INSTALL GUIDE FortiGate-3016B FortiOS 3.0 MR6
FortiGate-3016B Install Guide FortiOS 3.0 MR6 18 March 2008 01-30006-0458-20080318 © Copyright 2008 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.
Introduction
Welcome and thank you for selecting Fortinet products for your real-time network protection. The FortiGate Unified Threat Management System improves network security, reduces network misuse and abuse, and helps you use communications resources more efficiently without compromising the performance of your network. FortiGate Unified Threat Management Systems are ICSA-certified for firewall, IPSec, and antivirus services.
About the FortiGate-3016B
The FortiGate-3016B multi-threat security appliance is a carrier-class device with sixteen gigabit Ethernet interfaces and a full complement of network protection features. Each interface of the FortiGate-3016B provides wire-speed firewall performance using Fortinet's advanced FortiASIC network processor technology. Multiple FortiGate-3016B units can be deployed in redundant clusters to ensure failsafe operation.
Note: Highlights useful additional information.
Caution: Warns you about commands or procedures that could have unexpected or undesirable results, including loss of data or damage to equipment.
Typographic conventions
FortiGate documentation uses the following typographical conventions:
Convention: Keyboard input. Example: In the Gateway Name field, type a name for the remote VPN peer or client (for example, Central_Office_1).
• FortiGate Log Message Reference. Available exclusively from the Fortinet Knowledge Center, the FortiGate Log Message Reference describes the structure of FortiGate log messages and provides information about the log messages that are generated by FortiGate units.
• FortiGate High Availability User Guide. Contains in-depth information about the high availability feature and the clustering protocol.
Installing
This chapter describes installing your FortiGate unit in your server room, the environmental specifications, and how to mount the FortiGate unit in a rack, if applicable.
• Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
• Consult the dealer or an experienced radio/TV technician for help.
The equipment complies with the FCC radiation exposure limits set forth for an uncontrolled environment.
Cautions and warnings
Review the following cautions before installing your FortiGate unit.
When placing the FortiGate unit on any flat, stable surface, ensure the unit has at least 1.5 inches (3.75 cm) of clearance on each side to allow adequate airflow for cooling. For rack mounting, use the mounting brackets and screws included with the FortiGate unit.
Note: Fortinet recommends purchasing side rail mounts or similar rack mount aids separately to ensure the FortiGate unit is attached safely to the rack.
The following photos illustrate how the mounting brackets and FortiGate unit should be attached to the rack.
Figure 2: Mounting in a rack
Plugging in the FortiGate
The FortiGate unit does not have an on/off switch.
To power on the FortiGate unit
1 Connect the power cables to the power connections on the back of the FortiGate unit.
2 Connect the power cables to power outlets. Each power cable should be connected to a different power source.
Connecting to the network
Using the supplied Ethernet cable, connect one end of the cable to your router or modem, whichever provides the connection to the Internet. Connect the other end to the FortiGate unit, using either the External port, the WAN port, or port 1. Connect an additional cable from the Internal port, or port 2, to your internal hub or switch.
Configuring
This section provides an overview of the operating modes of the FortiGate unit, NAT/Route and Transparent, and how to configure the FortiGate unit for each mode. There are two ways you can configure the FortiGate unit: using the web-based manager or the command line interface (CLI). This section steps through both methods; use whichever you are most comfortable with.
This section includes the following topics:
• NAT vs. Transparent mode
Transparent mode
In Transparent mode, the FortiGate unit is invisible to the network. Similar to a network bridge, all FortiGate interfaces must be on the same subnet. You only have to configure a management IP address to make configuration changes. The management IP address is also used for antivirus and attack definition updates.
Figure 2: FortiGate unit in Transparent mode (diagram: management IP 10.10.10.1; gateway to the public network 204.23.1.2)
To support a secure HTTPS authentication method, the FortiGate unit ships with a self-signed security certificate, which is offered to remote clients whenever they initiate an HTTPS connection to the FortiGate unit. When you connect, the FortiGate unit displays two security warnings in the browser. The first warning prompts you to accept and optionally install the FortiGate unit’s self-signed security certificate.
Configuring NAT mode
Configuring NAT mode involves defining interface addresses, default routes, and simple firewall policies. You can use the web-based manager or the CLI to configure the FortiGate unit in NAT/Route mode.
Using the web-based manager
After connecting to the web-based manager, you can use the following procedures to complete the basic configuration of the FortiGate unit.
Initial PADT Timeout: Initial PPPoE Active Discovery Terminate (PADT) timeout in seconds. Use this timeout to shut down the PPPoE session if it is idle for this number of seconds. Your ISP must support PADT. To disable the PADT timeout, set the value to 0.
Distance: Enter the administrative distance, between 1 and 255, for the default gateway retrieved from the DHCP server.
For an initial configuration, you must edit the factory-configured static default route to specify a different default gateway for the FortiGate unit. This enables the flow of data through the FortiGate unit. For details on adding additional static routes, see the FortiGate Administration Guide.
To modify the default gateway
1 Go to Router > Static.
3 Set the following and select OK.
Source Interface: Select the port connected to the Internet.
Source Address: All
Destination Interface: Select the port connected to the network.
Destination Address: All
Schedule: always
Service: Any
Action: Accept
Firewall policy configuration is the same in NAT/Route mode and Transparent mode. Note that these policies allow all traffic through; no protection profiles have been applied.
To set an interface to use PPPoE addressing
config system interface
    edit external
        set mode pppoe
        set username <name_str>
        set password <passwd>
        set ipunnumbered <ip_address>
        set disc-retry-timeout <seconds>
        set padt-retry-timeout <seconds>
        set distance <distance>
        set defaultgw {enable | disable}
        set dns-server-override {enable | disable}
    end
The CLI lists the IP address, netmask, and other settings for each of the FortiGate interfaces.
For an initial configuration, you must edit the factory-configured static default route to specify a different default gateway for the FortiGate unit. This enables the flow of data through the FortiGate unit. For details on adding additional static routes, see the FortiGate Administration Guide.
Using the web-based manager
After connecting to the web-based manager, you can use the following procedures to complete the basic configuration of the FortiGate unit. Ensure you read the section “Connecting to the web-based manager” on page 18 before beginning.
Switching to Transparent mode
The FortiGate unit comes preset to NAT mode. You need to switch to Transparent mode.
To switch to Transparent mode
1 Go to System > Status.
To add an outgoing traffic firewall policy
1 Go to Firewall > Policy.
2 Select Create New.
3 Set the following and select OK.
Source Interface: Select the port connected to the network.
Source Address: All
Destination Interface: Select the port connected to the Internet.
Destination Address: All
Schedule: always
Service: Any
Action: Accept
To add an incoming traffic firewall policy
1 Go to Firewall > Policy.
2 Select Create New.
Configure a DNS server
A DNS server is a service that converts symbolic node names to IP addresses. A domain name server (DNS server) implements the protocol. In simple terms, it acts as a phone book for the Internet: a DNS server matches domain names with computer IP addresses. This enables you to use readable locations, such as fortinet.com, when browsing the Internet. DNS server IP addresses are typically provided by your Internet service provider.
Verify the configuration
Your FortiGate unit is now configured and connected to the network. To verify that the FortiGate unit is connected and configured correctly, use your web browser to browse a web site, or use your email client to send and receive email. If you cannot browse to the web site or retrieve or send email from your account, review the previous steps to ensure all information was entered correctly and try again. Remember to verify the firewall policies.
Restoring a configuration
Should you need to restore the configuration file, use the following steps.
To restore the FortiGate configuration
1 Go to System > Maintenance > Backup & Restore.
2 Select to upload the restore file from your PC or a USB key. The USB Disk option is grayed out if the FortiGate unit supports USB disks but none are connected.
3 Enter the path and file name of the configuration file, or select Browse to locate the file.
To change the administrator password
1 Go to System > Admin > Administrators.
2 Select Change Password and enter a new password.
3 Select OK.
Alternatively, you can also add new administrator users by selecting Create New; however, you cannot remove the admin administrator. Applying a password to this account is recommended.
Advanced configuration
The FortiGate unit and the FortiOS operating system provide a wide range of features that enable you to control network and Internet traffic and protect your network. This chapter describes some of these options and how to configure them.
Web: Apply virus scanning and web content blocking to HTTP traffic.
Unfiltered: Apply no scanning, blocking, or IPS. Use the Unfiltered content profile if no content protection for content traffic is required. Add this protection profile to firewall policies for connections between highly trusted or highly secure networks where content does not need to be protected.
The best way to begin creating your own protection profile is to open a predefined profile.
Configuring firewall policies
To add or edit a firewall policy, go to Firewall > Policy and select Edit on an existing policy, or select Create New to add a policy. The source and destination Interface/Zone match the firewall policy with the source and destination of a communication session. The Address Name matches the source and destination address of the communication session. Schedule defines when the firewall policy is enabled.
• Grayware: unsolicited commercial software programs that are installed on computers, often without the user's consent or knowledge. Grayware programs are generally considered an annoyance, but they can cause system performance problems or be used for malicious ends. The FortiGate unit scans for known grayware executable programs in each enabled category.
Banned word lists are lists of specific words that are typically found in spam email. The FortiGate unit searches for these words or patterns in email messages. If matches are found, the values assigned to the matching words are totalled. If the defined threshold value is exceeded, the message is marked as spam. If no match is found, the email message is passed along to the next filter. You configure banned words by going to Antispam > Banned Word.
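The scoring rule described above, as an added example that is not Fortinet's code and does not claim to reproduce how FortiOS implements it: each list entry carries a word or pattern and a score, the scores of all matching entries are totalled, and the message is marked as spam only when the total exceeds the threshold (a total equal to the threshold still passes to the next filter). The list, the scores and the sample messages are constructed for this example; the whole-word and wildcard matching rules are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class BannedWord:
    pattern: str         # the word or pattern to look for
    score: int           # value assigned to the word (assumed positive)
    regex: bool = False  # False: whole word, '*' wildcard; True: regular expression


def compile_entry(entry: BannedWord) -> "re.Pattern":
    """Turn a list entry into a case-insensitive compiled regex (assumed matching rule)."""
    if entry.regex:
        return re.compile(entry.pattern, re.IGNORECASE)
    # Plain words match as whole words; '*' stands for any run of word characters.
    escaped = re.escape(entry.pattern).replace(r"\*", r"\w*")
    return re.compile(r"\b" + escaped + r"\b", re.IGNORECASE)


def banned_word_score(message: str, banned_words: Iterable[BannedWord]) -> Tuple[int, List[str]]:
    """Total the scores of every entry that matches the message.

    Each entry is counted once no matter how often it occurs (an assumption of
    this example). Returns the total and the patterns that matched.
    """
    total = 0
    matched: List[str] = []
    for entry in banned_words:
        if compile_entry(entry).search(message):
            total += entry.score
            matched.append(entry.pattern)
    return total, matched


def classify(message: str, banned_words: Iterable[BannedWord], threshold: int) -> str:
    """'spam' when the total exceeds the threshold, otherwise 'pass' (next filter)."""
    total, _ = banned_word_score(message, banned_words)
    return "spam" if total > threshold else "pass"


# Constructed sample list and threshold, not taken from any real deployment.
SAMPLE_LIST = [
    BannedWord("free", 5),
    BannedWord("click here", 10),
    BannedWord("v*agra", 20),                                  # wildcard catches obfuscated spellings
    BannedWord(r"\$\d{3,}\s*(usd|dollars)", 15, regex=True),  # "$5000 USD" style bait
]
THRESHOLD = 15

if __name__ == "__main__":
    for text in ("Get your FREE prize, click here now",        # 15: equals threshold, passes
                 "Cheap V1agra, click here",                   # 30: spam
                 "Meeting moved to 3pm, free room on floor 2"):  # 5: passes
        total, hits = banned_word_score(text, SAMPLE_LIST)
        print(f"{classify(text, SAMPLE_LIST, THRESHOLD):4} score={total:3} hits={hits}  {text!r}")
```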
To configure content blocking, go to Web Filter > Content Block.
URL filtering enables you to control additional web sites that you can block or allow, giving you greater control over specific URLs or sub-URLs. The FortiGate unit allows or blocks web pages matching any specified URLs or patterns and displays a replacement message instead of a blocked page. To configure URL filters, go to Web Filter > URL Filter.
AMC modules
FortiGate AMC modules enable you to expand your FortiGate unit and network environment. These modules enable you to provide small packet performance through optical or copper transceivers. A hard disk module enables you to quarantine files and store log information. Modules are available in single-width and double-width components. Depending on your FortiGate unit, you can use one or more of these module types.
Note: The FortiGate-3810A supports only one FortiGate-ASM-S08 hard disk module.
Note: AMC modules are not hot swappable. Always ensure you properly shut down the FortiGate unit before installing or removing a module.
To insert a module into a FortiGate chassis
1 Ensure the FortiGate unit is powered off before proceeding.
2 Remove the panel block on the FortiGate unit using the hot swap latch.
3 Pull the latch on the module to the extended position.
Formatting the hard disk
When you first install the ASM-S08 in the FortiGate unit, the hard disk may not be formatted. This results in an error in the console when starting up the FortiGate unit, indicating that the hard drive could not be mounted. If you see this message, or cannot access the hard disk using the web-based manager, you need to format the hard disk using the CLI.
Upload rolled files in gzipped format: Select to compress the log files before uploading.
Delete files after uploading: Select to remove the log files once the FTP upload has completed.
Log configuration using the CLI
Configure the FortiGate unit to log to the ASM-S08 using the CLI command config log disk setting and enable disk logging there. For details on log configuration, see the FortiGate CLI Reference.
For these multi-mode SFP interfaces, SerDes is the default mode. You can use a CLI command to change the interface to operate in SGMII mode. Depending on the type of transceivers you install, you need to configure the FortiGate unit or module for the transceiver using the CLI. Use the mediatype keyword of the config system interface CLI command to change the interfaces to either SerDes or SGMII mode.
To change the media type for the proper transceiver, enter the following CLI command:
config system interface
    edit <interface_name>
        set mediatype {serdes-sfp | sgmii-sfp}
    end
For example:
config system interface
    edit AMC-SW1/1
        set mediatype sgmii-sfp
        set speed auto
    next
    edit AMC-SW1/2
        set mediatype sgmii-sfp
        set speed auto
    end
Configure the speed
You must also ensure the speed for the interface is correct for the installed transceiver.
FortiGate Firmware
Fortinet periodically updates the FortiGate firmware to include new features and address issues. After you have registered your FortiGate unit, FortiGate firmware updates are available for download at the support web site, http://support.fortinet.com. You can also use the instructions in this chapter to downgrade, or revert, to a previous version.
To upgrade the firmware
1 Download the firmware image file to your management computer.
2 Log into the web-based manager as the admin administrative user.
3 Go to System > Status.
4 Under System Information > Firmware Version, select Update.
5 Type the path and filename of the firmware image file, or select Browse and locate the file.
6 Select OK.
Backup and Restore from a USB key
Use a USB key to either back up a configuration file or restore a configuration file. Always make sure a USB key is properly installed before proceeding, since the FortiGate unit must recognize that the key is installed in its USB port.
Note: You can only save VPN certificates if you encrypt the file. Make sure configuration encryption is enabled so you can save the VPN certificates with the configuration file.
Using the CLI
Installing firmware replaces your current antivirus and attack definitions with the definitions included with the firmware release you are installing. After you install new firmware, make sure that antivirus and attack definitions are up to date. You can also use the CLI command execute update-now to update the antivirus and attack definitions. For details, see the FortiGate Administration Guide.
Reverting to a previous version
This procedure reverts the FortiGate unit to its factory default configuration and deletes IPS custom signatures, web content lists, email filtering lists, and changes to replacement messages.
The FortiGate unit uploads the firmware image file. After the file uploads, a message similar to the following appears:
Get image from tftp server OK.
Check image OK.
This operation will downgrade the current firmware version!
Do you want to continue? (y/n)
7 Type y.
The FortiGate unit reverts to the old firmware version, resets the configuration to factory defaults, and restarts. This process takes a few minutes.
5 To confirm the FortiGate unit can connect to the TFTP server, use the following command to ping the computer running the TFTP server. For example, if the IP address of the TFTP server is 192.168.1.168:
execute ping 192.168.1.168
6 Enter the following command to restart the FortiGate unit.
12 Type D.
The FortiGate unit installs the new firmware image and restarts. The installation might take a few minutes to complete.
Restoring the previous configuration
Change the internal interface address, if required.
Note: You need an unencrypted configuration file for this feature. Also, the default files, image.out and system.conf, must be in the root directory of the USB key.
Note: Make sure at least FortiOS v3.0MR1 is installed on the FortiGate unit before installing.
To configure the USB Auto-Install using the CLI
1 Log into the CLI.
To test the new firmware image
1 Connect to the CLI using an RJ-45 to DB-9 or null modem cable.
2 Make sure the TFTP server is running.
3 Copy the new firmware image file to the root directory of the TFTP server.
4 Make sure the internal interface is connected to the same network as the TFTP server. You can use the following command to ping the computer running the TFTP server. For example, if the TFTP server’s IP address is 192.168.1.
11 Enter the firmware image file name and press Enter. The TFTP server uploads the firmware image file to the FortiGate unit and the following appears:
Save as Default firmware/Backup firmware/Run image without saving: [D/B/R]
12 Type R.
The FortiGate image is installed to system memory and the FortiGate unit starts running the new firmware image, but with its current configuration. You can test the new firmware image as required.