Summary of Contents for Fortinet FortiGate-800 Administration Guide
FortiGate-800 Administration Guide
Version 2.80 MR6, 5 November 2004
Document number 01-28006-0008-20041105
CAUTION: RISK OF EXPLOSION IF BATTERY IS REPLACED BY AN INCORRECT TYPE. DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS. For technical support, please visit http://www.fortinet.com. Send information about errors or omissions in this document or any Fortinet technical documentation to techdoc@fortinet.com.
Address ... 202
Address list ... 203
Address options ... 203
Configuring addresses ... 204
Address group list ... 205
Address group options ... 205
Configuring address groups ... 206
Service ... 206
Predefined service list ... 207
Custom service list ... 210
Custom service options ... 210
Configuring custom services ...
Setting up a PPTP-based VPN ... 261
Enabling PPTP and specifying a PPTP range ... 262
Configuring a Windows 2000 client for PPTP ... 263
Configuring a Windows XP client for PPTP ... 263
PPTP passthrough ... 264
L2TP ... 265
Setting up a L2TP-based VPN ... 266
Enabling L2TP and specifying an L2TP range ... 266
Configuring a Windows 2000 client for L2TP ... 267
Configuring a Windows XP client for L2TP ... 268
Certificates ... 270
Viewing the certificate list ... 271
Generating a certificate request ...
Configuring the web URL block list ... 327
Web pattern block list ... 328
Web pattern block options ... 329
Configuring web pattern block ... 329
URL exempt ... 329
URL exempt list ... 330
URL exempt list options ... 330
Configuring URL exempt ... 330
The FortiGate Antivirus Firewall uses Fortinet’s Accelerated Behavior and Content Analysis System (ABACAS™) technology, which leverages breakthroughs in chip design, networking, security, and content analysis. The unique ASIC-based architecture analyzes content and behavior in real time, enabling key applications to be deployed right at the network edge, where they are most effective at protecting your networks.
MIME encoding, log all actions taken while scanning.

Introduction
FortiGate web content filtering also supports FortiGuard web category blocking. Using web category blocking you can restrict or allow access to web pages based on content ratings of web pages. You can configure URL blocking to block all or some of the pages on a web site. Using this feature, you can deny access to parts of a web site without denying access to it completely.
NAT mode policies use network address translation to hide the addresses of a more secure network from users on a less secure network. Route mode policies accept or deny connections between networks without performing address translation.
You can develop and manage interfaces, VLAN subinterfaces, zones, firewall policies, routing, and VPN configuration for each virtual domain separately. For these configuration settings, each virtual domain is functionally similar to a single FortiGate unit. This separation simplifies configuration because you do not have to manage as many routes or firewall policies at one time.
High availability
Fortinet achieves high availability (HA) using redundant hardware and the FortiGate Clustering Protocol (FGCP). Each FortiGate unit in an HA cluster enforces the same overall security policy and shares the same configuration settings. You can add up to 32 FortiGate units to an HA cluster.
The CLI supports the same configuration and monitoring functionality as the web-based manager. In addition, you can use the CLI for advanced configuration options that are not available from the web-based manager. This Administration Guide contains information about basic and advanced CLI commands.
A space separates options that can be entered in any combination and must be separated by spaces. For example:
set allowaccess {ping https ssh snmp http telnet}
You can enter any of the following:
set allowaccess ping
set allowaccess ping https ssh
set allowaccess https ping ssh
set allowaccess snmp...

Comments on Fortinet technical documentation
Please send information about any errors or omissions in this document, or any Fortinet technical documentation, to techdoc@fortinet.com.
Related documentation
Additional information about Fortinet products is available from the following related documentation: FortiManager documentation, FortiClient documentation, and FortiMail documentation.
FortiManager QuickStart Guide: Explains how to install the FortiManager Console, set up the FortiManager Server, and configure basic settings.
Fortinet Technical Support web site at http://support.fortinet.com. You can also register Fortinet products and service contracts from http://support.fortinet.com and change your registration information at any time. Technical support is available through email from any of the following addresses.
System status
You can connect to the web-based manager and view the current system status of the FortiGate unit. The status information that is displayed includes the system status, unit information, system resources, and session log. This chapter includes: ...
Viewing system status
Changing unit information
Select to control how often the web-based manager updates the system status display.
Select to set the selected automatic refresh interval.
Select to manually update the system status display.
System status: Up Time, System Time, Log Disk, Notification.
Unit Information: The admin user and administrators whose access profiles contain system configuration read and write privileges can change or update the unit information. For information on access profiles, see “Access profile list”.
Host Name, Firmware Version, Antivirus Definitions: The current installed version of the FortiGate Antivirus Definitions.
CPU usage for the previous minute.
Session history for the previous minute.
Network utilization for the previous minute.
The virus detection history over the last 20 hours.
The intrusion detection history over the last 20 hours.
Note: For information about configuring the FortiGate unit for automatic antivirus definitions updates, see “Update center”.
Download the latest antivirus definitions update file from Fortinet and copy it to the computer that you use to connect to the web-based manager.
The time at which the recent intrusion was detected.
Note: For information about configuring the FortiGate unit for automatic attack definitions updates, see “Update center”.
Download the latest attack definitions update file from Fortinet and copy it to the computer that you use to connect to the web-based manager. Start the web-based manager and go to System > Status > Status.
Note: If the web-based manager IP address was on a different subnet in NAT/Route mode, you may have to change the IP address of your computer to the same subnet as the management IP address.
To change to NAT/Route mode
After you change the FortiGate unit from NAT/Route mode to Transparent mode, most of the configuration resets to Transparent mode factory defaults, except for HA settings (see... Back up the configuration before changing the operating mode.
FortiGate administrators whose access profiles contain system configuration read and write privileges and the FortiGate admin user can change the FortiGate firmware. After you download a FortiGate firmware image from Fortinet, you can use the procedures listed in Table 1.
Total number of sessions currently being conducted through the FortiGate unit.
Table 1: Firmware upgrade procedures
Upgrading to a new firmware version
Reverting to a previous firmware version
Installing firmware images from a system reboot using the CLI
Testing a new firmware image before installing it
Installing and using a backup firmware image

Upgrading to a new firmware version...
Where <name_str> is the name of the firmware image file and <tftp_ip> is the IP address of the TFTP server. For example, if the firmware image file name is FGT_300-v280-build183-FORTINET.out and the IP address of the TFTP server is 192.168.1.168, enter:
execute restore image FGT_300-v280-build183-FORTINET.out...
Use only an image downloaded from Fortinet and built for your FortiGate model; the file name encodes the platform, firmware version, and build number. Note also that TFTP has no authentication or integrity protection, so run the TFTP server on a network segment you control.
The FortiGate unit uploads the firmware image file, upgrades to the new firmware version, and restarts. This process takes a few minutes. Reconnect to the CLI. To confirm that the new firmware image is successfully installed, enter:
get system status
Use the procedure “To update antivirus and attack definitions” on page 123 to make sure that antivirus and attack definitions are up to date, or from the CLI, enter:
execute update_now...
See also “Backup and restore”.
Where <name_str> is the name of the firmware image file and <tftp_ip> is the IP address of the TFTP server. For example, if the firmware image file name is FGT_300-v280-build158-FORTINET.out and the IP address of the TFTP server is 192.168.1.168, enter:
execute restore image FGT_300-v280-build158-FORTINET.out...
Back up web content and email filtering lists. For information, see “Web filter” on page 323 and “Spam filter” on page 337.
Use “To update antivirus and attack definitions” on page 123 to make sure that antivirus...
Type y. As the FortiGate unit starts, a series of system startup messages is displayed. When one of the following messages appears, immediately press any key to interrupt the system startup.
Note: You have only 3 seconds to press any key. If you do not press a key soon enough, the FortiGate unit reboots and you must log in and repeat the procedure.
If you successfully interrupt the startup process, one of the following messages appears:...
See also: “Updating antivirus and attack definitions” on page 122, “Upgrading to a new firmware version”, “Backup and restore” on page 117, and “Backing up and restoring custom signature...”.
For this procedure you: ...
To test a new firmware image
Connect to the CLI using a null-modem cable and the FortiGate console port.
Make sure the TFTP server is running.
Copy the new firmware image file to the root directory of the TFTP server.
Make sure that the internal interface is connected to the same network as the TFTP server.
FortiGate unit running v3.x BIOS:
Save as Default firmware/Run image without saving:[D/R]
Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]
Installing a backup firmware image
Switching to the backup firmware image
Switching back to the default firmware image
Installing a backup firmware image
To run this procedure you: ...
To install a backup firmware image
Connect to the CLI using the null-modem cable and the FortiGate console port.
Make sure that the TFTP server is running.
Copy the new firmware image file to the root directory of your TFTP server.
Note: You have only 3 seconds to press any key. If you do not press a key soon enough, the FortiGate unit reboots and you must log in and repeat the procedure.
To switch to the backup firmware image, enter:
execute reboot
If you successfully interrupt the startup process, the following message appears:
[G]: [F]: [B]: [Q]: [H]:
Enter G,F,B,Q,or H:
Type B to load the backup firmware image. The FortiGate unit loads the backup firmware image and restarts. When the FortiGate unit restarts, it is running the backup firmware version and the configuration is set to factory default, so restore a saved configuration backup (see “Backup and restore”) before returning the unit to service.
System network
System network settings control how the FortiGate unit connects to and interacts with your network. Basic network settings start with configuring FortiGate interfaces to connect to your network and configuring the FortiGate DNS settings. More advanced network settings include adding VLAN subinterfaces and zones to the FortiGate network configuration.
Bring Down or Bring Up. For more information, see “To bring down an interface that is administratively up” on page 54 and “To start up an interface that is administratively down”.
Delete, edit, and view icons.
Interface settings
Interface settings displays the current configuration of a selected FortiGate interface or VLAN subinterface. Use interface settings to configure a new VLAN subinterface or to change the configuration of a FortiGate interface or VLAN subinterface.
Figure 6: Interface settings
See the following procedures for configuring interfaces: ...
Enable Retrieve default gateway from server to retrieve a default gateway IP address from the DHCP server. The default gateway is added to the static routing table.
Enable the DNS override option to use the DNS server IP addresses retrieved from the DHCP server instead of the DNS server IP addresses on the DNS page.
Connect to server (PPPoE): If you configure the interface to use PPPoE, the FortiGate unit automatically broadcasts a PPPoE request. You can disable Connect to server if you are configuring the FortiGate unit offline and you do not want the FortiGate unit to send the PPPoE request.
Status
FortiGate firmware. The FortiGate unit can only connect automatically to a DDNS server for the supported clients.
The domain name to use for the DDNS service.
See “To modify the dead gateway detection settings” and “To add or edit a static route” on page 148.
Administrative access: HTTPS, PING, HTTP, SNMP, TELNET. HTTP and TELNET send administrator credentials in cleartext; enable them only on interfaces connected to networks you trust, and prefer HTTPS and SSH for management.
To improve network performance, you can change the maximum transmission unit (MTU) of the packets that the FortiGate unit transmits from any interface. Ideally, this MTU should be the same as the smallest MTU of all the networks between the FortiGate unit and the destination of the packets.
To configure traffic logging for connections to an interface
See “To add a VLAN subinterface in NAT/Route mode” on page 59 and “To add a zone”. You cannot add an interface to a zone if you have added firewall policies for the interface.
To add an interface to a virtual domain
If you have added virtual domains to the FortiGate unit, you can use this procedure to add an interface or VLAN subinterface to a virtual domain. To add a virtual domain, see “System virtual domain”. You cannot add an interface to a virtual domain if you have added firewall policies for the interface.
Optionally, you can also configure management access and add a ping server to the secondary IP address:
set allowaccess ping https ssh snmp http telnet
set gwdetect enable
Save the changes:
See “PPPoE” for information on PPPoE settings.
To add a ping server to an interface
Go to System > Network > Interface. Choose an interface and select Edit. Set Ping Server to the IP address of the next hop router on the network connected to the interface. The ping server is the target that dead gateway detection polls to decide whether the gateway is still reachable.
Displays Yes if traffic between interfaces in the same zone is blocked and No if it is not blocked.
Edit/View icons: Select to edit or view a zone.
Delete icon: Select to remove a zone.
Name
Block intra-zone traffic
Interface members: Enable check boxes to select the interfaces that are part of this zone.
To add a zone
If you have added a virtual domain, go to System > Virtual Domain > Current Virtual Domain and select the virtual domain to which you want to add the zone.
This must be a valid IP address on the network that you want to manage the FortiGate unit from. Enter the default gateway address. Select the virtual domain from which you want to perform system management. See “To control administrative access to an interface”.
Select Apply. The FortiGate unit displays the following message: Management IP address was changed. Click here to redirect. Click on the message to connect to the new Management IP.
Several FortiGate functions, including Alert E-mail and URL blocking, use DNS. You can add the IP addresses of the DNS servers to which your FortiGate unit can connect.
Enter the destination IP address and netmask for this route.
Enter the IP address of the next hop router to which this route directs traffic.
Enter the relative preferability of this route. 1 is most preferred.
A VLAN segregates devices by adding 802.1Q VLAN tags to all of the packets sent and received by the devices in the VLAN. VLAN tags are 4-byte frame extensions that contain a VLAN identifier as well as other information. VLANs allow highly flexible, efficient network segmentation, enabling users and resources to be grouped logically, regardless of physical locations.
FortiGate unit. The FortiGate unit is configured with policies that allow traffic to flow between the VLANs and from the VLANs to the external network. Figure 15 shows a simplified NAT/Route mode VLAN configuration. In this example,...
Figure 15: FortiGate unit in NAT/Route mode (VLAN 100 network, 10.1.1.2)
Adding VLAN subinterfaces
The VLAN ID of each VLAN subinterface must match the VLAN ID added by the IEEE 802.1Q-compliant router. The VLAN ID can be any number from 1 to 4094 (the 802.1Q VID field is 12 bits wide; VID 0 and VID 4095 are reserved by the standard). Each VLAN subinterface must also be configured with its own IP address and netmask.
FortiGate unit forwards the packet to the destination VLAN subinterface. The destination VLAN ID is added to the packet by the FortiGate unit and the packet is sent to the VLAN trunk. See “Address” on page 202.
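The following Python program is an added example; it is not part of the Administration Guide and not Fortinet code. It shows what the 4-byte 802.1Q tag carries (TPID 0x8100, then a 16-bit TCI holding priority, drop-eligible bit and the 12-bit VID), how a received frame is matched to a VLAN subinterface by VID, and how forwarding to another VLAN rewrites the VID before the frame goes back out on the trunk. The frames are constructed inline and the SUBINTERFACES table is a hypothetical stand-in for the FortiGate VLAN subinterface configuration.

```python
"""802.1Q tag parsing and VLAN subinterface lookup.

Added example, not from the FortiGate-800 Administration Guide and not
Fortinet code. Frames are constructed inline; SUBINTERFACES is a
hypothetical stand-in for the FortiGate VLAN subinterface table.
"""
import struct

TPID_8021Q = 0x8100            # TPID that marks a frame as 802.1Q tagged
ETHERTYPE_IPV4 = 0x0800
VID_MIN, VID_MAX = 1, 4094     # VID is a 12-bit field; 0 and 4095 are reserved


def vid_valid(vid):
    """True if vid can be carried in an 802.1Q tag and assigned to a subinterface."""
    return VID_MIN <= vid <= VID_MAX


def build_tagged_frame(dst, src, vid, ethertype, payload, pcp=0, dei=0):
    """Construct an Ethernet frame carrying one 802.1Q tag (constructed test data)."""
    if not vid_valid(vid):
        raise ValueError(f"VID {vid} outside the 802.1Q range {VID_MIN}-{VID_MAX}")
    # TCI: 3-bit priority (PCP), 1-bit drop eligible (DEI), 12-bit VID
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | (vid & 0xFFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_tag(frame):
    """Return (pcp, dei, vid, ethertype, payload) for a tagged frame, None if untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("tagged frame truncated inside the 802.1Q header")
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    return (tci >> 13, (tci >> 12) & 0x1, tci & 0xFFF, ethertype, frame[18:])


# Hypothetical configuration: physical interface -> {VID: VLAN subinterface name}
SUBINTERFACES = {"internal": {100: "vlan_100", 200: "vlan_200"}}


def classify(frame, physical_if, table=SUBINTERFACES):
    """Name the logical interface a received frame belongs to.

    Untagged frames belong to the physical interface. Tagged frames belong to
    the subinterface whose VID matches; a VID with no subinterface gets None,
    meaning the frame has no interface and no firewall policy can match it.
    """
    tag = parse_tag(frame)
    if tag is None:
        return physical_if
    return table.get(physical_if, {}).get(tag[2])


def retag(frame, new_vid):
    """Forward a frame to another VLAN: rewrite the VID, keep PCP/DEI and payload."""
    pcp, dei, _, ethertype, payload = parse_tag(frame)
    return build_tagged_frame(frame[0:6], frame[6:12], new_vid, ethertype, payload, pcp, dei)
```

The classify function returns None rather than falling back to the physical interface for an unknown VID: a frame carrying a VID that has no subinterface must not silently be treated as untagged traffic on the trunk port, because it would then be matched by policies written for that physical interface.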
Figure 16: FortiGate unit with two virtual domains in Transparent mode
Figure 17 ... three VLAN subinterfaces. In this configuration the FortiGate unit could be added to this network to provide virus scanning, web content filtering, and other services to each VLAN.
Transparent mode VLAN list
In Transparent mode, go to System > Network > Interface to add VLAN subinterfaces.
Figure 18: Sample Transparent mode VLAN list
Create New
Virtual Domain: Select a virtual domain to display the VLAN interfaces added to this virtual domain.
Name, Access, Status...
Go to Firewall > Policy. Add firewall policies as required.
See “System virtual domain” on page 135 for information about virtual domains, “Interface settings” on page 49 for more descriptions of these settings, and “Address” on page 202.
FortiGate IPv6 support
You can assign both an IPv4 and an IPv6 address to any interface on a FortiGate unit. The interface functions as two interfaces, one for IPv4-addressed packets and another for IPv6-addressed packets. FortiGate units support static routing, periodic router advertisements, and tunneling of IPv6-addressed traffic over an IPv4-addressed network.
System DHCP
You can configure DHCP server or DHCP relay agent functionality on any FortiGate interface or VLAN subinterface. A FortiGate interface can act as either a DHCP server or as a DHCP relay agent. An interface cannot provide both functions at the same time.
Note: To configure DHCP server or DHCP relay functionality on an interface, the FortiGate unit must be in NAT/Route mode and the interface must have a static IP address.
Select DHCP Server if you want the FortiGate unit to be the DHCP server. See “To configure an interface to be a DHCP server” and “To configure an interface as a DHCP relay agent”.
Set type to Regular. Enter the DHCP Server IP address. Select OK.
To configure an interface to be a DHCP server
You can configure a DHCP server for any FortiGate interface. As a DHCP server, the interface dynamically assigns IP addresses to hosts on the network connected to the interface.
For detailed information about DHCP options, see RFC 2132, DHCP Options and BOOTP Vendor Extensions.
Add a name for the DHCP server. Select the interface. Configure the DHCP server. The IP range must match the subnet address of the network from which the DHCP request was received. Usually this is the subnet connected to the interface for which you are adding the DHCP server.
The IP address for the IP and MAC address pair. The IP address must be within the configured IP range.
Delete icon: Delete an IP/MAC binding pair.
Edit/View icon: View or modify an IP/MAC binding pair.
DHCP IP/MAC binding settings
Figure 27: IP/MAC binding options (Name, IP Address, MAC Address)
To add a DHCP IP/MAC binding pair
Go to System > DHCP > IP/MAC Binding. Select Create New. Add a name for the IP/MAC pair. Add the IP address and MAC address.
System config
Use the System Config page to make any of the following changes to the FortiGate system configuration:
System time
Timeout settings including the idle timeout and authentication timeout
The language displayed by the web-based manager
Front control buttons and LCD PIN protection
Dead gateway detection interval and failover detection

System time
Go to System > Config > Time to set the FortiGate system time. For effective scheduling and logging, the FortiGate system time must be accurate. You can also configure the FortiGate unit to synchronize its time once a day.
Figure 29: System config options (Idle Timeout, Auth Timeout, Language, LCD Panel, Detection Interval, Fail-over Detection)
Fail-over Detection: Set the ping server dead gateway detection failover number.
To set the system idle timeout
Go to System > Config > Options. For Idle Timeout, type a number in minutes. A short idle timeout limits how long an unattended administrative session stays usable.
FortiGate unit assumes that the gateway is no longer functioning. Select Apply.
High availability
Fortinet achieves high availability (HA) using redundant hardware and the FortiGate Clustering Protocol (FGCP). Each FortiGate unit in an HA cluster enforces the same overall security policy and shares the same configuration settings. You can add up to 32 FortiGate units to an HA cluster.
Link failover
Device failover
If one of the FortiGate units in an HA cluster fails, all functions, all established...
HA heartbeat failover
a. HA does not provide session failover for PPPoE, DHCP, PPTP, and L2TP services.
FortiGate units can be configured to operate in active-passive (A-P) or active-active (A-A) HA mode.
When the cluster is operating, you can select Cluster Members to view the status of all FortiGate units in the cluster. Status information includes the cluster ID, status, up time, weight, and monitor information. For more information, see “To view the status of each cluster member”.
Mode: All members of the HA cluster must be set to the same HA mode.
Active-Active
Active-Passive: Failover HA. The primary FortiGate unit in the cluster processes all...
Group ID: The group ID range is from 0 to 63. All members of the HA cluster must have the same group ID.
Enter a password for the HA cluster. The password must be the same for all FortiGate units in the HA cluster. The maximum password length is 15 characters. If you have more than one FortiGate HA cluster on the same network, each cluster should have a different password.
Unit priority
Schedule: If you are configuring an active-active cluster, select a load balancing schedule: None, Least-Connection, Round-Robin, Weighted Round-Robin, Random, IP, Port.
Priorities of Heartbeat Device: Enable or disable HA heartbeat communication and set the heartbeat priority for each interface in the cluster.
IP address. This IP address does not affect the heartbeat traffic. In Transparent mode, you can connect the interface to your network.
Default heartbeat device: Port 1
Default priority
Monitor priorities: Enable or disable monitoring a FortiGate interface to verify that the interface is functioning properly and connected to its network. If a monitored interface fails or is disconnected from its network, the interface leaves the cluster. The cluster reroutes the traffic being processed by that interface to the same interface of another cluster unit that still has a connection to the network.
See “To connect a FortiGate HA cluster”, “To change FortiGate host name” on page 29, “Unit Priority”, “Override Master”, and “Schedule”. Use host names to identify...
Then you must connect these interfaces to their networks using the same hub or switch. Fortinet recommends using switches for all cluster connections for the best performance. The FortiGate units in the cluster use cluster ethernet interfaces to communicate cluster session information, synchronize the cluster configuration, and report individual cluster member status.
[Figure: HA cluster connections. The internal, external, and DMZ interfaces of each cluster unit are connected through a hub or switch; the external side connects to a router and the Internet.]
To configure weighted-round-robin weights
By default, in active-active HA mode the weighted round-robin schedule assigns the same weight to each FortiGate unit in the cluster. If you configure a cluster to use the weighted round-robin schedule, from the CLI you can use config system ha weight to configure a weight value for each cluster unit.
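The following Python program is an added example, not part of the Administration Guide and not Fortinet code. It models three of the schedules named above so you can see how new sessions are spread across cluster units: round-robin, weighted round-robin with per-unit weights of the kind set with config system ha weight, and least-connection. The unit names and weights are hypothetical, and the model only decides which unit a new session goes to; it does not reproduce how FGCP itself exchanges session state.

```python
"""Active-active HA session distribution schedules.

Added example, not from the FortiGate-800 Administration Guide and not
Fortinet code. It models three of the schedules the guide names: round-robin,
weighted round-robin (weights as you would set with config system ha weight)
and least-connection. Unit names and weights are hypothetical.
"""


class Scheduler:
    def __init__(self, units, weights=None):
        if not units:
            raise ValueError("a cluster needs at least one unit")
        self.units = list(units)
        # Default behaviour described in the guide: every unit has the same weight.
        self.weights = {u: (weights or {}).get(u, 1) for u in self.units}
        if sum(self.weights.values()) <= 0:
            raise ValueError("at least one unit must have a positive weight")
        self.active = {u: 0 for u in self.units}     # sessions currently on each unit
        self._rr = 0                                  # next unit for round-robin
        self._wrr_unit = 0                            # unit currently served by WRR
        self._wrr_left = self.weights[self.units[0]]  # sessions it still gets this pass

    def round_robin(self):
        unit = self.units[self._rr]
        self._rr = (self._rr + 1) % len(self.units)
        return unit

    def weighted_round_robin(self):
        """Give each unit weight[u] consecutive new sessions, then move on."""
        while self._wrr_left <= 0:                   # skip units whose weight is 0
            self._wrr_unit = (self._wrr_unit + 1) % len(self.units)
            self._wrr_left = self.weights[self.units[self._wrr_unit]]
        unit = self.units[self._wrr_unit]
        self._wrr_left -= 1
        return unit

    def least_connection(self):
        """Pick the unit with the fewest active sessions; ties go to the earlier unit."""
        return min(self.units, key=lambda u: (self.active[u], self.units.index(u)))

    def assign(self, schedule):
        """Hand a new session to the unit chosen by the named schedule."""
        unit = getattr(self, schedule)()
        self.active[unit] += 1
        return unit

    def release(self, unit):
        """A session on `unit` has ended."""
        if self.active[unit] <= 0:
            raise ValueError(f"{unit} has no active sessions")
        self.active[unit] -= 1


def distribute(schedule, n, units, weights=None):
    """Assign n new sessions with the schedule and return sessions per unit."""
    s = Scheduler(units, weights)
    for _ in range(n):
        s.assign(schedule)
    return dict(s.active)
```

Weighted round-robin only changes how new sessions are placed; a unit with a high weight still keeps every session already assigned to it, so raising a weight on a running cluster shifts load gradually rather than immediately.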
Indicates the status of each cluster unit. A green check mark indicates that the cluster unit is operating normally. A red X indicates that the cluster unit cannot communicate with the primary unit.
Up Time, Monitor, CPU Usage, Memory Usage, Active Sessions, Total Packets, Virus Detected
Network Utilization: The total network bandwidth being used by the cluster unit.
Total Bytes
Intrusion Detected: The number of intrusions or attacks detected by the cluster unit.
To view and manage logs for individual cluster units
Connect to the cluster and log into the web-based manager.
The cluster contains fewer FortiGate units. The failed unit no longer appears on the Cluster Members list.
The SNMP manager can read FortiGate system information and can receive FortiGate traps. To monitor FortiGate system information and receive FortiGate traps you must compile Fortinet proprietary MIBs as well as Fortinet-supported standard MIBs into your SNMP manager.
Configuring SNMP
SNMP community, FortiGate MIBs, FortiGate traps, Fortinet MIB fields
Enable the FortiGate SNMP agent. Enter descriptive information about the FortiGate unit. The description can be up to 35 characters long. Enter the physical location of the FortiGate unit. The system location description can be up to 35 characters long.
Figure 35: SNMP community options (part 2)
Community Name: Enter a name to identify the SNMP community.
Hosts: Identify the SNMP managers that can use the settings in this SNMP community to monitor the FortiGate unit. In SNMP v1 and v2c the community name is the only credential and it crosses the network in cleartext, so treat it like a password and restrict Hosts to your actual SNMP managers.
IP Address, Interface, Queries, Traps, SNMP Event
To configure SNMP access to an interface in NAT/Route mode
Before a remote SNMP manager can connect to the FortiGate agent, you must configure one or more FortiGate interfaces to accept SNMP connections. See “To control administrative access to an interface”...
Your SNMP manager might already include standard and private MIBs in a compiled database that is ready to use. You must add the Fortinet proprietary MIBs to this database. If the standard MIBs used by the Fortinet SNMP agent are already compiled into your SNMP manager you do not have to compile them again.
The FortiGate agent can send traps to SNMP managers that you have added to SNMP communities. For SNMP managers to receive traps, you must load and compile the Fortinet trap MIB (file name fortinet.trap.2.80.mib) onto the SNMP manager. All traps include the trap message as well as the FortiGate unit serial number.
On a FortiGate unit with a hard drive, hard drive usage exceeds 90%. On a FortiGate unit without a hard drive, log-to-memory usage exceeds 90%.
Description: A different unit in the HA cluster became the primary unit.
The tables below list the names of the MIB fields and describe the status information available for each one. You can view more details about the information available from all Fortinet MIB fields by compiling the fortinet.2.80.mib file into your SNMP manager and browsing the Fortinet MIB fields.
The source port of the active IP session.
The destination IP address of the active IP session.
The destination port of the active IP session.
The expiry time or time-to-live in seconds for the session.
Replacement messages
Change replacement messages to customize alert email and information that the FortiGate unit adds to content streams such as email messages, web pages, and FTP sessions. The FortiGate unit adds replacement messages to a variety of content streams.
For email this is the IP address of the email server that sent the email containing the virus. For HTTP this is the IP address of the web server that sent the virus. Table 20 lists the...
The name of the web filtering service.
The name of the content category of the web site.
The Fortinet logo.
...and a FortiManager Server.
The remote ID of the FortiManager IPSec tunnel.
The IP Address of the FortiManager Server.
System administration
When the FortiGate unit is first installed, it is configured with a single administrator account with the user name admin. From this administrator account, you can add and edit administrator accounts. You can also control the access level of each of these administrator accounts and control the IP address from which the administrator account can connect to the FortiGate unit.
Setting trusted hosts for all of your administrators can enhance the security of your system. For more information, see “Using trusted hosts” on page 113. For information on access profiles, see “Access profile list” on page 114.
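The following Python program is an added example, not part of the Administration Guide and not Fortinet code. It audits two of the management-access controls this guide describes in one pass: the per-interface allowaccess list (the set allowaccess syntax shown in the Introduction and under Interface settings) and the per-administrator trusted hosts described here. The configuration text is constructed for the example; its config system interface block follows the CLI syntax the guide shows, while the config system admin block with accprofile and trusthost1 settings is an assumption about the CLI of this release, not something the guide reproduces.

```python
"""Audit of management-access settings in a FortiOS-style configuration dump.

Added example, not from the FortiGate-800 Administration Guide and not
Fortinet code. SAMPLE_CONFIG is constructed for the example. The
`config system interface` / `set allowaccess` lines follow the guide's CLI
syntax; the `config system admin` settings (accprofile, trusthostN) are an
assumption about this release's CLI.
"""

SAMPLE_CONFIG = """\
config system interface
    edit internal
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh
    next
    edit external
        set ip 203.0.113.2 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
    edit dmz
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping
    next
end
config system admin
    edit admin
        set accprofile super_admin
    next
    edit netops
        set accprofile netops_profile
        set trusthost1 192.168.1.0 255.255.255.0
    next
end
"""

CLEARTEXT = {"http", "telnet"}       # credentials cross the wire unencrypted
UNTRUSTED_IFACES = {"external"}      # assumption: interface facing a less trusted network


def parse_config(text):
    """Parse the flat config/edit/set/next/end structure into nested dicts."""
    sections, section, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = sections.setdefault(line[7:].strip(), {})
        elif line.startswith("edit ") and section is not None:
            entry = section.setdefault(line[5:].strip().strip('"'), {})
        elif line.startswith("set ") and entry is not None:
            key, *values = line[4:].split()
            entry[key] = values
        elif line == "next":
            entry = None
        elif line == "end":
            section = entry = None
    return sections


def audit(text):
    """Return (severity, finding) tuples, highest severity first."""
    cfg = parse_config(text)
    findings = []
    for name, settings in cfg.get("system interface", {}).items():
        access = set(settings.get("allowaccess", []))
        clear = access & CLEARTEXT
        if clear:
            sev = "high" if name in UNTRUSTED_IFACES else "medium"
            findings.append((sev, f"interface {name}: cleartext management access {sorted(clear)}"))
        if "snmp" in access and name in UNTRUSTED_IFACES:
            findings.append(("medium", f"interface {name}: SNMP agent reachable from untrusted network"))
    for name, settings in cfg.get("system admin", {}).items():
        if not any(key.startswith("trusthost") for key in settings):
            findings.append(("medium", f"admin {name}: no trusted hosts, login allowed from any address"))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f[0]])


if __name__ == "__main__":
    for severity, finding in audit(SAMPLE_CONFIG):
        print(f"{severity:6} {finding}")
```

Run against the constructed configuration, the audit flags the external interface for HTTP and Telnet, the external interface for SNMP, and the admin account for having no trusted hosts; the internal interface, the DMZ interface, and the netops account produce no findings. The parser handles only the flat two-level structure shown; nested config blocks inside an edit entry would need a small stack.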
To configure an administrator account
Go to System > Admin > Administrators. Select Create New to add an administrator account or select the Edit icon to make changes to an existing administrator account. Type a login name for the administrator account. Type and confirm a password for the administrator account.
Allow or deny access to the system status, interface, virtual domain, HA, routing, option, SNMP, time, and replacement message features.
Allow or deny access to the log setting, log access, and alert email features.
Allow or deny access to the authorized users feature.
Page 115
Admin Users
FortiProtect Update
System Shutdown

To configure an access profile
Go to System > Admin > Access Profile.
Select Create New to add an access profile, or select the Edit icon to edit an existing access profile.
Enter a name for the access profile.
System maintenance
Use the web-based manager to maintain the FortiGate unit.

Backup and restore
You can back up the system configuration, VPN certificates, and web and spam filtering files to the management computer. You can also restore the system configuration, VPN certificates, and web and spam filtering files from previously downloaded backup files.
Figure 44: Backup and restore list
Category  Latest Backup...
IPS User-Defined Signatures: Upload or download IPS signatures.
All Certificates: Restore or back up all VPN certificates in a single password-protected file. See “To back up VPN certificates” and “To restore VPN certificates” on page 119.
Page 119
Select OK to restore all configuration files to the FortiGate unit. The FortiGate unit restarts, loading the new configuration files. Reconnect to the web-based manager and review your configuration to confirm that the uploaded configuration files have taken effect.

To back up individual categories
Go to System >...
• User-initiated updates from the FDN
• Hourly, daily, or weekly scheduled antivirus and attack definition and antivirus...
To receive scheduled updates and push updates, you must register the FortiGate unit on the Fortinet support web page. See “To enable scheduled updates” on page 125.
Page 121
FortiGate-800 Administration Guide
Figure 45: Update center
FortiProtect Distribution Network: The status of the connection to the FortiProtect Distribution Network (FDN). Available means that the FortiGate unit can connect to the FDN.
Push Update
Refresh
Use override server address
You can configure the FortiGate unit for scheduled updates.
The update attempt occurs at a randomly determined time within the selected hour.
Select Update Now to manually initiate an update.
Select Apply to save update settings.
Page 123
To update antivirus and attack definitions
Go to System > Maintenance > Update center.
Select Update Now to update the antivirus and attack definitions and engines.
If the connection to the FDN or override server is successful, the web-based manager displays a message similar to the following: Your update request has been sent.
Page 124
config system autoupdate tunneling
    set address <proxy-address_ip>
    set port <proxy-port>
    set username <username_str>
    set password <password_str>
    set status enable
end

Example: tunnel updates through a proxy at 67.35.50.34, port 8080.
config system autoupdate tunneling
    set address 67.35.50.34
    set port 8080
    set username proxy_user
    set password proxy_pwd
    set status enable
end
There are no special tunneling requirements if you have configured an override server address to connect to the FDN.

Enabling push updates
The FDN can push updates to FortiGate units to provide the fastest possible response to critical situations. You must register the FortiGate unit before it can receive push updates.
In the External Interface section, select the external interface that the FDN connects to.
In the Type section, select Port Forwarding.
In the External IP Address section, type the external IP address that the FDN connects to.
Type the External Service Port that the FDN connects to.
Page 127
In the Map to IP section, type the IP address of the FortiGate unit on the internal network. If the FortiGate unit is operating in NAT/Route mode, enter the IP address of the external interface. If the FortiGate unit is operating in Transparent mode, enter the management IP address.
Support
You can use the Support page to report problems with the FortiGate unit to Fortinet Support or to register your FortiGate unit with the FortiProtect Distribution Server (FDS).
Figure 46: Support
Report Bug
FDS Registration: Select FDS Registration to register the FortiGate unit with Fortinet.
After purchasing and installing a new FortiGate unit, you can register the unit using the web-based manager by going to the System Update Support page, or by using a web browser to connect to http://support.fortinet.com and selecting Product Registration. Registration consists of entering your contact information and the serial numbers of the FortiGate units that you or your organization purchased.
Page 130
For maximum network protection, Fortinet strongly recommends that all customers purchase a service contract that covers antivirus and attack definition updates. See your Fortinet reseller or distributor for details of packages and pricing. To activate the FortiCare Support Contract, you must register the FortiGate unit and add the FortiCare Support Contract number to the registration information.
Page 131
A web page is displayed that contains detailed information about the Fortinet technical support services available to you for the registered FortiGate unit. Your Fortinet support user name and password are sent to the email address provided with your contact information.
Caution: This procedure deletes all changes that you have made to the FortiGate configuration and reverts the system to its original configuration, including resetting interface addresses.
Go to System > Maintenance > Shutdown.
Select Reset to factory default.
Page 133
Select Apply. The FortiGate unit restarts with the configuration that it had when it was first powered on.
Reconnect to the web-based manager and review the system configuration to confirm that it has been reset to the default settings.
System virtual domain
FortiGate virtual domains provide multiple logical firewalls and routers in a single FortiGate unit. Using virtual domains, one FortiGate unit can provide exclusive firewall and routing services to multiple networks so that traffic from each network is effectively separated from every other network.
• “To select a management virtual domain”
• “To configure routing for a virtual domain”
• “To configure the routing ...”
• “To add IP pools to a virtual domain”
• “To add Virtual IPs to a virtual domain”
These procedures are on pages 140 to 144.
Shared configuration settings
The following configuration settings are shared by all virtual domains. Even if you have configured multiple virtual domains, there are no changes to how you configure the following settings.
A check mark icon in this column indicates that this is the domain used for system management.
Delete icon: Select to delete a virtual domain. You cannot delete the root virtual domain or a domain that is used for system management.
See the following procedures for configuring virtual domains.

Adding a virtual domain
To add a virtual domain
Go to System > Virtual domain.
Select Create New.
Enter a virtual domain Name.
Go to System > Network > Interface.

Adding interfaces, VLAN subinterfaces, and zones to a virtual domain
Configuring routing for a virtual domain
Configuring firewall policies for a virtual domain
Configuring IPSec VPN for a virtual domain
Page 141
Set Virtual domain to All or to the name of the virtual domain that currently contains the interface.
Select Edit for the physical interface you want to move.
Choose the Virtual Domain to which to move the interface.
Select OK.
... on page 58.
Any zones that you add are added to the current virtual domain. See “Router” on page 145.
Network traffic entering this virtual domain is routed only ... See “Routing table (Transparent Mode)” on page 61.
Network traffic entering this ...
Page 143
Select Create New to add firewall policies to the current virtual domain. The policies can use only interfaces, VLAN subinterfaces, or zones added to the current virtual domain. The firewall policies that you add are only visible when you are viewing the current virtual domain.
Select Change following the current virtual domain name above the table.
Choose the virtual domain for which to configure VPN.
Select OK.
Go to VPN.
Configure IPSec VPN, PPTP, L2TP, and certificates as required. See “VPN” on page 247.
Router
This chapter describes how to configure FortiGate routing and RIP.

Static
A static route specifies where to forward packets that have a particular destination IP address. Static routes control traffic exiting the FortiGate unit: you can specify through which interface the packet will leave and to which device the packet should be routed.
Page 146
Figure labels: FortiGate_1; Internal network 192.168.20.0/24
Default route settings:
Destination IP/mask: 0.0.0.0/0.0.0.0
Gateway: 192.168.10.1
Device: Name of the interface connected to network 192.168.10.0/24 (e.g. external).
Distance: 10
In Figure 51, the FortiGate unit must be configured with static routes to ...
Figure 51: Destinations on networks behind internal routers
To route packets from Network_1 to Network_2, Router_1 must be configured to use the FortiGate internal interface as its default gateway. On the FortiGate unit, you would create a new static route with these settings:
Destination IP/mask: 192.168.30.0/24
Gateway: 192.168.10.2
Device: dmz...
Enter the administrative distance for the route. Using administrative distance you can specify the relative priorities of different routes to the same destination. A lower administrative distance indicates a more preferred route. Distance can be an integer from 1 to 255.
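The lookup behind these settings, shown as an added example in Python (not code from this guide or from Fortinet): the candidate routes are those whose destination prefix contains the packet's address; the most specific prefix wins and, among routes to the same prefix, the lowest administrative distance. The longest-prefix rule is standard routing behaviour and an assumption here; the route table is constructed from the figures above, with a second, less-preferred path to 192.168.30.0/24 added to show the distance tie-break.

```python
# Added example (not from the FortiGate guide): how a static route table is consulted.
# Assumption: standard lookup, longest matching prefix first, then the lowest
# administrative distance among routes to the same prefix. Routes are constructed
# from the settings shown in the guide's figures.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class StaticRoute:
    dest: str       # Destination IP/mask, e.g. "192.168.30.0/24"; "0.0.0.0/0" is the default route
    gateway: str    # next-hop router address
    device: str     # outgoing interface name
    distance: int   # administrative distance; lower is preferred

    def __post_init__(self) -> None:
        if not 1 <= self.distance <= 255:
            raise ValueError("administrative distance must be an integer from 1 to 255")
        ipaddress.ip_network(self.dest, strict=False)   # reject a malformed prefix early

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.dest, strict=False)


def lookup(routes: List[StaticRoute], dst_ip: str) -> Optional[StaticRoute]:
    """Return the route that carries a packet to dst_ip, or None if nothing matches."""
    dst = ipaddress.ip_address(dst_ip)
    candidates = [r for r in routes if dst in r.network]
    if not candidates:
        return None
    # Most specific prefix first, then the lowest distance.
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.distance))


# Constructed table: the default route from the guide's first figure plus the
# route to 192.168.30.0/24 behind Router_1, with a second, less-preferred path.
ROUTES = [
    StaticRoute("0.0.0.0/0", "192.168.10.1", "external", 10),
    StaticRoute("192.168.30.0/24", "192.168.10.2", "dmz", 10),
    StaticRoute("192.168.30.0/24", "192.168.10.3", "dmz", 20),  # used only if the first is removed
]


def next_hop(routes: List[StaticRoute], dst_ip: str) -> Optional[str]:
    r = lookup(routes, dst_ip)
    return None if r is None else f"{r.gateway} via {r.device}"


if __name__ == "__main__":
    for ip in ("192.168.30.7", "8.8.8.8"):
        print(ip, "->", next_hop(ROUTES, ip))
```

Removing the distance-10 route to 192.168.30.0/24 makes the distance-20 route take over without touching the default route, which is the failover behaviour the distance field is for.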
Figure 54: Move a static route
For Move to, select either Before or After and type the number of the route that you want to place this route before or after.
Select OK. The route is displayed in the new location on the static route list.

Policy
Using policy routing you can configure the FortiGate unit to route packets based on:
• ...
Match packets that have this destination IP address and netmask.
Match packets that have this destination port range. To match a single port, enter the same port number for both From and To.
Send packets that match this policy route to this next hop router.
The FortiGate implementation of the Routing Information Protocol (RIP) supports both RIP version 1, as defined by RFC 1058, and RIP version 2, as defined by RFC 2453. RIP version 2 enables RIP messages to carry more information, and to support simple authentication and subnet masks.
Page 152
Enter the metric to be used for the redistributed static routes.
Enter the name of the route map to use for the redistributed static routes. For information on how to configure route maps, see “Route-map list” on page 162.
Networks list
Identify the networks for which to send and receive RIP updates. If a network is not specified, interfaces in that network will not be advertised in RIP updates.
Figure 58: RIP Networks list
Create New: Add a new RIP network.
IP/Netmask: The IP address and netmask for the RIP network.
Select Regular to prevent RIP from sending updates for a route back out the interface from which it received that route.
Select Poisoned reverse to send updates with routes learned on an interface back out the same interface, but with the routes marked as unreachable.
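What those two settings change in the update a RIP speaker sends, as an added example in Python (a toy model written for this page, not Fortinet code): the routing table, interface names and metrics are constructed; RIP_INFINITY = 16 is the RFC 2453 unreachable metric, and the receive side adds one hop as RFC 2453 describes. The example also shows why split horizon matters: without it a neighbour hears its own route back from us and, if its link fails, can keep believing the destination is reachable through us.

```python
# Added example (not Fortinet code): what a RIP speaker advertises out of an interface
# under the three split-horizon settings the guide describes, and how a neighbour
# applies that update. Toy model of RFC 2453 behaviour; RIP_INFINITY = 16 is the
# protocol's "unreachable" metric. The routing table below is constructed.
from typing import Dict, List, Tuple

RIP_INFINITY = 16

# network -> (interface the route was learned on, metric)
RoutingTable = Dict[str, Tuple[str, int]]

TABLE: RoutingTable = {
    "10.1.0.0/16": ("internal", 1),
    "10.2.0.0/16": ("dmz", 2),
    "10.3.0.0/16": ("external", 3),
}


def build_update(table: RoutingTable, out_iface: str, mode: str) -> List[Tuple[str, int]]:
    """Return the (network, metric) entries sent out of out_iface.

    mode "none":     no split horizon; every route is advertised everywhere.
    mode "regular":  routes learned on out_iface are not sent back out of it.
    mode "poisoned": they are sent back, but with the metric set to RIP_INFINITY.
    """
    if mode not in ("none", "regular", "poisoned"):
        raise ValueError(f"unknown split-horizon mode {mode!r}")
    update: List[Tuple[str, int]] = []
    for net, (learned_on, metric) in sorted(table.items()):
        if learned_on == out_iface:
            if mode == "regular":
                continue
            if mode == "poisoned":
                update.append((net, RIP_INFINITY))
                continue
        update.append((net, metric))
    return update


def receive(table: RoutingTable, in_iface: str, update: List[Tuple[str, int]]) -> RoutingTable:
    """Apply an update heard on in_iface (RFC 2453 style: add one hop, cap at infinity)."""
    new = dict(table)
    for net, metric in update:
        m = min(metric + 1, RIP_INFINITY)
        current = new.get(net)
        if current is None:
            if m < RIP_INFINITY:
                new[net] = (in_iface, m)
        elif current[0] == in_iface or m < current[1]:
            # Same next hop: always take its latest metric, including a poison.
            # Different next hop: accept only if strictly better.
            new[net] = (in_iface, m)
    return new


def echoes_route_back(mode: str) -> bool:
    """Does the route learned on dmz get re-advertised out of dmz as reachable?"""
    return any(net == "10.2.0.0/16" and metric < RIP_INFINITY
               for net, metric in build_update(TABLE, "dmz", mode))
```

With Regular the route is simply absent from the update; with Poisoned reverse it is present with metric 16, so a neighbour that still holds the route via us replaces it with unreachable immediately instead of waiting for its timer to expire.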
Authentication
Password
Key-chain

To configure a RIP interface
Go to Router > RIP > Interface.
Select the Edit icon beside an interface to configure that interface.
Select a Send Version if you want to override the default send version for this interface.
Select the name of the interface to apply this distribute list to. If you do not specify an interface, the distribute list is used for all interfaces.
Select Enable to enable the distribute list.
Select or clear the Enable check box to enable or disable this distribute list.
Select OK.

Offset list
Use offset lists to add the specified offset to the metric of a route.
Note: By default, all offset lists for the root virtual domain are displayed. If you create additional virtual domains, only the offset lists belonging to the current virtual domain are displayed.
Add a new access list name. An access list and a prefix list cannot have the same name.
The access list name.
The action to take for the prefix in an access list entry.
The prefix in an access list entry.
The Delete, Add access-list entry, and Edit icons.
New access list
Figure 67: Access list name configuration
To add an access list name
Go to Router > Router Objects > Access List.
Select Create New.
Enter a name for the access list.
Select OK.

New access list entry
Figure 68: Access list entry configuration
Entry
Action...
The action to take for the prefix in a prefix list entry.
The prefix in a prefix list entry.
The greater than or equal to number.
The less than or equal to number.
The Delete, Add prefix-list entry, and Edit icons.
New prefix list entry
Figure 71: Prefix list entry configuration
Entry
Action
Prefix
Greater or equal to: Match prefix lengths that are greater than or equal to this number.
Less or equal to

To configure a prefix list entry
Go to Router >...
Add a new route map name.
The route map name.
The action to take for this entry in the route map.
The rules for a route map entry.
The Delete, Add route-map entry, and Edit icons.
Route-map list entry
Figure 74: Route map entry configuration
Route-map entry
Action
Match: Interface, Address, Next-hop, Metric, Route Type
Set: Next-hop, Metric, Metric Type

To configure a route map entry
Go to Router > Router Objects > Route Map.
Select the Add route-map entry icon to add a new route map entry or select the Edit icon beside an existing route map entry to edit that entry.
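How a prefix list entry's Greater-or-equal and Less-or-equal bounds decide a match, and how a route map entry chains a prefix-list match to a Set Metric action, as an added Python example that serves both the prefix list and route map sections above (written for this page, not Fortinet code). The guide shows these only as web-manager fields; the evaluation order used here (first matching entry decides, implicit deny when nothing matches) is the conventional one and is an assumption, as are the prefixes and metrics, which are constructed.

```python
# Added example (not Fortinet code): how a prefix list entry with "Greater or equal to"
# and "Less or equal to" bounds matches a route, and how a route map entry chains a
# match on that prefix list to a "set metric" action. Evaluation order (first matching
# entry decides, implicit deny when nothing matches) is conventional and an assumption.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PrefixEntry:
    action: str               # "permit" or "deny"
    prefix: str               # e.g. "10.0.0.0/8"
    ge: Optional[int] = None  # Greater or equal to: minimum prefix length to match
    le: Optional[int] = None  # Less or equal to: maximum prefix length to match

    def matches(self, route: str) -> bool:
        entry = ipaddress.ip_network(self.prefix, strict=False)
        net = ipaddress.ip_network(route, strict=False)
        if net.version != entry.version or not net.subnet_of(entry):
            return False
        lo = entry.prefixlen if self.ge is None else self.ge
        if self.le is not None:
            hi = self.le
        elif self.ge is not None:
            hi = net.max_prefixlen          # ge alone: anything at least that long
        else:
            hi = entry.prefixlen            # neither bound: exact length only
        return lo <= net.prefixlen <= hi


def prefix_list_permits(entries: List[PrefixEntry], route: str) -> bool:
    for e in entries:
        if e.matches(route):
            return e.action == "permit"
    return False  # implicit deny


@dataclass(frozen=True)
class RouteMapEntry:
    action: str                                    # "permit" or "deny"
    match_prefix_list: Optional[List[PrefixEntry]] = None
    set_metric: Optional[int] = None


def apply_route_map(entries: List[RouteMapEntry], route: str, metric: int) -> Tuple[bool, int]:
    """Return (accepted, metric) for the first entry whose match clauses succeed."""
    for e in entries:
        if e.match_prefix_list is not None and not prefix_list_permits(e.match_prefix_list, route):
            continue
        if e.action == "deny":
            return False, metric
        return True, metric if e.set_metric is None else e.set_metric
    return False, metric   # no entry matched: the route is not redistributed


# Constructed objects: accept only 10.0.0.0/8 subnets between /24 and /30 and
# redistribute them with metric 5; everything else is dropped by the final deny.
SMALL_10_NETS = [PrefixEntry("permit", "10.0.0.0/8", ge=24, le=30)]
ROUTE_MAP = [
    RouteMapEntry("permit", match_prefix_list=SMALL_10_NETS, set_metric=5),
    RouteMapEntry("deny"),
]
```

The bounds are what make a prefix list different from an access list: 10.0.0.0/8 with neither bound matches only the /8 itself, with ge=24 and le=30 it matches the subnets inside it that a redistribution policy usually wants and nothing larger or more specific.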
The time period in which to accept a key.
The time period in which to send a key.
The start and end times for the accept and send lifetimes.
The Delete, Add key-chain entry, and Edit icons.
Enter a name for the key chain.
Select OK.

Key chain list entry
Figure 77: Key chain entry configuration
Key-chain entry
Accept Lifetime
Send Lifetime
Start

To configure a key chain entry
Go to Router > Router Objects > Key-chain.
Select the Add key-chain entry icon to add a new key chain entry or select the Edit icon beside an existing key chain entry to edit that entry.
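How the accept and send lifetimes drive a key rollover, as an added Python example (written for this page, not Fortinet code): at any moment one key is chosen to sign outgoing RIP updates and a possibly larger set of keys is accepted on incoming ones, so the old key can stay accepted for a grace period after it stops being sent. Assumptions: lifetimes are half-open [start, end), the lowest key id wins when several keys are sendable, the secrets and timestamps are constructed, and the constant-time comparison stands in for whatever the appliance does internally.

```python
# Added example (not Fortinet code): which key in a RIP key chain signs outgoing
# updates, and which keys are accepted on incoming ones, at a given time, following
# the accept/send lifetime fields the guide describes. Assumptions: lifetimes are
# half-open [start, end); the lowest key id wins when several keys are sendable;
# the chain, secrets and timestamps below are constructed.
import hmac
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional


@dataclass(frozen=True)
class KeyChainEntry:
    key_id: int
    key_string: str
    accept_start: datetime
    accept_end: datetime
    send_start: datetime
    send_end: datetime


def key_to_send(chain: List[KeyChainEntry], now: datetime) -> Optional[KeyChainEntry]:
    sendable = [k for k in chain if k.send_start <= now < k.send_end]
    return min(sendable, key=lambda k: k.key_id) if sendable else None


def accepted_keys(chain: List[KeyChainEntry], now: datetime) -> List[KeyChainEntry]:
    return [k for k in chain if k.accept_start <= now < k.accept_end]


def verify_update(chain: List[KeyChainEntry], now: datetime, key_id: int, key_string: str) -> bool:
    """Accept an update only if it names a key inside its accept lifetime and the secret matches."""
    for k in accepted_keys(chain, now):
        if k.key_id == key_id and hmac.compare_digest(k.key_string.encode(), key_string.encode()):
            return True
    return False


def rollover_gap(chain: List[KeyChainEntry], now: datetime) -> bool:
    """True if there is no key to send with at `now`: a chain with a hole in its send
    lifetimes silently stops producing authenticated updates."""
    return key_to_send(chain, now) is None


# Constructed rollover: key 1 stops being sent at 12:00 on 5 Nov 2004 but is still
# accepted for one hour afterwards, so neighbours that switch late are not cut off;
# key 2 is accepted from 11:00 and sent from 12:00.
ROLLOVER = datetime(2004, 11, 5, 12, 0)
CHAIN = [
    KeyChainEntry(1, "old-shared-secret",
                  accept_start=datetime(2004, 11, 1), accept_end=datetime(2004, 11, 5, 13, 0),
                  send_start=datetime(2004, 11, 1), send_end=ROLLOVER),
    KeyChainEntry(2, "new-shared-secret",
                  accept_start=datetime(2004, 11, 5, 11, 0), accept_end=datetime(2005, 1, 1),
                  send_start=ROLLOVER, send_end=datetime(2005, 1, 1)),
]
```

The overlap is the point of having separate accept and send lifetimes: the send windows abut at 12:00, while the accept windows overlap from 11:00 to 13:00, so routers whose clocks or restarts put them a little behind keep exchanging updates. Set the two windows identical and any clock skew becomes an outage.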
The subtype for the route.
The network for the route.
The administrative distance of the route.
The metric for the route.
The gateway used by the route.
The interface used by the route.
How long the route has been available.
Specify the network for which to display routes.
Specify a gateway to display the routes using that gateway.
Select Apply Filter.
Note: You can configure Type, Network, and Gateway filters individually or in any combination.

CLI configuration
This guide only covers Command Line Interface (CLI) commands, keywords, or variables (in bold) that are not represented in the web-based manager.
config router ospf
    set <keyword> <variable>
    unset <keyword>
    config area
    config distribute-list
    config neighbor
    config network
    config ospf-interface
    config redistribute
end
get router ospf
show router ospf
Availability: all models.
Page 169
Note: In the following table, only the router-id keyword is required. All other keywords are optional.
ospf command keywords and variables
abr-type {cisco | ibm | shortcut | standard}
database-overflow {disable | enable}
database-overflow-max-lsas <lsas_integer>
database-overflow-time-to-recover <seconds_integer>...
Page 170
CPU. A setting of 0 for spf-timers can quickly use up all available CPU.

Example
config router ospf
    set router-id 1.1.1.1
end
Page 171
This example shows how to display the OSPF configuration.

config area
Access the config area subcommand using the config router ospf command. Use this command to set OSPF area related parameters. Routers in an OSPF autonomous system (AS) or routing domain are organized into logical groupings called areas.
Page 172
Enable or disable redistributing routes into a NSSA area.
Page 173
area command keywords and variables (Continued)
nssa-translator-role {always | candidate | never}
shortcut {default | disable | enable}
stub-type {no-summary | summary}
type {nssa | regular | stub}

Example
This example shows how to configure a stub area with the id 15.1.1.1, a stub type of summary, a default cost of 20, and MD5 authentication.
Page 174
Set the direction for the filter. Enter in to filter incoming packets. Enter out to filter outgoing packets.
Enter the name of the access list or prefix list to use for this filter list.
Page 175
Example
This example shows how to use an access list named acc_list1 to filter packets entering area 15.1.1.1.
This example shows how to display the settings for area 15.1.1.1.
This example shows how to display the configuration for area 15.1.1.1.

config range
Access the config range subcommand using the config area command.
Page 176
Enable or disable using a substitute prefix. Default: disable. Availability: all models.

Example
config router ospf
    config area
        edit 15.1.1.1
            config range
                edit 1
                    set prefix 1.1.0.0 255.255.0.0
                next
            end
        next
    end
end
Page 177
config virtual-link
Access the config virtual-link subcommand using the config area command. Use virtual links to connect an area to the backbone when the area has no direct connection to the backbone. A virtual link allows traffic from the area to transit a directly connected area to reach the backbone.
Page 178
The router id of the remote ABR. 0.0.0.0 is not allowed.
Page 179
virtual-link command keywords and variables (Continued)
retransmit-interval <seconds_integer>
transmit-delay <seconds_integer>

Example
This example shows how to configure a virtual link.
This example shows how to display the settings for area 15.1.1.1.
This example shows how to display the configuration for area 15.1.1.1.

config distribute-list
Access the config distribute-list subcommand using the config router ospf command.
Page 180
Enter the name of the access list to use for this distribute list.
Advertise only the routes discovered by the specified protocol and that are permitted by the named access list.
Page 181
This example shows how to display the settings for distribute list 2.
This example shows how to display the configuration for distribute list 2.

config neighbor
Access the config neighbor subcommand using the config router ospf command. Use this command to manually configure an OSPF neighbor on nonbroadcast networks.
Page 182
config router ospf
    config neighbor
        edit 1
            set ip 192.168.21.63
        next
    end
end

config router ospf
    config neighbor
        edit 1
            show
config network
Access the config network subcommand using the config router ospf command. Use this command to identify the interfaces to include in the specified OSPF area. The prefix keyword can define one or multiple interfaces.
config network command syntax pattern
network command keywords and variables
Keywords and variables...
Page 185
ospf-interface command keywords and variables
authentication {md5 | none | text}: Use the authentication keyword to define the authentication used for OSPF packets sent and received by this interface.
authentication-key <password_str>
cost <cost_integer>
database-filter-out {disable | enable}
dead-interval <seconds_integer>
Page 186
... MTUs so that they match.
Page 187
ospf-interface command keywords and variables (Continued)
network-type {broadcast | non-broadcast | point-to-multipoint | point-to-point}: Specify the type of network to which the interface is connected.
priority <priority_integer>
retransmit-interval <seconds_integer>
status {disable | enable}
transmit-delay <seconds_integer>
config router ospf
    config ospf-interface
        edit test
            set ip 192.168.20.3
            set authentication text
            set authentication-key a2b3c4d5e
        next
    end
end

config router ospf
    config ospf-interface
        edit test
            show
Page 189
config redistribute command syntax pattern
redistribute command keywords and variables
metric <metric_integer>
metric-type {1 | 2}: Specify the external link type to be used
routemap <name_str>: Enter the name of the route map to use
status {disable | enable}
tag <tag_integer>...
Page 190
Specify a tag for the summary route. The valid range for tag_integer is 0 to 4294967295.

Example
config router ospf
    config summary-address
        edit 5
            set prefix 10.0.0.0 255.0.0.0
        next
    end
end
get router ospf
This example shows how to display the OSPF configuration.

config router static6
Use this command to add, edit, or delete static routes for IPv6 traffic. Add static routes to control the destination of traffic exiting the FortiGate unit. You configure routes by adding destination IP addresses and netmasks and adding gateways for these destination addresses.
Page 192
This example shows how to display the configuration for IPv6 static route 2.

config router static6
    edit 2
        set dev internal
        set dst 12AB:0:0:CD30::/60
        set gateway 12AB:0:0:CD30:123:4567:89AB:CDEF
    next
end
get router static6
get router static6 2
show router static6
show router static6 2
Firewall
Firewall policies control all traffic passing through the FortiGate unit. Firewall policies are instructions that the FortiGate unit uses to decide what to do with a connection request. When the firewall receives a connection request in the form of a packet, it analyzes the packet to extract its source address, destination address, and service (by port number).
This chapter describes:
• How policy matching works
• Policy list
• Policy options
• Advanced policy options
• Configuring firewall policies

Policy list
You can add, delete, edit, re-order, enable, and disable policies in the policy list.
Figure 79: Sample policy list
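A minimal model of the matching the chapter describes, as an added Python example (written for this page, not Fortinet code): source, destination and service are extracted from the packet, the policy list is walked from the top, and the first enabled policy whose interface pair, addresses and service match decides the action. Address forms (All, subnet, range) follow the Address section and service forms (TCP/UDP port ranges, ICMP type and code, IP protocol number) follow the Service section further on. Assumptions: schedules are treated as always active, a connection that matches no policy is dropped, and the policies, services and packets are constructed.

```python
# Added example (not Fortinet code): first-match policy evaluation. Assumptions: schedules
# are always active, a connection matching no policy is dropped, and the policy list,
# services and packets below are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int            # IP protocol number: 6 TCP, 17 UDP, 1 ICMP, ...
    dport: int = 0        # TCP/UDP destination port
    icmp_type: int = -1
    icmp_code: int = -1


def addr_matches(addr: str, ip: str) -> bool:
    """Firewall address: 'All', 'ip/mask' (subnet) or 'first-last' (range)."""
    if addr == "All":
        return True
    ipa = ipaddress.ip_address(ip)
    if "-" in addr:
        first, last = (ipaddress.ip_address(x.strip()) for x in addr.split("-", 1))
        return first <= ipa <= last
    return ipa in ipaddress.ip_network(addr, strict=False)


@dataclass(frozen=True)
class Service:
    name: str
    proto: int
    dports: Tuple[Tuple[int, int], ...] = ()   # destination port ranges (TCP/UDP)
    icmp: Optional[Tuple[int, int]] = None     # (type, code); code -1 means any code

    def matches(self, p: Packet) -> bool:
        if p.proto != self.proto:
            return False
        if self.proto in (6, 17):
            return any(lo <= p.dport <= hi for lo, hi in self.dports)
        if self.proto == 1 and self.icmp is not None:
            t, c = self.icmp
            return p.icmp_type == t and (c == -1 or p.icmp_code == c)
        return True   # IP custom service: the protocol number alone selects it


HTTP = Service("HTTP", 6, ((80, 80),))
HTTPS = Service("HTTPS", 6, ((443, 443),))
DNS_UDP = Service("DNS_UDP", 17, ((53, 53),))
PING = Service("PING", 1, icmp=(8, -1))         # ICMP echo request, any code
WEB = (HTTP, HTTPS)                             # a service group


@dataclass(frozen=True)
class Policy:
    src_if: str
    dst_if: str
    src: str
    dst: str
    services: Tuple[Service, ...]
    action: str          # "ACCEPT" or "DENY"
    enabled: bool = True


def match_policy(policies, p: Packet, src_if: str, dst_if: str) -> Optional[Policy]:
    for pol in policies:
        if not pol.enabled or (pol.src_if, pol.dst_if) != (src_if, dst_if):
            continue
        if not (addr_matches(pol.src, p.src) and addr_matches(pol.dst, p.dst)):
            continue
        if any(s.matches(p) for s in pol.services):
            return pol          # first match wins; later policies are never consulted
    return None


def decide(policies, p: Packet, src_if: str, dst_if: str) -> str:
    pol = match_policy(policies, p, src_if, dst_if)
    return pol.action if pol is not None else "DROP"


# Constructed policy list, internal -> external, in the order the firewall consults it.
POLICIES = (
    Policy("internal", "external", "192.168.1.0/24", "All", WEB, "ACCEPT"),
    Policy("internal", "external", "192.168.1.10-192.168.1.20", "All", (PING,), "ACCEPT"),
    Policy("internal", "external", "192.168.1.0/24", "All", (DNS_UDP,), "DENY"),
    Policy("internal", "external", "All", "All", (DNS_UDP,), "ACCEPT"),
)
```

The third and fourth policies show why order matters: DNS from 192.168.1.0/24 is denied because the narrower DENY sits above the broad ACCEPT, while DNS from any other internal address reaches the ACCEPT. Swapping them would silently allow everything. Disabling a policy removes it from matching without deleting it.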
Page 195
The policy list has the following icons and features.
Create new: Select Create New to add a firewall policy.
Source
Dest
Schedule
Service
Action
Enable
source -> destination (n): Policy list headings indicating the traffic to which the policy ...
Figure 80: Move to options
Select a service or protocol to which the policy will apply. You can select from a wide range of predefined services or add custom services and service groups. See “Service” on page 206.
See also “Addresses” on page 202, “Virtual IP” on page 218, and “Schedule” on page 214.
Page 197
Action
VPN Tunnel
Protection Profile
Log Traffic
Advanced
Action: Select how you want the firewall to respond when the policy matches a connection attempt.
• ACCEPT: Select accept to accept connections matched by the policy. You can also configure NAT and Authentication for the policy.
• ...
... HTTP, Telnet, and FTP. Then users could authenticate with the policy using HTTP, Telnet, or FTP before using the other service. See page 243.
In most cases you should make sure that users can use DNS through the firewall without authentication. If DNS is not available, users cannot connect to a web, FTP, or Telnet server using a domain name.

Traffic Shaping
Traffic Shaping controls the bandwidth available to, and sets the priority of, the traffic processed by the policy.
Set the DSCP value for reply packets. For example, for an Internal -> External policy the value is applied to incoming reply packets before they exit the internal interface and return to the originator.
See “How policy matching works” on page 194 and “Policy options” on page 196.
Select the position for the policy.
Select OK.

To disable a policy
Disable a policy to temporarily prevent the firewall from selecting the policy. Disabling a policy does not stop active communications sessions that have been allowed by the policy.
... 192.168.110.* to represent all addresses on the subnet.
• Address list
• Address options
• Configuring addresses
• Address group list
• Address group options
• Configuring address groups
Address list
You can add addresses to the list and edit existing addresses. The FortiGate unit comes configured with the default ‘All’ address, which represents any IP address on the network.
Figure 84: Sample address list
The address list has the following icons and features.
Create New
Name
Address...
The netmask for a class B subnet should be 255.255.0.0. The netmask for a class C subnet should be 255.255.255.0. The netmask for all addresses should be 0.0.0.0.
A range of IP addresses in a subnet (for example, 192.168.20.1 to 192.168.20.10)
Address group list
You can organize related addresses into address groups to make it easier to configure policies. For example, if you add three addresses and then configure them in an address group, you can configure a single policy using all three addresses.
Note: If an address group is included in a policy, it cannot be deleted unless it is first removed from the policy.
This section describes:
• Predefined service list
• Custom service list
• Custom service options
• Configuring custom services
• Service group list
• Service group options
• Configuring service groups
Predefined service list
Figure 88: Predefined service list
The predefined services list has the following icons and features.
Name: The name of the predefined service.
Detail: The protocol for each predefined service.
Table 21 ... to any policy.
Table 21: FortiGate predefined services
Service name: DHCP
Page 208
OSPF: Open Shortest Path First (OSPF) routing protocol. OSPF is a common link state routing protocol.
PC-Anywhere: PC-Anywhere is a remote control and file transfer protocol. Port 5632.
Other values in the Protocol/Port column of this table page: 1720, 1503; 6660-6669; 1701; 1720; 111, 2049.
Page 209
Table 21: FortiGate predefined services (Continued)
Service name: ICMP_ANY, PING, TIMESTAMP, INFO_REQUEST, INFO_ADDRESS, POP3, PPTP, QUAKE, RAUDIO, RLOGIN, SIP-MSNmessenger, SMTP, SNMP, SYSLOG, TALK, TELNET, TFTP, UUCP, VDOLIVE
ICMP_ANY: Internet Control Message Protocol is a message control and error-reporting protocol...
INFO_REQUEST: ICMP information request messages.
INFO_ADDRESS: ICMP address mask request messages.
The Delete and Edit/View icons.
The name of the TCP or UDP custom service.
Protocol Type: Select the protocol type of the service you are adding: TCP or UDP. TCP and UDP options are the same.
Protocol/Port column values on this table page: 1494; 6000-6063.
Source Port
Destination Port: Specify the Destination Port number range for the service by entering the ...

ICMP custom service options
Figure 91: ICMP custom service options
Name
Protocol Type
Type
Code

IP custom service options
Figure 92: IP custom service options
Name
Protocol Type
Protocol Number: The IP protocol number for the service.
Page 212
Select the Edit icon beside the service you want to edit.
Modify the custom service as required.
Note: To change the custom service name you must delete the service and add it with a new name.
Select OK.
Service group list
To make it easier to add policies, you can create groups of services and then add one policy to allow or block access for all the services in the group. A service group can contain predefined services and custom services in any combination. You cannot add service groups to another service group.
One-time schedule list
You can create a one-time schedule that activates or deactivates a policy for a specified period of time. For example, your firewall might be configured with the default policy that allows access to all services on the Internet at all times. You can add a one-time schedule to block access to the Internet during a holiday period.
Start
Select Create New to add a recurring schedule.
The name of the recurring schedule.
The initials of the days of the week on which the schedule is active.
The start time of the recurring schedule.
Stop

Recurring schedule options
Figure 98: Recurring schedule options
Recurring schedule has the following options.
Name
Select
Start
Stop

Configuring recurring schedules
To add a recurring schedule
Go to Firewall > Schedule > Recurring.
Select Create New.
Enter a name for the schedule.
Select the days of the week that you want the schedule to be active.
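Evaluating the two schedule types against a clock, as an added Python example (written for this page, not Fortinet code): a one-time schedule is active between its start and stop date and time, a recurring schedule on the selected days of the week between its start and stop times. Assumptions: intervals are half-open [start, stop), a recurring schedule whose stop time is earlier than its start time runs past midnight into the next day, and the schedules and timestamps are constructed. The holiday example mirrors the one in the text above.

```python
# Added example (not Fortinet code): evaluating one-time and recurring schedules.
# Assumptions: intervals are half-open [start, stop); a recurring schedule whose stop
# time is earlier than its start time runs past midnight into the next day; the
# schedules and timestamps below are constructed.
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet

MON, TUE, WED, THU, FRI, SAT, SUN = range(7)   # datetime.weekday() numbering


@dataclass(frozen=True)
class OneTimeSchedule:
    name: str
    start: datetime
    stop: datetime

    def is_active(self, now: datetime) -> bool:
        return self.start <= now < self.stop


@dataclass(frozen=True)
class RecurringSchedule:
    name: str
    days: FrozenSet[int]
    start: time
    stop: time

    def is_active(self, now: datetime) -> bool:
        t = now.time()
        if self.start < self.stop:
            return now.weekday() in self.days and self.start <= t < self.stop
        # stop <= start: the window opens on a selected day and closes the following day.
        if now.weekday() in self.days and t >= self.start:
            return True
        previous_day = (now.weekday() - 1) % 7
        return previous_day in self.days and t < self.stop


def policy_applies(schedule, now: datetime) -> bool:
    """A policy is selected only while its schedule is active."""
    return schedule.is_active(now)


# Block Internet access over the holiday period (one-time), allow web browsing during
# business hours (recurring), and allow a Friday-night backup window that crosses midnight.
HOLIDAY_BLOCK = OneTimeSchedule("holiday", datetime(2004, 12, 24, 17, 0), datetime(2005, 1, 3, 8, 0))
BUSINESS_HOURS = RecurringSchedule("business", frozenset({MON, TUE, WED, THU, FRI}), time(8, 0), time(18, 0))
NIGHT_BACKUP = RecurringSchedule("backup", frozenset({FRI}), time(22, 0), time(6, 0))
```

The midnight case is the one to test when a schedule gates a DENY policy: a 22:00 to 06:00 window that is evaluated naively as "time between start and stop" is never active, and the block silently never happens.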
Similar to port forwarding, dynamic port forwarding is used to translate any address and a specific port number on a source network to a hidden address and, optionally, a different port number on a destination network.
• Virtual IP list
• Virtual IP options
• Configuring virtual IPs
Virtual IP list
Figure 99: Sample virtual IP list
The virtual IP list has the following icons and features.
Create New
Name
Service Port
Map to IP
Map to Port

Virtual IP options
Different options appear depending on the type of virtual IP you want to define. Choose from Static NAT or port forwarding.
Enter the port number to be added to packets when they are forwarded. (Port forwarding only.)
Select the protocol (TCP or UDP) that you want the forwarded packets to use. (Port forwarding only.)
Table 22 on page 221 contains example virtual IP external interface settings.
You can now add the virtual IP to firewall policies. Table 22: Virtual IP external interface examples (External Interface, Description): internal; external. To add port forwarding virtual IPs: Go to Firewall > Virtual IP. Select Create New. Enter a name for the port forwarding virtual IP. Select the virtual IP External Interface from the list.
IP pool. An IP pool list appears when the policy destination interface is the same as the IP pool interface. See “PPTP passthrough” on page 264 for more information.
You can add an IP pool if you want to add NAT mode policies that translate source addresses to addresses randomly selected from the IP pool rather than being limited to the IP address of the destination interface. If you add an IP pool to the internal interface, you can select Dynamic IP pool for policies with the internal interface as the destination.
IP pool and assigns it to each connection. In this case the number of connections that the firewall can support is limited by the number of IP addresses in the IP pool. Select the interface to which to add an IP pool. Enter a name for the IP pool.
IP pools and dynamic NAT. You can use IP pools for dynamic NAT. For example, your organization might have purchased a range of Internet addresses but you might have only one Internet connection on the external interface of your FortiGate unit. You can assign one of your organization’s Internet IP addresses to the external interface of the FortiGate unit.
You can add this protection profile to firewall policies for connections between highly trusted or highly secure networks where content does not need to be protected.
Enable or disable quarantining for each protocol. You can quarantine suspect files to view them or submit files to Fortinet for analysis.
Enabling this option prevents the unintentional download of virus files hidden in fragmented files. Note that some types of files, such as PDF, are fragmented to increase download speed, and enabling this option can cause download interruptions.
Configuring web category filtering options. Figure 108: Protection profile web category filtering options (FortiGuard). The following options are available for web category filtering through the protection profile: Enable category block (HTTP only); Block unrated websites (HTTP only); Provide details for blocked HTTP 4xx and 5xx errors (HTTP only); Allow websites when a rating...
Enable or disable checking traffic against configured Real-time Blackhole List and Open Relay Database List servers. Enable or disable the Fortinet spam filtering IP address blacklist, FortiShield (see page 339). Enable or disable looking up the source domain name (from the SMTP HELO command) in the Domain Name Server.
Note: Some popular email clients cannot filter messages based on the MIME header. Check your email client features before deciding how to tag spam. Configuring IPS options. Figure 110: Protection profile IPS options. The following options are available for IPS through the protection profile (see page 293): IPS Signature; IPS Anomaly...
Select Create New to add a policy or select Edit for the policy you want to modify. Select protection profile. Select a protection profile from the list. Configure the remaining policy settings, if required. Select OK. Repeat this procedure for any policies for which you want to enable network protection.
CLI configuration. Note: This guide only describes Command Line Interface (CLI) commands, keywords, or variables (in bold) that are not represented in the web-based manager. For complete descriptions and examples of how to use CLI commands see the FortiGate CLI Reference Guide.
If you want to remove an option from the list or add an option to the list, you must retype the list with the option removed or added. Default: No default. Availability: All models.
firewall profile command keywords and variables (continued). http {bannedword block catblock chunkedbypass content_log oversize quarantine scan scriptfilter urlblock urlexempt}: Select the actions that this profile will use for filtering HTTP traffic for a... smtp {bannedword block content_log fragmail oversize quarantine scan spamemailbwl spamhdrcheck spamhelodns spamipbwl spamraddrdns spamrbl splice}
This example shows how to display the configuration for the firewall profile command:
get firewall profile
show firewall profile
This example shows how to display the configuration for the spammail profile:
get firewall profile spammail
show firewall profile spammail
Users and authentication You can control access to network resources by defining lists of authorized users, called user groups. To use a particular resource, such as a network or a VPN tunnel, the user must belong to one of the user groups that is allowed access. The user then must correctly enter a user name and password to prove his or her identity.
Select Disable to prevent this user from authenticating. Select Password to require the user to authenticate using a password. Enter the password that this user must use to authenticate. The password should be at least six characters long.
LDAP; RADIUS. To add a user name and configure authentication: Go to User > Local. Select Create New to add a new user name or select the Edit icon to edit an existing configuration. Type the User Name. Select the authentication type for this user.
Select the Delete icon beside the RADIUS server name that you want to delete. Select OK. The Delete and Edit icons. Enter a name to identify the RADIUS server. Enter the RADIUS server secret.
LDAP. If you have configured LDAP support and a user is required to authenticate using an LDAP server, the FortiGate unit contacts the LDAP server for authentication. To authenticate with the FortiGate unit, the user enters a user name and password. The FortiGate unit sends this user name and password to the LDAP server.
For example, you could use the following base distinguished name:
ou=marketing,dc=fortinet,dc=com
where ou is organization unit and dc is domain component. You can also specify multiple instances of the same field in the distinguished name, for example, to specify multiple organization units:
ou=accounts,ou=marketing,dc=fortinet,dc=com
User group. To enable authentication, you must add user names, RADIUS servers, and LDAP servers to one or more user groups. You can then assign a firewall protection profile to the user group. You can configure authentication as follows: ...
The list of users, RADIUS servers, or LDAP servers that can be added to a user group. The list of users, RADIUS servers, or LDAP servers added to a user group. Select a protection profile for this user group.
CLI configuration. This guide only covers Command Line Interface (CLI) commands that are not represented in the web-based manager. For complete descriptions and examples of how to use CLI commands see the FortiGate CLI Reference Guide. peer: Use this command to add or edit the peer certificate information.
EU_branches
set member Sophia_branch Valencia_branch Cardiff_branch
get user peergrp
get user peergrp EU_branches
show user peergrp
show user peergrp EU_branches
Default: No default. Availability: All models.
FortiGate units support the following protocols to authenticate and encrypt traffic: ... This chapter contains information about the following VPN topics: ...
1, Dialup if this is a dialup Phase 1 configuration, and the domain name if this is a dynamic DNS phase 1. Main mode or Aggressive mode. The names of the encryption and authentication algorithms used by each phase 1 configuration. Edit, view, or delete phase 1 configurations.
Phase 1 basic settings. Figure 121: Phase 1 basic settings. Gateway Name: Type a name for the remote VPN peer. The remote peer can be either a gateway to another network or an individual client on the Internet. Remote Gateway: Select a Remote Gateway address type (IP Address or Dynamic DNS). Mode. Authentication Method.
The group must be added to the FortiGate configuration through the config user peer and config user peergrp CLI commands before it can be selected here. For more information, see the “config user” chapter of the CLI Reference Guide. See “Enabling VPN access for ...” on page 274.
Encryption. Authentication: The FortiGate unit supports the following authentication methods: ... DH Group. Keylife. Local ID. XAuth. Nat-traversal. Keepalive Frequency. Dead Peer Detection. Configuring XAuth. XAuth authenticates users in a separate exchange held between Phases 1 and 2. XAuth: Enable as Client: Username, Password...
Microsoft RADIUS). Use MIXED if the authentication server supports CHAP but the XAuth client does not. (Use MIXED with the Fortinet Remote VPN Client.) Select a group of users to be authenticated by XAuth. The individual users within the group can be authenticated locally or by one or more LDAP or RADIUS servers.
Status: The current status of the tunnel. Down: the tunnel is not processing traffic. Up: the tunnel is currently processing traffic. Unknown: status of Dialup tunnels. Timeout. Phase 2 basic settings. Figure 124: Phase 2 basic settings. Tunnel Name; Remote Gateway; Concentrator.
You can configure the FortiGate unit to send an alert email when it detects a replay packet. For more information, see “Alert E-mail options” on page 356. Perfect forward secrecy (PFS) improves security by forcing a new Diffie-Hellman exchange whenever keylife expires.
DH Group; Keylife; Autokey Keep Alive; DHCP-IPSec; Internet browsing; Quick Mode Identities. Manual key. Configure a manual key tunnel to create an IPSec VPN tunnel between the FortiGate unit and a remote VPN peer that uses a manual key. The FortiGate unit must be configured to use the same encryption and authentication algorithms used by the remote peer.
Enter the external IP address of the FortiGate unit or other IPSec gateway at the opposite end of the tunnel. Select an Encryption Algorithm from the list. Use the same algorithm at both ends of the tunnel.
Encryption Key: Enter the Encryption Key. Authentication Algorithm. Authentication. Concentrator. Configure IPSec VPN concentrators to create hub and spoke configurations. IPSec VPN concentrators are only available in NAT/Route mode. To configure a concentrator: Go to VPN > IPSEC > Concentrator and add a concentrator. Add the required Phase 2 configurations to the concentrator.
A concentrator can have more than one tunnel in its list of members. Provides a list of tunnels that are members of the concentrator. To remove a tunnel from the list, select the tunnel in the Members list and select the left arrow.
Ping generator options. Figure 130: Ping generator. Enable; Source IP 1; Destination IP 1; Source IP 2; Destination IP 2. To configure the ping generator: Go to VPN > IPSEC > Ping Generator. Select Enable. In the Source IP 1 box, type the private IP address from which traffic may originate locally.
The IP address range from which the dialup user can connect. This is usually the current IP address of the dialup user’s computer. Stop the current dialup tunnel. The dialup user may have to reconnect to establish a new VPN session.
Name. Remote gateway: The IP address and UDP port of the remote gateway. For dynamic DNS ... Timeout. Proxy ID Source. The IP address range that VPN users of this tunnel can connect to. Proxy ID Destination. Bring down tunnel icon. Bring up tunnel icon. PPTP...
The start of the IP range, for example 192.168.1.10. The end of the IP range, for example 192.168.1.20. Select the user group that contains the remote PPTP VPN clients. Select this option to disable PPTP support.
Configuring a Windows 2000 client for PPTP To configure a PPTP dialup connection Go to Start > Settings > Network and Dial-up Connections. Double-click Make New Connection to start the Network Connection Wizard and select Next. For Network Connection Type, select Connect to a private network through the Internet and select Next.
(Windows connection components: TCP/IP, QoS Packet Scheduler, File and Printer Sharing for Microsoft Networks, Client for Microsoft Networks.) Go to Firewall > Virtual IP. Select Create New. Enter a name for the virtual IP, for example PPTP_pass. Set the External Interface to external.
Select Port Forwarding. Set the External IP Address to 0.0.0.0. The 0.0.0.0 External IP Address matches any IP address. Alternatively, if PPTP users always connect to the same IP address, you can specify that IP address. Set the External Service Port to 1723. Set the Map to IP address to 192.168.23.1.
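The following is an added example, not code from the guide or from Fortinet: a small Python model of the virtual IP lookup described in this section, with a constructed table that places the PPTP_pass entry beside a static NAT entry and a port-remapping entry. The helper names, the documentation-range addresses other than 192.168.23.1, and the rule that an exact external address takes precedence over the 0.0.0.0 wildcard are assumptions of the model.

```python
"""Model of FortiGate-style virtual IP lookup (static NAT vs. port forwarding).

Added example for this section, not code from the FortiGate guide or from
Fortinet. The table below is constructed: PPTP_pass mirrors the entry the
procedure builds (external interface, 0.0.0.0 wildcard, TCP 1723,
map to 192.168.23.1); the other two entries use documentation addresses.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Tuple

ANY_EXTERNAL_IP = "0.0.0.0"  # guide: "The 0.0.0.0 External IP Address matches any IP address."


@dataclass(frozen=True)
class VirtualIP:
    name: str
    external_interface: str
    external_ip: str                      # 0.0.0.0 allowed for port forwarding only
    map_to_ip: str
    protocol: Optional[str] = None        # "TCP" or "UDP" (port forwarding only)
    external_port: Optional[int] = None   # set => port forwarding; None => static NAT
    map_to_port: Optional[int] = None     # None keeps the original destination port

    def __post_init__(self) -> None:
        ip_address(self.external_ip)      # raises ValueError on a malformed address
        ip_address(self.map_to_ip)
        if self.is_port_forwarding and self.protocol not in ("TCP", "UDP"):
            raise ValueError(f"{self.name}: port forwarding needs TCP or UDP")
        if not self.is_port_forwarding and self.external_ip == ANY_EXTERNAL_IP:
            raise ValueError(f"{self.name}: static NAT needs a specific external IP")

    @property
    def is_port_forwarding(self) -> bool:
        return self.external_port is not None


def matches(vip: VirtualIP, interface: str, dst_ip: str, proto: str, dst_port: int) -> bool:
    """Does a packet arriving on `interface` for dst_ip:dst_port hit this virtual IP?"""
    if vip.external_interface != interface:
        return False
    if vip.is_port_forwarding:
        ip_ok = vip.external_ip == ANY_EXTERNAL_IP or vip.external_ip == dst_ip
        return ip_ok and vip.protocol == proto and vip.external_port == dst_port
    # Static NAT maps the whole external address one-to-one, any protocol and port.
    return vip.external_ip == dst_ip


def translate(table: List[VirtualIP], interface: str, dst_ip: str,
              proto: str, dst_port: int) -> Optional[Tuple[str, int]]:
    """Return the translated (ip, port) for the packet, or None if no entry applies.

    Assumption (not stated in the guide): an entry with a specific external
    address takes precedence over a 0.0.0.0 wildcard that also matches.
    """
    hits = [v for v in table if matches(v, interface, dst_ip, proto, dst_port)]
    if not hits:
        return None
    hits.sort(key=lambda v: v.external_ip == ANY_EXTERNAL_IP)  # exact address sorts first
    best = hits[0]
    port = best.map_to_port if best.map_to_port is not None else dst_port
    return best.map_to_ip, port


def wildcard_entries(table: List[VirtualIP]) -> List[str]:
    """Names of entries that accept any external address. Review these and pin
    them to a specific address when users always connect to the same IP."""
    return [v.name for v in table if v.external_ip == ANY_EXTERNAL_IP]


# Constructed sample table (addresses other than the guide's 192.168.23.1 are made up).
TABLE = [
    VirtualIP("PPTP_pass", "external", ANY_EXTERNAL_IP, "192.168.23.1",
              protocol="TCP", external_port=1723),              # port 1723 is kept
    VirtualIP("Web_fwd", "external", "203.0.113.11", "192.168.23.30",
              protocol="TCP", external_port=8080, map_to_port=80),
    VirtualIP("Mail_static", "external", "203.0.113.10", "192.168.23.20"),
]

if __name__ == "__main__":
    print(translate(TABLE, "external", "203.0.113.11", "TCP", 1723))  # PPTP to 192.168.23.1
    print(translate(TABLE, "external", "203.0.113.11", "TCP", 8080))  # remapped to port 80
    print(translate(TABLE, "external", "203.0.113.10", "UDP", 53))    # static NAT keeps port
    print(wildcard_entries(TABLE))                                    # entries to review
```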
See “To add an address” on page 204 and “To add a firewall policy” on page 200. Configuring a Windows 2000 client for L2TP; Configuring a Windows XP client for L2TP; “Users and authentication”.
Figure 134: L2TP range. Enable L2TP; Starting IP; Ending IP; User Group; Disable L2TP. To enable L2TP on the FortiGate unit: Go to VPN > L2TP > L2TP Range. Select Enable L2TP. Complete the fields as required. Select Apply. Configuring a Windows 2000 client for L2TP. To configure an L2TP dialup connection: Go to Start >...
Select Create a connection to the network of your workplace and select Next. Select Virtual Private Network Connection and select Next. Name the connection and select Next. If the Public Network dialog box appears, choose the appropriate initial connection and select Next.
In the VPN Server Selection dialog, enter the IP address or host name of the FortiGate unit to connect to and select Next. Select Finish. To configure the VPN connection Right-click the icon that you have created. Select Properties > Security. Select Typical to configure typical settings.
FortiGate unit for decrypting messages sent by the remote peer. Conversely, the remote peer provides its public key to the FortiGate unit, which uses the key to encrypt messages destined for the remote peer.
Details are provided in the following sections: ... Viewing the certificate list. Initially, no certificates are installed. To view the certificate list: Go to VPN > Certificates > Local Certificates. Figure 135: Certificate list. Generate; Import; Name; Subject; Status. Generating a certificate request. To obtain a personal or site certificate, you must send the request to a CA that...
Follow the CA instructions to place a base-64 encoded PKCS#10 certificate request and upload the certificate request. Follow the CA instructions to download their root certificate, and then install the root certificate on the FortiGate unit. ... further identify the object being certified.
Figure 136: Generating a certificate signing request. Certificate Name: Type a certificate name. Subject Information; Optional Information; Key Type; Key Size. Installing a signed certificate. Your CA provides you with a digital certificate to install on the FortiGate unit. You must also obtain and install the CA’s root certificate on the FortiGate unit.
To enable access for a specific certificate holder or a group of certificate holders: Use this procedure to enhance access security if you are using digital certificates to authenticate peers. Go to VPN > IPSEC > Phase 1. See “Backing up and Restoring” on page 118.
Under Peer Options, select one of these options: ... If you want to define the DN of the FortiGate unit, select Advanced, and from the Local ID list, select the DN of the FortiGate unit. Select OK. CLI configuration. This guide only covers Command Line Interface (CLI) commands, keywords, or variables (in bold) that are not represented in the web-based manager.
Availability: All models. The dpd timing keywords (values in seconds) require dpd to be set to enable.
Example: Use the following command to edit an IPSec VPN phase 1 configuration with the following characteristics: ... ipsec phase2. In addition to the advanced IPSec Phase 2 settings, the config vpn ipsec phase2 CLI command provides a way to bind the VPN tunnel selected in a Phase 2 configuration to a specific network interface.
Type the name of the local FortiGate interface.
config vpn ipsec phase2
edit Tunnel_1
set bindtoif internal
See “Configuring IPSec virtual IP addresses” on page 290.
config vpn ipsec vip
edit <vip_integer>
set <keyword> <variable>
Availability: All models.
ipsec vip command keywords and variables: ip <address_ipv4>; out-interface <interface-name_str>. Example: The following commands add IPSec VIP entries for two remote hosts that can be accessed by a FortiGate unit through an IPSec VPN tunnel on the external interface of the FortiGate unit.
See “Phase 1” on page 248, “Phase 2” on page 252, and “Adding firewall policies for IPSec VPN tunnels” on page 282.
Dialup VPN Dialup VPN allows remote users with dynamic IP addresses to use VPN to connect to a private network. Dialup VPNs use AutoIKE and can be preshared key or certificate VPNs. To configure dialup VPN Add a phase 1 configuration to define the parameters used to authenticate the remote VPN peer.
To add a source address, see “To add an address” on page 204. See “Manual key” on page 255, “Adding firewall policies for IPSec VPN tunnels” on page 282, and “Policy” on page 194 for information about firewall policies.
Setting the destination address for encrypted traffic. The destination address determines which remote peers and clients will be allowed to access the specified source address. In general: ... To add a destination address, see ... Adding an IPSec firewall encryption policy. Use the following procedure to add an IPSec firewall encryption policy.
If required, add additional firewall policies to support internet browsing. Configure the remote VPN clients to deny split tunneling. See “Phase 1” on page 248, “Phase 2” on page 252, “System DHCP”, and “Adding firewall policies for IPSec VPN tunnels” on page 282.
IPSec VPN in Transparent mode. In Transparent mode, a FortiGate unit becomes transparent at the data link layer (OSI layer 2)—it looks like a network bridge. A FortiGate unit operating in Transparent mode requires the following basic configuration to operate as a node on the IP network: ...
The source address must be Internal_All. Use the following configuration for the encrypt policies: add the VPN tunnels, add a VPN concentrator, add a firewall policy. See “To add an address” on page 204.
Source; Destination; Action; VPN Tunnel; Allow inbound; Allow outbound: Select allow outbound. Inbound NAT; Outbound NAT: Select outbound NAT if required. Arrange the policies in the following order: ... Adding a VPN concentrator. The VPN concentrator collects the hub-and-spoke tunnels into a group. This allows VPN traffic to pass from one tunnel to the other through the FortiGate unit.
The remote VPN spoke address. Action: ENCRYPT. The VPN tunnel name added in step 1 (use the same tunnel for all encrypt policies). Do not enable. Select inbound NAT if required. See “To add a firewall policy” on page 200.
Source; Destination; Action; VPN Tunnel; Allow inbound; Allow outbound: Do not enable. Inbound NAT; Outbound NAT: Select outbound NAT if required. Arrange the policies in the following order: ... Note: The default non-encrypt policy is required to allow the VPN spoke to access other networks, such as the Internet.
The source and destination of both policies must be the same. Add a different AutoIKE key tunnel to each policy. See “To add a firewall policy” on page 200 and “To add an address” on page 204.
Consider the following example, which shows two physically separate networks. The IP addresses of the computers on both networks are in the 192.168.12.0/24 range, but no two IP addresses are the same. An IPSec VPN has been configured between FortiGate_1 and FortiGate_2. The FortiGate configuration permits Host_1 on the Finance network to transmit data to Host_2 on the HR network through the IPSec VPN tunnel.
Make sure you select the correct DH group on both ends. Enable PFS. Change the policy to internal-to-external. Re-enter the source and destination address. The encryption policy must be placed above other non-encryption policies.
IPS (attack) engines and definitions through the FortiProtect Distribution Network (FDN). The FortiProtect Center also provides the FortiProtect virus and attack encyclopedia and the FortiProtect Bulletin. Visit the FortiProtect Center at http://www.fortinet.com/FortiProtectCenter/. To set up automatic and push updates see ...
The FortiGate IPS matches network traffic against patterns contained in attack signatures. Attack signatures reliably protect your network from known attacks. Fortinet’s FortiProtect infrastructure ensures the rapid identification of new threats and the development of new attack signatures. You can configure the FortiGate unit to automatically check for and download an updated attack definition file containing the latest signatures, or you can manually download the updated attack definition file.
Pass: If logging is disabled and action is set to Pass, the signature is effectively disabled. Drop: The FortiGate unit drops the packet that triggered the signature. Fortinet recommends using an action other than Drop for TCP connection-based attacks.
Drop Session: The FortiGate unit drops the packet that triggered the signature, removes the session from the FortiGate session table, and does not send a reset. Pass Session: The FortiGate unit lets the packet that triggered the signature and all other packets in the session pass through the firewall.
Select the Enable box to enable the signature or clear the Enable box to disable the signature. Select the Logging box to enable logging for this signature or clear the Logging box to disable logging for this signature. Select the Action for the FortiGate unit to take when traffic matches this signature (see ...). Select OK.
(the default) no change is made to the codepoint in the IP header. Select the Enable custom signature box to enable the custom signature group or clear the Enable custom signature box to disable the custom signature group. Select Create New to create a new custom signature.
Clear all custom signatures; Reset to recommended settings?; Name; Revision; Enable; Logging; Action; Modify. Adding custom signatures. To add a custom signature: Go to IPS > Signature > Custom. Select Create New to add a new custom signature or select the Edit icon to edit an existing custom signature.
The logging status for each anomaly. A white check mark in a green circle indicates logging is enabled for the anomaly. A white X in a grey circle indicates logging is disabled for the anomaly. See “Anomaly CLI configuration”.
Pass: If logging is disabled and action is set to Pass, the anomaly is effectively disabled. Drop: The FortiGate unit drops the packet that triggered the anomaly. Fortinet recommends using an action other than Drop for TCP connection-based attacks.
FortiGate session table, and does not send a reset. Pass Session: The FortiGate unit lets the packet that triggered the anomaly and all other packets in the session pass through the firewall. Traffic over the specified threshold triggers the anomaly.
Anomaly CLI configuration. Note: This guide only covers Command Line Interface (CLI) commands that are not represented in the web-based manager. For complete descriptions and examples of how to use CLI commands see the FortiGate CLI Reference Guide. (config ips anomaly) config limit. Note: This command has more keywords than are listed in this Guide.
You can change the default fail open setting using the CLI:
config sys global
set ips-open [enable | disable]
Enable ips-open to cause the IPS to fail open and disable ips-open to cause the IPS to fail closed. See “Log & Report” on page 351.
Antivirus > Quarantine View and sort the list of quarantined files, configure file patterns to upload automatically to Fortinet for analysis, and configure quarantining options in AntiVirus. Antivirus > Config > Config Set the size thresholds for files and emails for each protocol in Antivirus.
IPS (attack) engines and definitions, as well as the local spam RBL, through the FortiProtect Distribution Network (FDN). The FortiProtect Center also provides the FortiProtect virus and attack encyclopedia and the FortiProtect Bulletin. Visit the FortiProtect Center at http://www.fortinet.com/FortiProtectCenter/. To set up automatic and push updates see ... This chapter describes: ...
This section describes: ... File block list. The file block list is preconfigured with a default list of file patterns: ... Figure 151: Default file block list. File block list has the following icons and features: Create New; Apply; Pattern...
You can also submit specific files and add file patterns to the AutoSubmit list so they will automatically be uploaded to Fortinet for analysis. This section describes: ...
EXP under the TTL heading. In the case of duplicate files, each duplicate found refreshes the TTL. Y indicates the file has been uploaded to Fortinet for analysis, N indicates the file has not been uploaded.
(* or ?). File patterns are applied for AutoSubmit regardless of file blocking settings. You can also upload files to Fortinet based on status (blocked or heuristics) or submit individual files directly from the quarantined files list. The FortiGate unit uses encrypted email to autosubmit files to an SMTP server through port 25.
Config. Go to Config to set quarantine configuration options including whether to quarantine blocked or infected files and from which service. You can also configure the time to live and file size values, and enable AutoSubmit settings. Figure 155: Quarantine configuration. Quarantine configuration has the following options: Options; Age limit...
1 to 25 MB. The range for each FortiGate unit is displayed in the web-based manager as shown in Figure 157. To find out how to use the Fortinet Update Center, see page 120. See also “Changing unit ...” on page 29. Virus list; Config; Grayware; Grayware options.
You can enable oversized file blocking in a firewall protection profile. To access protection profiles go to Firewall > Protection Profile, select Anti-Virus > Oversized File/Email and choose to pass or block oversized email and files for each protocol. Grayware. Grayware programs are unsolicited commercial software programs that get installed on computers, often without the user’s consent or knowledge.
Select enable to block download programs. Download components are usually run at Windows startup and are designed to install or download other software, especially advertising and dial software.
Heuristic. The FortiGate heuristic antivirus engine performs tests on files to detect virus-like behavior or known virus indicators. Heuristic scanning is performed last, after file blocking and virus scanning have found no matches. In this way, heuristic scanning may detect new viruses, but may also produce some false positive results. The heuristic engine is enabled by default to pass suspected files to the recipient and send a copy to quarantine.
Quarantine files found by heuristic scanning in traffic for the specified protocols {imap smtp pop3 http}. Availability: FortiGate models numbered 200 and higher.
service http. Use this command to configure how the FortiGate unit handles antivirus scanning of large files and what ports the FortiGate unit virus scans for HTTP traffic. Note: This command has more keywords than are listed in this Guide. See the FortiGate CLI Reference Guide for a complete list of commands and keywords.
You can use ports from the range 1-65535. You can add up to 20 ports.
config antivirus service ftp
set port 22
set port 23
get antivirus service ftp
show antivirus service ftp
Availability: All models.
service pop3. Use this command to configure how the FortiGate unit handles antivirus scanning of large files and what ports the FortiGate unit virus scans for POP3 traffic. Note: This command has more keywords than are listed in this Guide. See the FortiGate CLI Reference Guide for a complete list of commands and keywords.
You can use ports from the range 1-65535. You can add up to 20 ports.
config antivirus service imap
set port 10585
set port 10686
set port 10787
get antivirus service imap
show antivirus service imap
Availability: All models.
service smtp. Use this command to configure how the FortiGate unit handles antivirus scanning of large files in SMTP traffic and what ports the FortiGate unit scans for SMTP. Note: This command has more keywords than are listed in this Guide. See the FortiGate CLI Reference Guide for a complete list of commands and keywords.
Web filter provides configuration access to the Web filtering and Web category filtering options you enable when you create a firewall Protection Profile. To access protection profile web filter options go to Firewall > Protection Profile, select edit or Create New, and select Web Filtering or Web Category Filtering. See “Protection profile options”...
URL exempt; Category block; Script filter. Web Filter setting: Web Filter > Category Block > Configuration: Enable or disable FortiGuard and enable and set the size limit for the cache. See “Protection profile” on page 232.
Content block. Control web content by blocking specific words or word patterns. The FortiGate unit blocks web pages containing banned words and displays a replacement message instead. You can use Perl regular expressions or wildcards to add banned word patterns to the list.
See “Using Perl regular expressions” on page 348.
Select the character set for the banned word. Choose from: Chinese Simplified, Chinese Traditional, French, Japanese, Korean, Thai, or Western. Select Enable to activate the banned word in the list.
Note: URL blocking does not block access to other services that users can access with a web browser. For example, URL blocking does not block access to ftp://ftp.badsite.com. Instead, you can use firewall policies to deny FTP connections.
This section describes: •...
FortiGate web pattern blocking supports standard regular expressions. You can add up to 20 patterns to the web pattern block list. Note: Enable Web filtering > Web URL Block in your firewall Protection Profile to activate the web pattern block settings.
Figure 163: Sample web pattern block list
Web pattern block options
Web pattern block has the following icons and features: Create New, Pattern.
Configuring web pattern block
To add a pattern to the web pattern block list
Go to Web Filter > URL Block. Select Web Pattern Block.
Select this icon to scroll the URL exempt list down. Select this icon to delete the entire URL exempt list. The current list of exempt URLs. Select the check box to enable all the URLs in the list. The Delete and Edit/View icons.
FortiGuard managed web filtering service
FortiGuard is a managed web filtering solution provided by Fortinet. FortiGuard sorts hundreds of millions of web pages into a wide range of categories that users can allow, block, or monitor. The FortiGate unit accesses the nearest FortiGuard Service Point to determine the category of a requested web page and then follows the firewall policy configured for that user or interface.
FortiGuard licensing Every FortiGate unit comes with a free 30-day FortiGuard trial license. FortiGuard license management is done by Fortinet servers, so there is no need to enter a license number. The FortiGate unit will then automatically contact a FortiGuard Service Point when you enable FortiGuard category blocking.
To have a URL’s...
Apply
Configuring web category block
To enable FortiGuard web filtering
Go to Web Filter > Category Block. Select Enable Service. Select Check status to make sure the FortiGate unit can access the FortiGuard server. After a moment, the FortiGuard status should change from Unknown to Available.
The number of allowed web addresses accessed in the selected time frame. The number of blocked web addresses accessed in the selected time frame. The number of monitored web addresses accessed in the selected time frame.
Page 335
Use this command only if you need to change the host name.
Default: guard.fortinet.com. Availability: All models, service fortiguard only.
config webfilter catblock
    set ftgd_hostname guard.example.net
get webfilter catblock
show webfilter catblock
You can configure the following options for script filtering: Javascript, Cookies, ActiveX. Select Javascript to block all Javascript-based pages or applications. Select Cookies to block web sites from placing cookies on individual computers. Select ActiveX to block all ActiveX applications.
Real-time Blackhole List and Open Relay Database List servers.
IP address FortiShield check: Enable or disable Fortinet’s antispam IP address black list, FortiShield. This service works like an RBL server and is continuously updated to block spam sources. See “FortiShield IP address black list and spam...
Page 338
You can configure the language and whether to search the email body, subject, or both. You can configure the action to take as spam or clear for each word. See “Protection profile” on page 232.
Both FortiShield antispam processes are completely automated and configured by Fortinet. With constant monitoring and dynamic updates, FortiShield is always current. You can enable or disable FortiShield in a firewall protection profile. See spam filtering options” on page ...
This chapter describes: •...
Mark as Spam to apply the spam action configured in the protection profile, Mark as Clear to let the email pass to the next filter, or Mark as Reject (SMTP only) to drop the session. The Delete and Edit/View icons.
Select Create New.
Figure 171: Adding an IP address
Enter the IP address/mask you want to add. If required, select before or after another IP address in the list to place the new IP address in the correct position. Select the action to take on email from the IP address.
The action to take on email matched by the RBLs and ORDBLs. Actions are: Mark as Spam to apply the spam action configured in the protection profile, or Mark as Reject to drop the session. The Delete and Edit/View icons.
Email address
The FortiGate unit uses the email address list to filter incoming email. The FortiGate unit compares the email address or domain of the sender to the list in sequence. If a match is found, the corresponding protection profile action is taken. If no match is found, the email is passed on to the next spam filter.
You can use Perl regular expressions or wildcards to add MIME header patterns to the list. See “Using Perl regular expressions” on page 348. Note: MIME header entries are case sensitive.
X-mailer: outgluck
X-Distribution: bulk
Content_Type: text/html
Content_Type: image/jpg
MIME headers list
You can configure the FortiGate unit to filter email with specific MIME header key-value pairs. You can mark each MIME header as clear or spam.
Figure 176: Sample MIME headers list
MIME headers options
MIME headers list has the following icons and features: Create New...
Perl regular expressions. See “Using Perl regular expressions” on page 348.
Banned word list
Banned word options
Configuring the banned word list
Figure 178: Sample banned word list
Banned word options
Banned word has the following icons and features: Create New, Total, Pattern, Pattern Type, Language, Where, Action.
When you select Create New or Edit you can configure the following settings for the banned word.
Mark as Clear to allow the email (since Banned Word is the last filter). Select to enable scanning for the banned word.
In a Perl regular expression an unescaped period matches any single character, so fortinet.com not only matches fortinet.com but also matches fortinetacom, fortinetbcom, fortinetccom and so on. To match fortinet.com, the regular expression should be: fortinet\.com
forti*\.com matches fortiiii.com but does not match fortinet.com...
Page 349
Word boundary
In Perl regular expressions, the pattern does not have an implicit word boundary. For example, the regular expression “test” not only matches the word “test” but also matches any word that contains “test”, such as “atest”, “mytest”, “testimony”, “atestb”.
Page 350
‘/’ will be parsed as a list of regexp options ('i', 'x', etc). An error occurs if the second '/' is missing. In regular expressions, leading and trailing spaces are treated as part of the regular expression.
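As an added example (not from the guide or from Fortinet), the pattern rules described in this section checked with Python's re module, which shares the Perl syntax used here: the unescaped period, the absent implicit word boundary, leading and trailing spaces counting as part of the pattern, and the /body/options form with its missing-slash error. The /body/options parsing is my reading of the rule stated above, not FortiGate's own implementation.

```python
import re

# Constructed helper, not FortiGate code: it mirrors the banned-word pattern
# rules stated in the guide. A pattern written as /body/options has the text
# after the second '/' parsed as regexp options, and a missing second '/' is
# an error. Any other pattern is used verbatim, leading/trailing spaces included.
_OPTION_FLAGS = {"i": re.IGNORECASE, "x": re.VERBOSE}


def compile_banned_word(pattern: str) -> re.Pattern:
    """Compile a banned-word pattern, honouring the /body/options convention."""
    if pattern.startswith("/"):
        end = pattern.find("/", 1)
        if end == -1:
            raise ValueError("missing second '/' in pattern: %r" % pattern)
        body, options = pattern[1:end], pattern[end + 1:]
        flags = 0
        for opt in options:
            if opt not in _OPTION_FLAGS:
                raise ValueError("unknown regexp option %r" % opt)
            flags |= _OPTION_FLAGS[opt]
        return re.compile(body, flags)
    # No enclosing slashes: the whole string, spaces included, is the expression.
    return re.compile(pattern)


def matches(pattern: str, text: str) -> bool:
    """True if the pattern matches anywhere in text; there is no implicit word boundary."""
    return compile_banned_word(pattern).search(text) is not None


def is_malformed(pattern: str) -> bool:
    """True when the pattern breaks the /body/options rule (e.g. missing second '/')."""
    try:
        compile_banned_word(pattern)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Each entry pairs a pattern and a subject with the outcome the guide describes."""
    return {
        # An unescaped '.' matches any character, so fortinet.com also hits fortinetacom.
        "dot_unescaped": matches("fortinet.com", "fortinetacom"),      # True
        "dot_escaped": matches(r"fortinet\.com", "fortinetacom"),      # False
        # 'i*' means zero or more i's, not a wildcard for anything.
        "star_long": matches(r"forti*\.com", "fortiiii.com"),          # True
        "star_fortinet": matches(r"forti*\.com", "fortinet.com"),      # False
        # No implicit word boundary: "test" also matches inside "testimony".
        "no_boundary": matches("test", "testimony"),                    # True
        "explicit_boundary": matches(r"\btest\b", "atestb"),           # False
        # Leading and trailing spaces are part of the expression.
        "spaces_part_of_pattern": matches(" lottery ", "lottery"),     # False
        "spaces_inside_text": matches(" lottery ", "win lottery now"), # True
        # /body/options form: the 'i' option makes the match case-insensitive.
        "slash_options": matches("/lottery/i", "LOTTERY"),             # True
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
    print("malformed:", is_malformed("/unterminated"))   # True
```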
FortiGate-800 Administration Guide Version 2.80 MR6
Log & Report
FortiGate units provide extensive logging capabilities for traffic, system and network protection functions. You can set the severity level of the messages that are logged, and you can choose the types of events that are logged. All types of log messages, except traffic and content, can be saved in internal memory.
A FortiLog unit. The FortiLog unit is a log analyzer and manager that can combine the log information from various FortiGate units and other firewall units. To enable content archiving with a firewall Protection profile, you need to select the FortiLog option and define its IP address.
Page 353
Disk
Memory
Syslog
WebTrends
Figure 181: Log setting options for all log locations
To configure Log Setting
Go to Log&Report > Log Config > Log Setting. Select the check box to enable logging to a location. Select the blue arrow beside the location. The setting options appear.
Page 354
Select the log files to upload to the FTP server. You can upload the Traffic Log file, Event Log file, Antivirus Log file, Web Filter Log file, Attack Log file, Spam Filter Log file, and Content Archive file. Table 36, “Logging...
To configure log file uploading
Select the blue arrow to expand Log file upload settings. Select Upload When Rolling. Enter the IP address of the logging server. Enter the port number on the logging server. The default is 21 (FTP). Enter the Username and Password required on the logging server.
The interval to wait before sending an alert e-mail for error level log messages. The interval to wait before sending an alert e-mail for warning level log messages. The interval to wait before sending an alert e-mail for notification level log messages.
Information
Apply
Note: If more than one log message is collected before an interval is reached, the messages are combined and sent out as one alert email. You can select specific events to trigger alert email in Log Filter, described in filter options”...
You can apply the following filters: The FortiGate unit logs all traffic that is allowed according to the firewall policy settings. The FortiGate unit logs all traffic that violates the firewall policy settings. See “Enabling ... for more information.
Page 359
System Activity event
IPSec negotiation event
DHCP service event
L2TP/PPTP/PPPoE service event
Admin event
HA activity event
Firewall authentication event
Pattern update event
Anti-virus log
The Anti-virus Log records virus incidents in Web, FTP, and email traffic, such as when the FortiGate unit detects an infected file, blocks a file type, or blocks an oversized file or email.
The FortiGate unit logs all instances of blocked email in SMTP traffic. The FortiGate unit logs all instances of blocked email in POP3 traffic. The FortiGate unit logs all instances of blocked email in IMAP traffic.
Page 361
To enable traffic logging for a firewall policy
You can enable traffic logging for a firewall policy. All connections accepted by the firewall policy are recorded in the traffic log. Go to Firewall > Policy. Select the Edit icon for a policy. Select Log Traffic.
Clear log icon: Delete the log entries from the log file (but not the file).
Download icon: Download the log as a text or CSV file.
View icon: Display the log file through the web-based manager.
Select the log type you wish to access. Select Disk from the Type list. You can clear or delete, download, or view the log files by selecting the corresponding icon.
To download log files from the FortiGate disk
When downloading a log file, you can save the log in plain text or CSV format.
Page 364
Type a search word and select Go.
Column settings button: Select to choose columns for log display.
Select Raw to switch to an unformatted log message display. Select Formatted to switch to a log message display organized into columns.
Page 365
Choosing columns
You can customize your log messages display using the Column Settings window. The column settings apply only when the formatted (not raw) display is selected.
Figure 186: Column settings for viewing log messages
Available fields: The fields that you can add to the log message display.
Show these fields in this order...
The log message list shows only the logs that meet your log search criteria. See “Viewing log ...” on page 363.
The message must contain all of the keywords.
The message must contain at least one of the keywords.
The message must contain none of the keywords.
CLI configuration
This guide only covers Command Line Interface (CLI) commands and command keywords that are not represented in the web-based manager. For complete descriptions of working with CLI commands see the FortiGate CLI Reference Guide.
fortilog setting
Note: The command keywords for fortilog setting that are not represented in the web-based manager are localid and psksecret.
Enter enable to enable the FortiGate unit to produce the log in Comma Separated Value (CSV) format. If you do not enable CSV format, the FortiGate unit produces plain text files. Default: disable. Availability: All models.
Page 370
If the show command returns you to the prompt, the settings are at default.
config log syslogd setting
    set status enable
    set server 220.210.200.190
    set port 601
    set facility user
get log syslogd setting
show log syslogd setting
FortiGuard categories
FortiGuard is a web filtering solution provided by Fortinet. FortiGuard sorts thousands of Web pages into a wide variety of categories that users can allow, block, or monitor. The FortiGate unit accesses the nearest FortiGuard server to determine the category of a requested Web page and then follows the policy configured for that user or interface.
Page 372
Sites with content that is gratuitously offensive or shocking, but not violent or frightening. Includes sites devoted in part or whole to scatology and similar topics or to improper language, humor, or behavior.
Page 373
Table 38: FortiGuard categories
Category name
16. Weapons
Potentially Non-productive
17. Advertisement
18. Brokerage and Trading
19. Freeware and Software Download
20. Games
21. Internet Communication
22. Pay to Surf
23. Web-based Email
Potentially Bandwidth Consuming
24. File Sharing and Storage
25. ...
Page 374
Political Organizations -- Sites sponsored by or providing information about political parties and interest groups focused on elections or legislation.
Page 375
Table 38: FortiGuard categories
Category name
39. Reference Materials -- Sites that offer reference-shelf content such as atlases, dictionaries, encyclopedias, formularies,...
40. Religion
41. Search Engines and Portals
42. Shopping and Auction
43. Social Organizations
44. Society and Lifestyles
45. Special Events
46. Sports
47. Travel
48. Vehicles
Page 376
IP addresses.
Private IP Addresses -- IP addresses defined in RFC 1918, “Address Allocation for Private Internets”.
Web Hosting -- Sites of organizations that provide hosting services, or top-level domain pages of Web communities.
FortiGate maximum values
The following table contains the maximum number of table, field, and list entries for FortiGate features.
Feature: system vdom (NAT/Route), system vdom (Transparent), system zone**, system interface, system interface secondaryip, system interface ip6 prefix list, system ipv6_tunnel, system accprofile, system admin, system snmp...
Glossary
Connection: A link between machines, applications, processes, and so on that can be logical, physical, or both.
DMZ, Demilitarized Zone: Used to host Internet services without allowing unauthorized access to an internal (private) network. Typically, the DMZ contains servers accessible to Internet traffic, such as Web (HTTP) servers, FTP servers, SMTP (email) servers and DNS servers.
Page 382
SNMP works by sending messages to different parts of a network. SNMP-compliant devices, called agents, store data about themselves in Management Information Bases (MIBs) and return this data to the SNMP requesters.
Page 383
SSH, Secure shell: A secure Telnet replacement that you can use to log into another computer over a network and run commands. SSH provides strong secure authentication and secure communications over insecure channels.
Subnet: A portion of a network that shares a common address component.
Index abr-type 169 access-list 180 active sessions HA monitor 97 address 202 virtual IP 218 administrator account netmask 112, 113 trusted host 113 advertise 176, 190 alert email enabling 357 options 356 anomaly 300 list 300 antivirus 305 antivirus updates 123 through a proxy server 124 area 183 attack updates...
Page 386
33 upgrading using the CLI 34, 36 upgrading using the web-based manager 33, 35 Fortilog logging settings 353 fortilog setting 367 Fortinet customer service 23 FortiProtect Distribution Network 120 FortiProtect Distribution Server 120 from IP system status 32...
Page 387
HA monitor 96 GRE protocol 264 group ID HA 87 grouping services 213 groups user 243 guaranteed bandwidth 199, 200 HA 84, 86 add a new unit to a functioning cluster 94 cluster ID 96 cluster members 86 configuration 86 configure a FortiGate unit for HA operation 91 configure weighted-round-robin weights 95 connect a FortiGate HA cluster 93...
Page 388
81 one-time schedule creating 215, 217 Optional Information 273 options changing system options 82 OSPF 168 out-interface 279 override master HA 88 P2 Proposal 254 passive-interface 170 passthrough PPTP 264 Password 251
Page 390
33 upgrading firmware using the CLI 34, 36 firmware using the web-based manager 33, 35 Uploading a local certificate 273 URL block 326 URL exempt 329 URL options 327 User Group 252 user groups configuring 243