to download a certificate request from the FortiGate unit to the management computer.

To download the certificate request
1 Go to VPN > Certificates > Local Certificates.
2 Select Download to download the local certificate to the management computer.
3 Select Save.
4 Name the file and save it in a directory on the management computer.
Obtaining CA certificates

For the VPN peers to authenticate themselves to each other, they must both obtain a CA certificate from the same certificate authority. The CA certificate provides the VPN peers with a means to validate the digital certificates that they receive from other devices. The FortiGate unit obtains the CA certificate to validate the digital certificate that it receives from the remote VPN peer.
Note: The destination address can be a VPN client address on the Internet or the address of a network behind a remote VPN gateway.

In addition to defining membership in the VPN by address, you can configure the encrypt policy for services such as DNS, FTP, and POP3, and to allow connections according to a predefined schedule (by the time of the day or the day of the week, month, or year).
Adding a destination address

The destination address can be a VPN client address on the Internet or the address of a network behind a remote VPN gateway.

To add a destination address
1 Go to Firewall > Address.
2 Select an external interface.
3 Select New to add an address.
4 Enter the Address Name, IP Address, and NetMask for a single computer or for an entire subnetwork on an internal interface of the remote VPN peer.
VPN Tunnel: Select an Auto Key tunnel for this encrypt policy.
Allow inbound: Select Allow inbound to enable inbound users to connect to the source address.
Allow outbound: Select Allow outbound to enable outbound users to connect to the destination address.
Inbound NAT: The FortiGate unit translates the source address of incoming packets to the IP address of the FortiGate interface connected to the source address network.
Figure 60: Adding an encrypt policy

IPSec VPN concentrators

In a hub-and-spoke network, all VPN tunnels terminate at a single VPN peer called a hub. The peers that connect to the hub are known as spokes. The hub functions as a concentrator on the network, managing the VPN connections between the spokes. The advantage of a hub-and-spoke network is that the spokes are simpler to configure because they require fewer policy rules.
If the VPN peer is one of the spokes, it requires a tunnel connecting it to the hub (but not to the other spokes). It also requires policies that control its encrypted connections to the other spokes and its non-encrypted connections to other networks, such as the Internet.
Source: Internal_All
Destination: The VPN spoke address.
Action: ENCRYPT
VPN Tunnel: The VPN spoke tunnel name.
Allow inbound: Select allow inbound.
Allow outbound: Select allow outbound.
Inbound NAT: Select inbound NAT if required.
Outbound NAT: Select outbound NAT if required.
See “Adding an encrypt policy” on page 247.
VPN spoke general configuration steps

A remote VPN peer that functions as a spoke requires the following configuration:
• A tunnel (AutoIKE phase 1 and phase 2 configuration or manual key configuration) for the hub.
• The source address of the local VPN spoke.
• The destination address of each remote VPN spoke.
• A separate outbound encrypt policy for each remote VPN spoke. These policies allow the local VPN spoke to initiate encrypted connections.
Action: ENCRYPT
VPN Tunnel: The VPN tunnel name added in step 1. (Use the same tunnel for all encrypt policies.)
Allow inbound: Select allow inbound.
Allow outbound: Do not enable.
Inbound NAT: Select inbound NAT if required.
Outbound NAT: Select outbound NAT if required.
See “Adding an encrypt policy” on page 247.
Configuring redundant IPSec VPNs

Prior to configuring the VPN, make sure that both FortiGate units have multiple connections to the Internet. For each unit, first add multiple (two or more) external interfaces. Then assign each interface to an external zone. Finally, add a route to the Internet through each interface. Configure the two FortiGate units with symmetrical settings for their connections to the Internet.
Monitoring and Troubleshooting VPNs
• Viewing VPN tunnel status
• Viewing dialup VPN connection status
• Testing a VPN

Viewing VPN tunnel status

You can use the IPSec VPN tunnel list to view the status of all IPSec AutoIKE key VPN tunnels. For each tunnel, the list shows the status and the tunnel timeout.

To view VPN tunnel status
1 Go to VPN > IPSEC > Phase 2.
2 View the status and timeout for each VPN tunnel.
Status: The status of each tunnel.
Timeout: The time before the next key exchange. The time is calculated by subtracting the time elapsed since the last key exchange from the keylife.
Proxy ID Source: The actual IP address or subnet address of the remote peer.
Proxy ID Destination: The actual IP address or subnet address of the local peer.
PPTP and L2TP VPN

You can use PPTP and L2TP to create a virtual private network (VPN) between a remote client computer that is running Windows and your internal network. Because PPTP and L2TP are supported by Windows, you do not require third-party software on the client computer.
Configuring the FortiGate unit as a PPTP gateway

Use the following procedures to configure the FortiGate unit as a PPTP gateway:

To add users and user groups
Add a user for each PPTP client.
1 Go to User > Local.
2 Add and configure PPTP users. For information about adding and configuring users, see “Adding user names and configuring authentication” on page 224.
3 Go to User > User Group.
4 Add and configure PPTP user groups.
3 Select New to add an address.
4 Enter the Address Name, IP Address, and NetMask for an address in the PPTP address range.
5 Select OK to save the source address.
6 Repeat for all addresses in the PPTP address range.

Note: If the PPTP address range is comprised of an entire subnet, add an address for this subnet. Do not add an address group.

To add a source address group
Organize the source addresses into an address group.
1 Go to Firewall > Address > Group.
6 Set Service to match the traffic type inside the PPTP VPN tunnel. For example, if PPTP users can access a web server, select HTTP.
7 Set Action to ACCEPT.
8 Select NAT if address translation is required. You can also configure traffic shaping, logging, and antivirus and web filter settings for PPTP policies.
9 Select OK to save the firewall policy.
To connect to the PPTP VPN
1 Start the dialup connection that you configured in the previous procedure.
2 Enter your PPTP VPN User Name and Password.
3 Select Connect.

Configuring a Windows 2000 client for PPTP

Use the following procedure to configure a client computer running Windows 2000 so that it can connect to a FortiGate PPTP VPN.

To configure a PPTP dialup connection
1 Go to Start > Settings > Network and Dial-up Connections.
5 Name the connection and select Next.
6 If the Public Network dialog box appears, choose the appropriate initial connection and select Next.
7 In the VPN Server Selection dialog, enter the IP address or host name of the FortiGate unit to connect to and select Next.
8 Select Finish.

To configure the VPN connection
1 Right-click the Connection icon that you created in the previous procedure.
2 Select Properties > Security.
Configuring L2TP

Some implementations of L2TP support elements of IPSec. These elements must be disabled when L2TP is used with a FortiGate unit.

Note: L2TP VPNs are only supported in NAT/Route mode.
Figure 65: Sample L2TP address range configuration

To add source addresses
Add a source address for every address in the L2TP address range.
1 Go to Firewall > Address.
2 Select the interface to which L2TP clients connect. This can be an interface, VLAN subinterface, or zone.
3 Select New to add an address.
4 Enter the Address Name, IP Address, and NetMask for an address in the L2TP address range.
5 Select OK to save the source address.
6 Select OK to add the address group.

To add a destination address
Add an address to which L2TP users can connect.
1 Go to Firewall > Address.
2 Select the internal interface or the DMZ interface.
3 Select New to add an address.
4 Enter the Address Name, IP Address, and NetMask for a single computer or for an entire subnetwork on an internal interface of the local VPN peer.
5 Select OK to save the source address.
7 In the Connect window, select Properties.
8 Select the Security tab.
9 Make sure that Require data encryption is selected.

Note: If a RADIUS server is used for authentication, do not select Require data encryption. L2TP encryption is not supported for RADIUS server authentication.

10 Select the Networking tab.
11 Set VPN server type to Layer-2 Tunneling Protocol (L2TP).
12 Save the changes and continue with the following procedure.
4 In the Connect window, enter the User Name and Password that you use to connect to your dialup network connection. This user name and password are not the same as your VPN user name and password.

Configuring a Windows XP client for L2TP

Use the following procedure to configure a client computer running Windows XP so that it can connect to a FortiGate L2TP VPN.

To configure an L2TP VPN dialup connection
1 Go to Start > Settings.
To disable IPSec
1 Select the Networking tab.
2 Select Internet Protocol (TCP/IP) properties.
3 Double-click the Advanced tab.
4 Go to the Options tab and select IP security properties.
5 Make sure that Do not use IPSEC is selected.
6 Select OK and close the connection properties window.

Note: The default Windows XP L2TP traffic policy does not allow L2TP traffic without IPSec encryption.
Network Intrusion Detection System (NIDS)

The FortiGate NIDS is a real-time network intrusion detection sensor that uses attack signature definitions to both detect and prevent a wide variety of suspicious network traffic and direct network-based attacks. Also, whenever an attack occurs, the FortiGate NIDS can record the event in a log and send an alert email to the system administrator.
Selecting the interfaces to monitor

To select the interfaces to monitor for attacks
1 Go to NIDS > Detection > General.
2 Select the interfaces to monitor for network attacks. You can select up to a total of 4 interfaces and VLAN subinterfaces.
3 Select Apply.

Disabling monitoring interfaces

To disable monitoring interfaces for attacks
1 Go to NIDS > Detection > General.
Viewing the signature list

You can display the current list of NIDS signature groups and the members of a signature group.

To view the signature list
1 Go to NIDS > Detection > Signature List.
2 View the names and action status of the signature groups in the list. The NIDS detects attacks listed in all the signature groups that have check marks in the Enable column.

Note: The user-defined signature group is the last item in the signature list.
Figure 67: Example signature group members list

Disabling NIDS attack signatures

By default, all NIDS attack signatures are enabled. You can use the NIDS signature list to disable detection of some attacks. Disabling unnecessary NIDS attack signatures can improve system performance and reduce the number of IDS log messages and alert emails that the NIDS generates. For example, the NIDS detects a large number of web server attacks.
To add user-defined signatures
1 Go to NIDS > Detection > User Defined Signature List.
2 Select Upload.

Caution: Uploading the user-defined signature list overwrites the existing file.

3 Type the path and filename of the text file for the user-defined signature list or select Browse and locate the file.
4 Select OK to upload the text file for the user-defined signature list.
Preventing attacks

NIDS attack prevention protects the FortiGate unit and the networks connected to it from common TCP, ICMP, UDP, and IP attacks. You can enable NIDS attack prevention to prevent a set of default attacks with default threshold values. You can also enable or disable and set the threshold values for individual attack prevention signatures.
Setting signature threshold values

You can change the default threshold values for the NIDS Prevention signatures listed in Table 40. The threshold depends on the type of attack. For flooding attacks, the threshold is the maximum number of packets received per second. For overflow attacks, the threshold is the buffer size for the command. For large ICMP attacks, the threshold is the ICMP packet size limit to pass through.
To set Prevention signature threshold values
1 Go to NIDS > Prevention.
2 Select Modify beside the signature for which you want to set the Threshold value. Signatures that do not have threshold values do not have Modify icons.
3 Type the Threshold value.
4 Select the Enable check box.
5 Select OK.

Logging attacks

Whenever the NIDS detects or prevents an attack, it generates an attack message.
The FortiGate unit uses an alert email queue in which each new message is compared with the previous messages. If the new message is not a duplicate, the FortiGate unit sends it immediately and puts a copy in the queue. If the new message is a duplicate, the FortiGate unit deletes it and increases an internal counter for the number of message copies in the queue. The FortiGate unit holds duplicate alert email messages for 60 seconds.
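The alert email queue described above, worked through in Python as an added example (not FortiGate code). The send-once, count-duplicates and 60-second hold rules are from the page; treating two alerts as duplicates when their text is identical, taking the clock from the caller, and reporting the copy count when a held entry expires are assumptions made here.

```python
"""Alert email queue with duplicate suppression, as described above.

Added example, not FortiGate code. From the page: a new message that is not a
duplicate is sent at once and a copy is kept in the queue; a duplicate is
deleted and a per-message copy counter is increased; duplicates are held for
60 seconds. Assumed here: two alerts are duplicates when their text is
identical, time is supplied by the caller in seconds, and when a held entry
expires the copy count is reported so an operator can see how many alerts
were folded into the one email that went out.
"""
from dataclasses import dataclass, field

HOLD_SECONDS = 60  # duplicate hold time given on the page


@dataclass
class QueuedAlert:
    first_seen: float  # time the first copy was sent
    copies: int = 1    # copies seen so far, including the one that was sent


@dataclass
class AlertQueue:
    sent: list = field(default_factory=list)      # (time, message) actually emailed
    released: list = field(default_factory=list)  # (message, copies) after the hold
    queue: dict = field(default_factory=dict)     # message -> QueuedAlert

    def expire(self, now: float) -> None:
        """Drop queue entries whose hold time has elapsed, recording the count."""
        expired = [m for m, e in self.queue.items()
                   if now - e.first_seen >= HOLD_SECONDS]
        for message in expired:
            self.released.append((message, self.queue.pop(message).copies))

    def submit(self, message: str, now: float) -> str:
        """Offer one attack message at time `now`; returns 'sent' or 'suppressed'."""
        self.expire(now)
        entry = self.queue.get(message)
        if entry is None:
            # Not a duplicate of anything held: send immediately, keep a copy.
            self.sent.append((now, message))
            self.queue[message] = QueuedAlert(first_seen=now)
            return "sent"
        # Duplicate of a held message: delete it, bump the copy counter.
        entry.copies += 1
        return "suppressed"


def run_demo() -> tuple:
    """Replay a constructed burst of attack messages through the queue."""
    events = [  # (seconds, message): constructed sample alerts
        (0, "alert-A"), (5, "alert-A"), (10, "alert-B"),
        (30, "alert-A"), (61, "alert-A"), (70, "alert-B"),
    ]
    q = AlertQueue()
    outcomes = [q.submit(msg, t) for t, msg in events]
    return outcomes, [msg for _, msg in q.sent], q.released


if __name__ == "__main__":
    for part in run_demo():
        print(part)
```

The demo shows the practical effect: a repeated alert produces one email per 60-second window, and the released counter tells the operator how many copies the window absorbed.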
Antivirus protection

You can enable antivirus protection in firewall policies. You can select a content profile that controls how the antivirus protection behaves. Content profiles control the type of traffic protected (HTTP, FTP, IMAP, POP3, SMTP), the type of antivirus protection and the treatment of fragmented email and oversized files or email.
6 Configure the FortiGate unit to send an alert email when it blocks or deletes an infected file. See “Configuring alert email” in the Logging and Message Reference Guide.
Figure 69: Example content profile for virus scanning

File blocking

Enable file blocking to remove all files that are a potential threat and to provide the best protection from active computer virus attacks. Blocking files is the only protection from a virus that is so new that antivirus scanning cannot detect it. You would not normally operate the FortiGate unit with blocking enabled.
By default, when blocking is enabled, the FortiGate unit blocks the following file patterns:
• executable files (*.bat, *.com, and *.exe)
• compressed or archive files (*.gz, *.rar, *.tar, *.tgz, and *.zip)
• dynamic link libraries (*.dll)
• HTML application (*.hta)
• Microsoft Office files (*.doc, *.ppt, *.xl?)
• Microsoft Works files (*.wps)
• Visual Basic files (*.vb?)
• screen saver files (*.
Quarantine

FortiGate units with a hard disk can quarantine blocked or infected files. The quarantined files are removed from the content stream and stored on the FortiGate hard disk. Users receive a message that the removed files have been quarantined. On the FortiGate, the names of quarantined files are displayed on the quarantine list. The list displays status, duplication, and age information for each quarantined file.
5 Add this content profile to firewall policies. See “Adding content profiles to policies” on page 221.

Viewing the quarantine list

To view the quarantine list
1 Go to Anti-Virus > Quarantine.
The quarantine list displays the following information:
File Name: The processed filename of the file that was quarantined. The processed filename has all white space removed.
Filtering the quarantine list

You can filter the quarantine list to:
• Display only blocked files
• Display only infected files
• Display blocked and infected files found only in IMAP, POP3, SMTP, FTP, or HTTP traffic

To filter the Quarantine list to display blocked or infected files
1 Go to Anti-Virus > Quarantine.
2 For Filter, select Status.
3 Select either infected or blocked.
4 Select Apply.
Note: The Quarantine Blocked Files option is not available for HTTP or FTP because a filename is blocked at request time and the file is not downloaded to the FortiGate unit.

3 Type the Age Limit (TTL) in hours to specify how long files are left in quarantine. The maximum number of hours is 480. The FortiGate unit automatically deletes a file when the TTL reaches 00:00.
4 Type the maximum file size in MB to quarantine.
Exempting fragmented email from blocking

A fragmented email is a large email message that has been split into smaller messages that are sent individually and recombined when they are received. By default, when antivirus protection is enabled, the FortiGate unit blocks fragmented emails and replaces them with an email block message that is forwarded to the receiver.
Web filtering

When you enable Anti-Virus & Web filter in a firewall policy, you select a content profile that controls how web filtering behaves for HTTP traffic. Content profiles control the following types of content filtering:
• blocking unwanted URLs,
• blocking unwanted content,
• removing scripts from web pages,
• exempting URLs from blocking.
You can also use the Cerberian URL filtering to block unwanted URLs.
3 Configure web filtering settings to control how the FortiGate unit applies web filtering to the HTTP traffic allowed by policies. See:
• “URL blocking” on page 293,
• “Configuring Cerberian URL filtering” on page 296,
• “Content blocking” on page 290,
• “Script filtering” on page 299,
• “Exempt URL list” on page 300.
4 Configure the messages that users receive when the FortiGate unit blocks unwanted content or unwanted URLs.
4 Type a banned word or phrase. If you type a single word (for example, banned), the FortiGate unit blocks all web pages that contain that word. If you type a phrase (for example, banned phrase), the FortiGate unit blocks web pages that contain both words. When this phrase appears on the banned word list, the FortiGate unit inserts plus signs (+) in place of spaces (for example, banned+phrase).
Backing up the Banned Word list

You can back up the banned word list by downloading it to a text file on the management computer.

To back up the banned word list
1 Go to Web Filter > Content Block.
2 Select Backup Banned Word List. The FortiGate unit downloads the list to a text file on the management computer. You can specify a location to which to download the text file as well as a name for the text file.
5 Select Return to display the updated Banned Word List.
6 You can continue to maintain the Banned Word List by making changes to the text file and uploading it again as necessary.

Note: Banned Word must be selected in the content profile for web pages containing banned words to be blocked.

URL blocking

You can block unwanted web URLs using FortiGate Web URL blocking, FortiGate Web pattern blocking, and Cerberian web filtering.
Note: Do not use regular expressions in the Web URL block list. You can use regular expressions in the Web Pattern Block list to create URL patterns to block. See “Configuring FortiGate Web pattern blocking” on page 296.

Note: You can type a top-level domain suffix (for example, “com” without the leading period) to block access to all URLs with this suffix.

Note: URL blocking does not block access to other services that users can access with a web browser.
Downloading the Web URL block list

You can back up the Web URL block list by downloading it to a text file on the management computer.

To download a Web URL block list
1 Go to Web Filter > Web URL Block.
2 Select Download URL Block List. The FortiGate unit downloads the list to a text file on the management computer. You can specify a location to which to download the text file as well as a name for the text file.
8 You can continue to maintain the Web URL block list by making changes to the text file and uploading it again.

Configuring FortiGate Web pattern blocking

You can configure FortiGate web pattern blocking to block web pages that match a URL pattern. Create URL patterns using regular expressions (for example, badsite.* matches badsite.com, badsite.org, badsite.net and so on). FortiGate web pattern blocking supports standard regular expressions.
Installing a Cerberian license key

Before you can use the Cerberian web filter, you must install a license key. The license key determines the number of end users allowed to use Cerberian web filtering through the FortiGate unit.

To install a Cerberian license key
1 Go to Web Filter > URL Block.
2 Select Cerberian URL Filtering.
3 Enter the license number.
4 Select Apply.
You can add users to the default group and apply any policies to the group. Use the default group to add:
• All the users who are not assigned alias names on the FortiGate unit.
• All the users who are not assigned to other user groups.
The Cerberian web filter groups URLs into 53 categories. The default policy blocks the URLs of 12 categories. You can modify the default policy and apply it to any user groups.
Script filtering

You can configure the FortiGate unit to remove Java applets, cookies, and ActiveX scripts from HTML web pages.

Note: Blocking any of these items might prevent some web pages from working properly.

• Enabling script filtering
• Selecting script filter options

Enabling script filtering
1 Go to Firewall > Content Profile.
2 Select the content profile for which you want to enable script filtering.
3 Select Script Filter.
4 Select OK.
Exempt URL list

Add URLs to the exempt URL list to allow legitimate traffic that might otherwise be blocked by content or URL blocking. For example, if content blocking is set to block pornography-related words and a reputable website runs a story on pornography, web pages from the reputable website are blocked. Adding the address of the reputable website to the exempt URL list allows the content of the website to bypass content blocking.
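The web filtering rules described in this chapter (banned words and word+word phrases, top-level-domain entries in the URL block list, regular-expression pattern blocking, and the exempt URL list that overrides the rest) combined into one decision function. This is an added example, not FortiGate code; the matching details named in the docstring as assumptions are not stated on the page.

```python
"""Web filter decision for one HTTP request: exempt list, URL block list,
Web Pattern Block and banned-word content blocking.

Added example, not FortiGate code. From the page: a banned list entry is a
single word or a phrase stored as word+word, and a phrase blocks a page that
contains every word; a URL block entry with no dot is a top-level domain
suffix (e.g. "com") that blocks every URL ending in it; pattern block entries
are regular expressions (e.g. badsite.*); exempt URLs bypass content and URL
blocking. Assumed here: word matching is case-insensitive on whole words, a
dotted URL block entry matches the host and its subdomains, and exempt
entries match hosts the same way.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class WebFilter:
    url_block: list = field(default_factory=list)      # hosts or TLD suffixes
    pattern_block: list = field(default_factory=list)  # regular expressions
    banned_words: list = field(default_factory=list)   # words or word+word
    exempt_urls: list = field(default_factory=list)    # hosts that bypass blocking

    @staticmethod
    def _host_matches(host: str, entry: str) -> bool:
        entry = entry.lower()
        return host == entry or host.endswith("." + entry)

    def decide(self, url: str, page_text: str) -> tuple:
        """Return (decision, reason) for a request and the page it fetched."""
        host = (urlsplit(url).hostname or "").lower()

        # The exempt list is checked first: it allows traffic that the
        # remaining lists would block.
        for entry in self.exempt_urls:
            if self._host_matches(host, entry):
                return ("allow", f"exempt: {entry}")

        for entry in self.url_block:
            if "." not in entry:
                # Top-level domain suffix, typed without the leading period.
                if host.endswith("." + entry.lower()):
                    return ("block", f"url suffix: {entry}")
            elif self._host_matches(host, entry):
                return ("block", f"url: {entry}")

        for pattern in self.pattern_block:
            if re.search(pattern, url):
                return ("block", f"pattern: {pattern}")

        words = set(re.findall(r"\w+", page_text.lower()))
        for entry in self.banned_words:
            # '+' in a stored entry stands for the space typed in a phrase;
            # every word of the phrase must appear somewhere on the page.
            needed = entry.lower().split("+")
            if all(w in words for w in needed):
                return ("block", f"banned word: {entry}")

        return ("allow", "no match")


# Constructed configuration for the demo; the entries are not from the page.
DEMO_FILTER = WebFilter(
    url_block=["example.net", "biz"],
    pattern_block=["badsite.*"],
    banned_words=["gambling", "free+money"],
    exempt_urls=["news.example.com"],
)

if __name__ == "__main__":
    print(DEMO_FILTER.decide("http://news.example.com/story", "free money gambling"))
    print(DEMO_FILTER.decide("http://www.example.org/", "We offer Free MONEY to all"))
```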
Figure 75: Example URL Exempt list

Downloading the URL Exempt List

You can back up the URL Exempt List by downloading it to a text file on the management computer.
1 Go to Web Filter > URL Exempt.
2 Select Download URL Exempt List. The FortiGate unit downloads the list to a text file on the management computer. You can specify a location to which to download the text file as well as a name for the text file.
3 Select Upload URL Exempt List.
4 Type the path and filename of your URL Exempt List text file, or select Browse and locate the file.
5 Select OK to upload the file to the FortiGate unit.
6 Select Return to display the updated URL Exempt List.
7 You can continue to maintain the URL Exempt List by making changes to the text file and uploading it again as necessary.
Email filter

Email filtering is enabled in firewall policies. When you enable Anti-Virus & Web filter in a firewall policy, you select a content profile that controls how email filtering behaves for email (IMAP and POP3) traffic.
Email banned word list

When the FortiGate unit detects an email that contains a word or phrase in the banned word list, the FortiGate unit adds a tag to the subject line of the email and writes a message to the event log. Receivers can then use their mail client software to filter messages based on the subject tag. You can add banned words to the list in many languages using Western, Simplified Chinese, Traditional Chinese, Japanese, or Korean character sets.
Downloading the email banned word list

You can back up the banned word list by downloading it to a text file on the management computer.

To download the banned word list
1 Go to Email Filter > Content Block.
2 Select Download. The FortiGate unit downloads the banned word list to a text file on the management computer. You can specify a location to which to download the text file as well as a name for the text file.
Email block list

You can configure the FortiGate unit to tag all IMAP and POP3 protocol traffic sent from unwanted email addresses. When the FortiGate unit detects an email sent from an unwanted address pattern, the FortiGate unit adds a tag to the subject line of the email and writes a message to the email filter log. Receivers can then use their mail client software to filter messages based on the subject tag.
Uploading an email block list
You can create an email block list in a text editor and then upload the text file to the FortiGate unit. Add one pattern to each line of the text file. You can follow the pattern with a space and then a 1 to enable or a zero (0) to disable the pattern. If you do not add a number after a pattern, the FortiGate unit enables that pattern when you upload the text file: patterns followed by a 1 or by no number are enabled, and patterns followed by a 0 are disabled.
Adding address patterns to the email exempt list
To add an address pattern to the email exempt list
1 Go to Email Filter > Exempt List.
2 Select New.
3 Type the address pattern that you want to exempt.
• To exempt email sent from a specific email address, type the email address. For example, sender@abccompany.com.
• To exempt email sent from a specific domain, type the domain name. For example, abccompany.com.
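The block list upload format (one pattern per line, optional 1/0 flag) and the two kinds of address pattern (a full address or a bare domain) described above are small enough to check before a file is uploaded. The following is an added example, not Fortinet code or the FortiGate's own matching logic: it parses a list file in that format, rejects malformed flag values instead of guessing, and reports which enabled pattern a sender address matches. The sample list is constructed; lowercase comparison and exact-domain matching (a pattern for abccompany.com does not match mail.abccompany.com) are assumptions, as is the subject tag text.

```python
"""Parse a FortiGate-style email block/exempt list file and match sender addresses.

Added example (not Fortinet code). Assumptions: comparisons are
case-insensitive and a bare-domain pattern matches only that exact domain.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the documented upload format: one pattern per line,
# optionally followed by a space and 1 (enable) or 0 (disable); no number = enabled.
SAMPLE_LIST = """\
spammer@example.com 1
bulkmail.example
old-sender@example.org 0
promo@example.net
"""


@dataclass
class AddressPattern:
    pattern: str    # full address or bare domain, stored lowercase
    enabled: bool


def parse_pattern_list(text: str) -> List[AddressPattern]:
    """Parse the one-pattern-per-line format.

    Anything other than '<pattern>' or '<pattern> 0|1' raises, so a typo in the
    file cannot silently enable or disable a pattern when it is uploaded.
    """
    patterns: List[AddressPattern] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) == 1:
            enabled = True
        elif len(parts) == 2 and parts[1] in ("0", "1"):
            enabled = parts[1] == "1"
        else:
            raise ValueError(f"line {lineno}: expected '<pattern>' or '<pattern> 0|1', got {raw!r}")
        patterns.append(AddressPattern(parts[0].lower(), enabled))
    return patterns


def matching_pattern(sender: str, patterns: List[AddressPattern]) -> Optional[AddressPattern]:
    """Return the first enabled pattern that matches the sender, or None.

    A pattern containing '@' must equal the whole address; a pattern without
    '@' must equal the sender's domain (assumption: no subdomain matching).
    """
    sender = sender.strip().lower()
    if "@" not in sender:
        return None
    domain = sender.rsplit("@", 1)[1]
    for p in patterns:
        if not p.enabled:
            continue
        if "@" in p.pattern:
            if p.pattern == sender:
                return p
        elif p.pattern == domain:
            return p
    return None


def tag_subject(subject: str, tag: str) -> str:
    """Prefix the subject with the tag unless it is already tagged (tag text is an assumption)."""
    return subject if subject.startswith(tag) else f"{tag} {subject}"


if __name__ == "__main__":
    patterns = parse_pattern_list(SAMPLE_LIST)
    for sender in ("Spammer@Example.com", "news@bulkmail.example", "old-sender@example.org"):
        hit = matching_pattern(sender, patterns)
        print(sender, "->", hit.pattern if hit else "no match")
```

Running the parser over a list before uploading it catches the case the manual warns about: a pattern followed by something other than 0 or 1 is rejected rather than being treated as enabled by default.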
Logging and reporting
You can configure the FortiGate unit to log network activity from routine configuration changes and traffic sessions to emergency events. You can also configure the FortiGate unit to send alert email messages to inform system administrators about events such as network attacks, virus incidents, and firewall and VPN events.
Recording logs on a remote computer
You can configure the FortiGate unit to record log messages on a remote computer. The remote computer must be configured with a syslog server.
To record logs on a remote computer
1 Go to Log&Report > Log Setting.
2 Select the Log to Remote Host check box to send the logs to a syslog server.
3 Type the IP address of the remote computer running syslog server software.
4 Type the port number of the syslog server.
5 Select Config Policy. To configure the FortiGate unit to filter the types of logs and events to record, use the procedures in “Filtering log messages” on page 313 and “Configuring traffic logging” on page 314.
6 Select OK.
7 Select Apply.
Recording logs on the FortiGate hard disk
You can record log files on the FortiGate hard disk if a hard disk is installed on your FortiGate unit.
To record logs on the FortiGate hard disk
1 Go to Log&Report > Log Setting.
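The remote-logging procedure above ends at the FortiGate side; the remote computer still needs a syslog server listening on the IP address and port you typed, and a quick way to confirm messages are arriving. The following is an added example, not Fortinet code: a minimal UDP syslog receiver that parses the RFC 3164 <PRI> prefix into facility and severity, flags datagrams with a missing or out-of-range PRI instead of dropping them, and filters by severity. The datagrams it sends itself on loopback are constructed samples, not FortiGate log lines, and the assumption that the unit sends one <PRI>-prefixed message per UDP datagram is the example's, not the manual's.

```python
"""Minimal UDP syslog receiver and parser for checking a Log to Remote Host setup.

Added example (not Fortinet code). Assumptions: one message per UDP datagram
with an RFC 3164-style <PRI> prefix; the sample datagrams are constructed.
"""
import socket
from typing import Dict, List, Optional

# RFC 3164 severity codes 0..7, most severe first
SEVERITIES = ["emergency", "alert", "critical", "error", "warning",
              "notice", "informational", "debug"]

# Constructed sample datagrams (not FortiGate output)
SAMPLE_DATAGRAMS = [
    b"<134>constructed sample: traffic log line",  # facility 16 (local0), informational
    b"<13>constructed sample: event notice",       # facility 1 (user), notice
    b"missing PRI header",                          # malformed on purpose
]


def parse_syslog_datagram(data: bytes) -> Dict[str, object]:
    """Split a datagram into facility, severity and message body.

    A missing or out-of-range PRI is flagged rather than discarded, so a
    misconfigured sender stays visible to the operator instead of vanishing.
    """
    text = data.decode("utf-8", errors="replace")
    pri: Optional[int] = None
    body = text
    if text.startswith("<"):
        end = text.find(">")
        if 1 < end <= 4 and text[1:end].isdigit():
            pri = int(text[1:end])
            body = text[end + 1:]
    if pri is None or pri > 191:  # 24 facilities * 8 severities - 1
        return {"valid_pri": False, "facility": None, "severity": None, "message": text}
    return {"valid_pri": True, "facility": pri // 8,
            "severity": SEVERITIES[pri % 8], "message": body}


def select_at_least(records: List[Dict[str, object]], threshold: str) -> List[Dict[str, object]]:
    """Keep records at least as severe as `threshold`; records with an invalid PRI are kept too."""
    limit = SEVERITIES.index(threshold)
    return [r for r in records
            if not r["valid_pri"] or SEVERITIES.index(r["severity"]) <= limit]


def collect(sock: socket.socket, count: int, timeout: float = 2.0) -> List[Dict[str, object]]:
    """Read up to `count` datagrams from an already bound UDP socket."""
    sock.settimeout(timeout)
    records: List[Dict[str, object]] = []
    while len(records) < count:
        try:
            data, peer = sock.recvfrom(65535)
        except socket.timeout:
            break
        record = parse_syslog_datagram(data)
        record["source"] = peer[0]  # UDP carries no sender authentication; keep the address for filtering
        records.append(record)
    return records


if __name__ == "__main__":
    # Loopback self-test: bind a receiver, send the constructed datagrams to it, print what arrives.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        rx.bind(("127.0.0.1", 0))  # port 0 lets the OS choose; a real receiver binds the port configured on the unit
        port = rx.getsockname()[1]
        for datagram in SAMPLE_DATAGRAMS:
            tx.sendto(datagram, ("127.0.0.1", port))
        for rec in collect(rx, len(SAMPLE_DATAGRAMS)):
            print(rec)
```

Because syslog over UDP carries no authentication, a receiver like this should be bound only on the interface that faces the FortiGate unit and should check the recorded source address against the unit's IP before trusting a message.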
Recording logs in system memory
If your FortiGate unit does not contain a hard disk, you can configure the FortiGate unit to reserve some system memory for storing current event, attack, antivirus, web filter, and email filter log messages. Logging to memory allows quick access to only the most recent log entries. The FortiGate unit can store a limited number of messages in system memory.
Filtering log messages
You can configure the logs that you want to record and the message categories that you want to record in each log.
To filter log entries
1 Go to Log&Report > Log Setting.
2 Select Config Policy for the log location that you selected in “Recording logs” on page 309.
3 Select the log types that you want the FortiGate unit to record.
Traffic Log    Record all connections to and through the interface.
Figure 79: Example log filter configuration
Configuring traffic logging
You can configure the FortiGate unit to record traffic log messages for connections to:
• An interface
• A VLAN subinterface
• A firewall policy
The FortiGate unit can filter traffic logs for a source and destination address and service. You can also enable the following global settings:
• resolve IP addresses to host names,
• display the port number or service.
Enabling traffic logging
You can enable logging on any interface, VLAN subinterface, and firewall policy.
Enabling traffic logging for an interface
If you enable traffic logging for an interface, all connections to and through the interface are recorded in the traffic log.
To enable traffic logging for an interface
1 Go to System > Network > Interface.
2 Select Edit in the Modify column beside the interface for which you want to enable logging.
Configuring traffic filter settings
You can configure the information recorded in all traffic log messages.
To configure traffic filter settings
1 Go to Log&Report > Log Setting > Traffic Filter.
2 Select the settings that you want to apply to all traffic log messages.
Resolve IP    Select Resolve IP if you want traffic log messages to list the IP address and domain name stored on the DNS server.
Destination IP Address, Destination Netmask    Type the destination IP address and netmask for which you want the FortiGate unit to log traffic messages. The address can be an individual computer, subnetwork, or network.
Service    Select the service group or individual service for which you want the FortiGate unit to log traffic messages.
4 Select OK.
4 To view a specific line in the log, type a line number in the Go to line field and select the button beside the field.
5 To navigate through the log message pages, select Go to next page or Go to previous page.
Searching logs
To search log messages saved in system memory
1 Go to Log&Report > Logging.
2 Select Event Log, Attack Log, Antivirus Log, Web Filter Log, or Email Filter Log.
Viewing logs
Log messages are listed with the most recent message at the top.
To view the active or saved logs
1 Go to Log&Report > Logging.
2 Select Traffic Log, Event Log, Attack Log, Antivirus Log, Web Filter Log, or Email Filter Log.
The web-based manager lists all saved logs of the selected type, with the active log at the top of the list.
Note: After you run a search, if you want to display all log messages again, run another search but leave all the search fields blank.
Downloading a log file to the management computer
You can download log files to the management computer as plain text files or comma-separated value (CSV) files. After downloading, you can view the text file with a text editor or the CSV file using a spreadsheet program.
Configuring alert email
You can configure the FortiGate unit to send alert email to up to three email addresses when there are virus incidents, block incidents, network intrusions, and other firewall or VPN events or violations. After you set up the email addresses, you can test the settings by sending test email.
Enabling alert email
You can configure the FortiGate unit to send alert email in response to virus incidents, intrusion attempts, and critical firewall or VPN events or violations. If you have configured logging to a local disk, you can enable sending an alert email when the hard disk is almost full.
To enable alert email
1 Go to Log&Report > Alert Mail > Categories.
2 Select Enable alert email for virus incidents.
Glossary
Connection: A link between machines, applications, processes, and so on that can be logical, physical, or both.
DMZ, Demilitarized Zone: Used to host Internet services without allowing unauthorized access to an internal (private) network. Typically, the DMZ contains servers accessible to Internet traffic, such as Web (HTTP) servers, FTP servers, SMTP (email) servers and DNS servers.
LAN, Local Area Network: A computer network that spans a relatively small area. Most LANs connect workstations and personal computers. Each computer on a LAN is able to access data and devices anywhere on the LAN. This means that many users can share data as well as physical resources such as printers.
MAC address, Media Access Control address: A hardware address that uniquely identifies each node of a network.
SSH, Secure shell: A secure Telnet replacement that you can use to log into another computer over a network and run commands. SSH provides strong secure authentication and secure communications over insecure channels.
Subnet: A portion of a network that shares a common address component. On TCP/IP networks, subnets are defined as all devices whose IP addresses have the same prefix. For example, all devices with IP addresses that start with 100.100.100. would be part of the same subnet.