manualshive.com logo in svg

Fortinet FortiGate 50A, Installation And Configuration Manual

The Fortinet FortiGate 50A is a powerful network security appliance designed to safeguard your business network. Ensure a smooth installation process with the detailed "Installation Manual" available for "free download" at our website. Equip your network with top-notch security by accessing the manual from manualshive.com.

Share
Download
background image

196

Fortinet Inc.

IPSec VPN concentrators

IPSec VPN

To make sure that the encrypt policy is matched for VPN connections, arrange the 
encrypt policy above other policies with similar source and destination addresses and 
services in the policy list.

Figure 25: Adding an encrypt policy

IPSec VPN concentrators 

In a hub-and-spoke network, all VPN tunnels terminate at a single VPN peer called a 
hub. The peers that connect to the hub are known as spokes. The hub functions as a 
concentrator on the network, managing the VPN connections between the spokes.

The advantage of a hub-and-spoke network is that the spokes are simpler to configure 
because they require fewer policy rules. Also, a hub-and-spoke network provides 
some processing efficiencies, particularly on the spokes. The disadvantage of a hub-
and-spoke network is its reliance on a single peer to handle management of all VPNs. 
If this peer fails, encrypted communication in the network is impossible.

A hub-and-spoke VPN network requires a special configuration. Setup varies 
depending on the role of the VPN peer.

Summary of Contents for FortiGate 50A

Page 1: ...FortiGate 50A Installation and Configuration Guide INTERNAL EXTERNAL LINK 100 LINK 100 PWR STATUS A FortiGate User Manual Volume 1 Version 2 50 29 February 2004 ...

Page 2: ...allation and Configuration Guide Version 2 50 29 February 2004 Trademarks Products mentioned in this document are trademarks or registered trademarks of their respective holders Regulatory Compliance FCC Class A Part 15 CSA CUS CAUTION RISK OF EXPLOSION IF BATTERY IS REPLACED BY AN INCORRECT TYPE DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS For technical support please visit http www fo...

Page 3: ... configuration 23 Factory default Transparent mode network configuration 23 Factory default firewall configuration 23 Factory default content profiles 25 Planning the FortiGate configuration 27 NAT Route mode 27 Transparent mode 28 Configuration options 28 FortiGate model maximum values matrix 30 Next steps 31 NAT Route mode installation 33 Installing the FortiGate unit using the default configura...

Page 4: ...g your FortiGate 45 Configuring virus and attack definition updates 45 Transparent mode configuration examples 46 Default routes and static routes 46 Example default route to an external network 47 Example static route to an external destination 48 Example static route to an internal destination 51 System status 53 Changing the FortiGate host name 54 Changing the FortiGate firmware 54 Upgrading to...

Page 5: ...dding an override server 77 Enabling scheduled updates through a proxy server 78 Enabling push updates 78 Enabling push updates 79 Push updates when FortiGate IP addresses change 79 Enabling push updates through a NAT device 79 Registering FortiGate units 83 FortiCare Service Contracts 84 Registering the FortiGate unit 85 Updating registration information 86 Recovering a lost Fortinet support pass...

Page 6: ...ination based routes to the routing table 101 Adding routes in Transparent mode 102 Configuring the routing table 102 Policy routing 103 Configuring DHCP services 104 Configuring a DHCP relay agent 104 Configuring a DHCP server 105 Configuring the modem interface 107 Connecting a modem to the FortiGate unit 108 Configuring modem settings 108 Connecting to a dialup account 109 Disconnecting the mod...

Page 7: ... 137 Default firewall configuration 138 Addresses 138 Services 139 Schedules 139 Content profiles 139 Adding firewall policies 140 Firewall policy options 140 Configuring policy lists 144 Policy matching in detail 145 Changing the order of policies in a policy list 145 Enabling and disabling policies 146 Addresses 146 Adding addresses 147 Editing addresses 148 Deleting addresses 148 Organizing add...

Page 8: ...ding content profiles 167 Adding content profiles to policies 169 Users and authentication 171 Setting authentication timeout 172 Adding user names and configuring authentication 172 Adding user names and configuring authentication 172 Deleting user names from the internal database 173 Configuring RADIUS support 174 Adding RADIUS servers 174 Deleting RADIUS servers 174 Configuring LDAP support 175...

Page 9: ...lup VPN connection status 201 Testing a VPN 202 PPTP and L2TP VPN 203 Configuring PPTP 203 Configuring the FortiGate unit as a PPTP gateway 203 Configuring a Windows 98 client for PPTP 206 Configuring a Windows 2000 client for PPTP 207 Configuring a Windows XP client for PPTP 207 Configuring L2TP 209 Configuring the FortiGate unit as an L2TP gateway 209 Configuring a Windows 2000 client for L2TP 2...

Page 10: ...ing the Banned Word list 233 Backing up the Banned Word list 233 Restoring the Banned Word list 233 URL blocking 235 Configuring FortiGate Web URL blocking 235 Configuring FortiGate Web pattern blocking 237 Configuring Cerberian URL filtering 238 Installing a Cerberian license key 238 Adding a Cerberian user 238 Configuring Cerberian web filter 239 Enabling Cerberian URL filtering 239 Script filte...

Page 11: ... 250 Adding a subject tag 250 Logging and reporting 251 Recording logs 251 Recording logs on a remote computer 251 Recording logs on a NetIQ WebTrends server 252 Log message levels 253 Filtering log messages 253 Configuring traffic logging 254 Enabling traffic logging 255 Configuring traffic filter settings 255 Adding traffic filter entries 256 Configuring alert email 257 Adding alert email addres...

Page 12: ...Contents 12 Fortinet Inc ...

Page 13: ...ode the FortiGate 50A is installed as a privacy barrier between the internal network and the Internet The firewall provides network address translation NAT to protect the internal private network You can control whether firewall policies run in NAT mode or route mode NAT mode policies route allowed connections between firewall interfaces performing network address translation to hide addresses on ...

Page 14: ...g variable keyword xxx_integer indicates an integer variable keyword xxx_ip indicates an IP address variable keyword vertical bar and curly brackets to separate alternative mutually exclusive required keywords For example set system opmode nat transparent You can enter set system opmode nat or set system opmode transparent square brackets to indicate that a keyword is optional For example get fire...

Page 15: ...ient detailed configuration information for FortiGate PPTP and L2TP VPN and VPN configuration examples Volume 3 FortiGate Content Protection Guide Describes how to configure antivirus protection web content filtering and email filtering to protect content as it passes through the FortiGate unit Volume 4 FortiGate NIDS Guide Describes how to configure the FortiGate NIDS to detect and protect the Fo...

Page 16: ...m the following addresses For information on Fortinet telephone support see http support fortinet com When requesting technical support please provide the following information Your name Company name Location Email address Telephone number FortiGate unit serial number FortiGate model FortiGate FortiOS firmware version Detailed description of the problem amer_support fortinet com For customers in t...

Page 17: ...he following If you are going to operate the FortiGate unit in NAT Route mode go to NAT Route mode installation on page 33 If you are going to operate the FortiGate unit in Transparent mode go to Transparent mode installation on page 41 This chapter describes Package contents Mounting Powering on Connecting to the web based manager Connecting to the command line interface CLI Factory default Forti...

Page 18: ... side to allow for adequate air flow and cooling Dimensions 8 63 x 6 13 x 1 38 in 21 9 x 15 6 x 3 5 cm Weight 1 5 lb 0 68 kg Power requirements DC input voltage 5 V DC input current 3 A PWR STATUS INTERNAL EXTERNAL LINK 100 LINK 100 PWR STATUS A Power LED Status LED External Interface Internal Interface Null Modem Cable RS 232 Documentation Ethernet Cables Orange Crossover Grey Straight through US...

Page 19: ...ade with the web based manager are effective immediately without resetting the firewall or interrupting service To connect to the web based manager you need a computer with an ethernet connection Internet Explorer version 4 0 or higher a crossover cable or an ethernet hub and two ethernet cables Table 1 FortiGate 50A LED indicators Power Green The FortiGate unit is powered on Off The FortiGate uni...

Page 20: ...ess https 192 168 1 99 The FortiGate login is displayed 4 Type admin in the Name field and select Login The Register Now window is displayed Use the information in this window to register your FortiGate unit so that Fortinet can contact you for firmware updates You must also register to receive updates to the FortiGate virus and attack definitions Figure 2 FortiGate login Connecting to the command...

Page 21: ...s port on the computer to which you have connected the null modem cable and select OK 5 Select the following port settings and select OK 6 Press Enter to connect to the FortiGate CLI The following prompt is displayed FortiGate 50A login 7 Type admin and press Enter twice The following prompt is displayed Type for a list of commands For information about how to use the CLI see the FortiGate CLI Ref...

Page 22: ...nternal network You can add more policies to provide more control of the network traffic passing through the FortiGate unit The factory default content profiles can be used to apply different levels of antivirus protection web content filtering and email filtering to the network traffic that is controlled by firewall policies Factory default DHCP configuration Factory default NAT Route mode networ...

Page 23: ...onfiguration listed in Table 4 Factory default firewall configuration The factory default firewall configuration is the same in NAT Route and Transparent mode Table 3 Factory default NAT Route mode network configuration Administrator account User name admin Password none Internal interface IP 192 168 1 99 Netmask 255 255 255 0 Management Access HTTPS Ping External interface Addressing Mode DHCP Ma...

Page 24: ...Traffic Shaping Traffic shaping is not selected The policy does not apply traffic shaping to the traffic controlled by the policy You can select this option to control the maximum or minimum amount of bandwidth available to traffic processed by the policy Authentication Authentication is not selected Users do not have to authenticate with the firewall before connecting to their destination address...

Page 25: ...tion for different firewall policies For example while traffic between internal and external addresses might need strict protection traffic between trusted internal addresses might need moderate protection You can configure policies for different traffic services to use the same or different content profiles Content profiles can be added to NAT Route mode and Transparent mode policies Strict conte...

Page 26: ...at control HTTP traffic Table 7 Scan content profile Options HTTP FTP IMAP POP3 SMTP Antivirus Scan File Block Web URL Block Web Content Block Web Script Filter Web Exempt List Email Block List Email Exempt List Email Content Block Oversized File Email Block pass pass pass pass pass Pass Fragmented Emails Table 8 Web content profile Options HTTP FTP IMAP POP3 SMTP Antivirus Scan File Block Web URL...

Page 27: ... network Like a router all its interfaces are on different subnets The following interfaces are available in NAT Route mode External is the interface to the external network usually the Internet Internal is the interface to the internal network You can add security policies to control whether communications through the FortiGate unit operate in NAT or Route mode Security policies control the flow ...

Page 28: ...ce you have selected Transparent or NAT Route mode operation you can complete the configuration plan and begin to configure the FortiGate unit You can use the web based manager setup wizard or the command line interface CLI for the basic configuration of the FortiGate unit Setup wizard If you are configuring the FortiGate unit to operate in NAT Route mode the default the setup wizard prompts you t...

Page 29: ...teway and the DNS server addresses CLI If you are configuring the FortiGate unit to operate in NAT Route mode you can add the administration password and the Internal interface address You can also use the CLI to configure the external interface for either a manual static or a dynamic DHCP or PPPoE address Using the CLI you can also add DNS server IP addresses and a default route for the external ...

Page 30: ...ses 500 500 500 500 3000 3000 6000 6000 10000 10000 10000 10000 Firewall address groups 500 500 500 500 500 500 500 500 500 500 500 500 Firewall custom services 500 500 500 500 500 500 500 500 500 500 500 500 Firewall service groups 500 500 500 500 500 500 500 500 500 500 500 500 Firewall recurring schedules 256 256 256 256 256 256 256 256 256 256 256 256 Firewall onetime schedules 256 256 256 256...

Page 31: ...rators 500 500 500 500 500 500 500 500 500 500 500 500 PPTP users 500 500 500 500 500 500 500 500 500 500 500 500 L2TP users 500 500 500 500 500 500 500 500 500 500 500 500 NIDS user defined signatures 100 100 100 100 100 100 100 100 100 100 100 100 Antivirus file block patterns 56 56 56 56 56 56 56 56 56 56 56 56 Web filter and email filter lists Limit varies depending on available system memory ...

Page 32: ...32 Fortinet Inc Next steps Getting started ...

Page 33: ...ation If the factory default settings in Table 11 are compatible with your requirements all you need to do is configure your internal network and then connect the FortiGate unit Table 11 FortiGate unit factory default configuration Operating Mode NAT Route mode Firewall Policy One NAT mode policy that allows users on the internal network to access any Internet service No other traffic is allowed A...

Page 34: ...rmation in the rest of this chapter to change the default configuration as required Preparing to configure NAT Route mode Use Table 12 to gather the information that you need to customize NAT Route mode settings Table 12 NAT Route mode settings Administrator password Internal interface IP _____ _____ _____ _____ Netmask _____ _____ _____ _____ External interface IP _____ _____ _____ _____ Netmask ...

Page 35: ...tup wizard to change the IP address of the internal interface you must reconnect to the web based manager using a new IP address Browse to https followed by the new IP address of the internal interface Otherwise you can reconnect to the web based manager by browsing to https 192 168 1 99 You have now completed the initial configuration of your FortiGate unit and you can proceed to Connecting the F...

Page 36: ...mode static ip 192 168 1 1 255 255 255 0 3 Set the IP address and netmask of the external interface to the external IP address and netmask that you recorded in Table 12 on page 34 To set the manual IP address and netmask enter set system interface external static ip IP address netmask Example set system interface external mode static ip 204 23 1 5 255 255 255 0 To set the external interface to use...

Page 37: ...ateway_ip Example set system route number 0 dst 0 0 0 0 0 0 0 0 gw1 204 23 1 2 Figure 5 FortiGate 50A network connections Connecting the FortiGate unit to your networks When you have completed the initial configuration you can connect the FortiGate unit between your internal network and the Internet There are two 10 100 BaseTX connectors on the FortiGate 50A Internal for connecting to your interna...

Page 38: ... that the connected FortiGate unit is functioning properly by connecting to the Internet from a computer on your internal network You should be able to connect to any Internet address Completing the configuration Use the information in this section to complete the initial configuration of the FortiGate unit Setting the date and time For effective scheduling and logging the FortiGate system date an...

Page 39: ...iGate units in a single session without re entering your contact information For more information about registration see Registering FortiGate units on page 83 Configuring virus and attack definition updates You can go to System Update to configure the FortiGate unit to automatically check to see if new versions of the virus definitions and attack definitions are available If it finds new versions...

Page 40: ...40 Fortinet Inc Completing the configuration NAT Route mode installation ...

Page 41: ...rks Completing the configuration Transparent mode configuration examples Preparing to configure Transparent mode Use Table 14 to gather the information that you need to customize Transparent mode settings Table 14 Transparent mode settings Administrator Password Management IP IP _____ _____ _____ _____ Netmask _____ _____ _____ _____ Default Gateway _____ _____ _____ _____ The management IP addres...

Page 42: ... Select Easy Setup Wizard the middle button in upper right corner of the web based manager 2 Use the information that you gathered in Table 14 on page 41 to fill in the wizard fields Select the Next button to step through the wizard pages 3 Confirm your configuration settings and then select Finish and Close Reconnecting to the web based manager If you changed the IP address of the management inte...

Page 43: ...P address and netmask that you recorded in Table 14 on page 41 Enter set system management ip IP address netmask Example set system management ip 10 10 10 2 255 255 255 0 3 Confirm that the address is correct Enter get system management The CLI lists the management IP address and netmask Configure the Transparent mode default gateway 1 Log into the CLI if you are not already logged in 2 Set the de...

Page 44: ...his means that all of its interfaces are on the same IP subnet and that it appears to other devices as a bridge Typically the FortiGate unit would be deployed in Transparent mode when it is intended to provide antivirus and content scanning behind an existing firewall solution A FortiGate unit in Transparent mode can also perform firewalling Even though it takes no part in the layer 3 topology it ...

Page 45: ...nges Registering your FortiGate After purchasing and installing a new FortiGate unit you can register the unit by going to System Update Support or using a web browser to connect to http support fortinet com and selecting Product Registration Registration consists of entering your contact information and the serial numbers of the FortiGate units you or your organization have purchased Registration...

Page 46: ...to enter one or more static routes in addition to the default route This section describes Default routes and static routes Example default route to an external network Example static route to an external destination Example static route to an internal destination Default routes and static routes To create a route to a destination you need to define an IP prefix which consists of an IP network add...

Page 47: ...To facilitate this connection you must enter a single default route that points to the upstream router as the next hop default gateway Figure 7 Default route to an external network General configuration steps 1 Set the FortiGate unit to operate in Transparent mode 2 Configure the Management IP address and Netmask of the FortiGate unit 3 Configure the default route to the external network Internal ...

Page 48: ... Transparent Mode set system opmode transparent 2 Add the Management IP address and Netmask set system management ip 192 168 1 1 255 255 255 0 3 Add the default route to the external network set system route number 1 gw1 192 168 1 2 Example static route to an external destination Figure 8 shows a FortiGate unit that requires routes to the FDN located on the external network The Fortigate unit does...

Page 49: ...ress and Netmask of the FortiGate unit 3 Configure the static route to the FortiResponse server 4 Configure the default route to the external network Note This is an example configuration only To configure a static route you require a destination IP address Management Computer Internal Network DMZ Internet Upstream Router Gateway IP 192 168 1 2 Management IP 192 168 1 1 FortiResponse Distribution ...

Page 50: ...add the static route to the FortiResponse server Destination IP 24 102 233 5 Mask 255 255 255 0 Gateway 192 168 1 2 Select OK Select New to add the default route to the external network Destination IP 0 0 0 0 Mask 0 0 0 0 Gateway 192 168 1 2 Select OK CLI configuration steps To configure the Fortinet basic settings and a static route using the CLI 1 Set the system to operate in Transparent Mode se...

Page 51: ... it This route will point to the internal router as the next hop No route is required for the DNS servers because they are on the same layer 3 subnet as the FortiGate unit Figure 9 Static route to an internal destination General configuration steps 1 Set the unit to operate in Transparent mode 2 Configure the Management IP address and Netmask of the FortiGate unit 3 Configure the static route to t...

Page 52: ...em Network Routing Select New to add the static route to the management computer Destination IP 172 16 1 11 Mask 255 255 255 0 Gateway 192 168 1 3 Select OK Select New to add the default route to the external network Destination IP 0 0 0 0 Mask 0 0 0 0 Gateway 192 168 1 2 Select OK CLI configuration steps To configure the FortiGate basic settings a static route and a default route using the CLI 1 ...

Page 53: ... updates Manual attack definition updates Backing up system settings Restoring system settings Restoring system settings to factory defaults Changing to Transparent mode Changing to NAT Route mode Restarting the FortiGate unit Shutting down the FortiGate unit If you log into the web based manager with another administrator account you can view the system settings including Displaying the FortiGate...

Page 54: ...OS firmware version or to a more recent build of the same firmware version Reverting to a previous firmware version Use the web based manager or CLI procedure to revert to a previous firmware version This procedure reverts the FortiGate unit to its factory default configuration Installing firmware images from a system reboot using the CLI Use this procedure to install a new firmware version or rev...

Page 55: ...anually initiating antivirus and attack definitions updates on page 75 Upgrading the firmware using the CLI To use the following procedure you must have a TFTP server that the FortiGate unit can connect to To upgrade the firmware using the CLI 1 Make sure that the TFTP server is running 2 Copy the new firmware image file to the root directory of the TFTP server 3 Log into the CLI as the admin admi...

Page 56: ...d enter get system status 8 Use the procedure Manually initiating antivirus and attack definitions updates on page 75 to update antivirus and attack definitions or from the CLI enter execute updatecenter updatenow 9 To confirm that the antivirus and attack definitions are successfully updated enter the following command to display the antivirus engine virus and attack definitions version contract ...

Page 57: ...ngs on page 64 10 Update antivirus and attack definitions For information about antivirus and attack definitions see Manually initiating antivirus and attack definitions updates on page 75 Reverting to a previous firmware version using the CLI This procedure reverts your FortiGate unit to its factory default configuration and deletes NIDS user defined signatures web content lists email filtering l...

Page 58: ...uild045 FORTINET out 192 168 1 168 The FortiGate unit uploads the firmware image file After the file uploads a message similar to the following is displayed Get image from tftp server OK This operation will downgrade the current firmware version Do you want to continue y n 6 Type Y 7 The FortiGate unit reverts to the old firmware version resets the configuration to factory defaults and restarts Th...

Page 59: ...ined signatures For information see the FortiGate NIDS Guide Back up web content and email filtering lists For information see the FortiGate Content Protection Guide If you are reverting to a previous FortiOS version for example reverting from FortiOS v2 50 to FortiOS v2 36 you might not be able to restore your previous configuration from the backup configuration file To install firmware from a sy...

Page 60: ...wing message appears Enter Local Address 192 168 1 188 10 Type the address of the internal interface of the FortiGate unit and press Enter The following message appears Enter File Name image out 11 Enter the firmware image filename and press Enter The TFTP server uploads the firmware image file to the FortiGate unit and messages similar to the following are displayed Save as Default firmware Run i...

Page 61: ...age 75 Testing a new firmware image before installing it You can test a new firmware image by installing the firmware image from a system reboot and saving it to system memory After completing this procedure the FortiGate unit operates using the new firmware image with the current configuration This new firmware image is not permanently installed The next time the FortiGate unit restarts it operat...

Page 62: ...of the internal interface of the FortiGate unit and press Enter The following message appears Enter File Name image out 11 Enter the firmware image file name and press Enter The TFTP server uploads the firmware image file to the FortiGate unit and messages similar to the following appear Save as Default firmware Run image without saving D R 12 Type R The FortiGate image is installed to system memo...

Page 63: ...Attack Definitions used by the Network Intrusion Detection System NIDS To update the attack definitions manually 1 Download the latest attack definitions update file from Fortinet and copy it to the computer that you use to connect to the web based manager 2 Start the web based manager and go to System Status 3 In the Attack Definitions Version section select Definitions Update 4 Type the path and...

Page 64: ...tem settings 1 Go to System Status 2 Select System Settings Backup 3 Select Backup System Settings 4 Type a name and location for the file The system settings file is backed up to the management computer 5 Select Return to go back to the Status page Restoring system settings You can restore system settings by uploading a previously downloaded system settings text file To restore system settings 1 ...

Page 65: ... to Transparent mode After you change the FortiGate unit to Transparent mode most of the configuration resets to Transparent mode factory defaults The following items are not set to Transparent mode factory defaults The admin administrator account password see Adding and editing administrator accounts on page 123 Custom replacement messages see Replacement messages on page 133 To change to Transpa...

Page 66: ...e to NAT Route mode 1 Go to System Status 2 Select Change to NAT Mode 3 Select NAT Route in the operation mode list 4 Select OK The FortiGate unit changes operation mode 5 To reconnect to the web based manager you must connect to the interface configured by default for management access By default in NAT Route mode you can connect to the internal interface The default Transparent mode management I...

Page 67: ...ager displays CPU and memory usage for core processes only CPU and memory use for management processes for example for HTTPS connections to the web based manager is excluded If CPU and memory use is low the FortiGate unit is able to process much more network traffic than is currently running If CPU and memory use is high the FortiGate unit is performing near its full capacity Putting additional de...

Page 68: ...rt The Network utilization section displays the total network bandwidth being used through all FortiGate interfaces It also displays network utilization as a percentage of the maximum network bandwidth that can be processed by the FortiGate unit To view sessions and network status 1 Go to System Status Monitor 2 Select Sessions Network Sessions and network status is displayed The display includes ...

Page 69: ...tor 2 Select Virus Intrusions Virus and intrusions status is displayed The display includes bar graphs of the number viruses and intrusions detected per hour as well as line graphs of the number of viruses and intrusions detected for the last 20 hours 3 Set the automatic refresh interval and select Go to control how often the web based manager updates the display More frequent updates use system r...

Page 70: ...e permission and the FortiGate admin user can also stop active communication sessions To view the session list 1 Go to System Status Session The web based manager displays the total number of active sessions in the FortiGate unit session table and lists the top 16 2 To navigate the list of sessions select Page Up or Page Down 3 Select Refresh to update the session list 4 If you are logged in as an...

Page 71: ... list Protocol The service protocol of the connection for example udp tcp or icmp From IP The source IP address of the connection From Port The source port of the connection To IP The destination IP address of the connection To Port The destination port of the connection Expire The time in seconds before the connection expires Clear Stop an active communication session ...

Page 72: ...72 Fortinet Inc Session list System status ...

Page 73: ...ate unit on the Fortinet support web page This chapter describes Updating antivirus and attack definitions Scheduling updates Enabling push updates Registering FortiGate units Updating registration information Registering a FortiGate unit after an RMA Updating antivirus and attack definitions You can configure the FortiGate unit to connect to the FortiResponse Distribution Network FDN to automatic...

Page 74: ... the FortiGate unit connects to the FDN it connects to the nearest FDS To do this all FortiGate units are programmed with a list of FDS addresses sorted by nearest time zone according to the time zone configured for the FortiGate unit To make sure the FortiGate unit receives updates from the nearest FDS check that you have selected the correct time zone for your area To make sure the FortiGate uni...

Page 75: ...nnections to the FDN Connections Status Comments FortiResponse Distribution Network Available The FortiGate unit can connect to the FDN You can configure the FortiGate unit for scheduled updates See Scheduling updates on page 76 Not available The FortiGate unit cannot connect to the FDN You must configure your FortiGate unit and your network so that the FortiGate unit can connect to the Internet a...

Page 76: ... check for and download updated definitions hourly daily or weekly according to a schedule that you specify This section describes Enabling scheduled updates Adding an override server Enabling scheduled updates through a proxy server Enabling scheduled updates To enable scheduled updates 1 Go to System Update 2 Select the Scheduled Update check box 3 Select one of the following to check for and do...

Page 77: ...se server you can use the following procedure to add the IP address of an override FortiResponse server To add an override server 1 Go to System Update 2 Select the Use override server address check box 3 Type the IP address of a FortiResponse server 4 Select Apply The FortiGate unit tests the connection to the override server If the FortiResponse Distribution Network setting changes to available ...

Page 78: ...t required to connect to the FDN The proxy server establishes the connection to the FDN and passes information between the FortiGate unit and the FDN The CONNECT method is used mostly for tunneling SSL traffic Some proxy servers do not allow the CONNECT to connect to any port they restrict the allowed ports to the well known ports for HTTPS and perhaps some other similar services Because FortiGate...

Page 79: ...de the SETUP message includes the FortiGate external IP address If your FortiGate unit is running in Transparent mode the SETUP message includes the FortiGate management IP address The FDN must be able to connect to this IP address for your FortiGate unit to be able to receive push update messages If your FortiGate unit is behind a NAT device see Enabling push updates through a NAT device on page ...

Page 80: ...f it is operating in NAT Route mode or the Management IP address of the FortiGate unit if it is operating in Transparent mode Figure 2 Example network topology Push updates through a NAT device Note You cannot receive push updates through a NAT device if the external IP address of the NAT device is dynamic for example set using PPPoE or DHCP Note This example describes the configuration for a Fort...

Page 81: ...ortiGate NAT device 1 Go to Firewall Virtual IP 2 Select New 3 Type a name for the virtual IP 4 In the External Interface section select the external interface that the FDN connects to For the example topology select the external interface 5 In the Type section select Port Forwarding 6 In the External IP Address section type the external IP address that the FDN connects to For the example topology...

Page 82: ... a new external to internal firewall policy 2 Configure the policy with the following settings 3 Select OK Configuring the FortiGate unit with an override push IP and port To configure the FortiGate unit on the internal network 1 Go to System Update 2 Select the Allow Push Update check box 3 Select the Use override push check box Source External_All Destination The virtual IP added above Schedule ...

Page 83: ...purchasing and installing a new FortiGate unit you can register the unit using the web based manager by going to System Update Support page or by using a web browser to connect to http support fortinet com and selecting Product Registration Registration consists of entering your contact information and the serial numbers of the FortiGate units that you or your organization purchased You can regist...

Page 84: ...rized Fortinet reseller or distributor Different levels of service are available so you can purchase the support that you need For maximum network protection Fortinet strongly recommends that all customers purchase a service contract that covers antivirus and attack definition updates See your Fortinet reseller or distributor for details of packages and pricing To activate the FortiCare Support Co...

Page 85: ...ou know the answer to The answer should not be easy to guess The product model and serial number for each FortiGate unit that you want to register The serial number is located on a label on the bottom of the FortiGate unit You can view the Serial number from the web based manager by going to System Status The serial number is also available from the CLI using the get system status command FortiCar...

Page 86: ...ed information about the Fortinet technical support services available to you for the registered FortiGate unit Your Fortinet support user name and password is sent to the email address provided with your contact information Updating registration information You can use your Fortinet support user name and password to log on to the Fortinet Support web site at any time to view or update your Fortin...

Page 87: ...o the security question an email containing a new password is sent to your email address You can use your current user name and this password to log into the Fortinet support web site 7 Select Support Login 8 When you receive your new password enter your user name and new password to log into the Fortinet support web site Viewing the list of registered FortiGate units To view the list of registere...

Page 88: ... the product model that you want to register 7 Enter the serial number of the FortiGate unit 8 If you have purchased a FortiCare Support Contract for this FortiGate unit enter the support contract number 9 Select Finish The list of FortiGate products that you have registered is displayed The list now includes the new FortiGate unit Adding or changing a FortiCare Support Contract number To add or c...

Page 89: ...My Profile 6 Select Change Password 7 Enter your current password 8 Enter and confirm a new password An email is sent to your email address confirming that your password has been changed Use your current user name and new password the next time you log into the Fortinet technical support web site Changing your contact information or security question To change your contact information or security ...

Page 90: ...ortiGate unit To download virus and attack definitions updates 1 Go to System Update Support 2 Select Support Login 3 Enter your Fortinet support user name and password 4 Select Login 5 Select Download Virus Attack Update 6 If required select the FortiOS version 7 Select the virus and attack definitions to download Figure 8 Downloading virus and attack definition updates For information about how ...

Page 91: ...r The RMA is recorded and you will receive a replacement unit Fortinet adds the RMA information to the Fortinet support database When you receive the replacement unit you can use the following procedure to update your product registration information To register a FortiGate unit after an RMA 1 Go to System Update Support 2 Select Support Login 3 Enter your Fortinet support user name and password t...

Page 92: ...92 Fortinet Inc Registering a FortiGate unit after an RMA Virus and attack definitions updates and registration ...

Page 93: ...ng interfaces Use the following procedures to configure FortiGate interfaces Viewing the interface list Changing the administrative status of an interface Configuring an interface with a manual IP address Configuring an interface for DHCP Configuring an interface for PPPoE Adding a secondary IP address to an interface Adding a ping server to an interface Controlling administrative access to an int...

Page 94: ...ept traffic To change the administrative status see Changing the administrative status of an interface on page 94 Changing the administrative status of an interface You can use the following procedures to start an interface that is administratively down and stop and interface that is administratively up To start up an interface that is administratively down 1 Go to System Network Interface The int...

Page 95: ...er You can disable the option Retrieve default gateway and DNS from server if you do not want the DHCP server to configure these FortiGate settings To configure an interface for DHCP 1 Go to System Network Interface 2 Choose an interface and select Modify 3 In the Addressing Mode section select DHCP 4 Clear the Retrieve default gateway and DNS from server check box if you do not want the FortiGate...

Page 96: ...ate unit to obtain a default gateway IP address and DNS server IP addresses from the PPPoE server By default this option is enabled 6 Clear the Connect to Server check box if you do not want the FortiGate unit to connect to the PPPoE server By default this option is enabled 7 Select Apply The FortiGate unit attempts to contact the PPPoE server from the interface to set the IP address netmask defau...

Page 97: ...n settings on page 123 5 Select OK to save the changes Controlling administrative access to an interface For a FortiGate unit running in NAT Route mode you can control administrative access to an interface to control how administrators access the FortiGate unit and the FortiGate interfaces to which administrators can connect Controlling administrative access for an interface connected to the Inter...

Page 98: ...and DHCP addressing mode the MTU size can be from 576 to 1500 bytes For PPPoE addressing mode the MTU size can be from 576 to 1492 bytes Configuring traffic logging for connections to an interface To configure traffic logging for connections to an interface 1 Go to System Network Interface 2 Choose an interface and select Modify 3 Select the Log check box to record log messages whenever a firewall...

Page 99: ...e secure administrative access to this interface using only HTTPS or SSH Do not change the system idle timeout from the default value of 5 minutes see To set the system idle timeout on page 122 To configure the management interface in Transparent mode 1 Go to System Network Management 2 Change the Management IP and Netmask as required This must be a valid IP address for the network that you want t...

Page 100: ...ort more advanced routing functions You can also use routing to create a multiple Internet connection configuration that supports redundancy and load sharing between the two Internet connections This section describes Adding a default route Adding destination based routes to the routing table Adding routes in Transparent mode Configuring the routing table Policy routing Adding a default route You ...

Page 101: ...uting Table 2 Select New to add a new route 3 Type the Destination IP address and netmask for the route 4 Add the IP address of Gateway 1 Gateway 1 is the IP address of the primary destination for the route Gateway 1 must be on the same subnet as a Fortigate interface If you are adding a static route from the FortiGate unit to a single destination router you need to specify only one gateway 5 Add ...

Page 102: ... add more routes as required Configuring the routing table The routing table shows the destination IP address and mask of each route that you add as well as the gateways and devices added to the route The routing table also displays the gateway connection status A green check mark indicates that the FortiGate unit has used the ping server and dead gateway detection to determine that it can connect...

Page 103: ...it matches the traffic with the policy routes added to the RPDB starting at the top of the list The first policy route that matches is used to set the route for the traffic The route supplies the next hop gateway as well as the FortiGate interface to be used by the traffic Packets are matched with policy routes before they are matched with destination routes If a packet does not match a policy rou...

Page 104: ...ction describes the following Configuring a DHCP relay agent Configuring a DHCP server Configuring a DHCP relay agent In a DHCP relay configuration the FortiGate unit forwards DHCP requests from DHCP clients through the FortiGate unit to a DHCP server The FortiGate unit also returns responses from the DHCP server to the DHCP clients The DHCP server must have a route to the FortiGate unit that is c...

Page 105: ...configured an interface as a DHCP server the interface requires at least one scope also called an address scope The scope designates the starting IP and ending IP for the range of addresses that the FortiGate unit assigns to DHCP clients You can add multiple scopes to an interface so that the DHCP server added to that interface can supply IP addresses to computers on multiple subnets Add multiple ...

Page 106: ...n select it 4 Select a scope You must configure an address scope for the interface before you can select it 5 Select New to add a reserved IP 6 Configure the reserved IP Scope Name Enter the address scope name IP Pool Enter the starting IP and ending IP for the range of IP addresses that this DHCP server assigns to DHCP clients Netmask Enter the netmask that the DHCP server assigns to the DHCP cli...

Page 107: ...thernet interface when that ethernet interface is unavailable In standalone mode the modem interface is the connection from the FortiGate unit to the Internet When connecting to the ISP in either configuration the FortiGate unit modem can automatically dial up to three dialup accounts until the modem connects to an ISP Connecting a modem to the FortiGate unit Configuring modem settings Connecting ...

Page 108: ...em interface network connection Configuring modem settings Configure modem settings so that the FortiGate unit uses the modem to connect to your ISP dialup accounts You can configure the modem to connect to up to three dialup accounts You can also enable and disable FortiGate modem support configure how the modem dials and select the FortiGate interface that the modem is redundant for To configure...

Page 109: ...he dialup account Redial Limit The maximum number of times 1 10 that the FortiGate unit dials the ISP to restore an active connection on the modem interface The default redial limit is 1 Select None to allow the modem to never stop redialing Holddown Timer For backup configurations The time 1 60 seconds that the FortiGate unit waits before switching from the modem interface to the primary interfac...

Page 110: ... in the modem configuration and configure a ping server for that interface You must also configure firewall policies for connections between the modem interface and other FortiGate interfaces To configure backup mode 1 Go to System Network Modem 2 From the Redundant for list select the ethernet interface that you want the modem to back up 3 Configure other modem settings as required See Configurin...

Page 111: ... there is correct information in one or more Dialup Accounts 4 Select Dial Up The FortiGate unit initiates dialing into each dialup account in turn until the modem connects to an ISP 5 Configure firewall policies for connections to the modem interface See Adding firewall policies for modem connections on page 111 Adding firewall policies for modem connections The modem interface requires firewall ...

Page 112: ...112 Fortinet Inc Configuring the modem interface Network configuration ...

Page 113: ...ortiGate RIP RIP settings Configuring RIP for FortiGate interfaces Adding RIP filters RIP settings To configure RIP on the FortiGate unit 1 Go to System RIP Settings 2 Select Enable RIP When you enable RIP the Fortigate unit starts the RIP process The FortiGate unit does not send or receive RIP packets until you enable RIP on at least one interface For information about configuring RIP see Configu...

Page 114: ...he default output delay is 0 milliseconds Update The time interval in seconds between RIP updates The default is 30 seconds Invalid The time interval in seconds after which a route is declared invalid Invalid should be at least three times the value of Update During the invalid interval after the first update is missed and before the invalid timer expires the route is marked inaccessible and adver...

Page 115: ...e routing broadcasts are UDP packets with a destination port of 520 RIP1 Receive Enables listening on port 520 of an interface for RIP version 1 broadcasts RIP2 Send Enables sending RIP version 2 broadcasts from this interface to the network it is connected to The routing broadcasts are UDP packets with a destination port of 520 RIP2 Receive Enables listening on port 520 of an interface for RIP ve...

Page 116: ...e an MD5 hash MD5 only guarantees the authenticity of the update packet not the confidentiality of the routing information in the packet Metric Changes the metric for routes sent by this interface All routes sent from this interface have this metric added to their current metric value You can change the interface metric to give a higher priority to an interface For example if you have two interfac...

Page 117: ...xes in the routing table entries in the update packet For the outgoing filter RIP attempts to match prefixes in the filter list against prefixes in the RIP routing table You can add up to four RIP filter lists to the FortiGate RIP configuration You can then select one RIP filter list for each RIP filter type neighbors incoming routes outgoing routes If you do not select a RIP filter list for any o...

Page 118: ...low or deny 5 For Interface enter the name of the interface to which to apply the entry 6 Select OK to add the entry to the RIP filter list 7 Repeat steps 2 to 6 to add entries to the RIP filter list Assigning a RIP filter list to the neighbors filter The neighbors filter allows or denies updates from other routers You can assign a single RIP filter list to the neighbors filter To assign a RIP fil...

Page 119: ...ilter allows or denies adding routes to outgoing RIP update packets You can assign a single RIP filter list to the outgoing filter To assign a RIP filter list to the outgoing filter 1 Go to System RIP Filter 2 Add RIP filter lists as required 3 For Outgoing Routes Filter select the name of the RIP filter list to assign to the outgoing filter 4 Select Apply ...

Page 120: ...120 Fortinet Inc Adding RIP filters RIP configuration ...

Page 121: ... Refresh to display the current FortiGate system date and time 3 Select your Time Zone from the list 4 Select the Automatically adjust clock for daylight saving changes check box if you want the FortiGate system clock to be adjusted automatically when your time zone changes to daylight saving time 5 Select Set Time and set the FortiGate system date and time to the correct date and time if required...

Page 122: ...er Modify the dead gateway detection settings To set the system idle timeout 1 Go to System Config Options 2 For Idle Timeout type a number in minutes 3 Select Apply Idle Timeout controls the amount of inactive time that the web based manager waits before requiring the administrator to log in again The default idle time out is 5 minutes The maximum idle time out is 480 minutes 8 hours To set the A...

Page 123: ...Adding a ping server to an interface on page 97 To modify the dead gateway detection settings 1 Go to System Config Options 2 For Detection Interval type a number in seconds to specify how often the FortiGate unit tests the connection to the ping target 3 For Fail over Detection type a number of times that the connection test fails before the FortiGate unit assumes that the gateway is no longer fu...

Page 124: ...the network For example to limit an administrator to accessing the FortiGate unit from your internal network set the trusted host to the address of your internal network for example 192 168 1 0 and set the netmask to 255 255 255 0 6 Set the Permission level for the administrator 7 Select OK to add the administrator account Editing administrator accounts The admin account user can change individual...

Page 125: ...d host to the address of the network and set the netmask to the netmask for the network For example to limit an administrator to accessing the FortiGate unit from your internal network set the trusted host to the address of your internal network for example 192 168 1 0 and set the netmask to 255 255 255 0 8 Change the administrator s permission level as required 9 Select OK 10 To delete an adminis...

Page 126: ...efore a remote SNMP manager can connect to the FortiGate agent you must configure one or more FortiGate interface s to accept SNMP connections The configuration steps to follow depend on whether the FortiGate unit is operating in NAT Route mode or Transparent mode To configure SNMP access to an interface in NAT Route mode 1 Go to System Network Interface 2 Choose the interface that the SNMP manage...

Page 127: ...sent to the FortiGate unit When an SNMP manager sends a get request to the FortiGate unit it must include the correct get community string The default get community string is public Change the default get community string to keep intruders from using get requests to retrieve information about your network configuration The get community string must be used in your SNMP manager to enable it to acce...

Page 128: ...tion fortinet trap mib The Fortinet trap MIB is a proprietary MIB that is required for your SNMP manager to receive traps from the FortiGate SNMP agent For more information about FortiGate traps see FortiGate traps on page 129 fortinet mib The Fortinet MIB is a proprietary MIB that includes detailed FortiGate system configuration information Add this MIB to your SNMP manager to monitor all FortiGa...

Page 129: ...he trap message includes the name of the interface the new IP address of the interface and the serial number of the FortiGate unit This trap can be used to track interface IP address changes for interfaces configured with dynamic IP addresses set using DHCP or PPPoE Table 3 FortiGate system traps Trap message Description interface interface_name is up An interface changes from the up state to the ...

Page 130: ...sage Description VPN tunnel is up An IPSec VPN tunnel starts up and begins processing network traf fic VPN tunnel down An IPSec VPN tunnel shuts down Table 5 FortiGate NIDS traps Trap message Description Flood attack happened NIDS attack prevention detects and provides protection from a syn flood attack Port scan attack hap pened NIDS attack prevention detects and provides protection from a port s...

Page 131: ...s fnSysNetwork FortiGate system network configuration including the interface VLAN rout ing DHCP zone and DNS configuration fnSysConfig FortiGate system configuration including time options administrative users and HA configuration fnSysSnmp FortiGate SNMP configuration Table 9 Firewall MIB fields MIB field Description fnFirewallPolicy FortiGate firewall policy list including complete configuratio...

Page 132: ...NidsDetection NIDS detection configuration fnNidsPrevention NIDS prevention configuration fnNidsResponse NIDS response configuration Table 13 Antivirus MIB fields fnAvFileBlock Antivirus file blocking configuration fnAvQuarantine Antivirus quarantine configuration fnAVConfig Antivirus configuration including the current virus definition virus list Table 14 Web filter MIB fields fnWebFiltercfgMsgTa...

Page 133: ...o alert email messages to control the information that appears in alert emails for virus incidents NIDS events critical system events and disk full events This section describes Customizing replacement messages Customizing alert emails Figure 3 Sample replacement message Customizing replacement messages Each of the replacement messages in the replacement message list is created by combining replac...

Page 134: ...setup dialog box edit the text of the message Table 17 lists the replacement message sections that can be added to alert email messages and describes the tags that can appear in each section In addition to the allowed tags you can add text and HTML code 4 Select OK to save the changes Table 16 Replacement message sections File blocking Used for file blocking all services Section Start BLOCKED Allo...

Page 135: ...us EMAIL_FROM The email address of the sender of the message in which the virus was found EMAIL_TO The email address of the intended receiver of the message in which the virus was found Section End VIRUS_ALERT Block alert Used for file block alert email messages Section Start BLOCK_ALERT Allowed Tags FILE The name of the file that was blocked PROTOCOL The service for which the file was blocked SOU...

Page 136: ...placement messages System configuration Critical event Used for critical firewall event alert emails Section Start CRITICAL_EVENT Allowed Tags CRITICAL_EVENT The firewall critical event message Section End CRITICAL_EVENT ...

Page 137: ...process the packet as an IPSec VPN packet You can also add schedules to policies so that the firewall can process connections differently depending on the time of day or the day of the week month or year Each policy can be individually configured to route connections or apply network address translation NAT to translate source and destination IP addresses and ports You can add IP pools to use dyna...

Page 138: ...t The default policy also applies virus scanning to all HTTP FTP SMTP POP3 and IMAP traffic matched by the policy The policy applies virus scanning because the Antivirus Web Filter option is selected and the Content profile is set to Scan For more information about content profiles see Content profiles on page 166 Figure 4 Default firewall policy Addresses Services Schedules Content profiles Addre...

Page 139: ...ured with over 40 predefined services You can add these services to a policy for more control over the services that can be used by connections through the firewall You can also add user defined services For more information about services see Services on page 149 Schedules Policies can control connections based on the time of day or day of the week when the firewall receives the connection The de...

Page 140: ... address or address group that matches the source address of the packet Before you can add this address to a policy you must add it to the source interface For information about adding an address see Addresses on page 146 Destination Select an address or address group that matches the destination address of the packet Before you can add this address to a policy you must add it to the destination i...

Page 141: ... configure NAT and Authentication for the policy DENY Deny the connection The only other policy option that you can configure is Log Traffic to log the connections denied by this policy ENCRYPT Make this policy an IPSec VPN policy If you select ENCRYPT you can select an AutoIKE Key or Manual Key VPN tunnel for the policy and configure other IPSec settings You cannot add authentication to an ENCRYP...

Page 142: ...rom an IP pool The IP pool must be added to the destination interface of the policy You cannot select Dynamic IP Pool if the destination interface is configured using DHCP or PPPoE For information about adding IP pools see IP pools on page 161 Fixed Port Select Fixed Port to prevent NAT from translating the source port Some applications do not function correctly if the source port is changed If yo...

Page 143: ...ost cases you should make sure that users can use DNS through the firewall without authentication If DNS is not available users cannot connect to a web FTP or Telnet server using a domain name Anti Virus Web filter Enable antivirus protection and web filter content filtering for traffic controlled by this policy You can select Anti Virus Web filter if Service is set to ANY HTTP SMTP POP3 IMAP or F...

Page 144: ...n about logging see Logging and reporting on page 251 Comments You can add a description or other information about the policy The comment can be up to 63 characters long including spaces Configuring policy lists The firewall matches policies by searching for a match starting at the top of the policy list and moving down until it finds the first match You must arrange policies in the policy list f...

Page 145: ...rnal network users can browse the web use POP3 to get email use FTP to download files through the firewall and so on If the default policy is at the top of the Int Ext policy list the firewall allows all connections from the internal network to the Internet because all connections match the default policy If more specific policies are added to the list below the default policy they are never match...

Page 146: ...firewall can match connections with the policy To enable a policy 1 Go to Firewall Policy 2 Select the policy list that contains the policy that you want to enable 3 Select the check box of the policy to enable it Addresses All policies require source and destination addresses To add addresses to a policy between two interfaces you must first add addresses to the address list for each interface Yo...

Page 147: ...ress The IP address can be The IP address of a single computer for example 192 45 46 45 The IP address of a subnetwork for example 192 168 1 0 for a class C subnet 0 0 0 0 to represent all possible IP addresses 6 Enter the Netmask The netmask corresponds to the type of address that you are adding For example The netmask for the IP address of a single computer should be 255 255 255 255 The netmask ...

Page 148: ...s into address groups You can organize related addresses into address groups to make it easier to add policies For example if you add three addresses and then add them to an address group you only have to add one policy using the address group rather than a separate policy for each address You can add address groups to any interface The address group can only contain addresses from that interface ...

Page 149: ...u can add any of the predefined services to a policy You can also create custom services and add services to service groups This section describes Predefined services Adding custom TCP and UDP services Adding custom ICMP services Adding custom IP services Grouping services Predefined services The FortiGate predefined firewall services are listed in Table 18 You can add these services to any policy...

Page 150: ...3 udp 53 FINGER A network service that provides information about users tcp 79 FTP FTP service for transferring files tcp 21 GOPHER Gopher communication service Gopher organizes and displays Internet server contents as a hierarchically structured list of files tcp 70 H323 H 323 multimedia protocol H 323 is a standard approved by the International Telecommunication Union ITU that defines how audiov...

Page 151: ...nformation request messages icmp 15 INFO_ADDRESS ICMP address mask request messages icmp 17 POP3 Post office protocol email protocol for downloading email from a POP3 server tcp 110 PPTP Point to Point Tunneling Protocol is a protocol that allows corporations to extend their own corporate network through private tunnels over the public Internet tcp 1723 QUAKE For connections used by the popular Qu...

Page 152: ...oth the low and high fields 7 If the service has more than one port range select Add to specify additional protocols and port ranges If there are too many port range rows select Delete to remove each extra row 8 Select OK to add the custom service You can now add this custom service to a policy TCP All TCP ports tcp 0 65535 TELNET Telnet service for connecting to a remote computer to run commands ...

Page 153: ... IP service if you need to create a policy for a service that is not in the predefined service list To add a custom IP service 1 Go to Firewall Service Custom 2 Select IP from the Protocol list 3 Select New 4 Type a Name for the new custom IP service This name appears in the service list used when you add a policy The name can contain numbers 0 9 uppercase and lowercase letters A Z a z and the spe...

Page 154: ...rvices from the service group select a service from the Members list and select the left arrow to remove it from the group 6 Select OK to add the service group Figure 9 Adding a service group Schedules Use schedules to control when policies are active or inactive You can create one time schedules and recurring schedules You can use one time schedules to create policies that are effective once for ...

Page 155: ...for the schedule The name can contain numbers 0 9 uppercase and lowercase letters A Z a z and the special characters and _ Other special characters and spaces are not allowed 4 Set the Start date and time for the schedule Set Start and Stop times to 00 for the schedule to be active for the entire day 5 Set the Stop date and time for the schedule One time schedules use a 24 hour clock 6 Select OK t...

Page 156: ...dule 3 Type a Name for the schedule The name can contain numbers 0 9 uppercase and lowercase letters A Z a z and the special characters and _ Other special characters and spaces are not allowed 4 Select the days of the week that you want the schedule to be active on 5 Set the Start and Stop hours in between which you want the schedule to be active Recurring schedules use a 24 hour clock 6 Select O...

Page 157: ...t have a private IP address such as 192 168 1 34 To get packets from the Internet to the web server you must have an external address for the web server on the Internet You must then add a virtual IP to the firewall that maps the external IP address of the web server to the actual address of the web server on the internal network To allow connections from the Internet to the web server you must th...

Page 158: ...erver This address must be a unique address that is not used by another host and cannot be the same as the IP address of the external interface selected in step 4 However this address must be routed to this interface The virtual IP address and the external IP address can be on different subnets If the IP address of the external interface selected in step 4 is set using PPPoE or DHCP you can enter ...

Page 159: ... Forwarding 6 Enter the External IP Address that you want to map to an address on the destination zone You can set the external IP address to the IP address of the external interface selected in step 4 or to any other address If the IP address of the external interface selected in step 4 is set using PPPoE or DHCP you can enter 0 0 0 0 for the External IP Address The FortiGate unit substitutes the...

Page 160: ...estination network For example the real IP address could be the IP address of a web server on an internal network 9 In Map to Port enter the port number to be added to packets when they are forwarded If you do not want to translate the port enter the same number as the External Service Port If you want to translate the port enter the port number to which to translate the destination port of the pa...

Page 161: ...g limited to the IP address of the destination interface For example if you add an IP pool to the internal interface you can select Dynamic IP pool for Ext Int policies You can add multiple IP pools to any interface but only the first IP pool is used by the firewall This section describes Adding an IP pool IP Pools for firewall policies that use fixed ports IP pools and dynamic NAT Source Select t...

Page 162: ...ar service You can select fixed port for NAT policies to prevent source port translation However selecting fixed port means that only one connection can be supported through the firewall for this service To be able to support multiple connections you can add an IP pool to the destination interface and then select dynamic IP pool in the policy The firewall randomly selects an IP address from the IP...

Page 163: ...e IP addresses and their corresponding MAC addresses to the dynamic IP MAC table For information about viewing the table see Viewing a DHCP server dynamic IP list on page 107 The dynamic IP MAC binding table is not available in Transparent mode You can enable IP MAC binding for packets in sessions connecting to the firewall or passing through the firewall This section describes Configuring IP MAC ...

Page 164: ...ets going to the firewall Use the following procedure to use IP MAC binding to filter packets that would normally connect with the firewall for example when an administrator is connecting to the FortiGate unit for management To configure IP MAC binding for packets going to the firewall 1 Go to Firewall IP MAC Binding Setting 2 Select the Enable IP MAC binding going to the firewall check box 3 Go t...

Page 165: ... are not allowed 5 Select the Enable check box to enable IP MAC binding for the IP MAC pair 6 Select OK to save the IP MAC binding pair Viewing the dynamic IP MAC list To view the dynamic IP MAC list 1 Go to Firewall IP MAC Binding Dynamic IP MAC Enabling IP MAC binding To enable IP MAC binding 1 Go to Firewall IP MAC Binding Setting 2 Select the Enable IP MAC binding going through the firewall ch...

Page 166: ... Pass fragmented email for POP3 SMTP and IMAP policies Using content profiles you can build protection configurations that can be applied to different types of firewall policies This allows you to customize types and levels of protection for different firewall policies For example while traffic between internal and external addresses might need strict protection traffic between trusted internal ad...

Page 167: ...firewall policies that control HTTP traffic Unfiltered Use if you do not want to apply content protection to content traffic You can add this content profile to firewall policies for connections between highly trusted or highly secure networks where content does not need to be protected Anti Virus Scan Scan web FTP and email traffic for viruses and worms See Antivirus scanning on page 226 File Blo...

Page 168: ...ed addresses See Email block list on page 248 Email Exempt List Exempt sender address patterns from email filtering See Email exempt list on page 249 Email Content Block Add a subject tag to email that contains unwanted words or phrases See Email banned word list on page 246 Oversized File Email Block or pass files and email that exceed thresholds configured as a percent of system memory See Block...

Page 169: ...Firewall Policy 2 Select a policy list that contains policies that you want to add a content profile to For example to enable network protection for files downloaded by internal network users from the web select an internal to external policy list 3 Select New to add a new policy or choose a policy and select Edit 4 Select the Anti Virus Web filter check box 5 Select a content profile from the lis...

Page 170: ...170 Fortinet Inc Content profiles Firewall configuration ...

Page 171: ...ec dialup user phase 1 configurations XAuth functionality for phase 1 IPSec VPN configurations PPTP L2TP When a user enters a user name and password the FortiGate unit searches the internal user database for a matching user name If Disable is selected for that user name the user cannot authenticate and the connection is dropped If Password is selected for that user and the password matches the con...

Page 172: ...d user names and configure authentication This section describes Adding user names and configuring authentication Deleting user names from the internal database Adding user names and configuring authentication To add a user name and configure authentication 1 Go to User Local 2 Select New to add a new user name 3 Type the User Name The user name can contain numbers 0 9 uppercase and lowercase lett...

Page 173: ...g them To delete a user name from the internal database 1 Go to User Local 2 Select Delete User for the user name that you want to delete 3 Select OK LDAP Require the user to authenticate to an LDAP server Select the name of the LDAP server to which the user must authenticate You can only select an LDAP server that has been added to the FortiGate LDAP configuration See Configuring LDAP support on ...

Page 174: ...to add a new RADIUS server 3 Type the Name of the RADIUS server You can type any name The name can contain numbers 0 9 uppercase and lowercase letters A Z a z and the special characters and _ Other special characters and spaces are not allowed 4 Enter the Server Name or IP address of the RADIUS server 5 Enter the RADIUS server secret 6 Select OK Figure 18 Example RADIUS configuration Deleting RADI...

Page 175: ...ch as notification of password expiration that is available from some LDAP servers FortiGate LDAP support does not supply information to the user about why authentication failed LDAP user authentication is supported for PPTP L2TP IPSec VPN and firewall authentication With PPTP L2TP and IPSec VPN PAP packet authentication protocol is supported and CHAP Challenge Handshake Authentication Protocol is...

Page 176: ...distinguished name ou marketing dc fortinet dc com where ou is organization unit and dc is domain component You can also specify multiple instances of the same field in the distinguished name for example to specify multiple organization units ou accounts ou marketing dc fortinet dc com 8 Select OK Figure 19 Example LDAP configuration Deleting LDAP servers You cannot delete an LDAP server that has ...

Page 177: ...tiGate unit checks for a match with these local users If a match is not found the FortiGate unit checks the RADIUS or LDAP server If a RADIUS or LDAP server is added first the FortiGate unit checks the server and then the local users If the user group contains users RADIUS servers and LDAP servers the FortiGate unit checks them in the order in which they have been added to the user group This sect...

Page 178: ...erver from the Members list and select the left arrow to remove the name RADIUS server or LDAP server from the group 8 Select OK Deleting user groups You cannot delete user groups that have been selected in a policy a dialup user phase 1 configuration or a PPTP or L2TP configuration To delete a user group 1 Go to User User Group 2 Select Delete beside the user group that you want to delete 3 Selec...

Page 179: ...public network Instead of being sent in its original format the data frames are encapsulated within an additional header and then routed between tunnel endpoints Upon arrival at the destination endpoint the data is decapsulated and forwarded to its destination within the private network Encryption changes a data stream from clear text something that a human or a program can interpret to cipher tex...

Page 180: ... do not send the key to each other Instead as part of the security negotiation process they use it in combination with a Diffie Hellman group to create a session key The session key is used for encryption and authentication and is automatically regenerated by IKE during the communication session Pre shared keys are similar to manual keys in that they require the network administrator to distribute...

Page 181: ...manual key VPN configuration consists of a manual key VPN tunnel the source and destination addresses for both ends of the tunnel and an encrypt policy to control access to the VPN tunnel To create a manual key VPN configuration 1 Add a manual key VPN tunnel See Adding a manual key VPN tunnel on page 181 2 Configure an encrypt policy that includes the tunnel source address and destination address ...

Page 182: ...to save the manual key VPN tunnel AutoIKE IPSec VPNs FortiGate units support two methods of Automatic Internet Key Exchange AutoIKE for establishing IPSec VPN tunnels AutoIKE with pre shared keys and AutoIKE with digital certificates General configuration steps for an AutoIKE VPN Adding a phase 1 configuration for an AutoIKE VPN Adding a phase 2 configuration for an AutoIKE VPN DES Enter a 16 char...

Page 183: ...lated to the phase 2 configuration In phase 1 the VPN peers are authenticated in phase 2 the tunnel is established You have the option to use the same phase 1 parameters to establish multiple tunnels In other words the same remote VPN peer gateway or client can have multiple tunnels to the local VPN peer the FortiGate unit When the FortiGate unit receives an IPSec VPN connection request it authent...

Page 184: ...life is the amount of time in seconds before the phase 1 encryption key expires When the key expires a new key is generated without interrupting service P1 proposal keylife can be from 120 to 172 800 seconds 9 For Authentication Method select Preshared Key or RSA Signature Preshared Key Enter a key that is shared by the VPN peers The key must contain at least 6 printable characters and should only...

Page 185: ...thenticates VPN peers at the user level If the the FortiGate unit the local VPN peer is configured as an XAuth server it authenticates remote VPN peers by referring to a user group The users contained in the user group can be configured locally on the FortiGate unit or on remotely located LDAP or RADIUS servers If the FortiGate unit is configured as an XAuth client it provides a user name and pass...

Page 186: ... traversal has no effect Both ends of the VPN both VPN peers must have the same NAT traversal setting Keepalive Frequency If you enable NAT traversal you can change the number of seconds in the Keepalive Frequency field This number specifies in seconds how frequently empty UDP packets are sent through the NAT device to ensure that the NAT mapping does not change until P1 and P2 keylife expires The...

Page 187: ...IPSec VPN AutoIKE IPSec VPNs FortiGate 50A Installation and Configuration Guide 187 Figure 21 Adding a phase 1 configuration Standard options Figure 22 Adding a phase 1 configuration Advanced options ...

Page 188: ...ays are necessary if you are configuring IPSec redundancy 5 Configure the P2 Proposal Select up to three encryption and authentication algorithm combinations to propose for phase 2 The VPN peers must use the same P2 proposal settings 6 Optionally enable Replay Detection Replay detection protects the VPN tunnel from replay attacks 7 Optionally enable Perfect Forward Secrecy PFS PFS improves securit...

Page 189: ...IKE key VPN tunnel Figure 23 Adding a phase 2 configuration Use selectors from policy Select this option for policy based VPNs A policy based VPN uses an encrypt policy to select which VPN tunnel to use for the connection In this configuration the VPN tunnel is referenced directly from the encrypt policy You must select this option if both VPN peers are FortiGate units Use wildcard selectors Selec...

Page 190: ...s 0 9 uppercase and lowercase letters A Z a z and the special characters and _ Other special characters and spaces are not allowed 4 Configure the Subject Information that identifies the object being certified Preferably use an IP address or domain name If this is impossible such as with a dialup client use an email address 5 Configure the Optional Information to further identify the object being ...

Page 191: ...anization Enter the legal name of the organization that is requesting the certificate for the FortiGate unit such as Fortinet Locality Enter the name of the city or town where the FortiGate unit is located such as Vancouver State Province Enter the name of the state or province where the FortiGate unit is located such as California or CA Country Select the country where the FortiGate unit is locat...

Page 192: ...nt computer 4 Select OK The signed local certificate is displayed on the Local Certificates list with a status of OK Backing up and restoring the local certificate and private key When you back up a FortiGate configuration that includes IPSec VPN tunnels using certificates you must also back up the local certificate and private key in a password protected PKCS12 file Before restoring the configura...

Page 193: ... is to define and limit which addresses on these networks can use the VPN A VPN requires only one encrypt policy to control both inbound and outbound connections Depending on how you configure it the policy controls whether users on your internal network can establish a tunnel to the remote network the outbound connection and whether users on the remote network can establish a tunnel to your inter...

Page 194: ...cy intercepts the connection attempt and starts the VPN tunnel added to the policy The tunnel uses the remote gateway added to its configuration to connect to the remote VPN gateway When the remote VPN gateway receives the connection attempt it checks its own policy gateway and tunnel configuration If the configuration is allowed an IPSec VPN tunnel is negotiated between the two VPN peers Adding a...

Page 195: ...t to the source address Allow outbound Select Allow outbound to enable outbound users to connect to the destination address Inbound NAT The FortiGate unit translates the source address of incoming packets to the IP address of the FortiGate interface connected to the source address network Typically this is an internal interface of the FortiGate unit Inbound NAT makes it impossible for local hosts ...

Page 196: ...e known as spokes The hub functions as a concentrator on the network managing the VPN connections between the spokes The advantage of a hub and spoke network is that the spokes are simpler to configure because they require fewer policy rules Also a hub and spoke network provides some processing efficiencies particularly on the spokes The disadvantage of a hub and spoke network is its reliance on a...

Page 197: ...1 Configure one of the following tunnels for each spoke A manual key tunnel consists of a name for the tunnel the IP address of the spoke client or gateway at the opposite end of the tunnel and the encryption and authentication algorithms to use for the tunnel See Manual key IPSec VPNs on page 181 An AutoIKE tunnel consists of phase 1 and phase 2 parameters The phase 1 parameters include the name ...

Page 198: ...ternal_All Adding a VPN concentrator To add a VPN concentrator configuration 1 Go to VPN IPSec Concentrator 2 Select New to add a VPN concentrator 3 Enter the name of the new concentrator in the Concentrator Name field 4 To add tunnels to the VPN concentrator select a VPN tunnel from the Available Tunnels list and select the right arrow 5 To remove tunnels from the VPN concentrator select the tunn...

Page 199: ...ate encrypted connections A single inbound encrypt policy This policy allows the local VPN spoke to accept encrypted connections To create a VPN spoke configuration 1 Configure a tunnel between the spoke and the hub Choose between a manual key tunnel or an AutoIKE tunnel To add a manual key tunnel see Manual key IPSec VPNs on page 181 To add an AutoIKE tunnel see AutoIKE IPSec VPNs on page 182 2 A...

Page 200: ...he policies in the following order outbound encrypt policies inbound encrypt policy default non encrypt policy Internal_All External_All Source The local VPN spoke address Destination The remote VPN spoke address Action ENCRYPT VPN Tunnel The VPN tunnel name added in step 1 Use the same tunnel for all encrypt policies Allow inbound Do not enable Allow outbound Select allow outbound Inbound NAT Sel...

Page 201: ...way The monitor also lists the tunnel lifetime timeout proxy ID source and proxy ID destination for each tunnel To view dialup connection status 1 Go to VPN IPSec Dialup Monitor 2 View the dialup connection status information for the FortiGate unit Status The status of each tunnel If Status is Up the tunnel is active If Status is Down the tunnel is not active If Status is Connecting the tunnel is ...

Page 202: ...ercepted by the FortiGate unit To confirm that a VPN between a network and one or more clients has been configured correctly start a VPN client and use the ping command to connect to a computer on the internal network The VPN tunnel initializes automatically when the client makes a connection attempt You can start the tunnel and test it at the same time by pinging from the client to an address on ...

Page 203: ...to configure FortiGate PPTP and L2TP VPN For a complete description of FortiGate PPTP and L2TP see the FortiGate VPN Guide This chapter describes Configuring PPTP Configuring L2TP Configuring PPTP Point to Point protocol PPTP packages data within PPP packets and then encapsulates the PPP packets within IP packets for transmission through a VPN tunnel This section describes Configuring the FortiGat...

Page 204: ...nable PPTP 3 Enter the Starting IP and the Ending IP for the PPTP address range 4 Select the User Group that you added in To add users and user groups on page 203 5 Select Apply to enable PPTP through the FortiGate unit Figure 29 Example PPTP Range configuration To add a source address Add a source address for every address in the PPTP address range 1 Go to Firewall Address 2 Select the interface ...

Page 205: ...s 2 Select the internal interface 3 Select New to add an address 4 Enter the Address Name IP Address and NetMask for a single computer or for an entire subnetwork on an internal interface of the local VPN peer 5 Select OK to save the destination address To add a firewall policy Add a policy which specifies the source and destination addresses and sets the service for the policy to the traffic type...

Page 206: ...iskettes or CDs as required 9 Restart the computer To configure a PPTP dialup connection 1 Go to My Computer Dial Up Networking Configuration 2 Double click Make New Connection 3 Name the connection and select Next 4 Enter the IP address or host name of the FortiGate unit to connect to and select Next 5 Select Finish An icon for the new connection appears in the Dial Up Networking folder 6 Right c...

Page 207: ...ect OK To connect to the PPTP VPN 1 Start the dialup connection that you configured in the previous procedure 2 Enter your PPTP VPN User Name and Password 3 Select Connect 4 In the connect window enter the User Name and Password that you use to connect to your dialup network connection This user name and password is not the same as your VPN user name and password Configuring a Windows XP client fo...

Page 208: ...wing options are selected TCP IP QoS Packet Scheduler 11 Make sure that the following options are not selected File and Printer Sharing for Microsoft Networks Client for Microsoft Networks 12 Select OK To connect to the PPTP VPN 1 Connect to your ISP 2 Start the VPN connection that you configured in the previous procedure 3 Enter your PPTP VPN User Name and Password 4 Select Connect 5 In the conne...

Page 209: ...nfigure the FortiGate unit as an L2TP gateway To add users and user groups Add a user for each L2TP client 1 Go to User Local 2 Add and configure L2TP users See Adding user names and configuring authentication on page 172 3 Go to User User Group 4 Add and configure L2TP user groups See Configuring user groups on page 177 To enable L2TP and specify an address range 1 Go to VPN L2TP L2TP Range 2 Sel...

Page 210: ...p 1 Go to Firewall Address Group 2 Add a new address group to the interface to which L2TP clients connect 3 Enter a Group Name to identify the address group The name can contain numbers 0 9 uppercase and lowercase letters A Z a z and the special characters and _ Other special characters and spaces are not allowed 4 To add addresses to the address group select an address from the Available Addresse...

Page 211: ...ect 6 Set Service to match the traffic type inside the L2TP VPN tunnel For example if L2TP users can access a web server select HTTP 7 Set Action to ACCEPT 8 Select NAT if address translation is required You can also configure traffic shaping logging and antivirus and web filter settings for L2TP policies 9 Select OK to save the firewall policy Configuring a Windows 2000 client for L2TP Use the fo...

Page 212: ...ndows 2000 based endpoint computer of an L2TP or IPSec connection to prevent the automatic filter for L2TP and IPSec traffic from being created When the ProhibitIpSec registry value is set to 1 your Windows 2000 based computer does not create the automatic filter that uses CA authentication Instead it checks for a local or active directory IPSec policy To connect to the L2TP VPN 1 Start the dialup...

Page 213: ...it to connect to and select Next 8 Select Finish To configure the VPN connection 1 Right click the icon that you created 2 Select Properties Security 3 Select Typical to configure typical settings 4 Select Require data encryption 5 Select Advanced to configure advanced settings 6 Select Settings 7 Select Challenge Handshake Authentication Protocol CHAP 8 Make sure that none of the other settings a...

Page 214: ...P and IPSec traffic from being created When the ProhibitIpSec registry value is set to 1 your Windows XP based computer does not create the automatic filter that uses CA authentication Instead it checks for a local or active directory IPSec policy To connect to the L2TP VPN 1 Connect to your ISP 2 Start the VPN connection that you configured in the previous procedure 3 Enter your L2TP VPN User Nam...

Page 215: ... Logging attacks Detecting attacks The NIDS Detection module detects a wide variety of suspicious network traffic and network based attacks Use the following procedures to configure the general NIDS settings and the NIDS Detection module Signature List For the general NIDS settings you must select which interfaces you want to be monitored for network based attacks You also need to decide whether t...

Page 216: ...e files that pass through the FortiGate unit to make sure that they have not been changed in transit The NIDS can run checksum verification on IP TCP UDP and ICMP traffic For maximum detection you can turn on checksum verification for all types of traffic However if the FortiGate unit does not need to run checksum verification you can turn it off for some or all types of traffic to improve system ...

Page 217: ...nature list To view attack descriptions 1 Go to NIDS Detection Signature List 2 Select View Details to display the members of a signature group 3 Select a signature and copy its attack ID 4 Open a web browser and enter the following URL http www fortinet com ids ID attack ID Make sure that you include the attack ID For example to view the Fortinet Attack Analysis web page for the ssh CRC32 overflo...

Page 218: ...ose in the signature group members list You can scroll through a signature group members list to locate specific attack signatures by ID number and name 3 Clear the Enable check box 4 Select OK 5 Repeat steps 2 to 4 for each NIDS attack signature group that you want to disable Select Check All to enable all NIDS attack signature groups in the signature list Select Uncheck All to disable all NIDS a...

Page 219: ...xample user defined signature list Downloading the user defined signature list You can back up the user defined signature list by downloading it to a text file on the management computer To download the user defined signature list 1 Go to NIDS Detection User Defined Signature List 2 Select Download The FortiGate unit downloads the user defined signature list to a text file on the management comput...

Page 220: ...left corner Enabling NIDS attack prevention signatures The NIDS Prevention module contains signatures that are designed to protect your network against attacks Some signatures are enabled by default others must be enabled For a complete list of NIDS Prevention signatures and descriptions see the FortiGate NIDS Guide To enable attack prevention signatures 1 Go to NIDS Prevention 2 Select the Enable...

Page 221: ... value Maximum threshold value synflood Threshold Maximum number of SYN segments received per second 2048 1 1000000 Queue Size Maximum proxied connections 4096 100 1000000 Timeout Number of seconds for the SYN cookie to keep a proxied connection alive 15 1 3600 portscan Maximum number of SYN segments received per second 512 1 1000000 srcsession Total number of TCP sessions initiated from the same ...

Page 222: ...ct Config Policy for the log locations you have set 3 Select Attack Log 4 Select Attack Detection and Attack Prevention 5 Select OK Reducing the number of NIDS attack log and email messages Intrusion attempts might generate an excessive number of attack messages Based on the frequency that messages are generated the FortiGate unit automatically deletes duplicates If you still receive an excessive ...

Page 223: ...han 60 seconds the FortiGate unit deletes the message and increases the copy number If the copy number is greater than 1 the FortiGate unit sends a summary email that includes Repeated x times in the subject header the statement The following email has been repeated x times in the last y seconds and the original message Manual message reduction If you want to reduce the number of alerts that the N...

Page 224: ...224 Fortinet Inc Logging attacks Network Intrusion Detection System NIDS ...

Page 225: ...irewall policies that allow web HTTP FTP and email IMAP POP3 and SMTP connections through the FortiGate unit Select a content profile that provides the antivirus protection options that you want to apply to a policy See Adding content profiles to policies on page 169 3 Configure antivirus protection settings to control how the FortiGate unit applies antivirus protection to the web FTP and email tr...

Page 226: ... macros are scanned for macro viruses FortiGate virus scanning does not scan the following file types cdimage floppy image ace bzip2 Tar Gzip Bzip2 If a file is found to contain a virus the FortiGate unit removes the file from the content stream and replaces it with a replacement message To scan FortiGate firewall traffic for viruses 1 Select antivirus scanning in a content profile For information...

Page 227: ... so By default when blocking is enabled the FortiGate unit blocks the following file patterns executable files bat com and exe compressed or archive files gz rar tar tgz and zip dynamic link libraries dll HTML application hta Microsoft Office files doc ppt xl Microsoft Works files wps Visual Basic files vb screen saver files scr Blocking files in firewall traffic Use content profiles to apply file...

Page 228: ... To configure limits for oversized files and email 1 Go to Anti Virus Config Config 2 Type the size limit in MB 3 Select Apply Exempting fragmented email from blocking A fragmented email is a large email message that has been split into smaller messages that are sent individually and recombined when they are received By default when antivirus protection is enabled the FortiGate unit blocks fragmen...

Page 229: ...guration Guide 229 Viewing the virus list You can view the names of the viruses and worms in the current virus definition list To view the virus list 1 Go to Anti Virus Config Virus List 2 Scroll through the virus and worm list to view the names of all viruses and worms in the list ...

Page 230: ...230 Fortinet Inc Viewing the virus list Antivirus protection ...

Page 231: ... blocking URL blocking Configuring Cerberian URL filtering Script filtering Exempt URL list General configuration steps Configuring web filtering involves the following general steps 1 Select web filtering options in a new or existing content profile See Adding content profiles on page 167 2 Select the Anti Virus Web filter option in firewall policies that allow HTTP connections through the FortiG...

Page 232: ...ck 2 Select New to add a word or phrase to the Banned Word list 3 Choose a language or character set for the banned word or phrase You can choose Western Chinese Simplified Chinese Traditional Japanese or Korean Your computer and web browser must be configured to enter characters in the character set that you choose 4 Type a banned word or phrase If you type a single word for example banned the Fo...

Page 233: ...nned Word List The FortiGate unit downloads the list to a text file on the management computer You can specify a location to which to download the text file as well as a name for the text file Restoring the Banned Word list You can create a Banned Word list in a text editor and then upload the text file to the FortiGate unit Add one banned word or phrase to each line of the text file The word or p...

Page 234: ...anges to the text file and uploading it again as necessary Table 21 Banned Word list configuration parameters Parameter Setting Description Status 0 Disabled 1 Enabled Language 0 ASCII 1 Simplified Chinese 2 Traditional Chinese 3 Japanese 4 Korean banned 1 0 banned phrase 1 1 3 banned phrase 2 1 1 Note All changes made to the banned word list using the web based manager are lost when you upload a ...

Page 235: ...www badsite com or 122 133 144 155 blocks access to all pages at this website Type a top level URL followed by the path and filename to block access to a single page on a website For example www badsite com news html or 122 133 144 155 news html blocks the news page on this website To block all pages with a URL that ends with badsite com add badsite com to the block list For example adding badsite...

Page 236: ...t to a text file on the management computer To download a Web URL block list 1 Go to Web Filter Web URL Block 2 Select Download URL Block List The FortiGate unit downloads the list to a text file on the management computer You can specify a location to which to download the text file as well as a name for the text file Uploading a URL block list You can create a URL block list in a text editor and...

Page 237: ...own and Page Up to navigate through the Web URL block list 8 You can continue to maintain the Web URL block list by making changes to the text file and uploading it again Configuring FortiGate Web pattern blocking You can configure FortiGate web pattern blocking to block web pages that match a URL pattern Create URL patterns using regular expressions for example badsite matches badsite com badsite...

Page 238: ...number of end users allowed to use Cerberian web filtering through the FortiGate unit To install a Cerberian licence key 1 Go to Web Filter URL Block 2 Select Cerberian URL Filtering 3 Enter the license number 4 Select Apply Adding a Cerberian user The Cerberian web policies can be applied only to user groups You can add users on the FortiGate unit and then add the users to user groups on the Cerb...

Page 239: ...ult group and apply any policies to the group Use the default group to add All the users who are not assigned alias names on the FortiGate unit All the users who are not assigned to other user groups The Cerberian web filter groups URLs into 53 categories The default policy blocks the URLs of 12 categories You can modify the default policy and apply it to any user groups To configure Cerberian web...

Page 240: ...and ActiveX scripts from the HTML web pages Enabling script filtering Selecting script filter options Enabling script filtering 1 Go to Firewall Content Profile 2 Select the content profile for which you want to enable script filtering 3 Select Script Filter 4 Select OK Selecting script filter options 1 Go to Web Filter Script Filter 2 Select the script filter options that you want to enable You c...

Page 241: ...w goodsite com index html exempts access to the main page of this example website You can also add IP addresses for example 122 63 44 67 index html exempts access to the main web page at this address Do not include http in the URL to exempt Exempting a top level URL such as www goodsite com exempts all requested subpages for example www goodsite com badpage from all content and URL filtering rules...

Page 242: ...d or phrase should be followed by a parameter specifying the status of the entry If you do not add this information to the text file the FortiGate unit automatically enables all URLs and patterns that are followed with a 1 or no number when you upload the text file Figure 41 Example URL Exempt list text file 1 In a text editor create the list of URLs to exempt 2 Using the web based manager go to W...

Page 243: ...e the path and filename of your URL Exempt List text file or select Browse and locate the file 5 Select OK to upload the file to the FortiGate unit 6 Select Return to display the updated URL Exempt List 7 You can continue to maintain the URL Exempt List by making changes to the text file and uploading it again as necessary ...

Page 244: ...244 Fortinet Inc Exempt URL list Web filtering ...

Page 245: ...s Configuring email filtering involves the following general steps 1 Select email filter options in a new or existing content profile See Adding content profiles on page 167 2 Select the Anti Virus Web filter option in firewall policies that allow IMAP and POP3 connections through the FortiGate unit Select a content profile that provides the email filtering options that you want to apply to a poli...

Page 246: ...r phrase If you type a single word for example banned the FortiGate unit tags all IMAP and POP3 email that contains that word If you type a phrase for example banned phrase the FortiGate unit tags email that contains both words When this phrase appears on the banned word list the FortiGate unit inserts plus signs in place of spaces for example banned phrase If you type a phrase in quotes for examp...

Page 247: ...tional Japanese or Korean characters Your computer and web browser must be configured to enter characters in the character set that you use All words are enabled by default Optionally you can enter a space and a 1 after the word to enable it and another space and a number to indicate the language If you do not add this information to all items in the text file the FortiGate unit automatically enab...

Page 248: ...ect New 3 Type a Block Pattern To tag email from a specific email address type the email address For example sender abccompany com To tag email from a specific domain type the domain name For example abccompany com To tag email from a specific subdomain type the subdomain name For example mail abccompany com To tag email from an entire organization category type the top level domain name For examp...

Page 249: ...xt editor create the list of patterns to block 2 Using the web based manager go to Email Filter Block List 3 Select Upload 4 Type the path and filename of your email block list text file or select Browse and locate the file 5 Select OK to upload the file to the FortiGate unit 6 Select Return to display the updated email block list 7 You can continue to maintain the email block list by making chang...

Page 250: ... pattern can contain numbers 0 9 uppercase and lowercase letters A Z a z and the special characters hyphen _ underscore and Spaces and other special characters are not allowed 4 Select OK to add the address pattern to the email exempt list Adding a subject tag When the FortiGate unit receives email from an unwanted address or email that contains an item in the email banned word list the FortiGate ...

Page 251: ... more of a computer running a syslog server a computer running a WebTrends firewall reporting server the console For information about filtering the log types and activities that the FortiGate unit records see Filtering log messages on page 253 For information about traffic logs see Configuring traffic logging on page 254 This section describes Recording logs on a remote computer Recording logs on...

Page 252: ...orage and analysis FortiGate log formats comply with WebTrends Enhanced Log Format WELF and are compatible with WebTrends NetIQ Security Reporting Center 2 0 and Firewall Suite 4 1 For more information see the Security Reporting Center and Firewall Suite documentation To record logs on a NetIQ WebTrends server 1 Go to Log Report Log Setting 2 Select the Log in WebTrends Enhanced Log Format check b...

Page 253: ...bout normal events Antivirus Web filter and email filter log messages 6 Information General information about system operations Antivirus Web filter email filter log messages and other event log messages Traffic Log Record all connections to and through the interface To configure traffic filtering see Adding traffic filter entries on page 256 Event Log Record management and activity events in the ...

Page 254: ...tion Configuring traffic logging You can configure the FortiGate unit to record traffic log messages for connections to An interface A firewall policy The FortiGate unit can filter traffic logs for a source and destination address and service You can also enable the following global settings resolve IP addresses to host names display the port number or service The traffic filter list displays the ...

Page 255: ...If you enable traffic logging for a firewall policy all connections accepted by the firewall policy are recorded in the traffic log To enable traffic logging for a firewall policy 1 Go to Firewall Policy 2 Select a policy tab 3 Select Log Traffic 4 Select OK Configuring traffic filter settings You can configure the information recorded in all traffic log messages To configure traffic filter settin...

Page 256: ...3 Configure the traffic filter for the type of traffic that you want to record on the traffic log 4 Select OK The traffic filter list displays the new traffic address entry with the settings that you selected in Enabling traffic logging on page 255 Name Type a name to identify the traffic filter entry The name can contain numbers 0 9 uppercase and lowercase letters A Z a z and the special characte...

Page 257: ...l Adding alert email addresses Testing alert email Enabling alert email Adding alert email addresses Because the FortiGate unit uses the SMTP server name to connect to the mail server the FortiGate unit must look up this name on your DNS server Before you configure alert email make sure that you configure at least one DNS server To add a DNS server 1 Go to System Network DNS 2 If they are not alre...

Page 258: ... alert email in response to virus incidents intrusion attempts and critical firewall or VPN events or violations If you have configured logging to a local disk you can enable sending an alert email when the hard disk is almost full To enable alert email 1 Go to Log Report Alert Mail Categories 2 Select Enable alert email for virus incidents Alert email is not sent when antivirus file blocking dele...

Page 259: ...ssages are formatted and transmitted and what actions Web servers and browsers should take in response to various commands HTTPS The SSL protocol for transmitting private documents over the Internet using a Web browser Internal interface The FortiGate interface that is connected to an internal private network Internet A collection of networks connected together that span the entire globe using the...

Page 260: ...ified address and waiting for a reply POP3 Post Office Protocol A protocol used to transfer e mail from a mail server to a mail client across the Internet Most e mail clients use POP PPP Point to Point Protocol A TCP IP protocol that provides host to network and router to router connections PPTP Point to Point Tunneling Protocol A Windows based technology for creating VPNs PPTP is supported by Win...

Page 261: ...tworks TCP guarantees delivery of data and also guarantees that packets will be delivered in the same order in which they were sent UDP User Datagram Protocol A connectionless protocol that like TCP runs on top of IP networks Unlike TCP UDP provides very few error recovery services offering instead a direct way to send and receive datagrams over an IP network It is used primarily for broadcasting ...

Page 262: ...262 Fortinet Inc Glossary ...

Page 263: ...rd disk full 258 intrusion attempts 258 reducing messages 218 testing 258 virus incidents 258 allow inbound encrypt policy 142 allow outbound encrypt policy 142 allow traffic IP MAC binding 164 Anti Virus Web filter policy 143 antivirus definition updates manual 63 antivirus definitions updating 73 antivirus updates 76 configuring 77 through a proxy server 78 attack definition updates downloading ...

Page 264: ...istration 89 SNMP 127 content blocking exempting URLs 241 249 web page 232 246 content filter 231 245 content profiles default 167 cookies blocking 240 CPU status 67 68 critical firewall events alert email 258 critical VPN events alert email 258 custom ICMP service 153 custom IP service 153 custom TCP service 152 custom UDP service 152 customer service 16 D date and time setting example 122 133 da...

Page 265: ...iResponse Distribution Server 74 filename pattern adding 227 blocking 227 filter RIP 117 filtering log messages 253 filtering traffic 254 firewall authentication timeout 122 configuring 137 overview 137 firewall events enabling alert email 258 firewall policies modem 111 firewall policy accept 141 Comments 144 deny 141 guaranteed bandwidth 142 Log Traffic 144 maximum bandwidth 143 firewall setup w...

Page 266: ...259 intrusion attempts alert email 258 intrusion status 69 IP configuring checksum verification 216 IP address interface 94 IP MAC binding 163 IP addresses configuring from the CLI 36 42 IP pool adding 161 IP service custom 153 IP spoofing 163 IP MAC binding 163 adding 165 allow traffic 164 block traffic 164 dynamic IP MAC list 163 enabling 165 static IP MAC list 163 IPSec 259 IPSec VPN authentica...

Page 267: ...ng 107 configuring settings 108 connecting to a dialup account 109 connecting to FortiGate unit 108 disconnecting 109 interface 107 standalone mode 107 110 viewing status 110 monitor system status 70 monitored interfaces 216 monitoring system status 67 MTU size 98 changing 98 definition 260 improving network performance 98 interface 98 N NAT policy option 142 push update 79 NAT mode adding policy ...

Page 268: ...Windows 98 client 206 configuring Windows XP client 207 PPTP gateway configuring 203 predefined services 149 pre shared keys introduction 180 prevention NIDS 220 protocol service 149 system status 71 proxy server 78 push updates 78 push update configuring 78 external IP address changes 79 management IP address changes 79 through a NAT device 79 through a proxy server 78 Q quick mode identifier use...

Page 269: ...ling 76 scope adding a DHCP scope 105 script filter 240 example settings 240 scripts removing from web pages 240 250 secondary IP interface 96 security question registration 89 serial number displaying 64 server DHCP 104 105 service 149 custom ICMP 153 custom IP 153 custom TCP 152 custom UDP 152 group 153 policy option 140 predefined 149 service name 149 user defined ICMP 153 user defined IP 153 u...

Page 270: ...system status 71 to port system status 71 traffic configuring global settings 255 filtering 254 logging 254 traffic filter adding entries 256 display 255 log setting 255 port number 255 resolve IP 255 service name 255 traffic log 253 Traffic Priority 143 Traffic Shaping 142 Transparent mode 13 adding routes 102 changing to 43 65 configuring the default gateway 43 management interface 99 management...

Page 271: ...g alert email 258 virus list displaying 229 viewing 229 virus log 253 virus protection overview 225 virus status 69 VPN configuring L2TP gateway 209 configuring PPTP gateway 203 209 Tunnel 142 viewing dialup connection status 201 VPN events enabling alert email 258 VPN tunnel viewing status 201 W web filtering ActiveX 240 cookies 240 Java applets 240 overview 231 245 web filtering log 253 web page...

Page 272: ...272 Fortinet Inc Index ...

Reviews:

No comments

Related manuals for FortiGate 50A

ADTRAN NetVanta 2730 Getting Started Manual preview
NetVanta 2730
Brand: ADTRAN Pages: 74
Eli ADF-WG-A53 User Manual preview
ADF-WG-A53
Brand: Eli Pages: 24
AXIOMTEK NA342 User Manual preview
NA342
Brand: AXIOMTEK Pages: 52
AXIOMTEK NA-330 Series User Manual preview
NA-330 Series
Brand: AXIOMTEK Pages: 60
AXIOMTEK NA-401 Hardware Installation Manual preview
NA-401
Brand: AXIOMTEK Pages: 68

Brands by name

Popular brands

Load more brands