Fortinet Fortiwifi fortiwifi-60 Administration Manual Download Page 255

Page: 255 / 394

VPN

Phase 1

FortiWiFi-60 Administration Guide

01-28006-0014-20041105

255

Configuring XAuth

XAuth authenticates users in a separate exchange held between Phases 1 and 2.

Encryption

The FortiWiFi unit supports the following encryption methods:
DES
3DES
AES128
AES192
AES256

Authentication

The FortiWiFi unit supports the following authentication methods:
MD5
SHA1

DH Group

Select one or more Diffie-Hellman groups from DH group 1, 2, and 5.
When the VPN peers have static IP addresses and use aggressive mode,

select a single matching DH group.
When the VPN peers use aggressive mode in a dialup configuration, select up

to three DH groups for the dialup server and select one DH group for the

dialup user (client or gateway).
When the VPN peers employ main mode, you can select multiple DH groups.

Keylife

The keylife is the amount of time in seconds before the IKE encryption key

expires. When the key expires, a new key is generated without interrupting

service. P1 proposal keylife can be from 120 to 172,800 seconds.

Local ID

If you are using peer IDs for authentication, enter the peer ID that the

FortiWiFi unit will use to authenticate itself to remote VPN peers.
If you are using certificates for authentication, enter the distinguished name

(DN) of the local certificate.

XAuth

You can configure the FortiWiFi unit as an Extended Authentication (XAuth)

client or an XAuth server. For more information, see

“Configuring XAuth” on

page 255

Nat-traversal

Enable this option if you expect the IPSec VPN traffic to go through a gateway

that performs NAT. If no NAT device is detected, enabling NAT traversal has

no effect. Both ends of the VPN must have the same NAT traversal setting. If

you enable NAT traversal you can set the keepalive frequency. NAT traversal

is enabled by default.

Keepalive
Frequency

If NAT Traversal is selected, enter the Keepalive Frequency in seconds.
The keepalive frequency specifies how frequently empty UDP packets are

sent through the NAT device to ensure that the NAT mapping does not change

until the IKE and IPSec keylife expires.
The keepalive frequency can be from 0 to 900 seconds.

Dead Peer
Detection

Enable this option to clean up dead VPN connections and establish new VPN

connections. You can specify additional Dead Peer Detection (DPD) settings

such as long idle, short idle, retry count and retry interval through the CLI. See

“ipsec phase1” on page 279

XAuth: Enable as Client
Username

Enter the user name the local VPN peer uses to authenticate itself to the

remote VPN peer.

Password

Enter the password the local VPN peer uses to authenticate itself to the

remote VPN peer.

Summary of Contents for Fortiwifi fortiwifi-60

Page 1: ...Administration Guide INTERNAL DMZ 4 3 2 1 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 WAN1 WAN2 PWR WLAN FortiWiFi 60 Administration Guide Version 2 80 MR6 5 November 2004 01 28006...

Page 2: ...ion Guide Version 2 80 MR6 5 November 2004 01 28006 0014 20041105 Trademarks Products mentioned in this document are trademarks or registered trademarks of their respective holders Regulatory Complian...

Page 3: ...22 Related documentation 22 FortiManager documentation 23 FortiClient documentation 23 FortiMail documentation 23 FortiLog documentation 23 Customer service and technical support 24 System status 25...

Page 4: ...WiFi units and VLANs 64 VLANs in NAT Route mode 64 Rules for VLAN IDs 65 Rules for VLAN IP addresses 65 Adding VLAN subinterfaces 66 VLANs in Transparent mode 67 Rules for VLAN IDs 69 Transparent mode...

Page 5: ...16 Administrators options 116 Access profiles 117 Access profile list 118 Access profile options 118 System maintenance 121 Backup and restore 121 Backing up and Restoring 122 Update center 124 Updati...

Page 6: ...eneral 153 Networks list 154 Networks options 155 Interface list 155 Interface options 156 Distribute list 157 Distribute list options 158 Offset list 159 Offset list options 159 Router objects 160 Ac...

Page 7: ...service list 209 Custom service list 212 Custom service options 212 Configuring custom services 213 Service group list 215 Service group options 215 Configuring service groups 216 Schedule 216 One ti...

Page 8: ...r list 241 RADIUS server options 242 LDAP 242 LDAP server list 243 LDAP server options 243 User group 245 User group list 245 User group options 246 CLI configuration 247 peer 247 peergrp 248 VPN 251...

Page 9: ...VPN access for specific certificate holders 278 CLI configuration 279 ipsec phase1 279 ipsec phase2 281 ipsec vip 282 Authenticating peers with preshared keys 284 Gateway to gateway VPN 284 Dialup VP...

Page 10: ...ine 312 Quarantined files list 312 Quarantined files list options 313 AutoSubmit list 314 AutoSubmit list options 314 Configuring the AutoSubmit list 314 Config 315 Config 316 Virus list 316 Config 31...

Page 11: ...ports 337 Category block reports options 338 Generating a category block report 338 Category block CLI configuration 338 Script filter 339 Web script filter options 340 Spam filter 341 IP address 344...

Page 12: ...E mail options 360 Log filter options 361 Configuring log filters 364 Enabling traffic logging 364 Log access 365 Viewing log messages 365 Searching log messages 367 CLI configuration 368 fortilog se...

Page 13: ...rvice and technical support About FortiWiFi Antivirus Firewalls The FortiWiFi Antivirus Firewall is a dedicated easily managed security device that delivers a full suite of capabilities that include a...

Page 14: ...SMTP POP3 and IMAP content as it passes through the FortiWiFi unit FortiWiFi antivirus protection uses pattern matching and heuristics to find viruses If a virus is found antivirus protection removes...

Page 15: ...out denying access to it completely To prevent unintentionally blocking legitimate web pages you can add URLs to an exempt list that overrides the URL blocking and content blocking lists The exempt li...

Page 16: ...The FortiWiFi firewall can operate in NAT Route mode or Transparent mode NAT Route mode In NAT Route mode the FortiWiFi unit is a Layer 3 device This means that each of its interfaces is associated wi...

Page 17: ...firewall and routing services to multiple networks so that traffic from each network is effectively separated from every other network You can develop and manage interfaces VLAN subinterfaces zones f...

Page 18: ...an connect to an IPSec VPN tunnel VPN hub and spoke using a VPN concentrator to allow VPN traffic to pass from one tunnel to another through the FortiWiFi unit IPSec Redundancy to create a redundant A...

Page 19: ...manage the FortiWiFi unit The web based manager supports multiple languages You can configure the FortiWiFi unit for HTTP and HTTPS administration from any FortiWiFi interface You can use the web bas...

Page 20: ...ing the WebTrends enhanced log format Some models can also save logs to an optional internal hard drive If a hard drive is not installed you can configure most FortiWiFi units to log the most recent e...

Page 21: ...e_str To show the settings for all interfaces you can enter show system interface To show the settings for the internal interface you can enter show system interface internal A space to separate optio...

Page 22: ...ltering and spam filtering and how to configure a VPN FortiWiFi online help Provides a context sensitive and searchable version of the Administration Guide in HTML format You can access online help fr...

Page 23: ...rtiClient software FortiMail documentation FortiMail Administration Guide Describes how to install configure and manage a FortiMail unit in gateway mode and server mode including how to configure the...

Page 24: ...our region For information about our priority support hotline live support see http support fortinet com When requesting technical support please provide the following information your name your compa...

Page 25: ...n log This chapter includes Console access Status Session list Changing the FortiWiFi firmware Console access An alternative to the web based manager discussed in this manual is text based Console Acc...

Page 26: ...s on page 117 Viewing system status Changing unit information Viewing system status Figure 2 System status System status Connect Select Connect to connect to the CLI Disconnect Select Disconnect to di...

Page 27: ...of the FortiWiFi Antivirus Definitions Attack Definitions The current installed version of the FortiWiFi Attack Definitions used by the Intrusion Prevention System IPS Serial Number The serial number...

Page 28: ...aximum network bandwidth that can be processed by the FortiWiFi unit History Select History to view a graphical representation of the last minute of CPU memory sessions and network usage This page als...

Page 29: ...P System Name To update the firmware version For information on updating the firmware see Changing the FortiWiFi firmware on page 32 To update the antivirus definitions manually 1 Download the latest...

Page 30: ...ettings see HA on page 90 To change to Transparent mode 1 Go to System Status Status 2 In the Operation Mode field of the Unit Information section select Change 3 In the Operation Mode field select Tr...

Page 31: ...m IP Set source IP address for list filtering From Port Set source port for list filtering To IP Set destination IP address for list filtering To Port Set destination port for list filtering Apply Fil...

Page 32: ...to a more recent build of the same firmware version Reverting to a previous firmware version Use the web based manager or CLI procedure to revert to a previous firmware version This procedure reverts...

Page 33: ...the CLI 1 Make sure that the TFTP server is running 2 Copy the new firmware image file to the root directory of the TFTP server 3 Log into the CLI 4 Make sure the FortiWiFi unit can connect to the TFT...

Page 34: ...Reverting to a previous firmware version Use the following procedures to revert your FortiWiFi unit to a previous firmware version Reverting to a previous firmware version using the web based manager...

Page 35: ...page 121 10 Update antivirus and attack definitions For information about antivirus and attack definitions see To update antivirus and attack definitions on page 127 Reverting to a previous firmware...

Page 36: ...mage FGT_300 v280 build158 FORTINET out 192 168 1 168 The FortiWiFi unit responds with the message This operation will replace the current firmware version Do you want to continue y n 6 Type y The For...

Page 37: ...e Backing up and Restoring on page 122 Back up the IPS custom signatures For information see Backing up and restoring custom signature files on page 303 Back up web content and email filtering lists F...

Page 38: ...Download Boot Image FortiWiFi unit running v3 x BIOS Press any key to display configuration menu Immediately press any key to interrupt the system startup If you successfully interrupt the startup pr...

Page 39: ...e and restarts The installation might take a few minutes to complete Restoring the previous configuration Change the internal interface address if required You can do this from the CLI using the comma...

Page 40: ...internal interface To test a new firmware image 1 Connect to the CLI using a null modem cable and FortiWiFi console port 2 Make sure the TFTP server is running 3 Copy the new firmware image file to th...

Page 41: ...he FTP server The IP address must be on the same network as the TFTP server but make sure you do not use the IP address of another device on this network The following message appears Enter File Name...

Page 42: ...42 01 28006 0014 20041105 Fortinet Inc Changing the FortiWiFi firmware System status...

Page 43: ...etwork configuration Interface Zone Management DNS Routing table Transparent Mode Configuring the modem interface VLAN overview VLANs in NAT Route mode VLANs in Transparent mode FortiWiFi IPv6 support...

Page 44: ...The modem interface is available if a modem is connected to the USB port see Configuring the modem interface on page 59 If you have added VLAN subinterfaces they also appear in the name list below th...

Page 45: ...e To change the MTU size of the packets leaving an interface To configure traffic logging for connections to an interface Name The name of the Interface Interface Select the name of the physical inter...

Page 46: ...ministrative distance for the default gateway retrieved from the DHCP server The administrative distance an integer from 1 255 specifies the relative priority of a route when there are multiple routes...

Page 47: ...session if it is idle for this number of seconds PADT must be supported by your ISP Set initial PADT timeout to 0 to disable Distance Enter the administrative distance for the default gateway retriev...

Page 48: ...connect You can select the following administrative access options connected The interface retrieves an IP address netmask and other settings from the PPPoE server failed The interface was unable to...

Page 49: ...e traffic log for a logging location and set the logging severity level to Notification or lower Go to Log Report Log Config to configure logging locations and types For information about logging see...

Page 50: ...for the interface and then add the interface to the zone 1 Go to System Network Zone 2 Choose the zone to add the interface or VLAN subinterface to and select Edit 3 Select the names of the interfaces...

Page 51: ...iWiFi unit attempts to contact the DHCP server from the interface to set the IP address netmask and optionally the default gateway IP address and DNS server IP addresses 7 Select Status to refresh the...

Page 52: ...terface edit intf_str config secondaryip edit 0 set ip second_ip netmask_ip Optionally you can also configure management access and add a ping server to the secondary IP address set allowaccess ping h...

Page 53: ...e 56 1 Go to System Network Interface 2 Choose an interface and select Edit 3 Select the Administrative Access methods for the interface 4 Select OK to save the changes To change the MTU size of the p...

Page 54: ...l domain to which you want to add the zone 2 Go to System Network Zone 3 Select Create New 4 In the New Zone dialog box type a name for the zone Create New Select Create New to create a zone Name The...

Page 55: ...al domain go to System Virtual Domain Current Virtual Domain and select the virtual domain in which to edit the zone 2 Go to System Network Zone 3 Select Edit to modify a zone 4 Select or deselect Blo...

Page 56: ...value of 5 minutes see To set the system idle timeout on page 89 Figure 10 Management To configure the management interface 1 Go to System Network Management 2 Enter the Management IP Netmask 3 Enter...

Page 57: ...d or that the FortiWiFi unit obtained automatically Figure 11 DNS To add DNS server IP addresses 1 Go to System Network DNS 2 Change the primary and secondary DNS server IP addresses as required 3 Sel...

Page 58: ...te number IP The destination IP address for this route Mask The netmask for this route Gateway The IP address of the next hop router to which this route directs traffic Distance The the relative prefe...

Page 59: ...o an ISP Connecting a modem to the FortiWiFi unit Configuring modem settings Connecting and disconnecting the modem Backup mode configuration Standalone mode configuration Adding firewall policies for...

Page 60: ...redial limit is 1 Select None to allow the modem to never stop redialing Holddown Timer For backup configurations The time 1 60 seconds that the FortiWiFi unit waits before switching from the modem in...

Page 61: ...until the modem connects to an ISP To disconnect the modem Use the following procedure to disconnect the modem from a dialup account 1 Go to System Network Modem 2 Select Hang Up if you want to disco...

Page 62: ...iguration In standalone mode you manually connect the modem to a dialup account The modem interface operates as the primary connection to the Internet The FortiWiFi unit routes traffic through the mod...

Page 63: ...terfaces on the FortiWiFi unit For information about adding firewall policies see To add a firewall policy on page 202 VLAN overview A VLAN is group of PCs servers and other network devices that commu...

Page 64: ...rom each security domain is given a different VLAN ID The FortiWiFi unit can recognize VLAN IDs and apply security policies to secure network and IPSec VPN traffic between security domains The FortiWi...

Page 65: ...t physical interfaces There is no internal connection or link between two VLAN subinterfaces with same VLAN ID Their relationship is the same as the relationship between any two FortiWiFi network inte...

Page 66: ...hes the VLAN ID of the packets to be received by this VLAN subinterface 6 Select the virtual domain to which to add this VLAN subinterface See System virtual domain on page 137 for information about v...

Page 67: ...tween the FortiWiFi Internal and external interface you would add a VLAN subinterface to the internal interface and another VLAN subinterface to the external interface If these VLAN subinterfaces have...

Page 68: ...ured with three VLAN subinterfaces In this configuration the FortiWiFi unit could be added to this network to provide virus scanning web content filtering and other services to each VLAN VLAN1 VLAN1 V...

Page 69: ...ork interfaces Transparent mode virtual domains and VLANs VLAN subinterfaces are added to and associated with virtual domains By default the FortiWiFi configuration includes one virtual domain named r...

Page 70: ...Domain Select a virtual domain to display the VLAN interfaces added to this virtual domain Name The name of the interface or VLAN subinterface Access The administrative access configuration for the i...

Page 71: ...or disable using a Dynamic DNS service DDNS If the FortiWiFi unit uses a dynamic IP address you can arrange with a DDNS service provider to use a domain name to provide redirection of traffic to your...

Page 72: ...periodic router advertisements and tunneling of IPv6 addressed traffic over an IPv4 addressed network All of these features must be configured through the Command Line Interface CLI See the FortiGate...

Page 73: ...an connect through the FortiWiFi 60 unit to the Internet or to internal or DMZ networks The FortiWiFi 60 supports the following wireless network standards IEEE 802 11b 2 4 GHz Band IEEE 802 11g 2 4 GH...

Page 74: ...the FortiWiFi 60 wireless network should configure their computers with the same settings Key For a 64 bit WEP key enter 10 hexadecimal digits 0 9 a f For a 128 bit WEP key enter 26 hexadecimal digits...

Page 75: ...regulatory domain Channels 1 through 8 are for indoor use only Channels 9 through 11 can be used indoors and outdoors You must make sure that the channel number complies with the regulatory standards...

Page 76: ...ettings 2 Set Geography to your country or region 3 Select a channel number for your FortiWiFi 60 wireless network 4 Enter the required Service Set ID SSID 5 Enable or disable SSID Broadcast as requir...

Page 77: ...opriate 5 To move MAC addresses between lists select the MAC address and then select the appropriate arrow key 6 To remove a MAC address from a list select the MAC address and then select the Remove b...

Page 78: ...78 01 28006 0014 20041105 Fortinet Inc Wireless MAC Filter System wireless...

Page 79: ...e cannot provide both functions at the same time This section describes Service Server Exclude range IP MAC binding Dynamic IP Service Go to System DHCP Service to configure the DHCP service provided...

Page 80: ...3 Select DHCP Relay Agent Interface List of FortiWiFi interfaces Service The DHCP service provided by the interface none DHCP Relay or DHCP Server Edit View icon Select to view or modify the DHCP serv...

Page 81: ...nfiguration for this interface See To configure a DHCP server for an interface on page 82 Server You can configure one or more DHCP servers for any FortiWiFi interface As a DHCP server the interface d...

Page 82: ...ding IP for the range of IP addresses that this DHCP server assigns to DHCP clients Network Mask Enter the netmask that the DHCP server assigns to DHCP clients Lease Time Select Unlimited for an unlim...

Page 83: ...cted subnets sends a DHCP request it is relayed to the FortiWiFi interface by the router using DHCP relay The FortiWiFi unit selects the DHCP server configuration with an IP range that matches the sub...

Page 84: ...the device When you add the MAC address and an IP address to the IP MAC binding list the DHCP server always assigns this IP address to the MAC address IP MAC binding pairs apply to all FortiWiFi DHCP...

Page 85: ...esses and the expiry time and date for these addresses To view the dynamic IP list 1 Go to System DHCP Dynamic IP 2 Select the interface for which you want to view the list Name Enter a name for the I...

Page 86: ...86 01 28006 0014 20041105 Fortinet Inc Dynamic IP System DHCP...

Page 87: ...et the FortiWiFi system time For effective scheduling and logging the FortiWiFi system time must be accurate You can either manually set the FortiWiFi system time or you can configure the FortiWiFi un...

Page 88: ...ions Timeout settings including the idle timeout and authentication timeout The language displayed by the web based manager Dead gateway detection interval and failover detection Automatically adjust...

Page 89: ...s 8 hours To improve security keep the idle timeout at the default value of 5 minutes Auth Timeout Set the firewall user authentication timeout to control how long an authenticated connection can be i...

Page 90: ...ion synchronize the cluster routing table and report individual cluster member status The units in the cluster are constantly communicating HA status information to make sure that the cluster is opera...

Page 91: ...distribute virus scanning to all the FortiWiFi units in the HA cluster By default the FortiWiFi unit load balances virus scanning among all of the FortiWiFi units in the cluster Using the CLI you can...

Page 92: ...e same virtual MAC address This virtual MAC address is set according to the group ID Table 5 lists the virtual MAC address set for each group ID If you have more than one HA cluster on the same networ...

Page 93: ...ates a different cluster unit becomes the primary cluster unit Override Master Configure a cluster unit to always override the current primary cluster unit and become the primary cluster unit Enable o...

Page 94: ...s are connected to load balancing switches Hub Load balancing if the cluster interfaces are connected to a hub Traffic is distributed to cluster units based on the Source IP and Destination IP of the...

Page 95: ...m to be able to process heartbeat packets In HA mode the cluster assigns virtual IP addresses to the heartbeat device interfaces The primary cluster unit heartbeat device interface is assigned the IP...

Page 96: ...cluster becomes the new primary unit to provide better service to the high priority network If a low priority interface fails on one cluster unit and a high priority interface fails on another cluster...

Page 97: ...er When you select apply you may temporarily lose connectivity with the FortiWiFi unit as the HA cluster negotiates 13 If you are configuring a NAT Route mode cluster power off the FortiWiFi unit and...

Page 98: ...e that the cluster is operating properly This cluster communication is also called the cluster heartbeat Inserting an HA cluster into your network temporarily interrupts communications on the network...

Page 99: ...onfiguration as the other units in the cluster 2 If the cluster is running in Transparent mode change the operating mode of the new FortiWiFi unit to Transparent mode 3 Connect the new FortiWiFi unit...

Page 100: ...te unit priority 1 weight 3 The next three connections are processed by the second subordinate unit priority 2 weight 3 The subordinate units process more connections than the primary unit and both su...

Page 101: ...logs for individual cluster units To monitor cluster units for failover To manage individual cluster units To view the status of each cluster member 1 Connect to the cluster and log into the web base...

Page 102: ...Cluster Members list The host name and serial number of the primary cluster unit changes The new primary unit logs the following messages to the event log HA slave became master Detected HA member dea...

Page 103: ...luster Each cluster unit is numbered starting at 1 The information displayed for each cluster unit includes the unit serial number and the host name of the unit 3 Complete the command with the number...

Page 104: ...system location description can be up to 35 characters long Contact Enter the contact information for the person responsible for this FortiWiFi unit The contact information can be up to 35 characters...

Page 105: ...three SNMP communities Each community can have a different configuration for SNMP queries and traps Each community can be configured to monitor the FortiWiFi unit for a different set of events You can...

Page 106: ...d one or more SNMP communities IP Address The IP address of an SNMP manager than can use the settings in this SNMP community to monitor the FortiWiFi unit You can also set the IP address to 0 0 0 0 to...

Page 107: ...compiled into your SNMP manager you do not have to compile them again Table 8 FortiWiFi MIBs MIB file name or RFC Description fortinet 2 80 mib The Fortinet MIB is a proprietary MIB that includes det...

Page 108: ...rap message includes the name of the interface and the serial number of the FortiWiFi unit HA state HA state changes The trap message includes the previous state the new state and a flag indicating wh...

Page 109: ...Flood NIDS attack prevention detects and provides protection from a syn flood attack Port scan attack IdsPortScan NIDS attack prevention detects and provides protection from a port scan attack Table 1...

Page 110: ...priority of the individual FortiWiFi unit in a cluster override The master override setting enable or disable for an individual FortiWiFi unit in a cluster autoSync Auto config synchronization flag sc...

Page 111: ...Can be password LDAP or RADIUS state Whether the local user is enabled or disable Table 20 Virtual domains MIB field Description index The index number virtual domain added to the FortiWiFi unit name...

Page 112: ...igure 40 Replacement messages list To change a replacement message 1 Go to System Config Replacement Messages 2 Select the category of replacement message to edit by clicking on the blue triangle for...

Page 113: ...a file that contained a virus or was blocked by antivirus file blocking QUARFILENAME can be used in virus and file block messages Quarantining is only available on FortiWiFi units with a local disk UR...

Page 114: ...le was removed EMAIL_TO The email address of the intended receiver of the message from which the file was removed NIDSEVENT The IPS attack message NIDSEVENT is added to alert email intrusion messages...

Page 115: ...read only write only or both read and write access to the following FortiWiFi features This chapter describes Administrators Access profiles Administrators Use the admin account or an account with sys...

Page 116: ...e Password icon The admin administrator account cannot be deleted Administrator Enter the login name for the administrator account Password Type a password for the administrator account For improved s...

Page 117: ...r must connect only through the subnet or subnets you specify You can even restrict an administrator to a single IP address if you define only one trusted host IP address with a netmask of 255 255 255...

Page 118: ...nder Access Control Allow Write All Select Allow Write All to give an administrator write privilege on all the items under Access Control System Configuration Allow or deny access to the system status...

Page 119: ...1105 119 To configure an access profile 1 Go to System Admin Access Profile 2 Select Create New to add an access profile or select the edit icon to edit an existing access profile 3 Enter a name for t...

Page 120: ...120 01 28006 0014 20041105 Fortinet Inc Access profiles System administration...

Page 121: ...pam filtering files to the management computer You can also restore system configuration VPN certificate web and spam filtering files from previously downloaded backup files Figure 48 Backup and resto...

Page 122: ...system to its original configuration including resetting interface addresses This procedure does not change the firmware version or the antivirus or attack definitions Debug Log Download debug log Web...

Page 123: ...r select Browse and locate the file 4 Select OK If you restore the system configuration the FortiWiFi unit restarts loading the new system settings You should then reconnect to the web based manager a...

Page 124: ...t 9443 To receive push updates the FDN must be able to route packets to the FortiWiFi unit using UDP port 9443 For information about configuring push updates see To enable push updates on page 129 The...

Page 125: ...FortiWiFi unit to send push updates Push updates may not be available if you have not registered the FortiWiFi unit see To register a FortiWiFi unit on page 134 if there is a NAT device installed bet...

Page 126: ...was successful and new updates were installed Other messages can indicate that the FortiWiFi was not able to connect to the FDN and other error conditions Allow Push Update Select this check box to a...

Page 127: ...whether the update was successful or not To enable scheduled updates 1 Go to System Maintenance Update center 2 Select the Scheduled Update check box 3 Select one of the following to check for and dow...

Page 128: ...m autoupdate tunneling set address proxy address_ip set port proxy port set username username_str set password password_str set status enable end For example if the IP address of the proxy server is 6...

Page 129: ...ded as the only method for obtaining updates The FortiWiFi unit might not receive the push notification Also when the FortiWiFi unit receives a push notification it makes only one attempt to connect t...

Page 130: ...FortiWiFi NAT device and the FortiWiFi unit on the internal network so that the FortiWiFi unit on the internal network can receive push updates 1 Add a port forwarding virtual IP to the FortiWiFi NAT...

Page 131: ...lect the Use override push check box 4 Set IP to the external IP address added to the virtual IP 5 Set Port to the external service port added to the virtual IP 6 Select Apply The FortiWiFi unit sends...

Page 132: ...gister the FortiWiFi unit with FortiNet Contact Information Enter the contact information so that FortiNet support can reply to your bug report Items marked with an are required Bug Description Enter...

Page 133: ...rtiWiFi units in a single session without re entering your contact information Once registration is completed Fortinet sends a Support Login user name and password to your email address You can use th...

Page 134: ...you purchase a FortiCare Support Contract you can update the registration information to add the support contract number A single FortiCare Support Contract can cover multiple FortiWiFi units You must...

Page 135: ...entered a support contract number a real time validation is performed to verify that the SCN information matches the FortiWiFi unit If the information does not match you can try entering it again A we...

Page 136: ...the values set at the factory This procedure does not change the firmware version or the antivirus or attack definitions 1 Go to System Maintenance Shutdown 2 Select Reset to factory default 3 Select...

Page 137: ...ctions between VLAN subinterfaces or zones in the virtual domain Packets never cross the virtual domain border The remainder of FortiWiFi functionality is shared between virtual domains This means tha...

Page 138: ...s Physical interfaces see To add physical interfaces to a virtual domain on page 142 VLAN subinterfaces see To add VLAN subinterfaces to a virtual domain on page 143 Zones see To add zones to a virtua...

Page 139: ...rus Definitions and engine Attack Definitions and engine Serial Number Operation Mode Network configuration DNS settings DHCP configuration DHCP settings are applied per interface no matter which virt...

Page 140: ...l domain if you want these systems to communicate with network resources that can connect to a different virtual domain Virtual domains Go to System Virtual domain Virtual domains to view and add virt...

Page 141: ...Name The virtual domain must not have the same name as a VLAN or zone 4 Select OK Selecting a virtual domain The following procedure applies to NAT Route and Transparent mode To select a virtual doma...

Page 142: ...nfigure virtual domains Adding interfaces VLAN subinterfaces and zones to a virtual domain Configuring routing for a virtual domain Configuring firewall policies for a virtual domain Configuring IPSec...

Page 143: ...dure describes how to move a VLAN subinterface from one virtual domain to another You cannot remove a VLAN subinterface from a virtual domain if firewall policies have been added for it Delete the fir...

Page 144: ...on for the current virtual domain To configure the routing table for a virtual domain in Transparent mode 1 Go to System Virtual domain Virtual domains 2 Select Change following the current virtual do...

Page 145: ...le 3 Choose the virtual domain for which to configure firewall addresses 4 Select OK 5 Go to Firewall Address 6 Add new firewall addresses address ranges and address groups to the current virtual doma...

Page 146: ...rtual domain The following procedure applies to NAT Route and Transparent mode 1 Go to System Virtual domain Virtual domains 2 Select Change following the current virtual domain name above the table 3...

Page 147: ...You can decrease the distance value of a static route to indicate that the route is preferable compared to another static route that specifies a different gateway to the same destination network Rout...

Page 148: ...8 10 1 Device Name of the interface connected to network 192 168 10 0 24 e g external Distance 10 The Gateway setting specifies the IP address of the next hop router interface to the FortiGate externa...

Page 149: ...ination IP mask 192 168 30 0 24 Gateway 192 168 10 2 Device dmz Distance 10 To route packets from Network_2 to Network_1 Router_2 must be configured to use the FortiGate dmz interface as its default g...

Page 150: ...ence number for this route IP The destination IP address for this route Mask The netmask for this route Gateway The IP address of the first next hop router to which this route directs traffic Device T...

Page 151: ...list and attempts to match the packet with a policy The policy route supplies the next hop gateway as well as the FortiWiFi interface to be used by the traffic If no policy route matches the packet th...

Page 152: ...IP supports both RIP version 1 as defined by RFC 1058 and RIP version 2 as defined by RFC 2453 RIP version 2 enables RIP messages to carry more information and to support simple authentication and sub...

Page 153: ...servers in the network should have the same RIP timer settings Update The time interval in seconds between RIP updates Garbage The time in seconds that must elapse after the timeout interval for a rou...

Page 154: ...sed for the redistributed routes 4 Select a Route map name 5 Select Apply Networks list Identify the networks for which to send and receive RIP updates If a network is not specified interfaces in that...

Page 155: ...2 authentication RIP version send and receive for the specified interface and configure and enable split horizon Authentication is only available for RIP version 2 packets sent and received by an int...

Page 156: ...the Receive Version here overrides the default RIP version for this interface Split Horizon Configure RIP to use either regular or poisoned reverse split horizon on this interface Select Regular to pr...

Page 157: ...list If you do not specify an interface the filter will be applied to all interfaces in the current virtual domain You must configure the access list or prefix list that you want the distribute list t...

Page 158: ...ibute list Direction The direction for the filter Filter The type of filter and the filter name Interface The interface to use this filter on If no interface name is displayed this distribute list is...

Page 159: ...rtual domain go to System Virtual Domain Virtual Domains and select the virtual domain Create New Add a new offset list Direction The direction for the offset list Access list The access list to use f...

Page 160: ...x exactly or to match the prefix and any more specific prefix The FortiWiFi unit attempts to match a packet against the rules in an access list starting at the top of the list If it finds a match for...

Page 161: ...Match a network address enter the IP address and netmask that define the prefix for this access list entry 6 Select Exact match if required 7 Select OK Prefix list A prefix list is an enhanced versio...

Page 162: ...ure such as RIP or OSPF Figure 73 Prefix list New Prefix list Figure 74 Prefix list name configuration To add a prefix list name 1 Go to Router Router Objects Prefix List 2 Select Create New 3 Enter a...

Page 163: ...elect OK Route map list Route maps are a specialized form of filter Route maps are similar to access lists but have enhanced matching criteria and in addition to permit or deny actions can be configur...

Page 164: ...iple match statements are defined in a rule all the match statements must match before the set statements can be used For a route map to take effect it must be called by another FortiWiFi routing feat...

Page 165: ...to deny routes that match this entry Match The criteria to match Interface Match a route with the selected destination interface Address Match a route if the destination address is included in the sel...

Page 166: ...tes from one key to the next according to the scheduled send and receive lifetimes The sending and receiving routers should have their system dates and times synchronized but overlapping the key lifet...

Page 167: ...required hour minute second year month and day to start using this key for received routing updates Key chain entry The key chain name and the ID number for this key chain entry Key The key password...

Page 168: ...i routing table Routing monitor list Figure 82 Routing monitor To filter the routing monitor display 1 Go to Router Monitor Routing Monitor 2 Select a type of route to display or select all to display...

Page 169: ...router info ospf database get router info ospf interface get router info protocols Show the current state of active routing protocols Command syntax get router info protocols Note You can configure T...

Page 170: ...nnected to more than one area is an area border router ABR Routing information is contained in a link state database Routing information is communicated between routers using link state advertisements...

Page 171: ...ng the overflow state The lsas_integer must be the same on all routers attached to the OSPF area and the OSPF backbone The valid range for lsas_integer is 0 to 4294967294 10000 All models database ove...

Page 172: ...hat only supports RFC 1583 When RFC 1583 compatibility is enabled routers choose the path with the lowest cost Otherwise routers choose the lowest cost intra area path through a non backbone area disa...

Page 173: ...backbone area that all areas can connect to You can use a virtual link to connect areas that do not have a physical connection to the backbone Routers within an OSPF area maintain link state databases...

Page 174: ...n for interfaces the authentication configured for the area is not used Authentication passwords or keys are defined per interface See config ospf interface on page 186 none All models default cost co...

Page 175: ...A You can set the translator role to always to ensure this FortiWiFi unit always acts as a translator if it is in a NSSA even if other routers in the NSSA are also acting as translators You can set th...

Page 176: ...x list on page 161 config filter list command syntax pattern config filter list edit id_integer set keyword variable end config filter list edit id_integer unset keyword end config filter list delete...

Page 177: ...e shows how to display the configuration for area 15 1 1 1 config router ospf config area edit 15 1 1 1 show end config range Access the config range subcommand using the config area command Use the a...

Page 178: ...5 1 1 1 get end Note Only the prefix keyword is required All other keywords are optional range command keywords and variables Keywords and variables Description Default Availability advertise disable...

Page 179: ...nection to the backbone A virtual link allows traffic from the area to transit a directly connected area to reach the backbone The transit area cannot be a stub area Virtual links can only be set up b...

Page 180: ...authentication The authentication key must be the same on both ends of the virtual link The maximum length for the authentication key is 15 characters No default All models authentication must be set...

Page 181: ...g router ospf command retransmit interval seconds_integer The time in seconds to wait before sending a LSA retransmission The value for the retransmit interval must be greater than the expected round...

Page 182: ...distribute list edit id_integer unset keyword end config distribute list delete id_integer end config distribute list edit id_integer get end config distribute list edit id_integer show end Example T...

Page 183: ...r distribute list 2 config router ospf config distribute list edit 2 show end config neighbor Access the config neighbor subcommand using the config router ospf command Use this command to manually co...

Page 184: ...ther keywords are optional neighbor command keywords and variables Keywords and variables Description Default Availability cost cost_integer Enter the cost to use for this neighbor The valid range for...

Page 185: ...integer end config network edit id_integer get end config network edit id_integer show end Example Use the following command to enable OSPF for the interfaces attached to networks specified by the IP...

Page 186: ...nterface command syntax pattern config ospf interface edit interface name_str set keyword variable end config ospf interface edit interface name_str unset keyword end config ospf interface delete inte...

Page 187: ...uter is mistakenly added to the network If you configure authentication for the interface authentication for areas is not used All routers on the network must use the same authentication type none All...

Page 188: ...without unsetting all of the keys The key ID and key must be the same on all neighboring routers The valid range for id_integer is 1 to 255 key_str is an alphanumeric string of up to 16 characters No...

Page 189: ...iority router ID is used Point to point networks do not elect a DR or BDR therefore this setting has no effect on a point to point network The valid range for priority_integer is 0 to 255 1 All models...

Page 190: ...on key a2b3c4d5e end end This example shows how to display the settings for the OSPF interface configuration named test config router ospf config ospf interface edit test get end This example shows ho...

Page 191: ...ter ospf config summary address Access the config summary address subcommand using the config router ospf command redistribute command keywords and variables Keywords and variables Description Default...

Page 192: ...get router ospf show router ospf Example This example shows how to summarize routes using the prefix 10 0 0 0 255 0 0 0 config router ospf config summary address edit 5 set prefix 10 0 0 0 255 0 0 0...

Page 193: ...te that best matches the destination address of the packet If a match is not found the FortiWiFi unit routes the packet using the default route Command syntax pattern config router static6 edit sequen...

Page 194: ...60 set gateway 12AB 0 0 CD30 123 4567 89AB CDEF end This example shows how to display the list of IPV6 static route numbers get router static6 This example shows how to display the settings for IPV6 s...

Page 195: ...Each policy can be individually configured to route connections or apply network address translation NAT to translate source and destination IP addresses and ports You can add IP pools to use dynamic...

Page 196: ...mpt source and destination addresses service port and time and date at which the connection attempt was received The first policy that matches is applied to the connection attempt If no policy matches...

Page 197: ...on page 204 Schedule The schedule that controls when the policy should be active See Schedule on page 216 Service The service to which the policy applies See Service on page 208 Action The response to...

Page 198: ...Before you can add this address to a policy you must add it to the destination interface VLAN subinterface or zone For information about adding an address see Addresses on page x For NAT Route mode po...

Page 199: ...you select NAT you can also select Dynamic IP Pool and Fixed Port NAT is not available in Transparent mode Dynamic IP Pool Select Dynamic IP Pool to translate the source address to an address randoml...

Page 200: ...ups for authentication You can select Authentication for any service Users can authenticate with the firewall using HTTP Telnet or FTP For users to be able to authenticate you must add an HTTP Telnet...

Page 201: ...le routers sort IP traffic into classes by inspecting the DS field in IPv4 header or the Traffic Class field in the IPv6 header You can use the FortiWiFi DiffServ feature to change the DSCP Differenti...

Page 202: ...e results that you expect For information about arranging policies in a policy list see How policy matching works on page 196 To delete a policy 1 Go to Firewall Policy 2 Select the Delete icon beside...

Page 203: ...To enable a policy 1 Go to Firewall Policy 2 Select Enable Policy CLI configuration The natip keyword for the firewall policy command is used in encrypted VPN policies A natip address cannot be added...

Page 204: ...Configuring address groups firewall policy command keywords and variables Keywords and variables Description Default Availability natip address_ipv4mask Configure natip for a firewall policy with act...

Page 205: ...net IP address 192 168 20 0 and Netmask 255 255 255 0 A single IP address for example IP Address 192 168 20 1 and Netmask 255 255 255 255 All possible IP addresses represented by IP Address 0 0 0 0 an...

Page 206: ...ss 1 Go to Firewall Address 2 Select Create New 3 Enter a name to identify the address 4 Enter the IP address and netmask or the IP address range 5 Select OK To edit an address Edit an address to chan...

Page 207: ...Figure 91 Address group options Address group has the following options Note If an address group is included in a policy it cannot be deleted unless it is first removed from the policy Create New Sele...

Page 208: ...all Address Group 2 Select the Delete icon beside the address group you want to delete 3 Select OK To edit an address group 1 Go to Firewall Address Group 2 Select the Edit icon beside the address gro...

Page 209: ...lows an arbitrary network protocol to be transmitted over any other arbitrary network protocol by encapsulating the packets of the protocol within GRE packets 47 AH Authentication Header AH provides s...

Page 210: ...tocol used for retrieving email messages tcp 143 Internet Locator Service Internet Locator Service includes LDAP User Locator Service and LDAP over TLS SSL tcp 389 IRC Internet Relay Chat allows peopl...

Page 211: ...Routing Information Protocol is a common distance vector routing protocol udp 520 SIP MSNmessenger Session Initiation Protocol is used by Microsoft Messenger to initiate an interactive possibly multi...

Page 212: ...WAIS Wide Area Information Server is an Internet search protocol tcp 210 WINFRAME For WinFrame communications between computers running Windows NT tcp 1494 X WINDOWS For remote communications between...

Page 213: ...and high port numbers If the service uses one port number enter this number in both the low and high fields Destination Port Specify the Destination Port number range for the service by entering the l...

Page 214: ...service 6 Select OK You can now add this custom service to a policy To add a custom IP service 1 Go to Firewall Service Custom 2 Select Create New 3 Enter a name for the new custom IP service 4 Selec...

Page 215: ...s the following icons and features Service group options Service group options are configurable when creating or editing a service group Figure 98 Service group options Service group has the following...

Page 216: ...ewall Service Group 2 Select the Edit icon beside the service group you want to modify 3 Make any required changes 4 Select OK Schedule Use schedules to control when policies are active or inactive Yo...

Page 217: ...e schedule list has the following icons and features One time schedule options Figure 100 One time schedule options One time schedule has the following options Configuring one time schedules To add a...

Page 218: ...of the day or on specified days of the week For example you might want to prevent game play during working hours by creating a recurring schedule Figure 101 Sample recurring schedule list The recurri...

Page 219: ...edules use a 24 hour clock 6 Select OK To delete a recurring schedule 1 Go to Firewall Schedule Recurring 2 Select the Delete icon beside the recurring schedule you want to delete 3 Select OK To edit...

Page 220: ...e types of virtual IPs This section describes Virtual IP list Virtual IP options Configuring virtual IPs Note To change the one time schedule name you must delete the schedule and add it with a new na...

Page 221: ...ic NAT or port forwarding Figure 104 Virtual IP options static NAT Figure 105 Virtual IP options port forwarding Create New Select Create New to add a virtual IP Name The name of the virtual IP IP The...

Page 222: ...ted in step 4 However the external IP address must be routed to the selected interface The virtual IP address and the external IP address can be on different subnets 7 Enter the Map to IP address to w...

Page 223: ...ust be routed to the external interface selected in step 4 The virtual IP address and the external IP address can be on different subnets 7 Enter the External Service Port number for which you want to...

Page 224: ...server the external service port number should be 1723 the PPTP port See PPTP passthrough on page 268 for more information 8 Enter the Map to IP address to which to map the external IP address For ex...

Page 225: ...he IP pool to use when configuring a firewall policy You can enter an IP address range using the following formats x x x x x x x x for example 192 168 110 100 192 168 110 120 x x x x x for example 192...

Page 226: ...he IP pool as required 4 Select OK to save the changes IP Pools for firewall policies that use fixed ports Some network configurations do not operate correctly if a NAT policy translates the source po...

Page 227: ...tion As a result connections to the Internet appear to be originating from any of the IP addresses in the IP pool Protection profile Use protection profiles to apply different protection settings for...

Page 228: ...policy or included in a user group Strict To apply maximum protection to HTTP FTP IMAP POP3 and SMTP traffic You may not wish to use the strict protection profile under normal circumstances but it is...

Page 229: ...or disable virus scanning for viruses and worms for each protocol HTTP FTP IMAP POP3 SMTP Grayware if enabled in Antivirus Config Config is included with the Virus Scan Heuristic if enabled in the CL...

Page 230: ...and patterns in the content block list Web URL Block Enable or disable web page filtering for HTTP traffic based on the URL block list Web Exempt List Enable or disable web page filtering for HTTP tr...

Page 231: ...to circumvent web category blocking Allow websites when a rating error occurs HTTP only Allow web pages that return a rating error from the web filtering service Category The FortiGuard web filtering...

Page 232: ...you to append a custom tag to the subject or header of email identified as spam For SMTP you can choose between tagged or discard Discard immediately drops the connection You can tag email by appendin...

Page 233: ...profile to a policy You can enable protection profiles for firewall policies with action set to allow or encrypt and with service set to ANY HTTP FTP IMAP POP3 SMTP or a service group that includes t...

Page 234: ...ion profiles Use protection profiles to apply different protection settings for traffic controlled by firewall policies Command syntax pattern config firewall profile edit profilename_str set keyword...

Page 235: ...etes When downloading files from an FTP server the FortiWiFi unit sends 1 byte every 30 seconds to prevent the client from timing out during scanning and download If a virus is detected the FortiWiFi...

Page 236: ...he FortiWiFi unit to simultaneously scan an email and send it to the SMTP server If the FortiWiFi unit detects a virus it terminates the server connection and returns an error message to the sender li...

Page 237: ...profile command get firewall profile This example shows how to display the settings for the spammail profile get firewall profile spammail This example shows how to display the configuration for the f...

Page 238: ...238 01 28006 0014 20041105 Fortinet Inc Protection profile Firewall...

Page 239: ...the user s credentials locally or using an external LDAP or RADIUS server Authentication expires if the user leaves the connection idle for longer than the authentication timeout period You need to d...

Page 240: ...minutes Local Go to User Local to add local user names and configure authentication Local user list Figure 116 Local user list Local user options Figure 117 Local user options Create New Add a new loc...

Page 241: ...authentication The default port for RADIUS traffic is 1812 If your RADIUS server is using port 1645 you can use the CLI to change the default RADIUS port For more information see the config system glo...

Page 242: ...me that you want to delete 3 Select OK LDAP If you have configured LDAP support and a user is required to authenticate using an LDAP server the FortiWiFi unit contacts the LDAP server for authenticati...

Page 243: ...ure 120 LDAP server list LDAP server options Figure 121 LDAP server configuration Create New Add a new LDAP server Server Name IP The domain name or IP address of the LDAP server Port The port used to...

Page 244: ...ct Delete beside the LDAP server name that you want to delete 3 Select OK Common Name Identifier Enter the common name identifier for the LDAP server The common name identifier for most LDAP servers i...

Page 245: ...uth The FortiWiFi PPTP configuration Only users in the selected user group can use PPTP The FortiWiFi L2TP configuration Only users in the selected user group can use L2TP When you add user names RADI...

Page 246: ...group select an LDAP server from the Available Users list and select the right arrow to add the LDAP server to the Members list 7 To remove users RADIUS servers or LDAP servers from the user group sel...

Page 247: ...syntax pattern config user peer edit name_str set keyword variable config user peer edit name_str unset keyword config user peer delete name_str get user peer name_str show user peer name_str Example...

Page 248: ...str set keyword variable config user peergrp edit name_str unset keyword config user peergrp delete name_str get user peergrp name_str show user peergrp name_str Example This example shows how to add...

Page 249: ...is example shows how to display the settings for the peergrp EU_branches get user peergrp EU_branches This example shows how to display the configuration for all the peers groups show user peergrp Thi...

Page 250: ...250 01 28006 0014 20041105 Fortinet Inc CLI configuration Users and authentication...

Page 251: ...l L2TP This chapter contains information about the following VPN topics Phase 1 Phase 2 Manual key Concentrator Ping Generator Monitor PPTP L2TP Certificates CLI configuration Authenticating peers wit...

Page 252: ...re Phase 1 list Figure 124 IPSec VPN Phase 1 list Create New Select Create New to add a Phase 1 configuration also called a remote gateway Gateway Name The names of the Phase 1 configurations remote g...

Page 253: ...fields may become available or be removed IP Address If you select Static IP Address for Remote Gateway enter the IP address of the gateway or client Dynamic DNS If you select Dynamic DNS for Remote...

Page 254: ...icate name of the remote client or peer for the remote client or peer to start a VPN session with the FortiWiFi unit Select Accept any peer ID to accept the local ID or peer ID of any remote client or...

Page 255: ...hentication enter the distinguished name DN of the local certificate XAuth You can configure the FortiWiFi unit as an Extended Authentication XAuth client or an XAuth server For more information see C...

Page 256: ...AP between the XAuth client and the FortiWiFi unit and CHAP between the FortiWiFi unit and the authentication server Use CHAP whenever possible Use PAP if the authentication server does not support CH...

Page 257: ...identification process For information about how to create a Phase 1 Dialup User configuration see Dialup VPN on page 285 If the tunnel is to connect a static remote gateway select the name of an exis...

Page 258: ...d session NULL Do not use a message digest MD5 Message Digest 5 the hash algorithm developed by RSA Data Security SHA1 Secure Hash Algorithm 1 which produces a 160 bit message digest To specify one co...

Page 259: ...keep alive to keep the VPN connection open even if no data is being transferred DHCP IPSec If the tunnel will service remote dialup clients that broadcast a DHCP request when connecting to the tunnel...

Page 260: ...name for the VPN tunnel Local SPI The local Security Parameter Index SPI identifies the local manual key VPN peer Enter a hexadecimal number digits can be 0 to 9 a to f in the range bb8 to FFFFFFF Thi...

Page 261: ...to two segments of 16 characters For AES192 enter a 48 character 24 byte hexadecimal number 0 9 A F Separate the number into three segments of 16 characters For AES256 enter a 64 character 32 byte hex...

Page 262: ...through two tunnels simultaneously The ping interval is fixed at 40 seconds The source and destination IP addresses refer to the source and destination addresses of IP packets that are to be transport...

Page 263: ...Sec VPN monitor to view connections to IPSec VPN tunnels The display provides information about tunnel connections including addressing proxy IDs and status information Enable Disable or enable pingin...

Page 264: ...the tunnel connected and idle The dialup client must disconnect before another tunnel can be initiated Flush dialup tunnels icon Stop all dialup tunnels and stop the traffic passing through all dialup...

Page 265: ...enable authentication you must add a user group to the FortiWiFi unit Within the user group add a user name for each PPTP client You can add users to the FortiWiFi user database to authentication ser...

Page 266: ...example if you want PPTP clients to be able to access a web server set the service to HTTP See To add a firewall policy on page 202 6 Configure the Windows clients See Configuring a Windows 2000 clie...

Page 267: ...ocedure 2 Enter your PPTP VPN User Name and Password 3 Select Connect 4 In the connect window enter the User Name and Password that you use to connect to your dialup network connection This user name...

Page 268: ...he same as your VPN user name and password PPTP passthrough The FortiWiFi unit supports PPTP passthrough by configuring a port forwarding virtual IP to use port 1723 Normally PPTP passthrough requires...

Page 269: ...nternal 4 For Address name Set Source to All Set Destination to PPTP_pass 5 Set Schedule as required 6 Set Service to ANY 7 Set action to ACCEPT 8 Select NAT 9 Select OK L2TP You can set up VPN connec...

Page 270: ...L2TP range See To add an address on page 206 4 Add a destination address The destination address is the address to which the L2TP clients can connect For example if the destination address is on the...

Page 271: ...ination Address enter the address of the FortiWiFi unit to connect to and select Next 5 Set Connection Availability to Only for myself and select Next 6 Select Finish 7 In the Connect window select Pr...

Page 272: ...ndows 2000 based computer does not create the automatic filter that uses CA authentication Instead it checks for a local or active directory IPSec policy To connect to the L2TP VPN 1 Start the dialup...

Page 273: ...1 Make sure that the following options are not selected File and Printer Sharing for Microsoft Networks Client for Microsoft Networks To disable IPSec 1 Select the Networking tab 2 Select Internet Pro...

Page 274: ...a public key and some identifying information that has been digitally signed by a trusted third party known as a certificate authority CA Because CAs can be trusted the certificates issued by a CA ar...

Page 275: ...509 standard To generate a certificate request 1 Go to VPN Certificates Local Certificates 2 Select Generate 3 Enter a Certificate Name Typically this is the name of the FortiWiFi unit being certifie...

Page 276: ...upport all three key sizes 7 Select OK The request is generated and displayed in the Local Certificates list with a status of Pending 8 Select the Download button to download the request to a PC on th...

Page 277: ...Certificates Certificate Name Type a certificate name Subject Information Enter an ID type and the related information for the FortiWiFi unit being certified You can use one of the following three ID...

Page 278: ...y CA_Cert_1 CA_Cert_2 CA_Cert_3 and so on Enabling VPN access for specific certificate holders When a VPN peer is configured to authenticate using digital certificates it sends the Distinguished Name...

Page 279: ...o the group The group must be added to the FortiWiFi configuration through the config user peergrp CLI command before it can be selected here For more information see the config user chapter of the CL...

Page 280: ...is period of time expires whenever the local peer sends traffic to the remote VPN peer it will also send a DPD probe to determine the status of the link The dpd idleworry range is 1 to 300 To control...

Page 281: ...le_GW set Type dynamic set proposal des md5 set authmethod psk set psksecret Qf2p3O93jIj2bz7E set mode aggressive set dpd enable set dpd idlecleanup 1000 set dpd idleworry 150 set dpd retrycount 5 set...

Page 282: ...ffic to the intended destinations automatically Each IPSec VIP entry is identified by an integer An entry identifies the name of the FortiWiFi interface to the destination network and the IP address o...

Page 283: ...set out interface external next edit 2 set ip 192 168 12 2 set out interface external end This example shows how to display the settings for the vpn ipsec vip command get vpn ipsec vip This example s...

Page 284: ...is often referred to as adding a tunnel See Phase 2 on page 256 4 Add the firewall configuration required for the VPN See Adding firewall policies for IPSec VPN tunnels on page 286 Gateway to gateway...

Page 285: ...Dynamic DNS VPN allows remote users or gateways with dynamic IP addresses to use VPN to connect to a private network In this case the gateway or client at the remote end of the VPN tunnel has a dynami...

Page 286: ...bout firewall policies You can also use firewall policies for IPSec VPN to apply protection profiles to VPN traffic to log IPSec VPN traffic and to apply advanced features to IPSec VPN traffic such as...

Page 287: ...icy direction See Setting the encryption policy direction on page 286 3 Add the source and destination addresses See To add an address on page 206 4 Set Action to ENCRYPT 5 From the VPN tunnel list se...

Page 288: ...al source interface Then create Internet access policies for VPN users For example if the virtual source interface is VLAN_21 and the wan 1 interface is connected to the Internet you would require cre...

Page 289: ...guration to define the parameters used to authenticate the remote VPN peer 2 Set other phase 1 options as required See Phase 1 on page 252 3 Add the phase 2 configuration to define the parameters used...

Page 290: ...s the address of the spoke either a client on the Internet or a network located behind a gateway See To add an address on page 206 3 Add the concentrator configuration This step groups the tunnels tog...

Page 291: ...e VPN concentrator configuration To add a VPN concentrator configuration 1 Go to VPN IPSEC Concentrator 2 Select New to add a VPN concentrator 3 Enter the name of the new concentrator in the Concentra...

Page 292: ...the address of the spoke either a client on the Internet or a network located behind a gateway See To add an address on page 206 4 Add a separate outbound encrypt policy for each remote VPN spoke Thes...

Page 293: ...en two VPN peers one peer can have multiple Internet connections while the other has only one Internet connection In the case of an asymmetrical configuration the level of redundancy varies from one e...

Page 294: ...three VPN connections If the Internet connections are in the same zone add one VPN tunnel and add the remote gateways to it You can add up to three remote gateways If the Internet connections are in s...

Page 295: ...the two sites have been coordinated to protect against ambiguous routing no two IP addresses are the same Setting up a configuration like this involves performing the following tasks at FortiGate_1 an...

Page 296: ...remote peer software configuration Check the FortiWiFi firewall configuration Configuration Error Correction Wrong remote network information Check the IP addresses of the remote gateway and network W...

Page 297: ...file select edit or Create New and select IPS See Protection profile options on page 228 Protection profile configuration For information about adding protection profiles to firewall policies see To a...

Page 298: ...tion to an extensive list of predefined attack signatures you can also create your own custom attack signatures for the FortiWiFi unit See Adding custom signatures on page 303 Predefined Predefined si...

Page 299: ...s Action can be Pass Drop Reset Reset Client Reset Server Drop Session Clear Session or Pass Session See Table 26 Revision The revision number for individual signatures To show the signature group mem...

Page 300: ...Used for TCP connections only If you set this action for non TCP connection based attacks the action will behave as Clear Session If the Reset Client action is triggered before the TCP connection is f...

Page 301: ...a signature 1 Go to IPS Signature Predefined 2 Select the blue triangle next to a signature group name to display the members of that group 3 Select the Reset icon for the signature you want to resto...

Page 302: ...out If a session is idle for longer than this number of seconds the session will not be maintained by tcp_reassembler min_ttl A packet with a higher ttl number in its IP header than the number specifi...

Page 303: ...custom signatures from the custom signature group Reset to recommended settings Reset all the custom signatures to the recommended settings Name The custom signature names Revision The revision number...

Page 304: ...essions targeting a single destination in one second is over a threshold the destination is experiencing flooding Scan If the number of sessions from a single source in one second is over a threshold...

Page 305: ...t Reset Server Drop Session Clear Session or Pass Session Modify The Edit and Reset icons If you have changed the settings for an anomaly you can use the Reset icon to change the settings back to the...

Page 306: ...is fully established it acts as Clear Session Reset Client The FortiWiFi unit drops the packet that triggered the anomaly sends a reset to the client and removes the session from the FortiWiFi session...

Page 307: ...dit name_str unset keyword end config limit delete name_str Example Use the following command to configure the limit for the tcp_src_session anomaly config ips anomaly tcp_src_session config limit edi...

Page 308: ...g signatures for attacks that your system is not vulnerable to for example web attacks when you are not running a web server For more information on FortiWiFi logging and alert email see Log Report on...

Page 309: ...ocol HTTP FTP IMAP POP3 SMTP View a read only list of current viruses File Block Antivirus File Block Enable or disable file blocking for each protocol Configure file patterns to block enable or disab...

Page 310: ...rtiProtect Center at http www fortinet com FortiProtectCenter To set up automatic and push updates see Update center on page 124 This chapter describes File block Quarantine Config CLI configuration F...

Page 311: ...nformation files pif Figure 155 Default file block list File block list has the following icons and features Create New Select Create New to add a new file pattern to the file block list Apply Select...

Page 312: ...ed files list Quarantined files list options AutoSubmit list AutoSubmit list options Configuring the AutoSubmit list Config Quarantined files list The quarantined files list displays information about...

Page 313: ...versize exe Date The date and time that the file was quarantined in the format dd mm yyyy hh mm This value indicates the time that the first file was quarantined if the duplicate count increases Servi...

Page 314: ...ions AutoSubmit list has the following icons and features Configuring the AutoSubmit list To add a file pattern to the AutoSubmit list 1 Go to Anti Virus Quarantine AutoSubmit 2 Select Create New Figu...

Page 315: ...e time limit in hours for which to keep files in quarantine The age limit is used to formulate the value in the TTL column of the quarantined files list When the limit is reached the TTL column displa...

Page 316: ...he FortiWiFi unit to receive automatic updates daily or whenever required To manually upload a virus list update see Changing unit information on page 29 To find out how to use the Fortinet Update Cen...

Page 317: ...t all new categories are disabled Grayware is enabled in a protection profile when Virus Scan is enabled Grayware options Grayware categories are populated with known executable files Each time the Fo...

Page 318: ...or bookmarks start pages and menu options Plugin Select enable to block browser plugins Browser plugins can often be harmless Internet browsing tools that are installed and operate directly from the b...

Page 319: ...for the antivirus heuristic command show antivirus heuristic quarantine The quarantine command also allows configuration of heuristic related settings Table 28 antivirus heuristic command keywords an...

Page 320: ...s Description Default Availability drop_heuristic ftp http imap pop3 smtp Do not quarantine files found by heuristic scanning in traffic for the specified protocols imap smtp pop3 http ftp FortiGate m...

Page 321: ...tiWiFi unit handles antivirus scanning of large files how the FortiWiFi unit handles the buffering and uploading of files to an FTP server and what ports the FortiWiFi unit virus scans for FTP traffic...

Page 322: ...igure how the FortiWiFi unit handles antivirus scanning of large files and what ports the FortiWiFi unit virus scans for POP3 traffic Command syntax pattern config antivirus service pop3 set keyword v...

Page 323: ...command to configure how the FortiWiFi unit handles antivirus scanning of large files and what ports the FortiWiFi unit virus scans for IMAP traffic Command syntax pattern config antivirus service im...

Page 324: ...this command to configure how the FortiWiFi unit handles antivirus scanning of large files in SMTP traffic and what ports the FortiWiFi unit scans for SMTP Command syntax pattern config antivirus serv...

Page 325: ...r SMTP traffic Adding more ports for scanning does not erase the default port 25 Use the unset command to remove all ports from the list config antivirus service smtp set port 465 end This example sho...

Page 326: ...326 01 28006 0014 20041105 Fortinet Inc CLI configuration Antivirus...

Page 327: ...ned words and patterns in the content block list for HTTP traffic Add words and patterns to block web pages containing those words or patterns Web URL Block Web Filter URL Block Enable or disable web...

Page 328: ...r Content block Control web content by blocking specific words or word patterns The FortiWiFi unit blocks web pages containing banned words and displays a replacement message instead You can use Perl...

Page 329: ...egular expression i For example bad language i will block all instances of bad language regardless of case Wildcard patterns are not case sensitive Note Enable Web filtering Web Content Block in your...

Page 330: ...t the pattern type if required 5 Select the language character set 6 Select Enable 7 Select OK URL block You can block access to specific URLs by adding them to the URL block list You can also add pat...

Page 331: ...must be separated by hard returns to upload correctly Figure 165 Sample Web URL block list Web URL block options Web URL block has the following icons and features Configuring the web URL block list N...

Page 332: ...all pages with a URL that ends with badsite com add badsite com to the block list For example adding badsite com blocks access to www badsite com mail badsite com www finance badsite com and so on 5...

Page 333: ...3 Select Create New Figure 168 Adding a new pattern 4 Enter a pattern to add to the web pattern block list 5 Select Enable 6 Select OK URL exempt This section describes URL exempt list URL exempt list...

Page 334: ...L to the URL exempt list 1 Go to Web Filter URL Exempt 2 Select Create New Figure 170 Adding a new exempt URL 3 Enter the URL to add to the URL exempt list 4 Select Enable 5 Select OK Note Enable Web...

Page 335: ...dded to or updated as the Internet evolves Users can also choose to allow block or monitor entire groups of categories to make configuration simpler Blocked pages are replaced with a message indicatin...

Page 336: ...If you have ordered FortiGuard through Fortinet technical support or are using the free 30 day trial you only need to enable the service to start configuring and using FortiGuard Figure 171 Category b...

Page 337: ...230 and FortiGuard categories on page 373 Once you select Apply the FortiGuard license type and expiration date appears on the configuration screen Web Filter Category Block Category block reports You...

Page 338: ...Guide for descriptions of all webfilter catblock keywords Profile Select the profile for which you want to generate a report Report Type Select the time frame for which you want to generate the repor...

Page 339: ...uration for the catblock settings show webfilter catblock If the show command returns you to the prompt the settings are at default Script filter You can configure the FortiWiFi unit to filter certain...

Page 340: ...for script filtering Note Enable Web filtering Web Script Filter in your firewall Protection Profile to activate the script filter settings Javascript Select Javascript to block all Javascript based...

Page 341: ...able or disable checking incoming IP addresses against the configured spam filter IP address list SMTP only Add to and edit IP addresses to the list You can configure the action to take as spam clear...

Page 342: ...ers against the configured spam filter MIME header list Add to and edit MIME headers to the list with the option of using wildcards and regular expressions You can configure the action to take as spam...

Page 343: ...s the IP address list from email captured by spam probes located around the world Spam probes are email addresses purposely configured to attract spam and identify known spam sources to create the ant...

Page 344: ...You can mark each IP address as clear spam or reject You can filter single IP addresses or a range of addresses at the network level by configuring an address and mask Figure 174 Sample IP address lis...

Page 345: ...eral free and subscription servers available that provide reliable access to continually updated RBLs and ORDBLs Check with the service you are using to confirm the correct domain name for connecting...

Page 346: ...to add 4 Select the action to take on email matched by the server 5 Select Enable 6 Select OK Create New Select Create New to add a server to the RBL ORDBL list Total The number of items in the list...

Page 347: ...m a domain such as sample net You can mark each email address as clear or spam Figure 178 Sample email address list Email address options Email address list has the following icons and features Config...

Page 348: ...ontent_Type image jpg The first part of the MIME header is called the header key or just header The second part is called the value Spammers will often insert comments into header values or leave them...

Page 349: ...Filter MIME headers 2 Select Create New Create New Select Create New to add a MIME header to the MIME headers list Total The number of items in the list The Page up Page down and Remove all entries ic...

Page 350: ...52 This section describes Banned word list Banned word options Configuring the banned word list Banned word list You can add one or more banned words to sort email containing those words in the email...

Page 351: ...wildcard or regular expression See Using Perl regular expressions on page 352 Language The character set to which the banned word belongs Simplified Chinese Traditional Chinese French Japanese Korean...

Page 352: ...any single character It is similar to the character in wildcard match pattern As a result fortinet com not only matches fortinet com but also matches fortinetacom fortinetbcom fortinetccom and so on...

Page 353: ...nd of the string a b either of a and b abc abc the string abc at the beginning or at the end of the string ab 2 4 c an a followed by two three or four b s followed by a c ab 2 c an a followed by at le...

Page 354: ...d perl B perl when not followed by a word boundary e g in perlert but not in perl stuff x tells the regular expression parser to ignore white space that is neither backslashed nor within a character c...

Page 355: ...You can configure the FortiWiFi unit to send alert email to up to three recipients when selected events occur It is not necessary for an event to be logged to trigger an alert email The FortiWiFi uni...

Page 356: ...52 device_id APS3012803033139 log_id 0101023002 type event subtype ipsec pri notice loc_ip 172 16 81 2 loc_port 500 rem_ip 172 16 81 1 rem_port 500 out_if dmz vpn_tunnel ToDmz action negotiate init lo...

Page 357: ...l the FortiWiFi unit begins to overwrite the oldest messages All log entries are deleted when the FortiWiFi unit restarts Syslog A remote computer running a syslog server WebTrends A remote computer r...

Page 358: ...e is started Roll log policy The policy to follow for saving the current log and starting a new active log Overwritten deletes the oldest log entry when the disk is full Block traffic stops all networ...

Page 359: ...e logging severity level you select For example if you select Error the unit logs Error Critical Alert and Emergency level messages See Table 38 Logging severity levels on page 358 Facility Facility i...

Page 360: ...email Test Select Test to send a test alert email to the configured recipients Level The FortiWiFi unit sends alert email for all messages at and above the logging severity level you select Emergency...

Page 361: ...t email 7 Select Apply Log filter options For each logging location you enable you can create a customized log filter based on the log types described in the following sections Information The interva...

Page 362: ...ting gateway has been added You can apply the following filters Policy allowed traffic The FortiWiFi unit logs all traffic that is allowed according to the firewall policy settings Policy violation tr...

Page 363: ...nit logs all pattern update events such as antivirus and IPS pattern updates and update failures Virus infected The FortiWiFi unit logs all virus infections Filename blocked The FortiWiFi unit logs al...

Page 364: ...5 Repeat steps 1 through 4 for each interface for which you want to enable logging 6 Make sure you enable traffic logs for a logging location and set the logging severity level to Notification or lowe...

Page 365: ...following table describes the features and icons you can use to navigate and search the logs when viewing logs through the web based manager Type The location of the log messages memory Go to previous...

Page 366: ...ess the log contains information not available in any of the other more specific columns Column settings button Select to choose columns for log display Raw or Formatted Select Raw to switch to an unf...

Page 367: ...Searching log messages There are two ways to search log messages a simple keyword search or an advanced search that enables you to use multiple keywords and specify a time range To perform a simple ke...

Page 368: ...nfig log fortilog setting unset keyword get log fortilog setting show log fortilog setting all of the following The message must contain all of the keywords any of the following The message must conta...

Page 369: ...server You can configure the FortiWiFi unit to send logs to a remote computer running a syslog server psksecret str_psk Enter the pre shared key for the IPSec VPN tunnel to a FortiLog unit You can cr...

Page 370: ...es disable All models facility alert audit auth authpriv clock cron daemon ftp kernel local0 local1 local2 local3 local4 local5 local6 local7 lpr mail news ntp syslog user uucp Enter the facility type...

Page 371: ...lay the configuration for logging to a remote syslog server show log syslogd setting If the show command returns you to the prompt the settings are at default Table 39 Facility types Facility type Des...

Page 372: ...372 01 28006 0014 20041105 Fortinet Inc CLI configuration Log Report...

Page 373: ...ites that provide information about or promote the cultivation preparation or use of marijuana 2 Cult or Occult Sites that provide information about or promote religions not specified in Traditional R...

Page 374: ...y with no pornographic intent 9 Advocacy Groups Sites that promote change or reform in public policy public opinion social practice economic activities and relationships 10 Alcohol and Tobacco Sites t...

Page 375: ...cussion groups message boards and list servers includes blogs and mail magazines Digital post cards Sites for sending viewing digital post cards 22 Pay to Surf Sites that pay users to view Web sites a...

Page 376: ...nformation about or cater to gay lesbian or bisexual lifestyles including those that support online shopping but excluding those that are sexually or issue oriented 33 Health Sites that provide inform...

Page 377: ...s devoted to professional advancement or workers interests Service and Philanthropic Organizations Sites sponsored by or that support or offer information about organizations devoted to doing good as...

Page 378: ...ated business firms including sites supporting the sale of hardware software peripherals and services 53 Military Organizations Military Sites sponsored by branches or agencies of the armed services O...

Page 379: ...2 32 32 32 32 32 system interface ip6 prefix list 32 32 32 32 32 32 32 32 32 32 32 32 32 system ipv6_tunnel 4 4 4 4 4 4 4 4 4 4 4 4 4 system accprofile 8 8 8 16 16 16 16 16 64 64 64 64 64 system admin...

Page 380: ...500 500 500 500 500 500 firewall service group member 300 300 300 300 300 300 300 300 300 300 300 300 300 firewall schedule onetime 256 500 256 256 256 256 256 256 256 256 256 256 256 firewall schedu...

Page 381: ...tem memory and performance considerations ips anomaly limit 100 100 100 100 100 100 100 100 100 100 100 100 100 ips custom 32 32 32 32 32 32 32 32 32 32 32 32 32 log trafficfilter rule 50 50 50 50 50...

Page 382: ...100 100 100 100 router ospf network 100 100 100 100 100 100 100 100 100 100 100 100 100 router ospf neighbor 10 10 10 10 10 10 10 10 10 10 10 10 10 router ospf passive interface 100 100 100 100 100 10...

Page 383: ...es are formatted and transmitted and what actions Web servers and browsers should take in response to various commands HTTPS The SSL protocol for transmitting private documents over the Internet using...

Page 384: ...o the specified address and waiting for a reply POP3 Post Office Protocol A protocol used to transfer e mail from a mail server to a mail client across the Internet Most e mail clients use POP PPP Poi...

Page 385: ...networks TCP guarantees delivery of data and also guarantees that packets will be delivered in the same order in which they were sent UDP User Datagram Protocol A connectionless protocol that like TCP...

Page 386: ...386 01 28006 0014 20041105 Fortinet Inc Glossary...

Page 387: ...ive 259 B back up configuration 122 backup mode modem 59 61 bandwidth guaranteed 201 202 maximum 201 202 banned word spam 350 beacon interval wireless setting 74 bindtoif 282 browsing the Internet thr...

Page 388: ...280 dpd retryinterval 280 dst 193 263 dst2 263 Dynamic DNS 253 on network interface 48 dynamic DNS monitor 263 264 Dynamic DNS VPN 285 dynamic IP pool IP pool 205 240 241 243 245 dynamic port forwardi...

Page 389: ...orities 96 override master 93 password 93 priorities of heartbeat device 94 schedule 94 status 101 unit priority 93 view the status of each cluster member 101 HA cluster configuring 96 HA monitor acti...

Page 390: ...reless setting 74 MAC filter configure the wireless MAC filter 77 wireless 77 manage cluster units HA 103 Managing digital certificates 274 Manual Key 259 Manual key IPSec VPN 286 Manual key list 260...

Page 391: ...abling authentication 245 guaranteed bandwidth 201 202 IPSec VPN 286 matching 196 maximum bandwidth 201 202 policy routing 151 poll interval 184 POP3 211 384 port 370 port forward dynamic 220 port for...

Page 392: ...custom UDP 212 213 group 215 predefined 209 service name 209 user defined TCP 212 213 user defined UDP 212 213 set time 88 shortcut 175 Signature list 299 Signatures 298 SMTP 211 definition 384 smtp...

Page 393: ...roperties 138 virtual IP 220 dynamic port forwarding 224 port forwarding 220 static NAT 220 virus detected HA monitor 102 virus protection worm protection 14 VLAN overview 63 VLAN subinterface bringin...

Page 394: ...the wireless MAC filter 77 configure wireless settings 76 fragmentation threshold 74 geography 74 key 74 MAC address 74 MAC filter 77 operation mode 74 pre shared key 74 radius server name 74 RTS thre...

Search results

Summary of Contents for Fortiwifi fortiwifi-60

Reviews:

Brands by name

Popular brands

Fortinet Fortiwifi fortiwifi-60, Administration Manual

Search results

Summary of Contents for Fortiwifi fortiwifi-60

Reviews:

Brands by name

Popular brands