FortiGate-1000A/AFA2 FortiOS 3.0 MR6 Install Guide (01-30006-0461-20080131), page 34

Advanced configuration: Firewall policies

The best way to begin creating your own protection profile is to open a predefined profile. This way you can see how a profile is set up, and then modify it to suit your requirements. You access Protection profile options by going to Firewall > Protection Profile, and selecting Edit for one of the predefined profiles.

Protection profiles are used by the firewall policies to determine how network and Internet traffic is controlled, scanned and, when necessary, rejected. The protection profiles can be considered the rules of the firewall policy. Because of this, you should take some time to review the various options and consider what you want the firewall policies to do. If, after setting the protection profile and firewall policies, traffic is not flowing, or more traffic flows than you intended, verify your profile settings.

Protection profiles have too many options and settings to cover in this document. For details on each protection profile feature and setting, see the FortiGate Administration Guide or the FortiGate Online Help.

Firewall policies

Firewall policies are instructions the FortiGate unit uses to decide what to do with 
a connection request. When the firewall receives a connection request, it analyzes 
it to extract its source address, destination address, and port number.

For the connection through the FortiGate unit to be successful, the source 
address, destination address, and service of the connection must match a firewall 
policy. The policy directs the firewall action for the connection. The action can be 
to allow the connection, deny the connection, require authentication before the 
connection is allowed, or process the packet as an IPSec VPN connection.

You can configure each firewall policy to route connections or apply network address translation (NAT) to translate source and destination IP addresses and ports. You also add a protection profile to each firewall policy so that different protection settings can be applied to the traffic that policy controls.

The FortiGate unit matches firewall policies by searching from the top of the firewall policy list and moving down until it finds the first match. It then performs the address translation, blocking and other processing described by that policy and its protection profile, and passes the packet on. This is important, because once the FortiGate unit finds a match to a policy, it will not continue down the list. You need to arrange policies in the policy list from more specific to more general.

For example, suppose you have two policies: one that blocks specific URLs or IP addresses, and another, general policy that lets traffic through. If you put the general policy at the top, the FortiGate unit will act on the general policy, treating the connection as matched, and potentially let through the URLs or IPs you wanted blocked.

Web: Apply virus scanning and web content blocking to HTTP traffic.

Unfiltered: Apply no scanning, blocking or IPS. Use the unfiltered content profile if no content protection for content traffic is required. Add this protection profile to firewall policies for connections between highly trusted or highly secure networks where content does not need to be protected.

Note: No traffic will flow through a FortiGate unit until at least one firewall policy is added.
