manualshive.com logo in svg

Fortinet FortiGate-60 series, Руководство администратора

Поделиться
Скачать
Fortinet FortiGate-60 series Скачать руководство пользователя страница 64

64

01-28006-0002-20041105

Fortinet Inc.

VLANs in NAT/Route mode

System network

Figure 16: Basic VLAN topology

FortiGate units and VLANs

In a typical VLAN configuration, 802.1Q-compliant VLAN layer-2 switches or layer-3 
routers or firewalls add VLAN tags to packets. Packets passing between devices in 
the same VLAN can be handled by layer 2 switches. Packets passing between 
devices in different VLANs must be handled by a layer 3 device such as router, 
firewall, or layer 3 switch.

Using VLANs, a single FortiGate unit can provide security services and control 
connections between multiple security domains. Traffic from each security domain is 
given a different VLAN ID. The FortiGate unit can recognize VLAN IDs and apply 
security policies to secure network and IPSec VPN traffic between security domains. 
The FortiGate unit can also apply authentication, protection profiles, and other firewall 
policy features for network and VPN traffic that is allowed to pass between security 
domains.

VLANs in NAT/Route mode

Operating in NAT/Route mode, the FortiGate unit functions as a layer 3 device to 
control the flow of packets between VLANs. The FortiGate unit can also remove VLAN 
tags from incoming VLAN packets and forward untagged packets to other networks, 
such as the Internet.

 VLAN Switch or router

Internet

VLAN 1

VLAN 2

VLAN 1 network

VLAN 2 network

VLAN trunk

POWER

VLAN 1
VLAN 2

Firewall or 

Router

Esc

Enter

Untagged

packets

Содержание FortiGate-60 series

Страница 1: ...Administration Guide INTERNAL DMZ 4 3 2 1 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 WAN1 WAN2 PWR STATUS FortiGate 60 Administration Guide Version 2 80 MR6 5 November 2004 01 28006 0002 20041105 ...

Страница 2: ...tion Guide Version 2 80 MR6 5 November 2004 01 28006 0002 20041105 Trademarks Products mentioned in this document are trademarks or registered trademarks of their respective holders Regulatory Compliance FCC Class A Part 15 CSA CUS CAUTION RISK OF EXPLOSION IF BATTERY IS REPLACED BY AN INCORRECT TYPE DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS For technical support please visit http ww...

Страница 3: ...n 22 Related documentation 22 FortiManager documentation 23 FortiClient documentation 23 FortiMail documentation 23 FortiLog documentation 23 Customer service and technical support 24 System status 25 Console access 25 Status 26 Viewing system status 26 Changing unit information 29 Session list 31 Changing the FortiGate firmware 32 Upgrading to a new firmware version 32 Reverting to a previous fir...

Страница 4: ...ts and VLANs 64 VLANs in NAT Route mode 64 Rules for VLAN IDs 65 Rules for VLAN IP addresses 65 Adding VLAN subinterfaces 66 VLANs in Transparent mode 67 Rules for VLAN IDs 69 Transparent mode virtual domains and VLANs 69 Transparent mode VLAN list 70 Transparent mode VLAN settings 70 FortiGate IPv6 support 72 System DHCP 73 Service 73 DHCP service settings 74 Server 75 DHCP server settings 76 Exc...

Страница 5: ...oring 116 Update center 118 Updating antivirus and attack definitions 120 Enabling push updates 123 Support 125 Sending a bug report 126 Registering a FortiGate unit 127 Shutdown 129 System virtual domain 131 Virtual domain properties 132 Exclusive virtual domain properties 132 Shared configuration settings 133 Administration and management 134 Virtual domains 134 Adding a virtual domain 135 Selec...

Страница 6: ...st options 152 Offset list 153 Offset list options 153 Router objects 154 Access list 154 New access list 154 New access list entry 155 Prefix list 155 New Prefix list 156 New prefix list entry 157 Route map list 157 New Route map 158 Route map list entry 159 Key chain list 160 New key chain 160 Key chain list entry 161 Monitor 162 Routing monitor list 162 CLI configuration 163 get router info osp...

Страница 7: ...d service list 203 Custom service list 206 Custom service options 206 Configuring custom services 207 Service group list 209 Service group options 209 Configuring service groups 210 Schedule 210 One time schedule list 211 One time schedule options 211 Configuring one time schedules 211 Recurring schedule list 212 Recurring schedule options 213 Configuring recurring schedules 213 Virtual IP 214 Vir...

Страница 8: ...er list 235 RADIUS server options 236 LDAP 237 LDAP server list 237 LDAP server options 237 User group 239 User group list 239 User group options 240 CLI configuration 241 peer 241 peergrp 242 VPN 245 Phase 1 246 Phase 1 list 246 Phase 1 basic settings 247 Phase 1 advanced options 248 Configuring XAuth 249 Phase 2 250 Phase 2 list 250 Phase 2 basic settings 251 Phase 2 advanced options 252 Manual ...

Страница 9: ...g VPN access for specific certificate holders 272 CLI configuration 273 ipsec phase1 273 ipsec phase2 275 ipsec vip 276 Authenticating peers with preshared keys 278 Gateway to gateway VPN 278 Dialup VPN 279 Dynamic DNS VPN 279 Manual key IPSec VPN 280 Adding firewall policies for IPSec VPN tunnels 280 Setting the encryption policy direction 280 Setting the source address for encrypted traffic 280 ...

Страница 10: ...tine 306 Quarantined files list 306 Quarantined files list options 307 AutoSubmit list 308 AutoSubmit list options 308 Configuring the AutoSubmit list 308 Config 309 Config 310 Virus list 310 Config 310 Grayware 311 Grayware options 311 CLI configuration 312 heuristic 312 quarantine 313 service http 314 service ftp 315 service pop3 316 service imap 317 service smtp 318 Web filter 321 Content block...

Страница 11: ...eports 331 Category block reports options 332 Generating a category block report 332 Category block CLI configuration 332 Script filter 333 Web script filter options 334 Spam filter 335 IP address 338 IP address list 338 IP address options 338 Configuring the IP address list 339 RBL ORDBL 339 RBL ORDBL list 340 RBL ORDBL options 340 Configuring the RBL ORDBL list 340 Email address 341 Email addres...

Страница 12: ...t E mail options 354 Log filter options 355 Configuring log filters 358 Enabling traffic logging 358 Log access 360 Viewing log messages 360 Searching log messages 362 CLI configuration 363 fortilog setting 363 syslogd setting 364 FortiGuard categories 367 FortiGate maximum values 373 Glossary 377 Index 381 ...

Страница 13: ...ervice and technical support About FortiGate Antivirus Firewalls The FortiGate Antivirus Firewall is a dedicated easily managed security device that delivers a full suite of capabilities that include application level services such as virus protection and content filtering network level services such as firewall intrusion detection VPN and traffic shaping The FortiGate Antivirus Firewall uses Fort...

Страница 14: ...e user s consent or knowledge Grayware programs are generally considered an annoyance but these programs can cause system performance problems or be used for malicious means If the FortiGate unit contains a hard disk infected or blocked files and grayware files can be quarantined The FortiGate administrator can download quarantined files so that they can be virus scanned cleaned and forwarded to t...

Страница 15: ... IP address email address mime headers and content Mail messages can be identified as spam or clear You can also add the names of known Real time Blackhole List RBL and Open Relay Database List ORDBL servers These services contain lists of known spam sources If an email message is found to be spam the FortiGate adds an email tag to the subject line of the email The recipient can use the mail clien...

Страница 16: ...ach of its interfaces is associated with a different IP subnet and that it appears to other devices as a router This is how a firewall is normally deployed In NAT Route mode you can create NAT mode policies and Route mode policies NAT mode policies use network address translation to hide the addresses in a more secure network from users in a less secure network Route mode policies accept or deny c...

Страница 17: ...e firewall and routing services to multiple networks so that traffic from each network is effectively separated from every other network You can develop and manage interfaces VLAN subinterfaces zones firewall policies routing and VPN configuration for each virtual domain separately For these configuration settings each virtual domain is functionally similar to a single FortiGate unit This separati...

Страница 18: ...can connect to an IPSec VPN tunnel VPN hub and spoke using a VPN concentrator to allow VPN traffic to pass from one tunnel to another through the FortiGate unit IPSec Redundancy to create a redundant AutoIKE key IPSec VPN connection to a remote network High availability Fortinet achieves high availability HA using redundant hardware and the FortiGate Clustering Protocol FGCP Each FortiGate unit in...

Страница 19: ...d manage the FortiGate unit The web based manager supports multiple languages You can configure the FortiGate unit for HTTP and HTTPS administration from any FortiGate interface You can use the web based manager to configure most FortiGate settings You can also use the web based manager to monitor the status of the FortiGate unit Configuration changes made using the web based manager are effective...

Страница 20: ...age blocking report attacks detected by the IPS send alert email to system administrators to report virus incidents intrusions and firewall or VPN events or violations Logs can be sent to a remote syslog server or a WebTrends NetIQ Security Reporting Center and Firewall Suite server using the WebTrends enhanced log format Some models can also save logs to an optional internal hard drive If a hard ...

Страница 21: ...cal bar and curly brackets to separate alternative mutually exclusive required keywords For example set opmode nat transparent You can enter set opmode nat or set opmode transparent Square brackets to indicate that a keyword or variable is optional For example show system interface name_str To show the settings for all interfaces you can enter show system interface To show the settings for the int...

Страница 22: ...iltering and spam filtering and how to configure a VPN FortiGate online help Provides a context sensitive and searchable version of the Administration Guide in HTML format You can access online help from the web based manager as you work FortiGate CLI Reference Guide Describes how to use the FortiGate CLI and contains a reference to all FortiGate CLI commands FortiGate Log Message Reference Guide ...

Страница 23: ...ortiClient software FortiMail documentation FortiMail Administration Guide Describes how to install configure and manage a FortiMail unit in gateway mode and server mode including how to configure the unit create profiles and policies configure antispam and antivirus filters create user accounts and set up logging and reporting FortiMail online help Provides a searchable version of the Administrat...

Страница 24: ...your region For information about our priority support hotline live support see http support fortinet com When requesting technical support please provide the following information your name your company s name and location your email address your telephone number your support contract number if applicable the product name and model number the product serial number if applicable the software or fi...

Страница 25: ...on log This chapter includes Console access Status Session list Changing the FortiGate firmware Console access An alternative to the web based manager discussed in this manual is text based Console Access using the FortiGate command line interface CLI You can get console access by selecting Console Access button in the upper right corner of the web based manager The management computer must have J...

Страница 26: ...es on page 111 Viewing system status Changing unit information Viewing system status Figure 2 System status System status Connect Select Connect to connect to the CLI Disconnect Select Disconnect to disconnect from the CLI Clear screen Select Clear screen to start a new page Automatic Refresh Interval Select to control how often the web based manager updates the system status display Go Select to ...

Страница 27: ...n of the FortiGate Antivirus Definitions Attack Definitions The current installed version of the FortiGate Attack Definitions used by the Intrusion Prevention System IPS Serial Number The serial number of the current FortiGate unit The serial number is specific to the FortiGate unit and does not change with firmware upgrades Operation Mode The operation mode of the current FortiGate unit Time The ...

Страница 28: ...maximum network bandwidth that can be processed by the FortiGate unit History Select History to view a graphical representation of the last minute of CPU memory sessions and network usage This page also shows the virus and intrusion detections over the last 20 hours CPU Usage History CPU usage for the previous minute Memory Usage History Memory usage for the previous minute Session History Session...

Страница 29: ...P System Name To update the firmware version For information on updating the firmware see Changing the FortiGate firmware on page 32 To update the antivirus definitions manually 1 Download the latest antivirus definitions update file from Fortinet and copy it to the computer that you use to connect to the web based manager 2 Start the web based manager and go to System Status Status 3 In the Antiv...

Страница 30: ...settings see HA on page 84 To change to Transparent mode 1 Go to System Status Status 2 In the Operation Mode field of the Unit Information section select Change 3 In the Operation Mode field select Transparent 4 Select OK The FortiGate unit changes operation mode 5 To reconnect to the web based manager connect to the interface configured for Transparent mode management access and browse to https ...

Страница 31: ...om IP Set source IP address for list filtering From Port Set source port for list filtering To IP Set destination IP address for list filtering To Port Set destination port for list filtering Apply Filter Select to filter session list Virtual Domain Select a virtual domain to list the sessions being processed by that virtual domain Select All to view sessions being processed by all virtual domains...

Страница 32: ...r to a more recent build of the same firmware version Reverting to a previous firmware version Use the web based manager or CLI procedure to revert to a previous firmware version This procedure reverts the FortiGate unit to its factory default configuration Installing firmware images from a system reboot using the CLI Use this procedure to install a new firmware version or revert to a previous fir...

Страница 33: ... the CLI 1 Make sure that the TFTP server is running 2 Copy the new firmware image file to the root directory of the TFTP server 3 Log into the CLI 4 Make sure the FortiGate unit can connect to the TFTP server You can use the following command to ping the computer running the TFTP server For example if the IP address of the TFTP server is 192 168 1 168 execute ping 192 168 1 168 5 Enter the follow...

Страница 34: ... Reverting to a previous firmware version Use the following procedures to revert your FortiGate unit to a previous firmware version Reverting to a previous firmware version using the web based manager The following procedures revert the FortiGate unit to its factory default configuration and deletes IPS custom signatures web content lists email filtering lists and changes to replacement messages B...

Страница 35: ...n page 115 10 Update antivirus and attack definitions For information about antivirus and attack definitions see To update antivirus and attack definitions on page 121 Reverting to a previous firmware version using the CLI This procedure reverts the FortiGate unit to its factory default configuration and deletes IPS custom signatures web content lists email filtering lists and changes to replaceme...

Страница 36: ...image FGT_300 v280 build158 FORTINET out 192 168 1 168 The FortiGate unit responds with the message This operation will replace the current firmware version Do you want to continue y n 6 Type y The FortiGate unit uploads the firmware image file After the file uploads a message similar to the following is displayed Get image from tftp server OK Check image OK This operation will downgrade the curre...

Страница 37: ...ee Backing up and Restoring on page 116 Back up the IPS custom signatures For information see Backing up and restoring custom signature files on page 297 Back up web content and email filtering lists For information see Web filter on page 321 and Spam filter on page 335 If you are reverting to a previous FortiOS version for example reverting from FortiOS v2 80 to FortiOS v2 50 you might not be abl...

Страница 38: ...o Download Boot Image FortiGate unit running v3 x BIOS Press any key to display configuration menu Immediately press any key to interrupt the system startup If you successfully interrupt the startup process one of the following messages appears FortiGate unit running v2 x BIOS Enter TFTP Server Address 192 168 1 168 Go to step 9 FortiGate unit running v3 x BIOS G Get firmware image from TFTP serve...

Страница 39: ...ge and restarts The installation might take a few minutes to complete Restoring the previous configuration Change the internal interface address if required You can do this from the CLI using the command config system interface edit internal set ip address_ipv4mask set allowaccess ping https ssh telnet http end After changing the interface address you can access the FortiGate unit from the web bas...

Страница 40: ... internal interface To test a new firmware image 1 Connect to the CLI using a null modem cable and FortiGate console port 2 Make sure the TFTP server is running 3 Copy the new firmware image file to the root directory of the TFTP server 4 Make sure that the internal interface is connected to the same network as the TFTP server You can use the following command to ping the computer running the TFTP...

Страница 41: ...the FTP server The IP address must be on the same network as the TFTP server but make sure you do not use the IP address of another device on this network The following message appears Enter File Name image out 11 Enter the firmware image file name and press Enter The TFTP server uploads the firmware image file to the FortiGate unit and messages similar to the following appear FortiGate unit runni...

Страница 42: ...42 01 28006 0002 20041105 Fortinet Inc Changing the FortiGate firmware System status ...

Страница 43: ...network configuration Interface Zone Management DNS Routing table Transparent Mode Configuring the modem interface VLAN overview VLANs in NAT Route mode VLANs in Transparent mode FortiGate IPv6 support Interface In NAT Route mode go to System Network Interface to configure FortiGate interfaces and to add and configure VLAN subinterfaces For information about VLANs in NAT Route mode see VLANs in NA...

Страница 44: ...8 The modem interface is available if a modem is connected to the USB port see Configuring the modem interface on page 59 If you have added VLAN subinterfaces they also appear in the name list below the physical interface that they have been added to See VLAN overview on page 63 IP The current IP address of the interface Netmask The netmask of the interface Access The administrative access configu...

Страница 45: ...ce To change the MTU size of the packets leaving an interface To configure traffic logging for connections to an interface Name The name of the Interface Interface Select the name of the physical interface to add the VLAN subinterface to All VLAN subinterfaces must be associated with a physical interface Once created the VLAN is listed below its physical interface in the Interface list VLAN ID Ent...

Страница 46: ...dministrative distance for the default gateway retrieved from the DHCP server The administrative distance an integer from 1 255 specifies the relative priority of a route when there are multiple routes to the same destination A lower administrative distance indicates a more preferred route The default distance for the default gateway is 1 Retrieve default gateway from server Enable Retrieve defaul...

Страница 47: ...E session if it is idle for this number of seconds PADT must be supported by your ISP Set initial PADT timeout to 0 to disable Distance Enter the administrative distance for the default gateway retrieved from the PPPoE server The administrative distance an integer from 1 255 specifies the relative priority of a route when there are multiple routes to the same destination A lower administrative dis...

Страница 48: ...n connect You can select the following administrative access options connected The interface retrieves an IP address netmask and other settings from the PPPoE server failed The interface was unable to retrieve an IP address and other information from the PPPoE server Server Select a DDNS server to use The client software for these services is built into the FortiGate firmware The FortiGate unit ca...

Страница 49: ...u must also enable traffic log for a logging location and set the logging severity level to Notification or lower Go to Log Report Log Config to configure logging locations and types For information about logging see Log Report on page 349 Configuring interfaces Use the following procedures to configure FortiGate interfaces and VLAN subinterfaces You cannot use the following procedures for the mod...

Страница 50: ... for the interface and then add the interface to the zone 1 Go to System Network Zone 2 Choose the zone to add the interface or VLAN subinterface to and select Edit 3 Select the names of the interfaces or VLAN subinterfaces to add to the zone 4 Select OK to save the changes To add an interface to a virtual domain If you have added virtual domains to the FortiGate unit you can use this procedure to...

Страница 51: ...tiGate unit attempts to contact the DHCP server from the interface to set the IP address netmask and optionally the default gateway IP address and DNS server IP addresses 7 Select Status to refresh the addressing mode status message 8 Select OK To configure an interface for PPPoE Use this procedure to configure any FortiGate interface to use PPPoE See PPPoE on page 47 for information on PPPoE sett...

Страница 52: ...nterface edit intf_str config secondaryip edit 0 set ip second_ip netmask_ip Optionally you can also configure management access and add a ping server to the secondary IP address set allowaccess ping https ssh snmp http telnet set gwdetect enable Save the changes end To add a ping server to an interface 1 Go to System Network Interface 2 Choose an interface and select Edit 3 Set Ping Server to the...

Страница 53: ...ge 56 1 Go to System Network Interface 2 Choose an interface and select Edit 3 Select the Administrative Access methods for the interface 4 Select OK to save the changes To change the MTU size of the packets leaving an interface 1 Go to System Network Interface 2 Choose an interface and select Edit 3 Select Override default MTU value 1500 4 Set the MTU size To configure traffic logging for connect...

Страница 54: ...al domain to which you want to add the zone 2 Go to System Network Zone 3 Select Create New 4 In the New Zone dialog box type a name for the zone Create New Select Create New to create a zone Name The names of the zones that you have added Block intra zone traffic Displays Yes if traffic between interfaces in the same zone is blocked and No if traffic between interfaces in the same zone is not blo...

Страница 55: ...ual domain go to System Virtual Domain Current Virtual Domain and select the virtual domain in which to edit the zone 2 Go to System Network Zone 3 Select Edit to modify a zone 4 Select or deselect Block intra zone traffic 5 Select the names of the interfaces or VLAN subinterfaces to add to the zone 6 Clear the check box for the names of the interfaces or VLAN subinterfaces to remove from the zone...

Страница 56: ... value of 5 minutes see To set the system idle timeout on page 83 Figure 10 Management To configure the management interface 1 Go to System Network Management 2 Enter the Management IP Netmask 3 Enter the Default Gateway 4 Select the Management Virtual Domain 5 Select Apply The FortiGate unit displays the following message Management IP address was changed Click here to redirect 6 Click on the mes...

Страница 57: ...ed or that the FortiGate unit obtained automatically Figure 11 DNS To add DNS server IP addresses 1 Go to System Network DNS 2 Change the primary and secondary DNS server IP addresses as required 3 Select Apply to save the changes Routing table Transparent Mode In Transparent mode you can configure routing to add static routes from the FortiGate unit to local routers Routing table list Figure 12 R...

Страница 58: ...ute number IP The destination IP address for this route Mask The netmask for this route Gateway The IP address of the next hop router to which this route directs traffic Distance The the relative preferability of this route 1 is most preferred Delete icon Select to remove a route View edit icon Select to view or edit a route Move To icon Select to change the order of a route in the list Destinatio...

Страница 59: ... to an ISP Connecting a modem to the FortiGate unit Configuring modem settings Connecting and disconnecting the modem Backup mode configuration Standalone mode configuration Adding firewall policies for modem connections Figure 14 Example modem interface network connection Connecting a modem to the FortiGate unit The FortiGate unit can operate with most standard external serial interface modems th...

Страница 60: ... redial limit is 1 Select None to allow the modem to never stop redialing Holddown Timer For backup configurations The time 1 60 seconds that the FortiGate unit waits before switching from the modem interface to the primary interface after the primary interface has been restored The default is 1 second Configure a higher value if you find the FortiGate unit switching repeatedly between the primary...

Страница 61: ...n until the modem connects to an ISP To disconnect the modem Use the following procedure to disconnect the modem from a dialup account 1 Go to System Network Modem 2 Select Hang Up if you want to disconnect from the dialup account To disconnect the modem 1 Go to System Network Modem Modem status is one of the following A green check mark indicates the active dialup account The IP address and netma...

Страница 62: ...figuration In standalone mode you manually connect the modem to a dialup account The modem interface operates as the primary connection to the Internet The FortiGate unit routes traffic through the modem interface which remains permanently connected to the dialup account If the connection to the dialup account fails the FortiGate unit redials the modem The modem redials the number of times specifi...

Страница 63: ...nterfaces on the FortiGate unit For information about adding firewall policies see To add a firewall policy on page 196 VLAN overview A VLAN is group of PCs servers and other network devices that communicate as if they were on the same LAN segment even though they may not be For example the workstations and servers for an accounting department could be scattered throughout an office connected to n...

Страница 64: ...from each security domain is given a different VLAN ID The FortiGate unit can recognize VLAN IDs and apply security policies to secure network and IPSec VPN traffic between security domains The FortiGate unit can also apply authentication protection profiles and other firewall policy features for network and VPN traffic that is allowed to pass between security domains VLANs in NAT Route mode Opera...

Страница 65: ...nt physical interfaces There is no internal connection or link between two VLAN subinterfaces with same VLAN ID Their relationship is the same as the relationship between any two FortiGate network interfaces Rules for VLAN IP addresses IP addresses of all FortiGate interfaces cannot overlap That is the IP addresses of all interfaces must be on different subnets This rule applies to both physical i...

Страница 66: ...ches the VLAN ID of the packets to be received by this VLAN subinterface 6 Select the virtual domain to which to add this VLAN subinterface See System virtual domain on page 131 for information about virtual domains 7 Select the name of a zone if you want this VLAN subinterface to belong to a zone You can only select a zone that has been added to the virtual domain selected in the previous step Se...

Страница 67: ...etween the FortiGate Internal and external interface you would add a VLAN subinterface to the internal interface and another VLAN subinterface to the external interface If these VLAN subinterfaces have the same VLAN IDs the FortiGate unit applies firewall policies to the traffic on this VLAN If these VLAN subinterfaces have different VLAN IDs or if you add more than two VLAN subinterfaces you can ...

Страница 68: ...gured with three VLAN subinterfaces In this configuration the FortiGate unit could be added to this network to provide virus scanning web content filtering and other services to each VLAN VLAN1 VLAN1 VLAN2 VLAN2 VLAN3 VLAN3 root virtual domain New virtual domain Internal External VLAN1 VLAN3 VLAN2 VLAN Switch or router VLAN Switch or router VLAN trunk VLAN1 VLAN2 VLAN3 VLAN trunk FortiGate unit VL...

Страница 69: ...work interfaces Transparent mode virtual domains and VLANs VLAN subinterfaces are added to and associated with virtual domains By default the FortiGate configuration includes one virtual domain named root and you can add as many VLAN subinterfaces as you require to this virtual domain You can add more virtual domains if you want to separate groups of VLAN subinterfaces into virtual domains For inf...

Страница 70: ...l Domain Select a virtual domain to display the VLAN interfaces added to this virtual domain Name The name of the interface or VLAN subinterface Access The administrative access configuration for the interface See To control administrative access to an interface on page 52 for information about administrative access options Status The administrative status for the interface If the administrative s...

Страница 71: ... or disable using a Dynamic DNS service DDNS If the FortiGate unit uses a dynamic IP address you can arrange with a DDNS service provider to use a domain name to provide redirection of traffic to your network whenever the IP address changes 8 Configure the administrative access MTU and log settings as you would for any FortiGate interface See Interface settings on page 44 for more descriptions of ...

Страница 72: ...g periodic router advertisements and tunneling of IPv6 addressed traffic over an IPv4 addressed network All of these features must be configured through the Command Line Interface CLI See the FortiGate CLI Reference Guide for information on the following commands Table 2 IPv6 CLI commands Feature CLI Command Interface configuration including periodic router advertisements config system interface S...

Страница 73: ...ce cannot provide both functions at the same time This section describes Service Server Exclude range IP MAC binding Dynamic IP Service Go to System DHCP Service to configure the DHCP service provided by each FortiGate interface You can configure each interface to be a DHCP relay or a DHCP server or you can turn off DHCP services Figure 22 DHCP service list Note To configure DHCP server or DHCP re...

Страница 74: ... 3 Select DHCP Relay Agent Interface List of FortiGate interfaces Service The DHCP service provided by the interface none DHCP Relay or DHCP Server Edit View icon Select to view or modify the DHCP service configuration for an interface Interface The name of the interface None No DHCP services provided by the interface DHCP Relay Agent Select to configure the interface to be a DHCP relay agent Type...

Страница 75: ...onfiguration for this interface See To configure a DHCP server for an interface on page 76 Server You can configure one or more DHCP servers for any FortiGate interface As a DHCP server the interface dynamically assigns IP addresses to hosts on a network connected to the interface You can add more than one DHCP server to a single interface to be able to provide DHCP services to multiple networks F...

Страница 76: ...nding IP for the range of IP addresses that this DHCP server assigns to DHCP clients Network Mask Enter the netmask that the DHCP server assigns to DHCP clients Lease Time Select Unlimited for an unlimited lease time or enter the interval in days hours and minutes after which a DHCP client must ask the DHCP server for new settings The lease time can range from 5 minutes to 100 days DNS Server Ente...

Страница 77: ...ected subnets sends a DHCP request it is relayed to the FortiGate interface by the router using DHCP relay The FortiGate unit selects the DHCP server configuration with an IP range that matches the subnet address from which the DHCP request was received and uses this DHCP server to assign an IP configuration to the computer that made the DHCP request The DHCP configuration packets are sent back to...

Страница 78: ... the device When you add the MAC address and an IP address to the IP MAC binding list the DHCP server always assigns this IP address to the MAC address IP MAC binding pairs apply to all FortiGate DHCP servers Figure 28 IP MAC binding list Starting IP Enter the starting IP of an exclude range Ending IP Enter the ending IP of an exclude range Create New Select Create New to add a DHCP IP MAC binding...

Страница 79: ...resses and the expiry time and date for these addresses To view the dynamic IP list 1 Go to System DHCP Dynamic IP 2 Select the interface for which you want to view the list Name Enter a name for the IP MAC address pair IP Address Enter the IP address for the IP and MAC address pair The IP address must be within the configured IP range MAC Address Enter the MAC address of the device Interface Sele...

Страница 80: ...80 01 28006 0002 20041105 Fortinet Inc Dynamic IP System DHCP ...

Страница 81: ...set the FortiGate system time For effective scheduling and logging the FortiGate system time must be accurate You can either manually set the FortiGate system time or you can configure the FortiGate unit to automatically keep its system time correct by synchronizing with a Network Time Protocol NTP server Figure 30 System time System Time The current FortiGate system date and time Refresh Select R...

Страница 82: ...tions Timeout settings including the idle timeout and authentication timeout The language displayed by the web based manager Dead gateway detection interval and failover detection Automatically adjust clock for daylight saving changes Select the Automatically adjust clock for daylight saving changes check box if you want the FortiGate system clock to be adjusted automatically when your time zone c...

Страница 83: ...es 8 hours To improve security keep the idle timeout at the default value of 5 minutes Auth Timeout Set the firewall user authentication timeout to control how long an authenticated connection can be idle before the user must authenticate again The maximum authtimeout is 480 minutes 8 hours The default Auth Timeout is 15 minutes For more information see Setting authentication timeout on page 234 L...

Страница 84: ...tion synchronize the cluster routing table and report individual cluster member status The units in the cluster are constantly communicating HA status information to make sure that the cluster is operating properly This communication is called the HA heartbeat FortiGate HA supports link failover device failover and HA heartbeat failover FortiGate units can be configured to operate in active passiv...

Страница 85: ...o distribute virus scanning to all the FortiGate units in the HA cluster By default the FortiGate unit load balances virus scanning among all of the FortiGate units in the cluster Using the CLI you can configure the FortiGate unit to load balance all network traffic among the FortiGate units in the cluster See the FortiGate CLI Reference Guide for more information HA configuration Configuring an H...

Страница 86: ...he same virtual MAC address This virtual MAC address is set according to the group ID Table 3 lists the virtual MAC address set for each group ID If you have more than one HA cluster on the same network each cluster should have a different group ID If two clusters on the same network have the same group ID the duplicate MAC addresses cause addressing conflicts on the network Active Active Load bal...

Страница 87: ...tiates a different cluster unit becomes the primary cluster unit Override Master Configure a cluster unit to always override the current primary cluster unit and become the primary cluster unit Enable override master for the cluster unit that you have given the highest unit priority Enabling Override Master means that this cluster unit always becomes the primary cluster unit In a typical FortiGate...

Страница 88: ...es are connected to load balancing switches Hub Load balancing if the cluster interfaces are connected to a hub Traffic is distributed to cluster units based on the Source IP and Destination IP of the packet Least Connection Least connection load balancing If the cluster units are connected using switches select Least Connection to distribute network traffic to the cluster unit currently processin...

Страница 89: ...em to be able to process heartbeat packets In HA mode the cluster assigns virtual IP addresses to the heartbeat device interfaces The primary cluster unit heartbeat device interface is assigned the IP address 10 0 0 1 and the subordinate unit is assigned the IP address 10 0 0 2 A third cluster unit would be assigned the IP address 10 0 0 3 and so on For best results isolate each heartbeat device o...

Страница 90: ... cluster becomes the new primary unit to provide better service to the high priority network If a low priority interface fails on one cluster unit and a high priority interface fails on another cluster unit a unit in the cluster with a working connection to the high priority interface would if it becomes necessary to negotiate a new primary unit be selected instead of a unit with a working connect...

Страница 91: ...ter When you select apply you may temporarily lose connectivity with the FortiGate unit as the HA cluster negotiates 13 If you are configuring a NAT Route mode cluster power off the FortiGate unit and then repeat this procedure for all the FortiGate units in the cluster Once all of the units are configured continue with To connect a FortiGate HA cluster on page 92 14 If you are configuring a Trans...

Страница 92: ...re that the cluster is operating properly This cluster communication is also called the cluster heartbeat Inserting an HA cluster into your network temporarily interrupts communications on the network because new physical connections are being made to route traffic through the cluster Also starting the cluster interrupts network traffic until the individual FortiGate units in the cluster are funct...

Страница 93: ...nfiguration as the other units in the cluster 2 If the cluster is running in Transparent mode change the operating mode of the new FortiGate unit to Transparent mode 3 Connect the new FortiGate unit to the cluster 4 Power on the new FortiGate unit When the unit starts it negotiates to join the cluster After it joins the cluster the cluster synchronizes the new unit configuration with the configura...

Страница 94: ...ate unit priority 1 weight 3 The next three connections are processed by the second subordinate unit priority 2 weight 3 The subordinate units process more connections than the primary unit and both subordinate units on average process the same number of connections Managing an HA cluster The configurations of all of the FortiGate units in the cluster are synchronized so that the FortiGate units c...

Страница 95: ...logs for individual cluster units To monitor cluster units for failover To manage individual cluster units To view the status of each cluster member 1 Connect to the cluster and log into the web based manager 2 Go to System Config HA 3 Select Cluster Members A list of cluster members appears The list includes the cluster ID of each cluster member as well as status information for each cluster memb...

Страница 96: ...Cluster Members list The host name and serial number of the primary cluster unit changes The new primary unit logs the following messages to the event log HA slave became master Detected HA member dead Up Time The time in days hours minutes and seconds since the cluster unit was last started Monitor Displays system status information for each cluster unit CPU Usage The current CPU status of each c...

Страница 97: ...cluster Each cluster unit is numbered starting at 1 The information displayed for each cluster unit includes the unit serial number and the host name of the unit 3 Complete the command with the number of the subordinate unit to log into For example to log into subordinate unit 1 enter the following command execute ha manage 1 Press Enter to connect to and log into the CLI of the selected subordina...

Страница 98: ... system location description can be up to 35 characters long Contact Enter the contact information for the person responsible for this FortiGate unit The contact information can be up to 35 characters long Apply Save changes made to the description location and contact information Create New Select Create New to add a new SNMP community Communities The list of SNMP communities added to the FortiGa...

Страница 99: ...he FortiGate unit to view system information and receive SNMP traps You can add up to three SNMP communities Each community can have a different configuration for SNMP queries and traps Each community can be configured to monitor the FortiGate unit for a different set of events You can also add the IP addresses of up to 8 SNMP managers to each community Figure 36 SNMP community options part 1 Figu...

Страница 100: ...fy the SNMP managers that can use the settings in this SNMP community to monitor the FortiGate unit IP Address The IP address of an SNMP manager than can use the settings in this SNMP community to monitor the FortiGate unit You can also set the IP address to 0 0 0 0 to so that any SNMP manager can use this SNMP community Interface Optionally select the name of the interface that this SNMP manager ...

Страница 101: ... agent are already compiled into your SNMP manager you do not have to compile them again Table 6 FortiGate MIBs MIB file name or RFC Description fortinet 2 80 mib The Fortinet MIB is a proprietary MIB that includes detailed FortiGate system configuration information Add this MIB to your SNMP manager to monitor all FortiGate configuration settings For more information about FortiGate MIB fields see...

Страница 102: ...trap message includes the name of the interface and the serial number of the FortiGate unit HA state HA state changes The trap message includes the previous state the new state and a flag indicating whether the unit is the master HA switch The primary unit in an HA cluster fails and is replaced with a new primary unit Memory low SysMemLow Memory usage exceeds 90 The interface_name Interface IP is ...

Страница 103: ...nFlood NIDS attack prevention detects and provides protection from a syn flood attack Port scan attack IdsPortScan NIDS attack prevention detects and provides protection from a port scan attack Table 11 FortiGate antivirus traps Trap message Description Virus detected AvVirus The FortiGate unit detects a virus and removes the infected file from an HTTP or FTP download or from an email message Tabl...

Страница 104: ... priority of the individual FortiGate unit in a cluster override The master override setting enable or disable for an individual FortiGate unit in a cluster autoSync Auto config synchronization flag schedule Load balancing schedule for A A mode stats Statistics for all of the units in the HA cluster index The index number of the FortiGate unit serial The FortiGate unit serial number cpuUsage The c...

Страница 105: ...r Can be password LDAP or RADIUS state Whether the local user is enabled or disable Table 18 Virtual domains MIB field Description index The index number virtual domain added to the FortiGate unit name The name of the virtual domain added to the FortiGate unit Each FortiGate unit includes at least one virtual domain named root auth The authentication type of for the local user Can be password LDAP...

Страница 106: ...Figure 38 Replacement messages list To change a replacement message 1 Go to System Config Replacement Messages 2 Select the category of replacement message to edit by clicking on the blue triangle for that category 3 For the replacement message that you want to change select Edit 4 Edit the content of the message Name The type of replacement message You can change messages added to email web pages...

Страница 107: ... a file that contained a virus or was blocked by antivirus file blocking QUARFILENAME can be used in virus and file block messages Quarantining is only available on FortiGate units with a local disk URL The URL of a web page This can be a web page that is blocked by web filter content or URL blocking URL can also be used in http virus and file block messages to be the URL of the web page from whic...

Страница 108: ...ile was removed EMAIL_TO The email address of the intended receiver of the message from which the file was removed NIDSEVENT The IPS attack message NIDSEVENT is added to alert email intrusion messages SERVICE The name of the web filtering service CATEGORY The name of the content category of the web site FORTINET The Fortinet logo Table 20 Replacement message tags Continued Tag Description Enable F...

Страница 109: ... read only write only or both read and write access to the following FortiGate features This chapter describes Administrators Access profiles Administrators Use the admin account or an account with system configuration read and write privileges to add new administrator accounts and control their permission levels System Configuration Can access the system status interface virtual domain HA routing...

Страница 110: ...ge Password icon The admin administrator account cannot be deleted Administrator Enter the login name for the administrator account Password Type a password for the administrator account For improved security the password should be at least 6 characters long Confirm Password Type the password for the administrator account a second time to confirm that you have typed it correctly Trusted Host 1 Tru...

Страница 111: ...or must connect only through the subnet or subnets you specify You can even restrict an administrator to a single IP address if you define only one trusted host IP address with a netmask of 255 255 255 255 When you set trusted hosts for all administrators the FortiGate unit does not respond to administrative access attempts from any other hosts This provides the highest security If you leave even ...

Страница 112: ...under Access Control Allow Write All Select Allow Write All to give an administrator write privilege on all the items under Access Control System Configuration Allow or deny access to the system status interface virtual domain HA routing option SNMP time and replacement message features Log Report Allow or deny access to the log setting log access and alert email features Security Policy Allow or ...

Страница 113: ...41105 113 To configure an access profile 1 Go to System Admin Access Profile 2 Select Create New to add an access profile or select the edit icon to edit an existing access profile 3 Enter a name for the access profile 4 Select or clear the Access Control check boxes as required 5 Select OK ...

Страница 114: ...114 01 28006 0002 20041105 Fortinet Inc Access profiles System administration ...

Страница 115: ...spam filtering files to the management computer You can also restore system configuration VPN certificate web and spam filtering files from previously downloaded backup files Figure 46 Backup and restore list Category The list of files that can be backed up and restored Latest Backup The date and time of the last backup The Restore Upload Backup and Reset to factory default icons All Configuration...

Страница 116: ... system to its original configuration including resetting interface addresses This procedure does not change the firmware version or the antivirus or attack definitions Debug Log Download debug log Web Filtering Web Content Block Restore or back up the Web Content Block list Web URL Block List Restore or back up the Web URL Block list Web URL Exempt List Restore or back up the Web URL Exempt list ...

Страница 117: ...or select Browse and locate the file 4 Select OK If you restore the system configuration the FortiGate unit restarts loading the new system settings You should then reconnect to the web based manager and review your configuration to confirm that the uploaded system settings have taken effect 5 Select Return This step does not apply if you restore the system configuration To back up VPN certificate...

Страница 118: ...rt 9443 To receive push updates the FDN must be able to route packets to the FortiGate unit using UDP port 9443 For information about configuring push updates see To enable push updates on page 123 The FDN is a world wide network of FortiProtect Distribution Servers FDSs When the FortiGate unit connects to the FDN it connects to the nearest FDS To do this all FortiGate units are programmed with a ...

Страница 119: ...e FortiGate unit to send push updates Push updates may not be available if you have not registered the FortiGate unit see To register a FortiGate unit on page 128 if there is a NAT device installed between the FortiGate unit and the FDN see Enabling push updates through a NAT device on page 124 or if your FortiGate unit connects to the Internet using a proxy server see To enable scheduled updates ...

Страница 120: ...t was successful and new updates were installed Other messages can indicate that the FortiGate was not able to connect to the FDN and other error conditions Allow Push Update Select this check box to allow automatic updates of the FortiGate unit Use override push IP Select this check box and enter the override IP address and port number Override push IP addresses and ports are used when there is a...

Страница 121: ... whether the update was successful or not To enable scheduled updates 1 Go to System Maintenance Update center 2 Select the Scheduled Update check box 3 Select one of the following to check for and download updates 4 Select Apply The FortiGate unit starts the next scheduled update according to the new update schedule Whenever the FortiGate unit runs a scheduled update the event is recorded in the ...

Страница 122: ...em autoupdate tunneling set address proxy address_ip set port proxy port set username username_str set password password_str set status enable end For example if the IP address of the proxy server is 67 35 50 34 its port is 8080 the user name is proxy_user and the password is proxy_pwd enter the following command config system autoupdate tunneling set address 67 35 50 34 set port 8080 set username...

Страница 123: ...nded as the only method for obtaining updates The FortiGate unit might not receive the push notification Also when the FortiGate unit receives a push notification it makes only one attempt to connect to the FDN and download updates To enable push updates 1 Go to System Maintenance Update center 2 Select Allow Push Update 3 Select Apply Push updates when FortiGate IP addresses change The SETUP mess...

Страница 124: ... FortiGate NAT device and the FortiGate unit on the internal network so that the FortiGate unit on the internal network can receive push updates 1 Add a port forwarding virtual IP to the FortiGate NAT device 2 Add a firewall policy to the FortiGate NAT device that includes the port forwarding virtual IP 3 Configure the FortiGate unit on the internal network with an override push IP and port To add...

Страница 125: ...elect the Use override push check box 4 Set IP to the external IP address added to the virtual IP 5 Set Port to the external service port added to the virtual IP 6 Select Apply The FortiGate unit sends the override push IP address and port to the FDN The FDN now uses this IP address and port for push updates to the FortiGate unit on the internal network If the external IP address or external servi...

Страница 126: ...egister the FortiGate unit with FortiNet Contact Information Enter the contact information so that FortiNet support can reply to your bug report Items marked with an are required Bug Description Enter a description of the problem you have encountered with the FortiGate unit Send diagnostic information Send diagnostic information about the FortiGate unit including its current configuration to Forti...

Страница 127: ...organization purchased You can register multiple FortiGate units in a single session without re entering your contact information Once registration is completed Fortinet sends a Support Login user name and password to your email address You can use this user name and password to log on to the Fortinet support web site to View your list of registered FortiGate units Register additional FortiGate un...

Страница 128: ...d the FortiCare Support Contract number to the registration information You can also register the FortiGate unit without purchasing a FortiCare Support Contract In that case when you purchase a FortiCare Support Contract you can update the registration information to add the support contract number A single FortiCare Support Contract can cover multiple FortiGate units You must enter the same servi...

Страница 129: ...ontract number SCN you can return to the previous page to enter the number If you do not have a FortiCare Support Contract you can select Continue to complete the registration If you have entered a support contract number a real time validation is performed to verify that the SCN information matches the FortiGate unit If the information does not match you can try entering it again A web page is di...

Страница 130: ...ts Use the following procedure to reset system settings to the values set at the factory This procedure does not change the firmware version or the antivirus or attack definitions 1 Go to System Maintenance Shutdown 2 Select Reset to factory default 3 Select Apply The FortiGate unit restarts with the configuration that it had when it was first powered on 4 Reconnect to the web based manager and re...

Страница 131: ...ections between VLAN subinterfaces or zones in the virtual domain Packets never cross the virtual domain border The remainder of FortiGate functionality is shared between virtual domains This means that there is one IPS configuration one antivirus configuration one web filter configuration one protection profile configuration and so on shared by all virtual domains As well virtual domains share fi...

Страница 132: ...gs Physical interfaces see To add physical interfaces to a virtual domain on page 136 VLAN subinterfaces see To add VLAN subinterfaces to a virtual domain on page 137 Zones see To add zones to a virtual domain on page 137 Management IP Transparent mode see To select a management virtual domain and add a management IP on page 136 Routing configuration Router configuration in NAT Route mode see To c...

Страница 133: ...irus Definitions and engine Attack Definitions and engine Serial Number Operation Mode Network configuration DNS settings DHCP configuration DHCP settings are applied per interface no matter which virtual domain the interface has been added to System Config Time Options HA SNMP v1 v2c Replacement messages FortiManager configuration System Admin Administrators Access profiles System Maintenance Upd...

Страница 134: ...al domain if you want these systems to communicate with network resources that can connect to a different virtual domain Virtual domains Go to System Virtual domain Virtual domains to view and add virtual domains Figure 51 Virtual domain list Create New Add a new virtual domain Current The name of the current virtual domain Select Change to choose a different domain The default virtual domain is r...

Страница 135: ...n Name The virtual domain must not have the same name as a VLAN or zone 4 Select OK Selecting a virtual domain The following procedure applies to NAT Route and Transparent mode To select a virtual domain to configure 1 Go to System Virtual domain Virtual domains 2 Select Change following the current virtual domain name above the table 3 Choose the virtual domain to configure 4 Select OK The footer...

Страница 136: ...onfigure virtual domains Adding interfaces VLAN subinterfaces and zones to a virtual domain Configuring routing for a virtual domain Configuring firewall policies for a virtual domain Configuring IPSec VPN for a virtual domain Adding interfaces VLAN subinterfaces and zones to a virtual domain To add physical interfaces to a virtual domain A virtual domain must contain at least two interfaces These...

Страница 137: ...edure describes how to move a VLAN subinterface from one virtual domain to another You cannot remove a VLAN subinterface from a virtual domain if firewall policies have been added for it Delete the firewall policies or remove the VLAN subinterface from the firewall policies first If the VLAN subinterface has been added to a zone it is removed from the zone when you move it to a different virtual d...

Страница 138: ...ion for the current virtual domain To configure the routing table for a virtual domain in Transparent mode 1 Go to System Virtual domain Virtual domains 2 Select Change following the current virtual domain name above the table 3 Choose the virtual domain for which to configure routing 4 Select OK 5 Go to System Network Routing Table 6 Configure the routing table for the current virtual domain as r...

Страница 139: ...ble 3 Choose the virtual domain for which to configure firewall addresses 4 Select OK 5 Go to Firewall Address 6 Add new firewall addresses address ranges and address groups to the current virtual domain See Address on page 198 To add IP pools to a virtual domain The following procedure applies to NAT Route mode 1 Go to System Virtual domain Virtual domains 2 Select Change following the current vi...

Страница 140: ...irtual domain The following procedure applies to NAT Route and Transparent mode 1 Go to System Virtual domain Virtual domains 2 Select Change following the current virtual domain name above the table 3 Choose the virtual domain for which to configure VPN 4 Select OK 5 Go to VPN 6 Configure IPSec VPN PPTP L2TP and certificates as required See VPN on page 245 ...

Страница 141: ...d You can decrease the distance value of a static route to indicate that the route is preferable compared to another static route that specifies a different gateway to the same destination network Routes having lower administrative distances are preferable and are selected first when two or more routes to the same destination network are available The FortiGate unit routes packets using a best mat...

Страница 142: ...68 10 1 Device Name of the interface connected to network 192 168 10 0 24 e g external Distance 10 The Gateway setting specifies the IP address of the next hop router interface to the FortiGate external interface The interface behind the router 192 168 10 1 is the default gateway for FortiGate_1 In some cases there may be routers behind the FortiGate unit If the destination IP address of a packet ...

Страница 143: ...tination IP mask 192 168 30 0 24 Gateway 192 168 10 2 Device dmz Distance 10 To route packets from Network_2 to Network_1 Router_2 must be configured to use the FortiGate dmz interface as its default gateway On the FortiGate unit you would create a new static route with these settings Destination IP mask 192 168 20 0 24 Gateway 192 168 10 1 Device internal Distance 10 Static route list Figure 54 S...

Страница 144: ...uence number for this route IP The destination IP address for this route Mask The netmask for this route Gateway The IP address of the first next hop router to which this route directs traffic Device The name of the FortiGate interface through which to route traffic Distance The administrative distance for the route The Delete Edit and Move to icons Destination IP Mask Enter the destination IP add...

Страница 145: ... list and attempts to match the packet with a policy The policy route supplies the next hop gateway as well as the FortiGate interface to be used by the traffic If no policy route matches the packet the FortiGate unit routes the packet using the regular routing table Policy route list Figure 57 Policy routes Create New Add a new policy route The sequence number for this policy route Incoming The p...

Страница 146: ...RIP supports both RIP version 1 as defined by RFC 1058 and RIP version 2 as defined by RFC 2453 RIP version 2 enables RIP messages to carry more information and to support simple authentication and subnet masks Protocol Match packets that have this protocol number Incoming Interface Match packets that are received on this interface Source Address Mask Match packets that have this source IP address...

Страница 147: ... servers in the network should have the same RIP timer settings Update The time interval in seconds between RIP updates Garbage The time in seconds that must elapse after the timeout interval for a route expires before RIP deletes the route If RIP receives an update for the route after the timeout timer expires but before the garbage timer expires then the entry is switched back to reachable Timeo...

Страница 148: ...used for the redistributed routes 4 Select a Route map name 5 Select Apply Networks list Identify the networks for which to send and receive RIP updates If a network is not specified interfaces in that network will not be advertised in RIP updates Figure 60 RIP Networks list Route map Enter the name of the route map to use for the redistributed connected routes For information on how to configure ...

Страница 149: ...n 2 authentication RIP version send and receive for the specified interface and configure and enable split horizon Authentication is only available for RIP version 2 packets sent and received by an interface Set authentication to None if Send Version or Receive Version are set to 1 or 1 2 Figure 62 RIP interface list Create New Add a new RIP interface Interface The FortiGate interface name Send Ve...

Страница 150: ... the Receive Version here overrides the default RIP version for this interface Split Horizon Configure RIP to use either regular or poisoned reverse split horizon on this interface Select Regular to prevent RIP from sending updates for a route back out the interface from which it received that route Select Poisoned reverse to send updates with routes learned on an interface back out the same inter...

Страница 151: ... list If you do not specify an interface the filter will be applied to all interfaces in the current virtual domain You must configure the access list or prefix list that you want the distribute list to use before you configure the distribute list For more information on configuring access lists and prefix lists see Access list on page 154 and Prefix list on page 155 Figure 64 RIP Distribute list ...

Страница 152: ...ribute list Direction The direction for the filter Filter The type of filter and the filter name Interface The interface to use this filter on If no interface name is displayed this distribute list is used for all interfaces Enable The status of this distribute list The Delete and Edit icons Direction Set the direction for the filter Select In to filter incoming packets Select Out to filter outgoi...

Страница 153: ...irtual domain go to System Virtual Domain Virtual Domains and select the virtual domain Create New Add a new offset list Direction The direction for the offset list Access list The access list to use for this offset list Offset The offset number to add to the metric for this offset list Interface The interface to match for this offset list Enable The status of this offset list The Delete and Edit ...

Страница 154: ...ix exactly or to match the prefix and any more specific prefix The FortiGate unit attempts to match a packet against the rules in an access list starting at the top of the list If it finds a match for the prefix it takes the action specified for that prefix If no match is found the default action is deny For an access list to take effect it must be called by another FortiGate routing feature such ...

Страница 155: ...d Match a network address enter the IP address and netmask that define the prefix for this access list entry 6 Select Exact match if required 7 Select OK Prefix list A prefix list is an enhanced version of an access list that allows you to control the length of the prefix netmask Each rule in a prefix list consists of a prefix IP address and netmask the action to take for this prefix permit or den...

Страница 156: ...ture such as RIP or OSPF Figure 71 Prefix list New Prefix list Figure 72 Prefix list name configuration To add a prefix list name 1 Go to Router Router Objects Prefix List 2 Select Create New 3 Enter a name for the prefix list 4 Select OK Create New Add a new prefix list name An access list and a prefix list cannot have the same name Name The prefix list name Action The action to take for the pref...

Страница 157: ...Select OK Route map list Route maps are a specialized form of filter Route maps are similar to access lists but have enhanced matching criteria and in addition to permit or deny actions can be configured to make changes as defined by set statements list Entry The prefix list name and the number of this entry Action Set the action to take for this prefix to Permit or Deny Prefix Select Match any to...

Страница 158: ...tiple match statements are defined in a rule all the match statements must match before the set statements can be used For a route map to take effect it must be called by another FortiGate routing feature such as RIP Figure 74 Route map list New Route map Figure 75 Route map name configuration To add a route map name 1 Go to Router Router Objects Route map 2 Select Create New 3 Enter a name for th...

Страница 159: ... to deny routes that match this entry Match The criteria to match Interface Match a route with the selected destination interface Address Match a route if the destination address is included in the selected access list or prefix list Next hop Match a route that has a next hop router address included in the selected access list or prefix list Metric Match a route with the specified metric The metri...

Страница 160: ...ates from one key to the next according to the scheduled send and receive lifetimes The sending and receiving routers should have their system dates and times synchronized but overlapping the key lifetimes ensures that a key is always available even if there is some difference in the system times See System time on page 81 for information on setting the FortiGate system date and time Figure 77 Key...

Страница 161: ...e required hour minute second year month and day to start using this key for received routing updates Key chain entry The key chain name and the ID number for this key chain entry Key The key password can be up to 35 characters long Accept Lifetime Set the time period during which the key can be received Send Lifetime Set the time period during which the key can be sent Start For both accept and s...

Страница 162: ...te routing table Routing monitor list Figure 80 Routing monitor To filter the routing monitor display 1 Go to Router Monitor Routing Monitor 2 Select a type of route to display or select all to display routes of all types For example select Connected to display all the directly connected routes or select RIP to display all the routes learned from RIP Type FIlter the display to show routes of the s...

Страница 163: ...t router info ospf database get router info ospf interface get router info protocols Show the current state of active routing protocols Command syntax get router info protocols Note You can configure Type Network and Gateway filters individually or in any combination router info ospf command keywords and variables Keywords and variables Description Availability border routers Show OSPF routing tab...

Страница 164: ...onnected to more than one area is an area border router ABR Routing information is contained in a link state database Routing information is communicated between routers using link state advertisements LSAs More information on OSPF can be found in RFC 2328 Command syntax pattern config router ospf set keyword variable end config router ospf unset keyword end get router ospf show router ospf The co...

Страница 165: ...ing the overflow state The lsas_integer must be the same on all routers attached to the OSPF area and the OSPF backbone The valid range for lsas_integer is 0 to 4294967294 10000 All models database overflow time to recover seconds_integer Enter the time in seconds after which the FortiGate unit will attempt to leave the overflow state If seconds_integer is set to 0 the FortiGate unit will not leav...

Страница 166: ...that only supports RFC 1583 When RFC 1583 compatibility is enabled routers choose the path with the lowest cost Otherwise routers choose the lowest cost intra area path through a non backbone area disable All models router id address_ipv4 Set the router ID The router ID is a unique number in IP address dotted decimal format that is used to identify an OSPF router to other OSPF routers The router I...

Страница 167: ... backbone area that all areas can connect to You can use a virtual link to connect areas that do not have a physical connection to the backbone Routers within an OSPF area maintain link state databases for their own areas config area command syntax pattern config area edit id_ipv4 set keyword variable end config area edit id_ipv4 unset keyword variable end config area delete id_ipv4 end config are...

Страница 168: ...on for interfaces the authentication configured for the area is not used Authentication passwords or keys are defined per interface See config ospf interface on page 180 none All models default cost cost_integer Enter the metric to use for the summary default route in a stub area or not so stubby area NSSA A lower default cost indicates a more preferred route The valid range for cost_integer is 1 ...

Страница 169: ...SA You can set the translator role to always to ensure this FortiGate unit always acts as a translator if it is in a NSSA even if other routers in the NSSA are also acting as translators You can set the translator role to candidate to have this FortiGate unit participate in the process for electing a translator for a NSSA You can set the translator role to never to ensure this FortiGate unit never...

Страница 170: ...ix list on page 155 config filter list command syntax pattern config filter list edit id_integer set keyword variable end config filter list edit id_integer unset keyword end config filter list delete id_integer end config filter list edit id_integer get end config filter list edit id_integer show end Note Both keywords are required filter list command keywords and variables Keywords and variables...

Страница 171: ...le shows how to display the configuration for area 15 1 1 1 config router ospf config area edit 15 1 1 1 show end config range Access the config range subcommand using the config area command Use the area range command to summarize routes at an area boundary If the network numbers in an area are contiguous the ABR advertises a summary route that includes all the networks within the area that are w...

Страница 172: ... how to display the configuration for area 15 1 1 1 Note Only the prefix keyword is required All other keywords are optional range command keywords and variables Keywords and variables Description Default Availability advertise disable enable Enable or disable advertising the specified range enable All models prefix address_ipv4mask Specify the range of addresses to summarize No default All models...

Страница 173: ...link allows traffic from the area to transit a directly connected area to reach the backbone The transit area cannot be a stub area Virtual links can only be set up between two area border routers ABRs config virtual link command syntax pattern config virtual link edit name_str set keyword variable end config virtual link edit name_str unset keyword end config virtual link delete name_str end conf...

Страница 174: ...t authentication The authentication key must be the same on both ends of the virtual link The maximum length for the authentication key is 15 characters No default All models authentication must be set to text dead interval seconds_integer The time in seconds to wait for a hello packet before declaring a router down The value of the dead interval should be four times the value of the hello interva...

Страница 175: ...ig router ospf command retransmit interval seconds_integer The time in seconds to wait before sending a LSA retransmission The value for the retransmit interval must be greater than the expected round trip delay for a packet The valid range for seconds_integer is 1 to 65535 5 All models transmit delay seconds_integer The estimated time in seconds required to send a link state update packet on this...

Страница 176: ...g distribute list edit id_integer unset keyword end config distribute list delete id_integer end config distribute list edit id_integer get end config distribute list edit id_integer show end Example This example shows how to configure a distribute list numbered 2 to use an access list named acc_list1 for all static routes Note Both keywords are required distribute list command keywords and variab...

Страница 177: ...or distribute list 2 config router ospf config distribute list edit 2 show end config neighbor Access the config neighbor subcommand using the config router ospf command Use this command to manually configure an OSPF neighbor on nonbroadcast networks OSPF packets are unicast to the specified neighbor address You can configure multiple neighbors config neighbor command syntax pattern config neighbo...

Страница 178: ...other keywords are optional neighbor command keywords and variables Keywords and variables Description Default Availability cost cost_integer Enter the cost to use for this neighbor The valid range for cost_integer is 1 to 65535 10 All models ip address_ipv4 Enter the IP address of the neighbor 0 0 0 0 All models poll interval seconds_integer Enter the time in seconds between hello packets sent to...

Страница 179: ..._integer end config network edit id_integer get end config network edit id_integer show end Example Use the following command to enable OSPF for the interfaces attached to networks specified by the IP address 10 0 0 0 and the netmask 255 255 255 0 and to add these interfaces to area 10 1 1 1 config router ospf config network edit 2 set area 10 1 1 1 set prefix 10 0 0 0 255 255 255 0 end end networ...

Страница 180: ...interface command syntax pattern config ospf interface edit interface name_str set keyword variable end config ospf interface edit interface name_str unset keyword end config ospf interface delete interface name_str end config ospf interface edit interface name_str get end config ospf interface edit interface name_str show end Note The interface name_str variable in the syntax pattern below repres...

Страница 181: ...outer is mistakenly added to the network If you configure authentication for the interface authentication for areas is not used All routers on the network must use the same authentication type none All models authentication key password_str Enter the password to use for text authentication The authentication key must be the same on all neighboring routers The maximum length for the authentication ...

Страница 182: ...y without unsetting all of the keys The key ID and key must be the same on all neighboring routers The valid range for id_integer is 1 to 255 key_str is an alphanumeric string of up to 16 characters No default All models authentication must be set to md5 mtu mtu_integer Change the Maximum Transmission Unit MTU size included in database description packets sent out this interface The valid range fo...

Страница 183: ...riority router ID is used Point to point networks do not elect a DR or BDR therefore this setting has no effect on a point to point network The valid range for priority_integer is 0 to 255 1 All models retransmit interval seconds_integer The time in seconds to wait before sending a LSA retransmission The value for the retransmit interval must be greater than the expected round trip delay for a pac...

Страница 184: ...ion key a2b3c4d5e end end This example shows how to display the settings for the OSPF interface configuration named test config router ospf config ospf interface edit test get end This example shows how to display the configuration for the OSPF interface configuration named test config router ospf config ospf interface edit test show end config redistribute Access the config redistribute subcomman...

Страница 185: ...uter ospf config summary address Access the config summary address subcommand using the config router ospf command redistribute command keywords and variables Keywords and variables Description Default Availability metric metric_integer Enter the metric to be used for the redistributed routes The metric_integer range is from 1 to 16777214 10 All models metric type 1 2 Specify the external link typ...

Страница 186: ...d get router ospf show router ospf Example This example shows how to summarize routes using the prefix 10 0 0 0 255 0 0 0 config router ospf config summary address edit 5 set prefix 10 0 0 0 255 0 0 0 end end This example shows how to display the OSPF settings get router ospf Note Only the prefix keyword is required All other keywords are optional summary address command keywords and variables Key...

Страница 187: ...ute that best matches the destination address of the packet If a match is not found the FortiGate unit routes the packet using the default route Command syntax pattern config router static6 edit sequence_integer set keyword variable end config router static6 edit sequence_integer unset keyword end config router static6 delete sequence_integer end get router static6 sequence_integer show router sta...

Страница 188: ... 60 set gateway 12AB 0 0 CD30 123 4567 89AB CDEF end This example shows how to display the list of IPV6 static route numbers get router static6 This example shows how to display the settings for IPV6 static route 2 get router static6 2 This example shows how to display the IPV6 static route configuration show router static6 This example shows how to display the configuration for IPV6 static route ...

Страница 189: ... Each policy can be individually configured to route connections or apply network address translation NAT to translate source and destination IP addresses and ports You can add IP pools to use dynamic NAT when the firewall translates source addresses You can use policies to configure port address translation PAT through the FortiGate You can add protection profiles to firewall policies to apply di...

Страница 190: ...empt source and destination addresses service port and time and date at which the connection attempt was received The first policy that matches is applied to the connection attempt If no policy matches the connection is dropped The default policy accepts all connection attempts from the internal network to the Internet From the internal network users can browse the web use POP3 to get email use FT...

Страница 191: ... on page 198 Schedule The schedule that controls when the policy should be active See Schedule on page 210 Service The service to which the policy applies See Service on page 202 Action The response to make when the policy matches a connection attempt Enable Enable or disable the policy Enabling the policy makes it available for the firewall to match it to incoming connections source destination n...

Страница 192: ... Before you can add this address to a policy you must add it to the destination interface VLAN subinterface or zone For information about adding an address see Addresses on page x For NAT Route mode policies where the address on the destination network is hidden from the source network using NAT the destination can also be a virtual IP that maps the destination address of the packet to a hidden de...

Страница 193: ...f you select NAT you can also select Dynamic IP Pool and Fixed Port NAT is not available in Transparent mode Dynamic IP Pool Select Dynamic IP Pool to translate the source address to an address randomly selected from the IP pool An IP pool dropdown list appears when the policy destination interface is the same as the IP pool interface You cannot select Dynamic IP Pool if the destination interface ...

Страница 194: ...oups for authentication You can select Authentication for any service Users can authenticate with the firewall using HTTP Telnet or FTP For users to be able to authenticate you must add an HTTP Telnet or FTP policy that is configured for authentication When users attempt to connect through the firewall using this policy they are prompted to enter a firewall username and password If you want users ...

Страница 195: ...ble routers sort IP traffic into classes by inspecting the DS field in IPv4 header or the Traffic Class field in the IPv6 header You can use the FortiGate DiffServ feature to change the DSCP Differentiated Services Code Point value for all packets accepted by a policy The network uses these DSCP values to classify mark shape and police traffic and to perform intelligent queuing DSCP features are a...

Страница 196: ...he results that you expect For information about arranging policies in a policy list see How policy matching works on page 190 To delete a policy 1 Go to Firewall Policy 2 Select the Delete icon beside the policy you want to delete 3 Select OK To edit a policy 1 Go to Firewall Policy 2 Select the Edit icon beside the policy you want to edit 3 Edit the policy as required 4 Select OK To change the p...

Страница 197: ...e To enable a policy 1 Go to Firewall Policy 2 Select Enable Policy CLI configuration The natip keyword for the firewall policy command is used in encrypted VPN policies A natip address cannot be added using the web based manager You can configure complete firewall policies using from the CLI See the FortiGate CLI Reference Guide for descriptions of all firewall policy keywords Command syntax patt...

Страница 198: ...s Configuring address groups firewall policy command keywords and variables Keywords and variables Description Default Availability natip address_ipv4mask Configure natip for a firewall policy with action set to encrypt and with outbound NAT enabled Specify the IP address and subnet mask to translate the source address of outgoing packets Set natip for peer to peer VPNs to control outbound NAT IP ...

Страница 199: ...bnet IP address 192 168 20 0 and Netmask 255 255 255 0 A single IP address for example IP Address 192 168 20 1 and Netmask 255 255 255 255 All possible IP addresses represented by IP Address 0 0 0 0 and Netmask 0 0 0 0 Create New Select Create New to add a firewall address Name The name of the firewall address Address The IP address and mask or IP address range of the firewall The Delete and Edit ...

Страница 200: ...ess 1 Go to Firewall Address 2 Select Create New 3 Enter a name to identify the address 4 Enter the IP address and netmask or the IP address range 5 Select OK To edit an address Edit an address to change its IP information You cannot edit the address name 1 Go to Firewall Address Address 2 Select the Edit icon beside the address you want to edit 3 Make any required changes 4 Select OK To delete an...

Страница 201: ... Figure 89 Address group options Address group has the following options Note If an address group is included in a policy it cannot be deleted unless it is first removed from the policy Create New Select Create New to add an address group Group Name The name of the address group Members The addresses in the address group The Delete and Edit View icons Group Name Enter a name to identify the addres...

Страница 202: ...wall Address Group 2 Select the Delete icon beside the address group you want to delete 3 Select OK To edit an address group 1 Go to Firewall Address Group 2 Select the Edit icon beside the address group you want to modify 3 Make any required changes 4 Select OK Service Use services to determine the types of communication accepted or denied by the firewall You can add any of the predefined service...

Страница 203: ...llows an arbitrary network protocol to be transmitted over any other arbitrary network protocol by encapsulating the packets of the protocol within GRE packets 47 AH Authentication Header AH provides source host authentication and data integrity but not secrecy This protocol is used for authentication by IPSec remote gateways set to aggressive mode 51 ESP Encapsulating Security Payload This servic...

Страница 204: ...otocol used for retrieving email messages tcp 143 Internet Locator Service Internet Locator Service includes LDAP User Locator Service and LDAP over TLS SSL tcp 389 IRC Internet Relay Chat allows people connected to the Internet to join live discussions tcp 6660 6669 L2TP L2TP is a PPP based tunnel protocol for remote access tcp 1701 LDAP Lightweight Directory Access Protocol is a set of protocols...

Страница 205: ...P Routing Information Protocol is a common distance vector routing protocol udp 520 SIP MSNmessenger Session Initiation Protocol is used by Microsoft Messenger to initiate an interactive possibly multimedia session SMTP Simple Mail Transfer Protocol is used to send mail between email servers on the Internet tcp 25 SNMP Simple Network Management Protocol is a set of protocols for managing complex n...

Страница 206: ...s WAIS Wide Area Information Server is an Internet search protocol tcp 210 WINFRAME For WinFrame communications between computers running Windows NT tcp 1494 X WINDOWS For remote communications between an X Window server and X Window clients tcp 6000 6063 Table 21 FortiGate predefined services Continued Service name Description Protocol Port Create New Select a protocol and then Create New to add ...

Страница 207: ... and high port numbers If the service uses one port number enter this number in both the low and high fields Destination Port Specify the Destination Port number range for the service by entering the low and high port numbers If the service uses one port number enter this number in both the low and high fields Name The name of the ICMP custom service Protocol Type Select the protocol type of the s...

Страница 208: ...e service 6 Select OK You can now add this custom service to a policy To add a custom IP service 1 Go to Firewall Service Custom 2 Select Create New 3 Enter a name for the new custom IP service 4 Select IP as the Protocol Type 5 Enter the IP protocol number for the service 6 Select OK You can now add this custom service to a policy To delete a custom service 1 Go to Firewall Service Custom 2 Selec...

Страница 209: ...as the following icons and features Service group options Service group options are configurable when creating or editing a service group Figure 96 Service group options Service group has the following options Create New Select Create New to add a service group Group Name The name to identify the service group Members The services added to the service group The Delete and Edit View icons Group Nam...

Страница 210: ...rewall Service Group 2 Select the Edit icon beside the service group you want to modify 3 Make any required changes 4 Select OK Schedule Use schedules to control when policies are active or inactive You can create one time schedules and recurring schedules You can use one time schedules to create policies that are effective once for the period of time specified in the schedule Recurring schedules ...

Страница 211: ...ime schedule list has the following icons and features One time schedule options Figure 98 One time schedule options One time schedule has the following options Configuring one time schedules To add a one time schedule 1 Go to Firewall Schedule One time 2 Select Create New 3 Type a name for the schedule Create New Select Create New to add a one time schedule Name The name of the one time schedule ...

Страница 212: ...s of the day or on specified days of the week For example you might want to prevent game play during working hours by creating a recurring schedule Figure 99 Sample recurring schedule list The recurring schedule list has the following icons and features Note To change the one time schedule name you must delete the schedule and add it with a new name Note If you create a recurring schedule with a s...

Страница 213: ...hedules use a 24 hour clock 6 Select OK To delete a recurring schedule 1 Go to Firewall Schedule Recurring 2 Select the Delete icon beside the recurring schedule you want to delete 3 Select OK To edit a recurring schedule 1 Go to Firewall Schedule Recurring 2 Select the Edit icon beside the recurring schedule you want to modify 3 Modify the schedule as required Stop The stop time of the recurring ...

Страница 214: ...ee types of virtual IPs This section describes Virtual IP list Virtual IP options Configuring virtual IPs Note To change the one time schedule name you must delete the schedule and add it with a new name Static NAT Used to translate an address on a source network to a hidden address on a destination network Static NAT translates the source address of return packets to the address on the source net...

Страница 215: ...tic NAT or port forwarding Figure 102 Virtual IP options static NAT Figure 103 Virtual IP options port forwarding Create New Select Create New to add a virtual IP Name The name of the virtual IP IP The external IP address mapped to an address on the destination network Service Port The external port number of the service from the IP Map to IP The real IP address on the destination network Map to P...

Страница 216: ...cted in step 4 However the external IP address must be routed to the selected interface The virtual IP address and the external IP address can be on different subnets 7 Enter the Map to IP address to which to map the external IP address For example the IP address of a web server on an internal network 8 Select OK Name Enter the name to identify the virtual IP Addresses address groups and virtual I...

Страница 217: ...must be routed to the external interface selected in step 4 The virtual IP address and the external IP address can be on different subnets 7 Enter the External Service Port number for which you want to configure port forwarding The external service port number must match the destination port of the packets to be forwarded For example if the virtual IP provides access from the Internet to a web ser...

Страница 218: ...P server the external service port number should be 1723 the PPTP port See PPTP passthrough on page 262 for more information 8 Enter the Map to IP address to which to map the external IP address For example the IP address of a PPTP server on an internal network 9 Enter the Map to Port number to be added to packets when they are forwarded If you do not want to translate the port enter the same numb...

Страница 219: ...the IP pool to use when configuring a firewall policy You can enter an IP address range using the following formats x x x x x x x x for example 192 168 110 100 192 168 110 120 x x x x x for example 192 168 110 100 120 This section describes IP pool list IP pool options Configuring IP pools IP Pools for firewall policies that use fixed ports IP pools and dynamic NAT IP pool list Figure 104 Sample I...

Страница 220: ...the IP pool as required 4 Select OK to save the changes IP Pools for firewall policies that use fixed ports Some network configurations do not operate correctly if a NAT policy translates the source port of packets used by the connection NAT translates source ports to keep track of connections for a particular service You can select fixed port for NAT policies to prevent source port translation Ho...

Страница 221: ...ction As a result connections to the Internet appear to be originating from any of the IP addresses in the IP pool Protection profile Use protection profiles to apply different protection settings for traffic that is controlled by firewall policies You can use protection profiles to Configure antivirus protection for HTTP FTP IMAP POP3 and SMTP policies Configure web filtering for HTTP policies Co...

Страница 222: ... policy or included in a user group Strict To apply maximum protection to HTTP FTP IMAP POP3 and SMTP traffic You may not wish to use the strict protection profile under normal circumstances but it is available if you have extreme problems with viruses and require maximum screening Scan To apply virus scanning to HTTP FTP IMAP POP3 and SMTP traffic Web To apply virus scanning and web content block...

Страница 223: ...e or disable virus scanning for viruses and worms for each protocol HTTP FTP IMAP POP3 SMTP Grayware if enabled in Antivirus Config Config is included with the Virus Scan Heuristic if enabled in the CLI is also included with the Virus Scan File Block Enable or disable file pattern blocking for each protocol You can block files by name by extension or any other pattern giving you the flexibility to...

Страница 224: ...s and patterns in the content block list Web URL Block Enable or disable web page filtering for HTTP traffic based on the URL block list Web Exempt List Enable or disable web page filtering for HTTP traffic based on the URL exempt list Exempt URLs are not scanned for viruses Web Script Filter Enable or disable blocking scripts from web pages for HTTP traffic Web resume download block Enable to blo...

Страница 225: ...s to circumvent web category blocking Allow websites when a rating error occurs HTTP only Allow web pages that return a rating error from the web filtering service Category The FortiGuard web filtering service provides many categories by which to filter web traffic You can set the action to take on web pages for each category Choose from allow block or monitor IP address BWL check Black white list...

Страница 226: ... you to append a custom tag to the subject or header of email identified as spam For SMTP you can choose between tagged or discard Discard immediately drops the connection You can tag email by appending a custom word or phrase to the subject or inserting a MIME header and value into the email header You can choose to log any spam action in the event log Note Choosing to tag spam email messages aut...

Страница 227: ...n profile to a policy You can enable protection profiles for firewall policies with action set to allow or encrypt and with service set to ANY HTTP FTP IMAP POP3 SMTP or a service group that includes these services 1 Go to Firewall Policy 2 Select a policy list to which you want to add a protection profile For example to enable network protection for files downloaded from the web by internal netwo...

Страница 228: ...tion profiles Use protection profiles to apply different protection settings for traffic controlled by firewall policies Command syntax pattern config firewall profile edit profilename_str set keyword variable end config firewall profile edit profilename_str unset keyword end config firewall profile delete profilename_str end get firewall profile profilename_str show firewall profile profilename_s...

Страница 229: ...letes When downloading files from an FTP server the FortiGate unit sends 1 byte every 30 seconds to prevent the client from timing out during scanning and download If a virus is detected the FortiGate unit stops the download The user must then delete the partially downloaded file There should not be enough content in the file to cause any harm Enabling splice reduces timeouts when uploading and do...

Страница 230: ...the FortiGate unit to simultaneously scan an email and send it to the SMTP server If the FortiGate unit detects a virus it terminates the server connection and returns an error message to the sender listing the virus name and infected filename In this mode the SMTP server is not able to deliver the email if it was sent with an infected attachment Throughput is higher when splice is enabled When sp...

Страница 231: ... profile command get firewall profile This example shows how to display the settings for the spammail profile get firewall profile spammail This example shows how to display the configuration for the firewall profile command show firewall profile This example shows how to display the configuration for the spammail profile show firewall profile spammail ...

Страница 232: ...232 01 28006 0002 20041105 Fortinet Inc Protection profile Firewall ...

Страница 233: ...y the user s credentials locally or using an external LDAP or RADIUS server Authentication expires if the user leaves the connection idle for longer than the authentication timeout period You need to determine the number and membership of your user groups appropriate to your authentication needs To set up user groups 1 If external authentication is needed configure RADIUS or LDAP servers See RADIU...

Страница 234: ... minutes Local Go to User Local to add local user names and configure authentication Local user list Figure 114 Local user list Local user options Figure 115 Local user options Create New Add a new local username User Name The local user name Type The authentication type to use for this user The Delete and Edit icons User Name Enter the user name Disable Select Disable to prevent this user from au...

Страница 235: ... contacts the RADIUS server for authentication The default port for RADIUS traffic is 1812 If your RADIUS server is using port 1645 you can use the CLI to change the default RADIUS port For more information see the config system global command entry in the FortiGate CLI Reference Guide RADIUS server list Figure 116 RADIUS server list LDAP Select LDAP to require the user to authenticate to an LDAP ...

Страница 236: ...the RADIUS server 5 Enter the RADIUS server secret 6 Select OK To delete a RADIUS server You cannot delete a RADIUS server that has been added to a user group 1 Go to User RADIUS 2 Select the Delete icon beside the RADIUS server name that you want to delete 3 Select OK Create New Add a new RADIUS server Name The RADIUS server name Server Name IP The domain name or IP address of the RADIUS server T...

Страница 237: ...validating user names and passwords FortiGate LDAP supports all LDAP servers compliant with LDAP v3 FortiGate LDAP support does not extend to proprietary functionality such as notification of password expiration that is available from some LDAP servers FortiGate LDAP support does not supply information to the user about why authentication failed LDAP server list Figure 118 LDAP server list LDAP se...

Страница 238: ...e LDAP server Server Name IP Enter the domain name or IP address of the LDAP server Server Port Enter the port used to communicate with the LDAP server By default LDAP uses port 389 Common Name Identifier Enter the common name identifier for the LDAP server The common name identifier for most LDAP servers is cn However some servers use other common name identifiers such as uid Distinguished Name E...

Страница 239: ...Auth The FortiGate PPTP configuration Only users in the selected user group can use PPTP The FortiGate L2TP configuration Only users in the selected user group can use L2TP When you add user names RADIUS servers and LDAP servers to a user group the order in which they are added determines the order in which the FortiGate unit checks for authentication If user names are first then the FortiGate uni...

Страница 240: ... group select an LDAP server from the Available Users list and select the right arrow to add the LDAP server to the Members list 7 To remove users RADIUS servers or LDAP servers from the user group select a user RADIUS server or LDAP server from the Members list and select the left arrow to remove the name RADIUS server or LDAP server from the group 8 Select a protection profile from the Protectio...

Страница 241: ...d syntax pattern config user peer edit name_str set keyword variable config user peer edit name_str unset keyword config user peer delete name_str get user peer name_str show user peer name_str Example This example shows how to add the branch_office peer config user peer edit branch_office set ca set cn set cn type end radius command keywords and variables Keywords and variables Description Defaul...

Страница 242: ..._str set keyword variable config user peergrp edit name_str unset keyword config user peergrp delete name_str get user peergrp name_str show user peergrp name_str Example This example shows how to add peers to the peergrp EU_branches config user peergrp edit EU_branches set member Sophia_branch Valencia_branch Cardiff_branch end This example shows how to display the list of configured peer groups ...

Страница 243: ...his example shows how to display the settings for the peergrp EU_branches get user peergrp EU_branches This example shows how to display the configuration for all the peers groups show user peergrp This example shows how to display the configuration for the peergrp EU_branches show user peergrp EU_branches ...

Страница 244: ...244 01 28006 0002 20041105 Fortinet Inc CLI configuration Users and authentication ...

Страница 245: ...ol L2TP This chapter contains information about the following VPN topics Phase 1 Phase 2 Manual key Concentrator Ping Generator Monitor PPTP L2TP Certificates CLI configuration Authenticating peers with preshared keys Gateway to gateway VPN Dialup VPN Dynamic DNS VPN Manual key IPSec VPN Adding firewall policies for IPSec VPN tunnels Internet browsing through a VPN tunnel IPSec VPN in Transparent ...

Страница 246: ...ure Phase 1 list Figure 122 IPSec VPN Phase 1 list Create New Select Create New to add a Phase 1 configuration also called a remote gateway Gateway Name The names of the Phase 1 configurations remote gateways added Gateway IP The IP address of the remote gateway if this is a static IP address phase 1 Dialup if this is a dialup Phase 1 configuration and the domain name if this is a dynamic DNS phas...

Страница 247: ...n fields may become available or be removed IP Address If you select Static IP Address for Remote Gateway enter the IP address of the gateway or client Dynamic DNS If you select Dynamic DNS for Remote Gateway enter the Dynamic DNS DDNS name DDNS allows a computer to keep the same domain name even if its IP address changes Mode Select Aggressive or Main ID Protection mode Both modes establish a sec...

Страница 248: ...ficate name of the remote client or peer for the remote client or peer to start a VPN session with the FortiGate unit Select Accept any peer ID to accept the local ID or peer ID of any remote client or VPN peer Select Accept this peer ID to accept a remote client or group that has a particular local ID or peer ID Enter the value Select Accept peer ID in dialup group to accept remote clients that b...

Страница 249: ...thentication enter the distinguished name DN of the local certificate XAuth You can configure the FortiGate unit as an Extended Authentication XAuth client or an XAuth server For more information see Configuring XAuth on page 249 Nat traversal Enable this option if you expect the IPSec VPN traffic to go through a gateway that performs NAT If no NAT device is detected enabling NAT traversal has no ...

Страница 250: ...PAP between the XAuth client and the FortiGate unit and CHAP between the FortiGate unit and the authentication server Use CHAP whenever possible Use PAP if the authentication server does not support CHAP Use PAP with all implementations of LDAP and some implementations of Microsoft RADIUS Use MIXED if the authentication server supports CHAP but the XAuth client does not Use MIXED with the Fortinet...

Страница 251: ... identification process For information about how to create a Phase 1 Dialup User configuration see Dialup VPN on page 279 If the tunnel is to connect a static remote gateway select the name of an existing Phase 1 configuration from the Static IP Address section of the list See Gateway to gateway VPN on page 278 for information about how to define a Phase 1 Static IP Address configuration You can ...

Страница 252: ...rypted session NULL Do not use a message digest MD5 Message Digest 5 the hash algorithm developed by RSA Data Security SHA1 Secure Hash Algorithm 1 which produces a 160 bit message digest To specify one combination only set the Encryption and Authentication options of the second combination to NULL To specify a third combination use the add button beside the fields for the second combination Enabl...

Страница 253: ...y keep alive to keep the VPN connection open even if no data is being transferred DHCP IPSec If the tunnel will service remote dialup clients that broadcast a DHCP request when connecting to the tunnel select DHCP IPSec The FortiGate unit can relay the request to an external DHCP server For more information see System DHCP on page 73 Internet browsing Select the Interface through which remote VPN ...

Страница 254: ... name for the VPN tunnel Local SPI The local Security Parameter Index SPI identifies the local manual key VPN peer Enter a hexadecimal number digits can be 0 to 9 a to f in the range bb8 to FFFFFFF This number must be added to the Remote SPI at the opposite end of the tunnel Remote SPI The remote Security Parameter Index identifies the remote manual key VPN peer Enter a hexadecimal number of up to...

Страница 255: ...nto two segments of 16 characters For AES192 enter a 48 character 24 byte hexadecimal number 0 9 A F Separate the number into three segments of 16 characters For AES256 enter a 64 character 32 byte hexadecimal number 0 9 A F Separate the number into four segments of 16 characters Authentication Algorithm Select an Authentication Algorithm from the list Use the same algorithm at both ends of the tu...

Страница 256: ... through two tunnels simultaneously The ping interval is fixed at 40 seconds The source and destination IP addresses refer to the source and destination addresses of IP packets that are to be transported through the VPN When a destination address of 0 0 0 0 is entered for the ping generator the address means none Members The names of the Phase 2 configurations and manual key configurations added t...

Страница 257: ...splay provides information about tunnel connections including addressing proxy IDs and status information To monitor a VPN tunnel 1 Go to VPN IPSEC Monitor You can establish or take down a VPN tunnel manually through the Monitor tab Enable Disable or enable pinging between the specified source and destination addresses Source IP 1 Enter the private IP address from which traffic may originate local...

Страница 258: ... before another tunnel can be initiated Flush dialup tunnels icon Stop all dialup tunnels and stop the traffic passing through all dialup tunnels Dialup users may have to re connect to establish new VPN sessions Name The name of the phase 2 for the dialup tunnel followed by the number of the dialup tunnel For example if there are 4 dialup tunnels running that use a phase 2 configuration named Dial...

Страница 259: ...o enable authentication you must add a user group to the FortiGate unit Within the user group add a user name for each PPTP client You can add users to the FortiGate user database to authentication servers RADIUS or LDAP or to both See Users and authentication on page 233 2 Enable PPTP and specify a PPTP address range See Enabling PPTP and specifying a PPTP range on page 260 Name The name of the t...

Страница 260: ...r example if you want PPTP clients to be able to access a web server set the service to HTTP See To add a firewall policy on page 196 6 Configure the Windows clients See Configuring a Windows 2000 client for PPTP Configuring a Windows XP client for PPTP Enabling PPTP and specifying a PPTP range The PPTP address range is the range of addresses reserved for remote PPTP clients When a remote PPTP cli...

Страница 261: ...rocedure 2 Enter your PPTP VPN User Name and Password 3 Select Connect 4 In the connect window enter the User Name and Password that you use to connect to your dialup network connection This user name and password is not the same as your VPN user name and password Configuring a Windows XP client for PPTP To configure a PPTP dialup connection 1 Go to Start Control Panel 2 Select Network and Interne...

Страница 262: ...the same as your VPN user name and password PPTP passthrough The FortiGate unit supports PPTP passthrough by configuring a port forwarding virtual IP to use port 1723 Normally PPTP passthrough requires the generic routing encapsulation GRE protocol on IP port 47 When you configure PPTP passthrough using the following procedure the FortiGate unit automatically enables the GRE protocol for PPTP pass...

Страница 263: ...internal 4 For Address name Set Source to All Set Destination to PPTP_pass 5 Set Schedule as required 6 Set Service to ANY 7 Set action to ACCEPT 8 Select NAT 9 Select OK L2TP You can set up VPN connections between FortiGate units and remote Windows clients using Layer 2 Tunneling Protocol L2TP L2TP lets you create a secure connection between a client computer running Microsoft Windows and your in...

Страница 264: ...e L2TP range See To add an address on page 200 4 Add a destination address The destination address is the address to which the L2TP clients can connect For example if the destination address is on the internal network you would create an external to internal policy to control the access that L2TP users have through the FortiGate unit Typically you would add only one destination address for the ent...

Страница 265: ...tination Address enter the address of the FortiGate unit to connect to and select Next 5 Set Connection Availability to Only for myself and select Next 6 Select Finish 7 In the Connect window select Properties 8 Select the Security tab 9 Make sure that Require data encryption is selected 10 Select the Networking tab 11 Set VPN server type to Layer 2 Tunneling Protocol L2TP 12 Save your changes and...

Страница 266: ...indows 2000 based computer does not create the automatic filter that uses CA authentication Instead it checks for a local or active directory IPSec policy To connect to the L2TP VPN 1 Start the dialup connection that you configured in the previous procedure 2 Enter your L2TP VPN User Name and Password 3 Select Connect 4 In the connect window enter the User Name and Password that you use to connect...

Страница 267: ...11 Make sure that the following options are not selected File and Printer Sharing for Microsoft Networks Client for Microsoft Networks To disable IPSec 1 Select the Networking tab 2 Select Internet Protocol TCP IP properties 3 Double click the Advanced tab 4 Go to the Options tab and select IP security properties 5 Make sure that Do not use IPSec is selected 6 Select OK and close the connection pr...

Страница 268: ...y a public key and some identifying information that has been digitally signed by a trusted third party known as a certificate authority CA Because CAs can be trusted the certificates issued by a CA are deemed to be trustworthy To obtain a personal or site certificate you must send a request to a CA that provides digital certificates that adhere to the X 509 standard The FortiGate unit provides a ...

Страница 269: ...X 509 standard To generate a certificate request 1 Go to VPN Certificates Local Certificates 2 Select Generate 3 Enter a Certificate Name Typically this is the name of the FortiGate unit being certified Generate Select to use the FortiGate unit to generate a local certificate request Import Select to import a signed local certificate Name The name of the local certificate or certificate request Su...

Страница 270: ...support all three key sizes 7 Select OK The request is generated and displayed in the Local Certificates list with a status of Pending 8 Select the Download button to download the request to a PC on the local network 9 In the File Download dialog box select Save 10 Name the file and save it on the local file system 11 Submit the request to your CA as follows Using the web browser on the local PC b...

Страница 271: ... Certificates Certificate Name Type a certificate name Subject Information Enter an ID type and the related information for the FortiGate unit being certified You can use one of the following three ID types If you select Host IP enter the IP address of the FortiGate unit being certified If you select Domain Name enter the fully qualified domain name of the FortiGate unit being certified If you sel...

Страница 272: ...When a VPN peer is configured to authenticate using digital certificates it sends the Distinguished Name DN on its certificate to the remote peer This DN can be used to deny VPN access For example a FortiGate unit can be configured to deny connections to all remote peers except the one having the specified DN If the FortiGate unit participates in a gateway to gateway configuration and you want bot...

Страница 273: ...rgrp CLI command before it can be selected here For more information see the config user chapter of the CLI Reference Guide 3 If you want to define the DN of the FortiGate unit select Advanced and from the Local ID list select the DN of the FortiGate unit 4 Select OK CLI configuration This guide only covers Command Line Interface CLI commands keywords or variables in bold that are not represented ...

Страница 274: ...his period of time expires whenever the local peer sends traffic to the remote VPN peer it will also send a DPD probe to determine the status of the link The dpd idleworry range is 1 to 300 To control the length of time that the FortiGate unit takes to detect a dead peer with DPD probes use the dpdretrycount and dpd retryinterval keywords 10 seconds All models dpd must be set to enable dpd retryco...

Страница 275: ...ple_GW set Type dynamic set proposal des md5 set authmethod psk set psksecret Qf2p3O93jIj2bz7E set mode aggressive set dpd enable set dpd idlecleanup 1000 set dpd idleworry 150 set dpd retrycount 5 set dpd retryinterval 30 end ipsec phase2 In addition to the advanced IPSec Phase 2 settings the config vpn ipsec phase2 CLI command provides a way to bind the VPN tunnel selected in a Phase 2 configura...

Страница 276: ...affic to the intended destinations automatically Each IPSec VIP entry is identified by an integer An entry identifies the name of the FortiGate interface to the destination network and the IP address of a destination host on the destination network Specify an IP address for every host that needs to be accessed on the other side of the tunnel you can define a maximum of 32 IPSec VIP addresses on th...

Страница 277: ...1 set out interface external next edit 2 set ip 192 168 12 2 set out interface external end This example shows how to display the settings for the vpn ipsec vip command get vpn ipsec vip This example shows how to display the settings for the VIP entry named 1 get vpn ipsec vip 1 This example shows how to display the current configuration of all existing VIP entries show vpn ipsec vip ipsec vip com...

Страница 278: ... is often referred to as adding a tunnel See Phase 2 on page 250 4 Add the firewall configuration required for the VPN See Adding firewall policies for IPSec VPN tunnels on page 280 Gateway to gateway VPN Using a peer to peer VPN users on a network behind a VPN gateway can connect to another remote network behind a remote VPN gateway Both VPN gateways or peers are FortiGate units or other VPN gate...

Страница 279: ... Dynamic DNS VPN allows remote users or gateways with dynamic IP addresses to use VPN to connect to a private network In this case the gateway or client at the remote end of the VPN tunnel has a dynamic IP address but the FortiGate unit can get the IP address by looking up a domain name The remote client or gateway uses dynamic DNS to re map this domain name to its IP address whenever the IP addre...

Страница 280: ...about firewall policies You can also use firewall policies for IPSec VPN to apply protection profiles to VPN traffic to log IPSec VPN traffic and to apply advanced features to IPSec VPN traffic such as traffic shaping and differentiated services Adding a firewall policy for an IPSec VPN involves creating an internal external policy setting the policy action to ENCRYPT and selecting the VPN tunnel ...

Страница 281: ...licy direction See Setting the encryption policy direction on page 280 3 Add the source and destination addresses See To add an address on page 200 4 Set Action to ENCRYPT 5 From the VPN tunnel list select a phase 2 tunnel configuration 6 Configure the following options if required 7 Select additional options if required to apply a protection profile and or other firewall policy features 8 Select ...

Страница 282: ...ual source interface Then create Internet access policies for VPN users For example if the virtual source interface is VLAN_21 and the wan 1 interface is connected to the Internet you would require create VLAN_21 external firewall policies To configure Internet browsing through a VPN tunnel 1 Go to VPN IPSec Phase 1 2 Add a phase 1 configuration to define the parameters used to authenticate the re...

Страница 283: ...iguration to define the parameters used to authenticate the remote VPN peer 2 Set other phase 1 options as required See Phase 1 on page 246 3 Add the phase 2 configuration to define the parameters used to create and maintain the AutoKey VPN tunnel See Phase 2 on page 250 4 Add the firewall configuration required for the VPN See Adding firewall policies for IPSec VPN tunnels on page 280 Special rul...

Страница 284: ...is the address of the spoke either a client on the Internet or a network located behind a gateway See To add an address on page 200 3 Add the concentrator configuration This step groups the tunnels together on the FortiGate unit The tunnels link the hub to the spokes The tunnels are added as part of the AutoIKE phase 2 configuration or the manual key configuration See To add an address on page 200...

Страница 285: ...le VPN concentrator configuration To add a VPN concentrator configuration 1 Go to VPN IPSEC Concentrator 2 Select New to add a VPN concentrator 3 Enter the name of the new concentrator in the Concentrator Name field 4 To add tunnels to the VPN concentrator select a VPN tunnel from the Available Tunnels list and select the right arrow 5 To remove tunnels from the VPN concentrator select the tunnel ...

Страница 286: ... the address of the spoke either a client on the Internet or a network located behind a gateway See To add an address on page 200 4 Add a separate outbound encrypt policy for each remote VPN spoke These policies control the encrypted connections initiated by the local VPN spoke The encrypt policy must include the appropriate source and destination addresses and the tunnel added in step 1 Use the f...

Страница 287: ...een two VPN peers one peer can have multiple Internet connections while the other has only one Internet connection In the case of an asymmetrical configuration the level of redundancy varies from one end of the VPN to the other Configuring redundant IPSec VPNs For each FortiGate unit first add multiple two or more external interfaces Then assign each interface to an external zone Finally add a rou...

Страница 288: ... three VPN connections If the Internet connections are in the same zone add one VPN tunnel and add the remote gateways to it You can add up to three remote gateways If the Internet connections are in separate zones or assigned to unique interfaces add a VPN tunnel for each remote gateway entered See Phase 2 on page 250 3 Add the source and destination addresses See To add an address on page 200 4 ...

Страница 289: ... the two sites have been coordinated to protect against ambiguous routing no two IP addresses are the same Setting up a configuration like this involves performing the following tasks at FortiGate_1 and FortiGate_2 To enable IPSec VPN communication between two network hosts that coordinate the same private address space on physically separate networks perform the following tasks at the local and r...

Страница 290: ... remote peer software configuration Check the FortiGate firewall configuration Configuration Error Correction Wrong remote network information Check the IP addresses of the remote gateway and network Wrong preshared key Reenter the preshared key Wrong Aggressive Mode peer ID Reset to the correct Peer ID Mismatched IKE or IPSec proposal combination in the proposal lists Make sure both the FortiGate...

Страница 291: ...ofile select edit or Create New and select IPS See Protection profile options on page 222 Protection profile configuration For information about adding protection profiles to firewall policies see To add a protection profile to a policy on page 227 IPS updates and information FortiProtect services are a valuable customer resource and include automatic updates of virus and IPS attack engines and de...

Страница 292: ...ition to an extensive list of predefined attack signatures you can also create your own custom attack signatures for the FortiGate unit See Adding custom signatures on page 297 Predefined Predefined signatures are arranged into groups based on the type of attack By default all signature groups are enabled while some signatures within groups are not Check the default settings to ensure they meet th...

Страница 293: ...rs Action can be Pass Drop Reset Reset Client Reset Server Drop Session Clear Session or Pass Session See Table 24 Revision The revision number for individual signatures To show the signature group members click on the blue triangle Modify The Configure and Reset icons Reset only appears when the default settings have been modified Selecting Reset restores the default settings Table 24 Actions to ...

Страница 294: ... Used for TCP connections only If you set this action for non TCP connection based attacks the action will behave as Clear Session If the Reset Client action is triggered before the TCP connection is fully established it acts as Clear Session Reset Server The FortiGate unit drops the packet that triggered the signature sends a reset to the server and removes the session from the FortiGate session ...

Страница 295: ...f a signature 1 Go to IPS Signature Predefined 2 Select the blue triangle next to a signature group name to display the members of that group 3 Select the Reset icon for the signature you want to restore to recommended settings The Reset icon is displayed only if the settings for the signature have been changed from recommended settings 4 Select OK Configuring parameters for dissector signatures T...

Страница 296: ...eout If a session is idle for longer than this number of seconds the session will not be maintained by tcp_reassembler min_ttl A packet with a higher ttl number in its IP header than the number specified here is not processed by tcp_reassembler port_list A comma separated list of ports The dissector can decode these TCP ports bad_flag_list A comma separated list of bad TCP flags reassembly_ direct...

Страница 297: ... custom signatures from the custom signature group Reset to recommended settings Reset all the custom signatures to the recommended settings Name The custom signature names Revision The revision number for each custom signature The revision number is a number you assign to the signature when you create or revise it Enable The status of each custom signature A white check mark in a green circle ind...

Страница 298: ...sessions targeting a single destination in one second is over a threshold the destination is experiencing flooding Scan If the number of sessions from a single source in one second is over a threshold the source is scanning Source session limit If the number of concurrent sessions from a single source is over a threshold the source session limit is reached Destination session limit If the number o...

Страница 299: ...nt Reset Server Drop Session Clear Session or Pass Session Modify The Edit and Reset icons If you have changed the settings for an anomaly you can use the Reset icon to change the settings back to the recommended settings Name The anomaly name Enable Select the Enable box to enable the anomaly or clear the Enable box to disable the anomaly Logging Select the Logging box to enable logging for the a...

Страница 300: ... is fully established it acts as Clear Session Reset Client The FortiGate unit drops the packet that triggered the anomaly sends a reset to the client and removes the session from the FortiGate session table Used for TCP connections only If you set this action for non TCP connection based attacks the action will behave as Clear Session If the Reset Client action is triggered before the TCP connect...

Страница 301: ...edit name_str unset keyword end config limit delete name_str Example Use the following command to configure the limit for the tcp_src_session anomaly config ips anomaly tcp_src_session config limit edit subnet1 set ipaddress 1 1 1 0 255 255 255 0 set threshold 300 end end Note This guide only covers Command Line Interface CLI commands that are not represented in the web based manager For complete ...

Страница 302: ...ng signatures for attacks that your system is not vulnerable to for example web attacks when you are not running a web server For more information on FortiGate logging and alert email see Log Report on page 349 Default fail open setting If for any reason the IPS should cease to function it will fail open by default This means that crucial network traffic will not be blocked and the Firewall will c...

Страница 303: ...tocol HTTP FTP IMAP POP3 SMTP View a read only list of current viruses File Block Antivirus File Block Enable or disable file blocking for each protocol Configure file patterns to block enable or disable blocking for each protocol Quarantine Antivirus Quarantine Enable or disable quarantining for each protocol Quarantine is only available on units with a local disk View and sort the list of quaran...

Страница 304: ...ortiProtect Center at http www fortinet com FortiProtectCenter To set up automatic and push updates see Update center on page 118 This chapter describes File block Quarantine Config CLI configuration File block Configure file blocking to remove all files that are a potential threat and to prevent active computer virus attacks You can block files by name by extension or any other pattern giving you...

Страница 305: ...information files pif Figure 153 Default file block list File block list has the following icons and features Create New Select Create New to add a new file pattern to the file block list Apply Select Apply to apply any changes to the file block configuration Pattern The current list of blocked file patterns You can create a pattern by using or wildcard characters Check All Select a check box besi...

Страница 306: ...ned files list Quarantined files list options AutoSubmit list AutoSubmit list options Configuring the AutoSubmit list Config Quarantined files list The quarantined files list displays information about each file that is quarantined because of virus infection or file blocking You can sort the files by any one of file name date service status duplicate count DC or time to live TTL You can also filte...

Страница 307: ...oversize exe Date The date and time that the file was quarantined in the format dd mm yyyy hh mm This value indicates the time that the first file was quarantined if the duplicate count increases Service The service from which the file was quarantined HTTP FTP IMAP POP3 SMTP Status The reason the file was quarantined infected heuristics or blocked Status Description Specific information related to...

Страница 308: ...tions AutoSubmit list has the following icons and features Configuring the AutoSubmit list To add a file pattern to the AutoSubmit list 1 Go to Anti Virus Quarantine AutoSubmit 2 Select Create New Figure 156 Adding a file pattern 3 Enter the file pattern or file name you want to automatically upload to Fortinet for analysis 4 Select Enable 5 Select OK Create New Select Create New to add a new file...

Страница 309: ...he time limit in hours for which to keep files in quarantine The age limit is used to formulate the value in the TTL column of the quarantined files list When the limit is reached the TTL column displays EXP and the file is deleted although a record is maintained in the quarantined files list Entering an age limit of 0 zero means files are stored on disk indefinitely depending on low disk space ac...

Страница 310: ...the FortiGate unit to receive automatic updates daily or whenever required To manually upload a virus list update see Changing unit information on page 29 To find out how to use the Fortinet Update Center see Update center on page 118 Figure 158 Virus list partial Config Oversize threshold configuration refers to the size limits you can apply to scan files and email in memory Figure 159 Example th...

Страница 311: ...lt all new categories are disabled Grayware is enabled in a protection profile when Virus Scan is enabled Grayware options Grayware categories are populated with known executable files Each time the FortiGate unit receives a virus and attack definitions update the grayware categories and contents are updated Figure 160 Sample grayware options The categories may change or expand when the FortiGate ...

Страница 312: ... or bookmarks start pages and menu options Plugin Select enable to block browser plugins Browser plugins can often be harmless Internet browsing tools that are installed and operate directly from the browser window Some toolbars and plugins can attempt to control or record and send browsing preferences NMT Select enable to block network management tools Network management tools can be installed an...

Страница 313: ...n for the antivirus heuristic command show antivirus heuristic quarantine The quarantine command also allows configuration of heuristic related settings Table 26 antivirus heuristic command keywords and variables Keywords and variables Description Default Availability mode pass block disable Enter pass to enable heuristics but pass detected files to the recipient Suspicious files are quarantined i...

Страница 314: ...es Description Default Availability drop_heuristic ftp http imap pop3 smtp Do not quarantine files found by heuristic scanning in traffic for the specified protocols imap smtp pop3 http ftp FortiGate models numbered 200 and higher store_heuristic ftp http imap pop3 smtp Quarantine files found by heuristic scanning in traffic for the specified protocols No default FortiGate models numbered 200 and ...

Страница 315: ...rtiGate unit handles antivirus scanning of large files how the FortiGate unit handles the buffering and uploading of files to an FTP server and what ports the FortiGate unit virus scans for FTP traffic Command syntax pattern config antivirus service ftp set keyword variable end config antivirus service ftp unset keyword end get antivirus service ftp show antivirus service ftp Note This command has...

Страница 316: ...figure how the FortiGate unit handles antivirus scanning of large files and what ports the FortiGate unit virus scans for POP3 traffic Command syntax pattern config antivirus service pop3 set keyword variable end config antivirus service pop3 unset keyword end get antivirus service pop3 show antivirus service pop3 Note This command has more keywords than are listed in this Guide See the FortiGate ...

Страница 317: ...s command to configure how the FortiGate unit handles antivirus scanning of large files and what ports the FortiGate unit virus scans for IMAP traffic Command syntax pattern config antivirus service imap set keyword variable end config antivirus service imap unset keyword end get antivirus service imap show antivirus service imap Note This command has more keywords than are listed in this Guide Se...

Страница 318: ... this command to configure how the FortiGate unit handles antivirus scanning of large files in SMTP traffic and what ports the FortiGate unit scans for SMTP Command syntax pattern config antivirus service smtp set keyword variable end config antivirus service smtp unset keyword end get antivirus service smtp show antivirus service smtp Note This command has more keywords than are listed in this Gu...

Страница 319: ...or SMTP traffic Adding more ports for scanning does not erase the default port 25 Use the unset command to remove all ports from the list config antivirus service smtp set port 465 end This example shows how to display the antivirus SMTP traffic settings get antivirus service smtp This example shows how to display the configuration for antivirus SMTP traffic show antivirus service smtp ...

Страница 320: ...320 01 28006 0002 20041105 Fortinet Inc CLI configuration Antivirus ...

Страница 321: ...nned words and patterns in the content block list for HTTP traffic Add words and patterns to block web pages containing those words or patterns Web URL Block Web Filter URL Block Enable or disable web page filtering for HTTP traffic based on the URL block list Add URLs and URL patterns to block web pages from specific sources Web Exempt List Web Filter URL Exempt Enable or disable web page filteri...

Страница 322: ...er Content block Control web content by blocking specific words or word patterns The FortiGate unit blocks web pages containing banned words and displays a replacement message instead You can use Perl regular expressions or wildcards to add banned word patterns to the list See Using Perl regular expressions on page 346 Protection Profile web category filtering Web Filter setting Enable category bl...

Страница 323: ...regular expression i For example bad language i will block all instances of bad language regardless of case Wildcard patterns are not case sensitive Note Enable Web filtering Web Content Block in your firewall Protection Profile to activate the content block settings Create new Select Create New to add a banned word to the web content block list total The number of banned words in the web content ...

Страница 324: ...et the pattern type if required 5 Select the language character set 6 Select Enable 7 Select OK URL block You can block access to specific URLs by adding them to the URL block list You can also add patterns using text and regular expressions or wildcard characters to block URLs The FortiGate unit blocks web pages matching any specified URLs or patterns and displays a replacement message instead Ba...

Страница 325: ... must be separated by hard returns to upload correctly Figure 163 Sample Web URL block list Web URL block options Web URL block has the following icons and features Configuring the web URL block list Note URL blocking does not block access to other services that users can access with a web browser For example URL blocking does not block access to ftp ftp badsite com Instead you can use firewall po...

Страница 326: ...k all pages with a URL that ends with badsite com add badsite com to the block list For example adding badsite com blocks access to www badsite com mail badsite com www finance badsite com and so on 5 Select Enable 6 Select OK Web pattern block list In addition to blocking specific or partial URLs you can block all URLs that match patterns you create using text and regular expressions or wildcard ...

Страница 327: ... 3 Select Create New Figure 166 Adding a new pattern 4 Enter a pattern to add to the web pattern block list 5 Select Enable 6 Select OK URL exempt This section describes URL exempt list URL exempt list options Configuring URL exempt Create New Select Create New to add a new pattern to the web pattern block list Pattern The current list of blocked patterns Select the check box to enable all the web...

Страница 328: ...dd a URL to the URL exempt list 1 Go to Web Filter URL Exempt 2 Select Create New Figure 168 Adding a new exempt URL 3 Enter the URL to add to the URL exempt list 4 Select Enable Note Enable Web filtering Web Exempt List in your firewall Protection Profile to activate the URL exempt settings Create New Select Create New to add a URL to the URL exempt list total The number of URLs in the URL exempt...

Страница 329: ...ay be added to or updated as the Internet evolves Users can also choose to allow block or monitor entire groups of categories to make configuration simpler Blocked pages are replaced with a message indicating that the page is not accessible according to the Internet usage policy FortiGuard ratings are performed by a combination of proprietary methods including text analysis exploitation of the Web...

Страница 330: ... If you have ordered FortiGuard through Fortinet technical support or are using the free 30 day trial you only need to enable the service to start configuring and using FortiGuard Figure 169 Category block configuration You can configure the following options to enable and help maintain FortiGuard web filtering Enable Service FortiGuard Select to enable FortiGuard web filtering Status Select Check...

Страница 331: ... 224 and FortiGuard categories on page 367 Once you select Apply the FortiGuard license type and expiration date appears on the configuration screen Web Filter Category Block Category block reports You can generate a text and pie chart format report on web filtering for any profile The FortiGate unit maintains statistics for allowed blocked and monitored web pages for each category You can view re...

Страница 332: ...e Guide for descriptions of all webfilter catblock keywords Profile Select the profile for which you want to generate a report Report Type Select the time frame for which you want to generate the report Choose from hour day or all historical statistics Report Range Select the time range 24 hour clock or day range from six days ago to today for which you want the report For example if you select re...

Страница 333: ...guration for the catblock settings show webfilter catblock If the show command returns you to the prompt the settings are at default Script filter You can configure the FortiGate unit to filter certain web scripts You can filter Java applets cookies and ActiveX controls from web pages catblock command keywords and variables Keywords and variables Description Default Availability ftgd_hostname url_...

Страница 334: ...s for script filtering Note Enable Web filtering Web Script Filter in your firewall Protection Profile to activate the script filter settings Javascript Select Javascript to block all Javascript based pages or applications Cookies Select Cookies to block web sites from placing cookies on individual computers ActiveX Select ActiveX to block all ActiveX applications ...

Страница 335: ...nable or disable checking incoming IP addresses against the configured spam filter IP address list SMTP only Add to and edit IP addresses to the list You can configure the action to take as spam clear or reject for each IP address You can place an IP address anywhere in the list The filter checks each IP address in sequence SMTP only RBL ORDBL check Spam Filter RBL ORDBL Enable or disable checking...

Страница 336: ...ders against the configured spam filter MIME header list Add to and edit MIME headers to the list with the option of using wildcards and regular expressions You can configure the action to take as spam or clear for each MIME header Banned word check Spam Filter Banned Word Enable or disable checking source email against the configured spam filter banned word list Add to and edit banned words to th...

Страница 337: ...es the IP address list from email captured by spam probes located around the world Spam probes are email addresses purposely configured to attract spam and identify known spam sources to create the antispam IP address list FortiShield combines IP address checks with other spam filter techniques in a two pass process On the first pass FortiShield checks the SMTP mail server source address against t...

Страница 338: ...e the FortiGate unit to filter email from specific IP addresses You can mark each IP address as clear spam or reject You can filter single IP addresses or a range of addresses at the network level by configuring an address and mask Figure 172 Sample IP address list IP address options IP address list has the following icons and features Create New Select Create New to add an IP address to the IP ad...

Страница 339: ... reported spam source addresses and ORDBLs keep track of unsecured third party SMTP servers known as open relays which some spammers use to send unsolicited bulk email There are also several free and subscription servers available that provide reliable access to continually updated RBLs and ORDBLs Check with the service you are using to confirm the correct domain name for connecting to the server ...

Страница 340: ...ilter RBL ORDBL 2 Select Create New Figure 175 Adding an RBL or ORDBL server 3 Enter the domain name of the RBL or ORDBL server you want to add 4 Select the action to take on email matched by the server Create New Select Create New to add a server to the RBL ORDBL list Total The number of items in the list The Page up Page down and Remove all entries icons RBL Server The current list of servers Se...

Страница 341: ...ess list The FortiGate unit can filter email from specific senders or all email from a domain such as sample net You can mark each email address as clear or spam Figure 176 Sample email address list Email address options Email address list has the following icons and features Create New Select Create New to add an email address to the email address list Total The number of items in the list The Pa...

Страница 342: ...ples of MIME headers include X mailer outgluck X Distribution bulk Content_Type text html Content_Type image jpg The first part of the MIME header is called the header key or just header The second part is called the value Spammers will often insert comments into header values or leave them blank These malformed headers can fool some spam and virus filters You can use the MIME headers list to mark...

Страница 343: ... Select Create New Note MIME header entries are case sensitive Create New Select Create New to add a MIME header to the MIME headers list Total The number of items in the list The Page up Page down and Remove all entries icons Header The list of MIME headers keys Value The list of MIME header values for each key Pattern Type The pattern type used in the MIME header list entry Choose from wildcard ...

Страница 344: ...346 This section describes Banned word list Banned word options Configuring the banned word list Banned word list You can add one or more banned words to sort email containing those words in the email subject body or both Words can be marked as spam or clear Banned words can be one word or a phrase up to 127 characters long If you enter a single word the FortiGate unit blocks all email that contai...

Страница 345: ... wildcard or regular expression See Using Perl regular expressions on page 346 Language The character set to which the banned word belongs Simplified Chinese Traditional Chinese French Japanese Korean Thai or Western Where The location which the FortiGate unit searches for the banned word subject body or all Action The selected action to take on email with banned words The Delete and Edit View ico...

Страница 346: ...o any single character It is similar to the character in wildcard match pattern As a result fortinet com not only matches fortinet com but also matches fortinetacom fortinetbcom fortinetccom and so on To match a special character such as and use the escape character For example To mach fortinet com the regular expression should be fortinet com In Perl regular expressions means match 0 or more time...

Страница 347: ...end of the string a b either of a and b abc abc the string abc at the beginning or at the end of the string ab 2 4 c an a followed by two three or four b s followed by a c ab 2 c an a followed by at least two b s followed by a c ab c an a followed by any number zero or more of b s followed by a c ab c an a followed by one or more b s followed by a c ab c an a followed by an optional b followed by ...

Страница 348: ...abcd perl B perl when not followed by a word boundary e g in perlert but not in perl stuff x tells the regular expression parser to ignore white space that is neither backslashed nor within a character class You can use this to break up your regular expression into slightly more readable parts x used to add regexps within other text If the first character in a pattern is forward slash the is treat...

Страница 349: ...n You can configure the FortiGate unit to send alert email to up to three recipients when selected events occur It is not necessary for an event to be logged to trigger an alert email The FortiGate unit will collect and send log messages in alert emails according to the level and time intervals you configure in the alert email options All collected messages are assembled in one alert email which i...

Страница 350: ... 52 device_id APS3012803033139 log_id 0101023002 type event subtype ipsec pri notice loc_ip 172 16 81 2 loc_port 500 rem_ip 172 16 81 1 rem_port 500 out_if dmz vpn_tunnel ToDmz action negotiate init local mode stage 112 dir inbound status success msg Initiator tunnel 172 16 81 1 transform ESP_3DES HMAC_SHA1 Message meets Alert condition 2004 04 27 13 28 54 device_id APS3012803033139 log_id 0101023...

Страница 351: ...ll the FortiGate unit begins to overwrite the oldest messages All log entries are deleted when the FortiGate unit restarts Syslog A remote computer running a syslog server WebTrends A remote computer running a NetIQ WebTrends firewall reporting server FortiGate log formats comply with WebTrends Enhanced Log Format WELF and are compatible with NetIQ WebTrends Security Reporting Center 2 0 and Firew...

Страница 352: ...le is started Roll log policy The policy to follow for saving the current log and starting a new active log Overwritten deletes the oldest log entry when the disk is full Block traffic stops all network traffic when the disk is full Do not log stops logging messages when the disk is full Level The FortiGate unit logs all messages at and above the logging severity level you select For example if yo...

Страница 353: ...he logging severity level you select For example if you select Error the unit logs Error Critical Alert and Emergency level messages See Table 36 Logging severity levels on page 352 Facility Facility indicates the source of a log message By default FortiGate reports Facility as local7 You might want to change Facility to distinguish log messages from different FortiGate units Enable CSV Format If ...

Страница 354: ... email Test Select Test to send a test alert email to the configured recipients Level The FortiGate unit sends alert email for all messages at and above the logging severity level you select Emergency The interval to wait before sending an alert e mail for emergency level log messages Alert The interval to wait before sending an alert e mail for alert level log messages Critical The interval to wa...

Страница 355: ...rt email 7 Select Apply Log filter options For each logging location you enable you can create a customized log filter based on the log types described in the following sections Information The interval to wait before sending an alert e mail for information level log messages Apply Select Apply to activate any additions or changes to configuration Note If more than one log message is collected bef...

Страница 356: ...such as when a configuration has changed or a routing gateway has been added You can apply the following filters Policy allowed traffic The FortiGate unit logs all traffic that is allowed according to the firewall policy settings Policy violation traffic The FortiGate unit logs all traffic that violates the firewall policy settings Note You can enable traffic logging for specific interfaces or fir...

Страница 357: ...rewall authentication event The FortiGate unit logs all firewall related events such as user authentication Pattern update event The FortiGate unit logs all pattern update events such as antivirus and IPS pattern updates and update failures Virus infected The FortiGate unit logs all virus infections Filename blocked The FortiGate unit logs all instances of blocked files File oversized The FortiGat...

Страница 358: ...traffic log 1 Go to System Network Interface 2 Select the Edit icon for an interface 3 Select Log 4 Select OK 5 Repeat steps 1 through 4 for each interface for which you want to enable logging 6 Make sure you enable traffic logs for a logging location and set the logging severity level to Notification or lower Attack Signature The FortiGate unit logs all detected and prevented attacks based on the...

Страница 359: ... traffic logging for a firewall policy All connections accepted by the firewall policy are recorded in the traffic log 1 Go to Firewall Policy 2 Select the Edit icon for a policy 3 Select Log Traffic 4 Select OK 5 Make sure you enable traffic log under Log Filter for a logging location and set the logging severity level to Notification or lower ...

Страница 360: ... table describes the features and icons you can use to navigate and search the logs when viewing logs through the web based manager Type The location of the log messages memory Go to previous page icon View to the previous page in the log file Go to next page icon View to the next page in the log file View per page Select the number of log messages displayed on each page Line Type the line number ...

Страница 361: ...t needed unless the log contains information not available in any of the other more specific columns Column settings button Select to choose columns for log display Raw or Formatted Select Raw to switch to an unformatted log message display Select Formatted to switch to a log message display organized into columns Available fields The fields that you can add to the log message display Right arrow ...

Страница 362: ...log messages There are two ways to search log messages a simple keyword search or an advanced search that enables you to use multiple keywords and specify a time range To perform a simple keyword search 1 Display the log messages you want to search For more information see Viewing log messages on page 360 2 In the Search field type a keyword and select Go The log message list shows only the logs c...

Страница 363: ...variable config log fortilog setting unset keyword get log fortilog setting show log fortilog setting all of the following The message must contain all of the keywords any of the following The message must contain at least one of the keywords none of the following The message must contain none of the keywords Note The command keywords for fortilog setting that are not represented in the web based ...

Страница 364: ...to send logs to a remote computer running a syslog server Command syntax pattern config log syslogd setting set keyword variable psksecret str_psk Enter the pre shared key for the IPSec VPN tunnel to a FortiLog unit You can create an IPSec VPN tunnel if one or more FortiGate units are sending log messages to a FortiLog unit across the Internet Using an IPSec VPN tunnel means that all log messages ...

Страница 365: ...cility alert audit auth authpriv clock cron daemon ftp kernel local0 local1 local2 local3 local4 local5 local6 local7 lpr mail news ntp syslog user uucp Enter the facility type Also known as message category facility indicates from which part of the system a log message originated Facility can also be used to route messages to different files Facility types are described in Table 37 local7 All mod...

Страница 366: ...nfiguration for logging to a remote syslog server show log syslogd setting If the show command returns you to the prompt the settings are at default Table 37 Facility types Facility type Description alert audit auth security authorization messages authpriv security authorization messages private clock clock daemon cron cron daemon performing scheduled commands daemon system daemons running backgro...

Страница 367: ...sites that provide information about or promote the cultivation preparation or use of marijuana 2 Cult or Occult Sites that provide information about or promote religions not specified in Traditional Religions or other unconventional cultic or folkloric beliefs and practices Sites that promote or offer methods means of instruction or other resources to affect or influence real events through the u...

Страница 368: ...ty with no pornographic intent 9 Advocacy Groups Sites that promote change or reform in public policy public opinion social practice economic activities and relationships 10 Alcohol and Tobacco Sites that provide information about promote or support the sale of alcoholic beverages or tobacco products or associated paraphernalia 11 Gambling Sites that provide information about or promote gambling o...

Страница 369: ...scussion groups message boards and list servers includes blogs and mail magazines Digital post cards Sites for sending viewing digital post cards 22 Pay to Surf Sites that pay users to view Web sites advertisements or email 23 Web based Email Sites that host Web based email Potentially Bandwidth Consuming 24 File Sharing and Storage Peer to Peer File Sharing Sites that provide client software to e...

Страница 370: ...information about or cater to gay lesbian or bisexual lifestyles including those that support online shopping but excluding those that are sexually or issue oriented 33 Health Sites that provide information or advice on personal health or medical services procedures or devices but not drugs Includes self help groups 34 Job Search Sites that offer information about or support the seeking of employm...

Страница 371: ...ns devoted to professional advancement or workers interests Service and Philanthropic Organizations Sites sponsored by or that support or offer information about organizations devoted to doing good as their primary activity Social and Affiliation Organizations Sites sponsored by or that support or offer information about organizations devoted chiefly to socializing or common interests other than p...

Страница 372: ...lated business firms including sites supporting the sale of hardware software peripherals and services 53 Military Organizations Military Sites sponsored by branches or agencies of the armed services Others 54 Dynamic Content Dynamic Content URLs that are generated dynamically by a Web server 55 Miscellaneous Content Delivery Networks Commercial hosts that deliver content to subscribing Web sites ...

Страница 373: ...32 32 32 32 32 32 system interface ip6 prefix list 32 32 32 32 32 32 32 32 32 32 32 32 32 system ipv6_tunnel 4 4 4 4 4 4 4 4 4 4 4 4 4 system accprofile 8 8 8 16 16 16 16 16 64 64 64 64 64 system admin 8 8 8 64 64 64 64 64 256 256 256 256 256 system snmp community 3 3 3 3 3 3 3 3 3 3 3 3 3 system snmp community hosts 8 8 8 8 8 8 8 8 8 8 8 8 8 system session_ttl port 512 512 512 512 512 512 512 512...

Страница 374: ...0 500 500 500 500 500 500 firewall service group member 300 300 300 300 300 300 300 300 300 300 300 300 300 firewall schedule onetime 256 500 256 256 256 256 256 256 256 256 256 256 256 firewall schedule recurring 256 500 256 256 256 256 256 256 256 256 256 256 256 firewall ippool 50 50 50 50 50 50 50 50 50 50 50 50 50 firewall profile 32 32 32 32 32 32 32 32 32 256 256 256 256 firewall vip 500 50...

Страница 375: ...stem memory and performance considerations ips anomaly limit 100 100 100 100 100 100 100 100 100 100 100 100 100 ips custom 32 32 32 32 32 32 32 32 32 32 32 32 32 log trafficfilter rule 50 50 50 50 50 50 50 50 50 50 50 50 50 router access list 32 32 32 100 100 100 100 100 100 100 100 100 100 router access list rule 20 20 20 20 20 20 20 20 20 20 20 20 20 router prefix list 32 32 32 100 100 100 100 ...

Страница 376: ... 100 100 100 100 router ospf network 100 100 100 100 100 100 100 100 100 100 100 100 100 router ospf neighbor 10 10 10 10 10 10 10 10 10 10 10 10 10 router ospf passive interface 100 100 100 100 100 100 100 100 100 100 100 100 100 router ospf redistribute 100 100 100 100 100 100 100 100 100 100 100 100 100 router ospf summary address 10 10 10 10 10 10 10 10 10 10 10 10 10 router ospf distribute li...

Страница 377: ...ges are formatted and transmitted and what actions Web servers and browsers should take in response to various commands HTTPS The SSL protocol for transmitting private documents over the Internet using a Web browser Internal interface The FortiGate interface that is connected to an internal private network Internet A collection of networks connected together that span the entire globe using the NF...

Страница 378: ...to the specified address and waiting for a reply POP3 Post Office Protocol A protocol used to transfer e mail from a mail server to a mail client across the Internet Most e mail clients use POP PPP Point to Point Protocol A TCP IP protocol that provides host to network and router to router connections PPTP Point to Point Tunneling Protocol A Windows based technology for creating VPNs PPTP is suppo...

Страница 379: ... networks TCP guarantees delivery of data and also guarantees that packets will be delivered in the same order in which they were sent UDP User Datagram Protocol A connectionless protocol that like TCP runs on top of IP networks Unlike TCP UDP provides very few error recovery services offering instead a direct way to send and receive datagrams over an IP network It is used primarily for broadcasti...

Страница 380: ...380 01 28006 0002 20041105 Fortinet Inc Glossary ...

Страница 381: ...guration 116 backup mode modem 59 61 bandwidth guaranteed 195 196 maximum 195 196 banned word spam 344 bindtoif 276 browsing the Internet through a VPN tunnel 253 281 C CA certificates 271 Certificate Name 248 271 CLI 19 upgrading the firmware 33 35 cluster managing an HA cluster 94 cluster ID HA 95 cluster members HA 86 command line interface 19 Concentrator 251 255 Concentrator list 255 Concentr...

Страница 382: ... interface 48 dynamic DNS monitor 257 258 Dynamic DNS VPN 279 dynamic IP pool IP pool 199 234 236 237 239 dynamic port forwarding 214 218 E Email address 341 Enable perfect forward secrecy PFS 252 Enable replay detection 252 Encryption 249 for FortiLog unit 351 Encryption Algorithm 246 254 Encryption Key 255 Exempt URL options 328 expire system status 31 F facility 365 fail open 302 failover monit...

Страница 383: ...s of each cluster member 95 HA cluster configuring 90 HA monitor active sessions 96 CPU usage 96 intrusion detected 96 memory usage 96 monitor 96 network utilization 96 total bytes 96 total packets 96 up time 96 virus detected 96 heartbeat failover 84 heartbeat device IP addresses HA 89 hello interval 174 182 High Availability 86 high availability introduction 18 http 230 HTTPS 19 204 377 hub HA s...

Страница 384: ...6 Memory logging settings 353 memory usage HA monitor 96 metric 185 metric type 185 MIB FortiGate 101 MIME headers 342 Mode 246 247 mode HA 86 Transparent 16 modem adding firewall policies 63 backup mode 59 61 configuring settings 60 connecting to FortiGate unit 59 standalone mode 59 62 monitor HA monitor 96 IPSec VPN 257 monitor priorities HA 90 mtu 182 MTU size 49 definition 378 mtu ignore 182 N...

Страница 385: ...it 351 priorities of heartbeat device HA 88 priority 178 183 profile 228 276 protection 221 protection profile 221 protocol 176 service 203 system status 31 Proxy ID Destination 258 259 Proxy ID Source 258 259 proxy server 122 push updates 122 push update configuring 123 external IP address changes 123 management IP address changes 124 through a NAT device 124 through a proxy server 122 Q Quaranti...

Страница 386: ...alone mode 85 modem 59 62 static IP monitor 257 258 static NAT virtual IP 214 Status 251 status 183 185 257 364 365 HA monitor 95 interface 44 70 stub type 169 Subject Information 271 subnet definition 379 subnet address definition 379 substitute 172 substitute status 172 syn interval 82 synchronize with NTP server 82 Syslog logging settings 353 system configuration 81 system date and time setting...

Страница 387: ...ntroduction 17 VPN certificates restore 117 upload 117 VPN concentrator adding 285 VPN Tunnel Name 254 VPNs 245 W web content filtering introduction 14 Web filter 321 367 content block 322 Web pattern block 326 Web script filter options 334 Web URL block list 325 web based manager introduction 19 language 83 timeout 83 WebTrends logging settings 353 weighted round robin HA schedule 88 weighted rou...

Страница 388: ...388 01 28006 0002 20041105 Fortinet Inc Index ...

Отзывы:

Нет отзывов

Бренды по названию

Популярные бренды

Загрузить еще бренды