manualshive.com logo in svg

Fortinet FortiGate 400, Installation & Configuration Manual, Page: 210 / 308

Share
Download
Fortinet FortiGate 400 Installation & Configuration Manual Download Page 210

210

Fortinet Inc.

Key management

IPSec VPN

Key management

There are three basic elements in any encryption system:
• an algorithm which changes information into code,
• a cryptographic key which serves as a secret starting point for the algorithm,
• a management system to control the key. 

IPSec provides two ways to handle key exchange and management: manual keying 
and IKE for automated key management. 

Manual Keys

Automatic Internet Key Exchange (AutoIKE) with pre-shared keys or certificates

Manual Keys

When manual keys are employed, matching security parameters must be entered at 
both ends of the tunnel. These settings, which include both the encryption and 
authentication keys, must be kept secret so that unauthorized parties cannot decrypt 
the data, even if they know which encryption algorithm is being used. 

Automatic Internet Key Exchange (AutoIKE) with pre-shared keys or certificates

To facilitate deployment of multiple tunnels, an automated system of key management 
is required. IPSec supports the automated generation and negotiation of keys using 
the Internet Key Exchange protocol. This method of key management is typically 
referred to as AutoIKE. Fortinet supports AutoIKE with pre-shared keys and AutoIKE 
with certificates.

AutoIKE with pre-shared keys

When both peers in a session have been configured with the same pre-shared key, 
they can use it to authenticate themselves to each other. The peers do not actually 
send the key to each other. Instead, as part of the security negotiation process, they 
use it in combination with a Diffie-Hellman group to create a session key. The session 
key is used for encryption and authentication purposes, and is automatically 
regenerated during the communication session by IKE. 

Pre-shared keys are similar to the manual keys in that they require the network 
administrator to distribute and manage matching information at the VPN peer sites. 
Whenever a pre-shared key changes, the administrator must update both sites. 

AutoIKE with certificates

This method of key management involves the participation of a trusted third party, the 
certificate authority (CA). Each peer in a VPN is first required to generate a set of 
keys, known as a public/private key pair. The CA signs the public key for each peer, 
creating a signed digital certificate. The peer then contacts the CA to retrieve their own 
certificates, plus that of the CA itself. Once the certificates have been uploaded to the 
FortiGate units and appropriate IPSec tunnels and policies have been configured, the 
peers are ready to start communicating. As they do, IKE manages the exchange of 
certificates, transmitting signed digital certificates from one peer to another. The 
signed digital certificates are validated by the presence of the CA certificate at each 
end. With authentication complete, the IPSec tunnel is then established. 

In some respects, certificates are simpler to manage than manual keys or pre-shared 
keys. For this reason, certificates are best suited to large network deployments.

Summary of Contents for FortiGate 400

Page 1: ...FortiGate 400 Installation and Configuration Guide 4 HA 3 CONSOLE 1 2 Esc Enter FortiGate User Manual Volume 1 Version 2 50 MR2 18 August 2003 ...

Page 2: ...llation and Configuration Guide Version 2 50 MR2 18 August 2003 Trademarks Products mentioned in this document are trademarks or registered trademarks of their respective holders Regulatory Compliance FCC Class A Part 15 CSA CUS CAUTION RISK OF EXPLOSION IF BATTERY IS REPLACED BY AN INCORRECT TYPE DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS For technical support please visit http www f...

Page 3: ...3 Users and authentication 23 VPN 23 NIDS 24 Antivirus 24 Web Filter 24 Email filter 24 Logging and Reporting 24 About this document 25 Document conventions 26 Fortinet documentation 27 Comments on Fortinet technical documentation 27 Customer service and technical support 28 Getting started 29 Package contents 30 Mounting 30 Powering on 31 Connecting to the web based manager 32 Connecting to the c...

Page 4: ...leting the configuration 50 Configuring interface 3 50 Configuring interface 4 HA 51 Setting the date and time 51 Enabling antivirus protection 51 Registering your FortiGate unit 51 Configuring virus and attack definition updates 52 Configuration example Multiple connections to the Internet 52 Configuring Ping servers 53 Destination based routing examples 54 Policy routing examples 57 Firewall pol...

Page 5: ...ate units 77 Configuring the HA interfaces 77 Configuring the HA cluster 78 Connecting the HA cluster to your network 80 Starting the HA cluster 82 HA in Transparent mode 82 Installing and configuring the FortiGate units 82 Configuring the HA interface and HA IP address 82 Configuring the HA cluster 83 Connecting the HA cluster to your network 85 Starting the HA cluster 86 Managing the HA cluster ...

Page 6: ... to factory defaults 108 Changing to Transparent mode 109 Changing to NAT Route mode 109 Restarting the FortiGate unit 109 Shutting down the FortiGate unit 110 System status 110 Viewing CPU and memory status 110 Viewing sessions and network status 111 Viewing virus and intrusions status 112 Session list 113 Virus and attack definitions updates and registration 115 Updating antivirus and attack def...

Page 7: ...135 Viewing the interface list 135 Bringing up an interface 135 Changing an interface static IP address 136 Adding a secondary IP address to an interface 136 Adding a ping server to an interface 136 Controlling management access to an interface 137 Configuring traffic logging for connections to an interface 137 Changing the MTU size to improve network performance 137 Configuring port4 ha 138 Confi...

Page 8: ...FortiGate SNMP support 162 FortiGate MIBs 163 FortiGate traps 164 Customizing replacement messages 164 Customizing replacement messages 165 Customizing alert emails 166 Firewall configuration 169 Default firewall configuration 170 Interfaces 170 VLAN subinterfaces 170 Zones 171 Addresses 171 Services 172 Schedules 172 Content profiles 172 Adding firewall policies 172 Firewall policy options 173 Co...

Page 9: ...ckets going through the firewall 194 Configuring IP MAC binding for packets going to the firewall 195 Adding IP MAC addresses 195 Viewing the dynamic IP MAC list 196 Enabling IP MAC binding 196 Content profiles 197 Default content profiles 197 Adding a content profile 197 Adding a content profile to a policy 199 Users and authentication 201 Setting authentication timeout 202 Adding user names and ...

Page 10: ...ess 225 Adding a destination address 225 Adding an encrypt policy 225 IPSec VPN concentrators 227 VPN concentrator hub general configuration steps 227 Adding a VPN concentrator 229 VPN spoke general configuration steps 230 Redundant IPSec VPNs 231 Configuring redundant IPSec VPN 231 Monitoring and Troubleshooting VPNs 233 Viewing VPN tunnel status 233 Viewing dialup VPN connection status 233 Testi...

Page 11: ... attack log 256 Reducing the number of NIDS attack log and email messages 257 Antivirus protection 259 General configuration steps 259 Antivirus scanning 260 File blocking 261 Blocking files in firewall traffic 262 Adding file patterns to block 262 Quarantine 263 Quarantining infected files 263 Quarantining blocked files 263 Viewing the quarantine list 264 Sorting the quarantine list 264 Filtering...

Page 12: ...ing and reporting 281 Recording logs 281 Recording logs on a remote computer 282 Recording logs on a NetIQ WebTrends server 282 Recording logs on the FortiGate hard disk 283 Recording logs in system memory 284 Filtering log messages 284 Configuring traffic logging 286 Enabling traffic logging 286 Configuring traffic filter settings 287 Adding traffic filter entries 288 Viewing logs saved to memory...

Page 13: ...Contents FortiGate 400 Installation and Configuration Guide 13 Glossary 295 Index 299 ...

Page 14: ...Contents 14 Fortinet Inc ...

Page 15: ...ntent Analysis System ABACAS technology which leverages breakthroughs in chip design networking security and content analysis The unique ASIC based architecture analyzes content and behavior in real time enabling key applications to be deployed right at the network edge where they are most effective at protecting your networks The FortiGate series complements existing solutions such as host based ...

Page 16: ...ng FortiGate web content filtering can be configured to scan all HTTP content protocol streams for URLs or for web page content If a match is found between a URL on the URL block list or if a web page is found to contain a word or phrase in the content block list the FortiGate blocks the web page The blocked web page is replaced with a message that you can edit using the FortiGate web based manage...

Page 17: ...m the protected networks and to allow controlled access to internal networks FortiGate policies include a complete range of options that control all incoming and outgoing network traffic control encrypted VPN traffic apply antivirus protection and web content filtering block or allow access for all policy options control when individual policies are in effect accept or deny traffic to and from ind...

Page 18: ...n also apply authentication content filtering and antivirus protection to VLAN tagged network and VPN traffic Network intrusion detection The FortiGate Network Intrusion Detection System NIDS is a real time network intrusion detection sensor that detects and prevents a wide variety of suspicious network activity NIDS detection uses attack signatures to identify over 1000 attacks You can enable and...

Page 19: ...s L2TP for easy connectivity with a more secure VPN standard also supported by many popular operating systems Firewall policy based control of IPSec VPN traffic IPSec NAT traversal so that remote IPSec VPN gateways or clients behind a NAT can connect to an IPSec VPN tunnel VPN hub and spoke using a VPN concentrator to allow VPN traffic to pass from one tunnel to another tunnel through the FortiGat...

Page 20: ...front panel control buttons and LCD Web based manager Using HTTP or a secure HTTPS connection from any computer running Internet Explorer you can configure and manage the FortiGate unit The web based manager supports multiple languages You can configure the FortiGate unit for HTTP and HTTPs administration from any FortiGate interface You can use the web based manager for most FortiGate configurati...

Page 21: ...he FortiGate CLI Reference Guide Logging and reporting The FortiGate supports logging of various categories of traffic and of configuration changes You can configure logging to report traffic that connects to the firewall report network services used report traffic permitted by firewall policies report traffic that was denied by firewall policies report events such as configuration changes and oth...

Page 22: ...our FortiGate unit and get access to other technical support resources See Registering FortiGate units on page 125 Network configuration Changes have been made to how zones are added and used See Configuring zones on page 133 Changes have been made to how VLANs are added and used See Configuring VLANs on page 139 New interface configuration options See Configuring interfaces on page 135 Ping serve...

Page 23: ...he firewall default configuration has changed See Default firewall configuration on page 170 Add virtual IPs to all interfaces See Virtual IPs on page 188 Add content profiles to firewall policies to configure blocking scanning quarantine web content blocking and email filtering See Content profiles on page 197 Users and authentication LDAP authentication See Configuring LDAP support on page 205 V...

Page 24: ... that are blocked Blocking oversized files Web Filter See the FortiGate Content Protection Guide for a complete description of FortiGate web filtering functionality New features include Cerberian URL Filtering Email filter See the FortiGate Content Protection Guide for a complete description of FortiGate email filtering functionality Logging and Reporting See the FortiGate Logging and Message Refe...

Page 25: ...ting RIP configuration describes the FortiGate RIP2 implementation and how to configure RIP settings System configuration describes system administration tasks available from the System Config web based manager pages This chapter describes setting system time adding and changed administrative users configuring SNMP and editing replacement messages Firewall configuration describes how to configure ...

Page 26: ...g variable keyword xxx_integer indicates an integer variable keyword xxx_ip indicates an IP address variable keyword vertical bar and curly brackets to separate alternative mutually exclusive required keywords For example set system opmode nat transparent You can enter set system opmode nat or set system opmode transparent square brackets to indicate that a keyword is optional For example get fire...

Page 27: ...ient detailed configuration information for FortiGate PPTP and L2TP VPN and VPN configuration examples Volume 3 FortiGate Content Protection Guide Describes how to configure antivirus protection web content filtering and email filtering to protect content as it passes through the FortiGate unit Volume 4 FortiGate NIDS Guide Describes how to configure the FortiGate NIDS to detect and protect the Fo...

Page 28: ...m the following addresses For information on Fortinet telephone support see http support fortinet com When requesting technical support please provide the following information Your name Company name Location Email address Telephone number FortiGate unit serial number FortiGate model FortiGate FortiOS firmware version Detailed description of the problem amer_support fortinet com For customers in t...

Page 29: ...Gate unit in NAT Route mode go to NAT Route mode installation on page 45 If you are going to operate the FortiGate unit in Transparent mode go to Transparent mode installation on page 61 If you are going to operate two or more FortiGate units in HA mode go to High availability on page 75 This chapter describes Package contents Mounting Powering on Connecting to the web based manager Connecting to ...

Page 30: ...alled as a free standing appliance on any stable surface For free standing installation make sure that the appliance has at least 1 5 in 3 75 cm of clearance on each side to allow for adequate air flow and cooling Dimensions 16 75 x 12 x 1 75 in 42 7 x 30 5 x 4 5 cm Weight 11 lb 5 kg Removable Hard Drive Power Connection Power Switch Front Back 4 HA 3 CONSOLE 1 2 Esc Enter LCD Control Buttons Inte...

Page 31: ...he back is turned off 2 Connect the power cable to the power connection on the back of the FortiGate unit 3 Connect the power cable to a power outlet 4 Turn on the power switch After a few seconds SYSTEM STARTING appears on the LCD MAIN MENU appears on the LCD when the system is up and running Table 1 FortiGate 400 LED indicators LED State Description Power Green The FortiGate unit is powered on O...

Page 32: ...ic IP address 192 168 1 2 and a netmask of 255 255 255 0 2 Using the crossover cable or the ethernet hub and cables connect interface 1 of the FortiGate unit to the computer ethernet connection 3 Start Internet Explorer and browse to the address https 192 168 1 99 remember to include the s in https The FortiGate login is displayed 4 Type admin in the Name field and select Login The Register Now wi...

Page 33: ...rectly to the communications port on the computer to which you have connected the null modem cable and select OK 5 Select the following port settings and select OK 6 Press Enter to connect to the FortiGate CLI The following prompt appears FortiGate 400 login 7 Type admin and press Enter twice The following prompt appears Type for a list of commands For information on how to use the CLI see the For...

Page 34: ...l filtering to the network traffic controlled by firewall policies Factory default NAT Route mode network configuration Factory default Transparent mode network configuration Factory default firewall configuration Factory default content profiles Factory default NAT Route mode network configuration When the FortiGate unit is first powered on it is running in NAT Route mode and has the basic networ...

Page 35: ... Ping Interface 3 Ping Interface 4 HA Ping Table 4 Factory default firewall configuration Port 1 Address Port1_All IP 0 0 0 0 Represents all of the IP addresses on the network connected to port 1 Mask 0 0 0 0 Port 2 Address Port2_All IP 0 0 0 0 Represents all of the IP addresses on the network connected to port 2 Mask 0 0 0 0 Recurring Schedule Always The schedule is valid at all times This means ...

Page 36: ...s NAT NAT is selected for the NAT Route mode default policy so that the policy applies network address translation to the traffic processed by the policy NAT is not available for Transparent mode policies Traffic Shaping Traffic shaping is not selected The policy does not apply traffic shaping to the traffic controlled by the policy You can select this option to control the maximum or minimum amou...

Page 37: ...ontent services On FortiGate models with a hard drive if antivirus scanning finds a virus in a file the file is quarantined on the FortiGate hard disk If required system administrators can recover quarantined files Table 5 Strict content profile Options HTTP FTP IMAP POP3 SMTP Antivirus Scan File Block Quarantine Web URL Block Web Content Block Web Script Filter Web Exempt List Email Block List Em...

Page 38: ...s between highly trusted or highly secure networks where content does not need to be protected Table 7 Web content profile Options HTTP FTP IMAP POP3 SMTP Antivirus Scan File Block Quarantine Web URL Block Web Content Block Web Script Filter Web Exempt List Email Block List Email Exempt List Email Content Block Oversized File Email Block pass pass pass pass pass Pass Fragmented Emails Table 8 Unfi...

Page 39: ...3 can be connected to another network such as a DMZ network Interface 4 HA can be connected to another network Interface 4 HA can also be connected to other FortiGate 400s if you are installing an HA cluster You can add security policies to control whether communications through the FortiGate unit operate in NAT mode or in route mode Security policies control the flow of traffic based on each pack...

Page 40: ...e 4 HA is the redundant interface to the external network You must configure routing to support redundant internet connections Routing can be used to automatically re direct connections from an interface if its connection to the external network fails Otherwise security policy configuration is similar to a NAT Route mode configuration with a single Internet connection You would create NAT mode pol...

Page 41: ...to another network Interface 4 HA connect to another network Interface 4 HA can also connect to other FortiGate 400s if you are installing an HA cluster Configuration options Once you have selected Transparent or NAT Route mode operation you can complete your configuration plan and begin configuring the FortiGate unit You can use the web based manager setup wizard the control buttons and LCD or th...

Page 42: ...le 9 FortiGate maximum values matrix FortiGate model 50 60 100 200 300 400 500 1000 2000 3000 3600 Policy 200 500 1000 2000 5000 5000 20000 50000 50000 50000 50000 Address 500 500 500 500 3000 3000 6000 10000 10000 10000 10000 Address group 500 500 500 500 500 500 500 500 500 500 500 Service 500 500 500 500 500 500 500 500 500 500 500 Service group 500 500 500 500 500 500 500 500 500 500 500 Recur...

Page 43: ...h availability on page 75 IP pool 50 50 50 50 50 50 50 50 50 50 50 RADIUS server 6 6 6 6 6 6 6 6 6 6 6 File pattern 56 56 56 56 56 56 56 56 56 56 56 PPTP user 500 500 500 500 500 500 500 500 500 500 500 L2TP user 500 500 500 500 500 500 500 500 500 500 500 URL block no limit no limit no limit no limit no limit no limit no limit no limit no limit no limit no limit Content block no limit no limit no...

Page 44: ...44 Fortinet Inc Next steps Getting started ...

Page 45: ...erface Completing the configuration Connecting the FortiGate unit to your networks Configuring your network Completing the configuration Configuration example Multiple connections to the Internet Preparing to configure NAT Route mode Use Table 10 to gather the information that you need to customize NAT Route mode settings Table 10 NAT Route mode settings Administrator Password Interface 1 IP _____...

Page 46: ...he new IP address of interface 1 Otherwise you can reconnect to the web based manager by browsing to https 192 168 1 99 You have now completed the initial configuration of your FortiGate unit and can proceed to Completing the configuration on page 50 Interface 4 HA IP _____ _____ _____ _____ Netmask _____ _____ _____ _____ Internal servers Web Server _____ _____ _____ _____ SMTP Server _____ _____...

Page 47: ...and PORT4 HA if required You have now completed the basic configuration of your FortiGate unit and you can proceed to Completing the configuration on page 50 Using the command line interface As an alternative to using the setup wizard you can configure the FortiGate unit using the command line interface CLI To connect to the CLI see Connecting to the command line interface CLI on page 33 Configuri...

Page 48: ...ress of interface 3 to 192 45 56 73 and netmask to 255 255 255 0 enter set system interface port3 mode static ip 192 45 56 73 255 255 255 0 5 Confirm that the addresses are correct Enter get system interface The CLI lists the IP address netmask and other settings for each of the FortiGate interfaces 6 Set the primary DNS server IP addresses Enter set system dns primary IP address Example set syste...

Page 49: ... to another FortiGate 400 for high availability see High availability on page 75 or to connect to a fourth network To connect the FortiGate unit running in NAT Route mode 1 Connect interface 1 to the hub or switch connected to your internal network 2 Connect interface 2 to the public switch or router provided by your Internet Service Provider 3 Optionally connect interface 3 to your DMZ network Yo...

Page 50: ...c to the IP address of the FortiGate interface to which they are connected Completing the configuration Use the information in this section to complete the initial configuration of the FortiGate unit Configuring interface 3 Use the following procedure to configure interface 3 to connect to a network 1 Log into the web based manager 2 Go to System Network Interface 3 Choose port3 and select Modify ...

Page 51: ...date and time on page 157 Enabling antivirus protection To enable antivirus protection to protect users on your internal network from downloading a virus from the Internet 1 Go to Firewall Policy port1 port2 2 Select Edit to edit this policy 3 Select Anti Virus Web filter to enable antivirus protection for this policy 4 Select the Scan Content Profile 5 Select OK to save your changes Registering y...

Page 52: ... 8 In this topology the organization operating the FortiGate unit uses two Internet service providers to connect to the Internet The FortiGate unit is connected to the Internet using port 2 and port 3 Port 1 connects to gateway 1 operated by ISP1 and port 2 connects to gateway 2 operated by ISP2 By adding ping servers to interfaces and by configuring routing you can control how traffic uses each I...

Page 53: ... Internet connection configuration Configuring Ping servers Use the following procedure to make Gateway 1 the ping server for port2 and Gateway 2 the ping server for port3 1 Go to System Network Interface 2 For port2 select Modify Ping Server 1 1 1 1 Select Enable Ping Server Select OK 3 For port3 select Modify Ping Server 2 2 2 1 Select Enable Ping Server Select OK ...

Page 54: ...nd backup links to the Internet Use the following procedure to add a default destination based route that directs all outgoing traffic to Gateway 1 If Gateway 1 fails all connections are re directed to Gateway 2 Gateway 1 is the primary link to the Internet and Gateway 2 is the backup link 1 Go to System Network Routing Table 2 Select New Destination IP 0 0 0 0 Mask 0 0 0 0 Gateway 1 1 1 1 1 Gatew...

Page 55: ...ge 53 users on the internal network would connect to the Internet to access web pages and other Internet resources However they may also connect to services such as email provided by their ISPs You can combine the routes described in the previous examples to provide users with a primary and backup connection to the Internet while at the same time routing traffic to each ISP network as required The...

Page 56: ... of the list If there are only 3 routes type 3 Select OK Adding the routes using the CLI 1 Add the route for connections to the network of ISP2 set system route number 1 dst 100 100 100 0 255 255 255 0 gw1 1 1 1 1 dev1 port2 gw2 2 2 2 1 dev2 port3 1 Add the route for connections to the network of ISP1 set system route number 2 dst 200 200 200 0 255 255 255 0 gw1 2 2 2 1 dev1 port3 gw2 1 1 1 1 dev2...

Page 57: ... traffic from internal subnets to different external networks If the FortiGate provides internet access for multiple internal subnets you can use policy routing to control the route that traffic from each network takes to the Internet For example if the internal network includes the subnets 192 168 10 0 and 192 168 20 0 you can enter the following policy routes 1 Enter the following command to rou...

Page 58: ...iGate unit connected to the Internet using its port2 and port3 interfaces The default policy allows all traffic from the port1 network to connect to the Internet through the port2 interface If you add a similar policy to the port1 to port3 policy list this policy will allow all traffic from the port1 network to connect to the Internet through the port3 interface With both of these policies added t...

Page 59: ...ork and both interfaces connected to the Internet As well as you add redundant policies you must arrange them in both policy lists in the same order Restricting access to a single Internet connection In some cases you might want to limit some traffic to only being able to use one Internet connection For example in the topology shown in Figure 8 on page 53 the organization might want its mail serve...

Page 60: ...60 Fortinet Inc Configuration example Multiple connections to the Internet NAT Route mode installation ...

Page 61: ...the command line interface Completing the configuration Connecting the FortiGate unit to your networks Transparent mode configuration examples Preparing to configure Transparent mode Use Table 14 to gather the information that you need to customize Transparent mode settings Table 14 Transparent mode settings Administrator Password Management IP IP _____ _____ _____ _____ Netmask _____ _____ _____ ...

Page 62: ... Transparent mode management IP address The default FortiGate Transparent mode Management IP address is 10 10 10 1 Starting the setup wizard To start the setup wizard 1 Select Easy Setup Wizard the middle button in the upper right corner of the web based manager 2 Use the information that you gathered in Table 14 on page 61 to fill in the wizard fields Select the Next button to step through the wi...

Page 63: ...o return to the Main Menu 8 Repeat these steps to configure the default gateway if required Using the command line interface As an alternative to the setup wizard you can configure the FortiGate unit using the command line interface CLI To connect to the CLI see Connecting to the command line interface CLI on page 33 Use the information that you gathered in Table 14 on page 61 to complete the foll...

Page 64: ...m route number 0 gw1 204 23 1 2 You have now completed the initial configuration of the FortiGate unit Completing the configuration Use the information in this section to complete the initial configuration of the FortiGate unit Setting the date and time For effective scheduling and logging the FortiGate system date and time should be accurate You can either manually set the system date and time or...

Page 65: ...s and attack definitions are available If it finds new versions the FortiGate unit automatically downloads and installs the updated definitions The FortiGate unit uses HTTPS on port 8890 to check for updates FortiGate interface 2 must have a path to the FortiResponse Distribution Network FDN using port 8890 To configure automatic virus and attack updates see Updating antivirus and attack definitio...

Page 66: ...ese are used for management access and to allow the unit to receive antivirus and definitions updates Also the unit must have sufficient route information to reach the management computer The FortiResponse Distribution Network FDN a DNS server A route is required whenever the FortiGate unit connects to a router to reach a destination If all of the destinations are located on the external network y...

Page 67: ...ds traffic to the next hop router Default route example Static Route example Example default route to an external network Figure 10 shows a FortiGate unit where all destinations including the management computer are located on the external network To reach these destinations the FortiGate unit must connect to the upstream router leading to the external network To facilitate this connection you mus...

Page 68: ...de installation Figure 10 Default route to an external network General configuration steps 1 Set the FortiGate unit to operate in Transparent mode 2 Configure the Management IP address and Netmask of the FortiGate unit 3 Configure the default route to the external network ...

Page 69: ...ystem to operate in Transparent Mode set system opmode transparent 2 Add the Management IP address and Netmask set system management ip 192 168 1 1 255 255 255 0 3 Add the default route to the external network set system route number 1 gw1 192 168 1 2 Example static route to an external destination Figure 11 shows a FortiGate unit that requires routes to the FDN located on the external network The...

Page 70: ...ion steps 1 Set the FortiGate unit to operate in Transparent mode 2 Configure the Management IP address and Netmask of the FortiGate unit 3 Configure the static route to the FortiResponse server 4 Configure the default route to the external network Note This is an example configuration only To configure a static route you require a destination IP address ...

Page 71: ...ting Select New to add the static route to the FortiResponse server Destination IP 24 102 233 5 Mask 255 255 255 0 Gateway 192 168 1 2 Select OK Select New to add the default route to the external network Destination IP 0 0 0 0 Mask 0 0 0 0 Gateway 192 168 1 2 Select OK CLI configuration steps To configure the Fortinet basic settings and a static route using the CLI 1 Set the system to operate in ...

Page 72: ...teway To reach the management computer you need to enter a single static route that leads directly to it This route will point to the internal router as the next hop No route is required for the DNS servers because they are on the same layer 3 subnet as the FortiGate unit Figure 12 Static route to an internal destination General configuration steps 1 Set the unit to operate in Transparent mode 2 C...

Page 73: ...rk Routing Select New to add the static route to the management computer Destination IP 172 16 1 11 Mask 255 255 255 0 Gateway 192 168 1 3 Select OK Select New to add the default route to the external network Destination IP 0 0 0 0 Mask 0 0 0 0 Gateway 192 168 1 2 Select OK CLI configuration steps To configure the FortiGate basic settings a static route and a default route using the CLI 1 Set the ...

Page 74: ...74 Fortinet Inc Transparent mode configuration examples Transparent mode installation ...

Page 75: ...us information to make sure the cluster is functioning properly For this reason the connection between the HA ports of all of the FortiGate units in the cluster must be well maintained An interruption of this communication can cause unpredictable results You can manage the cluster by connecting to any cluster interface configured for management access FortiGate units can be configured to operate i...

Page 76: ...an HA cluster An active active HA cluster consists of a primary FortiGate unit and one or more subordinate FortiGate units all processing traffic The primary FortiGate unit uses a load balancing algorithm to distribute sessions to all of the FortiGate units in the HA cluster In active active HA mode the primary unit uses one of the following scheduling algorithms to distribute network sessions amo...

Page 77: ... quickly converge to the new data path The new primary unit also alerts administrators of the changes to the HA cluster by writing a message to the event log sending an SNMP trap if SNMP is enabled and sending an alert email If a subordinate FortiGate unit fails the primary unit writes a message to the event log and sends an SNMP trap and an alert email The primary unit also adjusts the priority o...

Page 78: ...ter to your network 1 Connect to the FortiGate unit and log into the web based manager 2 Go to System Config HA 3 Select HA You can only select HA if the 4 HA interface is configured for HA operation See Configuring the HA interfaces on page 77 HTTPS To allow secure HTTPS connections to the web based manager through this interface PING If you want this interface to respond to pings Use this settin...

Page 79: ...ased on the Source IP and Destination IP of the packet Least Connection Least connection load balancing If the FortiGate units are connected using switches select Least connection to distribute traffic to the cluster unit with the fewest concurrent connections Round Robin Round robin load balancing If the FortiGate units are connected using switches select round robin to distribute traffic to the ...

Page 80: ...iates Figure 13 Example Active Active HA configuration 10 Repeat this procedure to add each FortiGate unit in the HA cluster When you have configured all of the FortiGate units proceed to Connecting the HA cluster to your network Connecting the HA cluster to your network To connect the HA cluster to your network you must connect all matching interfaces in the cluster to the same hub or switch Then...

Page 81: ...to your network 1 Connect port 1 of each FortiGate unit to a switch or hub connected to your internal network 2 Connect port 2 of each FortiGate unit to a switch or hub connected to your external network 3 Optionally connect port 3 of each FortiGate unit to a switch or hub connected to another network 4 Connect the 4 HA interfaces of the FortiGate units to another switch or hub Figure 14 HA networ...

Page 82: ...llow the instructions in Transparent mode installation on page 61 to install and configure the FortiGate units All of the FortiGate units in the HA cluster should have the same configuration Do not connect the FortiGate units to the network Instead proceed to Configuring the HA interface and HA IP address Configuring the HA interface and HA IP address Configure the 4 HA interfaces of all of the Fo...

Page 83: ...ing connections and monitoring the status of the other FortiGate units The HA mode must be the same for all FortiGate units in the HA cluster 5 Enter and confirm a password for the HA cluster The password must be the same for all FortiGate units in the HA cluster 6 Select a Group ID for the HA cluster The Group ID must be the same for all FortiGate units in the HA cluster HTTPS To allow secure HTT...

Page 84: ...n IP of the packet Least Connection Least connection load balancing If the FortiGate units are connected using switches select Least connection to distribute traffic to the cluster unit with the fewest concurrent connections Round Robin Round robin load balancing If the FortiGate units are connected using switches select round robin to distribute traffic to the next available cluster unit Weighted...

Page 85: ...communicating HA status information to make sure the cluster is functioning properly For this reason the connection between the HA ports of all of the FortiGate units in the cluster must be well maintained An interruption of this communication can cause unpredictable results Switches are recommended for better performance The network equipment to use and the procedure to follow are the same whethe...

Page 86: ... any interface IP address configured for management access connects to that cluster interface which automatically connects you to the primary FortiGate unit You can also connect to and manage individual units in the cluster by connecting to their HA interfaces all of which are configured with a different IP address You can also manage individual cluster units by connect to the primary unit CLI Fro...

Page 87: ...nt CPU and memory usage as well as line graphs of CPU and memory usage for the last minute For more information see Viewing CPU and memory status on page 110 Figure 17 Example cluster Sessions Network display 3 Select Sessions Network Sessions and network status is displayed for each cluster member The primary unit is identified as Local and the other units in the cluster are listed by serial numb...

Page 88: ...anager 2 Go to System Status Session The session table displays the sessions processed by the primary unit in the cluster The sessions include HA communications between the primary unit and the subordinate units Viewing and managing cluster log messages To view log messages for each cluster member 1 Connect to the cluster and log into the web based manager 2 Go to Log Report Logging The primary un...

Page 89: ...isplayed for each cluster unit includes the unit serial number and host name of the unit 3 Complete the command with the number of the subordinate unit to log into For example to log into subordinate unit 1 enter the following command execute ha manage 1 You are connected to and logged into the CLI of the selected subordinate unit If this subordinate unit has a different host name the CLI prompt c...

Page 90: ...FortiGate unit starts up correctly it rejoins the HA cluster which then continues to function normally If the FortiGate unit does not restart normally or does not rejoin the HA cluster you must take it out of the network and either reconfigure or replace it Once the FortiGate unit is reconfigured or replaced change its HA configuration to match that of the FortiGate unit that failed and connect it...

Page 91: ...lect the primary unit To configure a FortiGate unit to be the permanent primary unit in an HA cluster 1 Connect to the CLI of the permanent primary FortiGate unit 2 Set the priority of the permanent primary unit Enter set system ha priority priority_int Where priority_int is the priority to set for the permanent primary unit The unit with the lowest priority becomes the primary unit The default pr...

Page 92: ...r unit One use for this technique would be to reduce the number of connections processed by the primary cluster unit by increasing the weight assigned to the subordinate cluster units Weight values are entered in order according to the priority of the units in the cluster For example if you have a cluster of 3 FortiGate units you can enter the following command to configure the weight values for e...

Page 93: ...tes Manual attack definition updates Backing up system settings Restoring system settings Restoring system settings to factory defaults Changing to Transparent mode Changing to NAT Route mode Restarting the FortiGate unit Shutting down the FortiGate unit If you log into the web based manager with any other administrator account you can go to System Status to view the system settings including Disp...

Page 94: ...I procedure to revert to a previous firmware version This procedure reverts your FortiGate unit to its factory default configuration Install a firmware image from a system reboot using the CLI Use this procedure to install a new firmware version or revert to a previous firmware version You must run this procedure by connecting to the CLI using the FortiGate console port and a null modem cable This...

Page 95: ...u must have a TFTP server that you can connect to from the FortiGate unit 1 Make sure that the TFTP server is running 2 Copy the new firmware image file to the root directory of the TFTP server 3 Log into the CLI as the admin administrative user 4 Make sure the FortiGate unit can connect to the TFTP server You can use the following command to ping the computer running the TFTP server For example i...

Page 96: ...atenow 9 To confirm that the antivirus and attack definitions have been updated enter the following command to display the antivirus engine virus and attack definitions version contract expiry and last update attempt information get system objver Revert to a previous firmware version Use the following procedures to revert your FortiGate unit to a previous firmware version Reverting to a previous f...

Page 97: ...he procedure Manually updating antivirus and attack definitions on page 119 to update antivirus and attack definitions Reverting to a previous firmware version using the CLI This procedure reverts your FortiGate unit to its factory default configuration and deletes NIDS user defined signatures web content lists email filtering lists and changes to replacement messages Before running this procedure...

Page 98: ...en uploaded a message similar to the following is displayed Get image from tftp server OK This operation will downgarde the current firmware version Do you want to continue y n 6 Type Y 7 The FortiGate unit reverts to the old firmware version resets the configuration to factory defaults and restarts This process takes a few minutes 8 Reconnect to the CLI For information about logging into the web ...

Page 99: ...ersion for example reverting from FortiOS v2 50 to FortiOS v2 36 you may not be able to restore your previous configuration from the backup configuration file To install firmware from a system reboot 1 Connect to the CLI using the null modem cable and FortiGate console port 2 Make sure that the TFTP server is running 3 Copy the new firmware image file to the root directory of your TFTP server 4 Ma...

Page 100: ...g v3 x BIOS G Get firmware image from TFTP server F Format boot device B Boot with backup firmware and set as default Q Quit menu and continue to boot with default firmware H Display this list of options Enter G F B Q or H 8 Type G to get the new firmware image from the TFTP server 9 Type the address of the TFTP server and press Enter The following message appears Enter Local Address 192 168 1 188...

Page 101: ...e FortiGate NIDS Guide To restore web content and email filtering lists see the FortiGate Content Protection Guide If you are reverting to a previous firmware version for example reverting from FortiOS v2 50 to FortiOS v2 36 you may not be able to restore your previous configuration from the backup up configuration file 12 Update the virus and attack definitions to the most recent version see Manu...

Page 102: ...ssages appears FortiGate unit running v2 x BIOS Press Any Key To Download Boot Image FortiGate unit running v3 x BIOS Press any key to enter configuration menu 7 Immediately press any key to interrupt the system startup I If you successfully interrupt the startup process one of the following messages appears FortiGate unit running v2 x BIOS Enter TFTP Server Address 192 168 1 168 Go to step 9 Fort...

Page 103: ...a backup firmware image If your FortiGate unit is running BIOS version v3 x you can install a backup firmware image Once the backup firmware image is installed you can switch to this backup image when required This section describes Installing a backup firmware image Switching to the backup firmware image Switching back to the default firmware image Installing a backup firmware image To run this p...

Page 104: ...ntinue to boot with default firmware H Display this list of options Enter G F B Q or H 7 Type G to get the new firmware image from the TFTP server 8 Type the address of the TFTP server and press Enter The following message appears Enter Local Address 192 168 1 188 9 Type the address of the interface of the FortiGate unit that can connect to the TFTP server and press Enter The following message app...

Page 105: ... cable and FortiGate console port 2 Enter the following command to restart the FortiGate unit execute reboot As the FortiGate units starts a series of system startup messages are displayed When one of the following messages appears Press any key to enter configuration menu 3 Immediately press any key to interrupt the system startup I If you successfully interrupt the startup process one of the fol...

Page 106: ...mage The FortiGate unit loads the backup firmware image and restarts When the FortiGate unit restarts it is running the backup firmware version with a restored configuration Manual virus definition updates The System Status page of the FortiGate web based manager displays the current installed versions of the FortiGate Antivirus Definitions You can use the following procedure to update the antivir...

Page 107: ...ions update file 5 Select OK to copy the attack definitions update file to the FortiGate unit The FortiGate unit updates the attack definitions This takes about 1 minute 6 Go to System Status to confirm that the Attack Definitions Version information has been updated Displaying the FortiGate serial number 1 Go to System Status The serial number is displayed in the System Status page of the web bas...

Page 108: ...Gate unit restarts loading the new system settings 5 Reconnect to the web based manager and review your configuration to confirm that the uploaded system settings have taken effect Restoring system settings to factory defaults Use the following procedure to restore system settings to the values set at the factory This procedure does not change the firmware version or the antivirus or attack defini...

Page 109: ... you can connect to port1 The default Transparent mode management IP address is 10 10 10 1 Changing to NAT Route mode Use the following procedure to switch the FortiGate unit from Transparent mode to NAT Route mode When the FortiGate unit has changed to NAT Route mode its configuration resets to NAT Route mode factory defaults 1 Go to System Status 2 Select Change to NAT Mode 3 Select NAT Route in...

Page 110: ...t virus and intrusion status The web based manager displays the current number of viruses and attacks as well as a graph of virus and attack levels over the previous 20 hours In each case you can set an automatic refresh interval that updates the display every 5 to 30 seconds You can also refresh the display manually Viewing CPU and memory status Viewing sessions and network status Viewing virus a...

Page 111: ...ften the web based manager updates the display More frequent updates use system resources and increase network traffic However this only occurs when you are viewing the display using the web based manager 3 Select Refresh to manually update the information displayed Viewing sessions and network status Use the session and network status display to track how many network sessions the FortiGate unit ...

Page 112: ... Sessions and network status monitor 3 Set the automatic refresh interval and select Go to control how often the web based manager updates the display More frequent updates use system resources and increase network traffic However this only occurs when you are viewing the display using the web based manager 4 Select Refresh to manually update the information displayed Viewing virus and intrusions ...

Page 113: ... unit You can use the session list to view current sessions FortiGate administrators with read and write permission and the FortiGate admin user can also stop active communication sessions Viewing the session list 1 Go to System Status Session The web based manager displays the total number of active sessions in the FortiGate unit session table and lists the top 16 2 To page through the list of se...

Page 114: ...m status Figure 4 Example session list To IP The destination IP address of the connection To Port The destination port of the connection Expire The time in seconds before the connection expires Clear Stop an active communication session ...

Page 115: ...ister the FortiGate unit on the Fortinet Support web page This chapter describes Updating antivirus and attack definitions Registering FortiGate units Updating registration information Registering a FortiGate unit after an RMA Updating antivirus and attack definitions You can configure the FortiGate unit to connect to the FortiResponse Distribution Network FDN to automatically receive the latest a...

Page 116: ...ate interface 1 using UDP port 9443 To configure push updates see Configuring push updates on page 119 The FDN is a world wide network of FortiResponse Distribution Servers FDSs When your FortiGate unit connects to the FDN it actually connects to the nearest FDS To do this all FortiGate units are programmed with a list of FDS addresses sorted by nearest time zone according to the time zone configu...

Page 117: ...unit and your network so that the FortiGate unit can connect to the Internet and to the FDN For example you may need to add routes to the FortiGate routing table or configure your network to allow the FortiGate unit to use HTTPS on port 8890 to connect to the Internet You may also have to connect to an override FortiResponse server to receive updates See Configuring update logging on page 118 Push...

Page 118: ...nd attack definitions Update log messages are recorded on the FortiGate Event log 1 Go to Log Report Log Setting 2 Select Config Policy for the type of logs that the FortiGate unit is configured to record See Recording logs on page 281 3 Select Update to record log messages when the FortiGate unit updates antivirus and attack definitions 4 Select the following update log options 5 Select OK Failed...

Page 119: ...edure the FortiGate unit must be able to connect to the FDN or to an override FortiResponse server 1 Go to System Update 2 Select Update Now to update the antivirus and attack definitions If the connection to the FDN or override server is successful the web based manager displays a message similar to the following Your update request has been sent Your database will be updated in a few minutes Ple...

Page 120: ...t to connect to the FDN and download updates Push updates through a NAT device If the FDN can only connect to the FortiGate unit through a NAT device you must configure port forwarding on the NAT device and add the port forwarding information to the push update configuration Using port forwarding the FDN connects to the FortiGate unit using either port 9443 or an override push port that you assign...

Page 121: ...FortiGate unit on the Internal network so that the FortiGate unit on the Internal network can receive push updates 1 Add a port forwarding virtual IP to the FortiGate NAT device 2 Add a firewall policy to the FortiGate NAT device that includes the port forwarding virtual IP 3 Configure the FortiGate unit on the internal network with an override push IP and port Note Before completing the following...

Page 122: ...interface that the FDN connects to For the example topology select the external interface 5 Select Port Forwarding 6 Enter the External IP address that the FDN connects to For the example topology enter 64 230 123 149 7 Enter the External Service Port that the FDN connects to For the example topology enter 45001 8 Set Map to IP to the IP address of the FortiGate unit on the internal network If the...

Page 123: ...ternal to internal firewall policy 2 Configure the policy with the following settings 3 Select OK Configure the FortiGate unit with an override push IP and port To configure the FortiGate unit on the internal network 1 Go to System Update 2 Select Allow Push Update 3 Select Use override push 4 Set IP to the External IP Address added to the virtual IP For the example topology enter 64 230 123 149 S...

Page 124: ...user name and password required for the proxy server to the autoupdate configuration The full syntax for enabling updates through a proxy server is set system autouopdate tunneling enable address proxy address_ip port proxy port username username_str password password_str For example if the IP address of the proxy server is 64 23 6 89 and its port is 8080 enter the following command set system aut...

Page 125: ...dditional FortiGate units Add or change FortiCare Support Contract numbers for each FortiGate unit View and change registration information Download virus and attack definitions updates Download firmware upgrades Modify registration information after an RMA Soon you will also be able to Access Fortinet user documentation Access the Fortinet knowledge base All registration information is stored in ...

Page 126: ...ormation including First and last name Company name Email address Your Fortinet support login user name and password will be sent to this email address Address Contact phone number A security question and an answer to the security question This information is used for password recovery The security question should be a simple question that only you know the answer to The answer should not be easy ...

Page 127: ... unit product information 7 Select Finish If you have not entered a FortiCare Support Contract number SCN you can return to the previous page to enter the number If you do not have a FortiCare Support Contract you can select Continue to complete the registration If you have entered a support contract number a real time validation is performed to verify that the SCN information matches the FortiGat...

Page 128: ...a security question and answer contact Fortinet tech support 1 Go to System Update Support 2 Select Support Login 3 Enter your Fortinet support user name 4 Select Forgot your password 5 Enter your email address and select Submit The security question that you entered when you registered is displayed 6 Enter the answer to your security question and select Get Password If you entered the correct ans...

Page 129: ...the Serial Number of the FortiGate unit 7 If you have purchased a FortiCare Support Contract for this FortiGate unit enter the support contract number 8 Select Finish The list of FortiGate products that you have registered is displayed The list now includes the new FortiGate unit Adding or changing a FortiCare Support Contract number 1 Go to System Update Support and select Support Login 2 Enter y...

Page 130: ...n or security question 1 Go to System Update Support and select Support Login 2 Enter your Fortinet support user name and password 3 Select Login 4 Select My Profile 5 Select Edit Profile 6 Make the required changes to your contact information 7 Make the required changes to your security question and answer 8 Select Update Profile Your changes are saved to the Fortinet technical support database I...

Page 131: ...unit is still protected by hardware coverage you can return the FortiGate unit that is not functioning to your reseller or distributor The RMA is recorded and you will receive a replacement unit Fortinet adds the RMA information to the Fortinet support database When you receive the replacement unit you can use the following procedure to update your product registration information 1 Go to System U...

Page 132: ...132 Fortinet Inc Registering a FortiGate unit after an RMA Virus and attack definitions updates and registration ...

Page 133: ...policy creation For example if you have two interfaces connected to the Internet you can add both of these interfaces to the same zone Then you can configure policies for connections to and from this zone rather than to and from each interface You can add new zones You can also rename and edit any zone Finally you can delete zones when they appear in the zone list with a Delete icon A new zone wil...

Page 134: ...one select Modify 3 Use the Zone list to select the zone to add the interface to 4 Select OK to save your changes 5 Repeat these steps to add more interfaces to zones Adding VLAN subinterfaces to a zone You can add one or more VLAN subinterfaces to a zone If you have added firewall addresses to a VLAN subinterface you must delete these firewall addresses before you can add the VLAN subinterface to...

Page 135: ...e management interface Transparent mode Viewing the interface list Use the following procedure to view the interface list 1 Go to System Interface The interface list is displayed The interface list shows the following status information for all of the FortiGate interfaces and VLAN subinterfaces The IP address of the interface The netmask of the interface The zone that the interface has been added ...

Page 136: ... secondary IP address from the CLI enter the command set system interface intf_str config secip second_ip netmask_ip You can also configure management access and add a ping server to the secondary IP address set system interface intf_str config secallowaccess ping https ssh snmp http telnet set system interface intf_str config secgwdetect enable Adding a ping server to an interface Add a ping serv...

Page 137: ...to save your changes Changing the MTU size to improve network performance You can change the maximum transmission unit MTU size for port1 port2 port3 and port4 ha if it is not configured for HA To improve the performance of your network connection you can adjust the MTU of the packets that the FortiGate unit transmits from its interfaces Ideally this MTU should be the same as the smallest MTU of a...

Page 138: ...binterfaces to it It can only be connected to the port4 ha of the other FortiGate 400 units in the HA group The FortiGate 400 units in the HA group use this connection to communicate status and configuration information among the members of the HA group To configure port4 ha for HA mode 1 Go to System Network Interface 2 For port4 ha select Modify 3 Select Work as HA to configure the interface for...

Page 139: ... support VLANs and describes how to add VLAN subinterfaces VLAN subinterfaces function like any FortiGate interface You can add firewall addresses for a VLAN subinterface to add it to the policy grid You can also add VLAN subinterfaces to zones VLAN support is available when the FortiGate unit is operating in NAT Route mode This section describes VLAN network configuration Adding VLAN subinterface...

Page 140: ...ant router The router is configured to add VLAN IDs to the packets that it receives from each network and then route the packets out a single interface that is connected to the FortiGate interface This FortiGate unit is configured with subinterfaces that include VLAN IDs that match the VLAN IDs added by the router When the FortiGate unit receives packets with VLAN IDs it directs them to the correc...

Page 141: ...binterface IP addresses are Two or more VLAN subinterfaces can have the same IP address as long as they have different VLAN IDs The IP addresses of two or more VLAN subinterfaces can be on the same subnet as long as they have different VLAN IDs The IP address of a VLAN subinterface must different from IP address of the interface that it is added to The IP address of a VLAN subinterface can be on t...

Page 142: ...o allow secure HTTPS connections to the web based manager through this VLAN subinterface PING If you want this VLAN subinterface to respond to pings Use this setting to verify your installation and for testing HTTP To allow HTTP connections to the web based manager through this VLAN subinterface HTTP connections are not secure and can be intercepted by a third party SSH To allow secure SSH connect...

Page 143: ...fic leaving the external interface 1 Go to System Network Routing Table 2 Select New to add a new route 3 Set the Source IP and Netmask to 0 0 0 0 4 Set the Destination IP and Netmask to 0 0 0 0 5 Set Gateway 1 to the IP address of the routing gateway that routes traffic to the Internet 6 Select OK to save the default route Adding destination based routes to the routing table Use the following pro...

Page 144: ...llowing rules If the Gateway 1 IP address is on the same subnet as a FortiGate interface or VLAN subinterface the system sends the traffic to that interface If the Gateway 1 IP address is not on the same subnet as a FortiGate interface or VLAN subinterface the system routes the traffic to interface 2 using the default route You can use Device 1 to send packets to an interface that is on a differen...

Page 145: ...tion status is unknown For more information see Adding a ping server to an interface on page 136 and The FortiGate unit assigns routes by searching for a match starting at the top of the routing table and moving down until it finds the first match You must arrange routes in the routing table from more specific to more general The default route is the most general route If you add a default route i...

Page 146: ...outed using destination routes The gateway added to a policy route must also be added to a destination route When the FortiGate unit matches packets with a route in the RPDB the FortiGate unit looks in the destination routing table for the gateway that was added to the policy route If a match is found the FortiGate routes the packet using the matched destination route If a match is not found the F...

Page 147: ... to separate ranges The defaultroute exclusionrange iprange and reserve IP addresses must all be on the same subnet as the internal interface To change an exclusion range you must redefine all of the exclusion ranges To remove all exclusion ranges replace the first exclusion range with none iprange start_ip end_ip The starting IP and the ending IP for the range of IP addresses that the FortiGate u...

Page 148: ...148 Fortinet Inc Providing DHCP services to your internal network Network configuration ...

Page 149: ...ture limits the maximum diameter of RIP network to 15 hops RIP uses a split horizon to prevent temporary routing loops caused by network topology changes The premise of a split horizon is that it is never useful to send information about a route back in the direction from which it came For example Router 1 could tell Router 2 that it has a route for network A Router 2 knows that it got this inform...

Page 150: ...only have to change these timers to troubleshoot problems with your RIP configuration Default Metric Change the default metric that is applied to routes with incompatible metrics The default metric assists in resolving how routes with incompatible metrics are redistributed Whenever metrics do not convert RIP uses the default metric to provide a reasonable substitute and allows the redistribution t...

Page 151: ...lddown The time interval in seconds during which routing information regarding better paths is suppressed Holddown should be at least three times the value of Update A route enters into a holddown state when an update packet is received that indicates the route is unreachable The route is marked inaccessible and advertised as unreachable and is no longer used for forwarding packets When holddown e...

Page 152: ...roadcast RIP1 messages RIP2 Send This interface can send RIP2 routing broadcasts to its network The routing broadcasts are UDP packets with a destination port of 520 RIP2 Receive This interface can receive RIP2 routing broadcasts The interface listens on port 520 for broadcast RIP2 messages Split Horizon Configure split horizon to prevent routing loops By default split horizon is enabled This opti...

Page 153: ...ver non broadcast networks When used in combination with the RIP filters the FortiGate unit can be configured to exchange routing information with a subset of routers and access servers on a LAN Adding RIP neighbors 1 Go to System RIP Neighbor 2 Select New to add a RIP neighbor Note MD5 authentication is used to verify the integrity of the routing message sent by the FortiGate unit Using MD5 authe...

Page 154: ...ing a filter or filter list for each of these filter types If you do not select a RIP filter for neighbors or routes no filtering is applied You can add a total of four RIP filters or RIP filter lists but you can only have one active neighbors filter and one active routes filter This section describes Adding a single RIP filter Adding a RIP filter list Adding a neighbors filter Adding a routes fil...

Page 155: ...n be 15 characters long and can contain upper and lower case letters numbers and special characters The name cannot contain spaces Blank Filter Used for Filter lists See Adding a RIP filter list on page 155 IP Add the IP address of the route Mask Add the netmask of the route Action Select Allow so that the filter permits this route to be communicated Select Deny to stop this route from being commu...

Page 156: ...ter 4 Select Apply Routes received from neighbors are filtered using the selected RIP filter or RIP filter list Adding a routes filter You can select a single RIP filter or a RIP filter list to be the routes filter 1 Go to System RIP Filter 2 Add RIP filters and RIP filter lists as required 3 For Routes Filter select the name of the RIP filter or RIP filter list to become the routes filter 4 Selec...

Page 157: ...e information on NTP and to find the IP address of an NTP server that you can use see http www ntp org To set the date and time 1 Go to System Config Time 2 Select Refresh to display the current FortiGate system date and time 3 Select your Time Zone from the list 4 Select Automatically adjust clock for daylight saving changes if you want the FortiGate system clock to be adjusted automatically when...

Page 158: ... page you can Set the system idle timeout Set the authentication timeout Select the language for the web base manager Modify the dead gateway detection settings You can also restrict access to the control buttons and LCD by requiring a PIN Personal Identification Number To set the system idle timeout 1 For Idle Timeout type a number in minutes 2 Select Apply Idle Timeout controls the amount of ina...

Page 159: ...ect PIN Protection under LCD Panel 2 Type a 6 digit PIN Administrators must enter the PIN to use the control buttons and LCD 3 Select Apply To modify the Dead Gateway Detection settings Modify dead gateway detection to control how the FortiGate unit confirms connectivity with a ping server added to an interface configuration To add a ping server to an interface see Adding a ping server to an inter...

Page 160: ...ion from which the administrator can log into the web based manager If you want the administrator to be able to access the FortiGate unit from any address set the trusted host to 0 0 0 0 and the netmask to 0 0 0 0 To limit the administrator to only be able to access the FortiGate unit from a specific network set the trusted host to the address of the network and set the netmask to the netmask for ...

Page 161: ...an 6 characters long the system displays a warning message but still accepts the password 5 Select OK 6 To edit the settings of an administrator account select Edit 7 Optionally type a Trusted Host IP address and netmask for the location from which the administrator can log into the web based manager If you want the administrator to be able to access the FortiGate unit from any address set the tru...

Page 162: ...tically set to the FortiGate host name To change the System Name see Changing the FortiGate host name on page 94 System Location Describe the physical location of the FortiGate unit The system location description can be up to 31 characters long and can contain spaces numbers 0 9 uppercase and lowercase letters A Z a z and the special characters and _ The characters are not allowed Contact Informa...

Page 163: ... community string functions like a password that is sent with SNMP traps The default trap community string is public Change the trap community string to the one accepted by your trap receivers The trap community string can be up to 31 characters long and can contain numbers 0 9 uppercase and lowercase letters A Z a z and the special characters and _ Spaces and the characters are not allowed Trap R...

Page 164: ...B that includes detailed FortiGate system configuration information Add this MIB to your SNMP manager to monitor all FortiGate configuration settings RFC1213 mib The RFC 1213 MIB is the standard MIB II MIB that describes network management protocols for TCP IP networks Table 1 FortiGate MIBs MIB file name Description Table 2 FortiGate traps Trap message Description The interface_name Interface IP ...

Page 165: ... and add and edit the replacement message sections as required 1 Go to System Config Replacement Messages 2 For the replacement message you want to customize select Modify 3 In the Message setup dialog box edit the content of the message Table 3 lists the replacement message sections that can be added to replacement messages and describes the tags that can appear in each section In addition to the...

Page 166: ...Section End BLOCKED Quarantine Used when quarantine is enabled permitted for all scan services and block services for email only Section Start QUARANTINE Allowed Tag QUARFILE NAME The name of the file that was quarantined Section End QUARANTINE Table 3 Replacement message sections Table 4 Alert email message sections NIDS event Used for NIDS event alert email messages Section Start NIDS_EVENT Allo...

Page 167: ... IP address of the email server that sent the email containing the blocked file For HTTP this is the IP address of web page that sent the blocked file DEST_IP The IP address of the computer that would have received the blocked file For email this is the IP address of the user s computer that attempted to download the message from which the file ware removed EMAIL_FROM The email address of the send...

Page 168: ...168 Fortinet Inc Customizing replacement messages System configuration ...

Page 169: ...erently depending on the time of day or the day of the week month or year Each policy can be individually configured to route connections or to apply network address translation NAT to translate source and destination IP addresses and ports You can add IP pools to use dynamic NAT when the firewall translates source addresses You can use policies to configure port address translation PAT through th...

Page 170: ...s between the port1 to the port2 interfaces To add policies that include the port3 and port4 ha interfaces you must use the following steps to add these interfaces to the firewall policy grid 1 If they are down bring the port3 and port4 ha interfaces up See Bringing up an interface on page 135 2 Add IP addresses to port3 and port4 ha See Changing an interface static IP address on page 136 3 Add fi...

Page 171: ...nfiguration includes the addresses listed in Table 5 The firewall uses these addresses to match the source and destination addresses of packets received by the firewall The default policy matches all connections from the network connected to port1 because it includes the Port1_All address The default policy also matches all connections to the network connected to port2 because it includes the Port...

Page 172: ...iltering and email filtering to web file transfer and email services The FortiGate unit includes the following default content profiles Strict to apply maximum content protection to HTTP FTP IMAP POP3 and SMTP content traffic Scan to apply antivirus scanning to HTTP FTP IMAP POP3 and SMTP content traffic Web to apply antivirus scanning and Web content blocking to HTTP content traffic Unfiltered to...

Page 173: ...ddress or address group that matches the source address of the packet Before you can add this address to a policy you must add it to the source interface To add an address see Addresses on page 179 Destination Select an address or address group that matches the destination address of the packet Before you can add this address to a policy you must add it to the destination interface VLAN subinterfa...

Page 174: ...Manual Key tunnel VPN Tunnel is not available in Transparent mode ACCEPT Accept the connection If you select ACCEPT you can also configure NAT and Authentication for the policy DENY Deny the connection The only other policy option that you can configure is log traffic to log the connections denied by this policy ENCRYPT Make this policy an IPSec VPN policy If you select ENCRYPT you can select an A...

Page 175: ...to use other services for example POP3 or IMAP you can create a service group that includes the services for which you want to require authentication as well as HTTP Telnet and FTP Then users could authenticate with the policy using HTTP Telnet or FTP before using the other service Allow inbound Select Allow inbound so that users behind the remote VPN gateway can connect to the source address Allo...

Page 176: ...i Virus Web filter Enable antivirus protection and web filter content filtering for traffic controlled by this policy You can select Anti Virus Web filter if Service is set to ANY HTTP SMTP POP3 IMAP or FTP or to a service group that includes the HTTP SMTP POP3 IMAP or FTP services Select a content profile to configure how antivirus protection and content filtering is applied to the policy See Con...

Page 177: ...olicies Policy matching in detail When the FortiGate unit receives a connection attempt at an interface it must select a policy list to search through for a policy that matches the connection attempt The FortiGate unit chooses the policy list based on the source and destination addresses of the connection attempt The FortiGate unit then starts at the top of the selected policy list and searches do...

Page 178: ...he policy and select OK Enabling and disabling policies You can enable and disable policies in the policy list to control whether the policy is active or not The FortiGate unit matches enabled policies but does not match disabled policies Disabling a policy Disable a policy to temporarily prevent the firewall from selecting the policy Disabling a policy does not stop active communications sessions...

Page 179: ...d Netmask 255 255 255 255 All possible IP addresses represented by IP Address 0 0 0 0 and Netmask 0 0 0 0 This section describes Adding addresses Editing addresses Deleting addresses Organizing addresses into address groups Adding addresses 1 Go to Firewall Address 2 Select the interface VLAN subinterface or zone to which to add the address 3 Select New to add a new address 4 Enter an Address Name...

Page 180: ... cannot edit the address name To change the address name you must delete the address entry and then add the address again with a new name 1 Go to Firewall Address 2 Select the interface list containing the address that you want to edit 3 Choose an address to edit and select Edit Address 4 Make the required changes and select OK to save your changes Deleting addresses Deleting an address removes it...

Page 181: ... zone source or destination address lists Address groups cannot have the same names as individual addresses If an address group is included in a policy it cannot be deleted unless it is first removed from the policy 1 Go to Firewall Address Group 2 Select the interface VLAN subinterface or zone to which to add the address group 3 Enter a Group Name to identify the address group The name can contai...

Page 182: ...ckets of the protocol within GRE packets 47 AH Authentication Header AH provides source host authentication and data integrity but not secrecy This protocol is used for authentication by IPSec remote gateways set to aggressive mode 51 ESP Encapsulating Security Payload This service is used by manual key and AutoIKE VPN tunnels for communicating encrypted data AutoIKE key VPN tunnels use ESP after ...

Page 183: ...s used to access information directories tcp 389 NetMeeting NetMeeting allows users to teleconference using the Internet as the transmission medium tcp 1720 NFS Network File System allows network users to access shared files stored on computers of different types tcp 111 2049 NNTP Network News Transport Protocol is a protocol used to post distribute and retrieve USENET messages tcp 119 NTP Network...

Page 184: ...ork Management Protocol is a set of protocols for managing complex networks tcp 161 162 udp 161 162 SSH SSH service for secure connections to computers for remote management tcp 22 udp 22 SYSLOG Syslog service for remote logging udp 514 TALK A protocol supporting conversations between two or more users udp 517 518 TCP All TCP ports tcp 0 65535 TELNET Telnet service for connecting to a remote compu...

Page 185: ...access for all the services in the group A service group can contain predefined services and custom services in any combination You cannot add service groups to another service group 1 Go to Firewall Service Group 2 Select New 3 Enter a Group Name to identify the group This name appears in the service list when you add a policy and cannot be the same as a predefined service name The name can conta...

Page 186: ... time schedule that activates or deactivates a policy for a specified period of time For example your firewall might be configured with the default policy that allows access to all services on the Internet at all times You can add a one time schedule to block access to the Internet during a holiday period 1 Go to Firewall Schedule One time 2 Select New 3 Enter a Name for the schedule The name can ...

Page 187: ...u can use this technique to create recurring schedules that run from one day to the next You can also create a recurring schedule that runs for 24 hours by setting the start and stop times to the same time 1 Go to Firewall Schedule Recurring 2 Select New to create a new schedule 3 Enter a Name for the schedule The name can contain numbers 0 9 uppercase and lowercase letters A Z a z and the special...

Page 188: ...and the real address on the destination network This mapping is called a virtual IP For example if the computer hosting your web server is located on the network connected to port3 it could have a private IP address such as 10 10 10 3 If port2 connects to the Internet to get packets from the Internet to the web server you must have an external address for the web server on the Internet You must th...

Page 189: ...warded to the destination network You can select a firewall interface or a VLAN subinterface 5 Make sure Type is set to Static NAT 6 In the External IP Address field enter the external IP address to be mapped to an address on the destination network For example if the virtual IP provides access from the Internet to a web server on a destination network the external IP address must be a static IP a...

Page 190: ...tained from your ISP for this server This address must be a unique address that is not used by another host However this address must be routed to the External Interface selected in step 4 7 Enter the External Service Port number for which to configure port forwarding The external service port number must match the destination port of the packets to be forwarded For example if the virtual IP provi...

Page 191: ...ace must match the interface connected to the network with the Map to IP address 3 Use the following information to configure the policy Source Select the source address from which users can access the server Destination Select the virtual IP Schedule Select a schedule as required Service Select the service that matches the Map to Service that you selected for the port forwarding virtual IP Action...

Page 192: ...e interface for which you are adding the IP pool You can add multiple IP pools to any interface but only the first IP pool is used by the Firewall This section describes Adding an IP pool IP Pools for firewall policies that use fixed ports IP pools and dynamic NAT Adding an IP pool To add an IP pool 1 Go to Firewall IP Pool 2 Select the interface to which to add the IP pool You can select a firewa...

Page 193: ...nge of Internet addresses but you may have only one Internet connection the external interface of your FortiGate unit You can assign one of your organization s Internet IP addresses to the external interface of your FortiGate unit If your FortiGate unit is operating in NAT Route mode all connections from your network to the Internet appear to come from this IP address If you want connections to or...

Page 194: ...ith the entries in the IP MAC binding list If a match is found then the firewall attempts to match the packet with a policy For example if the IP MAC pair IP 1 1 1 1 and 12 34 56 78 90 ab cd is added to the IP MAC binding list A packet with IP address 1 1 1 1 and MAC address 12 34 56 78 90 ab cd is allowed to go on to be matched with a firewall policy A packet with IP 1 1 1 1 but with a different ...

Page 195: ...MAC address of 12 34 56 78 90 ab cd is dropped immediately to prevent IP spoofing A packet with both the IP address and MAC address not defined in the IP MAC binding table is allowed to connect to the firewall if IP MAC binding is set to Allow traffic is blocked if IP MAC binding is set to Block traffic Adding IP MAC addresses 1 Go to Firewall IP MAC Binding Static IP MAC 2 Select New to add an IP...

Page 196: ...rn on IP MAC binding for packets connecting to the firewall 4 Configure how IP MAC binding handles packets with IP and MAC addresses that are not defined in the IP MAC list Select Allow traffic to allow all packets with IP and MAC address pairs that are not added to the IP MAC binding list Select Block traffic to block packets with IP and MAC address pairs that are not added to the IP MAC binding ...

Page 197: ... Default content profiles The FortiGate unit has the following four default content profiles under Firewall Content Profile You can use these existing content profiles or create your own Adding a content profile If the default content profiles do not provide the protection that you require you can create new content profiles customized to your requirements 1 Go to Firewall Content Profile 2 Select...

Page 198: ... adds Fortinet URL blocking see URL blocking on page 269 and Cerberian URL filtering see Using the Cerberian web filter on page 272 to HTTP traffic accepted by a policy Web Content Block Block web pages that contain unwanted words or phrases See Content blocking on page 268 Web Script Filter Remove scripts from web pages See Script filtering on page 274 Web Exempt List Exempt URLs from web filteri...

Page 199: ...ese services 1 Go to Firewall Policy 2 Select a policy list that contains policies to which to add a content profile For example to enable network protection for files downloaded by internal network users from the web select an internal to external policy list 3 Select New to add a new policy or choose a policy and select Edit 4 Select Anti Virus Web filter 5 Select a content profile 6 Configure t...

Page 200: ...200 Fortinet Inc Content profiles Firewall configuration ...

Page 201: ...T IPSec dialup user phase 1 configurations XAuth functionality for Phase 1 IPSec VPN configurations PPTP L2TP When a user enters a user name and password the FortiGate unit searches the internal user database for a matching user name If Disable is selected for that user name the user cannot authenticate and the connection is dropped If Password is selected for that user and the password matches th...

Page 202: ...e 3 Enter the user name The user name can contain numbers 0 9 uppercase and lowercase letters A Z a z and the special characters and _ Other special characters and spaces are not allowed 4 Select one of the following authentication configurations Disable Prevent this user from authenticating Password Enter the password that this user must use to authenticate The password should be at least six cha...

Page 203: ...to try to connect to other RADIUS servers added to the FortiGate RADIUS configuration 6 Select OK Figure 17 Adding a user name Deleting user names from the internal database You cannot delete user names that have been added to user groups Remove user names from user groups before deleting them 1 Go to User Local 2 Select Delete User for the user name to delete 3 Select OK Note Deleting the user na...

Page 204: ...o to User RADIUS 2 Select New to add a new RADIUS server 3 Enter the name of the RADIUS server You can enter any name The name can contain numbers 0 9 uppercase and lowercase letters A Z a z and the special characters and _ Other special characters and spaces are not allowed 4 Enter the domain name or IP address of the RADIUS server 5 Enter the RADIUS server secret 6 Select OK Figure 18 Example RA...

Page 205: ...ation of password expiration that is available from some LDAP servers FortiGate LDAP support does not supply information to the user about why authentication failed LDAP user authentication is supported for PPTP L2TP IPSec VPN and firewall authentication With PPTP L2TP and IPSec VPN PAP packet authentication protocol is supported and CHAP Challenge Handshake Authentication Protocol is not This sec...

Page 206: ...ollowing base distinguished name ou marketing dc fortinet dc com where ou is organization unit and dc is domain component You can also specify multiple instances of the same field in the distinguished name for example to specify multiple organization units ou accounts ou marketing dc fortinet dc com 8 Select OK Figure 19 Example LDAP configuration Deleting LDAP servers You cannot delete LDAP serve...

Page 207: ...the selected user group can use PPTP The FortiGate L2TP configuration Only users in the selected user group can use L2TP When you add user names RADIUS servers and LDAP servers to a user group the order in which they are added affects the order in which the FortiGate unit checks for authentication If user names are first then the FortiGate unit checks for a match with these local users If a match ...

Page 208: ...select the right arrow to add the RADIUS server to the Members list 6 To add an LDAP server to the user group select an LDAP server from the Available Users list and select the right arrow to add the LDAP server to the Members list 7 To remove users RADIUS servers or LDAP servers from the user group select a user RADIUS server or LDAP server from the Members list and select the left arrow to remov...

Page 209: ...ublic network Instead of being sent in its original format the data frames are encapsulated within an additional header and then routed between tunnel endpoints Upon arrival at the destination endpoint the data is decapsulated and forwarded to its destination within the private network Encryption transforms data stream from clear text something that a human or a program can interpret to cipher tex...

Page 210: ...er The peers do not actually send the key to each other Instead as part of the security negotiation process they use it in combination with a Diffie Hellman group to create a session key The session key is used for encryption and authentication purposes and is automatically regenerated during the communication session by IKE Pre shared keys are similar to the manual keys in that they require the n...

Page 211: ...ps for a manual key VPN Adding a manual key VPN tunnel General configuration steps for a manual key VPN A manual key VPN configuration consists of a manual key VPN tunnel the source and destination addresses for both ends of the tunnel and an encrypt policy to control access to the VPN tunnel To create a manual key VPN configuration 1 Add a manual key VPN tunnel See Adding a manual key VPN tunnel ...

Page 212: ... Key Each two character combination entered in hexadecimal format represents one byte Use the same authentication key at both ends of the tunnel 11 Select a concentrator if you want the tunnel to be part of a hub and spoke VPN configuration See Adding a VPN concentrator on page 229 Select OK to save the manual key VPN tunnel DES Enter a 16 character 8 byte hexadecimal number 0 9 A F 3DES Enter a 4...

Page 213: ... the tunnel See Configuring encrypt policies on page 224 Adding a phase 1 configuration for an AutoIKE VPN When you add a phase 1 configuration you define the terms by which the FortiGate unit and a remote VPN peer gateway or client authenticate themselves to each other prior to the establishment of an IPSec VPN tunnel The phase 1 configuration is related to the phase 2 configuration In phase 1 th...

Page 214: ...Hellman groups to propose for phase 1 As a general rule the VPN peers should use the same DH Group settings 8 Enter the Keylife The keylife is the amount of time in seconds before the phase 1 encryption key expires When the key expires a new key is generated without interrupting service P1 proposal keylife can be from 120 to 172 800 seconds 9 For Authentication Method select Preshared Key or RSA S...

Page 215: ...cific VPN peer or a group of VPN peers with a shared user name ID and password pre shared key Also add the peer ID Also add the peer ID Accept peer ID in dialup group Select to authenticate each remote VPN peer with a unique user name ID and password pre shared key Also select a dialup group user group Configure the user group prior to configuring this peer option XAuth Enable as a Client Name Ent...

Page 216: ...le DPD between the local and remote peers Short Idle Set the time in seconds that a link must remain unused before the local VPN peer considers it to be idle After this period of time expires whenever the local peer sends traffic to the remote VPN peer it will also send a DPD probe to determine the status of the link To control the length of time that the FortiGate unit takes to detect a dead peer...

Page 217: ... between the local VPN peer the FortiGate unit and the remote VPN peer the VPN gateway or client To add a phase 2 configuration 1 Go to VPN IPSEC Phase 2 2 Select New to add a new phase 2 configuration 3 Enter a Tunnel Name The name can contain numbers 0 9 uppercase and lowercase letters A Z a z and the special characters and _ Other special characters and spaces are not allowed Note Adding a Phas...

Page 218: ...ylife expires 8 Select the DH Group s The VPN peers must use the same DH Group settings 9 Enter the Keylife The keylife causes the phase 2 key to expire after a specified amount of time after a specified number of kbytes of data have been processed by the VPN tunnel or both If you select both the key does not expire until both the time has passed and the number of kbytes have been processed When t...

Page 219: ...uter to the certificate authority and from the certificate authority to your local computer Obtaining a signed local certificate Obtaining a CA certificate Obtaining a signed local certificate The signed local certificate provides the FortiGate unit with a means to authenticate itself to other devices Note Digital certificates are not required for configuring FortiGate VPNs Digital certificates ar...

Page 220: ...certified Domain Name For Domain name enter the fully qualified domain name of the FortiGate unit being certified Do not include the protocol specification http or any port number or path names E Mail For E mail enter the email address of the owner of the FortiGate unit being certified Typically e mail addresses are entered only for clients not gateways Organization Unit Enter a name that identifi...

Page 221: ...o VPN Local Certificates 2 Select Download to download the local certificate to the management computer 3 Select Save 4 Name the file and save it in a directory on the management computer Requesting the signed local certificate With this procedure you copy and paste the certificate request from the management computer to the CA web server To request the signed local certificate 1 On the management...

Page 222: ... you connect to the CA web server and download the signed local certificate to the management computer Do this after receiving notification from the CA that it has signed the certificate request To retrieve the signed local certificate 1 Connect the CA web server 2 Follow the CA web server instructions to download the signed local certificate The File Download dialog will display 3 Select Save 4 S...

Page 223: ...remote VPN peer The remote VPN peer obtains the CA certificate in order to validate the digital certificate that it receives from the FortiGate unit Retrieving a CA certificate Connect to the CA web server and download the CA certificate to the management computer To retrieve the CA certificate 1 Connect the CA web server 2 Follow the CA web server instructions to download the CA certificate The F...

Page 224: ...u can configure the encrypt policy for services such as DNS FTP and POP3 and to allow connections according to a predefined schedule by the time of the day or the day of the week month or year You can also configure the encrypt policy for Inbound NAT to translate the source of incoming packets Outbound NAT to translate the source address of outgoing packets Traffic shaping to control the bandwidth...

Page 225: ...s 3 Select New to add an address 4 Enter the Address Name IP Address and NetMask for a single computer or for an entire subnetwork on an internal interface of the remote VPN peer 5 Select OK to save the source address Adding an encrypt policy 1 Go to Firewall Policy 2 Use the policy grid to choose the policy list to which to add the policy For example port1 port2 or port3 port2 3 Select New to add...

Page 226: ...ocal hosts to see the IP addresses of remote hosts hosts located on the network behind the remote VPN gateway Outbound NAT The FortiGate unit translates the source address of outgoing packets to the IP address of the FortiGate interface connected to the destination address network Typically this is an external interface of the FortiGate unit Outbound NAT makes it impossible for remote hosts to see...

Page 227: ...N peer is a FortiGate unit functioning as the hub or concentrator it requires a VPN configuration connecting it to each spoke AutoIKE phase 1 and 2 settings or manual key settings plus encrypt policies It also requires a concentrator configuration that groups the hub and spoke tunnels together The concentrator configuration defines the FortiGate unit as the hub in a hub and spoke network If the VP...

Page 228: ...r a client on the Internet or a network located behind a gateway See Adding a source address on page 225 3 Add the concentrator configuration This step groups the tunnels together on the FortiGate unit The tunnels link the hub to the spokes The tunnels are added as part of the AutoIKE phase 2 configuration or the manual key configuration See Adding a VPN concentrator on page 229 4 Add an encrypt p...

Page 229: ...o add a VPN concentrator 3 Enter the name of the new concentrator in the Concentrator Name field 4 To add tunnels to the VPN concentrator select a VPN tunnel from the Available Tunnels list and select the right arrow 5 To remove tunnels from the VPN concentrator select the tunnel in the Members list and select the left arrow 6 Select OK to add the VPN concentrator Figure 26 Adding a VPN concentrat...

Page 230: ... addresses for each remote VPN spoke The destination address is the address of the spoke either a client on the Internet or a network located behind a gateway See Adding a destination address on page 225 4 Add a separate outbound encrypt policy for each remote VPN spoke These policies control the encrypted connections initiated by the local VPN spoke The encrypt policy must include the appropriate...

Page 231: ...ers one can have multiple Internet connections while the other has only one Internet connection Of course with an asymmetrical configuration the level redundancy will vary from one end of the VPN to the other Configuring redundant IPSec VPN Prior to configuring the VPN make sure that both FortiGate units have multiple connections to the Internet For each unit first add multiple two or more externa...

Page 232: ...Make sure that the remote VPN peer Remote Gateway has a static IP address See Adding a phase 1 configuration for an AutoIKE VPN on page 213 2 Add the phase 2 parameters VPN tunnel for up to three VPN connections If the Internet connections are in the same zone add one VPN tunnel and add the remote gateways to it You can add up to three remote gateways If the Internet connections are in separate zo...

Page 233: ...as the tunnel time out To view VPN tunnel status 1 Go to VPN IPSEC AutoIKE Key The Status column displays the status of each tunnel If Status is Up the tunnel is active If Status is Down the tunnel is not active The Timeout column displays the time before the next key exchange The time is calculated by subtracting the time elapsed since the last key exchange from the keylife Figure 27 AutoIKE key ...

Page 234: ...cal peer Figure 28 Dialup Monitor Testing a VPN To confirm that a VPN between two networks has been configured correctly use the ping command from one internal network to connect to a computer on the other internal network The IPSec VPN tunnel starts automatically when the first data packet destined for the VPN is intercepted by the FortiGate unit To confirm that a VPN between a network and one or...

Page 235: ... configuration changes to the client computer and the FortiGate unit This chapter provides an overview of how to configure FortiGate PPTP and L2TP VPN For a complete description of FortiGate PPTP and L2TP see the FortiGate VPN Guide This chapter describes Configuring PPTP Configuring L2TP Configuring PPTP As its name suggests PPTP involves the Point to Point protocol PPTP packages data within PPP ...

Page 236: ...o to User Local 2 Add and configure PPTP users See Adding user names and configuring authentication on page 202 3 Go to User User Group 4 Add and configure PPTP user groups See Configuring user groups on page 207 Enabling PPTP and specifying an address range 1 Go to VPN PPTP PPTP Range 2 Select Enable PPTP 3 Enter the Starting IP and the Ending IP for the PPTP address range 4 Select the User Group...

Page 237: ... in the PPTP address range Adding an address group Organize the source addresses into an address group 1 Go to Firewall Address Group 2 Add a new address group to the interface to which PPTP clients connect This can be an interface VLAN subinterface or zone 3 Enter a Group Name to identify the address group The name can contain numbers 0 9 uppercase and lowercase letters A Z a z and the special ch...

Page 238: ...TP VPN tunnel 1 Go to Firewall Policy 2 Use the policy grid to choose the policy list to which to add the policy 3 Select New to add a new policy 4 Set Source to the group that matches the PPTP address range 5 Set Destination to the address to which PPTP users can connect 6 Set Service to match the traffic type inside the PPTP VPN tunnel For example if PPTP users can access a web server select HTT...

Page 239: ...Uncheck IPX SPX Compatible 9 Select TCP IP Settings 10 Uncheck Use IP header compression 11 Uncheck Use default gateway on remote network 12 Select OK twice Connecting to the PPTP VPN 1 Start the dialup connection that you configured in the previous procedure 2 Enter your PPTP VPN User Name and Password 3 Select Connect Configuring a Windows 2000 client for PPTP Use the following procedure to conf...

Page 240: ... it can connect to a FortiGate PPTP VPN Configuring a PPTP dialup connection 1 Go to Start Control Panel 2 Select Network and Internet Connections 3 Select Create a Connection to the network of your workplace and select Next 4 Select Virtual Private Network Connection and select Next 5 Name the connection and select Next 6 If the Public Network dialog box appears choose the appropriate initial con...

Page 241: ... Connecting to the PPTP VPN 1 Connect to your ISP 2 Start the VPN connection that you configured in the previous procedure 3 Enter your PPTP VPN User Name and Password 4 Select Connect 5 In the connect window enter the User Name and Password that you use to connect to your dialup network connection This user name and password is not the same as your VPN user name and password Configuring L2TP Some...

Page 242: ...o to User Local 2 Add and configure L2TP users See Adding user names and configuring authentication on page 202 3 Go to User User Group 4 Add and configure L2TP user groups See Configuring user groups on page 207 Enabling L2TP and specifying an address range 1 Go to VPN L2TP L2TP Range 2 Select Enable L2TP 3 Enter the Starting IP and the Ending IP for the L2TP address range 4 Select the User Group...

Page 243: ... address list 8 Add a policy to allow L2TP clients to connect through the FortiGate unit Adding a source address Add a source address for every address in the L2TP address range 1 Go to Firewall Address 2 Select the interface to which L2TP clients connect This can be an interface VLAN subinterface or zone 3 Select New to add an address 4 Enter the Address Name IP Address and NetMask for an address...

Page 244: ...interface Methods will differ slightly between FortiGate models 3 Select New to add an address 4 Enter the Address Name IP Address and NetMask for a single computer or for an entire subnetwork on an internal interface of the local VPN peer 5 Select OK to save the source address Adding a firewall policy Add a policy which specifies the source and destination addresses and sets the service for the p...

Page 245: ...yption is selected 10 Select the Networking tab 11 Set VPN server type to Layer 2 Tunneling Protocol L2TP 12 Save your changes and continue with the following procedure Disabling IPSec 1 Select the Networking tab 2 Select Internet Protocol TCP IP properties 3 Double click the Advanced tab 4 Go to the Options tab and select IP security properties 5 Make sure that Do not use IPSEC is selected 6 Sele...

Page 246: ...he User Name and Password that you use to connect to your dialup network connection This user name and password is not the same as your VPN user name and password Configuring a Windows XP client for L2TP Use the following procedure to configure a client computer running Windows XP so that it can connect to a FortiGate L2TP VPN Configuring an L2TP VPN dialup connection 1 Go to Start Settings 2 Sele...

Page 247: ...KEY_LOCAL_MACHINE System CurrentControlSet Services Rasman Parameters 8 Add the following registry value to this key Value Name ProhibitIpSec Data Type REG_DWORD Value 1 9 Save your changes and restart the computer for the changes to take effect You must add the ProhibitIpSec registry value to each Windows XP based endpoint computer of an L2TP or IPSec connection to prevent the automatic filter fo...

Page 248: ...PN connection that you configured in the previous procedure 3 Enter your L2TP VPN User Name and Password 4 Select Connect 5 In the connect window enter the User Name and Password that you use to connect to your dialup network connection This user name and password is not the same as your VPN user name and password ...

Page 249: ...acks Logging attacks Detecting attacks The NIDS Detection module detects a wide variety of suspicious network traffic and network based attacks Use the following procedures to configure the general NIDS settings and the NIDS Detection module Signature List For the general NIDS settings you need to select which interfaces will be monitored for network based attacks You also need to decide whether t...

Page 250: ...to make sure that they have not been changed in transit The NIDS can run checksum verification on IP TCP UDP and ICMP traffic For maximum detection you can turn on checksum verification for all types of traffic However if the FortiGate unit does not need to run checksum verification you can turn it off for some or all types of traffic to improve system performance For example you might not need to...

Page 251: ...gnature list 1 Go to NIDS Detection Signature List 2 Select View Details to display the members of a signature group Select a signature and copy its attack ID 3 Open a web browser and enter this URL http www fortinet com ids ID attack ID Remember to include the attack ID For example to view the Fortinet Attack Analysis web page for the ssh CRC32 overflow bin sh attack ID 101646338 use the followin...

Page 252: ...ocate specific attack signatures by ID number and name 3 Uncheck the Enable check box 4 Select OK 5 Repeat steps 2 to 4 for each NIDS attack signature group that you want to disable Select Check All to enable all NIDS attack signature groups in the signature list Select Uncheck All to disable all NIDS attack signature groups in the signature list Adding user defined signatures You can create a use...

Page 253: ...the text file as well as a name for the text file Preventing attacks NIDS attack prevention protects the FortiGate unit and the networks connected to it from common TCP ICMP UDP and IP attacks You can enable the NIDS attack prevention to prevent a set of default attacks with default threshold values You can also enable and set the threshold values for individual attack signatures Enabling NIDS att...

Page 254: ...S attack prevention signature list 4 Select Uncheck All to disable all signatures in the NIDS attack prevention signature list 5 Select Reset to Default Values to enable only the default NIDS attack prevention signatures and return to the default threshold values Figure 36 Example NIDS attack prevention signature list entries Setting signature threshold values You can change the default threshold ...

Page 255: ...alue units Default threshold value Minimum threshold value Maximum threshold value synflood Maximum number of SYN segments received per second 200 30 3000 portscan Maximum number of SYN segments received per second 128 10 256 srcsession Total number of TCP sessions initiated from the same source 2048 128 10240 ftpovfl Maximum buffer size for an FTP command bytes 256 128 1024 smtpovfl Maximum buffe...

Page 256: ... attack log Use the following procedure to log attack messages to the attack log 1 Go to Log Report Log Setting 2 Select Config Policy for the log locations you have set 3 Select Attack Log 4 Select Attack Detection and Attack Prevention 5 Select OK Value Description Minimum value Maximum value Default value Threshold Number of SYN requests sent to a destination host or server per second If the SY...

Page 257: ...ge is compared with the previous messages If the new message is not a duplicate the FortiGate unit sends it immediately and puts a copy in the queue If the new message is a duplicate the FortiGate unit deletes it and increases an internal counter for the number of message copies in the queue The FortiGate unit holds duplicate alert email messages for 60 seconds If a duplicate message has been in t...

Page 258: ...258 Fortinet Inc Logging attacks Network Intrusion Detection System NIDS ...

Page 259: ...ons in a new or existing content profile See Adding a content profile on page 197 2 Select the Anti Virus Web filter option in firewall policies that allow web HTTP FTP and email IMAP POP3 and SMTP connections through the FortiGate unit Select a content profile that provides the antivirus protection options that you want to apply to a policy See Adding a content profile to a policy on page 199 3 C...

Page 260: ...bzip2 Tar Gzip Bzip2 If a file is found to contain a virus it is removed from the content stream and replaced with a replacement message If your FortiGate unit includes a hard disk and if quarantine is enabled for infected files for the matching traffic protocol the FortiGate unit adds the file to the quarantine list To scan FortiGate firewall traffic for viruses 1 Select antivirus scanning in a c...

Page 261: ... extremely high risk situations in which there is no other way to prevent viruses from entering your network On a FortiGate unit with a hard disk if quarantining is enabled for blocked files for the matching traffic protocol the FortiGate unit adds the file to the quarantine list File blocking deletes all files that match a list of enabled file patterns The FortiGate unit replaces the file with an...

Page 262: ... Select file blocking in a content profile See Adding a content profile on page 197 2 Add this content profile to firewall policies to apply content blocking to the traffic controlled by the firewall policy See Adding a content profile to a policy on page 199 Adding file patterns to block 1 Go to Anti Virus File Block 2 Select New 3 Type the new pattern in the File Pattern field You can use an ast...

Page 263: ...ine infected files found in HTTP FTP POP3 IMAP and SMTP traffic controlled by firewall policies 1 Go to Anti Virus Quarantine Quarantine Config 2 Select the Content protocols for which to quarantine infected files 3 Select antivirus scanning in a content profile See Adding a content profile on page 197 4 Select Quarantine to save to the quarantine any files that are found to be infected with a vir...

Page 264: ...service from which the file was quarantined HTTP FTP IMAP POP3 SMTP Status A color coded status indicator Red File is infected Yellow File caught by heuristics Green File blocked by block pattern Blue File is over size limit Fortinet recommends that you send yellow status files to the FortiResponse Center as these files could contain a new virus or a variant of a known virus Status Description Spe...

Page 265: ...uarantine Quarantine Config 2 For each traffic protocol select the applicable Quarantine Infected Files and Quarantine Blocked Files check boxes The FortiGate unit quarantines infected and blocked files for the selected traffic 3 Type the Age Limit TTL in hours to specify how long files are left in quarantine The maximum number of hours is 480 The FortiGate unit automatically deletes a file when t...

Page 266: ...ssage that is forwarded to the receiver It is recommend that you disable the fragmenting of email messages in the client email software To exempt fragmented emails from automatic antivirus blocking you can enable Pass Fragmented Email for the email content protocols IMAP POP3 and SMTP Configure the FortiGate unit to pass fragmented emails by doing the following 1 Enable Pass Fragmented Emails for ...

Page 267: ... configuration steps Content blocking URL blocking Using the Cerberian web filter Script filtering Exempt URL list General configuration steps Configuring web filtering involves the following general steps 1 Select web filtering options in a new or existing content profile See Adding a content profile on page 197 2 Select the Anti Virus Web filter option in firewall policies that allow HTTP connec...

Page 268: ... set that you choose 4 Type a banned word or phrase If you type a single word for example banned the FortiGate unit blocks all web pages that contain that word If you type a phrase for example banned phrase the FortiGate unit blocks web pages that contain both words When this phrase appears on the banned word list the FortiGate unit inserts plus signs in place of spaces for example banned phrase I...

Page 269: ...web filter You can configure the FortiGate unit to block all pages on a website by adding the top level URL or IP address You can also block individual pages on a website by including the full path and filename of the web page to block This section describes Adding URLs or URL patterns to the block list Clearing the URL block list Downloading the URL block list Uploading a URL block list Adding UR...

Page 270: ... You can enter multiple URLs and patterns and then select Check All to enable all items in the URL block list Each page of the URL block list displays 100 URLs 6 Use Page Up and Page Down to navigate through the URL block list Figure 39 Example URL block list Clearing the URL block list 1 Go to Web Filter URL Block 2 Select Clear URL Block List to remove all URLs and patterns from the URL block li...

Page 271: ...lists available at http www squidguard org blacklist as a starting point for creating your own URL block list Three times per week the squidGuard robot searches the web for new URLs to add to the blacklists You can upload the squidGuard blacklists to the FortiGate unit as a text file with only minimal editing to remove comments at the top of each list and to combine the lists that you want into a ...

Page 272: ...license key determines the number of end users allowed to use Cerberian web filtering through the FortiGate unit 1 Go to Web Filter URL Block 2 Select Cerberian URL Filtering 3 Enter the license number 4 Select Apply Adding a Cerberian user to the FortiGate unit The Cerberian web policies can only be applied to user groups You can add users on the FortiGate unit and then add the users to user grou...

Page 273: ...icies to the group The default group is a place for All the users who are not assigned alias names on the FortiGate unit All the users who are not assigned to any other user groups The Cerberian web filter groups the web pages into 53 categories The default policy blocks the URLs of 12 categories You can modify the default policy and apply it to any user groups To configure the Cerberian web filte...

Page 274: ...ering You can configure the FortiGate unit to remove Java applets cookies and ActiveX scripts from the HTML web pages Enabling the script filter Selecting script filter options Enabling the script filter 1 Go to Firewall Content Profile 2 Select the content profile for which you want to enable script filtering 3 Select Script Filter 4 Select OK Selecting script filter options 1 Go to Web Filter Sc...

Page 275: ...to add an item to the exempt URL list 3 Type the URL to exempt Type a complete URL including path and filename to exempt access to a page on a website For example www goodsite com index html exempts access to the main page of this example website You can also add IP addresses for example 122 63 44 67 index html exempts access to the main web page at this address Do not include http in the URL to e...

Page 276: ... to the exempt URL list You can enter multiple URLs and then select Check All to activate all items in the exempt URL list Each page of the exempt URL list displays 100 URLs 6 Use Page Down and Page Up to navigate through the exempt URL list Figure 42 Example exempt URL list ...

Page 277: ...iguration steps Configuring email filtering involves the following general steps 1 Select email filter options in a new or existing content profile See Adding a content profile on page 197 2 Select the Anti Virus Web filter option in firewall policies that allow IMAP and POP3 connections through the FortiGate unit Select a content profile that provides the email filtering options that you want to ...

Page 278: ...a phrase for example banned phrase the FortiGate unit tags email that contains both words When this phrase appears on the banned word list the FortiGate unit inserts plus signs in place of spaces for example banned phrase If you type a phrase in quotes for example banned word the FortiGate unit tags all email in which the words are found together as a phrase Content filtering is not case sensitive...

Page 279: ...subdomain name For example mail abccompany com To tag email from an entire organization category type the top level domain name For example type com to tag email sent from all organizations that use com as the top level domain The pattern can contain numbers 0 9 uppercase and lowercase letters A Z a z and the special characters hyphen _ underscore and Spaces and other special characters are not al...

Page 280: ...d other special characters are not allowed 4 Select Enable to exempt the address pattern 5 Select OK to add the address pattern to the email exempt list You can enter multiple patterns and then select Check All to activate all patterns in the email exempt list You can also enable any pattern in the email exempt list by checking the box in the Enable column Adding a subject tag When the FortiGate u...

Page 281: ...e of a computer running a syslog server a computer running a WebTrends firewall reporting server the FortiGate hard disk if your FortiGate unit contains a hard disk the console You can also configure logging to record event attack antivirus web filter and email filter logs to the FortiGate system memory if your FortiGate unit does not contain a hard disk Logging to memory allows quick access to on...

Page 282: ...onfig Policy Select the Log type for which you want the FortiGate unit to record logs For each Log type select the activities for which you want the FortiGate unit to record log messages Select OK For more information on log types and activities see Filtering log messages on page 284 and Configuring traffic logging on page 286 7 Select Apply Recording logs on a NetIQ WebTrends server Use the follo...

Page 283: ...e the current log file is closed and saved and a new active log file is started The default maximum log file size is 10 Mbytes and the maximum allowed is 2 GBytes 4 Type a log time interval in days After the specified time interval the current log file is closed and saved and a new one is started The default log time interval is 10 days 5 Select the severity level for which you want to record log ...

Page 284: ...vents to record use the procedures in Filtering log messages on page 284 5 Select Apply Filtering log messages You can configure which logs to record and which message categories to record in each log 1 Go to Log Report Log Setting 2 Select Config Policy for the log location that you selected in Recording logs on page 281 3 Select the log types that you want FortiGate unit to record Note The Forti...

Page 285: ...elected Event Log Virus Log Web Filtering Log Attack Log Email Filter Log or Update in step 3 5 Select OK Figure 43 Example log filter configuration Email Filter Log Record activity events such as detection of email that contains unwanted content and email from unwanted senders Update Record log messages when the FortiGate connects to the FDN to download antivirus and attack updates ...

Page 286: ...gs Adding traffic filter entries Enabling traffic logging You can enable logging on any interface VLAN subinterface and firewall policy Enabling traffic logging for an interface If you enable traffic logging for an interface all connections to and through the interface and recorded in the traffic log 1 Go to System Network Interface 2 Select Edit in the Modify column beside the interface for which...

Page 287: ... settings that you want to apply to all Traffic Log messages 3 Select Apply Figure 44 Example traffic filter list Resolve IP Select Resolve IP if you want traffic log messages to list the IP address and the domain name stored on the DNS server If the primary and secondary DNS server addresses provided to you by your ISP have not already been added go to System Network DNS and add the addresses Typ...

Page 288: ...e type of traffic that you want to record on the traffic log 4 Select OK The traffic filter list displays the new traffic address entry with the settings that you selected in Enabling traffic logging on page 286 Figure 45 Example new traffic address entry Name Type a name to identify the traffic filter entry The name can contain numbers 0 9 uppercase and lowercase letters A Z a z and the special c...

Page 289: ...vigate through the log message pages select Go to next page or Go to previous page Searching logs Use the following procedure to search log messages saved in system memory 1 Go to Log Report Logging 2 Select Event Log Attack Log Antivirus Log Web Filter Log or Email Filter Log 3 Select to search the messages in the selected log 4 Select AND to search for messages that match all the specified searc...

Page 290: ... the log the size of the log file and its name 3 To view a log file select View 4 The web based manager displays the messages in the selected log 5 You can set the number of log messages to view on a single page to 30 50 or 1000 You can scroll through the log entries 6 To view a specific line in the log file type a line number in the Go to line field and select 7 To navigate through the log messag...

Page 291: ...ile Each line of the text file consists of a log message the messages are the formatted the same way as they appear on the web based manager Select Download file in CSV format to download the log messages to text file in comma separated value CSV format In this format a comma is added between each field in each message If you open this file in a spreadsheet program each message field appears in a ...

Page 292: ...g alert email Enabling alert email Adding alert email addresses Because the FortiGate unit uses the SMTP server name to connect to the mail server it must be able to look up this name on your DNS server Therefore before configuring alert email ensure that you have configured at least one DNS server To add a DNS server 1 Go to System Network DNS 2 If they have not already been added add the primary...

Page 293: ...Go to Log Report Alert Mail Categories 2 Select Enable alert email for virus incidents to have the FortiGate unit send an alert email when antivirus scanning detects a virus Alert email is not sent when antivirus file blocking deletes a file 3 Select Enable alert email for block incidents to have the FortiGate unit send an alert email when it blocks files affected by viruses 4 Select Enable alert ...

Page 294: ...294 Fortinet Inc Configuring alert email Logging and reporting ...

Page 295: ...messages are formatted and transmitted and what actions Web servers and browsers should take in response to various commands HTTPS The SSL protocol for transmitting private documents over the Internet using a Web browser Internal interface The FortiGate interface that is connected to an internal private network Internet A collection of networks connected together that span the entire globe using t...

Page 296: ...ified address and waiting for a reply POP3 Post Office Protocol A protocol used to transfer e mail from a mail server to a mail client across the Internet Most e mail clients use POP PPP Point to Point Protocol A TCP IP protocol that provides host to network and router to router connections PPTP Point to Point Tunneling Protocol A Windows based technology for creating VPNs PPTP is supported by Win...

Page 297: ...tworks TCP guarantees delivery of data and also guarantees that packets will be delivered in the same order in which they were sent UDP User Datagram Protocol A connectionless protocol that like TCP runs on top of IP networks Unlike TCP UDP provides very few error recovery services offering instead a direct way to send and receive datagrams over an IP network It is used primarily for broadcasting ...

Page 298: ...298 Fortinet Inc Glossary ...

Page 299: ...k full 293 intrusion attempts 293 reducing messages 252 testing 293 virus incidents 293 allow inbound encrypt policy 175 allow outbound encrypt policy 175 allow traffic IP MAC binding 194 195 Anti Virus Web filter policy 176 antivirus definition updates manual 106 antivirus definitions updating 115 antivirus updates 117 configuring 118 through a proxy server 124 attack definition updates downloadi...

Page 300: ...ntact information registration 130 SNMP 162 content blocking exempting URLs 275 279 web page 268 278 content filter 267 277 content profiles default 197 cookies blocking 274 critical firewall events alert email 293 critical VPN events alert email 293 custom service 184 customer service 28 D date and time setting example 158 165 date setting 157 default gateway configuring Transparent mode 64 delet...

Page 301: ... 20 46 62 starting 46 62 firmware changing 94 installing 99 re installing current version 99 reverting to an older version 99 upgrading 94 upgrading to a new version 95 upgrading using the CLI 95 97 upgrading using the web base manager 95 96 first trap receiver IP address SNMP 163 fixed port 174 FortiCare service contracts 125 support contract number 129 Fortinet customer service 28 Fortinet suppo...

Page 302: ...195 block traffic 194 195 enabling 196 static IP MAC list 194 IPSec 295 IPSec VPN authentication for user group 207 AutoIKE 210 certificates 210 disabling 245 247 manual keys 210 pre shared keys 210 remote gateway 207 status 233 timeout 233 234 IPSec VPN tunnel testing 234 J Java applets 274 275 removing from web pages 274 K keyword log search 289 291 L L2TP 207 295 configuring Windows XP client 2...

Page 303: ...63 MIB FortiGate 163 mode Transparent 18 monitor system status 110 111 112 113 monitored interfaces 250 MTU size 137 changing 137 definition 296 improving network performance 137 N NAT introduction 17 policy option 174 push updates 120 NAT mode adding policy 172 IP addresses 47 NAT Route mode configuration from the CLI 47 HA 77 introduction 17 neighbor RIP 153 netmask administrator account 160 161...

Page 304: ...rver 124 push updates 124 push updates configuring 119 through a NAT device 120 through a proxy server 124 Q quarantine list filtering 265 sorting 264 viewing 264 quarantining blocked files 263 file 263 infected files 263 R RADIUS definition 296 example configuration 204 RADIUS server adding server address 204 deleting 204 read write access level administrator account 160 read only access level ad...

Page 305: ...0 serial number displaying 107 service 182 custom 184 group 185 policy option 174 predefined 182 service name 182 user defined 184 service contracts Forticare 125 service group adding 185 service name traffic filter display 287 session clearing 113 set time 157 setup wizard 46 62 starting 46 62 shutting down 110 signature threshold values 254 SMTP 184 configuring alert email 292 definition 296 SNM...

Page 306: ...ap community SNMP 163 traps SNMP 164 troubleshooting 233 trusted host administrator account 160 161 U UDP configuring checksum verification 250 unwanted content blocking 268 278 update 285 attack 118 push 119 updated antivirus 118 updating attack definitions 115 119 virus definitions 115 119 upgrade firmware 95 upgrading firmware 94 firmware using the CLI 95 97 firmware using the web based manager...

Page 307: ... 233 W web content filtering introduction 16 web filtering ActiveX 274 cookies 274 Java applets 274 overview 267 277 web filtering log 284 web page content blocking 268 278 web based manager 20 changing options 158 connecting to 32 introduction 20 language 159 timeout 158 WebTrends recording logs on NetIQ WebTrends server 282 Windows 2000 configuring for L2TP 245 configuring for PPTP 239 connectin...

Page 308: ...308 Fortinet Inc Index ...

Reviews:

No comments