FortiGate™ Version 4.0 Administration Guide

Visit http://support.fortinet.com to register your FortiGate product. By registering you can receive product updates, technical support, and FortiGuard services.
FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager, Fortinet®, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Fortinet documentation 26
Tools and Documentation CD 26
Fortinet Knowledge Center 26
Comments on Fortinet technical documentation 26
What's new in FortiOS 4.0 27
FortiOS 4.0 FortiGate models and features supported 28
UTM features grouped under new UTM menu 29
Data Leak Prevention
Connecting to the FortiGate CLI from the web-based manager 47
Button bar features 47
Contacting Customer Support 48
Backing up your FortiGate configuration 48
Using FortiGate Online Help 49
Searching the online help 50

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/
Reverting to a previous firmware image 98
Downgrading to a previous firmware through the web-based manager 98
Verifying the downgrade 99
Downgrading to a previous firmware through the CLI 99
Configuring modem settings 140
Redundant mode configuration 142
Standalone mode configuration 143
Adding firewall policies for modem connections 144
Connecting and disconnecting the modem 144
Checking modem status 144
Configuring DHCP services 172
Configuring an interface as a DHCP relay agent 173
Configuring a DHCP server 173
Viewing address leases 175
Reserving IP addresses for specific clients 175
Configuring service groups 359
Firewall Schedule 361
Viewing the recurring schedule list 361
Configuring recurring schedules 362
Viewing the one-time schedule list 362
Configuring one-time schedules 363
Firewall Protection Profile 397
What is a protection profile? 397
Adding a protection profile to a firewall policy 398
Default protection profiles 398
Viewing the protection profile list 399
Built-in patterns and supported file types 443
Viewing the file filter list catalog 444
Creating a new file filter list 444
Viewing the file filter list 445
Configuring the file filter list 445
Configuring DoS sensors 470
Understanding the anomalies 472
Intrusion protection CLI configuration 472
Web Filter 475
Order of web filtering 475
How web filtering works 475
Web filter controls 476
Viewing the antispam email address list catalog 503
Creating a new antispam email address list 504
Viewing the antispam email address list 504
Configuring the antispam email address list 505
Directory Service user groups 585
SSL VPN user groups 585
Viewing the User group list 586
Configuring a user group 586
Configuring FortiGuard Web filtering override options 589
Example configuration: SSL offloading for a WAN optimization tunnel 625
SSL offloading and reverse proxy web caching for an internet web server 627
Secure tunnelling 630
WAN optimization over IPSec VPN 630
Example configuration: logging all FortiGate traffic 658
Event log 659
Data Leak Prevention log 660
Application Control log 660
Antivirus log 660
Web filter log 661
Spam filter log 661
Attack log (IPS) 661
• Fortinet documentation

Fortinet products

Fortinet's portfolio of security gateways and complementary products offers a powerful blend of ASIC-accelerated performance, integrated multi-threat protection, and constantly updated, in-depth threat intelligence. This unique combination delivers network, content, and application security for enterprises of all sizes, managed service providers, and telecommunications carriers, while providing a flexible, scalable path for expansion.
The most recent version of this document is available from the FortiGate page of the Fortinet Technical Documentation web site. The information in this document is also available in a slightly different form as FortiGate web-based manager online help. You can also find more information about FortiOS from the same FortiGate page, as well...
FortiGate data leak prevention to prevent sensitive data from leaving your network.
• Application Control describes how to configure the application control options associated with firewall protection profiles.
Fortinet technical documentation uses the conventions described below.

IP addresses

To avoid publication of public IP addresses that belong to Fortinet or any other organization, the IP addresses used in Fortinet technical documentation are fictional and follow the documentation guidelines specific to Fortinet. The addresses used are from the private IP address ranges defined in RFC 1918: Address Allocation for Private Internets, available at http://ietf.org/rfc/rfc1918.txt?number-1918.
“Global configuration settings” on page 107.

Registering your Fortinet product

Before you begin, take a moment to register your Fortinet product at the Fortinet Technical Support web site, https://support.fortinet.com. Many Fortinet customer services, such as firmware updates, technical support, and FortiGuard Antivirus and other FortiGuard services, require product registration.
FAQs, technical notes, a glossary, and more. Visit the Fortinet Knowledge Center at http://kc.fortinet.com.

Comments on Fortinet technical documentation

Please send information about any errors or omissions in this or any Fortinet technical document to techdoc@fortinet.com.
Auto-bypass and recovery for AMC bridge module
• Rogue Wireless Access Point detection
• Configurable VDOM and global resource limits
• User authentication monitor
• OCSP and SCEP certificate over HTTPS
WAN Optimization data to an external iSCSI storage device. You do not need to install an ASM module in the single-width AMC slot to configure and use iSCSI.
(DLP), and content archiving to HTTPS, IMAPS, POP3S, and SMTPS traffic. The following FortiGate models support SSL content scanning and inspection:
• 110C
• 111C
• 310B
• 602B
• 3016B
For information about NAC quarantine, see “NAC quarantine and the Banned User list” on page 595.
(attacker) or both the source and destination address of the attack (both).

    config ips DoS
        edit new_DoS-sensor
            config anomaly
                edit "tcp_dst_session"
                    set status enable
                    set quarantine {attacker | both | none}
                    set quarantine-expiry 600
                    set threshold 5000
                next
            end
        next
    end
Figure 1: One-arm IDS topology (Internet, SPAN port on a hub or switch, internal network)

To enable sniffer mode on a FortiGate unit port5 interface, enter the following CLI commands:

    config system interface
        edit port5
When these WCCP-enabled firewall policies accept traffic, the traffic is redirected to a cache server. The FortiGate unit uses the information in the WCCP database to determine the cache server to redirect the traffic to.
2 Add a firewall policy to enable WCCP for traffic accepted by the firewall policy.

    config firewall policy
        edit <policy_id>
            (configure the firewall policy)
            set wccp {enable | disable}
Optionally, you can permit different schedules or services and apply different protection profiles to different user groups. For more information, see “Identity-based firewall policy options (non-SSL-VPN)” on page 328.
A new monitor page (go to Firewall > Load Balance > Monitor) shows the status of each virtual server and real server. For more information, see “Monitoring the servers” on page 395.
CLI-only options that are not displayed by default. The customized GUI layouts are stored as part of the administrator admin profile. For more information, see “Customizable web-based manager” on page 231.
Also, you can set global resource limits to control the impact of various features on system performance. For more information, see “Configuring global and VDOM resource limits” on page 116.
8008 and use telnet on port 4523, you could use the following commands to add HTTP authentication on ports 8080 and 8008 and Telnet authentication on port 4523:

    config user setting
        config auth-ports
            edit 1
                set port 8080
4 Configure an ACCEPT firewall policy with the virtual IPSec interface as source and the local private network as destination.

SNMP upgraded to v3.0

SNMP v3.0 provides up-to-date information and status reporting about the hardware running on your network.
You can now block or provide client comforting for HTTP-POST activity by selecting the HTTP POST Action in a protection profile. For more information, see “Web Filtering options” on page 411.
Web filtering HTTP POST traffic (blocking or comforting HTTP POST traffic)

What's new in FortiOS 4.0
FortiGate interface. To connect to the web-based manager you require a FortiGate administrator account and password. The web-based manager supports multiple languages, but by default appears in English on first use.

Figure 3: Example FortiGate-3810A web-based manager dashboard (default configuration)
Changing administrative access to your FortiGate unit
• Changing the web-based manager idle timeout
• Connecting to the FortiGate CLI from the web-based manager

Connecting to the web-based manager

To connect to the web-based manager, you require:
FortiGate and changing configuration options. For improved security you should regularly change the admin administrator account password and the passwords for any other administrator accounts that you add. Note: See the Fortinet Knowledge Center article Recovering lost administrator account passwords if you forget or lose an administrator account password and cannot log into your FortiGate unit.
HTTPS administrative access to the web-based manager (recommended)
• enabling or disabling HTTP administrative access to the web-based manager (not recommended)
• enabling or disabling secure SSH administrative access to the CLI (recommended)
Selecting the CLI console logs you into the CLI. For more information, see “CLI Console” on page .

Button bar features

The button bar in the upper right corner of the web-based manager provides access to several important FortiGate features.
Fortinet Training and Certification
• visit the FortiGuard Center.

You must register your Fortinet product to receive product updates, technical support, and FortiGuard services. To register a Fortinet product, go to Product Registration and follow the instructions.
Email: Send an email to Fortinet Technical Documentation at techdoc@fortinet.com if you have comments on or corrections for the online help or any other Fortinet technical documentation product.
Print: Print the current online help page.
Help pages with the search words in the help page title are ranked highest.
Alt+7: Send an email to Fortinet Technical Documentation at techdoc@fortinet.com if you have comments on or corrections for the online help or any other Fortinet technical documentation product.
Alt+8: Print the current online help page.
Alt+9: Add an entry for this online help page to your browser bookmarks or favorites list, to make it easier to find useful online help pages.
Configure firewall policies and protection profiles that apply network protection features. Also configure virtual IP addresses and IP pools.
Configure antivirus and antispam protection, web filtering, intrusion protection, data leak prevention, and application control.
Adding filters to web-based manager lists

You can add filters to control the information that is displayed by the following complex lists:
• Session list (see “Viewing the session list” on page
On firewall policy, IPv6 policy, predefined signature, and log and report log access lists, you can combine filters with column settings to provide even more control of the information displayed by the list. See “Using filters with column settings” on page 59 for more information.
< unless the < is followed by a space (for example, filtering ignores <string but not < string). Filtering also ignores matched opening and closing < and > characters and any characters inside them (for example, filtering ignores <string> but does not ignore >string>).
Other custom filters are also available. You can filter log messages according to date range and time range. You can also set the level filter to display log messages with multiple severity levels.
Current Page: Enter a page number to display that page.
First Page: Display the first page of items in the list.
Previous Page: Display the previous page of items in the list.
Move Down to change the order in which to display the columns. For example, you can change interface list column headings to display only the IP/Netmask, MAC address, MTU, and interface Type for each interface.
In the pre-defined signatures list you can also sort the list by different columns; you might want to sort the list by application so that all signatures for each application are grouped together.
Enter a VDOM: Enter a virtual domain and use the web-based manager to configure settings for the virtual domain.
Expand Arrow (closed): Expand this section to reveal more fields. This icon is used in some dialog boxes and lists.
Edit icon when you have read-only access to a web-based manager list.
View details: View detailed information about an item. For example, you can use this icon to view details about certificates.
“Admin profiles” on page 222.

Viewing system status

The System Status page displays by default when you log in to the web-based manager. Go to System > Status to view the System Status page.
Select to change settings for the display.
Refresh: Select to update the displayed information.
Close: Select to close the display. You will be prompted to confirm the action.

The available dashboard widgets are:
The name of the HA cluster for this FortiGate unit. For more information, see “HA” on page 177. The FortiGate unit must be operating in HA mode to display this field.
FDN, and orange if the FDN is reachable but the license has expired. Selecting any of the Configure options will take you to the Maintenance page. For more information, see “System Maintenance” on page 253.
The maximum number of virtual domains the unit supports with the current license. For high-end FortiGate, you can select the Purchase More link to purchase a license key through Fortinet technical support to increase the maximum number of VDOMs. See “Adding VDOM Licenses” on page 276.
For more information on Event Logging, see “Event log” on page 659.

Figure 26: Unit Operation (FortiGate-800)
Figure 27: Unit Operation (FortiGate 30B with FGAMS)
Figure 28: Unit Operation (FortiGate 3810A)
Shutdown: Select to shut down the FortiGate unit. You will be prompted for confirmation, and also prompted to enter a reason for the shutdown that will be entered into the logs.
Alert messages help you track system events on your FortiGate unit such as firmware changes, network security events, or virus detection events. Each message shows the date and time that the event occurred.
Various configuration settings are required to actually collect data for the statistics widget. See the descriptions of content archive and attack log for details. For detailed procedures involving the Statistics list, see “Viewing Statistics” on page
Reset the Content Archive and Attack Log statistic counts to zero.
Sessions: The number of communications sessions being handled by the FortiGate unit. Select Details for detailed information. See “Viewing the session list” on page
(CTRL-C) and paste (CTRL-V) text from or to the CLI Console.

Figure 33: CLI Console

Customize: The two controls located on the CLI Console widget's title bar are Customize and Detach.
FortiGate unit performance. For this reason, when this display is not shown on the dashboard, it is not collecting data and not impacting system performance. When the display is shown, information is only stored in memory.
Selecting edit for Top Sessions allows changes to the:
• refresh interval
• sort criteria to change between source and destination addresses of the sessions
• number of top sessions to show
The system stores up to 1024 entries, but only displays up to 20 in the GUI. Selecting the edit icon for Top Viruses allows changes to the:
• refresh interval
The traffic entering the FortiGate unit on this interface is indicated with a thin red line.
Traffic Out: The traffic leaving the FortiGate unit on this interface is indicated with a dark green line, filled in with light green.
The default host name is the FortiGate unit serial number. For example, FGT8002805030003 would be a FortiGate-800 unit. Administrators whose admin profiles permit system configuration write access can change the FortiGate unit host name.
Note: To access firmware updates for your FortiGate model, you will need to register your FortiGate unit with Customer Support. For more information go to http://support.fortinet.com or contact Customer Support. For more information about using the USB disk, and the FortiGuard Network see “System...
To upgrade the firmware using the web-based manager 1 Copy the new firmware image file to your management computer. The firmware images for FortiGate units are available at the Fortinet Technical Support web site. Log in to the site and go to Firmware Images > FortiGate.
To revert to a previous firmware version using the web-based manager 1 Copy the firmware image file to your management computer. The firmware images for FortiGate units are available at the Fortinet Technical Support web site. Log in to the site and go to Firmware Images > FortiGate.
To update FortiGuard antivirus definitions, IPS definitions, or antispam rule set manually 1 Download the latest update file from Fortinet support site and copy it to the computer that you use to connect to the web-based manager. 2 Start the web-based manager and go to System > Status.
The source IP address of the connection.
Source Port: The source port of the connection.
Destination Address: The destination IP address of the connection.
Destination Port: The destination port of the connection.
2 In the Content Archive section, select Details for Email.

Date and Time: The time that the email passed through the FortiGate unit.
From: The sender's email address.
To: The recipient's email address.
Subject: The subject line of the email.
You can select Reset on the header of the Statistics section to clear the content archive and attack log information and reset the counts to zero.

Viewing viruses caught

1 Go to System > Status.
2 In the Attack Log section, select Details for AV.
The host that attempted to view the URL.
URL Blocked: The URL that was blocked.
From: The sender's email address or IP address.
To: The intended recipient's email address or IP address.
The FortiGate unit object shows the link status of the unit's interfaces. Green indicates the interface is up. Gray indicates the interface is down. Select the interface to view its IP address and netmask, if assigned.
Objects within the rectangle are selected when you release the mouse button.
Exit: Select to finish editing the diagram. Save changes first. The toolbar contracts to show only the Refresh and Zoom controls.
(-) and the IP range end address.
FQDN: If Type is FQDN, enter the fully qualified domain name.
Connect to interface: Select the interface or zone to associate with this address.
Line Color: Select the color of connecting lines between subnet objects and interfaces.
Line Width: Select the thickness of connecting lines.
Reset to Default: Reset all topology diagram settings to default.
In addition to firmware images, Fortinet releases patch releases—maintenance release builds that resolve important issues. Fortinet strongly recommends reviewing the release notes for the patch release before upgrading the firmware. Follow the steps below: •...
Analysis and Management server if you have FortiGuard Analysis and Management Service enabled. Fortinet recommends backing up all configuration settings from your FortiGate unit before upgrading to FortiOS 4.0. This ensures all configuration settings are still available if you require downgrading to FortiOS 3.0 MR7 and want to restore those configuration settings.
Encrypt configuration file check box, enter a password, and then enter it again to confirm.
3 Select Backup.

After successfully backing up your configuration file, either from the CLI or the web-based manager, proceed with upgrading to FortiOS 4.0.
7 Type G to get the new firmware image from the TFTP server. The following message appears:

    Enter TFTP server address [192.168.1.168]:

8 Type the address of the TFTP server and press Enter. The following message appears:

    Enter Local Address [192.168.1.188]:
The following procedure describes how to upgrade to FortiOS 4.0 in the web-based manager. Fortinet recommends using the CLI to upgrade to FortiOS 4.0. The CLI upgrade procedure reverts all current firewall configurations to factory default settings.
The following procedure uses a TFTP server to upgrade the firmware. The CLI upgrade procedure reverts all current firewall configurations to factory default settings. See the Fortinet Knowledge Center article, Loading FortiGate firmware using TFTP for procedure, for additional information about upgrading firmware in the CLI.
FortiOS 4.0. You can verify your configuration settings by:
• going through each menu and tab in the web-based manager
• using the show shell command in the CLI.
FortiGate login. This process takes a few minutes.
6 Log in to the web-based manager. Go to System > Status to verify that the firmware version under System Information has changed to the correct firmware.
IP address of the TFTP server is 192.168.1.168, enter:

    execute restore image tftp image.out 192.168.1.168

The FortiGate unit responds with the message:

    This operation will replace the current firmware version!
    Do you want to continue? (y/n)
8 Reconnect to the CLI.
9 Enter the following command to confirm the firmware image installed successfully:

    get system status

“Restoring your configuration” on page 101 to restore your previous configuration settings.
4 Enter the following command to ping the computer running the TFTP server:

    execute ping <server_ipaddress>

Pinging the computer running the TFTP server verifies that the FortiGate unit and TFTP server are successfully connected.
    Getting file confall from tftp server 192.168.1.168
    Restoring files...
    All done. Rebooting...

This may take a few minutes. Use the CLI show shell command to verify your settings are restored, or log in to the web-based manager.
They can connect only to network resources that communicate with the management virtual domain. The management VDOM is set to root by default, but you can change it. For more information, see “Changing the management VDOM” on page 116.
VPN settings. You can also move physical interfaces from the root VDOM to other VDOMs and move VLAN subinterfaces from one VDOM to another. For more information on VLANs, see “VLAN overview” on page 150.
“File Filter” on page 443 Intrusion Protection “Intrusion Protection” on page 455 Web Filter “Web Filter” on page 475 AntiSpam “Antispam” on page 495 Data Leak Prevention “Data Leak Prevention” on page 511
(Send alert email for the following) Event Log “Event log” on page 659 Log access “Accessing Logs” on page 662 (Memory only) Content Archive “Content Archive” on page 667 Report Access “Reports” on page 673
The FortiGate unit logs you off. You can now log in again as admin. Alternatively, through the CLI, enter:
config system global
    set vdom-admin enable
end
When virtual domains are enabled, the web-based manager and the CLI are changed as follows:
High-end FortiGate models support the purchase of a VDOM license key from customer service to increase their maximum allowed VDOMs to 25, 50, 100, 250, or 500. Configuring 250 or more VDOMs will result in reduced system performance.
4 Under License Information > Virtual Domains, select Purchase More. 5 You will be taken to the Fortinet customer support web site where you can log in and purchase a license key for 25, 50, 100, 250, or 500 VDOMs.
When you log in as admin and virtual domains are enabled, the FortiGate unit is automatically in global configuration, as demonstrated by the appearance of the VDOM option under System. To work with virtual domains, select System > VDOM.
Change the description of the VDOM. The name of the VDOM cannot be changed. Enter icon Enter the selected VDOM. After entering a VDOM you will only be able to view and change settings specific to that VDOM.
Note: Inter-VDOM links cannot refer to a domain that is in transparent mode. Figure 48: VDOM link interfaces To create an inter-VDOM link 1 Log in as admin. 2 Go to System > Network > Interface.
VDOM if the interface is included in any of the following configurations: • DHCP server • zone • routing • firewall policy • IP pool • proxy arp (only accessible through the CLI).
108. 3 Go to System > Admin > Administrators. 4 Create a new administrator account or select the Edit icon of an existing administrator account. 5 Go to the Virtual Domain list.
If you are a super administrator, you can control resource allocation to each VDOM. This limits the impact of each VDOM on other VDOMs due to resource competition. Also, you can set global resource limits to control the impact of various features on system performance.
VDOMs. Guaranteed Enter the minimum amount of the resource available to this VDOM regardless of usage by other VDOMs. Current The amount of the resource that this VDOM currently uses.
Resource Limits dialog box lists the valid range of values for the configured maximum. For some resources, you can set the maximum to zero to set no limit. Reset icon Reset the configured maximum to the default maximum value.
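The allocation rules behind the Guaranteed, Maximum and Current columns are easier to see in code. The Python model below is an added example, not FortiOS code, and its numbers (a global limit of 100 sessions, three VDOMs) are made up. It enforces that guarantees never add up to more than the global limit, that a maximum of 0 means no per-VDOM cap, and that one VDOM can never consume another VDOM's unused guarantee, which is what makes a guarantee a real isolation boundary between tenants rather than a hint.

```python
"""Model of per-VDOM resource limits (Guaranteed / Maximum / Current plus a global
limit).  Added example, not FortiOS code; all numbers in demo() are made up."""
from dataclasses import dataclass


@dataclass
class VdomLimit:
    name: str
    guaranteed: int   # minimum kept available to this VDOM whatever the others use
    maximum: int      # per-VDOM cap; 0 means "no cap" (only the global limit applies)
    current: int = 0  # amount in use right now


class ResourcePool:
    def __init__(self, resource: str, global_max: int):
        self.resource = resource
        self.global_max = global_max
        self.vdoms = {}

    def add_vdom(self, v: VdomLimit) -> None:
        # A guarantee is a reservation, so guarantees cannot add up to more than the
        # global limit; otherwise some VDOM's minimum could not be honoured.
        total = sum(x.guaranteed for x in self.vdoms.values()) + v.guaranteed
        if total > self.global_max:
            raise ValueError(f"{self.resource}: guarantees total {total} > global limit {self.global_max}")
        if v.maximum and v.maximum < v.guaranteed:
            raise ValueError(f"{v.name}: maximum {v.maximum} is below guaranteed {v.guaranteed}")
        self.vdoms[v.name] = v

    def can_allocate(self, name: str, n: int = 1) -> tuple:
        v = self.vdoms[name]
        if v.maximum and v.current + n > v.maximum:
            return (False, "vdom maximum")
        in_use = sum(x.current for x in self.vdoms.values())
        # The unused part of every *other* VDOM's guarantee stays reserved for it.
        reserved = sum(max(0, x.guaranteed - x.current)
                       for x in self.vdoms.values() if x.name != name)
        if n > self.global_max - in_use - reserved:
            return (False, "global limit")
        return (True, "ok")

    def allocate(self, name: str, n: int = 1) -> None:
        ok, why = self.can_allocate(name, n)
        if not ok:
            raise RuntimeError(f"{name}: cannot allocate {n} {self.resource}: {why}")
        self.vdoms[name].current += n


def demo() -> dict:
    """Walk through the rules with made-up numbers and return what happened."""
    pool = ResourcePool("sessions", 100)
    pool.add_vdom(VdomLimit("A", guaranteed=30, maximum=0))
    pool.add_vdom(VdomLimit("B", guaranteed=20, maximum=50))
    pool.allocate("B", 50)                # B reaches its own maximum
    b_more = pool.can_allocate("B", 1)    # refused by the per-VDOM cap
    pool.allocate("A", 30)                # A's guarantee is always available to A
    try:
        pool.add_vdom(VdomLimit("C", guaranteed=60, maximum=0))
        c_added = True
    except ValueError:
        c_added = False                   # 30 + 20 + 60 > 100: cannot be honoured
    pool.add_vdom(VdomLimit("C", guaranteed=20, maximum=0))
    a_more = pool.can_allocate("A", 1)    # refused: C's unused guarantee is reserved
    return {"b_more": b_more, "c_added": c_added, "a_more": a_more,
            "in_use": {k: v.current for k, v in pool.vdoms.items()}}


if __name__ == "__main__":
    print(demo())
```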
(FortiWiFi models) and service set identifiers (SSIDs) (see “Adding a wireless interface” on page 163) • add and configure VDOM links (see “Inter-VDOM links” on page 113) • view loopback interfaces
For more information, see “Column Settings” on page 122. Description icon The tooltip for this icon displays the Description field for this interface. For more information see “Interface settings” on page 123.
Shows the addressing mode of this interface such as manual, DHCP, or PPPoE. The maximum number of bytes per transmission unit. Anything over 1500 bytes is a jumbo frame. See “Interface MTU packet size” on page 135.
The internal interface is a switch with either four or six physical interface connections, depending on the FortiGate model. Normally the internal interface is configured as a single interface shared by all physical interface connections - a switch.
You cannot create a virtual IPSec interface on this screen, but you can specify its endpoint addresses, enable administrative access and provide a description if you are editing an existing interface. For more information, see “Configuring a virtual IPSec interface” on page 133.
Figure 56: Create New Interface settings Figure 57: Edit Interface settings
Virtual Domain Select the virtual domain to which this VLAN subinterface belongs. Admin accounts with super-admin profile can change the VDOM for a VLAN when VDOM configuration is enabled. For more information, see “Using virtual domains” on page 103.
See “Configuring SNMP” on page 186. TELNET Allow Telnet connections to the CLI through this interface. Telnet connections are not secure and can be intercepted by a third party.
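Telnet, and HTTP for the web-based manager, carry administrator credentials in cleartext, so the check a practitioner wants is a scan of a configuration backup for any interface that still lists them. The Python script below is an added example, not Fortinet code. It parses a constructed config system interface excerpt (interface names and addresses are made up) and emits the CLI stanza that re-states allowaccess without the cleartext services; it handles only the config system interface table and skips nested config blocks inside an interface entry.

```python
"""Audit allowaccess per interface in a FortiOS configuration backup and emit a fix.
Added example, not Fortinet code; SAMPLE_CONFIG is constructed."""

CLEARTEXT = {"telnet", "http"}                  # credentials readable on the wire
KEEP_ORDER = ["ping", "https", "ssh", "snmp"]   # display order for the fixed stanza

# Constructed excerpt of a configuration backup; names and addresses are made up.
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set ip 203.0.113.2 255.255.255.0
        set allowaccess ping https ssh http telnet
    next
    edit "internal"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "dmz"
        set ip 10.10.10.1 255.255.255.0
    next
end
config system global
    set admintimeout 5
end
"""


def parse_interfaces(text: str) -> dict:
    """Return {name: {"ip": ..., "allowaccess": set()}} from `config system interface`.
    Nested config blocks inside an interface entry are skipped, not parsed."""
    result, name, in_table, depth = {}, None, False, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not in_table:
            in_table = line == "config system interface"
            continue
        if line.startswith("config "):
            depth += 1
        elif line == "end":
            if depth == 0:
                break               # end of the interface table
            depth -= 1
        elif depth:
            continue                # inside a nested block: ignore
        elif line.startswith('edit "') and line.endswith('"'):
            name = line[6:-1]
            result[name] = {"ip": None, "allowaccess": set()}
        elif name and line.startswith("set ip "):
            result[name]["ip"] = line.split()[2]
        elif name and line.startswith("set allowaccess "):
            result[name]["allowaccess"] = set(line.split()[2:])
        elif line == "next":
            name = None
    return result


def audit(interfaces: dict) -> dict:
    """Cleartext management services exposed per interface (empty list = clean)."""
    return {n: sorted(i["allowaccess"] & CLEARTEXT) for n, i in interfaces.items()}


def remediation(name: str, allowaccess: set) -> str:
    """CLI stanza that re-states allowaccess for `name` without the cleartext services."""
    wanted = allowaccess - CLEARTEXT
    keep = [s for s in KEEP_ORDER if s in wanted] + sorted(wanted - set(KEEP_ORDER))
    line = "set allowaccess " + " ".join(keep) if keep else "unset allowaccess"
    return f'config system interface\n    edit "{name}"\n        {line}\n    next\nend'


if __name__ == "__main__":
    ifaces = parse_interfaces(SAMPLE_CONFIG)
    for iface, bad in audit(ifaces).items():
        if bad:
            print(f"{iface} ({ifaces[iface]['ip']}): exposes {', '.join(bad)}")
            print(remediation(iface, ifaces[iface]["allowaccess"]))
```

Even with only HTTPS and SSH left, an Internet-facing interface should additionally be restricted with administrator trusted hosts; allowaccess decides which protocols listen, not who may connect.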
VIP, IP Pool or multicast policy • it is not an HA heartbeat interface • it is not one of the FortiGate 5000 series backplane interfaces
You can combine two or more physical interfaces to provide link redundancy. This feature allows you to connect to two or more switches to ensure connectivity in the event one physical interface or the equipment on that interface fails.
3 In the Name field, enter a name for the redundant interface. The interface name must be different from any other interface, zone or VDOM. 4 From the Type list, select Redundant Interface.
The IP address and netmask leased from the DHCP server. IP/Netmask Only displayed if Status is connected. Renew Select to renew the DHCP lease for this interface. Only displayed if Status is connected.
PPPoE server and gets addressing information. Select Status to refresh the addressing mode status message. Only displayed if you selected Edit. Status can be one of the following 4 messages. initializing No activity.
If at any time your FortiGate unit cannot contact the DDNS server, it will retry three times at one minute intervals and then change to retrying at three minute intervals. This is to prevent flooding the DDNS server.
Remote IP If you want to use dynamic routing with the tunnel or be able to ping the tunnel interface, enter IP addresses for the local and remote ends of the tunnel. These two addresses must not be used anywhere else in the network.
FortiGate interfaces. The interfaces added to a soft switch interface are called members. The members of a switch interface cannot be accessed as an individual interface after being added to a soft switch interface. They are removed from the system interface table.
If the packets that the FortiGate unit sends are larger than the smallest MTU, they are broken up or fragmented, which slows down transmission. Experiment by lowering the MTU to find an MTU size for optimum network performance.
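To make the fragmentation cost concrete, the Python script below (an added example, not Fortinet code) splits a datagram the way IPv4 fragmentation does, computes the ping payload that produces a datagram of a given size, and runs the binary search you would otherwise do by hand when experimenting with the MTU. The probe in the demo is simulated with a made-up 1400-byte bottleneck; on a Linux host with iputils the real probe is ping -M do -s <payload> <host>, which sets the Don't Fragment bit so that an oversized probe fails instead of being silently fragmented.

```python
"""IPv4 fragmentation arithmetic and a path-MTU search.  Added example, not Fortinet
code.  The demo probe is simulated; see the lead-in for the real ping invocation."""

IPV4_HDR = 20   # IPv4 header without options
ICMP_HDR = 8    # ICMP echo header


def icmp_payload_for_mtu(mtu: int) -> int:
    """Payload size to pass to `ping -s` so the whole datagram is exactly `mtu` bytes."""
    return mtu - IPV4_HDR - ICMP_HDR


def fragment_ipv4(total_len: int, mtu: int, hdr_len: int = IPV4_HDR) -> list:
    """Split a datagram of `total_len` bytes into fragments that fit `mtu`.
    Returns (fragment_offset_in_8_byte_units, payload_bytes, more_fragments) per
    fragment.  Every fragment except the last carries a multiple of 8 payload bytes,
    because the IPv4 offset field counts 8-byte blocks."""
    payload = total_len - hdr_len
    if payload <= mtu - hdr_len:
        return [(0, payload, False)]          # fits: no fragmentation
    per_frag = (mtu - hdr_len) // 8 * 8
    if per_frag <= 0:
        raise ValueError("mtu too small to carry any payload")
    frags, offset = [], 0
    while offset < payload:
        size = min(per_frag, payload - offset)
        frags.append((offset // 8, size, offset + size < payload))
        offset += size
    return frags


def find_path_mtu(probe, lo: int = 576, hi: int = 1500) -> int:
    """Largest datagram size `probe` delivers unfragmented, by binary search.
    `lo` must be a size known to pass (576 is the IPv4 minimum every host must
    accept); `hi` is the local interface MTU.  `probe(size)` returns True/False."""
    if not probe(lo):
        raise RuntimeError(f"even {lo}-byte datagrams fail; the link itself is broken")
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def simulated_probe(path_mtu: int):
    """Stand-in for the DF-bit ping: succeeds only up to the bottleneck MTU."""
    return lambda size: size <= path_mtu


if __name__ == "__main__":
    mtu = find_path_mtu(simulated_probe(1400))
    print("path MTU:", mtu, "-> ping -M do -s", icmp_payload_for_mtu(mtu))
    print("1500-byte datagram over that path:", fragment_ipv4(1500, mtu))
```

Once the search returns, set the interface MTU to that value so the FortiGate sends datagrams that fit the path and nothing downstream has to fragment them.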
A primary IP address must be assigned to the interface. • The interface must use manual addressing mode. • By default, IP addresses cannot be part of the same subnet. To allow interface subnet overlap use the CLI command:
The IP address and netmask for the secondary IP. Ping Server The IP address of the ping server for the address. The ping server can be shared by multiple addresses. Enable Indicates if the ping server option is selected.
To configure zone settings 1 Go to System > Network > Zone. 2 Select Create New or select the Edit icon for a zone. 3 Enter a name and select the interfaces. 4 Select OK.
Figure 68 shows only the settings specific to standalone mode. The remaining settings are common to both standalone and redundant modes and are shown in the redundant mode figure. Figure 68: Modem settings (Standalone)
The maximum number of times (1-10) that the FortiGate unit modem attempts to reconnect to the ISP if the connection fails. The default redial limit is 1. Select None to have no limit on redial attempts.
Note: Do not add policies for connections between the modem interface and the ethernet interface that the modem is backing up. To configure redundant mode 1 Go to System > Network > Modem. 2 Select Redundant mode. 3 Enter the following information:
The modem will not redial unless you select Dial Now. A green check mark indicates the active dialup account. The IP address and netmask assigned to the modem interface appears on the System Network Interface screen of the web-based manager.
1 Go to System > Network > Interface. 2 Choose an interface and select Edit. 3 Set Ping Server to the IP address of the next hop router on the network.
This is the domain name to enter into browsers to access the proxy server. Max HTTP request length Enter the maximum length of an HTTP request. Larger requests will be rejected.
5 Go to System > Network > Web Proxy and select Enable Explicit Proxy. 6 Enter a Port number for the explicit proxy. For example, 8888. 7 Select Apply to save your changes.
2 Select Create New. You can also select the Edit icon of an existing route to modify it. 3 Enter the Destination IP and netmask. 4 Enter the Gateway IP address.
VLAN. VLAN tags are 4-byte frame extensions that contain a VLAN identifier as well as other information. For more information on VLANs, see the FortiGate VLANs and VDOMs Guide.
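For the tag format itself, the Python script below is an added example, not Fortinet code. It builds and parses an IEEE 802.1Q tagged Ethernet frame (TPID 0x8100, then a 16-bit TCI holding the 3-bit priority, the DEI bit and the 12-bit VLAN ID) and shows how a trunk-facing interface maps a frame to a VLAN subinterface, or to no VLAN at all for untagged and priority-tagged (VID 0) frames. The MAC addresses and payload are constructed.

```python
"""Build and parse 802.1Q tagged Ethernet frames.  Added example, not Fortinet code;
the sample addresses and payload are constructed."""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Constructed sample addresses for the demo
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")


def build_tagged_frame(dst: bytes, src: bytes, vid: int, ethertype: int,
                       payload: bytes, pcp: int = 0, dei: int = 0) -> bytes:
    """dst(6) src(6) TPID(2) TCI(2) EtherType(2) payload.  VID 4095 is reserved and
    VID 0 means priority-tagged only, so a real VLAN uses 1..4094."""
    if not 0 <= vid <= 4094:
        raise ValueError(f"VID {vid} out of range")
    if not (0 <= pcp <= 7 and dei in (0, 1)):
        raise ValueError("bad PCP/DEI")
    tci = (pcp << 13) | (dei << 12) | vid
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Return addresses, tag fields (when present), inner EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return {"dst": dst, "src": src, "tagged": False, "vid": None,
                "ethertype": ethertype, "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return {"dst": dst, "src": src, "tagged": True,
            "pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF,
            "ethertype": inner, "payload": frame[18:]}


def vlan_for_policy(frame: bytes, configured_vids: set) -> str:
    """Name the VLAN subinterface a frame arriving on a trunk belongs to, which is
    what has to be decided before any per-VLAN firewall policy can apply.  Untagged
    and priority-tagged frames belong to the physical interface, not to a VLAN;
    a VID with no subinterface configured is dropped."""
    f = parse_frame(frame)
    if not f["tagged"] or f["vid"] == 0:
        return "untagged"
    return f"vlan{f['vid']}" if f["vid"] in configured_vids else "drop"


if __name__ == "__main__":
    frame = build_tagged_frame(DST, SRC, 100, ETHERTYPE_IPV4, bytes(20), pcp=5)
    print(parse_frame(frame))
    print(vlan_for_policy(frame, {100, 200}))
```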
FortiGate unit internal interface connects to a VLAN trunk on an internal switch, and the external interface connects to an upstream Internet router. The FortiGate unit can then apply different policies for traffic on each VLAN that connects to the internal interface.
FortiGate unit. The FortiGate unit is configured with policies that allow traffic to flow between VLANs and from the VLANs to the external network.
If not, you can only create VLAN subinterfaces in your own VDOM. See “Using virtual domains” on page 103 for information about virtual domains. 7 Configure the VLAN subinterface settings. See “Interface settings” on page 123.
This includes VLANs. If no other interfaces are configured for a VDOM, you can configure up to 255 VLANs in that VDOM. Figure 77 shows a FortiGate unit operating in Transparent mode with 2 virtual domains and configured with three VLAN subinterfaces.
After you add a VLAN subinterface, you can add firewall policies for connections between VLAN subinterfaces or from a VLAN subinterface to a physical interface. 1 Go to Firewall > Address.
ARP packets. However, this also exposes your network to attacks that use spoofed packets. For more secure solutions, see the FortiGate VLANs and VDOMs Guide.
Mexico is included in the Americas regulatory domain. Channels 1 through 8 are for indoor use only. Channels 9 through 11 can be used indoors and outdoors. You must make sure that the channel number complies with the regulatory standards of Mexico.
You can add up to three virtual wireless interfaces to your access point. These additional interfaces share the same wireless parameters configured for the WLAN interface for Band, Geography, Channel, Tx Power, and Beacon Interval. Ensure each wireless interface has a unique SSID.
If you choose not to broadcast the SSID, you need to inform users of the SSID so they can configure their wireless devices. Not broadcasting the SSID is not a security control: clients still send it in the clear in probe and association frames, so anyone listening can recover it.
If the MAC address is on the approved list, the user gains access to the network. If the user is not in the list, the user is rejected. Because a client can set its MAC address to any value it has observed on the air, MAC filtering only complements wireless encryption and authentication; it does not replace them.
To edit a MAC filter list 1 Go to System > Wireless > MAC Filter. 2 Select Edit for the wireless interface. Figure 85: Wireless interface MAC filter 3 Complete the following and select OK:
Signal Strength (dBm) The strength of the signal from the client. Noise (dBm) The received noise level. S/N (dB) The signal-to-noise ratio in decibels calculated from signal strength and noise level.
Access points are listed in the Unknown Access Points list until you mark them as either Accepted or Rogue access points. This designation helps you to track access points. It does not affect anyone’s ability to use these access points.
Rogue Access Points list. You can also enter information about accepted and rogue APs in the CLI without having to detect them first. See the system wireless ap-status command in the FortiGate Reference.
To configure a DHCP relay see “Configuring an interface as a DHCP relay agent” on page 173. DHCP services can also be configured through the Command Line Interface (CLI). See FortiGate CLI Reference for more information.
Type of DHCP relay or server: Regular or IPSec. Enable Green check mark icon indicates that server or relay is enabled. Add DHCP Server icon Select to configure and add a DHCP server for this interface.
3 Select the Add DHCP Server icon to create a new DHCP server, or select the Edit icon beside an existing DHCP server to change its settings. 4 Configure the DHCP server. 5 Select OK.
“Dynamically assigning VPN client IP addresses from a RADIUS record” on page 573. When User-group defined method is selected, the IP Range fields are greyed out, and the Exclude Ranges table and controls are not visible.
You can assign up to 200 IP addresses as reserved. For more information see the FortiGate Maximum Values for FortiOS 3.0 article on the Fortinet Knowledge Center. Use the CLI config system dhcp reserved-address command. For more information, see the FortiGate CLI Reference.
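How the IP range, the Exclude Ranges and the reserved addresses interact is shown by the allocator below. It is an added Python example, not Fortinet code, and does not claim to reproduce the FortiGate's own lease logic; the scope, addresses and MAC addresses are made up, and the 200-entry ceiling on reservations is the one stated above. The points it demonstrates: a reserved address is taken out of the dynamic pool even before its client appears, a renewing client keeps its address, excluded addresses are never handed out, and MAC addresses are matched after normalisation so that aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF and aabb.ccdd.eeff all name the same client.

```python
"""DHCP scope with IP range, exclude ranges and MAC-based reservations.
Added example, not Fortinet code; every address and MAC below is made up."""
import ipaddress
import re


def normalize_mac(mac: str) -> str:
    """Accept colon, dash or Cisco dotted notation; return lowercase colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class DhcpScope:
    MAX_RESERVED = 200   # ceiling on reserved addresses stated in the text above

    def __init__(self, start, end, excludes=(), reservations=None):
        self.start = ipaddress.IPv4Address(start)
        self.end = ipaddress.IPv4Address(end)
        if self.start > self.end:
            raise ValueError("range start is after range end")
        self.excludes = [(ipaddress.IPv4Address(a), ipaddress.IPv4Address(b))
                         for a, b in excludes]
        self.reservations = {normalize_mac(m): ipaddress.IPv4Address(ip)
                             for m, ip in (reservations or {}).items()}
        if len(self.reservations) > self.MAX_RESERVED:
            raise ValueError(f"more than {self.MAX_RESERVED} reserved addresses")
        self.leases = {}   # IPv4Address -> normalised MAC

    def _excluded(self, ip) -> bool:
        return any(a <= ip <= b for a, b in self.excludes)

    def offer(self, mac: str) -> ipaddress.IPv4Address:
        mac = normalize_mac(mac)
        for ip, holder in self.leases.items():        # renewing client keeps its lease
            if holder == mac:
                return ip
        if mac in self.reservations:                  # fixed address wins over the pool
            ip = self.reservations[mac]
            if self.leases.get(ip, mac) != mac:
                raise RuntimeError(f"reserved {ip} is held by {self.leases[ip]}")
            self.leases[ip] = mac
            return ip
        # Reserved addresses are withheld from the dynamic pool even while unused.
        taken = set(self.leases) | set(self.reservations.values())
        ip = self.start
        while ip <= self.end:
            if ip not in taken and not self._excluded(ip):
                self.leases[ip] = mac
                return ip
            ip += 1
        raise RuntimeError("address pool exhausted")

    def release(self, mac: str) -> None:
        mac = normalize_mac(mac)
        for ip, holder in list(self.leases.items()):
            if holder == mac:
                del self.leases[ip]


if __name__ == "__main__":
    scope = DhcpScope("192.168.1.10", "192.168.1.20",
                      excludes=[("192.168.1.12", "192.168.1.14")],
                      reservations={"00-11-22-33-44-55": "192.168.1.15"})
    for client in ("AA:BB:CC:DD:EE:01", "aa-bb-cc-dd-ee-02", "aabb.ccdd.ee03", "00:11:22:33:44:55"):
        print(client, "->", scope.offer(client))
```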
FortiGate HA Overview, the FortiGate HA Guide, and the Fortinet Knowledge Center. HA is not available on FortiGate models 50A and 50AM. HA is available on all other FortiGate models, including the FortiGate-50B. The following topics are included in this section: •...
VDOM partitioning options. Other differences between configuration options for regular HA and for virtual clustering HA are described below and in the FortiGate HA Overview and the FortiGate HA Guide.
The default group name is FGT-HA. You can accept the default group name when first configuring a cluster. When the cluster is operating you can change the group name, if required. Two clusters on the same network cannot have the same group name.
HA configuration of primary unit, change the device priority and host name of subordinate units, and download a debug log for any cluster unit. You can also view HA statistics for the cluster.
Up and down arrows Changes the order of cluster members in the list. The operation of the cluster and of the units in the cluster is not affected. All that changes is the order of the units on the cluster members list.
183. Download debug log Select to download an encrypted debug log to a file. You can send this debug log file to Fortinet Technical Support (http://support.fortinet.com) to help diagnose problems with the cluster or with individual cluster units. Viewing HA statistics From the cluster members list, you can select View HA Statistics to display the serial number, status, and monitor information for each cluster unit.
To change the host name and device priority of a subordinate unit in an operating cluster, go to System > Config > HA to display the cluster members list. Select Edit for any slave (subordinate) unit in the cluster members list.
IP/Netmask Specify an IP address and netmask for the interface. You can use this IP address to connect to this interface to configure the disconnected FortiGate unit.
FortiGate unit. To monitor FortiGate system information and receive FortiGate traps, you must first compile the proprietary Fortinet and FortiGate Management Information Base (MIB) files. A MIB is a text file that describes a list of SNMP data objects that are used by the SNMP manager.
SNMP queries and traps. Each community can be configured to monitor the FortiGate unit for a different set of events. You can also add the IP addresses of up to 8 SNMP managers to each community.
Note: When the FortiGate unit is in virtual domain mode, SNMP traps can only be sent on interfaces in the management virtual domain. Traps cannot be sent over other interfaces. Figure 101: SNMP community options (part 1) Figure 102: SNMP community options (part 2)
3 Select Apply. Fortinet MIBs The FortiGate SNMP agent supports Fortinet proprietary MIBs as well as standard RFC 1213 and RFC 2665 MIBs. RFC support includes support for the parts of RFC 2665 (Ethernet-like MIB) and the parts of RFC 1213 (MIB II) that apply to FortiGate unit configuration.
To receive Fortinet device SNMP traps, you must load and compile the FORTINET-CORE-MIB into your SNMP manager. The name of the table indicates if it is found in the Fortinet MIB or the FortiGate MIB. The Trap Message column includes the message included with the trap as well as the SNMP MIB field name to help locate the information about the trap.
(fnTrapIpChange) The trap message includes the name of the interface, the new IP address and the serial number of the Fortinet unit. You can use this trap to track interface IP address changes for interfaces with dynamic IP addresses set using DHCP or PPPoE.
Used for verification by FortiManager. (fgFmTrapConfChange) The FortiGate unit configuration has been changed by something other than the managing FortiManager device. (fgFmTrapIfChange) No message. Sent to monitoring FortiManager when an interface changes IP address.
MIB fields and describe the status information available for each one. You can view more details about the information available from all Fortinet and FortiGate MIB fields by compiling the FORTINET-CORE-MIB.mib and FORTINET-FORTIGATE-MIB.mib files into your SNMP manager and browsing the MIB fields on your...
Table 26: FortiGate Dialup VPNs MIB field Description fgVpnDialupIndex An index value that uniquely identifies a VPN dial-up peer in the table. fgVpnDialupGateway The remote gateway IP address on the tunnel.
Go to System > Config > Replacement Messages to change replacement messages and customize alert email and information that the FortiGate unit adds to content streams such as email messages, web pages, and FTP sessions.
The same applies to pages blocked by web filtering and email blocked by spam filtering. Note: Disclaimer replacement messages provided by Fortinet are examples only. Replacement messages list To view the replacement messages list go to System > Config > Replacement Messages.
HTTP protocol when an event occurs such as antivirus blocking a file that contains a virus in an HTTP session. HTTP replacement messages are HTML pages.
The FortiGate unit sends the FTP replacement messages listed in Table 30 to FTP clients when an event occurs such as antivirus blocking a file that contains a virus in an FTP session. FTP replacement messages are text messages.
If you enable Send alert email for logs based on severity for alert email, whether or not replacement messages are sent by alert email depends on how you set the alert email Minimum log level.
(a false positive). Administration replacement message If you enter the following CLI command the FortiGate unit displays the Administration Login disclaimer whenever an administrator logs into the FortiGate unit web-based manager or CLI.
The following is an example of a simple authentication page that meets the requirements listed above. <HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD> <BODY><H4>You must authenticate to use this service.</H4> <FORM ACTION="/" method="post"> <INPUT NAME="%%MAGICID%%" VALUE="%%MAGICVAL%%" TYPE="hidden"> <TABLE ALIGN="center" BGCOLOR="#00cccc" BORDER="0" CELLPADDING="15" CELLSPACING="0" WIDTH="320"><TBODY>
HTTP protocol when FortiGuard web filtering blocks a URL, provides details about blocked HTTP 4xx and 5xx errors, and for FortiGuard overrides. FortiGuard Web Filtering replacement messages are HTTP pages.
In an Application Control list, the block-photo CLI keyword is enabled (block message) for MSN or Yahoo and the application control list is added to a protection profile. You enable photo blocking from the CLI.
FortiGate interface added to the banned user list using HTTP on port 80. This replacement message is not displayed if method is set to Attacker and Victim IP Address.
%%FILE%% Can be used in virus and file block messages.
%%FORTIGUARD_WF%% The FortiGuard - Web Filtering logo.
%%FORTINET%% The Fortinet logo.
%%LINK%% The link to the FortiClient Host Security installer download for the Endpoint Control feature.
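Replacement messages are templates in which %%TAG%% tokens such as those listed above are substituted with values taken from the blocked transaction, for example a file name or a URL. The Python renderer below is an added example, not Fortinet code, and does not describe how FortiOS itself performs the substitution. It makes the point a practitioner writing custom HTTP replacement messages should keep in mind: a value copied from traffic into an HTML page must be HTML-escaped, since the page is rendered by the client's browser, while the text-only FTP messages must be left unescaped. The template, file name, virus name and link are constructed; %%VIRUS%% is assumed for the demonstration.

```python
"""Render a replacement-message template with %%TAG%% substitution.
Added example, not Fortinet code; the template and values are constructed."""
import html
import re

TAG_RE = re.compile(r"%%([A-Z_]+)%%")

# Constructed HTML template in the style of the HTTP virus block messages above.
HTTP_VIRUS_TEMPLATE = (
    "<html><body><h2>High security alert</h2>"
    "<p>You are not permitted to download the file \"%%FILE%%\" because it is "
    "infected with the virus \"%%VIRUS%%\".</p>"
    "<p><a href=\"%%LINK%%\">FortiClient download</a></p></body></html>"
)

# Constructed text template in the style of the FTP messages (plain text, not HTML).
FTP_VIRUS_TEMPLATE = "550 The file %%FILE%% is infected with %%VIRUS%% and was blocked."


def render(template: str, values: dict, as_html: bool) -> tuple:
    """Substitute %%TAG%% tokens from `values`.  Returns (text, unknown_tags).

    For HTML output every substituted value is escaped (including quotes, so a
    value inside an attribute such as href="..." cannot break out of it).  For
    text output values are inserted verbatim.  Unknown tags are left untouched
    and reported, so a typo in a template is visible instead of silently blank."""
    unknown = []

    def substitute(match):
        tag = match.group(1)
        if tag not in values:
            unknown.append(tag)
            return match.group(0)
        value = str(values[tag])
        return html.escape(value, quote=True) if as_html else value

    return TAG_RE.sub(substitute, template), unknown


if __name__ == "__main__":
    values = {"FILE": '<script>alert(1)</script>.exe',   # constructed hostile file name
              "VIRUS": "EICAR_Test_File",
              "LINK": "https://example.invalid/forticlient"}
    print(render(HTTP_VIRUS_TEMPLATE, values, as_html=True)[0])
    print(render(FTP_VIRUS_TEMPLATE, values, as_html=False)[0])
```

Escaping covers injection into element content and attribute values; it does not validate the link itself, so a template that places %%LINK%% in an href should only ever receive an administrator-configured URL, never one taken from the blocked request.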
To switch from NAT/Route to Transparent mode 1 Go to System > Config > Operation Mode or select Change beside Operation Mode on the System Status page for the virtual domain.
IP address that applies to all interfaces in your VDOM that permit management access. The FortiGate also uses this IP address to connect to the FDN for virus and attack updates (see “Configuring FortiGuard Services” on page 264).
Use Trusted Hosts to limit where the remote access can originate from. • Do not change the system idle timeout from the default value of 5 minutes (see “Settings” on page 228).
The super_admin admin profile cannot be changed; it does not appear in the list of profiles in System > Admin > Admin Profile, but it is one of the selections in the Admin Profile drop-down list in System > Admin New/Edit Administrator dialog box.
The super_admin_readonly profile is suitable in a situation where it is necessary for a system administrator to troubleshoot a customer configuration without being able to make changes. Other than being read-only, the super_admin_readonly profile can view all the FortiGate configuration tools.
(Remote) Authentication of a specific account on a RADIUS, LDAP, or TACACS+ server.
Remote + Wildcard Authentication of any account on an LDAP, RADIUS, or TACACS+ server.
PKI PKI-based certificate authentication of an account.
New. To configure the settings for an existing administrator, select the Edit icon beside the administrator. Figure 107: Administrator account configuration - Regular (local) authentication Figure 108: Administrator account configuration - Remote authentication
Enter a password for the administrator account. For improved security, the password should be at least 6 characters long. This is not available if Wildcard is selected or when Type is PKI. See the Fortinet Knowledge Center article Recovering lost administrator account passwords if you forget or lose an administrator account password and cannot log in to your FortiGate unit.
“Viewing the administrators list” on page 211. Note: If you forget or lose an administrator account password and cannot log in to your FortiGate unit, see the Fortinet Knowledge Center article Recovering lost administrator account passwords. Configuring remote authentication for administrators You can authenticate administrators using RADIUS, LDAP, or TACACS+ servers.
To create the user group (RADIUS) 1 Go to User > User Group. 2 Select Create New or select the Edit icon beside an existing RADIUS group. 3 Enter the name that identifies the user group.
Page 216
4 Configure additional features as required. For more information, see “Configuring an administrator account” on page 212. 5 Select OK. For more information about using a RADIUS server to authenticate system administrators, Fortinet Knowledge Centre article #3849 Using RADIUS for Admin Access and Authorization. • Admin profiles •...
Page 217
Type is Regular.
Password Password of user to be authenticated. Available only if Bind Type is Regular.
Secure Connection A check box that enables a secure LDAP server connection for authentication.
To do this you need to:
• configure the TACACS+ server
• configure the FortiGate unit to access the TACACS+ server
6 Select OK.
To configure an administrator to authenticate with a TACACS+ server
1 Go to System > Admin.
2 Select Create New, or select the Edit icon beside an existing administrator.
Edit icon Edit this PKI user.
To configure a PKI user
1 Go to User > PKI.
2 Select Create New, or select the Edit icon beside an existing PKI user.
0.0.0.0/0.0.0.0 addresses to a non-zero address, the other 0.0.0.0/0.0.0.0 will be ignored. The only way to use a wildcard entry is to leave the trusted hosts at 0.0.0.0/0.0.0.0. However, this configuration is less secure.
VDOM and cannot access global configuration options or the configuration for any other VDOM. For information about which settings are global, see “VDOM configuration settings” on page 104.
Network Configuration (netgrp)
system arp-table
system dhcp
system interface
system zone
execute dhcp lease-clear
execute dhcp lease-list
execute clear system arp table
execute interface
You need to use the admin account or an account with Admin Users read/write access to create or edit admin profiles. To view the admin profiles list, go to System > Admin > Admin Profile.
Figure 114: Admin profile list
OK.
Figure 115: Admin profile options
Profile Name Enter the name of the admin profile.
Access Control List of the items for which access control settings can be customized.
FortiGuard Analysis and Management Service, you can also remotely upgrade the firmware on the FortiGate unit.
Figure 116: Central Management using FortiManager
Figure 117: Central Management using the FortiGuard Analysis and Management Service
The Revision Control tab displays a list of the backed up configuration files. The list displays only when your FortiGate unit is managed by a central management server. For more information, see “Managing configuration revisions” on page 261.
An alternative HTTPS port number for remote client web browsers to connect to the FortiGate unit. The default port number is 10443.
Telnet Port TCP port to be used for administrative telnet access. The default is 23.
To see the number of logged-in administrators, go to System > Status. Under System Information, you will see Current Administrators. Select Details to view information about the administrators currently logged in to the FortiGate unit.
Figure 119: System Information displaying current administrators
IPv4-addressed packets and another for IPv6-addressed packets. For more information, see the FortiGate IPv6 Support Technical Note available from the Fortinet Knowledge Center. Before you can work with IPv6 on the web-based manager, you must enable IPv6 support. Note: IPv6 is not supported in Transparent mode.
FortiGate features. Before customizing the GUI layout, you need to configure the administrative admin profile. To configure the profile, go to System > Admin > Admin Profile and select Create New.
Hide from within the GUI layout dialog box (see Figure 124). The following configuration will set up read-only administrative access to Log&Report items for the Report Profile profile, and prevent access to the default layout.
4 Select OK to save the settings. The admin profiles list reappears.
5 From the list, select the Edit icon beside Report Profile.
6 Under GUI Control > Menu Layout, select Customize, and then select OK (see Figure 123 and Figure 124).
Reset menu to default layout configuration
In the GUI layout dialog box, select the customization drop-down menu icon beside System and select hide (see Figure 124). Repeat for each menu item except Log&Report.
To create a new tab
1 Select the Create New tab item icon (see Figure …). A tab is created with the default name custom menu, and an additional Create New icon appears beside it.
8 widgets.
2 For the Custom Log Report Tab1, select 2 columns.
3 To save your modified configuration, select Save in the Edit this tab dialog box.
This search employs a real-time filtering mechanism with a “contains” type search on the widget names. For example, if you search on “use”, you will be shown User Group, IM User Monitor, Firewall User Monitor, Banned User, and Top Viruses (see Figure 130).
For the Custom Log Report Tab1, select the following items for inclusion in the layout:
• Alert E-mail
• Schedule.
Close the Edit Layout dialog box.
Figure 131: Log&Report category selection for Custom Log Report Tab1
Figure 132: Custom Log Report Tab1 page layout preview
For the Custom Log Report Tab2, select the following items for inclusion in the layout:
• Event Log
• Log Setting.
Save to close the custom GUI layout dialog box (see Figure 135). To abandon the configuration, select Reset menus (see Figure 135). To exit the GUI layout dialog box without saving your changes, select Cancel (see Figure 135).
FortiGate unit, then log back in using the name and password of an administrator assigned the Report Profile administrative profile. The FortiGate web-based manager reflects the customized configuration of Report Profile (see Figure 136).
Figure 136: Customized FortiGate web-based manager page
Fortinet_CA Embedded inside firmware and BIOS. Fortinet’s CA certificate. Used to verify certificates that claim to be signed by Fortinet, for example with a FortiGate/FortiManager tunnel or an SSL connection to a FortiGuard server. Listed under Certificates > CA, or in FortiGate CLI under vpn certificate ca or vpn certificate ocsp.
247.
Name The names of existing local certificates and pending certificate requests.
Subject The Distinguished Names (DNs) of local signed certificates.
Comments A description of the certificate.
Generate, and complete the fields in the table below. To download and send the certificate request to a CA, see “Downloading and submitting a certificate request” on page 246.
Figure 138: Generate Certificate Signing Request
2 In the Local Certificates list, select the Download icon in the row that corresponds to the generated certificate request.
3 In the File Download dialog box, select Save to Disk.
4 Name the file and save it to the local file system.
To import the PKCS12 file, go to System > Certificates > Local Certificates and select Import.
Figure 140: Upload PKCS12 Certificate
Certificate with key file Enter the full path to and file name of the previously exported PKCS12 file.
To view installed Remote (OCSP) certificates or import a Remote (OCSP) certificate, go to System > Certificates > Remote. To view certificate details, select the View Certificate Detail icon in the row that corresponds to the certificate.
Note: There is one OCSP per VDOM.
Fortinet_CA certificate. To view installed CA root certificates or import a CA root certificate, go to System > Certificates > CA Certificates. To view root certificate details, select the View Certificate Detail icon in the row that corresponds to the certificate.
If you choose SCEP, the system starts the retrieval process as soon as you select OK. The system assigns a unique name to each CA certificate. The names are numbered consecutively (CA_Cert_1, CA_Cert_2, CA_Cert_3, and so on).
CRL is retrieved automatically from the server when the FortiGate unit does not have a copy of it or when the current copy expires. To import a certificate revocation list, go to System > Certificates > CRL and select Import.
OK. The system assigns a unique name to each CRL. The names are numbered consecutively (CRL_1, CRL_2, CRL_3, and so on).
FortiGate unit includes a USB port (see “Formatting USB Disks” on page 261). You can also restore the system configuration from previously downloaded backup files in the Backup & Restore menu.
Backup & Restore section. For more information, see “Central Management” on page 226. To view the backup and restore options, go to System > Maintenance > Backup and Restore.
FortiGate unit. USB Disk is displayed only if the FortiGate unit includes a USB port. If you do not connect a USB disk, this option is grayed out. For more information, see “Formatting USB Disks” on page 261.
FortiGate unit and a FortiManager unit, and runs over SSL using IPv4/TCP port 541. For detailed instructions on how to install a FortiManager unit, see the FortiManager Install Guide.
Additional information, including how to register your FortiGate unit for the FortiGuard Analysis and Management Service, is available in the FortiGuard Analysis and Management Service Users Guide.
FortiGuard Analysis and Management Service. The list is in numerical order, with the most recently uploaded configuration first.
Restore Select to restore the configuration from the FortiGuard Analysis and Management Service.
Detailed firmware version information is provided if you have subscribed to the FortiGuard Analysis and Management Service. To view the firmware options, go to System > Maintenance > Backup & Restore.
USB disk. If the firmware image on the disk matches the currently installed FortiGate firmware, the FortiGate unit skips the firmware update process.
Select to apply the selected settings.
Download Debug Log Download an encrypted debug log to a file. You can send this debug log to Fortinet Technical Support to help diagnose problems with your FortiGate unit.
Formatting USB Disks
FortiGate units with USB ports support USB disks for backing up and restoring configurations.
After executing scripts, you can view the script execution history on the script page. The list displays the last 10 executed scripts. To view the script options, go to System > Maintenance > Scripts.
Tip: An unencrypted configuration file uses the same structure and syntax as a script file. You can save a configuration file and copy the required parts to a new file, making any edits you require. You can generate script files more quickly this way.
NAT device. Registering your FortiGate unit on the Fortinet Support web page provides a valid license contract and connection to the FDN. On the Fortinet Support web page, go to Product Registration and follow the instructions.
FortiGuard Antispam service
FortiGuard Antispam is an antispam system from Fortinet that includes an IP address black list, a URL black list, and spam filtering tools, contained in an antispam rule set that is downloaded to the FortiGate unit. The IP address black list contains IP addresses of email servers known to generate spam.
Every FortiGate unit comes with a free 30-day FortiGuard Web Filtering trial license. FortiGuard license management is performed by Fortinet servers. There is no need to enter a license number. The FortiGate unit automatically contacts a FortiGuard service point when enabling FortiGuard category blocking.
If the Status icon is green, the expiry date is displayed.
[Version] The version number of the definition file currently installed on the FortiGate unit for this service.
Green (Available) - the push update service is allowed. See “Enabling push updates” on page 273. If the icon is gray or yellow, see “Troubleshooting FDN connectivity” on page 271.
Update Now Select to manually initiate an FDN update.
Submit attack characteristics (recommended) Fortinet recommends that you select this check box. It helps to improve the quality of IPS signatures.
portal, please click here Select to go directly to the FortiGuard Analysis and Management Service portal web site to view logs or configuration. You can also select this to register your FortiGate unit with the FortiGuard Analysis and Management Service.
Note: Updating antivirus and IPS attack definitions can cause a very short disruption in traffic scanning while the FortiGate unit applies the new signature definitions. Fortinet recommends scheduling updates when traffic is light to minimize disruption. To make sure the FortiGate unit can connect to the FDN 1 Go to System >...
1 Go to System > Maintenance > FortiGuard.
2 Select the Use override server address check box.
3 Type the fully qualified domain name or IP address of the FortiGuard server.
FortiGate unit will usually receive new updates sooner. Fortinet does not recommend enabling push updates as the only method for obtaining updates. The FortiGate unit might not receive the push notification. When the FortiGate unit receives a push notification, it makes only one attempt to connect to the FDN and download updates.
1 Register the FortiGate unit on the internal network so that it has a current support license and can receive push updates. For more information, see “Registering your Fortinet product” on page
2 Configure the following FortiGuard options on the FortiGate unit on the internal network.
Enter 9443. This is the port number to which the NAT FortiGate unit will send the push update after it comes through the virtual IP. FortiGate units expect push update notifications on port 9443.
4 Select OK.
If you need more VDOMs than your FortiGate unit currently supports, you can purchase a license key from Fortinet to increase the maximum number of VDOMs to 25, 50, 100 or 250. By default, FortiGate units support a maximum of 10 VDOMs.
The following topics are covered in this section:
• How the routing table is built
• How routing decisions are made
• Multipath routing and determining the best route
• Route priority
• Blackhole Route
31 (sometimes not available), the traffic will use the route with an administrative distance of 5. Different routing protocols have different default administrative distances. The default administrative distances for any of these routing protocols are configurable.
Linux programming. Blackhole routes are used to dispose of packets instead of responding to suspicious inquiries. This provides added security since the originator will not discover any information from the target network.
Figure 163 shows the static route list belonging to a FortiGate unit that has interfaces named “port1” and “port2”. The names of the interfaces on your FortiGate unit may be different.
FortiGate unit.
FortiGate routing table must include a static route to that network. For example, in Figure 165, the FortiGate unit must be configured with static routes to interfaces 192.168.10.1 and 192.168.11.1 in order to forward packets to Network_1 and Network_2 respectively.
For more information, see the FortiGate CLI Reference.
To change the gateway for the default route
1 Go to Router > Static > Static Route.
Figure 166 shows the Edit Static Route dialog box belonging to a FortiGate unit that has an interface named “internal”. The names of the interfaces on your FortiGate unit may be different.
FortiGate unit that has interfaces named “external” and “internal”. The names of the interfaces on your FortiGate unit may be different. To edit an existing policy route, see “Adding a policy route” on page 286.
The range is from 0 to 255. A value of 0 disables the feature.
Incoming Interface Select the name of the interface through which incoming packets subjected to the policy are received.
Select After to place it following the indicated route.
Policy route ID Enter the Policy route ID of the route in the Policy route table to move the selected route before or after.
Routing Information Protocol (RIP) is a distance-vector routing protocol intended for small, relatively homogeneous networks. The FortiGate implementation of RIP supports RIP version 1 (see RFC 1058) and RIP version 2 (see RFC 2453).
To view and edit RIP settings, go to Router > Dynamic > RIP. Figure 170 shows the basic RIP settings on a FortiGate unit that has interfaces named “dmz” and “external”. The names of the interfaces on your FortiGate unit may be different.
FortiGate interfaces whose IP addresses match the RIP network address space.
IP/Netmask Enter the IP address and netmask that defines the RIP-enabled network.
Select to add the network information to the Networks list.
FortiGate routing table. The range is from 1 to 16. This metric is the hop count, with 1 being best or shortest. This value also applies to Redistribute unless otherwise specified.
Note: Additional options such as split-horizon and key-chains can be configured per interface through the CLI. For more information, see the “router” chapter of the FortiGate CLI Reference or the Fortinet Knowledge Center.
A neighbor is any router that is directly connected to the same area as the FortiGate unit. After initial contact, the FortiGate unit exchanges Hello packets with its OSPF neighbors regularly to confirm that the neighbors can be reached.
1 Go to Router > Dynamic > OSPF.
2 Under Areas, select Create New.
3 Define the characteristics of one or more OSPF areas. See “Defining OSPF areas” on page 299.
4 Under Networks, select Create New.
If Router ID is not explicitly set, the highest IP address of the VDOM or unit will be used.
Advanced Options Select the Expand Arrow to view or hide advanced OSPF settings. For more information, see “Selecting advanced OSPF options” on page 298.
Delete and Edit icons Delete or edit an OSPF area entry, network entry, or interface definition. Icons are visible only when there are entries in the Areas, Networks, and Interfaces sections.
Enter a cost for those routes in the Metric field. The range is from 1 to 16 777 214.
Select to redistribute routes learned through BGP. Enter a cost for those routes in the Metric field. The range is from 1 to 16 777 214.
OSPF backbone. Virtual links can be set up only between two FortiGate units that act as area border routers. For more information on virtual links, see the FortiGate CLI Reference.
Figure 175: New/Edit OSPF Area
Select an area ID for the network. The attributes of the area must match the characteristics and topology of the specified network. You must define the area before you can select the area ID. For more information, see “Defining OSPF areas” on page 299.
Select the name of the FortiGate interface to associate with this OSPF interface definition (for example, port1, external, or VLAN_1). The FortiGate unit can have physical, VLAN, virtual IPSec or GRE interfaces connected to the OSPF-enabled network.
BGP update, the FortiGate unit examines the Multi-Exit Discriminator (MED) attributes of potential routes to determine the best path to a destination network before recording the path in the FortiGate unit routing table.
Add the neighbor information to the Neighbors list, or edit an entry in the list.
Neighbor The IP addresses of BGP peers.
Remote AS The numbers of the autonomous systems associated with the BGP peers.
Delete icon Delete a BGP neighbor entry.
CLI commands to configure PIM settings, see multicast in the “router” chapter of the FortiGate CLI Reference.
Note: For more information about FortiGate multicast support, see the FortiGate Multicast Technical Note.
The priority number assigned to Designated Router (DR) candidacy on the interface. Available only when sparse mode is enabled.
Delete and Edit icons Delete or edit the PIM settings on the interface.
Configure multicast DNAT in the CLI by using the following command:
config firewall multicast-policy
    edit p1
        set dnat <dnatted-multicast-group>
        set ...
    next
For more information, see the “firewall” chapter of the FortiGate CLI Reference.
3. The port that BFD traffic originates from will be checked for security purposes as indicated by disabling bfd-dont-enforce-src-port.
config system settings
OSPF, and you can override the global settings at the interface level.
To enable BFD on OSPF (FortiOS CLI syntax; the router ospf table holds the global BFD setting):
config router ospf
    set bfd enable
end
To override BFD on an interface (the per-interface setting in the ospf-interface sub-table takes precedence over the global one):
config router ospf
    config ospf-interface
        edit <interface_name>
            set bfd disable
        end
end
Prefix The IP address prefix for this access-list. When this prefix is matched, the action is taken. The prefix can match any address, or a specific address.
The offset list is part of the RIP and OSPF routing protocols. For more information about RIP, see “RIP” on page 289.
Select to remove an offset entry.
Edit Icon Select to edit an existing offset entry. For more information on the offset list, see the “router” chapter of the FortiGate CLI Reference.
• When a single matching match-* rule is found, changes to the routing information are made as defined through the rule’s set-ip-nexthop, set-metric, set-metric-type, and/or set-tag settings.
Select to add a route map entry to a route map.
Edit Icon Select to edit an existing route map entry. For more information on the route map, see the “router” chapter of the FortiGate CLI Reference.
Routing Monitor list belonging to a FortiGate unit that has interfaces named “port1”, “port4”, and “lan”. The names of the interfaces on your FortiGate unit may be different.
Figure 187: Routing Monitor list
Multi-Exit Discriminator (MED) — routes learned through BGP. However, several attributes in addition to MED determine the best path to a destination network.
Gateway The IP addresses of gateways to the destination networks.
5 Select Apply Filter.
Note: All of the values that you specify as search criteria must match corresponding values in the same routing table entry in order for that entry to be displayed.
Matching firewall policies are determined by comparing the firewall policy and the packet’s: • source and destination interfaces • source and destination firewall addresses • services • time/schedule. FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback...
“How list order affects policy matching” on page 319. Moving a policy in the firewall policy list does not change its ID, which only indicates the order in which the policy was created. Figure 190: Move Policy FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback...
“Moving a policy to a different position in the policy list” on page 320. To view the policy list, go to Firewall > Policy. Figure 191: Firewall policy list Filter Delete Edit Insert Policy before Move To FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback...
Move To icon Move the corresponding policy before or after another policy in the list. For more information, see “Moving a policy to a different position in the policy list” on page 320.
Insert Policy before (see “Viewing the firewall policy list” on page 321). Note: You can configure differentiated services (DSCP) firewall policy options through the CLI. See the “firewall” chapter of the FortiGate CLI Reference.
If Action is set to SSL-VPN and the policy is for web-only mode clients, select all. If Action is set to SSL-VPN and the policy is for tunnel mode clients, select the name of the address that you reserved for tunnel mode clients.
This option is available only after you have added an SSL-VPN user group. You can also configure NAT and protection profiles, log traffic, shape traffic, or add a comment to the policy. See “Configuring SSL VPN identity-based firewall policies” on page 331.
Maximum Bandwidth Select to limit bandwidth in order to keep less important services from using bandwidth needed for more important ones.
HTTPS service, which the FortiGate unit would use to verify the network user’s certificate; upon successful certificate-based authentication, the network user would then be able to access his or her email.
The one-time or recurring schedule that controls when the policy is in effect. You can also create schedules by selecting Create New from this list. For more information, see “Firewall Schedule” on page 361.
LDAP and RADIUS servers. This option is selected by default. Directory Service Include Directory Service groups defined in User > User Group. The groups are authenticated through a domain controller using Fortinet Server Authentication Extensions (FSAE). If you select this option, you must install the FSAE on the Directory Service domain controller.
Select to enable traffic from a dialup client or computers on the remote private network to initiate the tunnel. Allow outbound Select to enable traffic from computers on the local private network to initiate the tunnel.
Note: The SSL-VPN option is only available from the Action list after you have added SSL VPN user groups. To add SSL VPN user groups, see “SSL VPN user groups” on page 585. For more information, see “Configuring firewall policies” on page 323.
Destination Interface/Zone Select the name of the FortiGate network interface, virtual domain (VDOM) link, or zone to which IP packets are forwarded. If Action is set to SSL-VPN, the interface is associated with the local private network.
To create an identity-based firewall policy, select the Enable Identity Based Policy check box. A table opens below the check box. Select Add. The New Authentication Rule dialog opens (see Figure 197).
IPS, content archiving, and logging to a firewall policy. You can also create a protection profile by selecting Create New from this list. For more information, see “Firewall Protection Profile” on page 397.
IPS, content archiving, and logging to this policy. You can also create a protection profile by selecting Create New from this list. For more information, see “Firewall Protection Profile” on page 397.
To edit this web page, go to System > Config > Replacement Messages and edit the Endpoint Control Download Portal replacement message. If the redirect is not enabled, the non-compliant user simply has no network access.
Customize the table view. You can select the columns to hide or display and specify the column display order in the table. Section View Select to display firewall policies organized by interface.
The interface or zone to be monitored. Source Address Select an address or address range to limit traffic monitoring to network traffic sent from the specified address or range. Select Multiple to include multiple addresses or ranges.
With their current network topology, all 15 of the internal computers are behind a router and must go to an external source to access the ISP mail and web servers. All home-based employees access the router through open/non-secured connections.
2 Select Create New and enter or select the following settings for Home_User_1:
Interface / Zone: Source: internal; Destination: wan1
Address: Source: Home_User_1; Destination: CompanyA_Network
Schedule: Always
Service
Action: IPSEC
VPN Tunnel: Home1
Allow Inbound
Allow outbound
Inbound NAT
FortiGate unit. They now access the email and web servers in a DMZ, which is also behind the FortiGate unit. All home-based employees now access the office network through the FortiGate unit via VPN tunnels.
The staff firewall policies will all use a protection profile configured specifically for staff access. Enabled features include virus scanning, spam filtering, IPS, and blocking of all P2P traffic. FortiGuard web filtering is also used to block advertising, malware, and spyware sites.
Policies are configured in Firewall > Policy. Protection Profiles are configured in Firewall > Protection Profile. Main office “staff to Internet” policy:
Source Interface: Internal
Source Address
Destination Interface: External
Destination Address
Schedule: Always
Action: Accept
Source Address: Branch Staff
Destination Interface
Destination Address: Servers
Schedule: Always
Action: Accept
For more information about these examples, see:
• SOHO and SMB Configuration Example Guide
• FortiGate Enterprise Configuration Example
Valid IP address and netmask formats include:
• x.x.x.x/x.x.x.x, such as 192.168.1.0/255.255.255.0
• x.x.x.x/x, such as 192.168.1.0/24
Note: An IP address 0.0.0.0 with netmask 255.255.255.255 is not a valid firewall address.
(the down arrow) located in the Create New button, then select IPv6 Address, to configure an IPv6 firewall address. For more information on enabling IPv6 support, see “Settings” on page 228. Name The name of the firewall address.
Select the interface, zone, or virtual domain (VDOM) link to which you want to bind the IP address. Select Any if you want to bind the IP address with the interface/zone when you create a firewall policy.
To organize addresses into an address group
1 Go to Firewall > Address > Group.
2 Select Create New.
3 Complete the following:
Tip: You can also create firewall address groups when configuring a firewall policy: Go to Firewall > Policy, select the appropriate policy tab and then Create New. From the Source Address list, select Address Group > Create New.
For more information, see “Configuring custom services” on page 357. To view the predefined service list, go to Firewall > Service > Predefined. Figure 210: Predefined service list
approved by the International Telecommunication Union (ITU) defining how audiovisual conferencing data can be transmitted across networks (ports 1720, 1503, 1719). For more information, see the FortiGate Support for H.323 Technical Note.
Internet as the transmission medium. ONC-RPC Open Network Computing Remote Procedure Call. ONC-RPC is a widely deployed remote procedure call system. OSPF Open Shortest Path First. OSPF is a common link state routing protocol.
Samba daemon. SCCP Skinny Client Control Protocol. SCCP is a Cisco proprietary standard for terminal control for use with voice over IP (VoIP). Port: 2000.
161-162
SOCKS SOCKetS. SOCKS is an Internet protocol that allows client-server applications to transparently use the services of a network firewall. Port: 1080.
If you need to create a firewall policy for a service that is not in the predefined service list, you can add a custom service. To view the custom service list, go to Firewall > Service > Custom.
Specify the source port number range for the service by entering the low and high port numbers. If the service uses one port number, enter this number in both the Low and High fields. The default values allow the use of any source port.
4 Complete the fields in the following table and select OK. Figure 214: New Custom Service - IP
Name Enter a name for the IP custom service.
Protocol Type Select IP.
Protocol Number Enter the IP protocol number for the service.
Tip: You can also create custom service groups when you configure a firewall policy. Go to Firewall > Policy, select the appropriate policy tab and then Create New. From the Service list, select Service Group > Create New.
Available Services Use the arrows to move selected services between this list and Members.
Members The list of services in the group. Use the arrows to move selected services between this list and Available Services.
The name of the recurring schedule. The initials of the days of the week on which the schedule is active.
Start The start time of the recurring schedule.
Stop The stop time of the recurring schedule.
Create New Add a one-time schedule.
Name The name of the one-time schedule.
Start The start date and time for the schedule.
Stop The stop date and time for the schedule.
Tip: You can also create one-time schedules when you configure a firewall policy. Go to Firewall > Policy, select the appropriate policy tab and then Create New. From the Schedule list, select One-time > Create New.
In Transparent mode, virtual IPs are available from the FortiGate CLI. Inbound connections Virtual IPs can be used in conjunction with firewall policies whose Action is not DENY to apply bidirectional NAT, also known as inbound NAT.
Server load balancing requires that you configure at least one “real” server, but can use up to eight. Real servers can be configured with health check monitors. Health check monitors can be used to gauge server responsiveness before forwarding packets.
IP address, except in its session table. The web server has no indication that another network exists. As far as the server can tell, all packets are sent by the FortiGate unit.
For example, if a network interface’s IP address is 10.10.10.1, and its bound virtual IP’s external IP is 10.10.10.2, mapping inbound traffic to the private network IP address 192.168.2.1, traffic outbound from 192.168.2.1 will be translated to 10.10.10.2, not 10.10.10.1.
Remove the virtual IP from the list. The Delete icon only appears if the virtual IP is not selected in a firewall policy. Edit icon Edit the virtual IP to change any virtual IP option including the virtual IP name.
IP address range and adds the IP address range to the External IP Address/Range field. This option appears only if Type is Static NAT. Port Forwarding Select to perform port address translation (PAT).
• “Adding static NAT port forwarding for an IP address range and a port range” on page 377
• “Adding dynamic virtual IPs” on page 378
• “Adding a virtual IP with port translation only” on page 379
FortiGate unit is connected to the Internet and the dmz1 interface is connected to the DMZ network. Figure 227: Virtual IP options: static NAT virtual IP for a single IP address
Name static_NAT
External Interface wan1
Type Static NAT
192.168.37.6 are translated and sent to 10.10.10.44. The computers on the Internet are unaware of this translation and see three computers with individual IP addresses rather than a FortiGate unit with a private network behind it.
Address/Range The IP address range of the servers on the internal network. Define the range by entering the first address of the range in the first field and the last address of the range in the second field.
4 Select OK.
To add static NAT virtual IP port forwarding for a single IP address and a single port
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
IP to the dmz network IP addresses of the web servers.
1 Go to Firewall > Policy and select Create New.
2 Configure the firewall policy:
DMZ network. In this example, the external interface of the FortiGate unit is connected to the Internet and the dmz1 interface is connected to the DMZ network.
Name Port_fwd_NAT_VIP_port_range
External Interface external
Type Static NAT
External IP address must be set to 0.0.0.0 so the External IP address matches any IP address. To add a dynamic virtual IP
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
3 Enter a name for the dynamic virtual IP.
The external service port number must match the destination port of the packets to be forwarded. For example, if the virtual IP provides PPTP passthrough access from the Internet to a PPTP server, the external service port number should be 1723 (the PPTP port).
VIP group, go to Firewall > Virtual IP > VIP Group and select the Edit icon for the VIP group to edit. Enter the information as described below, and select OK.
A single IP address is entered normally. For example, 192.168.110.100 is a valid IP pool address. If an IP address range is required, use either of the following formats.
• x.x.x.x-x.x.x.x, for example 192.168.110.100-192.168.110.120
• x.x.x.[x-x], for example 192.168.110.[100-120]
If you use fixed port in such a case, the FortiGate unit preserves the original source port. But conflicts may occur since users may have different sessions using the same TCP 5-tuples.
Original address Change to
192.168.1.1 172.16.30.10
Edit icon Select to edit the following information: Name, Interface, IP Range/Subnet. Configuring IP Pools To add an IP pool, go to Firewall > Virtual IP > IP Pool.
IP to translate the destination port from 8080 to 80. To create an IP pool
1 Go to Firewall > Virtual IP > IP Pool.
Use the following steps to configure NAT in Transparent mode:
• Adding two management IPs
• Adding an IP pool to the wan1 interface
• Adding an internal to wan1 firewall policy
edit 1
    set srcintf "internal"
    set dstintf "wan1"
    set srcaddr "all"
    set dstaddr "all"
    set action accept
    set schedule "always"
    set service "ANY"
    set nat enable
    set ippool enable
    set poolname nat-out
Note: You can add the firewall policy from the web-based manager and then use the CLI to enable NAT and add the IP Pool.
IP address. Figure 239: Virtual server and real servers setup (diagram labels: Internet/Intranet, User, FortiGate unit (Virtual Server/Load Balancer), LAN/WAN, Real Server, Real Server, Real Server)
CLI under config firewall vip.
• SSL Session ID: Persistence time is equal to the SSL sessions. SSL session states are set in CLI under config firewall vip.
IP address. If this option is not selected, the header will contain the IP address of the FortiGate unit. This option appears only if HTTP or HTTPS are selected for Type, and is available only if HTTP Multiplexing is selected.
Select the blue arrow beside a virtual server name to view the IP addresses of the real servers that are bound to it. Port The port number on the destination network to which the external port number is mapped.
Matched Content Enter the HTTP reply content that must be present to indicate proper server connectivity. This option appears only if Type is HTTP. Interval Enter the number of seconds between each server health check.
Display the traffic processed by each real server. Graceful Stop/Start Select to start or stop real servers. When stopping a server, the FortiGate unit will not accept new sessions but will wait for the active sessions to finish.
586. You can use protection profiles to configure:
• antivirus protection
• web filtering
• FortiGuard Web Filtering
• spam filtering
• data leak prevention sensor
• dashboard statistics
If a FortiAnalyzer unit is configured, files are quarantined remotely. Quarantine permits system administrators to inspect, recover, or submit quarantined files to Fortinet for analysis. Apply virus scanning and web content blocking to HTTP traffic. Add this protection profile to firewall policies that control HTTP traffic.
• HTTPS, IMAPS, POP3S, and SMTPS antivirus, DLP, and content archiving
• HTTPS web filtering and FortiGuard web filtering
• IMAPS, POP3S, and SMTPS spam filtering
• re-encrypts the sessions and forwards them to their destinations.
Two encrypted SSL sessions are set up, one between the client and the FortiGate unit, and a second one between the FortiGate unit and the server. Inside the FortiGate unit the packets are decrypted.
If you want the certificate to have a different name, change these file names. 8 Add the imported signing CA certificate to the SSL content scanning and inspection configuration. Use the following CLI command if the certificate name is Example_CA.
HTTP POST Action Go to Firewall > Protection Profile. Add or edit a protection profile and configure Web Filtering for HTTPS. For more information, see “Web Filtering options” on page 411.
To view archived content go to Log&Report > Content Archive. Select Web to view HTTPS content. Select E-mail to view IMAPS, POP3S, and SMTPS content. For more information, see “Content Archive” on page 667.
If the default protection profiles do not provide the settings required, you can create custom protection profiles. To add a protection profile, go to Firewall > Protection Profile and select Create New. Figure 250: New Protection Profile (callout: Expand Arrow)
80 for HTTP). You can edit the settings for each content protocol and select inspection for all port numbers for that protocol, or select one or more port numbers to monitor for that protocol.
Note: If your FortiGate unit supports SSL content scanning and inspection, you must set HTTPS Content Filtering Mode to Deep Scan before you can configure additional HTTPS content scanning protection profile options.
Edit icon beside an existing protection profile. Then select the Expand Arrow beside Anti-Virus, enter the information as described below, and select OK. For more antivirus configuration options, see “AntiVirus” on page 439.
File Filter Select to filter files, then under Option, specify a file filter, which can consist of file name patterns and file types. For more information, see “File Filter” on page 443.
Quarantine Select for each protocol to quarantine suspect files for later inspection or submission to Fortinet for analysis. This option appears only if the FortiGate unit has a hard drive or a configured FortiAnalyzer unit, and will take effect only if you have first enabled and configured the quarantine.
HTTP client: If the file does not contain a virus, the FortiGate unit sends the rest of the file to the client. If the file is infected, the FortiGate unit closes the data connection but cannot send a message to the client.
Note: If your FortiGate unit does not support SSL content scanning and inspection, or if you have set HTTPS Content Filtering Mode to URL Filtering, you can only select URL filtering and blocking invalid URLs for HTTPS.
“URL filter” on page 483. Web URL filter list Select the URL filter list to add to this protection profile. For more information, see “Creating a new URL filter list” on page 484.
FortiGate unit does not support SSL content scanning and inspection, or if you have set HTTPS Content Filtering Mode to URL Filtering, you have fewer options for HTTPS. See the field descriptions below for details.
Then select the Expand Arrow beside Web Filtering and scroll down to FortiGuard Web Filtering. Enter the information as described below, and select OK. Figure 258: Protection Profile FortiGuard Web Filtering options
HTTPS if your FortiGate unit supports SSL content scanning and inspection. Allow websites when a rating error occurs Allow web pages that return a rating error from the web filtering service.
If the IP address is found, FortiGuard Antispam terminates the session. If FortiGuard Antispam does not find a match, the email server sends the email to the recipient. With the URL filter, FortiGuard Antispam checks the body of email messages to
Note: Some popular email clients cannot filter messages based on the MIME header. For these clients, select to tag email message subject lines instead. Figure 260: Protection Profile Spam Filtering options
“Creating a new antispam email address list” on page 504. Return e-mail DNS check Select to enable checking that the domain specified in the reply-to or from address has an A or MX record.
You apply data leak prevention (DLP) to traffic by selecting a data leak prevention sensor. You can use DLP to prevent sensitive data from leaving your network and to provide content archiving.
New to add a protection profile, or the Edit icon beside an existing protection profile. Then select the Expand Arrow beside Application Control and select the application control list to add to the protection profile.
To configure Logging options, go to Firewall > Protection Profile. Select Create New to add a protection profile, or the Edit icon beside an existing protection profile. Then select the Expand Arrow beside Logging, enter the information as described below, and select
Intrusions Log Intrusions Select to log IPS signature and anomaly events.
Application Control Log Application Control Select to log Application Control events.
Data Leak Prevention Sensor Log DLP Select to log DLP events.
If multiple users start multiple communication sessions using the same policy, all of these sessions must share the bandwidth available for the policy.
Since packets must be received by the FortiGate unit before they are subject to traffic shaping, if the FortiGate unit cannot process all of the traffic it receives, then dropped packets, delays, and latency are likely to occur.
Guaranteed Bandwidth: Select a value to ensure there is enough bandwidth available for a high-priority service. Be sure that the sum of all Guaranteed Bandwidth values in all firewall policies is significantly less than the bandwidth capacity of the interface.
Be sure to enable traffic shaping on all firewall policies. If you do not apply any traffic shaping rule to a policy, the policy is set to high priority by default. Distribute firewall policies over all three priority queues.
3 Select OK.
Description Protocol (SDP) messages that allow participants to agree on a set of compatible media types. SIP applications are based on a client-server structure and support user mobility with two operating modes: proxy and redirect.
[Figure: SIP call flow between SIP Client A (a@example.com) and SIP Client B (b@example.com). Steps shown include 1. SIP clients register with SIP server; RTP Session, phone rings; 6. RTP session opens when Client B answers.]
“Firewall Policy” on page 319.
Figure 272: SIP source NAT. The SIP service provider has a SIP server (217.10.79.9) and a separate RTP server (217.10.69.11); other addresses in the figure are 217.233.122.132 (Internet side) and 10.72.0.57.
FortiGate unit (217.233.90.60) and the FortiGate unit then translates the SIP contact header to the SIP server (10.0.0.60). The SIP server also changes the SIP/SDP connection information (which tells the SIP phone which RTP IP it should contact) to 217.233.90.60.
IP address or interface. The FortiGate unit segments the VoIP network, separating the voice traffic from other traffic to ensure that appropriate priority and policies are applied.
6 Make sure the application control list is selected in a protection profile and that the protection profile is added to a firewall policy. For more information about application control, see “Application Control” on page 523.
SIP and SCCP traffic that you expect the FortiGate unit to be handling. You can adjust the settings if some calls are lost or if the amount of SIP or SCCP traffic is affecting FortiGate unit performance.
RTP is bypassed. Therefore, no pinholes need to be created. From the CLI, type the following commands:
    config application list
        edit <list_name>
            config entries
                edit 12
                    set rtp disable
    config application list
        edit <list_name>
            config entries
                edit 12
                    set preserve-override {enable | disable}
where selecting enable removes the original source IP address from the SDP i line and disable appends the address.
From the CLI, type the following commands:
    config application list
        edit <list_name>
            config entries
                edit 12
                    set contact-fixup {enable | disable}
Note: File filter includes file pattern and file type scans which are applied at different stages in the antivirus process.
This task checks if files and email messages exceed configured thresholds. It is enabled by setting the Oversized File/Email option under Firewall > Protection Profile > Antivirus to Pass. For more information, see “Anti-Virus options” on page 407.
If the file passes the file pattern scan, it will have a virus scan applied to it. The virus definitions are kept up to date through the FortiNet Distribution Network. The list is updated on a regular basis so you do not have to wait for a firmware upgrade. For more information on updating virus definitions, see “FortiGuard antivirus”...
protocol. View and sort the list of quarantined files, configure file patterns to upload automatically to Fortinet for analysis, and configure quarantining options in AntiVirus. File Quarantine is only available on units with a local disk, or with a configured FortiAnalyzer unit. Pass fragmented email messages.
The FortiGate unit can take actions against the following file types:
• Visual Basic files (*.vb?)
• screen saver files (*.scr)
• program information files (*.pif)
• control panel files (*.cpl)
407. Creating a new file filter list To add a file pattern list to the file pattern list catalog, go to UTM > AntiVirus > File Filter and select Create New.
Select to move the file pattern or type to any position in the list. Configuring the file filter list For file patterns, you can add a maximum of 5000 patterns to a list. For file types, you can only select from the supported types.
View the file name and status information about the file in the Quarantined Files list. Submit specific files and add file patterns to the AutoSubmit list so they will automatically be uploaded to Fortinet for analysis. FortiGate units can also quarantine blocked and infected files to a FortiAnalyzer unit. Files stored on the FortiAnalyzer unit can also be viewed from the Quarantined Files list.
This value indicates the time that the first file was quarantined if the duplicate count increases. Service: The service from which the file was quarantined (HTTP, FTP, IMAP, POP3, SMTP, IM, NNTP, IMAPS, POP3S, SMTPS, or HTTPS).
The TTL information is not available if the files are quarantined on a FortiAnalyzer unit. Upload status: Y indicates the file has been uploaded to Fortinet for analysis, N indicates the file has not been uploaded. This option is available only if the FortiGate unit has a local hard disk.
Figure 283: New File Pattern dialog box
File Pattern: Enter the file pattern or file name to be uploaded automatically to Fortinet.
Enable: Select to enable the file pattern.
Note: To enable automatic uploading of the configured file patterns, go to AntiVirus >...
Select either Heuristics or Block Pattern. Heuristics is configurable through the CLI only. See “Antivirus CLI configuration” on page 453. Apply: Select to save the configuration.
Figure 286: Notification lists
Figure 289: Virus database information
Usually the FortiGuard AV definitions are updated automatically from the FortiGuard Distribution Network (FDN). Go to System > Maintenance > FortiGuard to configure automatic antivirus definition updates from the FDN.
Download: Block download programs. Download components are usually run at Windows startup and are designed to install or download other software, especially advertising and dial software.
CPUs, making scanning faster. This feature is available on models numbered 1000 and higher. For more information, see the Antivirus failopen and optimization Fortinet Knowledge Center article.
config antivirus heuristic
The FortiGate heuristic antivirus engine performs tests on files to detect virus-like behavior or known virus indicators.
This feature is available on models numbered 200 and higher.
config antivirus service <service_name>
Use this command to configure how the FortiGate unit handles antivirus scanning of large files, and what ports the FortiGate unit scans for the service.
The FortiGate Intrusion Protection system matches network traffic against patterns contained in attack signatures. Attack signatures reliably protect your network from known attacks. Fortinet’s FortiGuard infrastructure ensures the rapid identification of new threats and the development of new attack signatures.
If required, you can override the default settings of the signatures specified in an IPS sensor. The FortiGate unit provides a number of pre-built IPS sensors, but you should check their settings before using them, to ensure they meet your network requirements.
Column Settings: Select to customize the signature information displayed in the table. You can also readjust the column order. For more information, see “Using column settings to control the columns displayed” on page 58 and “Web-based manager icons” on page
2 Select the filter icon beside any column name in the signature table.
3 In Edit Filters, specify the filtering criteria. The criteria will vary depending on the column name.
4 Select the Enable check box.
5 Select OK.
For more information on custom signature syntax, see the FortiGate Intrusion Protection System (IPS) Guide. Note: Custom signatures are an advanced feature. This document assumes the user has previous experience creating intrusion detection signatures.
UTM > Intrusion Protection > Protocol Decoder. The decoder list is provided for your reference and can be configured using the CLI. For more information, see the FortiGate Reference.
Figure 294: The protocol decoder list
The name of each IPS sensor. Comments: An optional description of the IPS sensor. Delete and Edit icons: Delete or edit an IPS sensor. Five default IPS sensors are provided with the default configuration.
To view an IPS sensor, go to UTM > Intrusion Protection > IPS Sensor and select the Edit icon of any IPS sensor. The Edit IPS Sensor window is divided into three parts: the sensor attributes, Filters, and Overrides.
Insert icon: Create a new filter and insert it above the current filter. Move to icon: After selecting this icon, enter the destination position in the window that appears, and select OK.
Select All, or select Specify and then one or more severity ratings. Severity defines the relative importance of each signature. Signatures rated critical detect the most dangerous attacks while those rated as info pose a much smaller threat.
If you wanted to disable one of those signatures, the simplest way would be to create an override and mark the signature as disabled.
“NAC quarantine and the Banned User list” on page 595.
Attackers (to Banned Users List): The FortiGate unit deals with the attack according to the IPS sensor or DoS sensor configuration regardless of this setting.
For example, if packet-log-history is set to , the FortiGate unit will save the packet containing the IPS signature and the six before it.
3 Select the Attack Log log type.
4 Select the Packet Log icon of the log entry you want to view. The IPS Packet Log Viewer window appears.
Figure 300: Log entry with packet log icon
If this sensor is at the top of the list, no subsequent sensors will ever execute. The traffic anomaly detection list can be updated only when the FortiGate firmware image is upgraded.
DoS sensor, or select Create New to create a new DoS sensor. Note: You can configure NAC quarantine for DoS sensors from the FortiGate CLI. For more information, see “Configuring NAC quarantine” on page 596.
The IP address of the traffic destination. 0.0.0.0/0 matches all addresses. If the FortiGate unit is running in transparent mode, 0.0.0.0/0 also includes the management IP address.
Destination Port: The destination port of the traffic. 0 matches any port.
If for any reason the IPS should cease to function, it will fail open by default. This means crucial network traffic will not be blocked, and the FortiGate unit will continue to operate while the problem is being resolved.
Intrusion protection CLI configuration
ips global socket-size: Set the size of the IPS buffer.
How web filtering works
The following information shows how the filters interact with each other and how to use them to your advantage.
413. Rating corrections as well as suggesting ratings for new pages can be submitted on the FortiGuard Center web page. Visit the Fortinet Knowledge Center for details and a link to the FortiGuard Center. The following tables compare web filtering options in protection profiles and the web filter menu.
Web resume Download Block: Enable to block downloading the remainder of a file that has already been partially downloaded. Enabling this option prevents the unintentional download of virus files, but can cause download interruptions.
/i. For example, /bad language/i blocks all instances of bad language regardless of case. Wildcard patterns are not case sensitive.
The score for a pattern is applied only once even if it appears on the page multiple times.
To add or edit a content block pattern go to UTM > Web Filter > Web Content Block and select Create New or select the Edit icon of the web content block list you want to view.
The number of content patterns in each web content block list. Profiles: The protection profiles each web content block list has been applied to. Comment: Optional description of each web content block list.
Web content exempt list name. To change the name, edit text in the name field and select OK. Comment: Optional comment. To add or edit a comment, enter text in the comment field and select OK.
FortiGate unit allows or blocks web pages matching any specified URLs or patterns and displays a replacement message instead. Note: Enable Web filtering > Web URL Filter in a firewall Protection Profile to activate the URL filter settings.
Creating a new URL filter list
Different FortiGate models support different maximum numbers of URL filter lists. For details, see the FortiGate Maximum Values Matrix in Fortinet’s Knowledge Center web site http://kc.forticare.com. To add a URL filter list to the URL filter list catalog go to UTM > Web Filter > URL Filter.
URLs with this suffix. To add a URL to the URL filter list go to UTM > Web Filter > URL Filter. Select Create New or edit an existing list.
To control access to all pages with a URL that ends with example.com, add example.com to the filter list. For example, adding example.com controls access to www.example.com, mail.example.com, www.finance.example.com, and so
Enter the URL before or after which the new URL is to be located in the list.
FortiGuard - Web Filter
FortiGuard Web Filtering is a managed web filtering solution provided by Fortinet. FortiGuard Web Filtering sorts hundreds of millions of web pages into a wide range of categories users can allow, block, or monitor.
This button is not available under User Overrides. Return: Select to return to the override category page. Clear All icon: Select to clear the table. URL/Category: The URL or category to which the override applies.
Enter the name of the user selected in Scope. User Group: Select a user group from the dropdown list. User groups must be configured before FortiGuard Web Filtering configuration. For more information, see “User Group” on page 583.
Scope: Select one of the following: User, User Group, IP, or Profile. Depending on the option selected, a different option appears below Scope.
Select the gray funnel to open the Category Filter dialog box. When the list has been filtered, the funnel changes to green.
URL block list is processed. The local ratings override the FortiGuard server ratings and appear in reports as “Local Category”. To create a local rating go to UTM > Web Filter > Local Ratings.
Web Filtering Service Point name cannot be changed using the web-based manager. Configure all FortiGuard Web Filtering settings using the CLI. For more information, see the FortiGate CLI Reference for descriptions of the webfilter fortiguard keywords.
If the action in the filter is Mark as Clear, the email is exempt from any remaining filters. If the action in the filter is Mark as Reject, the email session is dropped. Rejected SMTP or SMTPS email messages are substituted with a configurable replacement message.
System > Maintenance > FortiGuard: Configure the FortiGuard Antispam service. Enable FortiGuard Antispam, check the status of the FortiGuard Antispam server, view the license type and expiry date, and configure the cache. For
Fortinet has its own DNSBL server for FortiGuard Antispam that provides spam IP address and URL blacklists.
You can configure the language and whether to search the email body, subject, or both. You can configure the action to take as spam or clear for each word. Spam Action
Edit, Delete. Create New: Add a new list to the catalog. For more information, see “Creating a new banned word list” on page 499. Name: The available antispam banned word lists.
To view the banned word list, go to UTM > AntiSpam > Banned Word and select the Edit icon of the banned word list you want to view.
Figure 326: Sample banned word list (Remove All Entries, Edit, Delete, Current Page)
“Using wildcards and Perl regular expressions” on page 506. Language: Select the character set for the banned word. Where: Select where the FortiGate unit should search for the banned word: Subject, Body, or All.
Creating a new antispam IP address list
To add an antispam IP address list to the antispam IP address list catalog, go to UTM > AntiSpam > IP Address and select Create New.
Reject (SMTP or SMTPS) to drop the session. If an IP address is set to reject but mail is delivered from that IP address via POP3 or IMAP, the email messages will be marked as spam.
Figure 331: Sample antispam email address list catalog
Edit, Delete. Create New: Create a new antispam address list. Name: Antispam email address lists. # Entries: The number of entries in each antispam email address list.
OK. Comments: Optional comment. To add or edit a comment, enter text in the comment field and select OK. Create New: Add an email address to the email address list.
The FortiGate unit compares the MIME header key-value pair of incoming email to the list pair in sequence. If a match is found, the corresponding action is taken. If no match is found, the email is passed on to the next spam filter.
In Perl regular expressions, the ‘.’ character refers to any single character. It is similar to the ‘?’ character in a wildcard match pattern. As a result:
• fortinet.com not only matches fortinet.com but also fortinetacom, fortinetbcom, fortinetccom, and so on.
Note: To add a question mark (?) character to a regular expression from the FortiGate CLI, enter Ctrl+V followed by ?. To add a single backslash character (\) to a regular expression from the CLI you must precede it with another backslash character.
('i', 'x', etc). An error occurs if the second '/' is missing. In regular expressions, the leading and trailing space is treated as part of the regular expression.
Example regular expressions
Block any word in a phrase: /block|any|word/
The following phrases are some examples of common phrases found in spam messages.
/try it for free/i
/student loans/i
/you’re already approved/i
/special[\+\-\*=<>\.\,;!\?%&~#§@\^°\$£€\{\}()\[\]\|\\_1]offer/i
Figure 335: MMS Message Flood
Figure 336: MMS Duplicate Message
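The following Python example, added here and not part of the guide or of FortiOS, models the banned word matching rules described above: wildcard patterns where ? is one character and * is any run (always case-insensitive, with . literal), and Perl patterns in /expression/flags form where the closing slash is mandatory and spaces inside the slashes count. The entries, messages and the first-match action model are constructed assumptions for illustration.

```python
import re

# Constructed sample banned word entries (not from the guide). Each entry carries the
# fields the banned word list exposes: the pattern, its type (wildcard or regexp),
# where to search (Subject, Body, or All) and the action (spam or clear).
ENTRIES = [
    {"pattern": "/student loans/i", "type": "regexp", "where": "subject", "action": "spam"},
    {"pattern": r"/special[\+\-\*=<>\.\,;!\?%&~#§@\^°\$£€\{\}()\[\]\|\\_1]offer/i",
     "type": "regexp", "where": "all", "action": "spam"},
    {"pattern": "newsletter*", "type": "wildcard", "where": "subject", "action": "clear"},
]

# Constructed sample messages (not from the guide).
MESSAGES = [
    {"subject": "Student Loans today", "body": "Apply now."},
    {"subject": "Special*Offer", "body": "Limited time."},
    {"subject": "Newsletter issue 12", "body": "Our monthly update."},
    {"subject": "Meeting notes", "body": "Notes from fortinetacom attached."},
]

# Which message fields each "Where" setting covers.
WHERE_FIELDS = {"subject": ("subject",), "body": ("body",), "all": ("subject", "body")}


def wildcard_to_regex(pattern):
    """Wildcard match: '?' is any single character and '*' any run of characters;
    every other character, including '.', is literal. Wildcard patterns are not
    case sensitive, so IGNORECASE is always set."""
    parts = []
    for ch in pattern:
        if ch == "?":
            parts.append(".")
        elif ch == "*":
            parts.append(".*")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


def perl_to_regex(pattern):
    """Parse the /expression/flags form. The closing '/' is mandatory and any
    leading or trailing space between the slashes is part of the expression."""
    if not pattern.startswith("/"):
        raise ValueError("regular expression must start with '/'")
    end = pattern.rfind("/")
    if end == 0:
        raise ValueError("second '/' is missing")
    expression, flag_chars = pattern[1:end], pattern[end + 1:]
    flag_map = {"i": re.IGNORECASE, "x": re.VERBOSE}
    flags = 0
    for ch in flag_chars:
        if ch not in flag_map:
            raise ValueError("unsupported flag %r" % ch)
        flags |= flag_map[ch]
    return re.compile(expression, flags)


def is_valid_perl_pattern(pattern):
    """True when the pattern parses; False for the missing-slash error the guide mentions."""
    try:
        perl_to_regex(pattern)
        return True
    except (ValueError, re.error):
        return False


def compile_entry(entry):
    if entry["type"] == "wildcard":
        return wildcard_to_regex(entry["pattern"])
    return perl_to_regex(entry["pattern"])


def scan_message(message, entries):
    """Return the action of the first entry whose pattern matches in its configured
    location, or None when no entry matches (assumed first-match semantics)."""
    for entry in entries:
        regex = compile_entry(entry)
        for field in WHERE_FIELDS[entry["where"]]:
            if regex.search(message[field]):
                return entry["action"]
    return None


def scan_all(messages, entries):
    return [scan_message(m, entries) for m in messages]


if __name__ == "__main__":
    for message, action in zip(MESSAGES, scan_all(MESSAGES, ENTRIES)):
        print("%-25s -> %s" % (message["subject"], action))
```

Note that the wildcard form of fortinet.com does not match fortinetacom, while the same text used as a Perl regular expression does, which is the distinction the text above draws.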
FortiGate unit. This section describes how to configure the DLP settings. If you enable virtual domains (VDOMs) on the Fortinet unit, data leak prevention is configured separately for each virtual domain. For details, see “Using virtual domains”...
Edit icon of the sensor to be configured. A list of the DLP rules and DLP compound rules included in the DLP sensor is displayed. A newly created sensor will include no rules.
Create New. To edit a rule already included in the sensor, select the edit icon of the sensor you want to edit.
Figure 339: Adding a DLP rule to a DLP sensor
Type: Select Rule or Compound Rule. The rules of the selected type will be displayed in the table below. Name: The names of all available rules or compound rules. Description: The optional description entered for each rule or compound rule.
If a compound rule is used in a compound rule or a sensor, the delete icon will not be available. Remove the compound rule from the compound rule or sensor and then delete it.
Go to UTM > Data Leak Prevention > Rule. To add a new rule, select Create New. To edit an existing rule, select the edit icon of the rule to be changed.
SMTPS, IMAPS, POP3S or any combination of these protocols. For more information about SSL content scanning and inspection, see “Configuring SSL content scanning and inspection” on page 402.
This option is available for FTP, HTTP, IM, and NNTP. Hostname: Search for the specified host name when contacting an HTTP server. HTTP header: Search for the specified string in HTTP headers.
Each included rule is configured with a single attribute, but every attribute must be present before the rule is activated. For example, create two rules and add them to a sensor:
• Rule 1 checks SMTP traffic for a sender address of spammer@example.com
Go to UTM > Data Leak Prevention > Compound. To add a new compound rule, select Create New. To edit an existing compound rule, select the edit icon of the compound rule to be changed.
Figure 343: DLP compound rule (Add rule)
Select the rule to include in the compound rule. Add Rule: Select the Add Rule icon to have another rule selection appear. This way, multiple rules may be added to the compound rule.
Add application control lists to protection profiles applied to the network traffic you need to monitor.
FortiGuard application control database
Fortinet is constantly increasing the list of applications that application control can detect by adding applications to the FortiGuard Application Control Database.
Create New. Enter a name and optionally, a comment or description. Select OK. Since a new application control list is blank, the list edit window appears. For information on creating application control list entries, see “Configuring an application control list” on page 525.
Action: Select the action the FortiGate unit takes with other application traffic. Select whether the FortiGate unit will log other application traffic. Create New: Select to create a new application entry.
If Application is all, every application in the selected category is included. Action: If the FortiGate unit detects traffic from the specified application, the selected action will be taken. Options
You can use these statistics to gain insight into how the protocols are being used within your network. To view these statistics, go to UTM > Application Control > Statistics.
(Files) Sent • (Files) Received • (Files) Blocked.
Voice Chat: For each IM protocol, the following voice chat information is listed:
• (Voice chats) Since Last Reset
• (Voice chats) Blocked.
Block action will not be reflected.
VoIP Usage: For SIP and SCCP protocol, the following information is listed:
• Active Sessions (phones connected, etc)
• Total Calls (since last reset)
• Calls Failed/Dropped
• Calls Succeeded
3 Create a firewall policy to permit communication between your private network and the VPN. For a policy-based VPN, the firewall policy action is IPSEC. For an interface- based VPN, the firewall policy action is ACCEPT. See “Configuring firewall policies” on page 323. FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback...
Put all the IPSec interfaces in a zone and enable intra-zone traffic. There must be more than one IPSec interface in the zone. For more information and an example, see the FortiGate IPSec VPN User Guide.
The names of the local interfaces to which IPSec tunnels are bound. These can be physical, aggregate, VLAN, inter-VDOM link or wireless interfaces.
Delete and Edit icons: Delete or edit a phase 1 configuration.
IP Address: If you selected Static IP Address, type the IP address of the remote peer.
Dynamic DNS: If you selected Dynamic DNS, type the domain name of the remote peer.
If the remote peer is a FortiClient dialup client, the identifier is specified in the Local ID field, accessed by selecting Config in the Policy section of the VPN connection’s Advanced Settings.
Create Phase 1, and then select Advanced. For information about how to choose the correct advanced phase 1 settings for your particular situation, see the FortiGate IPSec VPN User Guide.
MD5 — Message Digest 5, the hash algorithm developed by RSA Data Security. SHA1 — Secure Hash Algorithm 1, which produces a 160-bit message digest. To specify a third combination, use the Add button beside the fields for the second combination.
The basic phase 2 settings associate IPSec phase 2 parameters with the phase 1 configuration that specifies the remote end point of the VPN tunnel. In most cases, you need to configure only basic phase 2 settings.
Auto Key (IKE), select Create Phase 2, and then select Advanced. For information about how to choose the correct advanced phase 2 settings for your particular situation, see the FortiGate IPSec VPN User Guide.
Figure 354: Phase 2 advanced settings
Note: You can configure settings so that VPN users can browse the Internet through the FortiGate unit. For more information, see “Internet browsing configuration” on page 544.
Note: You should use manual keys only if it is unavoidable. There are potential difficulties in keeping keys confidential and in propagating changed keys to remote VPN peers securely. For general information about how to configure an IPSec VPN, see the FortiGate IPSec VPN User Guide.
To specify manual keys for creating a tunnel, go to VPN > IPSEC > Manual Key and select Create New.
Figure 356: New Manual Key
Create a virtual interface for the local end of the VPN tunnel. Select this check box to create a route-based VPN, clear it to create a policy-based VPN.
Mode: This is available only in NAT/Route mode.
“spokes”. The hub functions as a concentrator on the network, managing all VPN connections between the spokes. VPN traffic passes from one tunnel to the other through the hub. You define a concentrator to include spokes in the hub-and-spoke configuration.
Monitoring VPNs To view active VPN tunnels, go to User > Monitor > IPSEC. For more information, see “IPSEC monitor list” on page 592.
PPTP configuration using FortiGate web-based manager To configure the PPTP tunnel, create a customized screen in the web-based manager. The PPTP Range tab is found under the Categories heading as a selection in the Additional category:
Apply. Note: The start and end IPs in the PPTP address range must be in the same 24-bit subnet, e.g. 192.168.1.1 - 192.168.1.254.
<address_ipv4>
ip-mode {range | usrgrp}
local-ip <address_localip>
sip <address_ipv4>
status {disable | enable}
usrgrp <group_name>
Variables / Description / Default
eip <address_ipv4>: The ending address of the PPTP address range. Default: 0.0.0.0
Default: 0.0.0.0
ip-mode {range | usrgrp}: Enable to have the PPTP client retrieve the IP address from the PPTP user group or select an IP address from the pre-configured IP address range.
Internet through the FortiGate unit. SSL VPN tunnel-mode access requires the following firewall policies:
• External > Internal, with the action set to SSL, with an SSL user group
Select the signed server certificate to use for authentication purposes. If you leave the default setting (Self-Signed), the FortiGate unit offers its factory installed (self-signed) certificate from Fortinet to remote clients when they connect. Require Client Certificate If you want to enable the use of group certificates for authenticating remote clients, select the check box.
Tunnel IP: IP address that the FortiGate unit assigned to the remote client.
Action: Select the action to apply to the current SSL VPN tunnel session or subsession.
Delete icon: Delete the current session or subsession.
To use a default SSL VPN web portal configuration, select the Edit icon next to the web portal in the Portal list. The SSL VPN web portal you select will appear.
Figure 363: Default web portals (Edit button; default full-access, tunnel-access and web-access web portals)
Use the Advanced tab to configure advanced settings that monitor the SSL VPN clients and apply other advanced settings. To edit settings for an existing web portal configuration, select Settings > Advanced to open the Advanced tab.
Windows 2000 Action - Select the action for the FortiGate unit to take if the client operating system is Windows 2000 or XP: Allow, Deny, or Check Windows XP Latest Version.
Active when SSL VPN web portal is activated by user.
Add Widget list: Select to add a widget to the SSL VPN web portal configuration.
Telnet, VNC, and RDP all pop up a window that requires a browser plug-in. FTP and Samba replace the bookmarks page with an HTML file-browser.
Bookmark added
Edit: Select to edit the general configuration information in the Bookmarks widget.
Remove widget: Select to close the Bookmarks widget and remove it from the web portal home page.
Bookmarks widget.
Cancel: Select to exit the Bookmarks Add window without saving the new bookmark configuration.
Editing bookmarks To edit bookmarks, in the Bookmarks widget title bar, select Edit.
Bookmarks widget will be in the list.
Location: The information the FortiGate unit needs to forward client requests to the correct server application or network service.
Description: An optional description of the bookmark.
Enter the information that the FortiGate unit needs to forward client requests to the correct server/application. Value depends on value in Type. Select to connect to the server/application specified in Type and Host.
“Dynamically assigning VPN client IP addresses from a RADIUS record” on page 573.
Split tunneling: Select to enable split tunneling.
Start IP: Enter the starting IP address for the split tunnel range.
Disconnect End the session and close the tunnel to the FortiGate unit. Refresh now Refresh the Fortinet SSL VPN Client page (web portal). Link status Indicates the state of the SSL VPN tunnel: Up is displayed when an SSL VPN tunnel with the FortiGate unit has been established.
“Configuring a Directory Service server” on page 581.
• Configure for certificate-based authentication for administrative access (HTTPS web-based manager), IPSec, SSL-VPN, and web-based firewall authentication. For more information, see “PKI” on page 581.
To view the list of existing local users, go to User > Local.
Figure 372: Example Local user list (Delete and Edit icons)
Create New: Add a new local user account.
User Name: The local user name.
If you enable virtual domains (VDOMs) on the FortiGate unit, IM is available separately for each virtual domain. For more information, see “Using virtual domains” on page 103.
“IM user monitor list” on page 594. Configuring older versions of IM applications Some older versions of IM protocols are able to bypass file blocking because the message types are not recognized.
CLI to change the default RADIUS port. For more information, see the config system global command in the FortiGate CLI Reference. To view the list of RADIUS servers, go to User > Remote > RADIUS.
If you have not selected a protocol, the default protocol configuration uses PAP, MS-CHAPv2, and CHAP, in that order. To add a new RADIUS server, go to User > Remote > RADIUS, select Create New, and enter or select the following:
IP address to assign to the user from the Framed-IP-Address field in the RADIUS record received when the RADIUS server confirms that the user has authenticated successfully. See RFC 2865 and RFC 2866 for more information about RADIUS.
You can dynamically assign IP addresses to PPTP VPN clients using RADIUS records by configuring the PPTP VPN to use the user group for getting IP addresses:
config vpn pptp
set status enable
set ip-mode usrgrp
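The Framed-IP-Address field above is RADIUS attribute type 8 (RFC 2865). The following added example, which is not Fortinet's code, shows how a client such as the FortiGate unit would extract that attribute from an Access-Accept only after verifying the Response Authenticator, so that a forged or tampered reply cannot hand a VPN client an address; the packet, shared secret and request authenticator are constructed for the example.

```python
# Added example (not Fortinet's code): extract Framed-IP-Address (RFC 2865
# attribute type 8) from a RADIUS Access-Accept after verifying the
# Response Authenticator. All packets, secrets and addresses are constructed.
import hashlib
import hmac
import ipaddress
import struct

ACCESS_ACCEPT = 2
USER_NAME = 1          # RFC 2865 section 5.1
FRAMED_IP_ADDRESS = 8  # RFC 2865 section 5.8

# RFC 2865 sentinel values: 255.255.255.254 = "NAS picks from a pool",
# 255.255.255.255 = "user chooses"; neither is an assigned address.
_POOL_SENTINELS = {ipaddress.IPv4Address("255.255.255.254"),
                   ipaddress.IPv4Address("255.255.255.255")}


def build_access_accept(identifier, request_auth, secret, attributes):
    """Build an Access-Accept with a valid Response Authenticator.

    attributes: list of (type, value_bytes) pairs encoded as RADIUS TLVs."""
    attrs = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attributes)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # RFC 2865 section 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_attributes(attrs):
    """Return (type, value) pairs; reject malformed lengths instead of looping forever."""
    pos, out = 0, []
    while pos < len(attrs):
        if len(attrs) - pos < 2:
            raise ValueError("truncated attribute header")
        t, length = struct.unpack("!BB", attrs[pos:pos + 2])
        if length < 2 or pos + length > len(attrs):
            raise ValueError("bad attribute length")
        out.append((t, attrs[pos + 2:pos + length]))
        pos += length
    return out


def framed_ip_from_reply(packet, request_auth, secret):
    """Return the Framed-IP-Address string from a verified Access-Accept, else None.

    Raises ValueError if the packet is malformed or the authenticator fails."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    # Constant-time compare: a reply that fails this check did not come from
    # a server holding our shared secret, so none of its attributes are trusted.
    if not hmac.compare_digest(expected, resp_auth):
        raise ValueError("Response Authenticator mismatch")
    if code != ACCESS_ACCEPT:
        return None
    for t, v in parse_attributes(attrs):
        if t == FRAMED_IP_ADDRESS and len(v) == 4:
            ip = ipaddress.IPv4Address(v)
            return None if ip in _POOL_SENTINELS else str(ip)
    return None


SECRET = b"example-shared-secret"   # constructed
REQUEST_AUTH = bytes(range(16))     # constructed 16-byte Request Authenticator


def demo():
    """Genuine reply yields the address; a reply built with another secret is rejected."""
    genuine = build_access_accept(7, REQUEST_AUTH, SECRET, [
        (USER_NAME, b"alice"),
        (FRAMED_IP_ADDRESS, ipaddress.IPv4Address("10.10.10.5").packed)])
    forged = build_access_accept(7, REQUEST_AUTH, b"wrong-secret", [
        (FRAMED_IP_ADDRESS, ipaddress.IPv4Address("10.10.10.9").packed)])
    assigned = framed_ip_from_reply(genuine, REQUEST_AUTH, SECRET)
    try:
        framed_ip_from_reply(forged, REQUEST_AUTH, SECRET)
        forged_accepted = True
    except ValueError:
        forged_accepted = False
    return assigned, forged_accepted


if __name__ == "__main__":
    print(demo())
```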
Domain Name System (DNS) names at the top level of the hierarchy. The common name identifier for most LDAP servers is cn; however some servers use other common name identifiers such as uid. For example, you could use the following base distinguished name:
ou=marketing,dc=fortinet,dc=com
where ou is organization unit and dc is a domain component. You can also specify multiple instances of the same field in the distinguished name, for example, to specify multiple organization units:
ou=accounts,ou=marketing,dc=fortinet,dc=com
Binding is said to occur when the LDAP server successfully authenticates the user and allows the user access to the LDAP server based on his or her permissions.
Distinguished Name field of the LDAP Server configuration. To see the users within the LDAP Server user group for the selected Distinguished Name, select the Expand arrow beside the Distinguished Name in the LDAP Distinguished Name Query tree.
Auto, ASCII, PAP, CHAP, and MSCHAP.
Delete icon: Delete this TACACS+ server.
Edit icon: Edit this TACACS+ server.
Configuring TACACS+ servers There are several different authentication protocols that TACACS+ can use during the authentication process:
In a domain, the directory resides on computers that are configured as domain controllers. A domain controller is a server that manages all security-related features that affect the user/domain interactions, security centralization, and administrative functions.
Because the domain controller authenticates users, the FortiGate unit does not perform authentication. It recognizes group members by their IP address. You must install the Fortinet Server Authentication Extensions (FSAE) on the network and configure the FortiGate unit to retrieve information from the Directory Service server. For...
Users only need a valid certificate for successful authentication—no user name or password is necessary. Firewall and SSL VPN are the only user groups that can use PKI authentication.
FortiGate CLI Reference. Caution: If you use the CLI to create a peer user, Fortinet recommends that you enter a value for either subject or ca. If you do not do so, and then open the user record in the web-based manager, you will be prompted to enter a subject or ca value before you can continue.
You can configure user groups to provide authenticated access to:
• Firewall policies that require authentication. See “Adding authentication to firewall policies” on page 327. You can choose the user groups that are allowed to authenticate with these policies.
Note: A user group cannot be a dialup group if any member is authenticated using a RADIUS or LDAP server. For more information, see “Creating a new phase 1 configuration” on page 534.
On a network, you can configure the FortiGate unit to allow access to members of Directory Service server user groups who have been authenticated on the network. The Fortinet Server Authentication Extensions (FSAE) must be installed on the network domain controllers.
Firewall, Directory Service, and SSL VPN. Note: If you try to add LDAP servers or local users to a group configured for administrator authentication, an “Entry not found” error occurs.
Figure 389: User group configuration - Firewall (Right Arrow, Expand Arrow, Left Arrow)
Figure 390: User group configuration - Directory Service (Right Arrow, Left Arrow, Expand Arrow)
Left Arrow.
FortiGuard Web Filtering: Available only if Type is Firewall or Directory Service.
Override: Configure Web Filtering override capabilities for this group. See “Configuring FortiGuard Web filtering override options” on page 589.
Authenticating user, who chooses the override scope.
User: Only the user.
Override Type: Select from the list to allow access to:
Directory: Only the lowest level directory in the URL.
For information about how to use certificate authentication, see the FortiGate Certificate Management User Guide. To configure authentication setting options, go to User > Options.
FortiGate configuration (disable a user account) and then use the User monitor to immediately end the user’s current session. To view the list of authenticated users (Firewall), go to User > Monitor > Firewall.
You can use filters to control the information displayed in the list. For more information, see “Adding filters to web-based manager lists” on page To view active tunnels, go to User > Monitor > IPSEC.
IP address of the remote client, and the time the connection was made. You can also see which services are being provided, and delete an active web session from the FortiGate unit. For more information, see “SSL VPN” on page 551.
User Name: The name selected by the user when registering with an IM protocol. The same user name can be used for multiple IM protocols. Each user name/protocol pair appears separately in the list.
Source IP: The address from which the user initiated the IM session.
System > Config > Replacement Messages and editing the NAC Quarantine replacement messages. For more information, see “NAC quarantine replacement messages” on page 204.
The list also shows all IP addresses, authenticated users, senders, and interfaces blocked by Data Leak Prevention (DLP). The system administrator can selectively release users or interfaces from quarantine or configure quarantine to expire after a selected time period.
Banned User list. If Expires is Indefinite you must manually remove the user or host from the list.
Delete icon: Delete the selected user or IP address from the Banned User list.
Frequently asked questions about FortiGate WAN optimization
Q: Which FortiGate models support WAN optimization?
A: WAN optimization is supported on the following models:
• FortiGate-51B and 111C
• FortiGate-310B
• FortiGate-620B
• FortiGate-3016B
Q: Does FortiGate WAN optimization work with other vendors’ WAN optimization or acceleration features?
A: No, FortiGate WAN optimization is proprietary to Fortinet. FortiGate WAN optimization is compatible with FortiClient WAN optimization.
Q: Can the web cache feature be used for caching HTTPS sessions?
FortiGate WAN optimization includes the following features.
• Web caching (a type of object caching)
• Client/server or active-passive WAN optimization (also known as automated WAN optimization mode)
• Peer to peer WAN optimization
WAN optimization peers identifying and authenticating with each other. Note: Once a tunnel has been established multiple WAN optimization sessions can start and stop between peers without restarting the tunnel. Peer authentication requires the following configuration on each peer.
WAN optimization is compatible with identity-based firewall policies. If a session is allowed after authentication, and if the identity-based policy that allows the session does not include a protection profile, the session can be processed by matching WAN optimization rules.
FortiGate-ASM-SAS module for web caching and byte caching. All FortiGate models that support WAN optimization except for the 51B and 111C models can also be configured to use iSCSI for web caching and byte caching.
• Add the WAN optimization techniques to be applied to the traffic
Figure 401: WAN optimization rule list (Edit, Delete, Insert Before, Enable/Disable Rules, Move To)
Subsequent possible matches are not considered or applied. Ordering rules from most specific to most general prevents rules that match a wide range of traffic from superseding and effectively masking rules that match exceptions.
4 Select Before or After, and enter the ID of the rule that is before or after your intended destination. This specifies the rule’s new position in the WAN optimization rule list. 5 Select OK.
(active) rule. To match one passive rule with many active rules, the passive rule port range should include the port ranges of all of the active rules.
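To make the two ordering rules above concrete (first match wins, so a broad rule placed early masks a more specific one below it; and a passive rule's port range must cover every active rule it pairs with), here is an added Python model of a WAN optimization rule list. It is not Fortinet's code: the Rule fields, the rule contents and the session tuples are constructed for the example, using the 172.20.120.0 and 192.168.10.0 networks from this guide.

```python
# Added example (not Fortinet's code): first-match evaluation of a WAN
# optimization rule list plus two checks: masked rules and passive-rule
# port coverage. Rule fields and contents are constructed for the example.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: int
    source: str          # CIDR, e.g. "172.20.120.0/24"
    destination: str     # CIDR
    ports: tuple         # inclusive (low, high)
    auto_detect: str     # "Active", "Passive" or "Off"
    protocol: str        # "HTTP", "CIFS", "FTP", "MAPI" or "TCP"

    def matches(self, src_ip, dst_ip, port):
        """Does a session from src_ip to dst_ip:port match this rule?"""
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.destination)
                and self.ports[0] <= port <= self.ports[1])

    def covers(self, other):
        """True if every session matched by `other` is also matched by this rule."""
        return (ipaddress.ip_network(other.source).subnet_of(ipaddress.ip_network(self.source))
                and ipaddress.ip_network(other.destination).subnet_of(
                    ipaddress.ip_network(self.destination))
                and self.ports[0] <= other.ports[0] and other.ports[1] <= self.ports[1])


def first_match(rules, src_ip, dst_ip, port):
    """Top-down first match: the rule list is evaluated in order and
    later possible matches are never considered."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, port):
            return rule.rule_id
    return None


def masked_rules(rules):
    """IDs of rules that can never match because an earlier rule covers them.
    A non-empty result means the list is not ordered most-specific-first."""
    return [later.rule_id for i, later in enumerate(rules)
            if any(earlier.covers(later) for earlier in rules[:i])]


def passive_port_gaps(passive, actives):
    """Active rules whose port range falls outside the passive rule's range;
    sessions for those rules would not pair with this passive rule."""
    return [a.rule_id for a in actives
            if not (passive.ports[0] <= a.ports[0] and a.ports[1] <= passive.ports[1])]


# Constructed rule list: a catch-all TCP rule placed ABOVE an HTTP exception.
GENERAL = Rule(1, "0.0.0.0/0", "192.168.10.0/24", (1, 65535), "Active", "TCP")
HTTP_EXCEPTION = Rule(2, "172.20.120.0/24", "192.168.10.0/24", (80, 80), "Active", "HTTP")
BAD_ORDER = [GENERAL, HTTP_EXCEPTION]
GOOD_ORDER = [HTTP_EXCEPTION, GENERAL]

# Constructed server-side passive rule and the client-side active rules it serves.
PASSIVE = Rule(10, "0.0.0.0/0", "192.168.10.0/24", (1, 1024), "Passive", "TCP")
ACTIVES = [Rule(11, "172.20.120.0/24", "192.168.10.0/24", (80, 80), "Active", "HTTP"),
           Rule(12, "172.20.120.0/24", "192.168.10.0/24", (20, 21), "Active", "FTP"),
           Rule(13, "172.20.120.0/24", "192.168.10.0/24", (135, 3000), "Active", "MAPI")]

if __name__ == "__main__":
    print(first_match(BAD_ORDER, "172.20.120.100", "192.168.10.5", 80))   # 1: masked
    print(first_match(GOOD_ORDER, "172.20.120.100", "192.168.10.5", 80))  # 2
    print(masked_rules(BAD_ORDER), masked_rules(GOOD_ORDER))
    print(passive_port_gaps(PASSIVE, ACTIVES))                             # [13]
```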
WAN optimization and web caching” on page 624. You can select SSL offloading if Auto-Detect is set to Active or Off. You can also select SSL offloading for web cache only rules.
(for example, zipped) and non-compressed versions of the same file separately. If the HTTP protocol considers the compressed and uncompressed versions of a file the same object, only the compressed or uncompressed file will be cached.
Note: Since only one FortiGate unit is involved in the web cache configuration, you do not need to change the WAN optimization peer configuration for this scenario.
Figure 406: Adding a web cache only WAN optimization rule
Figure 407: Example client/server (active-passive) web cache topology (web server network 192.168.10.0 behind the WAN optimization server, passive rule with Enable Web Cache; user network 172.20.120.0 behind the WAN optimization client, active rule with Protocol=HTTP; IP addresses 172.10.10.1 and 172.20.20.1; web cache)
The rule is added to the bottom of the WAN optimization list. 7 If required, move the rule to a different position in the list. See “Moving a rule to a different position in the rule list” on page 607.
FortiGate unit accepts WAN optimization tunnel connections from the client FortiGate unit and the two units can form a WAN optimization tunnel. The server side FortiGate unit uses the settings in the rule added to the client side FortiGate unit.
To configure the client side FortiGate unit
1 Go to WAN Opt. & Cache > Peer and enter a Local Host ID for the client FortiGate unit.
Local Host ID: Client_Side
2 Select Create New and add a Peer Host ID and the IP address for the client side FortiGate unit.
Peer Host ID: Client_Side
IP Address: 172.20.34.12
3 Select OK to save the peer.
FortiGate unit. The active rules do the following:
• Optimize HTTP traffic from IP addresses 172.20.120.100 to 172.20.120.150
• Optimize FTP traffic from IP addresses 172.20.120.151 to 172.20.120.200
172.20.120.100 to 172.20.120.200.
Mode: Full Optimization
Source: 172.20.120.[100-200]
Destination: 192.168.10.0
Port: 1 - 65535
Auto-Detect: Active
Protocol: CIFS
Transparent Mode: Enable
Enable Byte Caching: Enable
3 Select OK to save the rule.
Local Host ID: Web_servers
2 Select Create New and add a Peer Host ID and the IP address for the client side FortiGate unit.
Peer Host ID: User_net
IP Address: 172.30.120.1
You do not have to add a rule to the server side FortiGate unit. But the server side FortiGate unit peer list must include the client FortiGate unit. The server side FortiGate unit uses the WAN optimization settings in the client side rule.
4 Go to Firewall > Policy and add a firewall policy that accepts traffic to be optimized.
5 Go to WAN Opt. & Cache > Rule and select Create New.
6 Configure the rule.
Mode: Full Optimization
Source: 172.20.120.0
Destination: 192.168.10.0
Port: 1-65535
Auto-Detect
Valid IP address and netmask formats include:
• x.x.x.x/x.x.x.x, such as 192.168.1.0/255.255.255.0
• x.x.x.x/x, such as 192.168.1.0/24
Note: An IP address 0.0.0.0 with netmask 255.255.255.255 is not a valid source or destination address.
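As an added example (not Fortinet's code), the following parser accepts the two netmask formats listed above together with the last-octet range notation used earlier in this chapter (172.20.120.[100-200]), rejects the 0.0.0.0/255.255.255.255 case from the note, and answers whether a given host falls inside a rule address. The function names and the sample inputs are constructed for the example; the FortiGate unit's own validation may differ in details not stated here.

```python
# Added example (not Fortinet's code): parse and validate the source/destination
# address notations shown in this chapter and test host membership.
import ipaddress
import re

# x.x.x.[a-b]: a range over the last octet, e.g. 172.20.120.[100-200]
_LAST_OCTET_RANGE = re.compile(r"^(\d{1,3}\.\d{1,3}\.\d{1,3})\.\[(\d{1,3})-(\d{1,3})\]$")


def parse_rule_address(text):
    """Return (first, last) IPv4Address bounds of a rule address, inclusive.

    Accepted forms: x.x.x.x/x.x.x.x, x.x.x.x/x and x.x.x.[a-b].
    Raises ValueError for anything else, including 0.0.0.0/255.255.255.255."""
    text = text.strip()
    m = _LAST_OCTET_RANGE.match(text)
    if m:
        prefix, low, high = m.group(1), int(m.group(2)), int(m.group(3))
        if not 0 <= low <= high <= 255:
            raise ValueError(f"bad last-octet range in {text!r}")
        return (ipaddress.IPv4Address(f"{prefix}.{low}"),
                ipaddress.IPv4Address(f"{prefix}.{high}"))
    if "/" not in text:
        raise ValueError(f"expected address/netmask or address/prefix: {text!r}")
    addr, mask = text.split("/", 1)
    # ipaddress accepts a dotted netmask or a prefix length in the tuple form
    # and rejects non-contiguous masks such as 255.0.255.0 with a ValueError.
    mask_value = mask if "." in mask else int(mask)
    net = ipaddress.IPv4Network((addr, mask_value), strict=False)
    if net.prefixlen == 32 and net.network_address == ipaddress.IPv4Address("0.0.0.0"):
        raise ValueError("0.0.0.0 with netmask 255.255.255.255 is not a valid "
                         "source or destination address")
    return (net.network_address, net.broadcast_address)


def address_contains(rule_address, host):
    """True if host (dotted IPv4 string) lies within the rule address."""
    first, last = parse_rule_address(rule_address)
    return first <= ipaddress.IPv4Address(host) <= last


def is_valid_rule_address(text):
    """Validation helper that never raises: True only for accepted forms."""
    try:
        parse_rule_address(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs, including the two forms from the guide.
    for sample in ("192.168.1.0/255.255.255.0", "192.168.1.0/24",
                   "172.20.120.[100-200]", "0.0.0.0/0", "0.0.0.0/255.255.255.255"):
        print(sample, is_valid_rule_address(sample))
```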
HTTP servers that you want offloading for. Then you must add one SSL server configuration for each of the HTTP servers.
FortiGate units and use IPSec to protect the privacy of the WAN optimization tunnel.
To configure the client side FortiGate unit
1 Go to WAN Opt. & Cache > Peer and enter a Local Host ID for the server side FortiGate unit.
1 Go to WAN Opt. & Cache > Peer and enter a Local Host ID for the server side FortiGate unit.
Local Host ID: Web_servers
2 Select Create New and add a Peer Host ID and the IP address for the peer side FortiGate unit.
• Serve more requests for static content from web servers.
• Serve more requests for dynamic content from web servers.
• Reduce operating expenses, including the cost of bandwidth required to serve content.
1 Go to Firewall > Virtual IP and select Create New to add a virtual IP that translates the destination IP address from 192.168.10.1 to 172.10.20.30.
Name: Reverse_proxy_VIP
External Interface: port2
Type: Static NAT
External IP Address/Range: 192.168.10.1
Mapped IP Address/Range: 172.10.20.30
Web Cache Only
Source: 0.0.0.0
Destination: 192.168.10.1
Port:
Transparent Mode: Enable
Enable SSL: Enable
2 Select OK to save the rule. The rule is added to the bottom of the WAN optimization list.
1 Go to Status > WAN Optimization.
2 Select Enable WAN Optimization.
3 Enable the protocols to be optimized: HTTP (web browsing), CIFS (Windows file sharing), MAPI (Microsoft Exchange) and FTP (file transfers).
FortiGate unit to use this storage location for web caching, byte caching or both. You configure WAN optimization storage from the FortiGate CLI.
Add or change the Local Host ID in the FortiGate configuration.
Adding or modifying a peer: Select Create New to add a new peer or select Edit beside an existing peer to modify it.
If you select Certificate, all peers that use this authentication group must have the same certificate. Go to System > Certificate and add a local certificate. Then select this certificate in the Certificate field.
Local Host ID in the tunnel request with the server side peer list. If a match is found, authentication is successful. If a match is not found, authentication fails.
If the web cache is configured to cache these negative responses, it returns that response in subsequent requests for that page or image for the specified number of minutes.
/ value, the FortiGate unit treats it as a PNC header if it is a type-N object. When ignore IE Reload is enabled, the FortiGate unit ignores the PNC interpretation of the Accept: / header.
Page 640
Get for PNC configuration is enabled, the revalidate PNC configuration has no effect. Most download managers make byte-range requests with a PNC header. To serve such requests from the cache, the revalidate pragma-no-cache option should be configured along with byte-range support.
HTTP Challenge to a Secure Channel (HTTPS) is enabled in User > Options > Authentication.
• Configure software detection if you want to monitor the applications installed on endpoints. See “Viewing and configuring the software detection list” on page 643.
Go to Endpoint Control > FortiClient and select Customize to set the minimum FortiClient version that endpoints are required to run and to configure the download source for the FortiClient installer.
Figure 427: Configuring FortiClient version requirements and installer source
Specify — Enter the FortiClient version that endpoints must have installed. Fortinet recommends that administrators deploy a FortiClient version update to their users or ask users to install the update and then wait a reasonable period of time for the updates to be installed before updating the minimum version required to the most recent version.
The endpoints list can provide an inventory of the endpoints on your network. Entries for endpoints not running the FortiClient application include the IP address, last update time, and traffic volume/attempts. The “non-compliant” status indicates the endpoint is not running the FortiClient application.
Page 645
For more information, see “Using column settings to control the columns displayed” on page 58 and “Web-based manager icons” on page
Clear All Filters: Clear any column display filters you might have applied.
Page 646
If the endpoint is non-compliant, this column displays the number of times the endpoint has attempted to connect through the FortiGate unit. The FortiClient application is not required to obtain this information.
When customizing the logging location, you can also customize what minimum log severity level the FortiGate unit should log these events at. There are six severity levels to choose from. For more information, see “Log severity levels” on page 649.
FortiGate unit can send logs to a FortiGuard Analysis server. This service provides another way to store and view logs, as well as archiving email messages. For more information, see “FortiGuard Analysis and Management Service” on page 648. Fortinet recommends reviewing the FortiGuard Analysis and Management Service Administration Guide to learn more about the logging, reporting, and remote management features from the FortiGuard Analysis and Management Service portal web site.
You receive this information when you register for the FortiGuard Analysis and Management Service on the Fortinet support web site. After entering all appropriate information on the Fortinet support web site, you can then log into the FortiGuard Analysis and Management Service portal web site.
Note: Daylight Saving Time (DST) is now extended by four weeks in the United States and Canada and may affect your location. It is recommended to verify if your location observes this change, since it affects the scope of the report. Fortinet has released supporting firmware. See the Fortinet Knowledge Center article,...
FortiAnalyzer units available on the network within the same subnet. When the FortiGate unit discovers the FortiAnalyzer unit, the FortiGate unit automatically begins sending log data, if logging is configured for traffic and other events, to the FortiAnalyzer unit.
7 Select Apply.
Note: If your FortiGate unit is in Transparent mode, you must modify the interface in the CLI before Automatic Discovery can carry traffic. Use the procedure in the Fortinet Knowledge Center article, Fortinet Discovery Protocol in Transparent mode, to enable the interface to also carry traffic when using the Automatic Discovery feature.
Logging to a FortiGuard Analysis server
You can configure logging to a FortiGuard Analysis server after registering for the FortiGuard Analysis and Management Service on the Fortinet support web site. Fortinet recommends verifying that the connection is working properly before configuring logging to a FortiGuard Analysis server.
(such as Notepad) because they are saved as plain text files. Configuring a facility easily identifies the device that recorded the log file.
Use the CLI to configure the FortiGate unit to send log messages to WebTrends. After logging into the CLI, enter the following commands:
config log webtrends setting
    set server <address_ipv4>
    set status {disable | enable}
end
Page 656
172.16.125.99
For more information about setting the options for the types of logs sent to WebTrends, see the Log chapter in the FortiGate CLI Reference.
If you are logging “other-traffic”, the FortiGate unit will incur a higher system load because “other-traffic” logs log individual traffic packets. Fortinet recommends logging firewall policy traffic since it minimizes the load. Logging “other-traffic” is disabled by default. Firewall policy traffic logging records the traffic that is both permitted and denied by the firewall policy, based on the protection profile.
Edit the IPS Sensor and select Add Pre-defined Override to add the following predefined IPS signatures to the sensor.
• Invalid.Protocol.Header
• TCP.Bad.Flags
• TCP.Invalid.Packet.Size
Enable each of these signatures, set Action to Block and enable Logging.
SSL VPN session event: All session activity such as application launches and blocks, timeouts, and verifications.
VIP ssl event: All server-load balancing events happening during SSL session, especially details about handshaking.
FortiGate unit detects an infected file, blocks a file type, or blocks an oversized file or email that is logged, it records an antivirus log. You can also apply filters to customize what the FortiGate unit logs, which are:
FortiGate unit.
• Attack Anomaly – The FortiGate unit logs all detected and prevented attacks based on unknown or suspicious traffic patterns, and the action taken by the FortiGate unit.
Log Type list. The FortiGate unit displays a list of rolled log files. You can view log messages when you select the View icon.
View a log file’s log messages.
Delete icon: Delete rolled logs. Fortinet recommends downloading the rolled log file before deleting it because the rolled log file cannot be retrieved after deleting it.
Accessing logs stored on the FortiAnalyzer unit
You can view and navigate through logs saved to the FortiAnalyzer unit.
Remote, Memory or Disk. If you are logging to the FortiGate unit’s hard disk, select Edit beside a rolled log file to view log messages.
For example, log messages can be viewed in Formatted or Raw view. In Formatted view, you can customize the columns, or filter log messages. In Raw view, the log message appears as it would in the log file.
Move the selected field up one position in the Show these fields in this order list.
Move down: Move the selected field down one position in the Show these fields in this order list.
7 Select OK.
FortiAnalyzer unit or FortiGuard Analysis server. A FortiGuard Analysis server becomes available when you subscribe to the FortiGuard Analysis and Management Service. For more information, see “FortiGuard Analysis and Management Service” on page 648.
FortiGate spam filtering and by FortiGuard Antispam. By default, however, the protection profile options under Archive SPAMed email to FortiAnalyzer/FortiGuard are disabled. As a result, by default email identified as spam is not content archived.
5 Enter one of the following to enable content archiving for the entry you chose in step 5:
set sip-archive-summary enable
set sccp-archive-summary enable
set simple-archive-summary enable
6 If you want to enable full content archiving of SIMPLE, enter the following:
You can also base alert email messages on the severity levels of the logs.
Page 671
Select if you require an alert email message based on blocked web sites that were accessed.
HA status changes: Select if you require an alert email message based on HA status changes.
Note: The default minimum log severity level is Alert. If the FortiGate unit collects more than one log message before an interval is reached, the FortiGate unit combines the messages and sends out one alert email.
By default all services are selected. When you refresh your browser or go to a different menu, all services revert to default settings. Clear the check boxes beside the services you do not want to include in the graphical analysis.
Contact a FortiAnalyzer administrator before configuring report schedules from the FortiGate unit to verify that the appropriate report layout is configured. Report layouts can only be configured from the FortiAnalyzer unit.
Page 675
Delete or edit a report schedule in the list.
Clone icons: Create a duplicate of the report schedule and use it as a basis for a new report schedule.
Report schedule configuration settings
Page 676
To clone a report schedule
1 Go to Log&Report > Report Config.
2 Select Clone in the same row of the report schedule that will be the basis of a new report schedule.
To print a FortiAnalyzer report, go to Log&Report > Report Access, select the report you want printed from the list and then select Print.
CA certificates, 249
local ratings, 492
Certificate Revocation List (CRL), 251
local URL block categories, 491
cipher suite, 553
local user account, 568
combined IP pool and virtual IP, 384
Page 680
admin, 45
subnet object, 89
admin profile, 222
system administrators, 209
configuring, 212
system certificates, 247
netmask, 213
system configuration backup and restore, 254
administrator login disclaimer, 200
Page 685
IP pool list, 383
antivirus, 443
firewall IP pool options, 383
default list of patterns, 443
firewall load balancing list, antivirus, 445
WAN optimization, 603
protection profile, 408
Page 686
FTP_GET, 352
reverting to previous version, 80
FTP_PUT, 352
upgrading to a new version, 80
GOPHER, 352
viewing, 259
GRE, 352
group list, 359
fixed port
H323, 352
IP pool, 382