Fortinet FortiGate FortiGate-800 Installation And Configuration Manual

Fortinet network device installation and configuration guide

FortiGate-800 Installation and Configuration Guide

[Cover illustration: FortiGate-800 front panel, showing the INTERNAL, EXTERNAL, DMZ and HA ports, user-defined ports 1 to 4, the CONSOLE and USB connectors, the Esc and Enter keypad buttons and the PWR LED.]

FortiGate User Manual Volume 1
Version 2.50
January 15 2004


Summary of Contents for Fortinet FortiGate FortiGate-800

  • Page 1: Configuration Guide

    FortiGate-800 Installation and Configuration Guide. [Cover illustration: FortiGate-800 front panel with the INTERNAL, EXTERNAL and DMZ ports, CONSOLE connector, Enter button and PWR LED.] FortiGate User Manual Volume 1, Version 2.50, January 15 2004...
  • Page 2 CAUTION: RISK OF EXPLOSION IF BATTERY IS REPLACED BY AN INCORRECT TYPE. DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS. For technical support, please visit http://www.fortinet.com. Send information about errors or omissions in this document or any Fortinet technical documentation to techdoc@fortinet.com.
  • Page 3: Table Of Contents

    Command line interface ... 21 Logging and reporting ... 21 Document conventions ... 22 Fortinet documentation ... 22 Comments on Fortinet technical documentation... 23 Customer service and technical support... 23 Getting started ... 25 Package contents ... 26 Mounting ... 26 Powering on ...
  • Page 4 Completing the configuration ... 62 Setting the date and time ... 62 Enabling antivirus protection... 62 Registering your FortiGate unit ... 63 Configuring virus and attack definition updates ... 63 Connecting the FortiGate unit to your networks... 63 Fortinet Inc.
  • Page 5 Transparent mode configuration examples... 64 Default routes and static routes ... 65 Example default route to an external network... 65 Example static route to an external destination ... 67 Example static route to an internal destination ... 69 High availability... 73 Configuring an HA cluster ...
  • Page 6 FortiCare Service Contracts... 129 Registering the FortiGate unit ... 130 Updating registration information ... 131 Recovering a lost Fortinet support password... 132 Viewing the list of registered FortiGate units ... 132 Registering a new FortiGate unit ... 133 Adding or changing a FortiCare Support Contract number... 133 Changing your Fortinet support password ...
  • Page 7 Network configuration... 137 Configuring zones ... 137 Adding zones ... 138 Deleting zones ... 138 Configuring interfaces ... 138 Viewing the interface list ... 139 Changing the administrative status of an interface ... 139 Adding an interface to a zone ... 139 Configuring an interface with a manual IP address ...
  • Page 8 Configuring the FortiGate unit for SNMP monitoring ... 174 Configuring FortiGate SNMP support ... 174 FortiGate MIBs... 176 FortiGate traps ... 177 Fortinet MIB fields ... 179 Replacement messages ... 181 Customizing replacement messages ... 182 Customizing alert emails... 183 Firewall configuration...
  • Page 9 Services ... 200 Predefined services ... 200 Adding custom TCP and UDP services ... 203 Adding custom ICMP services ... 204 Adding custom IP services... 204 Grouping services ... 204 Schedules ... 205 Creating one-time schedules ... 206 Creating recurring schedules ... 207 Adding schedules to policies...
  • Page 10 Configuring a Windows XP client for PPTP ... 261 Configuring L2TP ... 263 Configuring the FortiGate unit as an L2TP gateway ... 263 Configuring a Windows 2000 client for L2TP... 265 Configuring a Windows XP client for L2TP ... 267
  • Page 11 Network Intrusion Detection System (NIDS) ... 269 Detecting attacks ... 269 Selecting the interfaces to monitor... 270 Disabling monitoring interfaces... 270 Configuring checksum verification ... 270 Viewing the signature list ... 271 Viewing attack descriptions... 271 Disabling NIDS attack signatures ... 272 Adding user-defined signatures ...
  • Page 12 Recording logs on the FortiGate hard disk ... 311 Recording logs in system memory... 312 Log message levels ... 312 Filtering log messages ... 313 Configuring traffic logging ... 314 Enabling traffic logging... 315 Configuring traffic filter settings... 316 Adding traffic filter entries ... 316
  • Page 13 Viewing logs saved to memory ... 317 Viewing logs... 317 Searching logs ... 318 Viewing and managing logs saved to the hard disk... 318 Viewing logs... 319 Searching logs ... 319 Downloading a log file to the management computer... 320 Deleting all messages from an active log ...
  • Page 14 Contents
  • Page 15: Introduction

    The FortiGate Antivirus Firewall uses Fortinet’s Accelerated Behavior and Content Analysis System (ABACAS™) technology, which leverages breakthroughs in chip design, networking, security, and content analysis. The unique ASIC-based architecture analyzes content and behavior in real-time, enabling key applications to be deployed right at the network edge, where they are most effective at protecting your networks.
  • Page 16: Antivirus Protection

    PKZip format, detect viruses in email that has been encoded using uuencode format, detect viruses in email that has been encoded using MIME encoding, log all actions taken while scanning.
  • Page 17: Email Filtering

    Email filtering: FortiGate email filtering can scan all IMAP and POP3 email content for unwanted senders or unwanted content. If the sender address matches a pattern on the email block list, or the email contains a word or phrase in the banned word list, the FortiGate adds an email tag to the subject line of the email.
  • Page 18: NAT/Route Mode

    To notify system administrators of the attack, the NIDS records the attack and any suspicious traffic to the attack log, and can be configured to send alert emails. Fortinet updates NIDS attack definitions periodically. You can download and install updated attack definitions manually or you can configure the FortiGate unit to automatically check for and download attack definition updates.
  • Page 19: VPN

    High availability: High Availability (HA) provides failover between two or more FortiGate units. Fortinet achieves HA by using redundant hardware: matching FortiGate models running in NAT/Route mode. You can configure the FortiGate units for either active-passive (A-P) or active-active (A-A) HA.
  • Page 20: Secure Installation, Configuration, And Management

    Once you are satisfied with a configuration, you can download and save it. The saved configuration can be restored at any time. Figure 1: The FortiGate web-based manager and setup wizard.
  • Page 21: Command Line Interface

    Command line interface: You can access the FortiGate command line interface (CLI) by connecting a management computer serial port to the FortiGate RS-232 serial console connector. You can also use Telnet or a secure SSH connection to connect to the CLI from any network that is connected to the FortiGate unit, including the Internet.
  • Page 22: Document Conventions

    Contains in-depth information about FortiGate IPSec VPN using certificates, pre-shared keys and manual keys for encryption. Also contains basic configuration information for the Fortinet Remote VPN Client, detailed configuration information for FortiGate PPTP and L2TP VPN, and VPN configuration examples.
  • Page 23: Comments On Fortinet Technical Documentation

    The FortiGate online help also contains procedures for using the FortiGate web-based manager to configure and manage the FortiGate unit. Comments on Fortinet technical documentation You can send information about errors or omissions in this document, or any Fortinet technical documentation, to techdoc@fortinet.com. Customer service and technical support...
  • Page 24 Customer service and technical support
  • Page 25: Getting Started

    FortiGate-800 Installation and Configuration Guide Version 2.50. Getting started: This chapter describes unpacking, setting up, and powering on a FortiGate Antivirus Firewall unit. When you have completed the procedures in this chapter, you can proceed to one of the following:...
  • Page 26: Package Contents

    [Figure: package contents, showing the FortiGate-800 unit (INTERNAL, EXTERNAL and DMZ ports, CONSOLE connector, Enter button, PWR LED) and the QuickStart Guide.] Copyright 2003 Fortinet Incorporated. All rights reserved. Trademarks: Products mentioned in this document are trademarks. Documentation.
  • Page 27: Power Requirements

    Power requirements. Environmental specifications. Powering on: To power on the FortiGate-800 unit, make sure that the power switch on the back is turned off. Connect the power cable to the power connection on the back of the FortiGate unit. Connect the power cable to a power outlet.
  • Page 28: Connecting To The Web-Based Manager

    The Register Now window is displayed. Use the information in this window to register your FortiGate unit so that Fortinet can contact you for firmware updates. You must also register to receive updates to the FortiGate virus and attack definitions.
  • Page 29: Connecting To The Command Line Interface (CLI)

    Connecting to the command line interface (CLI): As an alternative to the web-based manager, you can install and configure the FortiGate unit using the CLI. Configuration changes made with the CLI are effective immediately without resetting the firewall or interrupting service. To connect to the FortiGate CLI, you need:...
  • Page 30: Factory Default FortiGate Configuration Settings

    Sections: Factory default Transparent mode network configuration; Factory default firewall configuration; Factory default content profiles. Table 2: Factory default NAT/Route mode network configuration: Administrator account: User name: admin, Password: (none). Internal interface: IP 192.168.1.99, Netmask 255.255.255.0, Management Access: HTTPS, Ping. This configuration allows you to [text truncated] HTTPS management.
  • Page 31: Factory Default Transparent Mode Network Configuration

    Table 2: Factory default NAT/Route mode network configuration (Continued): External interface, DMZ interface, HA interface, Interface 1, Interface 2, Interface 3, Interface 4. Factory default Transparent mode network configuration: If you switch the FortiGate unit to Transparent mode, it has the default network configuration listed in Table 3: Factory default Transparent mode network configuration. Administrator...
  • Page 32: Factory Default Firewall Configuration

    You can select this option to control the maximum or minimum amount of bandwidth available to traffic processed by the policy. [Table residue, per-interface management access entries in order: HTTPS, Ping; Ping; HTTPS, Ping; Ping; Ping; Ping; Ping.]
  • Page 33: Factory Default Content Profiles

    Table 4: Factory default firewall configuration (Continued). Factory default content profiles: You can use content profiles to apply different protection settings for content traffic that is controlled by firewall policies. You can use content profiles for:...
  • Page 34 [Table residue, content profile options: Web Exempt List, Email Block List, Email Exempt List, Email Content Block, Oversized File/Email Block, Pass Fragmented Emails; protocol columns HTTP, IMAP, POP3, SMTP; one profile shows block for HTTP, IMAP, POP3 and SMTP, the other shows pass for HTTP, IMAP, POP3 and SMTP.]
  • Page 35 Web content profile: Use the web content profile to apply antivirus scanning and web content blocking to HTTP content traffic. You can add this content profile to firewall policies that control HTTP traffic. Table 7: Web content profile. Options: Antivirus Scan, File Block...
  • Page 36: Planning The FortiGate Configuration

    [Figure: example NAT/Route mode network; FortiGate-800 front panel; addresses 10.10.10.1 and 192.168.1.3; DMZ network 10.10.10.2.] NAT mode policies controlling traffic between internal and external networks. Route mode policies controlling traffic between internal networks.
  • Page 37: NAT/Route Mode With Multiple External Network Connections

    NAT/Route mode with multiple external network connections: In NAT/Route mode, you can configure the FortiGate unit with multiple redundant connections to the external network (usually the Internet). For example, you could create the following configuration:...
  • Page 38: Configuration Options

    [Figure: example Transparent mode network; FortiGate-800 front panel; Internal Management IP 10.10.10.1; internal network 10.10.10.3.] Transparent mode policies controlling traffic between internal and external networks.
  • Page 39: FortiGate Model Maximum Values Matrix

    Front keypad and LCD: If you are configuring the FortiGate unit to operate in NAT/Route mode, you can use the control buttons and LCD to add the IP address of the FortiGate interfaces as well as the external default gateway. If you are configuring the FortiGate unit to operate in Transparent mode, you can use the control buttons and LCD to switch to Transparent mode.
  • Page 40: Next Steps

    Web filter and email filter lists: Limit varies depending on available system memory. Fortinet recommends limiting the total size of web and email filter lists to 4 Mbytes or less. If you want to use larger web filter lists, consider using Cerberian web filtering.
  • Page 41: NAT/Route Mode Installation

    FortiGate-800 Installation and Configuration Guide Version 2.50. NAT/Route mode installation: This chapter describes how to install the FortiGate unit in NAT/Route mode. For information about installing a FortiGate unit in Transparent mode, see “Transparent mode installation” on page 59. For information about installing FortiGate units in HA mode, see “High availability” on page 73. For information about ... installing the FortiGate unit in NAT/Route mode, see “... configuration”...
  • Page 42: Advanced Nat/Route Mode Settings

    The FortiGate unit includes a DHCP server that you can configure to automatically set the addresses of the computers on your internal network. [Table 10 worksheet: blank IP address and netmask fields (_____._____._____._____) for recording your settings.]
  • Page 43: Dmz And User-Defined Interfaces

    DMZ and user-defined interfaces: ... user-defined interfaces if you are configuring them during installation. The HA interface is configured during HA installation. Table 12: DMZ and user-defined interfaces (Optional): DMZ IP: ... Using the setup wizard: From the web-based manager, you can use the setup wizard to do the initial configuration of the FortiGate unit.
  • Page 44: Using The Front Control Buttons And Lcd

    [Page fragments: 192.168.1.1 255.255.255.0; Table 12 on page 43; “Completing the configuration” on page ...; Table 10 on page 42; “to complete the following procedure”; “Enter:”.]
  • Page 45 Set the IP address and netmask of the external interface to the external IP address and netmask that you recorded in ...: set system interface external mode static ip <IP_address> <netmask>. Example: set system interface external mode static ip 204.23.1.5 255.255.255.0. To set the external interface to use DHCP, enter: set system interface external mode dhcp connection enable...
  • Page 46: Connecting The FortiGate Unit To Your Networks

    HA for connecting to another FortiGate-800 for high availability (see “High availability” on page 73), user-defined interfaces 1 to 4 for connecting up to four additional networks to your FortiGate unit. See also “Configuration example: Multiple connections to ...”.
  • Page 47 Figure 7: FortiGate-800 NAT/Route mode connections [figure labels: Hub or Switch; FortiGate-800]. To connect to FortiGate-800 user-defined interfaces: Connect the user-defined interface to the hub or switch connected to the intended network. Repeat for all user-defined interfaces that you have configured. The example in ... interface 1 and an external network connected to user-defined interface 4.
  • Page 48: Configuring Your Networks

    [Figure: FortiGate-800 front panel with user-defined Interface 1 and Interface 4; Public Switch or Router; Internet.]
  • Page 49: Completing The Configuration

    Completing the configuration: Use the information in this section to complete the configuration of the FortiGate unit. Configuring the DMZ interface: Use the following procedure to configure the DMZ interface: Log into the web-based manager. Go to System > Network > Interface. Choose the dmz interface and select Modify. Change the IP address and Netmask as required.
  • Page 50: Registering Your FortiGate Unit

    After purchasing and installing a new FortiGate unit, you can register the unit by going to the System Update Support page, or using a web browser to connect to http://support.fortinet.com and selecting Product Registration. To register, enter your contact information and the serial numbers of the FortiGate units that you or your organization have purchased.
  • Page 51: Configuring Ping Servers

    Figure 9: Example multiple Internet connection configuration [figure label: External Network #1]. Configuring ping servers: Use the following procedure to make gateway 1 the ping server for the external interface and gateway 2 the ping server for the DMZ interface. Go to System >...
  • Page 52: Using The CLI

    Load sharing and primary and secondary connections: Destination IP: 0.0.0.0, Mask: 0.0.0.0, Gateway #1: 1.1.1.1, Gateway #2: 2.2.2.1, Device #1: external, Device #2: dmz. Select OK. [Route table residue: destination 0.0.0.0; Gateway #1 1.1.1.1; Device #1 external; Gateway #2 2.2.2.1; Device #2.]
  • Page 53: Load Sharing

    Load sharing: You can also configure destination routing to direct traffic through both gateways at the same time. If users on the internal network connect to the networks of ISP1 and ISP2, you can add routes for each of these destinations. Each route can include a backup destination to the network of the other ISP.
  • Page 54 Type a number in the Move to field to move this route to the bottom of the list. If there are only 3 routes, type 3. Select OK. [Route table residue: masks 255.255.255.0, 255.255.255.0 and 0.0.0.0; Gateway #1 entries 1.1.1.1, 2.2.2.1, 1.1.1.1; Device #1 external; Gateway #2 entries 2.2.2.1, 1.1.1.1, 2.2.2.1; Device #2 external.]
  • Page 55: Policy Routing Examples

    Policy routing examples: Adding policy routing increases your control over how packets are routed. Policy routing works on top of destination-based routing. To increase the control provided by destination-based routing, configure destination-based routing first and then build policy routing on top.
  • Page 56: Firewall Policy Example

    FortiGate unit connected to the Internet using its internal ... (see “Default firewall configuration” on page 186). Policy values: Internal_All, DMZ_All, Always, Accept. Select NAT.
  • Page 57 Restricting access to a single Internet connection: In some cases you might want to limit some traffic to being able to use only one Internet connection. For example, in the topology shown in the figure, an organization might want its mail server to be able to connect to only the SMTP mail server of ISP1.
  • Page 58 Configuration example: Multiple connections to the Internet
  • Page 59: Transparent Mode Installation

    FortiGate-800 Installation and Configuration Guide Version 2.50. Transparent mode installation: This chapter describes how to install your FortiGate unit in Transparent mode. If you want to install the FortiGate unit in NAT/Route mode, see “NAT/Route mode installation” on page 41. This chapter describes:...
  • Page 60: Using The Setup Wizard

    [Page fragments: ... IP default gateway field; “Connecting to the web-based manager” on page ...; use Table 16 on page 59 to fill in the wizard fields.]
  • Page 61: Using The Front Control Buttons And Lcd

    Using the front control buttons and LCD: This procedure describes how to use the control buttons and LCD to configure Transparent mode IP addresses. Use the information that you recorded in Table 16 on page 59. To use the front control buttons and LCD: Press Enter three times to configure the management interface IP address.
  • Page 62: Configuring The Transparent Mode Management IP Address

    Select Anti-Virus & Web filter to enable antivirus protection for this policy. Select the Scan Content Profile. Select OK to save the changes. [Page fragments: Table 16 on page 59; “Enter:”; “169.”; “to edit this policy”; “Setting system ...”.]
  • Page 63: Registering Your FortiGate Unit

    After purchasing and installing a new FortiGate unit, you can register the unit by going to the System Update Support page, or using a web browser to connect to http://support.fortinet.com and selecting Product Registration. To register, enter your contact information and the serial numbers of the FortiGate units that you or your organization have purchased.
  • Page 64: Transparent Mode Configuration Examples

    [Figure: Transparent mode example; FortiGate-800 front panel; External router and Internet; the management computer; the FortiResponse Distribution Network (FDN); a DNS server; Other Network on Interface 4.]
  • Page 65: Default Routes And Static Routes

    This section describes: ... Default routes and static routes: To create a route to a destination, you need to define an IP prefix which consists of an IP network address and a corresponding netmask value. A default route matches any prefix and forwards traffic to the next hop router (otherwise known as the default gateway).
  • Page 66: General Configuration Steps

    [Figure: Management IP 192.168.1.1; FortiGate-800 front panel; Internal Network; Management Computer; Router; FortiResponse Distribution Network (FDN).]
  • Page 67: Example Static Route To An External Destination

    CLI configuration steps: To configure the Fortinet basic settings and a default route using the CLI: Change the system to operate in Transparent Mode. Add the Management IP address and Netmask. Add the default route to the external network.
  • Page 68 [Figure: FortiGate-800 front panel; Internal Network; Management Computer; 24.102.233.5; FortiResponse Distribution Network (FDN).] Select Change to Transparent Mode. Select Transparent in the Operation Mode list. Select OK. The FortiGate unit changes to Transparent mode.
  • Page 69: Example Static Route To An Internal Destination

    CLI configuration steps: To configure the Fortinet basic settings and a static route using the CLI: Set the system to operate in Transparent Mode. Add the Management IP address and Netmask. Add the static route to the primary FortiResponse server.
  • Page 70 [Figure: FortiGate-800 front panel; Internal Network A; Gateway IP 192.168.1.3; Internal Router; Internal Network B; Management Computer 172.16.1.11; FortiResponse Distribution Network (FDN).]
  • Page 71 Web-based manager example configuration steps: To configure the FortiGate basic settings, a static route, and a default route using the web-based manager: Go to System > Status. ... Go to System > Network > Management. ...
  • Page 72 Transparent mode configuration examples
  • Page 73: High Availability

    FortiGate-800 Installation and Configuration Guide Version 2.50 High availability Fortinet achieves high availability (HA) using redundant hardware and the FortiGate Clustering Protocol (FGCP). Each FortiGate unit in an HA cluster uses the same overall security policy and shares the same configuration settings. You can add up to 32 FortiGate units to an HA cluster.
  • Page 74: Configuring An HA Cluster

    Sections: Advanced HA options; Active-Active cluster packet flow; Configuring FortiGate units for HA operation; Connecting the cluster; Adding a new FortiGate unit to a functioning cluster. See “Changing the FortiGate host name” on page 94. Use host names to identify...
  • Page 75 Select the HA mode. Select Active-Active mode to create an Active-Active HA cluster. Select Active-Passive mode to create an Active-Passive HA cluster. The HA mode must be the same for all FortiGate units in the HA cluster. Enter and confirm a password for the HA cluster. The password must be the same for all FortiGate units in the HA cluster.
  • Page 76: Connecting The Cluster

    Then you must connect these interfaces to their networks using the same hub or switch. Fortinet recommends using switches for all cluster connections for the best performance. The FortiGate units in the cluster use dedicated HA Ethernet interfaces to communicate HA status information to make sure the cluster is functioning properly.
  • Page 77 Inserting an HA cluster into your network temporarily interrupts communications on the network because new physical connections are being made to route traffic through the cluster. Also, starting the cluster interrupts network traffic until the individual FortiGate units in the cluster are functioning and the cluster completes negotiation. Cluster negotiation normally takes just a few seconds.
  • Page 78: Adding A New Fortigate Unit To A Functioning Cluster

    [Page fragments: “Configuring FortiGate units for HA operation” on page ...; “Changing to Transparent mode” on page ...; “Connecting the cluster” on page ...; “NAT/Route mode installation” on page 41; “to configure the cluster interfaces”; “to log into and manage”; “109.”]
  • Page 79: Configuring Cluster Interface Monitoring

    You can also use SNMP to manage the cluster by configuring a cluster interface for SNMP administrative access. Using an SNMP manager you can get cluster configuration information and receive traps. Note: You cannot connect to the HA interfaces to manage the cluster or to manage individual FortiGate units in the cluster.
  • Page 80: Viewing The Status Of Cluster Members

    The display includes bar graphs of current CPU and memory usage as well as line graphs of CPU and memory usage for the past minute. For more information, see “Viewing CPU and memory status” on page 111.
  • Page 81 Select Sessions & Network. The cluster displays sessions and network status for each cluster member. The primary unit is identified as Local and the other units in the cluster are listed by serial number. The display includes bar graphs of the current number of sessions and current network utilization as well as line graphs of session and network utilization usage for the last minute.
  • Page 82: Viewing Cluster Sessions

    “Viewing logs saved to memory” on page 317; “Viewing and managing logs saved to the hard disk” on page 318; “Downloading a log file to the management computer” on page 320; “Deleting all messages from an active log” on page 320; “Deleting a saved log file” on page 320.
  • Page 83: Monitoring Cluster Units For Failover

    Monitoring cluster units for failover: If the primary unit in the cluster fails, the units in the cluster renegotiate to select a new primary unit. Failure of the primary unit results in the following: ... If a subordinate unit fails, the cluster continues to function normally.
  • Page 84: Changing Cluster Unit Host Names

    Enter the following command to change the host name of the cluster member: set system hostname <hostname_str>. Repeat steps ... for each cluster member. [Page fragments: “Managing individual cluster units” on page 83; “to log into each”; “Selecting a FortiGate unit as a ...”; “to control which FortiGate unit becomes the”.]
  • Page 85: Synchronizing The Cluster Configuration

    Synchronizing the cluster configuration: Cluster synchronization keeps all units in the cluster synchronized with the master unit. This includes: ... Synchronization with all cluster members occurs in real time as the administrator changes or adds configuration settings to the primary unit.
  • Page 86: Upgrading Firmware

    For information about updating antivirus and attack definitions, see “Manually initiating antivirus and attack definitions updates” on page 119. [Page fragments: “for all the subordinate units in the HA cluster”; “for each cluster unit”; “Changing the ...”.]
  • Page 87: Replacing A FortiGate Unit After Failover

    Replacing a FortiGate unit after failover: A failover can occur because of a hardware or software problem. When a failover occurs, you can attempt to restart the failed FortiGate unit by cycling its power. If the FortiGate unit starts up correctly, it rejoins the HA cluster, which then continues to function normally.
  • Page 88: Configuring The Priority Of Each FortiGate Unit In The Cluster

    For example, you might want to reduce the number of connections processed by the primary cluster unit by increasing the weight assigned to the subordinate cluster units. [Page fragments: “for each cluster unit”; “Selecting ...”.]
  • Page 89: Active-Active Cluster Packet Flow

    Weight values are entered in order according to the priority of the units in the cluster. For example, if you have a cluster of three FortiGate units, you can enter the following command to configure the weight values for each unit: set system ha weight 1 3 3. This command has the following results:...
  • Page 90: NAT/Route Mode Packet Flow

    FortiGate HA, the switch should support and be configured to use individual MAC address tables for each switch interface. Virtual cluster MAC address (MAC_V), Client MAC address (MAC_C), Server MAC address (MAC_S), Subordinate unit internal MAC address (MAC_S_I), Subordinate unit external MAC address (MAC_S_E).
  • Page 91: Transparent Mode Packet Flow

    The following are examples of switches that are compatible with the FGCP because they use a Global MAC address table: ... Transparent mode packet flow: In transparent mode, six MAC addresses are involved in active-active communication between a client and a server if the cluster routes the packets to the subordinate unit in the cluster:...
  • Page 92 Active-Active cluster packet flow
  • Page 93: System Status

    FortiGate-800 Installation and Configuration Guide Version 2.50. System status: You can connect to the web-based manager and view the current system status of the FortiGate unit. The status information that is displayed includes the current firmware version, the current virus and attack definitions, and the FortiGate unit serial number. If you log into the web-based manager using the admin administrator account, you can make any of the following changes to the FortiGate system settings:...
  • Page 94: Changing The FortiGate Host Name

    The new host name is displayed on the Status page, and in the CLI prompt, and is added to the SNMP System Name. Changing the FortiGate firmware After you download a FortiGate firmware image from Fortinet, you can use the procedures listed in Table 18: Firmware upgrade procedures...
  • Page 95: Upgrading To A New Firmware Version

    Upgrading to a new firmware version Use the following procedures to upgrade the FortiGate unit to a newer firmware version. Upgrading the firmware using the web-based manager Note: Installing firmware replaces the current antivirus and attack definitions with the definitions included with the firmware release that you are installing.
  • Page 96: Reverting To A Previous Firmware Version

    Where <name_str> is the name of the firmware image file on the TFTP server and <tftp_ip> is the IP address of the TFTP server. For example, if the firmware image file name is FGT_300-v250-build045-FORTINET.out and the IP address of the TFTP server is 192.168.1.168, enter: execute restore image FGT_300-v250-build045-FORTINET.out...
  • Page 97: Reverting To A Previous Firmware Version Using The Cli

    If you are reverting to a previous FortiOS version (for example, reverting from FortiOS v2.50 to FortiOS v2.36) you might not be able to restore the previous configuration from the backup configuration file. Note: Installing firmware replaces the current antivirus and attack definitions with the definitions included with the firmware release that you are installing.
  • Page 98 Where <name_str> is the name of the firmware image file on the TFTP server and <tftp_ip> is the IP address of the TFTP server. For example, if the firmware image file name is FGT_300-v250-build045-FORTINET.out and the IP address of the TFTP server is 192.168.1.168, enter: execute restore image FGT_300-v250-build045-FORTINET.out...
  • Page 99: Installing Firmware Images From A System Reboot Using The Cli

    Update antivirus and attack definitions (for information, see “antivirus and attack definitions updates”). Enter: execute updatecenter updatenow To confirm that the antivirus and attack definitions have been updated, enter the following command to display the antivirus engine, virus and attack definitions version, contract expiry, and last update attempt information.
  • Page 100 Get firmware image from TFTP server. [F]: Format boot device. [B]: Boot with backup firmware and set as default. [Q]: Quit menu and continue to boot with default firmware. [H]: Display this list of options. Enter G,F,B,Q,or H: ... execute reboot command.
  • Page 101: Restoring The Previous Configuration

    Enter the firmware image filename and press Enter. The TFTP server uploads the firmware image file to the FortiGate unit and messages similar to the following are displayed: ... The FortiGate unit installs the new firmware image and restarts. The installation might take a few minutes to complete.
  • Page 102 FortiGate unit running v3.x BIOS [G]: Get firmware image from TFTP server. [F]: Format boot device. [Q]: Quit menu and continue to boot with default firmware. [H]: Display this list of options. Enter G,F,Q,or H: ... execute reboot command.
  • Page 103: Installing And Using A Backup Firmware Image

    Type the address of the TFTP server and press Enter. The following message appears: Enter Local Address [192.168.1.188]: Type the address of the internal interface of the FortiGate unit and press Enter. Note: The local IP address is used only to download the firmware image. After the firmware is installed, the address of this interface is changed back to the default IP address for this interface.
  • Page 104 Get firmware image from TFTP server. Format boot device. Boot with backup firmware and set as default. Quit menu and continue to boot with default firmware. Display this list of options. ... execute reboot command.
  • Page 105 Switching to the backup firmware image Use this procedure to switch the FortiGate unit to operating with a backup firmware image that you previously installed. When you switch the FortiGate unit to the backup firmware image, the FortiGate unit operates using the configuration that was saved with that firmware image.
  • Page 106: Manual Virus Definition Updates

    Update Now. To update the antivirus definitions manually Download the latest antivirus definitions update file from Fortinet and copy it to the computer that you use to connect to the web-based manager. Start the web-based manager and go to System > Status.
  • Page 107: Manual Attack Definition Updates

    Now. To update the attack definitions manually Download the latest attack definitions update file from Fortinet and copy it to the computer that you use to connect to the web-based manager. Start the web-based manager and go to System > Status.
  • Page 108: Displaying The Fortigate Up Time

    Select OK to restore the system settings file to the FortiGate unit. The FortiGate unit restarts, loading the new system settings. Reconnect to the web-based manager and review your configuration to confirm that the uploaded system settings have taken effect.
  • Page 109: Restoring System Settings To Factory Defaults

    Restoring system settings to factory defaults Use the following procedure to restore system settings to the values set at the factory. This procedure does not change the firmware version or the antivirus or attack definitions. Caution: This procedure deletes all changes that you have made to the FortiGate configuration and reverts the system to its original configuration, including resetting interface addresses.
  • Page 110: Changing To Nat/Route Mode

    The admin administrator account password (see “Adding and editing administrator accounts” on page 172). HA settings (see “High availability”). Custom replacement messages (see “Replacement messages” on page 181). See also “Connecting to the web-based manager” on page 28.
  • Page 111: System Status

    System status You can use the system status monitor to display FortiGate system health information. The system health information includes memory usage, the number of active communication sessions, and the amount of network bandwidth currently in use. The web-based manager displays current statistics as well as statistics for the previous minute.
  • Page 112: Viewing Sessions And Network Status

    Set the automatic refresh interval and select Go to control how often the web-based manager updates the display. More frequent updates use system resources and increase network traffic. However, this only occurs when you are viewing the display using the web-based manager.
  • Page 113: Viewing Virus And Intrusions Status

    Select Refresh to manually update the information displayed. Figure 20: Sessions and network status monitor Viewing virus and intrusions status Use the virus and intrusions status display to track when viruses are found by the FortiGate antivirus system and to track when the NIDS detects a network-based attack.
  • Page 114: Session List

    If you are logged in as an administrative user with read and write privileges or as the admin user, you can select Clear to stop an active session. Use Page Up or Page Down to move through the session list.
  • Page 115 Each line of the session list displays the following information. Protocol: the service protocol of the connection, for example, udp, tcp, or icmp. From IP: the source IP address of the connection. From Port, To IP, To Port, Expire, Clear. Figure 22: Example session list
  • Page 116 Session list
  • Page 117: Virus And Attack Definitions Updates And Registration

    Network (FDN) to update the antivirus and attack definitions and the antivirus engine. You have the following update options: ... To receive scheduled updates and push updates, you must register the FortiGate unit on the Fortinet support web page. This chapter describes: ...
  • Page 118: Connecting To The Fortiresponse Distribution Network

    FortiGate was not able to connect to the FDN and other error conditions. Connecting to the FortiResponse Distribution Network; Manually initiating antivirus and attack definitions updates; Configuring update logging; “Scheduling updates” on page 122; “Enabling ...
  • Page 119: Manually Initiating Antivirus And Attack Definitions Updates

    Table 19: Connections to the FDN (Connections: FortiResponse Distribution Network, Push Update) Manually initiating antivirus and attack definitions updates You can use the following procedure to update the antivirus and attack definitions at any time.
  • Page 120: Configuring Update Logging

    Once a day. You can specify the time of day to check for updates. Once a week. You can specify the day of the week and the time of day to check for updates. See “Recording logs” on page 309.
  • Page 121: Adding An Override Server

    Select Apply. The FortiGate unit starts the next scheduled update according to the new update schedule. Whenever the FortiGate unit runs a scheduled update, the event is recorded in the FortiGate event log. Figure 23: Configuring automatic antivirus and attack definitions updates Adding an override server If you cannot connect to the FDN, or if your organization provides antivirus and attack...
  • Page 122: Enabling Scheduled Updates Through A Proxy Server

    Note: Push updates are not supported if the FortiGate unit must use a proxy server to connect to the FDN. For more information, see “Enabling scheduled updates through a proxy server” on page 122. See also “Registering the FortiGate unit” on page 130.
  • Page 123: Enabling Push Updates

    When the network configuration permits, configuring push updates is recommended in addition to configuring scheduled updates. On average the FortiGate unit receives new updates sooner through push updates than if the FortiGate unit receives only scheduled updates.
  • Page 124: Enabling Push Updates Through A Nat Device

    Note: This example describes the configuration for a FortiGate NAT device. However, you can use any NAT device with a static external IP address that can be configured for port forwarding.
  • Page 125 Figure 24: Example network topology: Push updates through a NAT device (FortiGate-300 NAT Device, FortiGate-800) General procedure Use the following steps to configure the FortiGate NAT device and the FortiGate unit on the internal network so that the FortiGate unit on the internal network can receive push updates: Add a port forwarding virtual IP to the FortiGate NAT device.
  • Page 126 If the FortiGate unit is operating in Transparent mode, enter the management IP address. For the example topology, enter 192.168.1.99. Set the Map to Port to 9443. Set Protocol to UDP. Select OK.
  • Page 127 Figure 25: Push update port forwarding virtual IP Adding a firewall policy for the port forwarding virtual IP To configure the FortiGate NAT device Add a new external to internal firewall policy. Configure the policy with the following settings: Source Destination Schedule...
  • Page 128: Registering Fortigate Units

    FortiGate units that you or your organization purchased. You can register multiple FortiGate units in a single session without re-entering your contact information. Once registration is completed, Fortinet sends a Support Login user name and password to your email address. You can use this user name and password to log on to the Fortinet support web site to: •...
  • Page 129: Forticare Service Contracts

    For maximum network protection, Fortinet strongly recommends that all customers purchase a service contract that covers antivirus and attack definition updates. See your Fortinet reseller or distributor for details of packages and pricing. To activate the FortiCare Support Contract, you must register the FortiGate unit and add the FortiCare Support Contract number to the registration information.
  • Page 130: Registering The Fortigate Unit

    Your contact information including: • First and last name • Company name • Email address (Your Fortinet support login user name and password will be sent to this email address.) • Address • Contact phone number A security question and an answer to the security question.
  • Page 131: Updating Registration Information

    Updating registration information You can use your Fortinet support user name and password to log on to the Fortinet Support web site at any time to view or update your Fortinet support information. This section describes: •...
  • Page 132: Recovering A Lost Fortinet Support Password

    Updating registration information Recovering a lost Fortinet support password If you provided a security question and answer when you registered on the Fortinet support web site, you can use the following procedure to receive a replacement password. If you did not provide a security question and answer, contact Fortinet technical support.
  • Page 133: Registering A New Fortigate Unit

    To register a new FortiGate unit Go to System > Update > Support. Select Support Login. Enter your Fortinet support user name and password. Select Login. Select Add Registration. Select the model number of the product model that you want to register.
  • Page 134: Changing Your Fortinet Support Password

    Make the required changes to your security question and answer. Select Update Profile. Your changes are saved to the Fortinet technical support database. If you changed your contact information, the changes are displayed.
  • Page 135: Downloading Virus And Attack Definitions Updates

    FortiGate unit. To download virus and attack definitions updates Go to System > Update > Support. Select Support Login. Enter your Fortinet support user name and password. Select Login. Select Download Virus/Attack Update. If required, select the FortiOS version.
  • Page 136: Registering A Fortigate Unit After An Rma

    FortiGate unit is protected by hardware coverage, you can return the FortiGate unit that is not functioning to your reseller or distributor. The RMA is recorded and you will receive a replacement unit. Fortinet adds the RMA information to the Fortinet support database. When you receive the replacement unit you can use the following procedure to update your product registration information.
  • Page 137: Network Configuration

    Network configuration You can use the System Network page to change any of the following FortiGate network settings: ... Configuring zones In NAT/Route mode, you can use zones to group related interfaces and VLAN subinterfaces.
  • Page 138: Adding Zones

    Adding a ping server to an interface; Controlling administrative access to an interface; Changing the MTU size to improve network performance; Configuring traffic logging for connections to an interface; Configuring the management interface in Transparent mode.
  • Page 139: Viewing The Interface List

    Viewing the interface list To view the interface list Go to System > Network > Interface. The interface list is displayed. The interface list shows the following status information for all the FortiGate interfaces and VLAN subinterfaces: ...
  • Page 140: Configuring An Interface With A Manual Ip Address

    DNS from server if you do not want the DHCP server to configure these FortiGate settings. To configure an interface for DHCP Go to System > Network > Interface. Choose an interface and select Modify. In the Addressing Mode section, select DHCP.
  • Page 141: Configuring An Interface For Pppoe

    Clear the Retrieve default gateway and DNS from server check box if you do not want the FortiGate unit to obtain a default gateway IP address and DNS server IP addresses from the DHCP server. By default, this option is enabled. Clear the Connect to Server check box if you do not want the FortiGate unit to connect to the DHCP server.
  • Page 142: Adding A Secondary Ip Address To An Interface

    The FortiGate unit retrieves an IP address, netmask, and other settings from the PPPoE server. The FortiGate unit was unable to retrieve an IP address and other information from the PPPoE server. See “Adding destination-based routes to the ...” on page 154 and “Modifying the Dead Gateway Detection settings” on page 171.
  • Page 143: Controlling Administrative Access To An Interface

    Controlling administrative access to an interface For a FortiGate unit running in NAT/Route mode, you can control administrative access to an interface to control how administrators access the FortiGate unit and the FortiGate interfaces to which administrators can connect. Controlling administrative access for an interface connected to the Internet allows remote administration of the FortiGate unit from any location on the Internet.
  • Page 144: Changing The Mtu Size To Improve Network Performance

    Internet unless this is required for your configuration. To improve the security of a FortiGate unit that allows remote administration from the Internet: Use secure administrative user passwords; Change these passwords regularly; ... (see “Updating antivirus and attack definitions” on page 117).
  • Page 145: Vlan Overview

    ... To configure the management interface in Transparent mode Go to System > Network > Management. Change the Management IP and Netmask as required. This must be a valid address for the network that you want to manage the FortiGate unit from.
  • Page 146: Vlans In Nat/Route Mode

    If you enter this command, multiple VLAN interfaces can have an IP address that is part of a subnet used by another interface. This command is recommended for advanced users only. For more information, see “VLANs in NAT/Route mode” and “Virtual ...” on page 147.
  • Page 147: Adding Vlan Subinterfaces

    Adding VLAN subinterfaces The VLAN ID of each VLAN subinterface must match the VLAN ID added by the IEEE 802.1Q-compliant router. The VLAN ID can be any number between 1 and 4096. Each VLAN subinterface must also be configured with its own IP address and netmask.
  • Page 148 (Figure: FortiGate unit with Virtual Domain 1 and Virtual Domain 2; VLAN1, VLAN2 and VLAN3 carried over VLAN trunks between a VLAN switch or router, the FortiGate unit and the Internet; each virtual domain applies content filtering, antivirus and NIDS to its VLANs)
  • Page 149: Virtual Domain Properties

    Virtual domain properties A virtual domain has the following exclusive properties: ... Virtual domains share the following global properties with other processes on the FortiGate unit: ... In addition to the global properties, virtual domains share a common administrative model.
  • Page 150 VLAN subinterfaces in a virtual domain. For more information about zones, see “Configuring zones” on page 137. Use the following procedure to add a zone to a virtual domain (see “Adding zones to virtual domains” on page 150).
  • Page 151 Figure 32: FortiGate unit containing a virtual domain with zones Multiple zones in a single virtual domain cannot be connected to a single VLAN trunk. This configuration is correct because each zone is connected to a different VLAN trunk (zone1 connected to the VLAN trunk on the internal interface and zone2 connected to the VLAN trunk on the external interface).
  • Page 152: Adding Firewall Policies For Virtual Domains

    The source and destination cannot be the same VLAN subinterface or zone. Select New to add a new policy. Configure the policy. Select OK to add the policy. Adding addresses for virtual domains Adding firewall policies for virtual domains
  • Page 153: Deleting Virtual Domains

    Deleting virtual domains You must remove all VLAN subinterfaces and zones that have been added to the virtual domain before you can delete the virtual domain. To remove VLAN subinterfaces and zones you must remove all firewall policies and firewall addresses for the VLAN subinterfaces and zones.
  • Page 154: Adding A Default Route

    If you are adding a static route from the FortiGate unit to a single destination router, you need to specify only one gateway. Add the IP address of Gateway #2, if you want to route traffic to multiple gateways. See “Adding a ping server to an interface” on page 142.
  • Page 155: Adding Routes In Transparent Mode

    Set Device #1 to the FortiGate interface or VLAN subinterface through which to route traffic to connect to Gateway #1. You can select the name of an interface, VLAN subinterface, or Auto (the default). If you select the name of an interface or VLAN subinterface the traffic is routed to that interface.
  • Page 156: Configuring The Routing Table

    See “Adding a ping server to an interface” on page 142. Use the icons in the routing table to delete a route from the routing table or to change its order in the table. Destination address; Source address; Protocol, service type, or port range; Incoming or source interface.
  • Page 157: Configuring Dhcp Services

    Using policy routing you can build a routing policy database (RPDB) that selects the appropriate route for traffic by applying a set of routing rules. To select a route for traffic, the FortiGate unit matches the traffic with the policy routes added to the RPDB starting at the top of the list.
  • Page 158: Configuring A Dhcp Relay Agent

    IP for the range of addresses that the FortiGate unit assigns to DHCP clients. Adding a DHCP server to an interface; Adding scopes to a DHCP server; Adding a reserve IP to a DHCP server; Viewing a DHCP server dynamic IP list.
  • Page 159 You can add multiple scopes to an interface so that the DHCP server added to that interface can supply IP addresses to computers on multiple subnets. Add multiple scopes if the DHCP server receives DHCP requests from subnets that are not connected directly to the FortiGate unit.
  • Page 160 Enter an IP address. The IP address must be within the IP pool added to the selected scope. Enter the MAC address of the device. Optionally, specify a name for the IP and MAC address pair.
  • Page 161: Rip Configuration

    RIP configuration The FortiGate implementation of the Routing Information Protocol (RIP) supports both RIP version 1 as defined by RFC 1058, and RIP version 2 as defined by RFC 2453. RIP version 2 enables RIP messages to carry more information, and to support simple authentication and subnet masks.
  • Page 162 The time in seconds that must elapse after the last update for a route before RIP removes the route from the routing table. Flush should be greater than the value of Invalid to allow the route to go into the holddown state. The default for Flush is 240 seconds.
  • Page 163: Configuring Rip For Fortigate Interfaces

    Figure 34: Configuring RIP settings Configuring RIP for FortiGate interfaces You can customize a RIP configuration for each FortiGate interface. This allows you to customize RIP for the network to which each interface is connected. To configure RIP for FortiGate interfaces Go to System >...
  • Page 164 More traffic will use routes to the interface with the lower metric. Metric can be from 1 to 16 with 16 equalling unreachable.
  • Page 165: Adding Rip Filters

    Adding RIP filters Use the Filter page to create RIP filter lists and assign RIP filter lists to the neighbors filter, incoming route filter, or outgoing route filter. The neighbors filter allows or denies updates from other routers. The incoming filter accepts or rejects routes in an incoming RIP update packet.
  • Page 166: Assigning A Rip Filter List To The Neighbors Filter

    For Incoming Routes Filter, select the name of the RIP filter list to assign to the incoming filter. Select Apply. Select Add Prefix to add an entry to the filter list.
  • Page 167: Assigning A Rip Filter List To The Outgoing Filter

    Assigning a RIP filter list to the outgoing filter The outgoing filter allows or denies adding routes to outgoing RIP update packets. You can assign a single RIP filter list to the outgoing filter. To assign a RIP filter list to the outgoing filter Go to System >...
  • Page 168 Adding RIP filters
  • Page 169: System Configuration

    System configuration Use the System Config page to make any of the following changes to the FortiGate system configuration: ... Setting system date and time For effective scheduling and logging, the FortiGate system time must be accurate. You can either manually set the FortiGate system time or you can configure the FortiGate unit to automatically keep its system time correct by synchronizing with a Network Time Protocol (NTP) server.
  • Page 170: Changing System Options

    Go to System > Config > Options. For Auth Timeout, type a number in minutes. Set the system idle timeout. Set the authentication timeout. Select the language for the web-based manager. Modify the dead gateway detection settings.
  • Page 171 Select Apply. Auth Timeout controls the amount of inactive time that the firewall waits before requiring users to authenticate again. For more information, see “...authentication”. The default Auth Timeout is 15 minutes. The maximum Auth Timeout is 480 minutes (8 hours).
  • Page 172: Adding And Editing Administrator Accounts

    FortiGate unit, and shut down the FortiGate unit. There is only one admin user. edit, or delete administrator accounts. Can change own administrator account password. Cannot make changes to system settings from the System Status page. Can view the FortiGate configuration.
  • Page 173: Editing Administrator Accounts

    FortiGate system information and can receive FortiGate traps. To monitor FortiGate system information and receive FortiGate traps you must compile Fortinet proprietary MIBs as well as Fortinet-supported standard MIBs into your SNMP manager.
  • Page 174: Configuring The Fortigate Unit For Snmp Monitoring

    FortiGate SNMP agent. Configuring the FortiGate unit for SNMP monitoring; Configuring FortiGate SNMP support; FortiGate MIBs; FortiGate traps; Fortinet MIB fields; Configuring SNMP access to an interface; Configuring SNMP community settings.
  • Page 175 To configure SNMP community settings Go to System > Config > SNMP v1/v2c. Select the Enable SNMP check box. Configure the following SNMP settings: System Name; System Location; Contact Information (add the contact information for the person responsible for this FortiGate unit); Get Community; Trap Community; Trap Receiver IP...
  • Page 176: Fortigate Mibs

    Your SNMP manager might already include standard and private MIBs in a compiled database that is ready to use. You must add the Fortinet proprietary MIBs to this database. If the standard MIBs used by the Fortinet SNMP agent are already compiled into your SNMP manager you do not have to compile them again.
  • Page 177: Fortigate Traps

    The FortiGate agent can send traps to up to three SNMP trap receivers on your network that are configured to receive traps from the FortiGate unit. For these SNMP managers to receive traps, you must load and compile the Fortinet trap MIB onto the SNMP manager.
  • Page 178: Logging Traps

    HTTP or FTP download or from an email message. Description: On a FortiGate unit with a hard drive, hard drive usage exceeds 90%. On a FortiGate unit without a hard drive, log to memory usage exceeds 90%.
  • Page 179: Fortinet Mib Fields

    MIB fields and describes the configuration and status information available for each one. You can view more details about the information available from all Fortinet MIB fields by compiling the fortinet.mib file into your SNMP manager and browsing the Fortinet MIB fields.
  • Page 180: Antivirus Configuration

    NIDS detection configuration. NIDS response configuration. Antivirus file blocking configuration. Antivirus quarantine configuration. Antivirus configuration including the current virus definition virus list. Web filter URL block list. Web filter script blocking configuration. Web filter exempt URL list.
  • Page 181: Replacement Messages

    Logging and reporting configuration Table 34: Logging and reporting MIB fields fnLoglogSetting fnLoglog fnLogAlertEmail Replacement messages Replacement messages are added to content passing through the firewall to replace: ... You can edit the content of replacement messages. You can also edit the content added to alert email messages to control the information that appears in alert emails for virus incidents, NIDS events, critical system events, and disk full events.
  • Page 182: Customizing Replacement Messages

    The URL of the blocked web page or file. <**/INFECTED**> <**QUARANTINE**> Used when quarantine is enabled (permitted for all scan services and block services for email only). %%QUARFILENAME%% The name of the file that was quarantined. <**/QUARANTINE**>
  • Page 183: Customizing Alert Emails

    Customizing alert emails Customize alert emails to control the content displayed in alert email messages sent to system administrators. To customize alert emails Go to System > Config > Replacement Messages. For the alert email message that you want to customize, select Modify. In the Message setup dialog box, edit the text of the message.
  • Page 184 %%EMAIL_TO%% The email address of the intended receiver of the message from which the file was removed. <**/BLOCK_ALERT**> <**CRITICAL_EVENT**> Used for critical firewall event alert emails. %%CRITICAL_EVENT%% The firewall critical event message. <**/CRITICAL_EVENT**>
  • Page 185: Firewall Configuration

    Firewall configuration Firewall policies control all traffic passing through the FortiGate unit. Firewall policies are instructions that the FortiGate unit uses to decide what to do with a connection request. When the firewall receives a connection request in the form of a packet, it analyzes the packet to extract its source address, destination address, and service (port number).
  • Page 186: Default Firewall Configuration

    Default firewall configuration; Adding firewall policies; Configuring policy lists; Addresses; Services; Schedules; Virtual IPs; IP pools; IP/MAC binding; Content profiles. Interfaces; VLAN subinterfaces; Zones; Addresses; Services; Schedules; Content profiles. See “Content profiles” on page 218.
  • Page 187: Interfaces

    Interfaces: Add policies to control connections between FortiGate interfaces and between the networks connected to these interfaces. By default, you can add policies for connections that include the internal, external, and DMZ interfaces. To add policies that include the port1 to port4 interfaces, you must use the following steps to add these interfaces to the firewall policy grid: If they are down, start the interfaces up.
  • Page 188: Addresses

    This address matches all addresses on the internal network. External_All: This address matches all addresses on the external network. DMZ_All: This address matches all addresses on the DMZ network. See “Services” on page 200, “Schedules” on page 205, and “Virtual IPs” on page 208.
  • Page 189: Content Profiles

    Content profiles: Add content profiles to policies to apply antivirus protection, web filtering, and email filtering to web, file transfer, and email services. The FortiGate unit includes the following default content profiles: (list not captured). The default policy includes the scan content profile. For more information about content profiles, see “Content profiles” on page 218. Adding firewall policies: Add firewall policies to control connections and traffic between FortiGate interfaces,...
  • Page 190: Firewall Policy Options

    Select an address or address group that matches the source address of the packet. Before you can add this address to a policy, you must add it to the source interface. For information about adding an address, see “Addresses” on page 197.
  • Page 191 Destination: Select an address or address group that matches the destination address of the packet. Before you can add this address to a policy, you must add it to the destination interface, VLAN subinterface, or zone. For information about adding an address, see “Addresses”...
  • Page 192: Traffic Shaping

    You can use traffic shaping to guarantee the amount of bandwidth available through the firewall for a policy. Guarantee bandwidth (in Kbytes) to make sure that there is enough bandwidth available for a high-priority service. See “IP pools” on page 213.
  • Page 193 Maximum Bandwidth, Traffic Priority (policy options, continued). Authentication: Select Authentication and select a user group to require users to enter a user name and password before the firewall accepts the connection. Select the user group to control the users that can authenticate with this policy. For information about adding and configuring user groups, see “Configuring user groups” on page 229. You must add user groups before you can select Authentication.
  • Page 194 Log Traffic: Select Log Traffic to write messages to the traffic log whenever the policy processes a connection. For information about logging, see “Logging and reporting” on page 309. Comments: You can add a description or other information about the policy. The comment can be up to 63 characters long, including spaces.
  • Page 195: Configuring Policy Lists

    Configuring policy lists: The firewall matches policies by searching for a match starting at the top of the policy list and moving down until it finds the first match. You must arrange policies in the policy list from more specific to more general. For example, the default policy is a very general policy because it matches all connection attempts.
  • Page 196: Changing The Order Of Policies In A Policy List

    To enable a policy: Go to Firewall > Policy. Select the policy list that contains the policy that you want to enable. Select the check box of the policy to enable it.
  • Page 197: Addresses

    Addresses: All policies require source and destination addresses. To add addresses to a policy, you must first add addresses to the address list for the interfaces, zones, or VLAN subinterfaces of the policy. You can add, edit, and delete all firewall addresses as required. You can also organize related addresses into address groups to simplify policy creation.
  • Page 198: Editing Addresses

    The netmask for a class A subnet should be 255.0.0.0. The netmask for a class B subnet should be 255.255.0.0. The netmask for a class C subnet should be 255.255.255.0. The netmask for all addresses should be 0.0.0.0.
  • Page 199: Deleting Addresses

    Deleting addresses: Deleting an address removes it from an address list. To delete an address that has been added to a policy, you must first remove the address from the policy. To delete an address: Go to Firewall > Address. Select the interface list containing the address that you want to delete.
  • Page 200: Services

    This section describes: Adding custom ICMP services, Adding custom IP services, Grouping services. Table 38: FortiGate predefined services (columns: Service name, Description, Protocol, Port). Description: Match connections on any port. A connection that uses any of the predefined services is allowed through the firewall. You can add these...
  • Page 201 Table 38: FortiGate predefined services (continued). Service names on this page: DHCP-Relay, FINGER, GOPHER, H323, HTTP, HTTPS, IMAP, Internet-Locator-Service, L2TP. Description (Generic Routing Encapsulation): A protocol that allows an arbitrary network protocol to be transmitted over any other arbitrary network protocol, by encapsulating the packets of the protocol within GRE packets.
  • Page 202 Table 38 (continued). Descriptions: Syslog service for remote logging. A protocol supporting conversations between two or more users. Protocol and Port column values: 1720; 111, 2049; 5632; icmp; icmp; icmp; icmp; 1723; 26000, 27000, 27910, 27960; 7070; 161-162; 161-162; 517-518.
  • Page 203: Adding Custom Tcp And Udp Services

    Table 38: FortiGate predefined services (continued). Service names: TELNET, TFTP, UUCP, VDOLIVE, WAIS, WINFRAME, X-WINDOWS. Adding custom TCP and UDP services: Add a custom TCP or UDP service if you need to create a policy for a service that is not in the predefined service list.
  • Page 204: Adding Custom Icmp Services

    A service group can contain predefined services and custom services in any combination. You cannot add service groups to another service group. To group services: Go to Firewall > Service > Group. Select New.
  • Page 205: Schedules

    Type a Group Name to identify the group. This name appears in the service list when you add a policy and cannot be the same as a predefined service name. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _.
  • Page 206: Creating One-Time Schedules

    Set Start and Stop times to 00 for the schedule to be active for the entire day. Set the Stop date and time for the schedule. One-time schedules use a 24-hour clock. Select OK to add the one-time schedule. Figure 45: Adding a one-time schedule.
  • Page 207: Creating Recurring Schedules

    Creating recurring schedules: You can create a recurring schedule that activates or deactivates policies at specified times of the day or on specified days of the week. For example, you might want to prevent Internet use outside working hours by creating a recurring schedule. If you create a recurring schedule with a stop time that occurs before the start time, the schedule starts at the start time and finishes at the stop time on the next day.
  • Page 208: Adding Schedules To Policies

    IP address of the interface that receives the packets. This technique is called port forwarding or port address translation (PAT). You can also use port forwarding to change the destination port of the forwarded packets.
  • Page 209: Adding Static Nat Virtual Ips

    This section describes: Adding static NAT virtual IPs, Adding port forwarding virtual IPs, Adding policies with virtual IPs. Adding static NAT virtual IPs: To add a static NAT virtual IP, go to Firewall > Virtual IP. Select New to add a virtual IP. Type a Name for the virtual IP. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _.
  • Page 210: Adding Port Forwarding Virtual Ips

    The external interface is the interface connected to the source network that receives the packets to be forwarded to the destination network. You can select any firewall interface or a VLAN subinterface. In the Type section, select Port Forwarding.
  • Page 211 Enter the External IP Address that you want to map to an address on the destination zone. You can set the external IP address to the IP address of the external interface selected in the earlier step. If the external interface selected in that step gets its IP address from DHCP, you can enter 0.0.0.0 for the External IP Address.
  • Page 212: Adding Policies With Virtual Ips

    Set action to ACCEPT to accept connections to the internal server. You can also select DENY to deny access. Select NAT if the firewall is protecting the private addresses on the destination network from the source network.
  • Page 213: Ip Pools

    Authentication, Log Traffic, Anti-Virus & Web filter (policy options, continued). Select OK to save the policy. IP pools: An IP pool (also called a dynamic IP pool) is a range of IP addresses added to a firewall interface. If you add IP pools to an interface, you can select Dynamic IP Pool when you configure a policy with the destination set to this interface.
  • Page 214: Ip Pools For Firewall Policies That Use Fixed Ports

    FortiGate unit from a different computer. The IP address of a computer is easy to change to a trusted address, but MAC addresses are added to Ethernet cards at the factory and are not easy to change.
  • Page 215: Configuring Ip/Mac Binding For Packets Going Through The Firewall

    You can enter the static IP addresses and corresponding MAC addresses of trusted computers in the static IP/MAC table. If you have trusted computers with dynamic IP addresses that are set by the FortiGate DHCP server, the FortiGate unit adds these IP addresses and their corresponding MAC addresses to the dynamic IP/MAC table.
  • Page 216: Configuring Ip/Mac Binding For Packets Going To The Firewall

    A packet with both the IP address and MAC address not defined in the IP/MAC binding table: • is allowed to connect to the firewall if IP/MAC binding is set to Allow traffic, • is blocked if IP/MAC binding is set to Block traffic.
  • Page 217: Viewing The Dynamic Ip/Mac List

    Enter the IP Address and the MAC Address. You can bind multiple IP addresses to the same MAC address. You cannot bind multiple MAC addresses to the same IP address. However, you can set the IP address to 0.0.0.0 for multiple MAC addresses. This means that all packets with these MAC addresses are matched with the IP/MAC binding list.
  • Page 218: Content Profiles

    Configure email filtering for IMAP and POP3 policies; configure oversized file and email blocking for HTTP, FTP, POP3, SMTP, and IMAP policies; pass fragmented email for POP3, SMTP, and IMAP policies. This section describes: Default content profiles, Adding content profiles, Adding content profiles to policies.
  • Page 219: Default Content Profiles

    Default content profiles: The FortiGate unit has the following four default content profiles that are displayed on the Firewall Content Profile page. You can use the default content profiles or create your own. Strict, Scan, Unfiltered. Adding content profiles: If the default content profiles do not provide the protection that you require, you can create custom content profiles.
  • Page 220 See “Blocking oversized files and emails” on page 286. Allow email messages that have been fragmented to bypass antivirus scanning. See “Exempting fragmented email from blocking” on page 287. Also referenced on this page: “Script filtering” on page 299, and “Exempt…” and “Email…” sections, one on page 304.
  • Page 221: Adding Content Profiles To Policies

    Adding content profiles to policies: You can add content profiles to policies with action set to allow or encrypt and with service set to ANY, HTTP, FTP, IMAP, POP3, SMTP, or a service group that includes these services. To add a content profile to a policy: Go to Firewall >...
  • Page 222 Content profiles
  • Page 223: Users And Authentication

    Users and authentication: FortiGate units support user authentication to the FortiGate user database, a RADIUS server, and an LDAP server. You can add user names to the FortiGate user database and then add a password to allow the user to authenticate using the internal database. You can also add the names of RADIUS and LDAP servers.
  • Page 224: Setting Authentication Timeout

    Enter the password that this user must use to authenticate. The password should be at least six characters long. The password can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
  • Page 225: Deleting User Names From The Internal Database

    LDAP, Radius (user authentication options). Select the “Try other servers if connect to selected server fails” check box if you have selected Radius and you want the FortiGate unit to try to connect to other RADIUS servers added to the FortiGate RADIUS configuration. Select OK.
  • Page 226: Configuring Radius Support

    You cannot delete a RADIUS server that has been added to a user group. To delete a RADIUS server: Go to User > RADIUS. Select Delete beside the RADIUS server name that you want to delete. Select OK. (Subsections: Adding RADIUS servers, Deleting RADIUS servers.)
  • Page 227: Configuring Ldap Support

    Configuring LDAP support: If you have configured LDAP support and a user is required to authenticate using an LDAP server, the FortiGate unit contacts the LDAP server for authentication. To authenticate with the FortiGate unit, the user enters a user name and password. The FortiGate unit sends this user name and password to the LDAP server.
  • Page 228: Deleting Ldap Servers

    You cannot delete an LDAP server that has been added to a user group. To delete an LDAP server: Go to User > LDAP. Select Delete beside the LDAP server name that you want to delete. Select OK.
  • Page 229: Configuring User Groups

    Configuring user groups: To enable authentication, you must add user names, RADIUS servers, and LDAP servers to one or more user groups. You can then select a user group when you require authentication. You can select a user group to configure authentication for: •...
  • Page 230: Deleting User Groups

    You cannot delete user groups that have been selected in a policy, a dialup user phase 1 configuration, or a PPTP or L2TP configuration. To delete a user group: Go to User > User Group. Select Delete beside the user group that you want to delete. Select OK.
  • Page 231: Ipsec Vpn

    IPSec VPN: A Virtual Private Network (VPN) is an extension of a private network that encompasses links across shared or public networks such as the Internet. For example, a company that has two offices in different cities, each with its own private network, can use a VPN to create a secure tunnel between the offices.
  • Page 232: Key Management

    IPSec supports the automated generation and negotiation of keys using the Internet Key Exchange protocol. This method of key management is referred to as AutoIKE. Fortinet supports AutoIKE with pre-shared keys and AutoIKE with certificates. AutoIKE with pre-shared keys: If both peers in a session are configured with the same pre-shared key, they can use it to authenticate themselves to each other.
  • Page 233: Manual Key Ipsec Vpns

    In some respects, certificates are simpler to manage than manual keys or pre-shared keys. For this reason, certificates are best suited to large network deployments. Manual key IPSec VPNs: When using manual keys, complementary security parameters must be entered at both ends of the tunnel.
  • Page 234 16 characters. Enter a 40-character (20 byte) hexadecimal number (0-9, A-F). Separate the number into two segments: the first of 16 characters; the second of 24 characters. See “Adding a VPN concentrator” on page 251.
  • Page 235: Autoike Ipsec Vpns

    AutoIKE IPSec VPNs: FortiGate units support two methods of Automatic Internet Key Exchange (AutoIKE) for establishing IPSec VPN tunnels: AutoIKE with pre-shared keys and AutoIKE with digital certificates. This section describes: (list not captured). General configuration steps for an AutoIKE VPN: An AutoIKE VPN configuration consists of phase 1 and phase 2 configuration parameters, the source and destination addresses for both ends of the tunnel, and an encrypt policy to control access to the VPN tunnel.
  • Page 236 16 randomly chosen alphanumeric characters. RSA Signature: Select a local certificate that has been digitally signed by the certificate authority (CA). To add a local certificate to the FortiGate unit, see “Obtaining a signed local certificate” on page 242.
  • Page 237: Configuring Advanced Options

    Configure the Local ID that the FortiGate unit sends to the remote VPN peer. Configuring advanced options: To configure phase 1 advanced options, select Advanced Options. Select a Peer Option if you want to authenticate remote VPN peers by the ID that they transmit during phase 1.
  • Page 238 Microsoft RADIUS). Use MIXED if the authentication server supports CHAP but the XAuth client does not. (Use MIXED with the Fortinet Remote VPN Client.) Select a group of users to be authenticated by XAuth. The individual users within the group can be authenticated locally or by one or more LDAP or RADIUS servers.
  • Page 239 Figure 56: Adding a phase 1 configuration (Standard options). Figure 57: Adding a phase 1 configuration (Advanced options).
  • Page 240: Adding A Phase 2 Configuration For An Autoike Vpn

    When the key expires, a new key is generated without interrupting service. P2 proposal keylife can be from 120 to 172800 seconds or from 5120 to 99999 Kbytes. See “Adding a phase 1 configuration for an AutoIKE VPN” on page 235 and “Redundant IPSec VPNs” on page 253.
  • Page 241 Enable Autokey Keep Alive if you want to keep the VPN tunnel running even if no data is being processed. Select a concentrator if you want the tunnel to be part of a hub and spoke VPN configuration. If you use the procedure to add the tunnel to a concentrator, the next time you open the tunnel, the Concentrator field displays the name of the concentrator to which you added the tunnel.
  • Page 242: Managing Digital Certificates

    VPN tunnel between the participants. Fortinet uses a manual procedure to obtain certificates. This involves copying and pasting text files from your local computer to the certificate authority, and from the certificate authority to your local computer.
  • Page 243 FortiGate unit (such as Manufacturing or MF). Enter the legal name of the organization that is requesting the certificate for the FortiGate unit (such as Fortinet). Enter the name of the city or town where the FortiGate unit is located (such as Vancouver).
  • Page 244 to download the local certificate to the management computer. Note: Use the execute vpn certificates key CLI command to back up and restore the local certificate and private key. For more information, see the FortiGate CLI Reference Guide.
  • Page 245: Obtaining Ca Certificates

    Obtaining CA certificates: For the VPN peers to authenticate themselves to each other, they must both obtain a CA certificate from the same certificate authority. The CA certificate provides the VPN peers with a means to validate the digital certificates that they receive from other devices.
  • Page 246: Adding A Source Address

    Content profiles, to apply antivirus protection, web filtering, and email filtering to web, file transfer, and email services in the VPN. Logging, so that the FortiGate unit logs all connections that use the VPN. This section describes: Adding a source address, Adding a destination address, Adding an encrypt policy.
  • Page 247: Adding A Destination Address

    Adding a destination address: The destination address can be a VPN client address on the Internet or the address of a network behind a remote VPN gateway. To add a destination address: Go to Firewall > Address. Select an external interface. Select New to add an address.
  • Page 248 Destination (usually a public IP address). The tunnel, and the traffic within the tunnel, can only be initiated at the end that implements Outbound NAT. See “Adding firewall policies” on page 189.
  • Page 249: Ipsec Vpn Concentrators

    Figure 60: Adding an encrypt policy. IPSec VPN concentrators: In a hub-and-spoke network, all VPN tunnels terminate at a single VPN peer called a hub. The peers that connect to the hub are known as spokes. The hub functions as a concentrator on the network, managing the VPN connections between the spokes.
  • Page 250: Vpn Concentrator (Hub) General Configuration Steps

    (client or gateway) configured in phase 1, encryption and authentication algorithms, and a number of security parameters. See “AutoIKE IPSec VPNs” on page 235, “Adding a source address” on page 246, and “Adding a VPN concentrator” on page 251.
  • Page 251: Adding A Vpn Concentrator

    Policy settings (table): Source, Destination, Action, VPN Tunnel, Allow inbound, Allow outbound (select allow outbound), Inbound NAT, Outbound NAT (select outbound NAT if required). Arrange the policies in the following order: (list not captured). Adding a VPN concentrator: To add a VPN concentrator configuration, go to VPN >...
  • Page 252: Vpn Spoke General Configuration Steps

    Do not enable. Select inbound NAT if required. See “Adding an encrypt policy” on page 247. Source: The local VPN spoke address. Destination: External_All. See “Manual key IPSec VPNs” on page 233 and “AutoIKE IPSec VPNs” on page 235.
  • Page 253: Redundant Ipsec Vpns

    Policy settings (table): Action, VPN Tunnel, Allow inbound, Allow outbound (do not enable), Inbound NAT, Outbound NAT (select outbound NAT if required). Arrange the policies in the following order: (list not captured). Note: The default non-encrypt policy is required to allow the VPN spoke to access other networks, such as the Internet.
  • Page 254: Configuring Redundant Ipsec Vpns

    If the VPN connections are in different zones, add a separate outgoing encrypt policy for each connection. The source and destination of both policies must be the same. Add a different AutoIKE key tunnel to each policy. See “Adding an encrypt policy” on page 247.
  • Page 255: Monitoring And Troubleshooting Vpns

    Monitoring and Troubleshooting VPNs. This section describes: (list not captured). Viewing VPN tunnel status: You can use the IPSec VPN tunnel list to view the status of all IPSec AutoIKE key VPN tunnels. For each tunnel, the list shows the status and the tunnel time out. To view VPN tunnel status: Go to VPN >...
  • Page 256: Testing A Vpn

    The time before the next key exchange. The time is calculated by subtracting the time elapsed since the last key exchange from the keylife. The actual IP address or subnet address of the local peer.
  • Page 257: Pptp And L2Tp Vpn

    PPTP and L2TP VPN: You can use PPTP and L2TP to create a virtual private network (VPN) between a remote client computer that is running Windows and your internal network. Because PPTP and L2TP are supported by Windows, you do not require third-party software on the client computer.
  • Page 258: Configuring The Fortigate Unit As A Pptp Gateway

    Select the interface to which PPTP clients connect. This can be an interface, VLAN subinterface, or zone. See “To add users and user groups” on page 258, “Adding user names and…” on page 224, and “Configuring user…” on page 229.
  • Page 259 Select New to add an address. Enter the Address Name, IP Address, and NetMask for an address in the PPTP address range. Select OK to save the source address. Repeat for all addresses in the PPTP address range. Note: If the PPTP address range is comprised of an entire subnet, add an address for this subnet.
  • Page 260: Configuring A Windows 98 Client For Pptp

    An icon for the new connection appears in the Dial-Up Networking folder. Right-click the new icon and select Properties. Go to Server Types. Uncheck IPX/SPX Compatible. Select TCP/IP Settings. Uncheck Use IP header compression. Uncheck Use default gateway on remote network. Select OK twice.
  • Page 261: Configuring A Windows 2000 Client For Pptp

    To connect to the PPTP VPN: Start the dialup connection that you configured in the previous procedure. Enter your PPTP VPN User Name and Password. Select Connect. Configuring a Windows 2000 client for PPTP: Use the following procedure to configure a client computer running Windows 2000 so that it can connect to a FortiGate PPTP VPN.
  • Page 262 This user name and password are not the same as your VPN user name and password. Networking components listed: TCP/IP, QoS Packet Scheduler, File and Printer Sharing for Microsoft Networks, Client for Microsoft Networks.
  • Page 263: Configuring L2Tp

    Configuring L2TP: Some implementations of L2TP support elements of IPSec. These elements must be disabled when L2TP is used with a FortiGate unit. Note: L2TP VPNs are only supported in NAT/Route mode. This section describes:...
  • Page 264 Addresses list and select the right arrow to add it to the Members list. To remove addresses from the address group, select an address from the Members list and select the left arrow to remove it from the group.
  • Page 265: Configuring A Windows 2000 Client For L2Tp

    Select OK to add the address group. To add a destination address: Add an address to which L2TP users can connect. Go to Firewall > Address. Select the internal interface or the DMZ interface. Select New to add an address. Enter the Address Name, IP Address, and NetMask for a single computer or for an entire subnetwork on an internal interface of the local VPN peer.
  • Page 266 CA authentication. Instead, it checks for a local or Active Directory IPSec policy. To connect to the L2TP VPN: Start the dialup connection that you configured in the previous procedure. Enter your L2TP VPN User Name and Password. Select Connect.
  • Page 267: Configuring A Windows Xp Client For L2Tp

    In the connect window, enter the User Name and Password that you use to connect to your dialup network connection. This user name and password are not the same as your VPN user name and password. Configuring a Windows XP client for L2TP: Use the following procedure to configure a client computer running Windows XP so that it can connect to a FortiGate L2TP VPN.
  • Page 268 In the connect window, enter the User Name and Password that you use to connect to your dialup network connection. This user name and password are not the same as your VPN user name and password.
  • Page 269: Network Intrusion Detection System (Nids)

    Network Intrusion Detection System (NIDS): The FortiGate NIDS is a real-time network intrusion detection sensor that uses attack signature definitions to both detect and prevent a wide variety of suspicious network traffic and direct network-based attacks. Also, whenever an attack occurs, the FortiGate NIDS can record the event in a log and send an alert email to the system administrator.
  • Page 270: Selecting The Interfaces To Monitor

    FortiGate unit is installed behind a router that also does checksum verification. To configure checksum verification: Go to NIDS > Detection > General. Select the type of traffic that you want to run Checksum Verifications on. Select Apply. Figure 66: Example NIDS detection configuration.
  • Page 271: Viewing The Signature List

    Open a web browser and enter the following URL: http://www.fortinet.com/ids/ID<attack-ID> Make sure that you include the attack ID. For example, to view the Fortinet Attack Analysis web page for the ssh CRC32 overflow /bin/sh attack (ID 101646338), use the following URL: http://www.fortinet.com/ids/ID101646338 Note: Each attack log message includes a URL that links directly to the FortiResponse Attack Analysis web page for that attack.
  • Page 272: Disabling Nids Attack Signatures

    Note: To save your NIDS attack signature settings, Fortinet recommends that you back up your FortiGate configuration before you update the firmware and restore the saved configuration after the update.
  • Page 273 To add user-defined signatures: Go to NIDS > Detection > User Defined Signature List. Select Upload. Caution: Uploading the user-defined signature list overwrites the existing file. Type the path and filename of the text file for the user-defined signature list or select Browse and locate the file.
  • Page 274: Preventing Attacks

    This section describes: Enabling NIDS attack prevention signatures, Setting signature threshold values. Procedure fragments: …to enable all signatures in the NIDS attack prevention signature…; …to disable all signatures in the NIDS attack prevention…; …to enable only the default NIDS attack prevention…
  • Page 275: Setting Signature Threshold Values

    Setting signature threshold values: You can change the default threshold values for the NIDS Prevention signatures listed. …threshold is the maximum number of packets received per second. For overflow attacks, the threshold is the buffer size for the command. For large ICMP attacks, the threshold is the ICMP packet size limit to pass through.
  • Page 276: Logging Attacks

    NIDS Signature Group Members list. …beside the signature for which you want to set the Threshold value. This section describes: Logging attack messages to the attack log, Reducing the number of NIDS attack log and email messages.
  • Page 277 The FortiGate unit uses an alert email queue in which each new message is compared with the previous messages. If the new message is not a duplicate, the FortiGate unit sends it immediately and puts a copy in the queue. If the new message is a duplicate, the FortiGate unit deletes it and increases an internal counter for the number of message copies in the queue.
  • Page 278 Logging attacks
  • Page 279: Antivirus Protection

    Antivirus protection: You can enable antivirus protection in firewall policies. You can select a content profile that controls how the antivirus protection behaves. Content profiles control the type of traffic protected (HTTP, FTP, IMAP, POP3, SMTP), the type of antivirus protection and the treatment of fragmented email and oversized files or email.
  • Page 280: Antivirus Scanning

    Configure file quarantine settings to control the quarantining of infected files. For information about configuring quarantine options, see “Configuring quarantine options” on page 285. This page also lists the archive and image formats that can be scanned, including cdimage, floppy image, .ace, .bzip2 and Tar+Gzip+Bzip2. See also “Adding content profiles” on page 219 and “Adding content profiles to policies” on page 221.
  • Page 281: File Blocking

    Antivirus protection Figure 69: Example content profile for virus scanning File blocking Enable file blocking to remove all files that are a potential threat and to provide the best protection from active computer virus attacks. Blocking files is the only protection from a virus that is so new that antivirus scanning cannot detect it.
  • Page 282: Blocking Files In Firewall Traffic

    Dynamic link libraries (*.dll), HTML applications (*.hta), Microsoft Office files (*.doc, *.ppt, *.xl?), Microsoft Works files (*.wps), Visual Basic files (*.vb?) and screen saver files (*.scr) are among the file patterns listed for blocking. See “Adding content profiles” on page 219 and “Adding content profiles to policies” on page 221.
  • Page 283: Quarantine

    Antivirus protection Quarantine FortiGate units with a hard disk can quarantine blocked or infected files. The quarantined files are removed from the content stream and stored on the FortiGate hard disk. Users receive a message that the removed files have been quarantined. On the FortiGate, the names of quarantined files are displayed on the quarantine list.
  • Page 284: Viewing The Quarantine List

    When a quarantined file's time to live expires, the quarantine list shows EXP under the TTL heading. In the case of duplicate files, each duplicate found refreshes the TTL. You can delete or download the file. When you download a file, it is downloaded in its original format, so a downloaded infected file is still infected; handle it only on an isolated analysis host.
  • Page 285: Filtering The Quarantine List

    Filtering the quarantine list: the page lists the criteria by which you can filter the quarantine list. To filter the Quarantine list to display blocked or infected files: Go to Anti-Virus > Quarantine. For Filter, select Status. Select either infected or blocked. Select Apply.
  • Page 286: Blocking Oversized Files And Emails

    ... HTTP or email proxy client. Configuring limits for oversized files and email: Go to Anti-Virus > Config > Config. Type the size limit, in MB. Select Apply.
  • Page 287: Exempting Fragmented Email From Blocking

    Antivirus protection Exempting fragmented email from blocking A fragmented email is a large email message that has been split into smaller messages that are sent individually and recombined when they are received. By default, when antivirus protection is enabled, the FortiGate unit blocks fragmented emails and replaces them with an email block message that is forwarded to the receiver.
  • Page 288: Viewing the virus list
  • Page 289: Web Filtering

    Web filtering: When you enable Anti-Virus & Web filter in a firewall policy, you select a content profile that controls how web filtering behaves for HTTP traffic. Content profiles control the following types of content filtering: •...
  • Page 290: Content Blocking

    See “Recording logs” on page 309 and “Configuring alert email” on page 321. This page covers: Adding words and phrases to the Banned Word list; Clearing the Banned Word list; Backing up the Banned Word list; Restoring the Banned Word list.
  • Page 291: Clearing The Banned Word List

    Web filtering Type a banned word or phrase. If you type a single word (for example, banned), the FortiGate unit blocks all web pages that contain that word. If you type a phrase (for example, banned phrase), the FortiGate unit blocks web pages that contain both words.
  • Page 292: Backing Up The Banned Word List

    Type the path and filename of the banned word list text file, or select Browse and locate the file. Select OK to upload the file to the FortiGate unit. Each line of the file holds a pattern, a status value and a language value, with plus signs in place of spaces. The page lists the values in this order (numbering them 0 upward in that order):

    Value  Status    Language
    0      Disabled  ASCII
    1      Enabled   Simplified Chinese
    2                Traditional Chinese
    3                Japanese
    4                Korean

    Example lines from the page:
    banned 1 0
    banned+phrase+1 1 3
    "banned+phrase+2" 1 1
  • Page 293: Url Blocking

    Web filtering Select Return to display the updated Banned Word List. You can continue to maintain the Banned Word List by making changes to the text file and uploading it again as necessary. Note: Banned Word must be selected in the content profile for web pages containing banned words to be blocked.
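    Parsing the banned word list upload format shown on page 292 (pattern, status, language, with + for spaces) and applying the matching rules the page gives: a single word blocks any page containing it, a multi-word pattern blocks a page containing all of its words, and a quoted pattern matches only when the words appear together (the quoted form is described for the email banned word list on page 304, which uses the same + notation). Added example, not FortiGate code; the numeric language codes, token-based matching and case-insensitivity are assumptions.

```python
"""Parser and matcher for the banned word list file format: one entry per
line, 'pattern status language', spaces inside the pattern written as '+'.
Added example, not FortiGate code. The numeric language codes follow the
order the page lists them (an assumption); matching is token-based and
case-insensitive (also assumptions)."""
import re
from dataclasses import dataclass

# Assumed mapping: codes in the order the page lists the languages.
LANGUAGES = {0: "ASCII", 1: "Simplified Chinese", 2: "Traditional Chinese",
             3: "Japanese", 4: "Korean"}


@dataclass(frozen=True)
class BannedEntry:
    words: tuple    # individual words, lower-cased
    phrase: bool    # quoted in the list: words must appear together, in order
    enabled: bool
    language: int


def parse_banned_word_list(text):
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 'pattern status language', got {raw!r}")
        pattern, status, lang = parts
        phrase = len(pattern) >= 2 and pattern[0] == '"' and pattern[-1] == '"'
        words = tuple(w.lower() for w in pattern.strip('"').split("+") if w)
        if (not words or status not in ("0", "1")
                or not lang.isdigit() or int(lang) not in LANGUAGES):
            raise ValueError(f"line {lineno}: malformed entry {raw!r}")
        entries.append(BannedEntry(words, phrase, status == "1", int(lang)))
    return entries


_WORD = re.compile(r"[^\W_]+")


def _tokens(page_text):
    return [t.lower() for t in _WORD.findall(page_text)]


def matches(entry, page_text):
    toks = _tokens(page_text)
    if entry.phrase:
        # quoted pattern: the words must occur contiguously, in order
        n = len(entry.words)
        return any(tuple(toks[i:i + n]) == entry.words for i in range(len(toks) - n + 1))
    # unquoted: every word present anywhere (a single word is the n == 1 case)
    return all(w in toks for w in entry.words)


def blocked_by(entries, page_text):
    """Return the enabled entries that would block this page."""
    return [e for e in entries if e.enabled and matches(e, page_text)]


# Constructed sample list built from the example lines the page shows,
# plus one disabled entry.
SAMPLE_LIST = """banned 1 0
banned+phrase+1 1 3
"banned+phrase+2" 1 1
casino+bonus 0 0
"""

if __name__ == "__main__":
    entries = parse_banned_word_list(SAMPLE_LIST)
    for page in ("This page is banned here", "the banned phrase 2 appears", "casino bonus today"):
        print(page, "->", [e.words for e in blocked_by(entries, page)])
```

    The difference between the unquoted and quoted forms is the practical point: "banned+phrase+1" fires on a page that mentions those three words anywhere, which is far more aggressive than the quoted "banned+phrase+2", which needs the exact phrase. Entries with status 0 are kept in the list but never match.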
  • Page 294: Web URL block list controls. Select Clear URL Block List to remove all URLs and patterns from the Web URL block list; use Page Up and Page Down to navigate through the Web URL block list; a further icon enables all items in the list. See “Configuring FortiGate web pattern blocking” on page 296.
  • Page 295: Uploading A Url Block List

    Downloading the Web URL block list: You can back up the Web URL block list by downloading it to a text file on the management computer. To download a Web URL block list: Go to Web Filter > Web URL Block. Select Download URL Block List. The FortiGate unit downloads the list to a text file on the management computer.
  • Page 296: Configuring Fortigate Web Pattern Blocking

    FortiGate support for Cerberian web filtering. This page covers: Installing a Cerberian license key; Adding a Cerberian user; Configuring Cerberian web filter; Enabling Cerberian URL filtering. See also “High availability”.
  • Page 297: Installing A Cerberian License Key

    Web filtering Installing a Cerberian license key Before you can use the Cerberian web filter, you must install a license key. The license key determines the number of end users allowed to use Cerberian web filtering through the FortiGate unit. To install a Cerberian licence key Go to Web Filter >...
  • Page 298: Enabling Cerberian Url Filtering

    Select Anti-Virus & Web filter. Select the content profile from the Content Profile list. Select OK. Two entries on this page describe default Cerberian groups: all the users who are not assigned alias names on the FortiGate unit, and all the users who are not assigned to other user groups.
  • Page 299: Script Filtering

    Script filtering: You can configure the FortiGate unit to remove Java applets, cookies, and ActiveX scripts from HTML web pages. Note: Blocking any of these items might prevent some web pages from working properly. Enabling script filtering: Go to Firewall >...
  • Page 300: Exempt Url List

    This page covers: Adding URLs to the URL Exempt list; Downloading the URL Exempt List; Uploading a URL Exempt List. The URL Exempt list page uses Page Up and Page Down to navigate the exempt URL list and has an icon to activate all items in the list.
  • Page 301: Downloading The Url Exempt List

    Web filtering Figure 75: Example URL Exempt list Downloading the URL Exempt List You can back up the URL Exempt List by downloading it to a text file on the management computer. Go to Web Filter > URL Exempt. Select Download URL Exempt List The FortiGate unit downloads the list to a text file on the management computer.
  • Page 302: Select OK to upload the file to the FortiGate unit. Select Return to display the updated URL Exempt List. You can continue to maintain the URL Exempt List by making changes to the text file and uploading it again as necessary.
  • Page 303: Email Filter

    Email filter: Email filtering is enabled in firewall policies. When you enable Anti-Virus & Web filter in a firewall policy, you select a content profile that controls how email filtering behaves for email (IMAP and POP3) traffic. Content profiles control the following types of protection to identify unwanted email: •...
  • Page 304: Email Banned Word List

    When you add a phrase, the FortiGate unit inserts plus signs (+) in place of spaces (for example, banned+phrase). If you type a phrase in quotes (for example, “banned word”), the FortiGate unit tags all email in which the words are found together as a phrase.
  • Page 305: Downloading The Email Banned Word List

    Email filter Downloading the email banned word list You can back up the banned word list by downloading it to a text file on the management computer: To download the banned word list Go to Email Filter > Content Block. Select Download.
  • Page 306: Email Block List

    To tag email from a specific subdomain, type the subdomain name. For example, mail.abccompany.com. To tag email from an entire organization category, type the top-level domain name. For example, type com to tag email sent from all organizations that use .com as the top-level domain.
  • Page 307: Uploading An Email Block List

    Uploading an email block list: You can create an email block list in a text editor and then upload the text file to the FortiGate unit. Add one pattern to each line of the text file. You can follow the pattern with a space and then a 1 to enable or a zero (0) to disable the pattern.
  • Page 308: Adding Address Patterns To The Email Exempt List

    To exempt email sent from a specific subdomain, type the subdomain name. For example, mail.abccompany.com. To exempt email sent from an entire organization category, type the top-level domain name. For example, type net to exempt email sent from all organizations that use .net as the top-level domain.
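    Pattern matching for the email block list and email exempt list, using the pattern forms the pages above give (a full address, a subdomain such as mail.abccompany.com, or a top-level domain such as com or net) and the optional trailing 1/0 flag from the upload format on page 307. Added example, not FortiGate code; that an exempt match overrides a block match, and the dot-boundary matching of domain patterns, are assumptions.

```python
"""Email block / exempt list matching. Added example, not FortiGate code.
A pattern is an address (contains '@'), or a domain, subdomain or top-level
domain; a domain pattern matches when the sender's domain equals it or ends
with '.' + pattern (dot boundary is an assumption). Exempt beats block (also
an assumption)."""


def parse_pattern_list(text):
    """One pattern per line, optionally followed by 1 (enabled) or 0 (disabled)."""
    patterns = []
    for raw in text.splitlines():
        parts = raw.strip().lower().split()
        if not parts:
            continue
        pattern = parts[0]
        flag = parts[1] if len(parts) > 1 else "1"   # missing flag: treat as enabled (assumption)
        if flag not in ("0", "1"):
            raise ValueError(f"bad enable flag in line {raw!r}")
        patterns.append((pattern, flag == "1"))
    return patterns


def pattern_matches(pattern, address):
    address = address.lower()
    if "@" in pattern:
        return address == pattern            # specific address: exact match
    local, _, domain = address.rpartition("@")
    if not local or not domain:
        return False                         # not a usable address
    # domain, subdomain or TLD pattern: match on a label boundary only, so
    # 'abccompany.com' does not match 'notabccompany.com'
    return domain == pattern or domain.endswith("." + pattern)


def classify(sender, block_list, exempt_list):
    """Return 'exempt', 'tagged' or 'clean' for one sender address."""
    if any(on and pattern_matches(p, sender) for p, on in exempt_list):
        return "exempt"                      # ASSUMPTION: exempt overrides block
    if any(on and pattern_matches(p, sender) for p, on in block_list):
        return "tagged"
    return "clean"


# Constructed sample lists in the upload format.
BLOCK_LIST = """spammer@example.com 1
mail.abccompany.com 1
com 0
biz 1
"""
EXEMPT_LIST = """partner@mail.abccompany.com 1
"""

if __name__ == "__main__":
    block, exempt = parse_pattern_list(BLOCK_LIST), parse_pattern_list(EXEMPT_LIST)
    for sender in ("spammer@example.com", "anyone@mail.abccompany.com",
                   "partner@mail.abccompany.com", "someone@example.com",
                   "someone@shop.biz", "someone@notmail.abccompany.com"):
        print(f"{sender:32} {classify(sender, block, exempt)}")
```

    Two behaviours worth checking on any such list: a disabled TLD entry ("com 0") stays in the list but does nothing, and a subdomain pattern matches hosts below it but not the parent domain or a look-alike name that merely ends in the same characters.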
  • Page 309: Logging And Reporting

    Logging and reporting: You can configure the FortiGate unit to log network activity from routine configuration changes and traffic sessions to emergency events. You can also configure the FortiGate unit to send alert email messages to inform system administrators about events such as network attacks, virus incidents, and firewall and VPN events.
  • Page 310: Recording Logs On A Remote Computer

    For each Log type, select the activities for which you want the FortiGate unit to record log messages. See “Configuring traffic logging” on page 314, “Log message levels” on page 312, and “Filtering log messages” on page 313.
  • Page 311: Recording Logs On The Fortigate Hard Disk

    Select Config Policy. To configure the FortiGate unit to filter the types of logs and events to record, use the procedures in “Filtering log messages” on page 313. Select OK. Select Apply. Recording logs on the FortiGate hard disk: You can record log files on the FortiGate hard disk if a hard disk is installed on your FortiGate unit.
  • Page 312: Recording Logs In System Memory

    The log message levels table on this page describes what each level records; the visible entries are: NIDS attack log messages; DHCP error messages (not available); antivirus, web filter, email filter, and system event log messages; antivirus, web filter, and email filter log messages; antivirus, web filter, email filter log messages, and other event log messages.
  • Page 313: Filtering Log Messages

    Filtering log messages: You can configure the logs that you want to record and the message categories that you want to record in each log. To filter log entries: Go to Log&Report > Log Setting. Select Config Policy for the log location that you configured. Select the log types that you want the FortiGate unit to record.
  • Page 314: Configuring Traffic Logging

    This section describes: Enabling traffic logging; Configuring traffic filter settings; Adding traffic filter entries. Traffic logging can be enabled for an interface, a VLAN subinterface, or a firewall policy. Traffic filter settings control whether the FortiGate unit resolves IP addresses to host names and whether it displays the port number or the service name.
  • Page 315: Enabling Traffic Logging

    Logging and reporting Enabling traffic logging You can enable logging on any interface, VLAN subinterface, and firewall policy. Enabling traffic logging for an interface If you enable traffic logging for an interface, all connections to and through the interface are recorded in the traffic log. To enable traffic logging for an interface Go to System >...
  • Page 316: Configuring Traffic Filter Settings

    ... (A-Z, a-z), and the special characters - and _. Spaces and other special characters are not allowed. Type the source IP address and netmask for which you want the FortiGate unit to log traffic messages. The address can be an individual computer, a subnetwork, or a network.
  • Page 317: Viewing Logs Saved To Memory

    Type the Destination IP Address, Destination Netmask and Service, then select OK. The traffic filter list displays the new traffic address entry with the settings that you selected (Figure 81: Example new traffic address entry). Viewing logs saved to memory: If the FortiGate unit is configured to save log messages in system memory, you can use the web-based manager to view, search, and clear the log messages.
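    A traffic filter entry as described on pages 316 and 317 (name, source and destination address plus netmask, service), applied to constructed sessions to show which would be logged. Added example, not FortiGate code; the service representation is an assumption, and the name rule is applied strictly as the page states it (letters, - and _ only), so digits are rejected here although the page's own rule for them is not visible.

```python
"""Traffic filter entries applied to constructed sessions. Added example,
not FortiGate code. The (proto, port) / "ANY" service representation and the
strict name validator are assumptions."""
import ipaddress
import re

# Per the page: letters, '-' and '_' only; spaces and other characters rejected.
# Digits are not mentioned on the page, so this validator rejects them (assumption).
NAME_RE = re.compile(r"^[A-Za-z_-]+$")


def make_filter(name, src_ip, src_mask, dst_ip, dst_mask, service):
    """Build one traffic filter entry. Netmasks are given in dotted form as on
    the form: 255.255.255.255 for a single host, 0.0.0.0 for any address."""
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"invalid traffic filter name {name!r}")
    return {
        "name": name,
        "src": ipaddress.ip_network(f"{src_ip}/{src_mask}", strict=False),
        "dst": ipaddress.ip_network(f"{dst_ip}/{dst_mask}", strict=False),
        "service": service,  # ("tcp", 80) style tuple or "ANY" (assumed representation)
    }


def session_matches(flt, session):
    """session: dict with src, dst, proto, dport (constructed)."""
    if ipaddress.ip_address(session["src"]) not in flt["src"]:
        return False
    if ipaddress.ip_address(session["dst"]) not in flt["dst"]:
        return False
    return flt["service"] == "ANY" or flt["service"] == (session["proto"], session["dport"])


def sessions_to_log(filters, sessions):
    """Return (src, dst, filter name) for every session/filter pair that matches."""
    return [(s["src"], s["dst"], f["name"])
            for s in sessions for f in filters if session_matches(f, s)]


def sample_filters():
    """Two constructed entries: HTTP to a server subnet from anywhere, and
    anything from the 10/8 network to a single DNS host."""
    return [
        make_filter("web-servers", "0.0.0.0", "0.0.0.0",
                    "192.168.1.0", "255.255.255.0", ("tcp", 80)),
        make_filter("dns_host", "10.0.0.0", "255.0.0.0",
                    "10.1.1.53", "255.255.255.255", "ANY"),
    ]


def sample_sessions():
    return [
        {"src": "10.2.3.4", "dst": "192.168.1.10", "proto": "tcp", "dport": 80},
        {"src": "10.2.3.4", "dst": "10.1.1.53", "proto": "udp", "dport": 53},
        {"src": "172.16.0.1", "dst": "10.1.1.53", "proto": "udp", "dport": 53},  # wrong source net
        {"src": "10.2.3.4", "dst": "192.168.2.10", "proto": "tcp", "dport": 80},  # wrong dest net
    ]


if __name__ == "__main__":
    for src, dst, name in sessions_to_log(sample_filters(), sample_sessions()):
        print(f"log {src} -> {dst} (filter {name})")
```

    Only the first two sessions are logged; the last two show the two usual mistakes when a filter silently matches nothing, a source outside the netmask and a destination on a neighbouring subnet.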
  • Page 318: Searching Logs

    ... to search log messages created during the selected year, month, day, and hour. This page covers: Viewing logs; Searching logs; Downloading a log file to the management computer; Deleting all messages from an active log; Deleting a saved log file.
  • Page 319: Viewing Logs

    Logging and reporting Viewing logs Log messages are listed with the most recent message at the top. To view the active or saved logs Go to Log&Report > Logging. Select Traffic Log, Event Log, Attack Log, Antivirus Log, Web Filter Log, or Email Filter Log.
  • Page 320: Downloading A Log File To The Management Computer

    Select Download file in CSV format to download the log messages to a text file in CSV format. In this format, a comma is added between each field in each message. If you open this file in a spreadsheet, each message field appears in a separate column.
  • Page 321: Configuring Alert Email

    Logging and reporting Configuring alert email You can configure the FortiGate unit to send alert email to up to three email addresses when there are virus incidents, block incidents, network intrusions, and other firewall or VPN events or violations. After you set up the email addresses, you can test the settings by sending test email.
  • Page 322: Enabling Alert Email

    ... AutoIKE Key VPN tunnels. Select Send alert email when disk is full to have the FortiGate unit send an alert email when the hard disk is almost full. Select Apply.
  • Page 323: Glossary

    Glossary. Connection: A link between machines, applications, processes, and so on that can be logical, physical, or both. DMZ, Demilitarized Zone: Used to host Internet services without allowing unauthorized access to an internal (private) network. Typically, the DMZ contains servers accessible to Internet traffic, such as Web (HTTP) servers, FTP servers, SMTP (email) servers and DNS servers.
  • Page 324: SNMP, Simple Network Management Protocol: A set of protocols for managing networks. SNMP works by sending messages to different parts of a network. SNMP-compliant devices, called agents, store data about themselves in Management Information Bases (MIBs) and return this data to the SNMP requesters.
  • Page 325 SSH, Secure shell: A secure Telnet replacement that you can use to log into another computer over a network and run commands. SSH provides strong secure authentication and secure communications over insecure channels. Subnet: A portion of a network that shares a common address component.
  • Page 326: Glossary (continued)
  • Page 327: Index

    Index: accept policy 191 action policy option 191 active log deleting all messages 320 searching 318, 319 viewing and maintaining saved logs 318 ActiveX 299 removing from web pages 299 address 197 adding 197 adding firewall addresses to a virtual domain 152 editing 198, 199 group 199...
  • Page 328: (Transparent mode) 62 default route 159 deleting log files 320 deny firewall policy 191 policy 191 destination policy option 191 destination route adding 154 adding a default route 154 detection NIDS 269 device auto 155
  • Page 329: CLI 95, 97 upgrading using the web-based manager 95, 96 first trap receiver IP address SNMP 175 fixed port 192 FortiCare service contracts 129 support contract number 133 Fortinet customer service 23 Fortinet support recovering a lost password 132...
  • Page 330: LCD 44, 61 IP pool adding 213 IP service custom 204 IP spoofing 214 IP/MAC binding 214 adding 216 allow traffic 216 block traffic 216 dynamic IP/MAC list 215 enabling 217 static IP/MAC list 215 IPSec 323
  • Page 331 IPSec VPN authentication for user group 229 AutoIKE 232 certificates 232 disabling 266, 268 manual keys 232 pre-shared keys 232 remote gateway 229 status 255 timeout 255, 256 IPSec VPN tunnel testing 256 Java applets 299 removing from web pages 299 keyword log search 318, 319 L2TP 229, 323...
  • Page 332 286 overwrite log option 311 password adding 224 changing administrator account 173 Fortinet support 134 recovering a lost Fortinet support 132 PAT 210 pattern web pattern blocking 296 permission administrator account 173 ping server adding to an interface 142...
  • Page 333: 312 recording logs on FortiGate hard disk 311 recording logs on NetIQ WebTrends server 310 recovering a lost Fortinet support password 132 recurring schedule 207 creating 207 registered FortiGate units...
  • Page 334: 133 changing 133 support password changing 134 syn interval 169 synchronize with NTP server 169 system configuration 169 system date and time setting 169 system location SNMP 175 system name SNMP 175 system options changing 170
  • Page 335 system settings backing up 108 restoring 108 restoring to factory default 109 system status 93, 111, 161 system status monitor 114 configuring checksum verification 270 custom service 203 technical support 23 testing alert email 321 time log search 318, 319 setting 169 time zone 169 timeout...
  • Page 336: PPTP 261 connecting to L2TP VPN 268 connecting to PPTP VPN 262 wizard setting up firewall 43, 60 starting 43, 60 worm list displaying 287 worm protection 287 zone adding 138 adding to a virtual domain 150 configuring 137
