FortiGate 60
Installation Guide
INTERNAL
DMZ
4
3
2
1
LINK 100 LINK 100
LINK 100
WAN1
WAN2
PWR
STATUS
Version 2.80 MR8
28 January 2005
01-28008-0018-20050128
Page 1: ...FortiGate 60 Installation Guide INTERNAL DMZ 4 3 2 1 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 WAN1 WAN2 PWR STATUS Version 2 80 MR8 28 January 2005 01 28008 0018 20050128...
Page 2: ...rior written permission of Fortinet Inc FortiGate 60 Installation Guide Version 2 80 MR8 28 January 2005 01 28008 0018 20050128 Trademarks Products mentioned in this document are trademarks or registe...
Page 3: ...nd off 15 Connecting to the web based manager 16 Connecting to the command line interface CLI 17 Quick installation using factory defaults 18 Factory default FortiGate configuration settings 19 Factor...
Page 4: ...Connecting the FortiGate unit to your network 44 Next steps 45 High availability installation 47 Priorities of heartbeat device and monitor priorities 47 Configuring FortiGate units for HA operation...
Page 5: ...architecture analyzes content and behavior in real time enabling key applications to be deployed right at the network edge where they are most effective at protecting your networks The FortiGate 60 m...
Page 6: ...esetting the firewall or interrupting service Once you are satisfied with a configuration you can download and save it The saved configuration can be restored at any time Figure 1 FortiGate web based...
Page 7: ...string that uses the digits 0 9 and letters A F xxx_ipv4 indicates a dotted decimal IPv4 address xxx_v4mask indicates a dotted decimal IPv4 netmask xxx_ipv4mask indicates a dotted decimal IPv4 address...
Page 8: ...edures connection procedures and basic configuration procedures Choose the guide for your product model number FortiGate Administration Guide Provides basic information about how to configure a FortiG...
Page 9: ...Related documentation Additional information about Fortinet products is available from the following related documentation FortiManager documentation FortiManager QuickStart Guide Explains how to ins...
Page 10: ...log files It also describes how to view FortiGate and FortiMail log files generate and view log reports and use the FortiLog unit as a NAS server FortiLog online help Provides a searchable version of...
Page 11: ...ation on Fortinet telephone support see http support fortinet com When requesting technical support please provide the following information Your name Company name Location Email address Telephone num...
Page 12: ...12 01 28008 0018 20050128 Fortinet Inc Customer service and technical support Introduction...
Page 13: ...p and powering on a FortiGate Antivirus Firewall unit This section includes Package contents Mounting Turning the FortiGate unit power on and off Connecting to the web based manager Connecting to the...
Page 14: ...de to allow for adequate air flow and cooling Dimensions 8 63 x 6 13 x 1 38 in 21 9 x 15 6 x 3 5 cm Weight 1 5 lb 0 68 kg INTERNAL DMZ 4 3 2 1 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LIN...
Page 15: ...s The Power and Status LEDs are on To power off the FortiGate unit Always shut down the FortiGate operating system properly before turning off the power switch 1 From the web based manager go to Syste...
Page 16: ...ion to the static IP address 192 168 1 2 with a netmask of 255 255 255 0 You can also configure the management computer to obtain an IP address automatically using DHCP The FortiGate DHCP server assig...
Page 17: ...the communications port of your computer and to the FortiGate Console port 2 Make sure that the FortiGate unit is powered on 3 Start HyperTerminal enter a name for the connection and select OK 4 Conf...
Page 18: ...sses added to the FortiGate unit configuration and returns lookup results to the internal network For more information about default DHCP server settings see Factory default DHCP server configuration...
Page 19: ...to operate the FortiGate unit in Transparent mode you can switch to Transparent mode from the factory default configuration and then configure the FortiGate unit onto the network in Transparent mode O...
Page 20: ...strative access means this interface responds to ping requests Table 2 FortiGate DHCP Server default configuration Name internal_dhcp_server Interface Internal Default Gateway 192 168 1 99 IP Range 19...
Page 21: ...for information about adding firewall policies The following firewall configuration settings are included in the default firewall configuration to make it easier to add firewall policies Network Setti...
Page 22: ...c between trusted internal addresses might need moderate protection You can configure firewall policies for different traffic services to use the same or different protection profiles Protection profi...
Page 23: ...ute mode In NAT Route mode the FortiGate unit is visible to the network Like a router all its interfaces are on different subnets The following interfaces are available in NAT Route mode Internal is t...
Page 24: ...ition to the internal private network you could create route mode firewall policies for traffic flowing between them Figure 6 Example NAT Route mode network configuration NAT Route mode with multiple...
Page 25: ...ehind an existing firewall or behind a router The FortiGate unit performs firewall functions IPSec VPN virus scanning IPS web content filtering and Spam filtering Figure 8 Example Transparent mode net...
Page 26: ...Explorer version 6 0 or higher on the management computer CLI The FortiGate CLI is a full featured management tool Use it to configure the administrator password the interface addresses the default g...
Page 27: ...g the setup wizard Connecting the FortiGate unit to the network s Configuring the networks Configuring the modem interface Next steps Preparing to configure the FortiGate unit in NAT Route mode Use Ta...
Page 28: ...FortiGate unit You can also continue to use the web based manager for all FortiGate unit settings For information about connecting to the web based manager see Connecting to the web based manager on...
Page 29: ...nd any other required settings For information about how to configure these and other interface settings see the FortiGate online help or the FortiGate Administration Guide 5 Select OK 6 Repeat this p...
Page 30: ...g the command line interface CLI For information about connecting to the CLI see Connecting to the command line interface CLI on page 17 Configuring the FortiGate unit to operate in NAT Route mode Use...
Page 31: ...static set ip address_ip netmask end Example config system interface edit wan1 set mode static set ip 204 23 1 5 255 255 255 0 end To set the WAN1 interface to use DHCP enter config system interface...
Page 32: ...is connected to an external network The default route is not required if the interface connected to the external network is configured using DHCP or PPPoE Set the default route to the Default Gateway...
Page 33: ...ttings Table 8 Setup wizard settings Password Prepare an administrator password Internal Interface Use the information you gathered in Table 6 on page 28 External Interface Use the information you gat...
Page 34: ...r connecting to a second public switch or router and the Internet for a redundant Internet connection Antivirus High Create a protection profile that enables virus scanning file blocking and blocking...
Page 35: ...ternal or LAN connection of your DSL or cable modem 3 Optionally connect the WAN2 interface to the Internet Connect to the public switch or router usually provided by a different Internet Service Prov...
Page 36: ...ate unit is functioning properly by connecting to the Internet from a computer on the internal network You should be able to connect to any Internet address Configuring the Modem interface In NAT Rout...
Page 37: ...Config Time 2 Select Synchronize with NTP Server to configure the FortiGate unit to use NTP to automatically set the system time and date 3 Enter the IP address or domain name of the NTP server that t...
Page 38: ...work such as the Internet to which a connection to the FDN can be established If FortiProtect Distribution Network changes to Available then the FortiGate unit can connect to the FDN 3 Select Schedule...
Page 39: ...nt mode see Planning the FortiGate configuration on page 23 This chapter describes Preparing to configure Transparent mode Using the web based manager Using the command line interface Using the setup...
Page 40: ...e management computer to 10 10 10 2 Connect to the internal or DMZ interface and browse to https followed by the Transparent mode management IP address The default FortiGate Transparent mode managemen...
Page 41: ...b based manager by browsing to https 10 10 10 1 If you connect to the management interface through a router make sure that you have added a default gateway for that router to the management IP default...
Page 42: ...ystem manageip set ip 10 10 10 2 255 255 255 0 end 3 Confirm that the address is correct Enter get system manageip The CLI lists the management IP address and netmask To configure DNS server settings...
Page 43: ...ent computer to 10 10 10 2 Connect to the internal or DMZ interface and browse to https followed by the Transparent mode management IP address The default FortiGate Transparent mode management IP addr...
Page 44: ...onnect the Internal interface connectors to PCs and other network devices in your internal network The Internal interface functions as a switch allowing up to four devices to be connected to the inter...
Page 45: ...tem date and time 6 Set the hour minute second month day and year as required 7 Select Apply To use NTP to set the FortiGate date and time 1 Go to System Config Time 2 Select Synchronize with NTP Serv...
Page 46: ...e FDN the FortiGate unit default route must point to a network such as the Internet to which a connection to the FDN can be established If FortiProtect Distribution Network changes to Available then t...
Page 47: ...steps for changing the priorities of heartbeat devices or for configuring monitor priorities settings Both of these HA settings should be configured after the cluster is up and running Configuring For...
Page 48: ...in the cluster get the same virtual MAC address This virtual MAC address is set according to the group ID Group ID MAC Address 0 00 09 0f 06 ff 00 1 00 09 0f 06 ff 01 2 00 09 0f 06 ff 02 3 00 09 0f 06...
Page 49: ...ches select Least connection to distribute traffic to the cluster unit with the fewest concurrent connections Round Robin Round robin load balancing If the FortiGate units are connected using switches...
Page 50: ...ce all of the units are configured continue with Connecting the cluster to your networks on page 51 11 If you are configuring a Transparent mode cluster reconnect to the web based manager You may have...
Page 51: ...he FortiGate units in the cluster Once all of the units are configured continue with Connecting the cluster to your networks on page 51 3 If you are configuring a Transparent mode cluster switch the F...
Page 52: ...ach FortiGate unit to a switch or hub connected to your internal network Connect the WAN1 interfaces of each FortiGate unit to a switch or hub connected to your external network Connect the DMZ interf...
Page 53: ...the FortiGate units in the cluster are synchronized so that the FortiGate units can function as a cluster Because of this synchronization you configure and manage the HA cluster instead of managing th...
Page 54: ...54 01 28008 0018 20050128 Fortinet Inc Installing and configuring the cluster High availability installation...
Page 55: ...ngs Connecting and disconnecting the modem in Standalone mode Defining a Ping Server Adding firewall policies for modem connections Selecting a modem mode The external modem when connected to the Fort...
Page 56: ...account The modem interface operates as the primary connection to the Internet The FortiGate unit routes traffic through the modem interface which remains permanently connected to the dialup account...
Page 57: ...FortiGate interface that the modem is redundant for Figure 13 Modem settings Standalone and Redundant Enable Modem or Enable USB Modem Select to enable the FortiGate modem Depending on the model the m...
Page 58: ...ut Standalone mode only Enter the timeout duration in minutes After this period of inactivity the modem disconnects Holddown Timer Redundant mode only Enter the time 1 60 seconds that the FortiGate un...
Page 59: ...interface To add a ping server to an interface 1 Go to System Network Interface 2 Choose an interface and select Edit 3 Set Ping Server to the IP address of the next hop router on the network connecte...
Page 60: ...or modem connections The modem interface requires firewall addresses and policies You can add one or more addresses to the modem interface For information about adding addresses see the FortiGate Admi...
Page 61: ...vironmental specifications 15 F firewall policies modem 60 firewall setup wizard 6 28 32 40 43 starting 29 34 40 43 Fortinet customer service 10 H HA configuring FortiGate units for HA operation 47 co...
Page 62: ...onfiguring 56 modem 55 56 starting IP DHCP 20 synchronize with NTP server 37 45 T technical support 10 time zone 37 45 Transparent mode changing to 41 configuring the default gateway 42 management IP...
