Fortinet FortiGate 60R Скачать руководство пользователя страница 214

Страница: 214 / 270

214

Fortinet Inc.

Configuring L2TP

PPTP and L2TP VPN

Adding a destination address

Add an address to which L2TP users can connect.

Go to

Firewall > Address

Select the internal interface or the DMZ interface. (Methods will differ slightly between
FortiGate models.)

Select New to add an address.

Enter the Address Name, IP Address, and NetMask for a single computer or for an
entire subnetwork on an internal interface of the local VPN peer.

Select OK to save the source address.

Adding a firewall policy

Add a policy which specifies the source and destination addresses and sets the
service for the policy to the traffic type inside the L2TP VPN tunnel.

Go to

Firewall > Policy

Select New to add a new policy.

Set Source to the group that matches the L2TP address range.

Set Destination to the address to which L2TP users can connect.

Set Service to match the traffic type inside the L2TP VPN tunnel.
For example, if L2TP users can access a web server, select HTTP.

Set Action to ACCEPT.

Select NAT if address translation is required.
You can also configure traffic shaping, logging, and antivirus and web filter settings for
L2TP policies.

Select OK to save the firewall policy.

Содержание FortiGate 60R

Страница 1: ...60R Installation and Configuration Guide INTERNAL DMZ 4 3 2 1 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 WAN1 WAN2 PWR STATUS FortiGate User Manual Volume 1 Version 2 50 MR2 18 Au...

Страница 2: ...t prior written permission of Fortinet Inc FortiGate 60R Installation and Configuration Guide Version 2 50 MR2 18 August 2003 Trademarks Products mentioned in this document are trademarks or registere...

Страница 3: ...0 NIDS 21 Antivirus 21 Web Filter 21 Email filter 21 Logging and Reporting 21 About this document 22 Document conventions 23 Fortinet documentation 24 Comments on Fortinet technical documentation 24 C...

Страница 4: ...our networks 49 Completing the configuration 50 Configuring the DMZ interface 50 Configuring the WAN2 interface 50 Setting the date and time 50 Changing antivirus protection 50 Registering your FortiG...

Страница 5: ...Manual virus definition updates 81 Manual attack definition updates 82 Displaying the FortiGate serial number 82 Displaying the FortiGate up time 82 Backing up system settings 82 Restoring system sett...

Страница 6: ...ding a secondary IP address to an interface 108 Adding a ping server to an interface 109 Controlling management access to an interface 109 Configuring traffic logging for connections to an interface 1...

Страница 7: ...support 132 FortiGate MIBs 133 FortiGate traps 134 Customizing replacement messages 134 Customizing replacement messages 135 Customizing alert emails 136 Firewall configuration 139 Default firewall co...

Страница 8: ...ng the dynamic IP MAC list 166 Enabling IP MAC binding 166 Content profiles 167 Default content profiles 168 Adding a content profile 168 Adding a content profile to a policy 169 Users and authenticat...

Страница 9: ...an encrypt policy 195 IPSec VPN concentrators 197 VPN concentrator hub general configuration steps 197 Adding a VPN concentrator 199 VPN spoke general configuration steps 200 Redundant IPSec VPNs 201...

Страница 10: ...ng the number of NIDS attack log and email messages 227 Antivirus protection 229 General configuration steps 229 Antivirus scanning 230 File blocking 231 Blocking files in firewall traffic 231 Adding...

Страница 11: ...and reporting 247 Recording logs 247 Recording logs on a remote computer 248 Recording logs on a NetIQ WebTrends server 248 Recording logs in system memory 249 Filtering log messages 249 Configuring t...

Страница 12: ...Contents 12 Fortinet Inc...

Страница 13: ...hip design networking security and content analysis The unique ASIC based architecture analyzes content and behavior in real time enabling key applications to be deployed right at the network edge whe...

Страница 14: ...g FortiGate web content filtering can be configured to scan all HTTP content protocol streams for URLs or for web page content If a match is found between a URL on the URL block list or if a web page...

Страница 15: ...protected networks and to allow controlled access to internal networks FortiGate policies include a complete range of options that control all incoming and outgoing network traffic control encrypted...

Страница 16: ...nable and disable prevention attack signatures and customize attack signature thresholds and other parameters To notify system administrators of the attack the NIDS records the attack and any suspicio...

Страница 17: ...onnect to the web based manager set the operating mode and use the setup wizard to customize FortiGate IP addresses for your network and the FortiGate unit is set to protect your network You can then...

Страница 18: ...a secure SSH connection to connect to the CLI from any network connected to the FortiGate including the Internet The CLI supports the same configuration and monitoring functionality as the web based m...

Страница 19: ...the NIDS to shared system memory What s new in Version 2 50 This section presents a brief summary of some of the new features in FortiOS v2 50 System administration Improved graphical FortiGate system...

Страница 20: ...Customizing replacement messages on page 134 Firewall The firewall default configuration has changed See Default firewall configuration on page 140 Add virtual IPs to all interfaces See Virtual IPs on...

Страница 21: ...d files Web Filter See the FortiGate Content Protection Guide for a complete description of FortiGate web filtering functionality New features include Cerberian URL Filtering Email filter See the Fort...

Страница 22: ...IP2 implementation and how to configure RIP settings System configuration describes system administration tasks available from the System Config web based manager pages This chapter describes setting...

Страница 23: ...tes an ASCII string variable keyword xxx_integer indicates an integer variable keyword xxx_ip indicates an IP address variable keyword vertical bar and curly brackets to separate alternative mutually...

Страница 24: ...uration information for FortiGate PPTP and L2TP VPN and VPN configuration examples Volume 3 FortiGate Content Protection Guide Describes how to configure antivirus protection web content filtering and...

Страница 25: ...t is available from the following addresses For information on Fortinet telephone support see http support fortinet com When requesting technical support please provide the following information Your...

Страница 26: ...26 Fortinet Inc Customer service and technical support Introduction...

Страница 27: ...he following If you are going to operate the FortiGate unit in NAT Route mode go to NAT Route mode installation on page 43 If you are going to operate the FortiGate unit in Transparent mode go to Tran...

Страница 28: ...63 x 6 13 x 1 38 in 21 9 x 15 6 x 3 5 cm Weight 1 5 lb 0 68 kg INTERNAL DMZ 4 3 2 1 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 WAN1 WAN2 PWR STATUS Power LED Status LED Internal I...

Страница 29: ...ter to the power cable 3 Connect the power cable to a power outlet The FortiGate 60 unit starts up The Power and Status lights light Table 1 FortiGate 60 LED indicators LED State Description Power Gre...

Страница 30: ...nagement computer to obtain an IP address automatically using DHCP The FortiGate DHCP server assigns the management computer an IP address in the range 192 168 1 1 to 192 168 1 254 2 Using the etherne...

Страница 31: ...ectly to the communications port on the computer to which you have connected the null modem cable and select OK 5 Select the following port settings and select OK 6 Press Enter to connect to the Forti...

Страница 32: ...ction web content filtering and email filtering to the network traffic controlled by firewall policies Factory Default DHCP configuration Factory default NAT Route mode network configuration Factory d...

Страница 33: ...rent mode network configuration If you switch the FortiGate unit to Transparent mode it has the default network configuration listed in Table 4 Table 3 Factory default NAT Route mode network configura...

Страница 34: ...or all services Action ACCEPT The policy action ACCEPT means that the policy allows connections NAT NAT is selected for the NAT Route mode default policy so that the policy applies network address tra...

Страница 35: ...of protection for different firewall policies For example while traffic between internal and external addresses might need strict protection traffic between trusted internal addresses might need moder...

Страница 36: ...t control HTTP traffic Table 7 Scan content profile Options HTTP FTP IMAP POP3 SMTP Antivirus Scan File Block Web URL Block Web Content Block Web Script Filter Web Exempt List Email Block List Email E...

Страница 37: ...select The FortiGate unit can be configured in either of two modes NAT Route mode the default or Transparent mode NAT Route mode In NAT Route mode the unit is visible to the network Like a router all...

Страница 38: ...private and public networks In this configuration you would create NAT mode policies to control traffic flowing between the internal private network and the external public network usually the Interne...

Страница 39: ...ddress The Setup Wizard also prompts you to choose either a manual static or a dynamic DHCP or PPPoE address for the WAN1 interface Using the wizard you can also add DNS server IP addresses and a defa...

Страница 40: ...00 1000 1000 1000 1000 1000 1000 User group 100 100 100 100 100 100 100 100 100 100 100 Group members 300 300 300 300 300 300 300 300 300 300 300 Virtual IPs 500 500 500 500 500 500 500 500 500 500 50...

Страница 41: ...FortiGate unit is operating you can proceed to configure it to connect to networks If you are going to operate the FortiGate unit in NAT Route mode go to NAT Route mode installation on page 43 If you...

Страница 42: ...42 Fortinet Inc Next steps Getting started...

Страница 43: ...anging its factory default configuration If the factory default settings in Table 11 are compatible with your requirements all you need to do is configure your internal network and then connect the Fo...

Страница 44: ...change the default configuration as required Preparing to configure NAT Route mode Use Table 12 to gather the information that you need to customize NAT Route mode settings Table 12 NAT Route mode se...

Страница 45: ...E User name Password If your ISP supplies you with an IP address using PPPoE record your PPPoE user name and password WAN2 interface DHCP If your Internet Service Provider ISP supplies you with an IP...

Страница 46: ...tion of your FortiGate unit and you can proceed to Connecting the FortiGate unit to your networks on page 48 Using the command line interface As an alternative to using the setup wizard you can config...

Страница 47: ...age 44 To set the manual IP address and netmask enter set system interface wan2 mode static ip IP address netmask Example set system interface wan2 mode static ip 34 3 21 35 255 255 255 0 To set the W...

Страница 48: ...rt for connecting to a DMZ network To connect the FortiGate unit 1 Connect the Internal interface connectors to PCs and other network devices in your internal network The Internal interface functions...

Страница 49: ...directly to your internal network to the IP address of the FortiGate internal interface For your DMZ network change the default gateway address of all computers and routers connected directly to your...

Страница 50: ...he web based manager 1 Log into the web based manager 2 Go to System Network Interface 3 For the wan2 interface select Modify 4 Change the IP address and Netmask as required 5 Select Apply Setting the...

Страница 51: ...nit uses HTTPS on port 8890 to check for updates The FortiGate WAN1 interface must have a path to the FortiResponse Distribution Network FDN using port 8890 To configure automatic virus and attack upd...

Страница 52: ...trol different traffic patterns Configuring Ping servers Destination based routing examples Policy routing examples Firewall policy example Figure 7 Example multiple Internet connection configuration...

Страница 53: ...ing examples This section describes the following destination based routing examples Primary and backup links to the Internet Load sharing Load sharing and primary and secondary connections Primary an...

Страница 54: ...ources However they may also connect to services such as email provided by their ISPs You can combine the routes described in the previous examples to provide users with a primary and backup connectio...

Страница 55: ...is route to the bottom of the list If there are only 3 routes type 3 Select OK Adding the routes using the CLI 1 Add the route for connections to the network of ISP2 set system route number 1 dst 100...

Страница 56: ...subnets to different external networks If the FortiGate unit provides internet access for multiple internal subnets you can use policy routing to control the route that traffic from each network takes...

Страница 57: ...terface If you add a similar policy to the internal to WAN2 policy list this policy will allow all traffic from the internal network to connect to the Internet through the WAN2 interface With both of...

Страница 58: ...ernet connection For example in the topology shown in Figure 7 on page 52 the organization might want its mail server to only be able to connect to the SMTP mail server of ISP1 To do this you add a si...

Страница 59: ...orks Completing the configuration Transparent mode configuration examples Preparing to configure Transparent mode Use Table 18 to gather the information that you need to customize Transparent mode set...

Страница 60: ...tps followed by the Transparent mode management IP address The default FortiGate Transparent mode management IP address is 10 10 10 1 Starting the setup wizard 1 Select Easy Setup Wizard the middle bu...

Страница 61: ...nsparent mode Enter get system status The CLI displays the status of the FortiGate unit The last line shows the current operation mode Operation mode Transparent Configuring the Transparent mode manag...

Страница 62: ...he Internet DMZ and WAN2 which can be connected to networks To connect the FortiGate unit running in Transparent mode 1 Connect the Internal interface connectors to PCs and other network devices in yo...

Страница 63: ...nfigure the FortiGate unit to automatically keep its date and time correct by synchronizing with a Network Time Protocol NTP server To set the FortiGate system date and time see Setting system date an...

Страница 64: ...irus and definitions updates Also the unit must have sufficient route information to reach the management computer The FortiResponse Distribution Network FDN a DNS server A route is required whenever...

Страница 65: ...it must connect to the upstream router leading to the external network To facilitate this connection you must enter a single default route that points to the upstream router as the next hop default ga...

Страница 66: ...Netmask IP 192 168 1 1 Mask 255 255 255 0 Select Apply 3 Go to System Network Routing Select New to add the default route to the external network Destination IP 0 0 0 0 Mask 0 0 0 0 Gateway 192 168 1...

Страница 67: ...navailable perhaps because the IP address of the FortiResponse server changes the FortiGate unit will still be able to receive antivirus and NIDS updates from the FDN using the default route Figure 10...

Страница 68: ...dd the static route to the FortiResponse server Destination IP 24 102 233 5 Mask 255 255 255 0 Gateway 192 168 1 2 Select OK Select New to add the default route to the external network Destination IP...

Страница 69: ...ext hop default gateway To reach the management computer you need to enter a single static route that leads directly to it This route will point to the internal router as the next hop No route is requ...

Страница 70: ...w to add the static route to the management computer Destination IP 172 16 1 11 Mask 255 255 255 0 Gateway 192 168 1 3 Select OK Select New to add the default route to the external network Destination...

Страница 71: ...definition updates Manual attack definition updates Backing up system settings Restoring system settings Restoring system settings to factory defaults Changing to Transparent mode Changing to NAT Rout...

Страница 72: ...re recent build of the same firmware version Revert to a previous firmware version Use the web based manager or CLI procedure to revert to a previous firmware version This procedure reverts your Forti...

Страница 73: ...must have a TFTP server that you can connect to from the FortiGate unit 1 Make sure that the TFTP server is running 2 Copy the new firmware image file to the root directory of the TFTP server 3 Log i...

Страница 74: ...een updated enter the following command to display the antivirus engine virus and attack definitions version contract expiry and last update attempt information get system objver Revert to a previous...

Страница 75: ...eb content lists email filtering lists and changes to replacement messages Before running this procedure you can Backup the FortiGate unit configuration using the command execute backup config Backup...

Страница 76: ...uild045 FORTINET out 192 168 1 168 The FortiGate unit uploads the firmware image file Once the file has been uploaded a message similar to the following is displayed Get image from tftp server OK This...

Страница 77: ...36 you may not be able to restore your previous configuration from the backup configuration file To install firmware from a system reboot 1 Connect to the CLI using the null modem cable and FortiGate...

Страница 78: ...mware image from TFTP server F Format boot device B Boot with backup firmware and set as default Q Quit menu and continue to boot with default firmware H Display this list of options Enter G F B Q or...

Страница 79: ...To restore web content and email filtering lists see the FortiGate Content Protection Guide If you are reverting to a previous firmware version for example reverting from FortiOS v2 50 to FortiOS v2 3...

Страница 80: ...Key To Download Boot Image FortiGate unit running v3 x BIOS Press any key to enter configuration menu 6 Immediately press any key to interrupt the system startup I If you successfully interrupt the st...

Страница 81: ...initions You can use the following procedure to update the antivirus definitions manually 1 Download the latest antivirus definitions update file from Fortinet and copy it to the computer that you use...

Страница 82: ...e 6 Go to System Status to confirm that the Attack Definitions Version information has been updated Displaying the FortiGate serial number 1 Go to System Status The serial number is displayed in the S...

Страница 83: ...ion or the antivirus or attack definitions 1 Go to System Status 2 Select Restore Factory Defaults 3 Select OK to confirm The FortiGate unit restarts with the configuration that it had when it was fir...

Страница 84: ...to System Status 2 Select Change to NAT Mode 3 Select NAT Route in the operation mode list 4 Select OK The FortiGate unit changes operation mode 5 To reconnect to the web based manager you must conne...

Страница 85: ...nually Viewing CPU and memory status Viewing sessions and network status Viewing virus and intrusions status Viewing CPU and memory status Current CPU and memory status indicates how close the FortiGa...

Страница 86: ...paring CPU and memory usage with session and network status you can see how much demand network traffic is placing on system resources Sessions displays the total number of sessions being processed by...

Страница 87: ...when the NIDS detects a network based attack 1 Go to System Status Monitor 2 Select Virus Intrusions Virus and intrusions status is displayed The display includes bar graphs of the number viruses and...

Страница 88: ...top 16 2 To page through the list of sessions select Page Up or Page Down 3 Select Refresh to update the session list 4 If you have logged in as an administrative user with read and write privileges...

Страница 89: ...ter the FortiGate unit on the Fortinet Support web page This chapter describes Updating antivirus and attack definitions Registering FortiGate units Updating registration information Registering a For...

Страница 90: ...te WAN1 interface using UDP port 9443 To configure push updates see Configuring push updates on page 93 The FDN is a world wide network of FortiResponse Distribution Servers FDSs When your FortiGate u...

Страница 91: ...unit and your network so that the FortiGate unit can connect to the Internet and to the FDN For example you may need to add routes to the FortiGate routing table or configure your network to allow the...

Страница 92: ...d attack definitions Update log messages are recorded on the FortiGate Event log 1 Go to Log Report Log Setting 2 Select Config Policy for the type of logs that the FortiGate unit is configured to rec...

Страница 93: ...dure the FortiGate unit must be able to connect to the FDN or to an override FortiResponse server 1 Go to System Update 2 Select Update Now to update the antivirus and attack definitions If the connec...

Страница 94: ...updates Enabling push updates is not recommended as the only method for obtaining updates The push notification may not be received by the FortiGate unit Also when the FortiGate unit receives a push n...

Страница 95: ...port forwarding virtual IP This virtual IP maps the IP address of the external interface of the FortiGate NAT device and a custom port to the IP address of the FortiGate unit on the internal network T...

Страница 96: ...e internal network To configure the FortiGate NAT device 1 Go to Firewall Virtual IP 2 Select New 3 Add a name for the virtual IP 4 Select the External interface that the FDN connects to For the examp...

Страница 97: ...ernal to internal firewall policy 2 Configure the policy with the following settings 3 Select OK Configure the FortiGate unit with an override push IP and port To configure the FortiGate unit on the i...

Страница 98: ...er name and password required for the proxy server to the autoupdate configuration The full syntax for enabling updates through a proxy server is set system autouopdate tunneling enable address proxy...

Страница 99: ...ditional FortiGate units Add or change FortiCare Support Contract numbers for each FortiGate unit View and change registration information Download virus and attack definitions updates Download firmwa...

Страница 100: ...rmation including First and last name Company name Email address Your Fortinet support login user name and password will be sent to this email address Address Contact phone number A security question...

Страница 101: ...unit product information 7 Select Finish If you have not entered a FortiCare Support Contract number SCN you can return to the previous page to enter the number If you do not have a FortiCare Support...

Страница 102: ...security question and answer contact Fortinet tech support 1 Go to System Update Support 2 Select Support Login 3 Enter your Fortinet support user name 4 Select Forgot your password 5 Enter your emai...

Страница 103: ...he Serial Number of the FortiGate unit 7 If you have purchased a FortiCare Support Contract for this FortiGate unit enter the support contract number 8 Select Finish The list of FortiGate products tha...

Страница 104: ...or security question 1 Go to System Update Support and select Support Login 2 Enter your Fortinet support user name and password 3 Select Login 4 Select My Profile 5 Select Edit Profile 6 Make the re...

Страница 105: ...it is still protected by hardware coverage you can return the FortiGate unit that is not functioning to your reseller or distributor The RMA is recorded and you will receive a replacement unit Fortine...

Страница 106: ...106 Fortinet Inc Registering a FortiGate unit after an RMA Virus and attack definitions updates and registration...

Страница 107: ...ures to configure interfaces Viewing the interface list Bringing up an interface Changing an interface static IP address Adding a secondary IP address to an interface Adding a ping server to an interf...

Страница 108: ...the interface that you want to bring up Changing an interface static IP address Use the following procedure to change the static IP address of any FortiGate interface You can also use this procedure...

Страница 109: ...he interface for which to configure management access 3 Select the management Access methods for the interface Configuring management access for an interface connected to the Internet allows remote ad...

Страница 110: ...static IP address 1 Go to System Network Interface 2 For the wan1 or wan2 interface select Modify 3 Set Addressing mode to Manual 4 Change the IP address and Netmask as required 5 Select OK to save y...

Страница 111: ...the FortiGate default gateway IP address When the FortiGate unit gets this information from the PPPoE server the new addresses and netmask are displayed in the wan1 or wan2 IP address and netmask fiel...

Страница 112: ...g to the internal or dmz interface However you can configure the management interface so that you can manage the FortiGate unit by connecting to any interface 5 Select Apply to save your changes Note...

Страница 113: ...anges Configuring routing This section describes how to configure FortiGate routing You can configure routing to add static routes from the FortiGate unit to local routers Using policy routing you can...

Страница 114: ...add one or two gateways to a route If you add one gateway the FortiGate unit routes the traffic to that gateway You can add a second gateway to route traffic to the second gateway if the first gatewa...

Страница 115: ...elects the interface according to rules If the Gateway 2 IP address is on the same subnet as a FortiGate interface the system sends the traffic to that interface If the Gateway 2 IP address is not on...

Страница 116: ...ystem Network Routing Table 2 Choose a route to move and select Move to to change its order in the routing table 3 Type a number in the Move to field to specify where in the routing table to move the...

Страница 117: ...nternal network If the FortiGate unit is operating in NAT Route mode you can configure it to be the DHCP server for your internal network 1 Go to System Network DHCP 2 Select Enable DHCP 3 Configure D...

Страница 118: ...onding MAC addresses and the expiry time and date for these addresses The FortiGate unit adds these addresses to the dynamic IP MAC list and if IP MAC binding is enabled the addresses in the dynamic I...

Страница 119: ...ure limits the maximum diameter of RIP network to 15 hops RIP uses a split horizon to prevent temporary routing loops caused by network topology changes The premise of a split horizon is that it is ne...

Страница 120: ...nly have to change these timers to troubleshoot problems with your RIP configuration Default Metric Change the default metric that is applied to routes with incompatible metrics The default metric ass...

Страница 121: ...ddown The time interval in seconds during which routing information regarding better paths is suppressed Holddown should be at least three times the value of Update A route enters into a holddown stat...

Страница 122: ...lect Modify for the interface for which to configure RIP settings 3 Configure the following RIP settings RIP1 Send This interface can send RIP1 routing broadcasts to routers on its network The routing...

Страница 123: ...nterface All routes sent from this interface will have this metric added to their current metric value You can change interface metrics to give higher priorities to some interfaces For example if you...

Страница 124: ...n filter multiple routes After creating RIP filters and filter lists you can configure the neighbors filter or routes filter by selecting a filter or filter list for each of these filter types If you...

Страница 125: ...ame for the RIP filter Each RIP filter and RIP filter list must have unique name The name can be 15 characters long and can contain upper and lower case letters numbers and special characters The name...

Страница 126: ...er 4 Select Apply Routes received from neighbors are filtered using the selected RIP filter or RIP filter list Adding a routes filter You can select a single RIP filter or a RIP filter list to be the...

Страница 127: ...information on NTP and to find the IP address of an NTP server that you can use see http www ntp org To set the date and time 1 Go to System Config Time 2 Select Refresh to display the current FortiG...

Страница 128: ...web based manager options On the System Config Options page you can Set the system idle timeout Set the authentication timeout Select the language for the web base manager Modify the dead gateway dete...

Страница 129: ...Chinese Japanese Korean or Traditional Chinese To modify the Dead Gateway Detection settings Modify dead gateway detection to control how the FortiGate unit confirms connectivity with a ping server ad...

Страница 130: ...on from which the administrator can log into the web based manager If you want the administrator to be able to access the FortiGate unit from any address set the trusted host to 0 0 0 0 and the netmas...

Страница 131: ...n 6 characters long the system displays a warning message but still accepts the password 5 Select OK 6 To edit the settings of an administrator account select Edit 7 Optionally type a Trusted Host IP...

Страница 132: ...ically set to the FortiGate host name To change the System Name see Changing the FortiGate host name on page 72 System Location Describe the physical location of the FortiGate unit The system location...

Страница 133: ...community string functions like a password that is sent with SNMP traps The default trap community string is public Change the trap community string to the one accepted by your trap receivers The trap...

Страница 134: ...that includes detailed FortiGate system configuration information Add this MIB to your SNMP manager to monitor all FortiGate configuration settings RFC1213 mib The RFC 1213 MIB is the standard MIB II...

Страница 135: ...and add and edit the replacement message sections as required 1 Go to System Config Replacement Messages 2 For the replacement message you want to customize select Modify 3 In the Message setup dialog...

Страница 136: ...ection End BLOCKED Quarantine Used when quarantine is enabled permitted for all scan services and block services for email only Section Start QUARANTINE Allowed Tag QUARFILE NAME The name of the file...

Страница 137: ...IP address of the email server that sent the email containing the blocked file For HTTP this is the IP address of web page that sent the blocked file DEST_IP The IP address of the computer that would...

Страница 138: ...138 Fortinet Inc Customizing replacement messages System configuration...

Страница 139: ...ewall can process connections differently depending on the time of day or the day of the week month or year Each policy can be individually configured to route connections or to apply network address...

Страница 140: ...erfaces and between the networks connected to these interfaces By default you can add policies for connections that include the internal WAN1 and DMZ interfaces If you want to add policies that includ...

Страница 141: ...ned services For more information about services see Services on page 151 Schedules Policies can also control connections based on the time of day or day of the week when the firewall receives the con...

Страница 142: ...ew to add a new policy You can also select Insert Policy before on a policy in the list to add the new policy above a specific policy 4 Configure the policy See Firewall policy options on page 143 for...

Страница 143: ...e policy is available to be matched with connections See Schedules on page 155 Service Select a service that matches the service port number of the packet You can select from a wide range of predefine...

Страница 144: ...dynamic IP pool address range to the destination interface of the policy If you do not select Dynamic IP Pool a policy with Fixed Port selected can only allow one connection at a time for this port o...

Страница 145: ...ed to enter a firewall username and password If you want users to authenticate to use other services for example POP3 or IMAP you can create a service group that includes the services for which you wa...

Страница 146: ...ffic Select Log Traffic to write messages to the traffic log whenever the policy processes a connection For more information about logging see Logging and reporting on page 247 Comments Optionally add...

Страница 147: ...t was received The first policy that matches is applied to the connection attempt If no policy matches the connection is dropped The default policy accepts all connection attempts from the internal ne...

Страница 148: ...to disable Enabling a policy Enable a policy that has been disabled so that the firewall can match connections with the policy 1 Go to Firewall Policy 2 Select the policy list containing the policy t...

Страница 149: ...e computer for example 192 45 46 45 The IP address of a subnetwork for example 192 168 1 0 for a class C subnet 0 0 0 0 to represent all possible IP addresses 5 Enter the NetMask The netmask should co...

Страница 150: ...make it easier to add policies For example if you add three addresses and then add them to an address group you only have to add one policy using the address group rather than a separate policy for e...

Страница 151: ...s Providing access to custom services Grouping services Predefined services The FortiGate predefined firewall services are listed in Table 5 You can add these services to any policy Table 5 FortiGate...

Страница 152: ...s a hierarchically structured list of files tcp 70 H323 H 323 multimedia protocol H 323 is a standard approved by the International Telecommunication Union ITU that defines how audiovisual conferencin...

Страница 153: ...ugh private tunnels over the public Internet tcp 1723 QUAKE For connections used by the popular Quake multi player computer game udp 26000 27000 27910 27960 RAUDIO For streaming real audio multimedia...

Страница 154: ...an now add this custom service to a policy Grouping services To make it easier to add policies you can create groups of services and then add one policy to provide or block access for all the services...

Страница 155: ...me schedules to create policies that are effective once for the period of time specified in the schedule Recurring schedules repeat weekly You can use recurring schedules to create policies that are e...

Страница 156: ...net use outside of working hours by creating a recurring schedule If you create a recurring schedule with a stop time that occurs before the start time the schedule will start at the start time and fi...

Страница 157: ...tab corresponding to the type of policy to add 3 Select New to add a policy or select Edit to edit a policy to change its schedule 4 Configure the policy as required 5 Add a schedule by selecting it...

Страница 158: ...2 Select New to add a virtual IP 3 Enter a Name for the virtual IP The name can contain numbers 0 9 uppercase and lowercase letters A Z a z and the special characters and _ Other special characters a...

Страница 159: ...r DHCP you can enter 0 0 0 0 for the External IP Address The FortiGate unit substitutes the IP address set for this external interface using PPPoE or DHCP Figure 12 Adding a static NAT virtual IP 7 In...

Страница 160: ...the External Interface selected in step 4 7 Enter the External Service Port number for which to configure port forwarding The external service port number must match the destination port of the packet...

Страница 161: ...ce must match the interface connected to the network with the Map to IP address 3 Use the following information to configure the policy Source Select the source address from which users can access the...

Страница 162: ...addresses on the same network as the interface for which you are adding the IP pool You can add multiple IP pools to any interface but only the first IP pool is used by the Firewall This section descr...

Страница 163: ...nections that the firewall can support is limited by the number of IP addresses in the IP pool IP pools and dynamic NAT You can use IP pools for dynamic NAT For example your organization may have purc...

Страница 164: ...g IP MAC binding for packets going through the firewall Configuring IP MAC binding for packets going to the firewall Adding IP MAC addresses Viewing the dynamic IP MAC list Enabling IP MAC binding Con...

Страница 165: ...hen an administrator is connecting to the FortiGate unit for management 1 Go to Firewall IP MAC Binding Setting 2 Select Enable IP MAC binding going to the firewall 3 Go to Firewall IP MAC Binding Sta...

Страница 166: ...e to enable IP MAC binding for the IP MAC pair 6 Select OK to save the IP MAC binding pair Viewing the dynamic IP MAC list 1 Go to Firewall IP MAC Binding Dynamic IP MAC Enabling IP MAC binding 1 Go t...

Страница 167: ...sing fragmented email for POP3 SMTP and IMAP policies Using content profiles you can build up protection configurations that can be easily applied to different types of Firewall policies This allows y...

Страница 168: ...ion to content traffic You can add this content profile to firewall policies for connections between highly trusted or highly secure networks where content does not need to be protected Anti Virus Sca...

Страница 169: ...list that contains policies to which to add a content profile For example to enable network protection for files downloaded by internal network users from the web select an internal to external policy...

Страница 170: ...t New to add a new policy or choose a policy and select Edit 4 Select Anti Virus Web filter 5 Select a content profile 6 Configure the remaining policy settings if required 7 Select OK 8 Repeat this p...

Страница 171: ...IPSec dialup user phase 1 configurations XAuth functionality for Phase 1 IPSec VPN configurations PPTP L2TP When a user enters a user name and password the FortiGate unit searches the internal user d...

Страница 172: ...3 Enter the user name The user name can contain numbers 0 9 uppercase and lowercase letters A Z a z and the special characters and _ Other special characters and spaces are not allowed 4 Select one o...

Страница 173: ...o try to connect to other RADIUS servers added to the FortiGate RADIUS configuration 6 Select OK Figure 17 Adding a user name Deleting user names from the internal database You cannot delete user name...

Страница 174: ...to User RADIUS 2 Select New to add a new RADIUS server 3 Enter the name of the RADIUS server You can enter any name The name can contain numbers 0 9 uppercase and lowercase letters A Z a z and the sp...

Страница 175: ...tion of password expiration that is available from some LDAP servers FortiGate LDAP support does not supply information to the user about why authentication failed LDAP user authentication is supporte...

Страница 176: ...llowing base distinguished name ou marketing dc fortinet dc com where ou is organization unit and dc is domain component You can also specify multiple instances of the same field in the distinguished...

Страница 177: ...he selected user group can use PPTP The FortiGate L2TP configuration Only users in the selected user group can use L2TP When you add user names RADIUS servers and LDAP servers to a user group the orde...

Страница 178: ...elect the right arrow to add the RADIUS server to the Members list 6 To add an LDAP server to the user group select an LDAP server from the Available Users list and select the right arrow to add the L...

Страница 179: ...blic network Instead of being sent in its original format the data frames are encapsulated within an additional header and then routed between tunnel endpoints Upon arrival at the destination endpoint...

Страница 180: ...r The peers do not actually send the key to each other Instead as part of the security negotiation process they use it in combination with a Diffie Hellman group to create a session key The session ke...

Страница 181: ...s for a manual key VPN Adding a manual key VPN tunnel General configuration steps for a manual key VPN A manual key VPN configuration consists of a manual key VPN tunnel the source and destination add...

Страница 182: ...Key Each two character combination entered in hexadecimal format represents one byte Use the same authentication key at both ends of the tunnel 11 Select a concentrator if you want the tunnel to be pa...

Страница 183: ...the tunnel See Configuring encrypt policies on page 194 Adding a phase 1 configuration for an AutoIKE VPN When you add a phase 1 configuration you define the terms by which the FortiGate unit and a re...

Страница 184: ...ellman groups to propose for phase 1 As a general rule the VPN peers should use the same DH Group settings 8 Enter the Keylife The keylife is the amount of time in seconds before the phase 1 encryptio...

Страница 185: ...ific VPN peer or a group of VPN peers with a shared user name ID and password pre shared key Also add the peer ID Also add the peer ID Accept peer ID in dialup group Select to authenticate each remote...

Страница 186: ...e DPD between the local and remote peers Short Idle Set the time in seconds that a link must remain unused before the local VPN peer considers it to be idle After this period of time expires whenever...

Страница 187: ...between the local VPN peer the FortiGate unit and the remote VPN peer the VPN gateway or client To add a phase 2 configuration 1 Go to VPN IPSEC Phase 2 2 Select New to add a new phase 2 configuration...

Страница 188: ...life expires 8 Select the DH Group s The VPN peers must use the same DH Group settings 9 Enter the Keylife The keylife causes the phase 2 key to expire after a specified amount of time after a specifi...

Страница 189: ...ter to the certificate authority and from the certificate authority to your local computer Obtaining a signed local certificate Obtaining a CA certificate Obtaining a signed local certificate The sign...

Страница 190: ...ertified Domain Name For Domain name enter the fully qualified domain name of the FortiGate unit being certified Do not include the protocol specification http or any port number or path names E Mail...

Страница 191: ...VPN Local Certificates 2 Select Download to download the local certificate to the management computer 3 Select Save 4 Name the file and save it in a directory on the management computer Requesting th...

Страница 192: ...you connect to the CA web server and download the signed local certificate to the management computer Do this after receiving notification from the CA that it has signed the certificate request To ret...

Страница 193: ...emote VPN peer The remote VPN peer obtains the CA certificate in order to validate the digital certificate that it receives from the FortiGate unit Retrieving a CA certificate Connect to the CA web se...

Страница 194: ...can configure the encrypt policy for services such as DNS FTP and POP3 and to allow connections according to a predefined schedule by the time of the day or the day of the week month or year You can...

Страница 195: ...ew to add an address 4 Enter the Address Name IP Address and NetMask for a single computer or for an entire subnetwork on an internal interface of the remote VPN peer 5 Select OK to save the source ad...

Страница 196: ...cal hosts to see the IP addresses of remote hosts hosts located on the network behind the remote VPN gateway Outbound NAT The FortiGate unit translates the source address of outgoing packets to the IP...

Страница 197: ...peer is a FortiGate unit functioning as the hub or concentrator it requires a VPN configuration connecting it to each spoke AutoIKE phase 1 and 2 settings or manual key settings plus encrypt policies...

Страница 198: ...a client on the Internet or a network located behind a gateway See Adding a source address on page 195 3 Add the concentrator configuration This step groups the tunnels together on the FortiGate unit...

Страница 199: ...add a VPN concentrator 3 Enter the name of the new concentrator in the Concentrator Name field 4 To add tunnels to the VPN concentrator select a VPN tunnel from the Available Tunnels list and select...

Страница 200: ...addresses for each remote VPN spoke The destination address is the address of the spoke either a client on the Internet or a network located behind a gateway See Adding a destination address on page 1...

Страница 201: ...rs one can have multiple Internet connections while the other has only one Internet connection Of course with an asymmetrical configuration the level redundancy will vary from one end of the VPN to th...

Страница 202: ...ake sure that the remote VPN peer Remote Gateway has a static IP address See Adding a phase 1 configuration for an AutoIKE VPN on page 183 2 Add the phase 2 parameters VPN tunnel for up to three VPN c...

Страница 203: ...s the tunnel time out To view VPN tunnel status 1 Go to VPN IPSEC AutoIKE Key The Status column displays the status of each tunnel If Status is Up the tunnel is active If Status is Down the tunnel is...

Страница 204: ...al peer Figure 28 Dialup Monitor Testing a VPN To confirm that a VPN between two networks has been configured correctly use the ping command from one internal network to connect to a computer on the o...

Страница 205: ...configuration changes to the client computer and the FortiGate unit This chapter provides an overview of how to configure FortiGate PPTP and L2TP VPN For a complete description of FortiGate PPTP and L...

Страница 206: ...to User Local 2 Add and configure PPTP users See Adding user names and configuring authentication on page 172 3 Go to User User Group 4 Add and configure PPTP user groups See Configuring user groups...

Страница 207: ...address group 1 Go to Firewall Address Group 2 Add a new address group to the interface to which PPTP clients connect 3 Enter a Group Name to identify the address group The name can contain numbers 0...

Страница 208: ...4 Set Destination to the address to which PPTP users can connect 5 Set Service to match the traffic type inside the PPTP VPN tunnel For example if PPTP users can access a web server select HTTP 6 Set...

Страница 209: ...PPTP VPN 1 Start the dialup connection that you configured in the previous procedure 2 Enter your PPTP VPN User Name and Password 3 Select Connect Configuring a Windows 2000 client for PPTP Use the f...

Страница 210: ...r workplace and select Next 4 Select Virtual Private Network Connection and select Next 5 Name the connection and select Next 6 If the Public Network dialog box appears choose the appropriate initial...

Страница 211: ...evious procedure 3 Enter your PPTP VPN User Name and Password 4 Select Connect 5 In the connect window enter the User Name and Password that you use to connect to your dialup network connection This u...

Страница 212: ...to User Local 2 Add and configure L2TP users See Adding user names and configuring authentication on page 172 3 Go to User User Group 4 Add and configure L2TP user groups See Configuring user groups...

Страница 213: ...an address group 1 Go to Firewall Address Group 2 Add a new address group to the interface to which L2TP clients connect 3 Enter a Group Name to identify the address group The name can contain number...

Страница 214: ...wall policy Add a policy which specifies the source and destination addresses and sets the service for the policy to the traffic type inside the L2TP VPN tunnel 1 Go to Firewall Policy 2 Select New to...

Страница 215: ...ption is selected 10 Select the Networking tab 11 Set VPN server type to Layer 2 Tunneling Protocol L2TP 12 Save your changes and continue with the following procedure Disabling IPSec 1 Select the Net...

Страница 216: ...e User Name and Password that you use to connect to your dialup network connection This user name and password is not the same as your VPN user name and password Configuring a Windows XP client for L2...

Страница 217: ...EY_LOCAL_MACHINE System CurrentControlSet Services Rasman Parameters 8 Add the following registry value to this key Value Name ProhibitIpSec Data Type REG_DWORD Value 1 9 Save your changes and restart...

Страница 218: ...N connection that you configured in the previous procedure 3 Enter your L2TP VPN User Name and Password 4 Select Connect 5 In the connect window enter the User Name and Password that you use to connec...

Страница 219: ...cks Logging attacks Detecting attacks The NIDS Detection module detects a wide variety of suspicious network traffic and network based attacks Use the following procedures to configure the general NID...

Страница 220: ...e that they have not been changed in transit The NIDS can run checksum verification on IP TCP UDP and ICMP traffic For maximum detection you can turn on checksum verification for all types of traffic...

Страница 221: ...nature list 1 Go to NIDS Detection Signature List 2 Select View Details to display the members of a signature group Select a signature and copy its attack ID 3 Open a web browser and enter this URL ht...

Страница 222: ...cate specific attack signatures by ID number and name 3 Uncheck the Enable check box 4 Select OK 5 Repeat steps 2 to 4 for each NIDS attack signature group that you want to disable Select Check All to...

Страница 223: ...he text file as well as a name for the text file Preventing attacks NIDS attack prevention protects the FortiGate unit and the networks connected to it from common TCP ICMP UDP and IP attacks You can...

Страница 224: ...attack prevention signature list 4 Select Uncheck All to disable all signatures in the NIDS attack prevention signature list 5 Select Reset to Default Values to enable only the default NIDS attack pr...

Страница 225: ...lue units Default threshold value Minimum threshold value Maximum threshold value synflood Maximum number of SYN segments received per second 200 30 3000 portscan Maximum number of SYN segments receiv...

Страница 226: ...attack log Use the following procedure to log attack messages to the attack log 1 Go to Log Report Log Setting 2 Select Config Policy for the log locations you have set 3 Select Attack Log 4 Select At...

Страница 227: ...e is compared with the previous messages If the new message is not a duplicate the FortiGate unit sends it immediately and puts a copy in the queue If the new message is a duplicate the FortiGate unit...

Страница 228: ...228 Fortinet Inc Logging attacks Network Intrusion Detection System NIDS...

Страница 229: ...ti Virus Web filter option in firewall policies that allow web HTTP FTP and email IMAP POP3 and SMTP connections through the FortiGate unit Select a content profile that provides the antivirus protect...

Страница 230: ...g and Microsoft Office files containing macros are scanned for macro viruses FortiGate virus scanning does not scan the following file types cdimage floppy image ace bzip2 Tar Gzip Bzip2 If a file is...

Страница 231: ...tgz and zip dynamic link libraries dll HTML application hta Microsoft Office files doc ppt xl Microsoft Works files wps Visual Basic files vb screen saver files scr Blocking files in firewall traffic...

Страница 232: ...sage that is forwarded to the receiver It is recommend that you disable the fragmenting of email messages in the client email software To exempt fragmented emails from automatic antivirus blocking you...

Страница 233: ...configuration steps Content blocking URL blocking Using the Cerberian web filter Script filtering Exempt URL list General configuration steps Configuring web filtering involves the following general s...

Страница 234: ...set that you choose 4 Type a banned word or phrase If you type a single word for example banned the FortiGate unit blocks all web pages that contain that word If you type a phrase for example banned p...

Страница 235: ...eb filter You can configure the FortiGate unit to block all pages on a website by adding the top level URL or IP address You can also block individual pages on a website by including the full path and...

Страница 236: ...You can enter multiple URLs and patterns and then select Check All to enable all items in the URL block list Each page of the URL block list displays 100 URLs 6 Use Page Up and Page Down to navigate t...

Страница 237: ...ists available at http www squidguard org blacklist as a starting point for creating your own URL block list Three times per week the squidGuard robot searches the web for new URLs to add to the black...

Страница 238: ...key on the FortiGate unit Before you can use the Cerberian web filter you must install a license key The license key determines the number of end users allowed to use Cerberian web filtering through t...

Страница 239: ...rs who are not assigned alias names on the FortiGate unit All the users who are not assigned to any other user groups The Cerberian web filter groups the web pages into 53 categories The default polic...

Страница 240: ...ActiveX scripts from the HTML web pages Enabling the script filter Selecting script filter options Enabling the script filter 1 Go to Firewall Content Profile 2 Select the content profile for which y...

Страница 241: ...exempts access to the main page of this example website You can also add IP addresses for example 122 63 44 67 index html exempts access to the main web page at this address Do not include http in th...

Страница 242: ...242 Fortinet Inc Exempt URL list Web filtering...

Страница 243: ...guration steps Configuring email filtering involves the following general steps 1 Select email filter options in a new or existing content profile See Adding a content profile on page 168 2 Select the...

Страница 244: ...phrase for example banned phrase the FortiGate unit tags email that contains both words When this phrase appears on the banned word list the FortiGate unit inserts plus signs in place of spaces for e...

Страница 245: ...ubdomain name For example mail abccompany com To tag email from an entire organization category type the top level domain name For example type com to tag email sent from all organizations that use co...

Страница 246: ...other special characters are not allowed 4 Select Enable to exempt the address pattern 5 Select OK to add the address pattern to the email exempt list You can enter multiple patterns and then select...

Страница 247: ...a WebTrends firewall reporting server the console You can also configure logging to record event attack antivirus web filter and email filter logs to the FortiGate system memory if your FortiGate unit...

Страница 248: ...251 7 Select Apply Recording logs on a NetIQ WebTrends server Use the following procedure to configure the FortiGate unit to record logs on a remote NetIQ WebTrends firewall reporting server for stor...

Страница 249: ...ypes of logs and events to record use the procedures in Filtering log messages on page 249 5 Select Apply Filtering log messages You can configure which logs to record and which message categories to...

Страница 250: ...rus Log Web Filtering Log Attack Log Email Filter Log or Update in step 3 5 Select OK Figure 43 Example log filter configuration Email Filter Log Record activity events such as detection of email that...

Страница 251: ...c to be filtered This section describes Enabling traffic logging Configuring traffic filter settings Adding traffic filter entries Enabling traffic logging Enabling traffic logging for an interface If...

Страница 252: ...2 Select New 3 Configure the traffic filter for the type of traffic that you want to record on the traffic log Resolve IP Select Resolve IP if you want traffic log messages to list the IP address and...

Страница 253: ...Use the following procedure to view log messages saved in system memory 1 Go to Log Report Logging 2 Select Event Log Attack Log Antivirus Log Web Filter Log or Email Filter Log The web based manager...

Страница 254: ...s and other firewall or VPN events or violations After you set up the email addresses you can test the settings by sending test email Adding alert email addresses Testing alert email Enabling alert em...

Страница 255: ...ncidents intrusion attempts and critical firewall or VPN events or violations If you have configured logging to a local disk you can enable sending an alert email when the hard disk is almost full Use...

Страница 256: ...256 Fortinet Inc Configuring alert email Logging and reporting...

Страница 257: ...essages are formatted and transmitted and what actions Web servers and browsers should take in response to various commands HTTPS The SSL protocol for transmitting private documents over the Internet...

Страница 258: ...fied address and waiting for a reply POP3 Post Office Protocol A protocol used to transfer e mail from a mail server to a mail client across the Internet Most e mail clients use POP PPP Point to Point...

Страница 259: ...works TCP guarantees delivery of data and also guarantees that packets will be delivered in the same order in which they were sent UDP User Datagram Protocol A connectionless protocol that like TCP ru...

Страница 260: ...260 Fortinet Inc Glossary...

Страница 261: ...icy 144 allow outbound encrypt policy 144 allow traffic IP MAC binding 165 Anti Virus Web filter policy 145 antivirus definition updates manual 81 antivirus definitions updating 89 antivirus updates 9...

Страница 262: ...content profiles default 168 cookies blocking 240 critical firewall events alert email 255 critical VPN events alert email 255 custom service 154 customer service 25 D date and time setting example 1...

Страница 263: ...255 firewall policy accept 143 Comments 146 deny 143 guaranteed bandwidth 144 Log Traffic 146 maximum bandwidth 144 firewall setup wizard 18 46 60 starting 46 60 firmware changing 72 installing 77 re...

Страница 264: ...nfiguring Windows XP client 216 network configuration 212 L2TP gateway configuring 212 language web based manager 129 LDAP example configuration 176 LDAP server adding server address 175 deleting 176...

Страница 265: ...king 232 P password adding 172 changing administrator account 131 Fortinet support 104 recovering a lost Fortinet support 102 PAT 159 permission administrator account 131 policy accept 143 Anti Virus...

Страница 266: ...version 77 RIP configuring 119 filters 124 interface configuration 122 neighbors 123 settings 120 RMA registering a FortiGate unit 105 route adding default 114 adding to routing table 114 adding to ro...

Страница 267: ...28 synchronize with NTP server 127 system configuration 127 system date and time setting 127 system location SNMP 132 system name SNMP 132 system settings backing up 82 restoring 83 restoring to facto...

Страница 268: ...tatic NAT 158 virus definition updates downloading 104 105 virus definitions updating 89 93 virus incidents enabling alert email 255 virus list displaying 232 viewing 232 virus log 249 virus protectio...

Страница 269: ...Index FortiGate 60R Installation and Configuration Guide 269 wizard firewall setup 46 60 starting 46 60 worm list displaying 232 worm protection 232...

Страница 270: ...270 Fortinet Inc Index...

Результаты поиска

Содержание FortiGate 60R

Отзывы:

Похожие инструкции для FortiGate 60R

Бренды по названию

Популярные бренды

Fortinet FortiGate 60R, Руководство по установке и настройке

Результаты поиска

Содержание FortiGate 60R

Отзывы:

Похожие инструкции для FortiGate 60R

Бренды по названию

Популярные бренды