manualshive.com logo in svg

Fortinet FortiGate FortiGate-100A, Руководство администратора

Поделиться
Скачать
Fortinet FortiGate FortiGate-100A Скачать руководство пользователя страница 16

16

01-28006-0068-20041105

Fortinet Inc.

VLANs and virtual domains

Introduction

NAT/Route mode

In NAT/Route mode, the FortiGate unit is a Layer 3 device. This means that each of its 
interfaces is associated with a different IP subnet and that it appears to other devices 
as a router. This is how a firewall is normally deployed.

In NAT/Route mode, you can create NAT mode policies and Route mode policies.

• NAT mode policies use network address translation to hide the addresses in a 

more secure network from users in a less secure network.

• Route mode policies accept or deny connections between networks without 

performing address translation.

Transparent mode

In Transparent mode, the FortiGate unit does not change the Layer 3 topology. This 
means that all of its interfaces are on the same IP subnet and that it appears to other 
devices as a bridge. Typically, the FortiGate unit is deployed in Transparent mode to 
provide antivirus and content filtering behind an existing firewall solution.

Transparent mode provides the same basic firewall protection as NAT mode. The 
FortiGate unit passes or blocks the packets it receives according to firewall policies. 
The FortiGate unit can be inserted in the network at any point without having to make 
changes to your network or its components. However, some advanced firewall 
features are available only in NAT/Route mode.

VLANs and virtual domains

Fortigate Antivirus Firewalls support IEEE 802.1Q-compliant virtual LAN (VLAN) tags. 
Using VLAN technology, a single FortiGate unit can provide security services to, and 
control connections between, multiple security domains according to the VLAN IDs 
added to VLAN packets. The FortiGate unit can recognize VLAN IDs and apply 
security policies to secure network and IPSec VPN traffic between each security 
domain. The FortiGate unit can also apply authentication, content filtering, and 
antivirus protection to VLAN-tagged network and VPN traffic.

The FortiGate unit supports VLANs in NAT/Route and Transparent mode. In 
NAT/Route mode, you enter VLAN subinterfaces to receive and send VLAN packets.

FortiGate virtual domains provide multiple logical firewalls and routers in a single 
FortiGate unit. Using virtual domains, one FortiGate unit can provide exclusive firewall 
and routing services to multiple networks so that traffic from each network is 
effectively separated from every other network. 

You can develop and manage interfaces, VLAN subinterfaces, zones, firewall policies, 
routing, and VPN configuration for each virtual domain separately. For these 
configuration settings, each virtual domain is functionally similar to a single FortiGate 
unit. This separation simplifies configuration because you do not have to manage as 
many routes or firewall policies at one time.

Содержание FortiGate FortiGate-100A

Страница 1: ...on Guide INTERNAL DMZ 1 4 3 2 1 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 WAN 1 WAN 2 PWR STATUS A DMZ 2 FortiGate 100A Administration Guide Version 2 80 MR6 5 November 2...

Страница 2: ...tion Guide Version 2 80 MR6 5 November 2004 01 28006 0068 20041105 Trademarks Products mentioned in this document are trademarks or registered trademarks of their respective holders Regulatory Complia...

Страница 3: ...tation 21 FortiManager documentation 22 FortiClient documentation 22 FortiMail documentation 22 FortiLog documentation 22 Customer service and technical support 23 System status 25 Console access 25 S...

Страница 4: ...arent mode VLAN list 69 Transparent mode VLAN settings 69 FortiGate IPv6 support 71 System DHCP 73 Service 73 DHCP service settings 74 Server 75 DHCP server settings 76 Exclude range 77 DHCP exclude r...

Страница 5: ...it 127 Shutdown 129 System virtual domain 131 Virtual domain properties 132 Exclusive virtual domain properties 132 Shared configuration settings 133 Administration and management 134 Virtual domains...

Страница 6: ...w Prefix list 156 New prefix list entry 157 Route map list 157 New Route map 158 Route map list entry 159 Key chain list 160 New key chain 160 Key chain list entry 161 Monitor 162 Routing monitor list...

Страница 7: ...dule options 211 Configuring one time schedules 212 Recurring schedule list 212 Recurring schedule options 213 Configuring recurring schedules 213 Virtual IP 214 Virtual IP list 215 Virtual IP options...

Страница 8: ...s 248 Configuring XAuth 249 Phase 2 250 Phase 2 list 250 Phase 2 basic settings 251 Phase 2 advanced options 252 Manual key 253 Manual key list 254 Manual key options 254 Concentrator 255 Concentrator...

Страница 9: ...S VPN 279 Manual key IPSec VPN 280 Adding firewall policies for IPSec VPN tunnels 280 Setting the encryption policy direction 280 Setting the source address for encrypted traffic 280 Setting the desti...

Страница 10: ...options 311 CLI configuration 312 heuristic 312 quarantine 313 service http 314 service ftp 315 service pop3 316 service imap 317 service smtp 318 Web filter 321 Content block 322 Web content block l...

Страница 11: ...the IP address list 338 RBL ORDBL 339 RBL ORDBL list 340 RBL ORDBL options 340 Configuring the RBL ORDBL list 340 Email address 341 Email address list 341 Email address options 341 Configuring the em...

Страница 12: ...Contents 12 01 28006 0068 20041105 Fortinet Inc CLI configuration 362 fortilog setting 362 syslogd setting 363 FortiGuard categories 367 FortiGate maximum values 373 Glossary 377 Index 381...

Страница 13: ...ces such as virus protection and content filtering network level services such as firewall intrusion detection VPN and traffic shaping The FortiGate Antivirus Firewall uses Fortinet s Accelerated Beha...

Страница 14: ...download quarantined files so that they can be virus scanned cleaned and forwarded to the intended recipient You can also configure the FortiGate unit to automatically delete quarantined files after...

Страница 15: ...r computer networks from Internet threats ICSA has granted FortiGate firewalls version 4 0 firewall certification providing assurance that FortiGate firewalls successfully screen and secure corporate...

Страница 16: ...onents However some advanced firewall features are available only in NAT Route mode VLANs and virtual domains Fortigate Antivirus Firewalls support IEEE 802 1Q compliant virtual LAN VLAN tags Using VL...

Страница 17: ...cluding IPSec VPN in NAT Route and Transparent mode IPSec ESP security in tunnel mode DES 3DES triple DES and AES hardware accelerated encryption HMAC MD5 and HMAC SHA1 authentication and data integri...

Страница 18: ...us scanning to all the FortiGate units in the HA cluster Secure installation configuration and management The first time you power on the FortiGate unit it is already configured with default IP addres...

Страница 19: ...traffic that was permitted by firewall policies report traffic that was denied by firewall policies report events such as configuration changes and other management events IPSec tunnel negotiation vi...

Страница 20: ...rtical bar and curly brackets to separate alternative mutually exclusive required keywords For example set opmode nat transparent You can enter set opmode nat or set opmode transparent Square brackets...

Страница 21: ...tection web content filtering and spam filtering and how to configure a VPN FortiGate online help Provides a context sensitive and searchable version of the Administration Guide in HTML format You can...

Страница 22: ...t software FortiMail documentation FortiMail Administration Guide Describes how to install configure and manage a FortiMail unit in gateway mode and server mode including how to configure the unit cre...

Страница 23: ...r your region For information about our priority support hotline live support see http support fortinet com When requesting technical support please provide the following information your name your co...

Страница 24: ...24 01 28006 0068 20041105 Fortinet Inc FortiLog documentation Introduction...

Страница 25: ...ion log This chapter includes Console access Status Session list Changing the FortiGate firmware Console access An alternative to the web based manager discussed in this manual is text based Console A...

Страница 26: ...profiles on page 111 Viewing system status Changing unit information Viewing system status Figure 2 System status System status Connect Select Connect to connect to the CLI Disconnect Select Disconne...

Страница 27: ...d version of the FortiGate Antivirus Definitions Attack Definitions The current installed version of the FortiGate Attack Definitions used by the Intrusion Prevention System IPS Serial Number The seri...

Страница 28: ...f the maximum network bandwidth that can be processed by the FortiGate unit History Select History to view a graphical representation of the last minute of CPU memory sessions and network usage This p...

Страница 29: ...st Name field and in the CLI prompt and is added to the SNMP System Name To update the firmware version For information on updating the firmware see Changing the FortiGate firmware on page 32 To updat...

Страница 30: ...it from the NAT Route mode to Transparent mode most of the configuration resets to Transparent mode factory defaults except for HA settings see HA on page 84 To change to Transparent mode 1 Go to Syst...

Страница 31: ...nsparent mode you may have to change the IP address of your computer to the same subnet as the interface configured for management access From IP Set source IP address for list filtering From Port Set...

Страница 32: ...rade to a new FortiOS firmware version or to a more recent build of the same firmware version Reverting to a previous firmware version Use the web based manager or CLI procedure to revert to a previou...

Страница 33: ...see Update center on page 118 Upgrading the firmware using the CLI To use the following procedure you must have a TFTP server that the FortiGate unit can connect to To upgrade the firmware using the C...

Страница 34: ...e FortiGate unit uploads the firmware image file upgrades to the new firmware version and restarts This process takes a few minutes 7 Reconnect to the CLI 8 To confirm that the new firmware image is s...

Страница 35: ...eb based manager 8 Go to System Status and check the Firmware Version to confirm that the firmware is successfully installed 9 Restore your configuration For information about restoring your configura...

Страница 36: ...le if the TFTP server s IP address is 192 168 1 168 execute ping 192 168 1 168 5 Enter the following command to copy the firmware image from the TFTP server to the FortiGate unit execute restore image...

Страница 37: ...ges from a system reboot using the CLI This procedure installs a specified firmware image and resets the FortiGate unit to default settings You can use this procedure to upgrade to a new firmware vers...

Страница 38: ...ping 192 168 1 168 6 Enter the following command to restart the FortiGate unit execute reboot The FortiGate unit responds with the following message This operation will reboot the system Do you want...

Страница 39: ...1 188 10 Type an IP address that the FortiGate unit can use to connect to the TFTP server The IP address can be any IP address that is valid for the network that the interface is connected to Make su...

Страница 40: ...nstalling the firmware image from a system reboot and saving it to system memory After completing this procedure the FortiGate unit operates using the new firmware image with the current configuration...

Страница 41: ...ep 9 FortiGate unit running v3 x BIOS G Get firmware image from TFTP server F Format boot device Q Quit menu and continue to boot with default firmware H Display this list of options Enter G F Q or H...

Страница 42: ...been loaded from the CLI enter get system status You can test the new firmware image as required Installing and using a backup firmware image If the FortiGate unit is running BIOS version v3 x you ca...

Страница 43: ...7 Type G to get the new firmware image from the TFTP server The following message appears Enter TFTP server address 192 168 1 168 8 Type the address of the TFTP server and press Enter The following me...

Страница 44: ...ayed When the following message appears Press any key to enter configuration menu 3 Immediately press any key to interrupt the system startup If you successfully interrupt the startup process the foll...

Страница 45: ...the startup process the following message appears G Get firmware image from TFTP server F Format boot device B Boot with backup firmware and set as default Q Quit menu and continue to boot with defau...

Страница 46: ...46 01 28006 0068 20041105 Fortinet Inc Installing and using a backup firmware image System status...

Страница 47: ...to the FortiGate network configuration Interface Zone Management DNS Routing table Transparent Mode VLAN overview VLANs in NAT Route mode VLANs in Transparent mode FortiGate IPv6 support Interface In...

Страница 48: ...n2 If you have added VLAN subinterfaces they also appear in the name list below the physical interface that they have been added to See VLAN overview on page 63 IP The current IP address of the interf...

Страница 49: ...oE To add a secondary IP address To add a ping server to an interface To control administrative access to an interface To change the MTU size of the packets leaving an interface To configure traffic l...

Страница 50: ...unit to send the DHCP request Note Where you can enter both an IP address and a netmask in the same field you can use the short form of the netmask For example 192 168 1 100 255 255 255 0 can also be...

Страница 51: ...rwise this IP address can be the same as the IP address of another interface or can be any IP address Initial Disc Timeout Initial discovery timeout The time to wait before retrying to start a PPPoE d...

Страница 52: ...ss options Connect to server Enable Connect to Server so that the interface automatically attempts to connect to a PPPoE server Disable this option if you are configuring the interface offline Status...

Страница 53: ...t Log Config to configure logging locations and types For information about logging see Log Report on page 349 Configuring interfaces Use the following procedures to configure FortiGate interfaces and...

Страница 54: ...licies for the interface and then add the interface to the zone 1 Go to System Network Zone 2 Choose the zone to add the interface or VLAN subinterface to and select Edit 3 Select the names of the int...

Страница 55: ...The FortiGate unit attempts to contact the DHCP server from the interface to set the IP address netmask and optionally the default gateway IP address and DNS server IP addresses 7 Select Status to ref...

Страница 56: ...stem interface edit intf_str config secondaryip edit 0 set ip second_ip netmask_ip Optionally you can also configure management access and add a ping server to the secondary IP address set allowaccess...

Страница 57: ...ace on page 60 1 Go to System Network Interface 2 Choose an interface and select Edit 3 Select the Administrative Access methods for the interface 4 Select OK to save the changes To change the MTU siz...

Страница 58: ...irtual domain to which you want to add the zone 2 Go to System Network Zone 3 Select Create New 4 In the New Zone dialog box type a name for the zone Create New Select Create New to create a zone Name...

Страница 59: ...tual domain go to System Virtual Domain Current Virtual Domain and select the virtual domain in which to edit the zone 2 Go to System Network Zone 3 Select Edit to modify a zone 4 Select or deselect B...

Страница 60: ...ault value of 5 minutes see To set the system idle timeout on page 83 Figure 10 Management To configure the management interface 1 Go to System Network Management 2 Enter the Management IP Netmask 3 E...

Страница 61: ...that the FortiGate unit obtained automatically Figure 11 DNS To add DNS server IP addresses 1 Go to System Network DNS 2 Change the primary and secondary DNS server IP addresses as required 3 Select A...

Страница 62: ...te number IP The destination IP address for this route Mask The netmask for this route Gateway The IP address of the next hop router to which this route directs traffic Distance The the relative prefe...

Страница 63: ...dcast domain Devices in VLAN 1 can connect with other devices in VLAN 1 but cannot connect with devices in other VLANs The communication among devices on a VLAN is independent of the physical network...

Страница 64: ...ng VLAN trunks between an IEEE 802 1Q compliant switch or router and the FortiGate unit Normally the FortiGate unit internal interface connects to a VLAN trunk on an internal switch and the external i...

Страница 65: ...N ID can be any number between 1 and 4096 Each VLAN subinterface must also be configured with its own IP address and netmask You add VLAN subinterfaces to the physical interface that receives VLAN tag...

Страница 66: ...AN packets See Address on page 198 3 Go to Firewall Policy 4 Add firewall policies as required VLANs in Transparent mode In Transparent mode the FortiGate unit can apply firewall policies and services...

Страница 67: ...on interface to the packet based on its destination MAC address The firewall policies for this source and destination VLAN subinterface pair are applied to the packet If the packet is accepted by the...

Страница 68: ...Transparent mode virtual domains and VLANs VLAN subinterfaces are added to and associated with virtual domains By default the FortiGate configuration includes one virtual domain named root and you ca...

Страница 69: ...face Virtual Domain Select a virtual domain to display the VLAN interfaces added to this virtual domain Name The name of the interface or VLAN subinterface Access The administrative access configurati...

Страница 70: ...le using a Dynamic DNS service DDNS If the FortiGate unit uses a dynamic IP address you can arrange with a DDNS service provider to use a domain name to provide redirection of traffic to your network...

Страница 71: ...t static routing periodic router advertisements and tunneling of IPv6 addressed traffic over an IPv4 addressed network All of these features must be configured through the Command Line Interface CLI S...

Страница 72: ...72 01 28006 0068 20041105 Fortinet Inc Transparent mode VLAN settings System network...

Страница 73: ...MAC binding Dynamic IP Service Go to System DHCP Service to configure the DHCP service provided by each FortiGate interface You can configure each interface to be a DHCP relay or a DHCP server or you...

Страница 74: ...rvice 2 Select Edit for the interface that you want to be a DHCP relay agent 3 Select DHCP Relay Agent 4 Set type to Regular 5 Enter the DHCP Server IP address 6 Select OK Interface The name of the in...

Страница 75: ...face See To configure a DHCP server for an interface on page 76 Server You can configure one or more DHCP servers for any FortiGate interface As a DHCP server the interface dynamically assigns IP addr...

Страница 76: ...and ending IP for the range of IP addresses that this DHCP server assigns to DHCP clients Network Mask Enter the netmask that the DHCP server assigns to DHCP clients Lease Time Select Unlimited for a...

Страница 77: ...connected subnets sends a DHCP request it is relayed to the FortiGate interface by the router using DHCP relay The FortiGate unit selects the DHCP server configuration with an IP range that matches th...

Страница 78: ...ess of the device When you add the MAC address and an IP address to the IP MAC binding list the DHCP server always assigns this IP address to the MAC address IP MAC binding pairs apply to all FortiGat...

Страница 79: ...g MAC addresses and the expiry time and date for these addresses To view the dynamic IP list 1 Go to System DHCP Dynamic IP 2 Select the interface for which you want to view the list Name Enter a name...

Страница 80: ...80 01 28006 0068 20041105 Fortinet Inc DHCP IP MAC binding settings System DHCP...

Страница 81: ...set the FortiGate system time For effective scheduling and logging the FortiGate system time must be accurate You can either manually set the FortiGate system time or you can configure the FortiGate...

Страница 82: ...Timeout settings including the idle timeout and authentication timeout The language displayed by the web based manager Dead gateway detection interval and failover detection Automatically adjust cloc...

Страница 83: ...hours To improve security keep the idle timeout at the default value of 5 minutes Auth Timeout Set the firewall user authentication timeout to control how long an authenticated connection can be idle...

Страница 84: ...on synchronize the cluster routing table and report individual cluster member status The units in the cluster are constantly communicating HA status information to make sure that the cluster is operat...

Страница 85: ...rithm to distribute virus scanning to all the FortiGate units in the HA cluster By default the FortiGate unit load balances virus scanning among all of the FortiGate units in the cluster Using the CLI...

Страница 86: ...uire the same virtual MAC address This virtual MAC address is set according to the group ID Table 3 lists the virtual MAC address set for each group ID If you have more than one HA cluster on the same...

Страница 87: ...mes the primary cluster unit Override Master Configure a cluster unit to always override the current primary cluster unit and become the primary cluster unit Enable override master for the cluster uni...

Страница 88: ...if the cluster interfaces are connected to a hub Traffic is distributed to cluster units based on the Source IP and Destination IP of the packet Least Connection Least connection load balancing If the...

Страница 89: ...the reliability of the cluster To optimize bandwidth use you can route most heartbeat traffic to interfaces that handle less network traffic You can also create a failover path by setting heartbeat p...

Страница 90: ...ssed by that interface to the same interface of another cluster unit in the cluster that still has a connection to the network This other cluster unit becomes the new primary cluster unit If you can r...

Страница 91: ...Gate unit a unique host name See To change FortiGate host name on page 29 Use host names to identify individual cluster units 4 Go to System Config HA 5 Select HA 6 Select the HA mode 7 Select a Group...

Страница 92: ...ter ethernet interfaces to communicate cluster session information synchronize the cluster configuration and report individual cluster member status The units in the cluster are constantly communicati...

Страница 93: ...as the other units in the cluster 2 If the cluster is running in Transparent mode change the operating mode of the new FortiGate unit to Transparent mode 3 Connect the new FortiGate unit to the cluste...

Страница 94: ...subordinate unit priority 1 weight 3 The next three connections are processed by the second subordinate unit priority 2 weight 3 The subordinate units process more connections than the primary unit a...

Страница 95: ...nd manage logs for individual cluster units To monitor cluster units for failover To manage individual cluster units To view the status of each cluster member 1 Connect to the cluster and log into the...

Страница 96: ...s on the Cluster Members list The host name and serial number of the primary cluster unit changes The new primary unit logs the following messages to the event log HA slave became master Detected HA m...

Страница 97: ...s in the cluster Each cluster unit is numbered starting at 1 The information displayed for each cluster unit includes the unit serial number and the host name of the unit 3 Complete the command with t...

Страница 98: ...t The system location description can be up to 35 characters long Contact Enter the contact information for the person responsible for this FortiGate unit The contact information can be up to 35 chara...

Страница 99: ...up to three SNMP communities Each community can have a different configuration for SNMP queries and traps Each community can be configured to monitor the FortiGate unit for a different set of events Y...

Страница 100: ...5 Add one or more SNMP communities IP Address The IP address of an SNMP manager than can use the settings in this SNMP community to monitor the FortiGate unit You can also set the IP address to 0 0 0...

Страница 101: ...lready compiled into your SNMP manager you do not have to compile them again Table 6 FortiGate MIBs MIB file name or RFC Description fortinet 2 80 mib The Fortinet MIB is a proprietary MIB that includ...

Страница 102: ...The trap message includes the name of the interface and the serial number of the FortiGate unit HA state HA state changes The trap message includes the previous state the new state and a flag indicati...

Страница 103: ...ck IdsSynFlood NIDS attack prevention detects and provides protection from a syn flood attack Port scan attack IdsPortScan NIDS attack prevention detects and provides protection from a port scan attac...

Страница 104: ...tering priority of the individual FortiGate unit in a cluster override The master override setting enable or disable for an individual FortiGate unit in a cluster autoSync Auto config synchronization...

Страница 105: ...ocal user Can be password LDAP or RADIUS state Whether the local user is enabled or disable Table 18 Virtual domains MIB field Description index The index number virtual domain added to the FortiGate...

Страница 106: ...t Figure 36 Replacement messages list To change a replacement message 1 Go to System Config Replacement Messages 2 Select the category of replacement message to edit by clicking on the blue triangle f...

Страница 107: ...d be a file that contained a virus or was blocked by antivirus file blocking QUARFILENAME can be used in virus and file block messages Quarantining is only available on FortiGate units with a local di...

Страница 108: ...h the file was removed EMAIL_TO The email address of the intended receiver of the message from which the file was removed NIDSEVENT The IPS attack message NIDSEVENT is added to alert email intrusion m...

Страница 109: ...w read only write only or both read and write access to the following FortiGate features This chapter describes Administrators Access profiles Administrators Use the admin account or an account with s...

Страница 110: ...nge Password icon The admin administrator account cannot be deleted Administrator Enter the login name for the administrator account Password Type a password for the administrator account For improved...

Страница 111: ...rator must connect only through the subnet or subnets you specify You can even restrict an administrator to a single IP address if you define only one trusted host IP address with a netmask of 255 255...

Страница 112: ...under Access Control Allow Write All Select Allow Write All to give an administrator write privilege on all the items under Access Control System Configuration Allow or deny access to the system stat...

Страница 113: ...20041105 113 To configure an access profile 1 Go to System Admin Access Profile 2 Select Create New to add an access profile or select the edit icon to edit an existing access profile 3 Enter a name f...

Страница 114: ...114 01 28006 0068 20041105 Fortinet Inc Access profile options System administration...

Страница 115: ...spam filtering files to the management computer You can also restore system configuration VPN certificate web and spam filtering files from previously downloaded backup files Figure 44 Backup and res...

Страница 116: ...he system to its original configuration including resetting interface addresses This procedure does not change the firmware version or the antivirus or attack definitions Debug Log Download debug log...

Страница 117: ...le or select Browse and locate the file 4 Select OK If you restore the system configuration the FortiGate unit restarts loading the new system settings You should then reconnect to the web based manag...

Страница 118: ...P port 9443 To receive push updates the FDN must be able to route packets to the FortiGate unit using UDP port 9443 For information about configuring push updates see To enable push updates on page 12...

Страница 119: ...to the FortiGate unit to send push updates Push updates may not be available if you have not registered the FortiGate unit see To register a FortiGate unit on page 128 if there is a NAT device instal...

Страница 120: ...update attempt was successful and new updates were installed Other messages can indicate that the FortiGate was not able to connect to the FDN and other error conditions Allow Push Update Select this...

Страница 121: ...log indicating whether the update was successful or not To enable scheduled updates 1 Go to System Maintenance Update center 2 Select the Scheduled Update check box 3 Select one of the following to ch...

Страница 122: ...s config system autoupdate tunneling set address proxy address_ip set port proxy port set username username_str set password password_str set status enable end For example if the IP address of the pro...

Страница 123: ...the only method for obtaining updates The FortiGate unit might not receive the push notification Also when the FortiGate unit receives a push notification it makes only one attempt to connect to the...

Страница 124: ...e the FortiGate NAT device and the FortiGate unit on the internal network so that the FortiGate unit on the internal network can receive push updates 1 Add a port forwarding virtual IP to the FortiGat...

Страница 125: ...box 3 Select the Use override push check box 4 Set IP to the external IP address added to the virtual IP 5 Set Port to the external service port added to the virtual IP 6 Select Apply The FortiGate un...

Страница 126: ...n to register the FortiGate unit with FortiNet Contact Information Enter the contact information so that FortiNet support can reply to your bug report Items marked with an are required Bug Description...

Страница 127: ...ou or your organization purchased You can register multiple FortiGate units in a single session without re entering your contact information Once registration is completed Fortinet sends a Support Log...

Страница 128: ...nit and add the FortiCare Support Contract number to the registration information You can also register the FortiGate unit without purchasing a FortiCare Support Contract In that case when you purchas...

Страница 129: ...you can return to the previous page to enter the number If you do not have a FortiCare Support Contract you can select Continue to complete the registration If you have entered a support contract numb...

Страница 130: ...procedure to reset system settings to the values set at the factory This procedure does not change the firmware version or the antivirus or attack definitions 1 Go to System Maintenance Shutdown 2 Se...

Страница 131: ...nections between VLAN subinterfaces or zones in the virtual domain Packets never cross the virtual domain border The remainder of FortiGate functionality is shared between virtual domains This means t...

Страница 132: ...ttings Physical interfaces see To add physical interfaces to a virtual domain on page 136 VLAN subinterfaces see To add VLAN subinterfaces to a virtual domain on page 137 Zones see To add zones to a v...

Страница 133: ...ivirus Definitions and engine Attack Definitions and engine Serial Number Operation Mode Network configuration DNS settings DHCP configuration DHCP settings are applied per interface no matter which v...

Страница 134: ...virtual domain if you want these systems to communicate with network resources that can connect to a different virtual domain Virtual domains Go to System Virtual domain Virtual domains to view and a...

Страница 135: ...omain Name The virtual domain must not have the same name as a VLAN or zone 4 Select OK Selecting a virtual domain The following procedure applies to NAT Route and Transparent mode To select a virtual...

Страница 136: ...configure virtual domains Adding interfaces VLAN subinterfaces and zones to a virtual domain Configuring routing for a virtual domain Configuring firewall policies for a virtual domain Configuring IP...

Страница 137: ...to move a VLAN subinterface from one virtual domain to another You cannot remove a VLAN subinterface from a virtual domain if firewall policies have been added for it Delete the firewall policies or...

Страница 138: ...nt virtual domain To configure the routing table for a virtual domain in Transparent mode 1 Go to System Virtual domain Virtual domains 2 Select Change following the current virtual domain name above...

Страница 139: ...bove the table 3 Choose the virtual domain for which to configure firewall addresses 4 Select OK 5 Go to Firewall Address 6 Add new firewall addresses address ranges and address groups to the current...

Страница 140: ...or a virtual domain The following procedure applies to NAT Route and Transparent mode 1 Go to System Virtual domain Virtual domains 2 Select Change following the current virtual domain name above the...

Страница 141: ...ed You can decrease the distance value of a static route to indicate that the route is preferable compared to another static route that specifies a different gateway to the same destination network Ro...

Страница 142: ...0 1 Device Name of the interface connected to network 192 168 10 0 24 e g external Distance 10 The Gateway setting specifies the IP address of the next hop router interface to the FortiGate external i...

Страница 143: ...gs Destination IP mask 192 168 30 0 24 Gateway 192 168 10 2 Device dmz Distance 10 To route packets from Network_2 to Network_1 Router_2 must be configured to use the FortiGate dmz interface as its de...

Страница 144: ...he sequence number for this route IP The destination IP address for this route Mask The netmask for this route Gateway The IP address of the first next hop router to which this route directs traffic D...

Страница 145: ...outing list and attempts to match the packet with a policy The policy route supplies the next hop gateway as well as the FortiGate interface to be used by the traffic If no policy route matches the pa...

Страница 146: ...rotocol RIP supports both RIP version 1 as defined by RFC 1058 and RIP version 2 as defined by RFC 2453 RIP version 2 enables RIP messages to carry more information and to support simple authenticatio...

Страница 147: ...ss servers in the network should have the same RIP timer settings Update The time interval in seconds between RIP updates Garbage The time in seconds that must elapse after the timeout interval for a...

Страница 148: ...be used for the redistributed routes 4 Select a Route map name 5 Select Apply Networks list Identify the networks for which to send and receive RIP updates If a network is not specified interfaces in...

Страница 149: ...version 2 authentication RIP version send and receive for the specified interface and configure and enable split horizon Authentication is only available for RIP version 2 packets sent and received by...

Страница 150: ...etting the Receive Version here overrides the default RIP version for this interface Split Horizon Configure RIP to use either regular or poisoned reverse split horizon on this interface Select Regula...

Страница 151: ...prefix list If you do not specify an interface the filter will be applied to all interfaces in the current virtual domain You must configure the access list or prefix list that you want the distribute...

Страница 152: ...new distribute list Direction The direction for the filter Filter The type of filter and the filter name Interface The interface to use this filter on If no interface name is displayed this distribut...

Страница 153: ...nt virtual domain go to System Virtual Domain Virtual Domains and select the virtual domain Create New Add a new offset list Direction The direction for the offset list Access list The access list to...

Страница 154: ...exactly or to match the prefix and any more specific prefix The FortiGate unit attempts to match a packet against the rules in an access list starting at the top of the list If it finds a match for th...

Страница 155: ...ected Match a network address enter the IP address and netmask that define the prefix for this access list entry 6 Select Exact match if required 7 Select OK Prefix list A prefix list is an enhanced v...

Страница 156: ...ure such as RIP or OSPF Figure 69 Prefix list New Prefix list Figure 70 Prefix list name configuration To add a prefix list name 1 Go to Router Router Objects Prefix List 2 Select Create New 3 Enter a...

Страница 157: ...r 8 Select OK Route map list Route maps are a specialized form of filter Route maps are similar to access lists but have enhanced matching criteria and in addition to permit or deny actions can be con...

Страница 158: ...iple match statements are defined in a rule all the match statements must match before the set statements can be used For a route map to take effect it must be called by another FortiGate routing feat...

Страница 159: ...eny to deny routes that match this entry Match The criteria to match Interface Match a route with the selected destination interface Address Match a route if the destination address is included in the...

Страница 160: ...tes from one key to the next according to the scheduled send and receive lifetimes The sending and receiving routers should have their system dates and times synchronized but overlapping the key lifet...

Страница 161: ...the required hour minute second year month and day to start using this key for received routing updates Key chain entry The key chain name and the ID number for this key chain entry Key The key passw...

Страница 162: ...rtiGate routing table Routing monitor list Figure 78 Routing monitor To filter the routing monitor display 1 Go to Router Monitor Routing Monitor 2 Select a type of route to display or select all to d...

Страница 163: ...et router info ospf database get router info ospf interface get router info protocols Show the current state of active routing protocols Command syntax get router info protocols Note You can configure...

Страница 164: ...a A router connected to more than one area is an area border router ABR Routing information is contained in a link state database Routing information is communicated between routers using link state a...

Страница 165: ...before entering the overflow state The lsas_integer must be the same on all routers attached to the OSPF area and the OSPF backbone The valid range for lsas_integer is 0 to 4294967294 10000 All models...

Страница 166: ...y supports RFC 1583 When RFC 1583 compatibility is enabled routers choose the path with the lowest cost Otherwise routers choose the lowest cost intra area path through a non backbone area disable All...

Страница 167: ...ust be a backbone area that all areas can connect to You can use a virtual link to connect areas that do not have a physical connection to the backbone Routers within an OSPF area maintain link state...

Страница 168: ...n for interfaces the authentication configured for the area is not used Authentication passwords or keys are defined per interface See config ospf interface on page 180 none All models default cost co...

Страница 169: ...SA You can set the translator role to always to ensure this FortiGate unit always acts as a translator if it is in a NSSA even if other routers in the NSSA are also acting as translators You can set t...

Страница 170: ...ix list on page 155 config filter list command syntax pattern config filter list edit id_integer set keyword variable end config filter list edit id_integer unset keyword end config filter list delete...

Страница 171: ...le shows how to display the configuration for area 15 1 1 1 config router ospf config area edit 15 1 1 1 show end config range Access the config range subcommand using the config area command Use the...

Страница 172: ...how to display the configuration for area 15 1 1 1 Note Only the prefix keyword is required All other keywords are optional range command keywords and variables Keywords and variables Description Defa...

Страница 173: ...link allows traffic from the area to transit a directly connected area to reach the backbone The transit area cannot be a stub area Virtual links can only be set up between two area border routers AB...

Страница 174: ...t authentication The authentication key must be the same on both ends of the virtual link The maximum length for the authentication key is 15 characters No default All models authentication must be se...

Страница 175: ...fig router ospf command retransmit interval seconds_integer The time in seconds to wait before sending a LSA retransmission The value for the retransmit interval must be greater than the expected roun...

Страница 176: ...distribute list edit id_integer unset keyword end config distribute list delete id_integer end config distribute list edit id_integer get end config distribute list edit id_integer show end Example T...

Страница 177: ...or distribute list 2 config router ospf config distribute list edit 2 show end config neighbor Access the config neighbor subcommand using the config router ospf command Use this command to manually c...

Страница 178: ...other keywords are optional neighbor command keywords and variables Keywords and variables Description Default Availability cost cost_integer Enter the cost to use for this neighbor The valid range fo...

Страница 179: ...d_integer end config network edit id_integer get end config network edit id_integer show end Example Use the following command to enable OSPF for the interfaces attached to networks specified by the I...

Страница 180: ...nterface command syntax pattern config ospf interface edit interface name_str set keyword variable end config ospf interface edit interface name_str unset keyword end config ospf interface delete inte...

Страница 181: ...outer is mistakenly added to the network If you configure authentication for the interface authentication for areas is not used All routers on the network must use the same authentication type none Al...

Страница 182: ...y without unsetting all of the keys The key ID and key must be the same on all neighboring routers The valid range for id_integer is 1 to 255 key_str is an alphanumeric string of up to 16 characters N...

Страница 183: ...riority router ID is used Point to point networks do not elect a DR or BDR therefore this setting has no effect on a point to point network The valid range for priority_integer is 0 to 255 1 All model...

Страница 184: ...ion key a2b3c4d5e end end This example shows how to display the settings for the OSPF interface configuration named test config router ospf config ospf interface edit test get end This example shows h...

Страница 185: ...outer ospf config summary address Access the config summary address subcommand using the config router ospf command redistribute command keywords and variables Keywords and variables Description Defau...

Страница 186: ...d get router ospf show router ospf Example This example shows how to summarize routes using the prefix 10 0 0 0 255 0 0 0 config router ospf config summary address edit 5 set prefix 10 0 0 0 255 0 0 0...

Страница 187: ...route that best matches the destination address of the packet If a match is not found the FortiGate unit routes the packet using the default route Command syntax pattern config router static6 edit seq...

Страница 188: ...0 60 set gateway 12AB 0 0 CD30 123 4567 89AB CDEF end This example shows how to display the list of IPV6 static route numbers get router static6 This example shows how to display the settings for IPV6...

Страница 189: ...t Each policy can be individually configured to route connections or apply network address translation NAT to translate source and destination IP addresses and ports You can add IP pools to use dynami...

Страница 190: ...ing firewall policies How policy matching works When the FortiGate unit receives a connection attempt at an interface it selects a policy list to search through for a policy that matches the connectio...

Страница 191: ...8 Schedule The schedule that controls when the policy should be active See Schedule on page 210 Service The service to which the policy applies See Service on page 202 Action The response to make when...

Страница 192: ...cy you must add it to the destination interface VLAN subinterface or zone For information about adding an address see Addresses on page x For NAT Route mode policies where the address on the destinati...

Страница 193: ...cy If you select NAT you can also select Dynamic IP Pool and Fixed Port NAT is not available in Transparent mode Dynamic IP Pool Select Dynamic IP Pool to translate the source address to an address ra...

Страница 194: ...user groups for authentication You can select Authentication for any service Users can authenticate with the firewall using HTTP Telnet or FTP For users to be able to authenticate you must add an HTT...

Страница 195: ...Serv capable routers sort IP traffic into classes by inspecting the DS field in IPv4 header or the Traffic Class field in the IPv6 header You can use the FortiGate DiffServ feature to change the DSCP...

Страница 196: ...hey have the results that you expect For information about arranging policies in a policy list see How policy matching works on page 190 To delete a policy 1 Go to Firewall Policy 2 Select the Delete...

Страница 197: ...to disable To enable a policy 1 Go to Firewall Policy 2 Select Enable Policy CLI configuration The natip keyword for the firewall policy command is used in encrypted VPN policies A natip address canno...

Страница 198: ...p options Configuring address groups firewall policy command keywords and variables Keywords and variables Description Default Availability natip address_ipv4mask Configure natip for a firewall policy...

Страница 199: ...subnet IP address 192 168 20 0 and Netmask 255 255 255 0 A single IP address for example IP Address 192 168 20 1 and Netmask 255 255 255 255 All possible IP addresses represented by IP Address 0 0 0...

Страница 200: ...add an address 1 Go to Firewall Address 2 Select Create New 3 Enter a name to identify the address 4 Enter the IP address and netmask or the IP address range 5 Select OK To edit an address Edit an ad...

Страница 201: ...icons and features Address group options Address group options are configurable when creating or editing an address group Figure 87 Address group options Address group has the following options Note I...

Страница 202: ...ress Group 2 Select the Delete icon beside the address group you want to delete 3 Select OK To edit an address group 1 Go to Firewall Address Group 2 Select the Edit icon beside the address group you...

Страница 203: ...cy Name The name of the predefined services Detail The protocol for each predefined service Table 21 FortiGate predefined services Service name Description Protocol Port ANY Match connections on any p...

Страница 204: ...on Union ITU that defines how audiovisual conferencing data is transmitted across networks tcp 1720 1503 HTTP HTTP is the protocol used by the word wide web for transferring data for web pages tcp 80...

Страница 205: ...nneling Protocol is a protocol that allows corporations to extend their own corporate network through private tunnels over the public Internet tcp 1723 QUAKE For connections used by the popular Quake...

Страница 206: ...nsfer protocol similar to FTP but with no security features udp 69 UDP All UDP ports udp 0 65535 UUCP Unix to Unix copy utility a simple file copying protocol udp 540 VDOLIVE For VDO Live streaming mu...

Страница 207: ...options are the same Source Port Specify the Source Port number range for the service by entering the low and high port numbers If the service uses one port number enter this number in both the low a...

Страница 208: ...Custom 2 Select Create New 3 Enter a name for the new custom ICMP service 4 Select ICMP as the Protocol Type 5 Enter the ICMP type number and code number for the service 6 Select OK You can now add t...

Страница 209: ...group can contain predefined services and custom services in any combination You cannot add service groups to another service group Figure 93 Sample service group list The service group list has the...

Страница 210: ...vice Group 2 Select the Edit icon beside the service group you want to modify 3 Make any required changes 4 Select OK Schedule Use schedules to control when policies are active or inactive You can cre...

Страница 211: ...vices on the Internet at all times You can add a one time schedule to block access to the Internet during a holiday period Figure 95 Sample one time schedule list The one time schedule list has the fo...

Страница 212: ...the one time schedule you want to modify 3 Modify the schedule as required 4 Select OK to save the changes Recurring schedule list You can create a recurring schedule that activates or deactivates pol...

Страница 213: ...edule Recurring schedules use a 24 hour clock 6 Select OK To delete a recurring schedule 1 Go to Firewall Schedule Recurring 2 Select the Delete icon beside the recurring schedule you want to delete 3...

Страница 214: ...add an external DMZ firewall policy and set Destination to the virtual IP You can create three types of virtual IPs This section describes Virtual IP list Virtual IP options Configuring virtual IPs No...

Страница 215: ...tatic NAT or port forwarding Figure 100 Virtual IP options static NAT Figure 101 Virtual IP options port forwarding Create New Select Create New to add a virtual IP Name The name of the virtual IP IP...

Страница 216: ...selected in step 4 However the external IP address must be routed to the selected interface The virtual IP address and the external IP address can be on different subnets 7 Enter the Map to IP addres...

Страница 217: ...ess must be routed to the external interface selected in step 4 The virtual IP address and the external IP address can be on different subnets 7 Enter the External Service Port number for which you wa...

Страница 218: ...o a PPTP server the external service port number should be 1723 the PPTP port See PPTP passthrough on page 262 for more information 8 Enter the Map to IP address to which to map the external IP addres...

Страница 219: ...nd select the IP pool to use when configuring a firewall policy You can enter an IP address range using the following formats x x x x x x x x for example 192 168 110 100 192 168 110 120 x x x x x for...

Страница 220: ...odify the IP pool as required 4 Select OK to save the changes IP Pools for firewall policies that use fixed ports Some network configurations do not operate correctly if a NAT policy translates the so...

Страница 221: ...nnection As a result connections to the Internet appear to be originating from any of the IP addresses in the IP pool Protection profile Use protection profiles to apply different protection settings...

Страница 222: ...ible if it is selected in a firewall policy or included in a user group Strict To apply maximum protection to HTTP FTP IMAP POP3 and SMTP traffic You may not wish to use the strict protection profile...

Страница 223: ...nable or disable virus scanning for viruses and worms for each protocol HTTP FTP IMAP POP3 SMTP Grayware if enabled in Antivirus Config Config is included with the Virus Scan Heuristic if enabled in t...

Страница 224: ...ords and patterns in the content block list Web URL Block Enable or disable web page filtering for HTTP traffic based on the URL block list Web Exempt List Enable or disable web page filtering for HTT...

Страница 225: ...pages to circumvent web category blocking Allow websites when a rating error occurs HTTP only Allow web pages that return a rating error from the web filtering service Category The FortiGuard web filt...

Страница 226: ...ows you to append a custom tag to the subject or header of email identified as spam For SMTP you can choose between tagged or discard Discard immediately drops the connection You can tag email by appe...

Страница 227: ...tection profile to a policy You can enable protection profiles for firewall policies with action set to allow or encrypt and with service set to ANY HTTP FTP IMAP POP3 SMTP or a service group that inc...

Страница 228: ...on profiles Use protection profiles to apply different protection settings for traffic controlled by firewall policies Command syntax pattern config firewall profile edit profilename_str set keyword v...

Страница 229: ...letes When downloading files from an FTP server the FortiGate unit sends 1 byte every 30 seconds to prevent the client from timing out during scanning and download If a virus is detected the FortiGate...

Страница 230: ...he FortiGate unit to simultaneously scan an email and send it to the SMTP server If the FortiGate unit detects a virus it terminates the server connection and returns an error message to the sender li...

Страница 231: ...profile command get firewall profile This example shows how to display the settings for the spammail profile get firewall profile spammail This example shows how to display the configuration for the f...

Страница 232: ...232 01 28006 0068 20041105 Fortinet Inc CLI configuration Firewall...

Страница 233: ...fy the user s credentials locally or using an external LDAP or RADIUS server Authentication expires if the user leaves the connection idle for longer than the authentication timeout period You need to...

Страница 234: ...Local Go to User Local to add local user names and configure authentication Local user list Figure 112 Local user list Local user options Figure 113 Local user options Create New Add a new local user...

Страница 235: ...er for authentication The default port for RADIUS traffic is 1812 If your RADIUS server is using port 1645 you can use the CLI to change the default RADIUS port For more information see the config sys...

Страница 236: ...server name that you want to delete 3 Select OK LDAP If you have configured LDAP support and a user is required to authenticate using an LDAP server the FortiGate unit contacts the LDAP server for aut...

Страница 237: ...ist Figure 116 LDAP server list LDAP server options Figure 117 LDAP server configuration Create New Add a new LDAP server Server Name IP The domain name or IP address of the LDAP server Port The port...

Страница 238: ...P 2 Select Delete beside the LDAP server name that you want to delete 3 Select OK Common Name Identifier Enter the common name identifier for the LDAP server The common name identifier for most LDAP s...

Страница 239: ...g XAuth The FortiGate PPTP configuration Only users in the selected user group can use PPTP The FortiGate L2TP configuration Only users in the selected user group can use L2TP When you add user names...

Страница 240: ...lect an LDAP server from the Available Users list and select the right arrow to add the LDAP server to the Members list 7 To remove users RADIUS servers or LDAP servers from the user group select a us...

Страница 241: ...t keyword variable config user peer edit name_str unset keyword config user peer delete name_str get user peer name_str show user peer name_str Example This example shows how to add the branch_office...

Страница 242: ...onfig user peergrp delete name_str get user peergrp name_str show user peergrp name_str Example This example shows how to add peers to the peergrp EU_branches config user peergrp edit EU_branches set...

Страница 243: ...ide 01 28006 0068 20041105 243 get user peergrp EU_branches This example shows how to display the configuration for all the peers groups show user peergrp This example shows how to display the configu...

Страница 244: ...244 01 28006 0068 20041105 Fortinet Inc peergrp Users and authentication...

Страница 245: ...col L2TP This chapter contains information about the following VPN topics Phase 1 Phase 2 Manual key Concentrator Ping Generator Monitor PPTP L2TP Certificates CLI configuration Authenticating peers w...

Страница 246: ...igure Phase 1 list Figure 120 IPSec VPN Phase 1 list Create New Select Create New to add a Phase 1 configuration also called a remote gateway Gateway Name The names of the Phase 1 configurations remot...

Страница 247: ...d certain fields may become available or be removed IP Address If you select Static IP Address for Remote Gateway enter the IP address of the gateway or client Dynamic DNS If you select Dynamic DNS fo...

Страница 248: ...r certificate name of the remote client or peer for the remote client or peer to start a VPN session with the FortiGate unit Select Accept any peer ID to accept the local ID or peer ID of any remote c...

Страница 249: ...or authentication enter the distinguished name DN of the local certificate XAuth You can configure the FortiGate unit as an Extended Authentication XAuth client or an XAuth server For more information...

Страница 250: ...PAP between the XAuth client and the FortiGate unit and CHAP between the FortiGate unit and the authentication server Use CHAP whenever possible Use PAP if the authentication server does not support...

Страница 251: ...he peer identification process For information about how to create a Phase 1 Dialup User configuration see Dialup VPN on page 279 If the tunnel is to connect a static remote gateway select the name of...

Страница 252: ...g an encrypted session NULL Do not use a message digest MD5 Message Digest 5 the hash algorithm developed by RSA Data Security SHA1 Secure Hash Algorithm 1 which produces a 160 bit message digest To s...

Страница 253: ...autokey keep alive to keep the VPN connection open even if no data is being transferred DHCP IPSec If the tunnel will service remote dialup clients that broadcast a DHCP request when connecting to th...

Страница 254: ...a name for the VPN tunnel Local SPI The local Security Parameter Index SPI identifies the local manual key VPN peer Enter a hexadecimal number digits can be 0 to 9 a to f in the range bb8 to FFFFFFF T...

Страница 255: ...into two segments of 16 characters For AES192 enter a 48 character 24 byte hexadecimal number 0 9 A F Separate the number into three segments of 16 characters For AES256 enter a 64 character 32 byte...

Страница 256: ...ds through two tunnels simultaneously The ping interval is fixed at 40 seconds The source and destination IP addresses refer to the source and destination addresses of IP packets that are to be transp...

Страница 257: ...n about tunnel connections including addressing proxy IDs and status information To monitor a VPN tunnel 1 Go to VPN IPSEC Monitor You can establish or take down a VPN tunnel manually through the Moni...

Страница 258: ...another tunnel can be initiated Flush dialup tunnels icon Stop all dialup tunnels and stop the traffic passing through all dialup tunnels Dialup users may have to re connect to establish new VPN sess...

Страница 259: ...r group add a user name for each PPTP client You can add users to the FortiGate user database to authentication servers RADIUS or LDAP or to both See Users and authentication on page 233 2 Enable PPTP...

Страница 260: ...web server set the service to HTTP See To add a firewall policy on page 196 6 Configure the Windows clients See Configuring a Windows 2000 client for PPTP Configuring a Windows XP client for PPTP Enab...

Страница 261: ...d in the previous procedure 2 Enter your PPTP VPN User Name and Password 3 Select Connect 4 In the connect window enter the User Name and Password that you use to connect to your dialup network connec...

Страница 262: ...not the same as your VPN user name and password PPTP passthrough The FortiGate unit supports PPTP passthrough by configuring a port forwarding virtual IP to use port 1723 Normally PPTP passthrough re...

Страница 263: ...on to internal 4 For Address name Set Source to All Set Destination to PPTP_pass 5 Set Schedule as required 6 Set Service to ANY 7 Set action to ACCEPT 8 Select NAT 9 Select OK L2TP You can set up VPN...

Страница 264: ...ress is the L2TP range See To add an address on page 200 4 Add a destination address The destination address is the address to which the L2TP clients can connect For example if the destination address...

Страница 265: ...ation Address enter the address of the FortiGate unit to connect to and select Next 5 Set Connection Availability to Only for myself and select Next 6 Select Finish 7 In the Connect window select Prop...

Страница 266: ...filter that uses CA authentication Instead it checks for a local or active directory IPSec policy To connect to the L2TP VPN 1 Start the dialup connection that you configured in the previous procedur...

Страница 267: ...ptions are not selected File and Printer Sharing for Microsoft Networks Client for Microsoft Networks To disable IPSec 1 Select the Networking tab 2 Select Internet Protocol TCP IP properties 3 Double...

Страница 268: ...a private key a public key and some identifying information that has been digitally signed by a trusted third party known as a certificate authority CA Because CAs can be trusted the certificates iss...

Страница 269: ...to the X 509 standard To generate a certificate request 1 Go to VPN Certificates Local Certificates 2 Select Generate 3 Enter a Certificate Name Typically this is the name of the FortiGate unit being...

Страница 270: ...te units support all three key sizes 7 Select OK The request is generated and displayed in the Local Certificates list with a status of Pending 8 Select the Download button to download the request to...

Страница 271: ...ates Local Certificates Certificate Name Type a certificate name Subject Information Enter an ID type and the related information for the FortiGate unit being certified You can use one of the followin...

Страница 272: ...lders When a VPN peer is configured to authenticate using digital certificates it sends the Distinguished Name DN on its certificate to the remote peer This DN can be used to deny VPN access For examp...

Страница 273: ...before it can be selected here For more information see the config user chapter of the CLI Reference Guide 3 If you want to define the DN of the FortiGate unit select Advanced and from the Local ID l...

Страница 274: ...period of time expires whenever the local peer sends traffic to the remote VPN peer it will also send a DPD probe to determine the status of the link The dpd idleworry range is 1 to 300 To control th...

Страница 275: ..._GW set Type dynamic set proposal des md5 set authmethod psk set psksecret Qf2p3O93jIj2bz7E set mode aggressive set dpd enable set dpd idlecleanup 1000 set dpd idleworry 150 set dpd retrycount 5 set d...

Страница 276: ...to the intended destinations automatically Each IPSec VIP entry is identified by an integer An entry identifies the name of the FortiGate interface to the destination network and the IP address of a...

Страница 277: ...t out interface external next edit 2 set ip 192 168 12 2 set out interface external end This example shows how to display the settings for the vpn ipsec vip command get vpn ipsec vip This example show...

Страница 278: ...d to as adding a tunnel See Phase 2 on page 250 4 Add the firewall configuration required for the VPN See Adding firewall policies for IPSec VPN tunnels on page 280 Gateway to gateway VPN Using a peer...

Страница 279: ...Dynamic DNS VPN allows remote users or gateways with dynamic IP addresses to use VPN to connect to a private network In this case the gateway or client at the remote end of the VPN tunnel has a dynami...

Страница 280: ...ormation about firewall policies You can also use firewall policies for IPSec VPN to apply protection profiles to VPN traffic to log IPSec VPN traffic and to apply advanced features to IPSec VPN traff...

Страница 281: ...tion policy direction See Setting the encryption policy direction on page 280 3 Add the source and destination addresses See To add an address on page 200 4 Set Action to ENCRYPT 5 From the VPN tunnel...

Страница 282: ...virtual source interface Then create Internet access policies for VPN users For example if the virtual source interface is VLAN_21 and the wan 1 interface is connected to the Internet you would requi...

Страница 283: ...n to define the parameters used to authenticate the remote VPN peer 2 Set other phase 1 options as required See Phase 1 on page 246 3 Add the phase 2 configuration to define the parameters used to cre...

Страница 284: ...is the address of the spoke either a client on the Internet or a network located behind a gateway See To add an address on page 200 3 Add the concentrator configuration This step groups the tunnels to...

Страница 285: ...le VPN concentrator configuration To add a VPN concentrator configuration 1 Go to VPN IPSEC Concentrator 2 Select New to add a VPN concentrator 3 Enter the name of the new concentrator in the Concentr...

Страница 286: ...the address of the spoke either a client on the Internet or a network located behind a gateway See To add an address on page 200 4 Add a separate outbound encrypt policy for each remote VPN spoke Thes...

Страница 287: ...e between two VPN peers one peer can have multiple Internet connections while the other has only one Internet connection In the case of an asymmetrical configuration the level of redundancy varies fro...

Страница 288: ...ee VPN connections If the Internet connections are in the same zone add one VPN tunnel and add the remote gateways to it You can add up to three remote gateways If the Internet connections are in sepa...

Страница 289: ...e two sites have been coordinated to protect against ambiguous routing no two IP addresses are the same Setting up a configuration like this involves performing the following tasks at FortiGate_1 and...

Страница 290: ...heck the remote peer software configuration Check the FortiGate firewall configuration Configuration Error Correction Wrong remote network information Check the IP addresses of the remote gateway and...

Страница 291: ...rofile select edit or Create New and select IPS See Protection profile options on page 222 Protection profile configuration For information about adding protection profiles to firewall policies see To...

Страница 292: ...tion to an extensive list of predefined attack signatures you can also create your own custom attack signatures for the FortiGate unit See Adding custom signatures on page 297 Predefined Predefined si...

Страница 293: ...rs Action can be Pass Drop Reset Reset Client Reset Server Drop Session Clear Session or Pass Session See Table 24 Revision The revision number for individual signatures To show the signature group me...

Страница 294: ...Used for TCP connections only If you set this action for non TCP connection based attacks the action will behave as Clear Session If the Reset Client action is triggered before the TCP connection is...

Страница 295: ...of a signature 1 Go to IPS Signature Predefined 2 Select the blue triangle next to a signature group name to display the members of that group 3 Select the Reset icon for the signature you want to res...

Страница 296: ...ut If a session is idle for longer than this number of seconds the session will not be maintained by tcp_reassembler min_ttl A packet with a higher ttl number in its IP header than the number specifie...

Страница 297: ...ustom signatures from the custom signature group Reset to recommended settings Reset all the custom signatures to the recommended settings Name The custom signature names Revision The revision number...

Страница 298: ...ssions targeting a single destination in one second is over a threshold the destination is experiencing flooding Scan If the number of sessions from a single source in one second is over a threshold t...

Страница 299: ...t Reset Server Drop Session Clear Session or Pass Session Modify The Edit and Reset icons If you have changed the settings for an anomaly you can use the Reset icon to change the settings back to the...

Страница 300: ...is fully established it acts as Clear Session Reset Client The FortiGate unit drops the packet that triggered the anomaly sends a reset to the client and removes the session from the FortiGate session...

Страница 301: ...ig limit edit name_str unset keyword end config limit delete name_str Example Use the following command to configure the limit for the tcp_src_session anomaly config ips anomaly tcp_src_session config...

Страница 302: ...tures for attacks that your system is not vulnerable to for example web attacks when you are not running a web server For more information on FortiGate logging and alert email see Log Report on page 3...

Страница 303: ...otocol HTTP FTP IMAP POP3 SMTP View a read only list of current viruses File Block Antivirus File Block Enable or disable file blocking for each protocol Configure file patterns to block enable or dis...

Страница 304: ...otect Center at http www fortinet com FortiProtectCenter To set up automatic and push updates see Update center on page 118 This chapter describes File block Quarantine Config CLI configuration File b...

Страница 305: ...am information files pif Figure 151 Default file block list File block list has the following icons and features Create New Select Create New to add a new file pattern to the file block list Apply Sel...

Страница 306: ...s Quarantined files list Quarantined files list options AutoSubmit list AutoSubmit list options Configuring the AutoSubmit list Config Quarantined files list The quarantined files list displays inform...

Страница 307: ...3fc155d2 oversize exe Date The date and time that the file was quarantined in the format dd mm yyyy hh mm This value indicates the time that the first file was quarantined if the duplicate count incr...

Страница 308: ...options AutoSubmit list has the following icons and features Configuring the AutoSubmit list To add a file pattern to the AutoSubmit list 1 Go to Anti Virus Quarantine AutoSubmit 2 Select Create New F...

Страница 309: ...time limit in hours for which to keep files in quarantine The age limit is used to formulate the value in the TTL column of the quarantined files list When the limit is reached the TTL column display...

Страница 310: ...the FortiGate unit to receive automatic updates daily or whenever required To manually upload a virus list update see Changing unit information on page 29 To find out how to use the Fortinet Update C...

Страница 311: ...ult all new categories are disabled Grayware is enabled in a protection profile when Virus Scan is enabled Grayware options Grayware categories are populated with known executable files Each time the...

Страница 312: ...ookmarks start pages and menu options Plugin Select enable to block browser plugins Browser plugins can often be harmless Internet browsing tools that are installed and operate directly from the brows...

Страница 313: ...or the antivirus heuristic command show antivirus heuristic quarantine The quarantine command also allows configuration of heuristic related settings Table 26 antivirus heuristic command keywords and...

Страница 314: ...Description Default Availability drop_heuristic ftp http imap pop3 smtp Do not quarantine files found by heuristic scanning in traffic for the specified protocols imap smtp pop3 http ftp FortiGate mod...

Страница 315: ...Gate unit handles antivirus scanning of large files how the FortiGate unit handles the buffering and uploading of files to an FTP server and what ports the FortiGate unit virus scans for FTP traffic C...

Страница 316: ...ure how the FortiGate unit handles antivirus scanning of large files and what ports the FortiGate unit virus scans for POP3 traffic Command syntax pattern config antivirus service pop3 set keyword var...

Страница 317: ...command to configure how the FortiGate unit handles antivirus scanning of large files and what ports the FortiGate unit virus scans for IMAP traffic Command syntax pattern config antivirus service ima...

Страница 318: ...s command to configure how the FortiGate unit handles antivirus scanning of large files in SMTP traffic and what ports the FortiGate unit scans for SMTP Command syntax pattern config antivirus service...

Страница 319: ...SMTP traffic Adding more ports for scanning does not erase the default port 25 Use the unset command to remove all ports from the list config antivirus service smtp set port 465 end This example shows...

Страница 320: ...320 01 28006 0068 20041105 Fortinet Inc service smtp Antivirus...

Страница 321: ...anned words and patterns in the content block list for HTTP traffic Add words and patterns to block web pages containing those words or patterns Web URL Block Web Filter URL Block Enable or disable we...

Страница 322: ...nt block Control web content by blocking specific words or word patterns The FortiGate unit blocks web pages containing banned words and displays a replacement message instead You can use Perl regular...

Страница 323: ...the regular expression i For example bad language i will block all instances of bad language regardless of case Wildcard patterns are not case sensitive Note Enable Web filtering Web Content Block in...

Страница 324: ...ct phrase 4 Set the pattern type if required 5 Select the language character set 6 Select Enable 7 Select OK URL block You can block access to specific URLs by adding them to the URL block list You ca...

Страница 325: ...file must be separated by hard returns to upload correctly Figure 161 Sample Web URL block list Web URL block options Web URL block has the following icons and features Configuring the web URL block l...

Страница 326: ...block all pages with a URL that ends with badsite com add badsite com to the block list For example adding badsite com blocks access to www badsite com mail badsite com www finance badsite com and so...

Страница 327: ...n Block 3 Select Create New Figure 164 Adding a new pattern 4 Enter a pattern to add to the web pattern block list 5 Select Enable 6 Select OK URL exempt This section describes URL exempt list URL exe...

Страница 328: ...add a URL to the URL exempt list 1 Go to Web Filter URL Exempt 2 Select Create New Figure 166 Adding a new exempt URL 3 Enter the URL to add to the URL exempt list 4 Select Enable Note Enable Web fil...

Страница 329: ...Categories may be added to or updated as the Internet evolves Users can also choose to allow block or monitor entire groups of categories to make configuration simpler Blocked pages are replaced with...

Страница 330: ...on options If you have ordered FortiGuard through Fortinet technical support or are using the free 30 day trial you only need to enable the service to start configuring and using FortiGuard Figure 167...

Страница 331: ...on page 224 and FortiGuard categories on page 367 Once you select Apply the FortiGuard license type and expiration date appears on the configuration screen Web Filter Category Block Category block re...

Страница 332: ...eference Guide for descriptions of all webfilter catblock keywords Profile Select the profile for which you want to generate a report Report Type Select the time frame for which you want to generate t...

Страница 333: ...the configuration for the catblock settings show webfilter catblock If the show command returns you to the prompt the settings are at default Script filter You can configure the FortiGate unit to filt...

Страница 334: ...ptions for script filtering Note Enable Web filtering Web Script Filter in your firewall Protection Profile to activate the script filter settings Javascript Select Javascript to block all Javascript...

Страница 335: ...Enable or disable checking incoming IP addresses against the configured spam filter IP address list SMTP only Add to and edit IP addresses to the list You can configure the action to take as spam clea...

Страница 336: ...ers against the configured spam filter MIME header list Add to and edit MIME headers to the list with the option of using wildcards and regular expressions You can configure the action to take as spam...

Страница 337: ...es the IP address list from email captured by spam probes located around the world Spam probes are email addresses purposely configured to attract spam and identify known spam sources to create the an...

Страница 338: ...P addresses You can mark each IP address as clear spam or reject You can filter single IP addresses or a range of addresses at the network level by configuring an address and mask Figure 170 Sample IP...

Страница 339: ...rvers known as open relays which some spammers use to send unsolicited bulk email There are also several free and subscription servers available that provide reliable access to continually updated RBL...

Страница 340: ...RBL or ORDBL server 3 Enter the domain name of the RBL or ORDBL server you want to add 4 Select the action to take on email matched by the server 5 Select Enable 6 Select OK Create New Select Create...

Страница 341: ...from a domain such as sample net You can mark each email address as clear or spam Figure 174 Sample email address list Email address options Email address list has the following icons and features Co...

Страница 342: ...text html Content_Type image jpg The first part of the MIME header is called the header key or just header The second part is called the value Spammers will often insert comments into header values or...

Страница 343: ...1 Go to Spam Filter MIME headers Create New Select Create New to add a MIME header to the MIME headers list Total The number of items in the list The Page up Page down and Remove all entries icons He...

Страница 344: ...ns on page 346 This section describes Banned word list Banned word options Configuring the banned word list Banned word list You can add one or more banned words to sort email containing those words i...

Страница 345: ...from wildcard or regular expression See Using Perl regular expressions on page 346 Language The character set to which the banned word belongs Simplified Chinese Traditional Chinese French Japanese Ko...

Страница 346: ...o any single character It is similar to the character in wildcard match pattern As a result fortinet com not only matches fortinet com but also matches fortinetacom fortinetbcom fortinetccom and so on...

Страница 347: ...end of the string a b either of a and b abc abc the string abc at the beginning or at the end of the string ab 2 4 c an a followed by two three or four b s followed by a c ab 2 c an a followed by at...

Страница 348: ...cd perl B perl when not followed by a word boundary e g in perlert but not in perl stuff x tells the regular expression parser to ignore white space that is neither backslashed nor within a character...

Страница 349: ...on You can configure the FortiGate unit to send alert email to up to three recipients when selected events occur It is not necessary for an event to be logged to trigger an alert email The FortiGate u...

Страница 350: ...28 52 device_id APS3012803033139 log_id 0101023002 type event subtype ipsec pri notice loc_ip 172 16 81 2 loc_port 500 rem_ip 172 16 81 1 rem_port 500 out_if dmz vpn_tunnel ToDmz action negotiate ini...

Страница 351: ...s full the FortiGate unit begins to overwrite the oldest messages All log entries are deleted when the FortiGate unit restarts Syslog A remote computer running a syslog server WebTrends A remote compu...

Страница 352: ...g file is started Roll log policy The policy to follow for saving the current log and starting a new active log Overwritten deletes the oldest log entry when the disk is full Block traffic stops all n...

Страница 353: ...ve the logging severity level you select For example if you select Error the unit logs Error Critical Alert and Emergency level messages See Table 36 Logging severity levels on page 352 Facility Facil...

Страница 354: ...lert email Test Select Test to send a test alert email to the configured recipients Level The FortiGate unit sends alert email for all messages at and above the logging severity level you select Emerg...

Страница 355: ...alert email 7 Select Apply Log filter options For each logging location you enable you can create a customized log filter based on the log types described in the following sections Information The in...

Страница 356: ...routing gateway has been added You can apply the following filters Policy allowed traffic The FortiGate unit logs all traffic that is allowed according to the firewall policy settings Policy violatio...

Страница 357: ...ate unit logs all pattern update events such as antivirus and IPS pattern updates and update failures Virus infected The FortiGate unit logs all virus infections Filename blocked The FortiGate unit lo...

Страница 358: ...nterface 2 Select the Edit icon for an interface 3 Select Log 4 Select OK 5 Repeat steps 1 through 4 for each interface for which you want to enable logging 6 Make sure you enable traffic logs for a l...

Страница 359: ...ges Searching log messages Figure 184 Sample list of logs stored on the FortiGate disk Viewing log messages You can view log messages saved to the memory buffer Figure 185 Viewing log messages The fol...

Страница 360: ...lines in the log Search Type a search word and select Go Advanced Search Select to search log messages by date time and keywords Column settings button Select to choose columns for log display Raw or...

Страница 361: ...e fields list and then select Move Up or Move Down as necessary 5 Select OK Searching log messages There are two ways to search log messages a simple keyword search or an advanced search that enables...

Страница 362: ...tting unset keyword get log fortilog setting show log fortilog setting all of the following The message must contain all of the keywords any of the following The message must contain at least one of t...

Страница 363: ...ate unit to send logs to a remote computer running a syslog server Command syntax pattern config log syslogd setting set keyword variable psksecret str_psk Enter the pre shared key for the IPSec VPN t...

Страница 364: ...audit auth authpriv clock cron daemon ftp kernel local0 local1 local2 local3 local4 local5 local6 local7 lpr mail news ntp syslog user uucp Enter the facility type Also known as message category faci...

Страница 365: ...lay the configuration for logging to a remote syslog server show log syslogd setting If the show command returns you to the prompt the settings are at default Table 37 Facility types Facility type Des...

Страница 366: ...366 01 28006 0068 20041105 Fortinet Inc syslogd setting Log Report...

Страница 367: ...sites that provide information about or promote the cultivation preparation or use of marijuana 2 Cult or Occult Sites that provide information about or promote religions not specified in Traditional...

Страница 368: ...y with no pornographic intent 9 Advocacy Groups Sites that promote change or reform in public policy public opinion social practice economic activities and relationships 10 Alcohol and Tobacco Sites t...

Страница 369: ...scussion groups message boards and list servers includes blogs and mail magazines Digital post cards Sites for sending viewing digital post cards 22 Pay to Surf Sites that pay users to view Web sites...

Страница 370: ...nformation about or cater to gay lesbian or bisexual lifestyles including those that support online shopping but excluding those that are sexually or issue oriented 33 Health Sites that provide inform...

Страница 371: ...ns devoted to professional advancement or workers interests Service and Philanthropic Organizations Sites sponsored by or that support or offer information about organizations devoted to doing good as...

Страница 372: ...ated business firms including sites supporting the sale of hardware software peripherals and services 53 Military Organizations Military Sites sponsored by branches or agencies of the armed services O...

Страница 373: ...32 32 32 32 32 32 system interface ip6 prefix list 32 32 32 32 32 32 32 32 32 32 32 32 32 system ipv6_tunnel 4 4 4 4 4 4 4 4 4 4 4 4 4 system accprofile 8 8 8 16 16 16 16 16 64 64 64 64 64 system adm...

Страница 374: ...500 500 500 500 500 500 firewall service group member 300 300 300 300 300 300 300 300 300 300 300 300 300 firewall schedule onetime 256 500 256 256 256 256 256 256 256 256 256 256 256 firewall schedu...

Страница 375: ...stem memory and performance considerations ips anomaly limit 100 100 100 100 100 100 100 100 100 100 100 100 100 ips custom 32 32 32 32 32 32 32 32 32 32 32 32 32 log trafficfilter rule 50 50 50 50 50...

Страница 376: ...100 100 100 100 router ospf network 100 100 100 100 100 100 100 100 100 100 100 100 100 router ospf neighbor 10 10 10 10 10 10 10 10 10 10 10 10 10 router ospf passive interface 100 100 100 100 100 10...

Страница 377: ...ages are formatted and transmitted and what actions Web servers and browsers should take in response to various commands HTTPS The SSL protocol for transmitting private documents over the Internet usi...

Страница 378: ...o the specified address and waiting for a reply POP3 Post Office Protocol A protocol used to transfer e mail from a mail server to a mail client across the Internet Most e mail clients use POP PPP Poi...

Страница 379: ...networks TCP guarantees delivery of data and also guarantees that packets will be delivered in the same order in which they were sent UDP User Datagram Protocol A connectionless protocol that like TC...

Страница 380: ...380 01 28006 0068 20041105 Fortinet Inc Glossary...

Страница 381: ...bandwidth guaranteed 195 196 maximum 195 196 banned word spam 344 bindtoif 276 browsing the Internet through a VPN tunnel 253 281 C CA certificates 271 Certificate Name 248 271 CLI 18 upgrading the fi...

Страница 382: ...258 Dynamic DNS VPN 279 dynamic IP pool IP pool 199 234 235 237 239 dynamic port forwarding 214 218 E Email address 341 Enable perfect forward secrecy PFS 252 Enable replay detection 252 Encryption 24...

Страница 383: ...nitor active sessions 96 CPU usage 96 intrusion detected 96 memory usage 96 monitor 96 network utilization 96 total bytes 96 total packets 96 up time 96 virus detected 96 heartbeat failover 84 heartbe...

Страница 384: ...itor 96 metric 185 metric type 185 MIB FortiGate 101 MIME headers 342 Mode 246 247 mode HA 86 Transparent 16 monitor HA monitor 96 IPSec VPN 257 monitor priorities HA 90 mtu 182 MTU size 53 definition...

Страница 385: ...erver 122 push updates 122 push update configuring 123 external IP address changes 123 management IP address changes 124 through a NAT device 124 through a proxy server 122 Q Quarantine 306 Quarantine...

Страница 386: ...interval 82 synchronize with NTP server 82 Syslog logging settings 353 system configuration 81 system date and time setting 81 system options changing 82 T tag 185 186 TCP custom service 206 207 tech...

Страница 387: ...ring introduction 14 Web filter 321 367 content block 322 Web pattern block 326 Web script filter options 334 Web URL block list 325 web based manager introduction 18 language 83 timeout 83 WebTrends...

Страница 388: ...388 01 28006 0068 20041105 Fortinet Inc Index...

Отзывы:

Нет отзывов

Бренды по названию

Популярные бренды

Загрузить еще бренды