
Advanced configuration 

Antivirus options

FortiGate-800 and FortiGate-800F FortiOS 3.0 MR6 Install Guide
01-30006-0455-20080910

33

Configuring firewall policies

To add or edit a firewall policy, go to Firewall > Policy and select Edit on an existing policy, or select Create New to add a policy.

The source and destination Interface/Zone match the firewall policy with the source and destination of a communication session. The Address Name matches the source and destination address of the communication session.

Schedule defines when the firewall policy is enabled. While most policies are always on, you can configure a firewall policy so that it is only on at specific times of the day. For example, you may want to block news and entertainment sites most of the day, except during lunch or after work, enabling your employees to view those sites only during non-working times.

Service matches the firewall policy with the service used by a communication session. This enables you to configure a policy for general web surfing and a different policy specifically for other traffic such as SMTP mail or FTP uploads and downloads.

Action defines how the FortiGate unit processes traffic. Specify an action to accept or deny traffic or configure a firewall encryption policy.

• Add ACCEPT policies that accept communication sessions. Using an accept policy, you can apply FortiGate features such as virus scanning and authentication to the communication session accepted by the policy.
• Add DENY policies to deny communication sessions.
• Add IPSec encryption policies to enable IPSec tunnel mode VPN traffic and SSL VPN encryption policies to enable SSL VPN traffic. Firewall encryption policies determine which types of IP traffic will be permitted during an IPSec or SSL VPN session.

Select Protection Profile to apply a protection profile to the firewall policy for scanning of traffic passing through the FortiGate unit.

For details on the firewall policy features and settings, see the FortiGate Administration Guide or the FortiGate Online Help.
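The matching described in this section, as an added example that is not part of the original guide and is not FortiOS code: a small Python model of how interface, address, schedule and service select a policy, using the lunch-time schedule case from the text. It assumes policies are checked top to bottom with the first match deciding and unmatched sessions denied; the policy names, address ranges and the `evaluate` and `session` helpers are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Schedule:
    days: frozenset   # weekdays the policy is on, Monday=0
    start: time
    end: time
    def active(self, when):
        return when.weekday() in self.days and self.start <= when.time() <= self.end

@dataclass(frozen=True)
class Policy:
    name: str
    srcintf: str
    dstintf: str
    srcaddr: str         # address name resolved to a CIDR range
    dstaddr: str
    schedule: Schedule
    service: frozenset   # (protocol, destination port) pairs
    action: str          # "ACCEPT" or "DENY"
    profile: str = None  # protection profile, applied on ACCEPT policies

    def matches(self, s, when):
        return (s["srcintf"] == self.srcintf and s["dstintf"] == self.dstintf
                and ip_address(s["src"]) in ip_network(self.srcaddr)
                and ip_address(s["dst"]) in ip_network(self.dstaddr)
                and (s["proto"], s["dport"]) in self.service
                and self.schedule.active(when))  # an off-schedule policy never matches

def evaluate(policies, session, when):
    """Return (action, policy name, profile) of the first matching policy."""
    for p in policies:
        if p.matches(session, when):
            return p.action, p.name, p.profile
    return "DENY", None, None  # nothing matched: assumed implicit deny

ALWAYS = Schedule(frozenset(range(7)), time.min, time.max)
LUNCH = Schedule(frozenset(range(5)), time(12, 0), time(13, 0))  # weekdays only
HTTP, SMTP = frozenset({("tcp", 80)}), frozenset({("tcp", 25)})
LAN, NEWS, ANY = "192.168.1.0/24", "203.0.113.0/24", "0.0.0.0/0"  # constructed ranges

POLICIES = [  # order matters: the lunch exception sits above the block
    Policy("news-at-lunch", "internal", "external", LAN, NEWS, LUNCH, HTTP, "ACCEPT", "scan"),
    Policy("news-blocked", "internal", "external", LAN, NEWS, ALWAYS, HTTP, "DENY"),
    Policy("web", "internal", "external", LAN, ANY, ALWAYS, HTTP, "ACCEPT", "scan"),
    Policy("mail", "internal", "external", LAN, ANY, ALWAYS, SMTP, "ACCEPT", "scan"),
]

def session(dst, dport):
    """Build a constructed sample session from one internal host."""
    return {"srcintf": "internal", "dstintf": "external", "src": "192.168.1.50",
            "dst": dst, "proto": "tcp", "dport": dport}
```

No policy lists FTP, so an FTP session from the same host falls through to the deny at the end; a policy that accepts traffic without a protection profile would pass it unscanned.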

Antivirus options

The FortiGate unit’s antivirus configuration prevents malicious files from entering 
and infecting your network environment.

The FortiGate unit uses a number of processes to scan files to ensure unwanted 
files and potential attackers do not get through. The FortiGate unit scans using 
these antivirus options:

• File pattern - The FortiGate unit checks the file against the file pattern setting you have configured. You can set which file names or file types the FortiGate unit looks for in the incoming traffic.
• Virus scan - The virus definitions are kept up to date through the FortiNet Distribution Network (FDN). The list is updated on a regular basis so you do not have to wait for a firmware upgrade. Note that you must register the FortiGate unit and purchase FortiGuard services to use virus scanning through the FDN.
