Fortinet FortiGate-620B Скачать руководство пользователя страница 25 | Manualshive

Страница: 25 / 62

background image

Configuring

Configuring NAT mode

FortiGate-620B FortiOS 3.0 MR6 Install Guide
01-30006-83054-20081015

25

In the factory default configuration, entry number 1 in the Static Route list is
associated with a destination address of 0.0.0.0/0.0.0.0, which means any/all
destinations. This route is called the "static default route". If no other routes are
present in the routing table and a packet needs to be forwarded beyond the
FortiGate unit, the factory configured static default route causes the FortiGate unit
to forward the packet to the default gateway.

For an initial configuration, you must edit the factory configured static default route
to specify a different default gateway for the FortiGate unit. This will enable the
flow of data through the FortiGate unit.

For details on adding additional static routes, see the

FortiGate Administration

Guide

.

To modify the default gateway

config router static

edit <seq_num>

set gateway <gateway_IP>
set device <interface>

end

Adding firewall policies

Firewall policies enable traffic to flow through the FortiGate interfaces. Firewall
policies to define the FortiGate unit process the packets in a communication
session. You can configure the firewall policies to allow only specific traffic, users
and specific times when traffic is allowed.

For the initial installation, a single firewall policy that enables all traffic through will
enable you to verify your configuration is working. On lower-end units such a
default firewall policy is already in place. For the higher end FortiGate units, you
will need to add a firewall policy.

The following steps add two policies that allows all traffic through the FortiGate
unit, to enable you to continue testing the configuration on the network.

To add an outgoing traffic firewall policy

config firewall profile

edit <seq_num>

set srcintf <source_interface>
set srcaddr <source_IP>
set dstintf <destination_interface>
set dstaddr <destination_IP>
set schedule always
set service ANY
set action accept

end

To create an incoming traffic firewall policy, use the same commands with the
addresses reversed.

Note that these policies allow all traffic through. No protection profiles have been
applied. Ensure you create additional firewall policies to accommodate your
network requirements.

«
...
23
24
25
26
27
...
»

Содержание FortiGate-620B

Страница 1: ...www fortinet com FortiGate 620B FortiOS 3 0 MR6 I N S T A L L G U I D E ...

Страница 2: ...Prevention System DTPS APSecure FortiASIC FortiBIOS FortiBridge FortiClient FortiGate FortiGate Unified Threat Management System FortiGuard Antispam FortiGuard Antivirus FortiGuard Intrusion FortiGuard Web FortiLog FortiAnalyzer FortiManager FortiOS FortiPartner FortiProtect FortiReporter FortiResponse FortiShield and FortiVoIP are trademarks of Fortinet Inc in the United States and or other count...

Страница 3: ... support 11 Installing 13 Environmental specifications 13 Cautions and warnings 14 Grounding 14 Rack mount instructions 14 Mounting 15 Plugging in the FortiGate 16 Connecting to the network 16 Turning off the FortiGate unit 16 Configuring 17 NAT vs Transparent mode 17 NAT mode 17 Transparent mode 18 Connecting to the FortiGate unit 18 Connecting to the web based manager 18 Connecting to the CLI 19...

Страница 4: ... 29 Backing up the configuration 29 Restoring a configuration 30 Additional configuration 30 Set the time and date 30 Set the Administrator password 30 Configure FortiGuard 31 Updating antivirus and IPS signatures 31 Advanced configuration 33 Protection profiles 33 Firewall policies 34 Configuring firewall policies 35 Antivirus options 35 AntiSpam options 36 Web filtering 37 Logging 38 AMC modules...

Страница 5: ...6 Upgrading the firmware 46 Reverting to a previous version 46 Backup and Restore from a USB key 47 Using the USB Auto Install 47 Using the CLI 48 Reverting to a previous version 49 Installing firmware from a system reboot using the CLI 50 Restoring the previous configuration 52 Backup and Restore from a USB key 52 Using the USB Auto Install 53 Additional CLI Commands for a USB key 53 Testing new ...

Страница 6: ...FortiGate 620B FortiOS 3 0 MR6 Install Guide 6 01 30006 83054 20081015 Contents ...

Страница 7: ...at Management System uses Fortinet s Dynamic Threat Prevention System DTPS technology which leverages breakthroughs in chip design networking security and content analysis The unique ASIC based architecture analyzes content and behavior in real time enabling key applications to be deployed right at the network edge where they are most effective at protecting your networks Register your FortiGate u...

Страница 8: ...N security segmentation LACP configuration You can aggregate combine two or more physical interfaces to increase bandwidth and provide some link redundancy The FortiGate 620B has two NP2 acceleration processors 16 ports for each When creating hardware acceleration of LACP on the FortiGate 620B the members of the LACP must be within the same NP2 set For example you must select ports 1 to 8 or ports...

Страница 9: ...ocumentation are available from the Fortinet Technical Documentation web site at http docs forticare com The following FortiGate product documentation is available FortiGate QuickStart Guide Provides basic information about connecting and installing a FortiGate unit Note Highlights useful additional information Caution Warns you about commands or procedures that could have unexpected or undesirabl...

Страница 10: ...feature and the clustering protocol FortiGate IPS User Guide Describes how to configure the FortiGate Intrusion Prevention System settings and how the FortiGate IPS deals with some common attacks FortiGate IPSec VPN User Guide Provides step by step instructions for configuring IPSec VPNs using the web based manager FortiGate SSL VPN User Guide Compares FortiGate IPSec VPN and FortiGate SSL VPN tec...

Страница 11: ...is document or any Fortinet technical documentation to techdoc fortinet com Customer service and technical support Fortinet Technical Support provides services designed to make sure that your Fortinet systems install quickly configure easily and operate reliably in your network Please visit the Fortinet Technical Support web site at http support fortinet com to learn about the technical support se...

Страница 12: ...FortiGate 620B FortiOS 3 0 MR6 Install Guide 12 01 30006 83054 20081015 Customer service and technical support Introduction ...

Страница 13: ...sure that the appliance has at least 1 5 in 3 75 cm of clearance on each side to allow for adequate air flow and cooling This device complies with part FCC Class A Part 15 UL CUL C Tick CE and VCCI Operation is subject to the following two conditions This device may not cause harmful interference and This device must accept any interference received including interference that may cause undesired ...

Страница 14: ...nvironment may be greater than room ambient Therefore consideration should be given to installing the equipment in an environment compatible with the maximum ambient temperature Tma specified by the manufacturer Reduced Air Flow Installation of the equipment in a rack should be such that the amount of air flow required for safe operation of the equipment is not compromised Mechanical Loading Mount...

Страница 15: ...rtion of the FortiGate unit Ensure that the screws are tight and not loose The following photos illustrate how the brackets should be mounted Note that the screw configuration may vary depending on your FortiGate unit Figure 2 Installed mounting brackets 2 Position the FortiGate unit in the rack to allow for sufficient air flow 3 Line up the mounting bracket holes to the holes on the rack ensuring...

Страница 16: ... position indicated by the I Connecting to the network Using the supplied Ethernet cable connect one end of the cable to your router or modem whatever the connection is to the Internet Connect the other end to the FortiGate unit Connect to either the External WAN port or port 1 Connect additional cable to the Internal port or port 2 and your internal hub or switch Turning off the FortiGate unit Al...

Страница 17: ... mode and Transparent mode Both include the same robust network security features such as antispam antivirus VPN and firewall policies NAT mode In NAT Route mode the FortiGate unit is visible to the network Like a router all its interfaces are on different subnets In NAT mode each port is on a different subnet enabling you to have a single IP address available to the public Internet The FortiGate ...

Страница 18: ...s using the web based manger a GUI interface using a current web browser such as FireFox or Internet Explorer using the command line interface CLI a command line interface similar to DOS or UNIX commands using an SSH terminal or Telnet terminal Connecting to the web based manager To connect to the web based manager you require a computer with an Ethernet connection Microsoft Internet Explorer vers...

Страница 19: ...the FortiGate unit redirects the connection This is an informational message Select OK to continue logging in 4 Type admin in the Name field and select Login Connecting to the CLI To connect to the FortiGate CLI you require a computer with an available communications port a serial cable either a RJ 45 to DB 9 or null modem cable whichever was included in your FortiGate package terminal emulation s...

Страница 20: ...t gateway retrieved from the DHCP server The administrative distance specifies the relative priority of a route when there are multiple routes to the same destination A lower administrative distance indicates a more preferred route Retrieve default gateway from server Enable to retrieve a default gateway IP address from the DHCP server The default gateway is added to the static routing table Overr...

Страница 21: ... route is called the static default route If no other routes are present in the routing table and a packet needs to be forwarded beyond the FortiGate unit the factory configured static default route causes the FortiGate unit to forward the packet to the default gateway Initial PADT Timeout Initial PPPoE Active Discovery Terminate PADT timeout in seconds Use this timeout to shut down the PPPoE sess...

Страница 22: ...ortiGate interfaces Firewall policies define how the FortiGate unit processes the packets in a communication session You can configure the firewall policies to allow only specific traffic users and specific times when traffic is allowed For the initial installation a single firewall policy that enables all traffic through will enable you to verify your configuration is working On lower end units s...

Страница 23: ... Connecting to the CLI on page 19 before beginning Configure the interfaces When shipped the FortiGate unit has a default address of 192 168 1 99 and a netmask of 255 255 255 0 for either the Port 1 or Internal interface You need to configure this and other ports for use on your network To set an interface to use a static address config system interface edit interface_name set mode static set ip a...

Страница 24: ...server IP addresses are typically provided by your internet service provider To configure DNS server settings config system dns set autosvr enable disable set primary address_ip set secondary address_ip end Note if you set the autosvr to enable you do not have to configure the primary or secondary DNS server IP addresses Adding a default route and gateway A route provides the FortiGate unit with t...

Страница 25: ...flow through the FortiGate interfaces Firewall policies to define the FortiGate unit process the packets in a communication session You can configure the firewall policies to allow only specific traffic users and specific times when traffic is allowed For the initial installation a single firewall policy that enables all traffic through will enable you to verify your configuration is working On lo...

Страница 26: ...k address and the Default Gateway address The default gateway IP address is required to tell the FortiGate unit where to send network traffic to other networks 5 Select Apply Configure a DNS server A DNS server is a service that converts symbolic node names to IP addresses A domain name server DNS server implements the protocol In simple terms it acts as a phone book for the Internet A DNS server ...

Страница 27: ...rewall policy configuration is the same in NAT Route mode and Transparent mode Note that these policies allow all traffic through No protection profiles have been applied Ensure you create additional firewall policies to accommodate your network requirements Using the CLI After connecting to the CLI you can use the following procedures to complete the basic configuration of the FortiGate unit Ensu...

Страница 28: ... DNS server IP addresses Adding firewall policies Firewall policies enable traffic to flow through the FortiGate interfaces Firewall policies define the FortiGate unit process the packets in a communication session You can configure the firewall policies to allow only specific traffic users and specific times when traffic is allowed For the initial installation a single firewall policy that enable...

Страница 29: ...red and working correctly it is extremely important that you back up your configuration By backing up the configuration you ensure that if you need to reset the FortiGate unit for whatever reason you will be able to quickly return it to operation with minimal effort To back up the FortiGate configuration 1 Go to System Maintenance Backup Restore 2 Select to back up to your PC or to a USB key The U...

Страница 30: ...le not mandatory they will help in ensuring better control with the firewall Set the time and date For effective scheduling and logging the FortiGate system date and time must be accurate You can either manually set the system date and time or configure the FortiGate unit to automatically keep its time correct by synchronizing with a Network Time Protocol NTP server To set the date and time 1 Go t...

Страница 31: ...ered your FortiGate unit you can update antivirus and IPS signatures The FortiGuard Center enables you to receive push updates allow push update to a specific IP address and schedule updates for daily weekly or hourly intervals To update antivirus definitions and IPS signatures 1 Go to System Maintenance FortiGuard 2 Select the blue arrow for AntiVirus and IPS Options to expand the options 3 Selec...

Страница 32: ...FortiGate 620B FortiOS 3 0 MR6 Install Guide 32 01 30006 83054 20081015 Additional configuration Configuring ...

Страница 33: ...g spam filtering content archiving instant messaging filtering and access control P2P access and bandwidth control logging options for policies and configurations within the policies rate limiting for VoIP protocols Using protection profiles you can customize types and levels of protection for different firewall policies For example while traffic between internal and external addresses might need ...

Страница 34: ...he firewall action for the connection The action can be to allow the connection deny the connection require authentication before the connection is allowed or process the packet as an IPSec VPN connection You can configure each firewall policy to route connections or apply network address translation NAT to translate source and destination IP addresses and ports You also add protection profiles to...

Страница 35: ... you can apply FortiGate features such as virus scanning and authentication to the communication session accepted by the policy Add DENY policies to deny communication sessions Add IPSec encryption policies to enable IPSec tunnel mode VPN traffic and SSL VPN encryption policies to enable SSL VPN traffic Firewall encryption policies determine which types of IP traffic will be permitted during an IP...

Страница 36: ...o AntiVirus Config Grayware Antivirus settings are turned on in the protection profile In the protection profile you can enable antivirus options for specific services and which services will use the file patterns as a part of the antivirus process To configure antivirus protection profile settings go to Firewall Protection Profile Select edit for a profile and select the Anti Virus options For de...

Страница 37: ...es the email address of the message s sender to the email address list in sequence If a match is found the action associated with the email address is taken If no match is found the message is passed to the next enabled antispam filter To configure black white lists go to AntiSpam Black White List You enable antispam options for each mail service POP3 IMAP and SMTP in the protection profile To con...

Страница 38: ...s You need to have a FortiGuard subscription to take advantage of FortiGuard web filtering The FortiGate unit also enables you to override the FortiGuard filtering designation and you can add your own To customize your FortiGuard web filtering go to Web Filter FortiGuard Web Filter For details and configuration options for the web filtering features and settings see the FortiGate Administration Gu...

Страница 39: ...d dirt from entering the FortiGate unit Install the fillers on any AMC slots you do not have an AMC card installed To install the filler module 1 Pull the latch on the filler module to the extended position 2 Insert the module by applying moderate force to the front faceplate to slide the module into the slot The filler module should glide smoothly into the chassis If you encounter any resistance ...

Страница 40: ... latch to lock in the module 8 Power on the FortiGate unit Removing modules Should you need to remove a module shut down the FortiGate unit using proper shut down procedures To remove a module 1 Ensure the FortiGate unit is powered off before proceeding 2 To avoid any electrostatic discharge ESD when handling FortiGate modules install in a static free area 3 Pull the hot swap latch on the right ha...

Страница 41: ...mum log level Select a log level The FortiGate unit logs all messages at and above the logging severity level you select For example if you select Error the unit logs Error Critical Alert and Emergency level messages When log disk is full Select what the FortiGate unit should do when the log disk is full You can either select to overright the oldest logs or stop logging until you can remove or bac...

Страница 42: ...ork throughput for traffic with small packets such as VoIP latency sensitive traffic such as streaming multimedia traffic with long session lifetimes such as FTP IPSec VPN traffic active active HA load balanced traffic P2P traffic Eligible traffic processing is off loaded to the module This fast path processing leverages the additional hardware acceleration resources provided by the AMC modules In...

Страница 43: ...e To change the media type for the proper transceiver enter the following CLI command config system interface edit interface_number set mediatype sgmii sfp serdes sfp end For example config system interface edit AMC SW1 1 set mediatype sgmii sfp set speed auto next edit AMC SW1 2 set mediatype sgmii sfp set speed auto end Configure the speed You must also ensure the speed for the interface is corr...

Страница 44: ...FortiGate 620B FortiOS 3 0 MR6 Install Guide 44 01 30006 83054 20081015 Using the AMC modules AMC modules ...

Страница 45: ...patch release before upgrading the firmware Follow the steps below download and review the release notes for the patch release download the patch release back up the current configuration install the patch release using the procedure Testing new firmware before installing on page 54 test the patch release until you are satisfied that it applies to your configuration Installing a patch release with...

Страница 46: ... path and filename of the firmware image file or select Browse and locate the file 6 Select OK The FortiGate unit uploads the firmware image file upgrades to the new firmware version restarts and displays the FortiGate login This process takes a few minutes Reverting to a previous version The following procedures revert the FortiGate unit to its factory default configuration and deletes IPS custom...

Страница 47: ... the FortiGate unit must recognize that the key is installed in its USB port To backup configuration 1 Go to System Maintenance Backup and Restore 2 Select USB Disk from the backup configuration to list 3 Enter a file name for the configuration file 4 Select Backup To restore configuration 1 Go to System Maintenance Backup and Restore 2 Select USB Disk from the restore configuration from list 3 Se...

Страница 48: ...s included with the firmware release you are installing After you install new firmware make sure that antivirus and attack definitions are up to date You can also use the CLI command execute update now to update the antivirus and attack definitions For details see the FortiGate Administration Guide Before you begin ensure you have a TFTP server running and accessible to the FortiGate unit To upgra...

Страница 49: ...t messages Before beginning this procedure it is recommended that you back up the FortiGate unit system configuration using the command execute backup config back up the IPS custom signatures using the command execute backup ipsuserdefsig back up web content and email filtering lists If you are reverting to a previous FortiOS version for example reverting from FortiOS v3 0 to FortiOS v2 80 you mig...

Страница 50: ...mage from tftp server OK Check image OK This operation will downgrade the current firmware version Do you want to continue y n 7 Type y The FortiGate unit reverts to the old firmware version resets the configuration to factory defaults and restarts This process takes a few minutes 8 Reconnect to the CLI 9 To restore your previous configuration if needed use the command execute restore config name_...

Страница 51: ...ng message This operation will reboot the system Do you want to continue y n 7 Type y As the FortiGate unit starts a series of system startup messages appears When the following messages appears Press any key to display configuration menu Immediately press any key to interrupt the system startup If you successfully interrupt the startup process the following messages appears G Get firmware image f...

Страница 52: ...the previous configuration Change the internal interface address if required You can do this from the CLI using the following command config system interface edit interface set ip address_ip4mask set allowaccess ping https ssh telnet http end After changing the interface address you can access the FortiGate unit from the web based manager and restore the configuration Backup and Restore from a USB...

Страница 53: ...onfig system auto install set default config file filename set auto intall config enable disable set default image file filename set auto install image enable disable end 3 Enter the following command to see the new firmware installation settings get system status Additional CLI Commands for a USB key Use the following CLI commands when you want to delete a file from the FortiUSB key list what fil...

Страница 54: ... same subnet as the internal interface To test the new firmware image 1 Connect to the CLI using a RJ 45 to DB 9 or null modem cable 2 Make sure the TFTP server is running 3 Copy the new firmware image file to the root directory of the TFTP server 4 Make sure the internal interface is connected to the same integer as the TFTP server You can use the following command to ping the computer running th...

Страница 55: ...t make sure you do not use the IP address of another device on the network The following message appears Enter File Name image out 11 Enter the firmware image file name and press Enter The TFTP server uploads the firmware image file to the FortiGate unit and the following appears Save as Default firmware Backup firmware Run image without saving D B R 12 Type R The FortiGate image is installed to s...

Страница 56: ...FortiGate 620B FortiOS 3 0 MR6 Install Guide 56 01 30006 83054 20081015 Testing new firmware before installing FortiGate Firmware ...

Страница 57: ... document conventions 9 documentation 9 domain name server configure 26 domain name server configure 21 24 downloading firmware 45 E earthing 14 execute shutdown 16 F firewall policies 22 25 34 firmware backup and restore from USB 52 download 45 from system reboot 50 installing 50 re installing current version 52 restore from CLI 52 restoring previous config 52 revert from CLI 49 reverting with we...

Страница 58: ...ty certificate 19 shielded twisted pair 14 shut down 16 signatures update 31 static route 21 25 system reboot installing 50 T technical support 11 TFTP server 50 time and date 30 time zone 30 Transparent mode 18 switching to 26 typographic conventions 9 U unnumbered IP 20 update signatures 31 updating antivirus and IPS web based manager 31 upgrading firmware using the CLI 48 USB 52 auto install 47...

Страница 59: ...FortiGate 620B FortiOS 3 0 MR6 Install Guide 59 01 30006 83054 20081015 Index ...

Страница 60: ...FortiGate 620B FortiOS 3 0 MR6 Install Guide 60 01 30006 83054 20081015 Index ...

Страница 61: ...www fortinet com ...

Страница 62: ...www fortinet com ...

Отзывы:

Нет отзывов

Похожие инструкции для FortiGate-620B

Бренд: Watchguard Страницы: 8

CloudGen Series

Бренд: Barracuda Страницы: 4

ZyWALL 35 Series

Бренд: ZyXEL Communications Страницы: 872

Бренд: PaloAlto Networks Страницы: 30

FortiGate FortiGate-300A

Бренд: Fortinet Страницы: 392

Network VirusWall Enforcer 1200

Бренд: Trend Micro Страницы: 2

Бренд: Trend Micro Страницы: 236

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды