Fortinet FortiGate FortiGate-50 Скачать руководство пользователя страница 141

Страница: 141 / 240

Firewall configuration

Content profiles

FortiGate-50 Installation and Configuration Guide

141

Default content profiles

The FortiGate unit has the following four default content profiles under

Firewall >

Content Profile

. You can use these existing content profiles or create your own:

Adding a content profile

If the default content profiles do not provide the protection that you require, you can
create new content profiles customized to your requirements.

Go to

Firewall > Content Profile

Select New.

Type a Profile Name.

Enable antivirus protection options.

Enable Web filtering options.

Enable Email filter protection options.

Strict

To apply maximum content protection to HTTP, FTP, IMAP, POP3, and

SMTP content traffic. You would not use the strict content profile under

normal circumstances, but it is available if you are having extreme problems

with viruses and require maximum content screening protection.

Scan

Use the scan content profile to apply antivirus scanning to HTTP, FTP, IMAP,

POP3, and SMTP content traffic.

Web

Apply antivirus scanning and Web content blocking to HTTP content traffic.

You can add this content profile to firewall policies that control HTTP traffic.

Unfiltered

Use the unfiltered content profile if you do not want to apply any content

protection to content traffic. You can add this content profile to firewall

policies for connections between highly trusted or highly secure networks

where content does not need to be protected.

Anti Virus Scan

Scan web, FTP, and email traffic for viruses and worms. See

“Antivirus

scanning” on page 204

File Block

Delete files with blocked file patterns even if they do not contain

viruses. You should only enable file blocking when a virus has been

found that is so new that virus scanning does not detect it. See

“File

blocking” on page 205

Note:

If both virus Scan and File Block are enabled, the FortiGate unit blocks files that match

enabled file patterns before they are scanned for viruses.

Web URL Block

Block unwanted web pages and web sites. This option adds Fortinet

URL blocking (see

“URL blocking” on page 209

) and Cerberian URL

filtering (see

“Using the Cerberian web filter” on page 212

) to HTTP

traffic accepted by a policy.

Web Content Block

Block web pages that contain unwanted words or phrases. See

“Content blocking” on page 208

Web Script Filter

Remove scripts from web pages. See

“Script filtering” on page 214

Web Exempt List

Exempt URLs from web filtering and virus scanning. See

“Exempt

URL list” on page 215

Email Block List

Add a subject tag to email from unwanted addresses. See

“Email

block list” on page 219

Email Exempt List

Exempt sender address patterns from email filtering. See

“Email

exempt list” on page 219

Содержание FortiGate FortiGate-50

Страница 1: ...FortiGate 50 Installation and Configuration Guide INTERNAL EXTERNAL POWER STATUS FortiGate User Manual Volume 1 Version 2 50 MR2 18 August 2003...

Страница 2: ...t prior written permission of Fortinet Inc FortiGate 50 Installation and Configuration Guide Version 2 50 MR2 18 August 2003 Trademarks Products mentioned in this document are trademarks or registered...

Страница 3: ...e network configuration 23 Factory default Transparent mode network configuration 24 Factory default firewall configuration 24 Factory default content profiles 25 Planning your FortiGate configuration...

Страница 4: ...ng your FortiGate 45 Configuring virus and attack definition updates 45 Transparent mode configuration examples 46 Default routes and static routes 46 Example default route to an external network 47 E...

Страница 5: ...inet support password 84 Viewing the list of registered FortiGate units 84 Registering a new FortiGate unit 85 Adding or changing a FortiCare Support Contract number 85 Changing your Fortinet support...

Страница 6: ...105 Configuring SNMP 106 Configuring the FortiGate unit for SNMP monitoring 106 Configuring FortiGate SNMP support 106 FortiGate MIBs 107 FortiGate traps 108 Customizing replacement messages 108 Cust...

Страница 7: ...ets going through the firewall 137 Configuring IP MAC binding for packets going to the firewall 138 Adding IP MAC addresses 138 Viewing the dynamic IP MAC list 139 Enabling IP MAC binding 139 Content...

Страница 8: ...ss 169 Adding a destination address 169 Adding an encrypt policy 169 IPSec VPN concentrators 171 VPN concentrator hub general configuration steps 171 Adding a VPN concentrator 173 VPN spoke general co...

Страница 9: ...ack log 200 Reducing the number of NIDS attack log and email messages 201 Antivirus protection 203 General configuration steps 203 Antivirus scanning 204 File blocking 205 Blocking files in firewall t...

Страница 10: ...Adding a subject tag 220 Logging and reporting 221 Recording logs 221 Recording logs on a remote computer 221 Recording logs on a NetIQ WebTrends server 222 Filtering log messages 222 Configuring tra...

Страница 11: ...oute mode In NAT Route mode the FortiGate 50 is installed as a privacy barrier between the internal network and the Internet The firewall provides network address translation NAT to protect the intern...

Страница 12: ...twork System configuration describes system administration tasks available from the System Config web based manager pages This chapter describes setting system time adding and changed administrative u...

Страница 13: ...tes an ASCII string variable keyword xxx_integer indicates an integer variable keyword xxx_ip indicates an IP address variable keyword vertical bar and curly brackets to separate alternative mutually...

Страница 14: ...uration information for FortiGate PPTP and L2TP VPN and VPN configuration examples Volume 3 FortiGate Content Protection Guide Describes how to configure antivirus protection web content filtering and...

Страница 15: ...is available from the following addresses For information on Fortinet telephone support see http support fortinet com When requesting technical support please provide the following information Your n...

Страница 16: ...16 Fortinet Inc Customer service and technical support Introduction...

Страница 17: ...e following If you are going to operate the FortiGate unit in NAT Route mode go to NAT Route mode installation on page 33 If you are going to operate the FortiGate unit in Transparent mode go to Trans...

Страница 18: ...arance on each side to allow for adequate air flow and cooling Dimensions 8 63 x 6 13 x 1 38 in 21 9 x 15 6 x 3 5 cm Weight 1 5 lb 0 68 kg Power requirements DC input voltage 5 V DC input current 3 A...

Страница 19: ...e FortiGate 50 unit is starting up and remains lit when the system is up and running Table 1 FortiGate 50 LED indicators LED State Description Power Green The FortiGate unit is powered on Off The Fort...

Страница 20: ...he management computer to obtain an IP address automatically using DHCP The FortiGate DHCP server assigns the management computer an IP address in the range 192 168 1 1 to 192 168 1 254 2 Using the cr...

Страница 21: ...null modem cable included in your FortiGate package terminal emulation software such as HyperTerminal for Windows To connect to the CLI 1 Connect the null modem cable to the communications port of you...

Страница 22: ...d then configure the FortiGate unit onto your network in Transparent mode Once the network configuration is complete you can perform additional configuration tasks such as setting system time configur...

Страница 23: ...nfiguration When the FortiGate unit is first powered on it is running in NAT Route mode and has the basic network configuration listed in Table 3 This configuration allows you to connect to the FortiG...

Страница 24: ...presents all of the IP addresses on the external network Mask 0 0 0 0 Recurring Schedule Always The schedule is valid at all times This means that the firewall policy is valid at all times Firewall Po...

Страница 25: ...can be added to NAT Route mode and Transparent mode policies Traffic Shaping Traffic shaping is not selected The policy does not apply traffic shaping to the traffic controlled by the policy You can...

Страница 26: ...file to apply antivirus scanning to HTTP FTP IMAP POP3 and SMTP content traffic Table 6 Strict content profile Options HTTP FTP IMAP POP3 SMTP Antivirus Scan File Block Web URL Block Web Content Block...

Страница 27: ...ewall policies for connections between highly trusted or highly secure networks where content does not need to be protected Table 8 Web content profile Options HTTP FTP IMAP POP3 SMTP Antivirus Scan F...

Страница 28: ...n address and service In NAT mode the FortiGate performs network address translation before the packet is sent to the destination network In route mode no translation takes place By default the FortiG...

Страница 29: ...P addresses for the computers on your internal network You can also configure the FortiGate to allow Internet access to your internal Web FTP or email servers If you are configuring the FortiGate unit...

Страница 30: ...500 500 IP MAC binding 50 100 1000 1000 2000 2000 2000 5000 5000 5000 5000 Route 500 500 500 500 500 500 500 500 500 500 500 Policy route gateway 500 500 500 500 500 500 500 500 500 500 500 Admin use...

Страница 31: ...ortiGate unit is operating you can proceed to configure it to connect to networks If you are going to operate the FortiGate unit in NAT Route mode go to NAT Route mode installation on page 33 If you a...

Страница 32: ...32 Fortinet Inc Next steps Getting started...

Страница 33: ...ation If the factory default settings in Table 11 are compatible with your requirements all you need to do is configure your internal network and then connect the FortiGate unit Table 11 FortiGate uni...

Страница 34: ...mation in the rest of this chapter to change the default configuration as required Preparing to configure NAT Route mode Use Table 12 to gather the information that you need to customize NAT Route mod...

Страница 35: ...up wizard to change the IP address of the internal interface you must reconnect to the web based manager using a new IP address Browse to https followed by the new IP address of the internal interface...

Страница 36: ...of the external interface to the external IP address and netmask that you recorded in Table 12 on page 34 To set the manual IP address and netmask enter set system interface external static ip IP add...

Страница 37: ...ou can connect the FortiGate unit between your internal network and the Internet There are two 10 100 BaseTX connectors on the FortiGate 50 Internal for connecting to your internal network External fo...

Страница 38: ...ting the date and time For effective scheduling and logging the FortiGate system date and time should be accurate You can either manually set the system date and time or you can configure the FortiGat...

Страница 39: ...gistering FortiGate units on page 81 Configuring virus and attack definition updates You can go to System Update to configure the FortiGate unit to automatically check to see if new versions of the vi...

Страница 40: ...40 Fortinet Inc Completing the configuration NAT Route mode installation...

Страница 41: ...rks Completing the configuration Transparent mode configuration examples Preparing to configure Transparent mode Use Table 14 to gather the information that you need to customize Transparent mode sett...

Страница 42: ...Select Easy Setup Wizard the middle button in upper right corner of the web based manager 2 Use the information that you gathered in Table 14 on page 41 to fill in the wizard fields Select the Next bu...

Страница 43: ...onfiguring the Transparent mode management IP address 1 Log into the CLI if you are not already logged in 2 Set the management IP address and netmask to the IP address and netmask that you recorded in...

Страница 44: ...2 Connect the External interface to the Internet Connect to the public switch or router provided by your Internet Service Provider Figure 6 FortiGate 50 network connections In Transparent mode the For...

Страница 45: ...es Registering your FortiGate After purchasing and installing a new FortiGate unit you can register the unit by going to System Update Support or using a web browser to connect to http support fortine...

Страница 46: ...o enter one or more static routes in addition to the default route This section describes Default routes and static routes Example default route to an external network Example static route to an exter...

Страница 47: ...ch these destinations the FortiGate unit must connect to the upstream router leading to the external network To facilitate this connection you must enter a single default route that points to the upst...

Страница 48: ...Transparent Mode set system opmode transparent 2 Add the Management IP address and Netmask set system management ip 192 168 1 1 255 255 255 0 3 Add the default route to the external network set system...

Страница 49: ...eneral configuration steps 1 Set the FortiGate unit to operate in Transparent mode 2 Configure the Management IP address and Netmask of the FortiGate unit 3 Configure the static route to the FortiResp...

Страница 50: ...dd the static route to the FortiResponse server Destination IP 24 102 233 5 Mask 255 255 255 0 Gateway 192 168 1 2 Select OK Select New to add the default route to the external network Destination IP...

Страница 51: ...xt hop default gateway To reach the management computer you need to enter a single static route that leads directly to it This route will point to the internal router as the next hop No route is requi...

Страница 52: ...w to add the static route to the management computer Destination IP 172 16 1 11 Mask 255 255 255 0 Gateway 192 168 1 3 Select OK Select New to add the default route to the external network Destination...

Страница 53: ...efinition updates Manual attack definition updates Backing up system settings Restoring system settings Restoring system settings to factory defaults Changing to Transparent mode Changing to NAT Route...

Страница 54: ...re recent build of the same firmware version Revert to a previous firmware version Use the web based manager or CLI procedure to revert to a previous firmware version This procedure reverts your Forti...

Страница 55: ...must have a TFTP server that you can connect to from the FortiGate unit 1 Make sure that the TFTP server is running 2 Copy the new firmware image file to the root directory of the TFTP server 3 Log i...

Страница 56: ...een updated enter the following command to display the antivirus engine virus and attack definitions version contract expiry and last update attempt information get system objver Revert to a previous...

Страница 57: ...b content lists email filtering lists and changes to replacement messages Before running this procedure you can Backup the FortiGate unit configuration using the command execute backup config Backup t...

Страница 58: ...uild045 FORTINET out 192 168 1 168 The FortiGate unit uploads the firmware image file Once the file has been uploaded a message similar to the following is displayed Get image from tftp server OK This...

Страница 59: ...s configuration from the backup configuration file To install firmware from a system reboot 1 Connect to the CLI using the null modem cable and FortiGate console port 2 Make sure that the TFTP server...

Страница 60: ...mware image from TFTP server F Format boot device B Boot with backup firmware and set as default Q Quit menu and continue to boot with default firmware H Display this list of options Enter G F B Q or...

Страница 61: ...o restore web content and email filtering lists see the FortiGate Content Protection Guide If you are reverting to a previous firmware version for example reverting from FortiOS v2 50 to FortiOS v2 36...

Страница 62: ...rs FortiGate unit running v2 x BIOS Press Any Key To Download Boot Image FortiGate unit running v3 x BIOS Press any key to enter configuration menu 7 Immediately press any key to interrupt the system...

Страница 63: ...nitions You can use the following procedure to update the antivirus definitions manually 1 Download the latest antivirus definitions update file from Fortinet and copy it to the computer that you use...

Страница 64: ...e 6 Go to System Status to confirm that the Attack Definitions Version information has been updated Displaying the FortiGate serial number 1 Go to System Status The serial number is displayed in the S...

Страница 65: ...on or the antivirus or attack definitions 1 Go to System Status 2 Select Restore Factory Defaults 3 Select OK to confirm The FortiGate unit restarts with the configuration that it had when it was firs...

Страница 66: ...to System Status 2 Select Change to NAT Mode 3 Select NAT Route in the operation mode list 4 Select OK The FortiGate unit changes operation mode 5 To reconnect to the web based manager you must conne...

Страница 67: ...ually Viewing CPU and memory status Viewing sessions and network status Viewing virus and intrusions status Viewing CPU and memory status Current CPU and memory status indicates how close the FortiGat...

Страница 68: ...paring CPU and memory usage with session and network status you can see how much demand network traffic is placing on system resources Sessions displays the total number of sessions being processed by...

Страница 69: ...when the NIDS detects a network based attack 1 Go to System Status Monitor 2 Select Virus Intrusions Virus and intrusions status is displayed The display includes bar graphs of the number viruses and...

Страница 70: ...top 16 2 To page through the list of sessions select Page Up or Page Down 3 Select Refresh to update the session list 4 If you have logged in as an administrative user with read and write privileges...

Страница 71: ...er the FortiGate unit on the Fortinet Support web page This chapter describes Updating antivirus and attack definitions Registering FortiGate units Updating registration information Registering a Fort...

Страница 72: ...te external interface using UDP port 9443 To configure push updates see Configuring push updates on page 75 The FDN is a world wide network of FortiResponse Distribution Servers FDSs When your FortiGa...

Страница 73: ...unit and your network so that the FortiGate unit can connect to the Internet and to the FDN For example you may need to add routes to the FortiGate routing table or configure your network to allow the...

Страница 74: ...d attack definitions Update log messages are recorded on the FortiGate Event log 1 Go to Log Report Log Setting 2 Select Config Policy for the type of logs that the FortiGate unit is configured to rec...

Страница 75: ...dure the FortiGate unit must be able to connect to the FDN or to an override FortiResponse server 1 Go to System Update 2 Select Update Now to update the antivirus and attack definitions If the connec...

Страница 76: ...s Enabling push updates is not recommended as the only method for obtaining updates The push notification may not be received by the FortiGate unit Also when the FortiGate unit receives a push notific...

Страница 77: ...port forwarding virtual IP This virtual IP maps the IP address of the external interface of the FortiGate NAT device and a custom port to the IP address of the FortiGate unit on the internal network T...

Страница 78: ...e internal network To configure the FortiGate NAT device 1 Go to Firewall Virtual IP 2 Select New 3 Add a name for the virtual IP 4 Select the External interface that the FDN connects to For the examp...

Страница 79: ...rnal to internal firewall policy 2 Configure the policy with the following settings 3 Select OK Configure the FortiGate unit with an override push IP and port To configure the FortiGate unit on the in...

Страница 80: ...er name and password required for the proxy server to the autoupdate configuration The full syntax for enabling updates through a proxy server is set system autouopdate tunneling enable address proxy...

Страница 81: ...itional FortiGate units Add or change FortiCare Support Contract numbers for each FortiGate unit View and change registration information Download virus and attack definitions updates Download firmwar...

Страница 82: ...rmation including First and last name Company name Email address Your Fortinet support login user name and password will be sent to this email address Address Contact phone number A security question...

Страница 83: ...nit product information 7 Select Finish If you have not entered a FortiCare Support Contract number SCN you can return to the previous page to enter the number If you do not have a FortiCare Support C...

Страница 84: ...security question and answer contact Fortinet tech support 1 Go to System Update Support 2 Select Support Login 3 Enter your Fortinet support user name 4 Select Forgot your password 5 Enter your email...

Страница 85: ...e Serial Number of the FortiGate unit 7 If you have purchased a FortiCare Support Contract for this FortiGate unit enter the support contract number 8 Select Finish The list of FortiGate products that...

Страница 86: ...or security question 1 Go to System Update Support and select Support Login 2 Enter your Fortinet support user name and password 3 Select Login 4 Select My Profile 5 Select Edit Profile 6 Make the re...

Страница 87: ...t is still protected by hardware coverage you can return the FortiGate unit that is not functioning to your reseller or distributor The RMA is recorded and you will receive a replacement unit Fortinet...

Страница 88: ...88 Fortinet Inc Registering a FortiGate unit after an RMA Virus and attack definitions updates and registration...

Страница 89: ...ing procedures to configure interfaces Viewing the interface list Bringing up an interface Changing an interface static IP address Adding a secondary IP address to an interface Adding a ping server to...

Страница 90: ...the interface that you want to bring up Changing an interface static IP address Use the following procedure to change the static IP address of any FortiGate interface You can also use this procedure t...

Страница 91: ...interface for which to configure management access 3 Select the management Access methods for the interface Configuring management access for an interface connected to the Internet allows remote admi...

Страница 92: ...with a static IP address 1 Go to System Network Interface 2 For the external interface select Modify 3 Set Addressing mode to Manual 4 Change the IP address and Netmask as required 5 Select OK to sav...

Страница 93: ...ateway IP address When the FortiGate unit gets this information from the PPPoE server the new addresses and netmask are displayed in the external IP address and netmask fields If the PPPoE connection...

Страница 94: ...each interface By default in Transparent mode you manage the FortiGate unit by connecting to the internal or dmz interface However you can configure the management interface so that you can manage the...

Страница 95: ...nges Configuring routing This section describes how to configure FortiGate routing You can configure routing to add static routes from the FortiGate unit to local routers Using policy routing you can...

Страница 96: ...add one or two gateways to a route If you add one gateway the FortiGate unit routes the traffic to that gateway You can add a second gateway to route traffic to the second gateway if the first gatewa...

Страница 97: ...lects the interface according to rules If the Gateway 2 IP address is on the same subnet as a FortiGate interface the system sends the traffic to that interface If the Gateway 2 IP address is not on t...

Страница 98: ...stem Network Routing Table 2 Choose a route to move and select Move to to change its order in the routing table 3 Type a number in the Move to field to specify where in the routing table to move the r...

Страница 99: ...ternal network If the FortiGate unit is operating in NAT Route mode you can configure it to be the DHCP server for your internal network 1 Go to System Network DHCP 2 Select Enable DHCP 3 Configure DH...

Страница 100: ...onding MAC addresses and the expiry time and date for these addresses The FortiGate unit adds these addresses to the dynamic IP MAC list and if IP MAC binding is enabled the addresses in the dynamic I...

Страница 101: ...information on NTP and to find the IP address of an NTP server that you can use see http www ntp org To set the date and time 1 Go to System Config Time 2 Select Refresh to display the current FortiGa...

Страница 102: ...web based manager options On the System Config Options page you can Set the system idle timeout Set the authentication timeout Select the language for the web base manager Modify the dead gateway dete...

Страница 103: ...Chinese Japanese Korean or Traditional Chinese To modify the Dead Gateway Detection settings Modify dead gateway detection to control how the FortiGate unit confirms connectivity with a ping server ad...

Страница 104: ...on from which the administrator can log into the web based manager If you want the administrator to be able to access the FortiGate unit from any address set the trusted host to 0 0 0 0 and the netmas...

Страница 105: ...6 characters long the system displays a warning message but still accepts the password 5 Select OK 6 To edit the settings of an administrator account select Edit 7 Optionally type a Trusted Host IP a...

Страница 106: ...cally set to the FortiGate host name To change the System Name see Changing the FortiGate host name on page 54 System Location Describe the physical location of the FortiGate unit The system location...

Страница 107: ...community string functions like a password that is sent with SNMP traps The default trap community string is public Change the trap community string to the one accepted by your trap receivers The trap...

Страница 108: ...that includes detailed FortiGate system configuration information Add this MIB to your SNMP manager to monitor all FortiGate configuration settings RFC1213 mib The RFC 1213 MIB is the standard MIB II...

Страница 109: ...nd add and edit the replacement message sections as required 1 Go to System Config Replacement Messages 2 For the replacement message you want to customize select Modify 3 In the Message setup dialog...

Страница 110: ...ection End BLOCKED Quarantine Used when quarantine is enabled permitted for all scan services and block services for email only Section Start QUARANTINE Allowed Tag QUARFILE NAME The name of the file...

Страница 111: ...P address of the email server that sent the email containing the blocked file For HTTP this is the IP address of web page that sent the blocked file DEST_IP The IP address of the computer that would h...

Страница 112: ...112 Fortinet Inc Customizing replacement messages System configuration...

Страница 113: ...wall can process connections differently depending on the time of day or the day of the week month or year Each policy can be individually configured to route connections or to apply network address t...

Страница 114: ...e interfaces To add policies between interfaces the interfaces must include addresses By default the FortiGate unit is configured with two firewall addresses Internal_All added to the internal interfa...

Страница 115: ...ring and email filtering to web file transfer and email services The FortiGate unit includes the following default content profiles Strict to apply maximum content protection to HTTP FTP IMAP POP3 and...

Страница 116: ...or address group that matches the source address of the packet Before you can add this address to a policy you must add it to the source interface To add an address see Addresses on page 122 Destinati...

Страница 117: ...you can also configure NAT and Authentication for the policy DENY Deny the connection The only other policy option that you can configure is log traffic to log the connections denied by this policy EN...

Страница 118: ...r FTP policy that is configured for authentication When users attempt to connect through the firewall using this policy they are prompted to enter a firewall username and password Allow inbound Select...

Страница 119: ...make sure that users can use DNS through the firewall without authentication If DNS is not available users cannot connect to a web FTP or Telnet server using a domain name Anti Virus Web filter Enabl...

Страница 120: ...ling policies Policy matching in detail When the FortiGate unit receives a connection attempt at an interface it must select a policy list to search through for a policy that matches the connection at...

Страница 121: ...y list to move the policy and select OK Enabling and disabling policies You can enable and disable policies in the policy list to control whether the policy is active or not The FortiGate unit matches...

Страница 122: ...5 255 255 All possible IP addresses represented by IP Address 0 0 0 0 and Netmask 0 0 0 0 This section describes Adding addresses Editing addresses Deleting addresses Organizing addresses into address...

Страница 123: ...s and netmask You cannot edit the address name To change the address name you must delete the address entry and then add the address again with a new name 1 Go to Firewall Address 2 Select the interfa...

Страница 124: ...ess groups cannot have the same names as individual addresses If an address group is included in a policy it cannot be deleted unless it is first removed from the policy 1 Go to Firewall Address Group...

Страница 125: ...apsulating the packets of the protocol within GRE packets 47 AH Authentication Header AH provides source host authentication and data integrity but not secrecy This protocol is used for authentication...

Страница 126: ...ormation directories tcp 389 NetMeeting NetMeeting allows users to teleconference using the Internet as the transmission medium tcp 1720 NFS Network File System allows network users to access shared f...

Страница 127: ...5 SNMP Simple Network Management Protocol is a set of protocols for managing complex networks tcp 161 162 udp 161 162 SSH SSH service for secure connections to computers for remote management tcp 22 u...

Страница 128: ...ervices in the group A service group can contain predefined services and custom services in any combination You cannot add service groups to another service group 1 Go to Firewall Service Group 2 Sele...

Страница 129: ...can create a one time schedule that activates or deactivates a policy for a specified period of time For example your firewall might be configured with the default policy that allows access to all se...

Страница 130: ...ique to create recurring schedules that run from one day to the next You can also create a recurring schedule that runs for 24 hours by setting the start and stop times to the same time 1 Go to Firewa...

Страница 131: ...ween an address on the source network and the real address on the destination network This mapping is called a virtual IP For example if the computer hosting your web server is located on your interna...

Страница 132: ...ake sure Type is set to Static NAT 6 In the External IP Address field enter the external IP address to be mapped to an address on the destination network For example if the virtual IP provides access...

Страница 133: ...t for this external interface using PPPoE or DHCP For example if the virtual IP provides access from the Internet to a server on your internal network the External IP Address must be a static IP addre...

Страница 134: ...interface must match the interface connected to the network with the Map to IP address 3 Use the following information to configure the policy Source Select the source address from which users can acc...

Страница 135: ...her addresses on the same network as the interface for which you are adding the IP pool You can add multiple IP pools to any interface but only the first IP pool is used by the Firewall This section d...

Страница 136: ...irewall can support is limited by the number of IP addresses in the IP pool IP pools and dynamic NAT You can use IP pools for dynamic NAT For example your organization may have purchased a range of In...

Страница 137: ...scribes Configuring IP MAC binding for packets going through the firewall Configuring IP MAC binding for packets going to the firewall Adding IP MAC addresses Viewing the dynamic IP MAC list Enabling...

Страница 138: ...r is connecting to the FortiGate unit for management 1 Go to Firewall IP MAC Binding Setting 2 Select Enable IP MAC binding going to the firewall 3 Go to Firewall IP MAC Binding Static IP MAC 4 Select...

Страница 139: ...wed 5 Select Enable to enable IP MAC binding for the IP MAC pair 6 Select OK to save the IP MAC binding pair Viewing the dynamic IP MAC list 1 Go to Firewall IP MAC Binding Dynamic IP MAC Enabling IP...

Страница 140: ...il for POP3 SMTP and IMAP policies Using content profiles you can build up protection configurations that can be easily applied to different types of Firewall policies This allows you to customize dif...

Страница 141: ...want to apply any content protection to content traffic You can add this content profile to firewall policies for connections between highly trusted or highly secure networks where content does not n...

Страница 142: ...policies to which to add a content profile For example to enable network protection for files downloaded by internal network users from the web select an internal to external policy list Email Content...

Страница 143: ...Guide 143 3 Select New to add a new policy or choose a policy and select Edit 4 Select Anti Virus Web filter 5 Select a content profile 6 Configure the remaining policy settings if required 7 Select...

Страница 144: ...144 Fortinet Inc Content profiles Firewall configuration...

Страница 145: ...IPSec dialup user phase 1 configurations XAuth functionality for Phase 1 IPSec VPN configurations PPTP L2TP When a user enters a user name and password the FortiGate unit searches the internal user da...

Страница 146: ...3 Enter the user name The user name can contain numbers 0 9 uppercase and lowercase letters A Z a z and the special characters and _ Other special characters and spaces are not allowed 4 Select one o...

Страница 147: ...o try to connect to other RADIUS servers added to the FortiGate RADIUS configuration 6 Select OK Figure 17 Adding a user name Deleting user names from the internal database You cannot delete user name...

Страница 148: ...to User RADIUS 2 Select New to add a new RADIUS server 3 Enter the name of the RADIUS server You can enter any name The name can contain numbers 0 9 uppercase and lowercase letters A Z a z and the sp...

Страница 149: ...ion of password expiration that is available from some LDAP servers FortiGate LDAP support does not supply information to the user about why authentication failed LDAP user authentication is supported...

Страница 150: ...llowing base distinguished name ou marketing dc fortinet dc com where ou is organization unit and dc is domain component You can also specify multiple instances of the same field in the distinguished...

Страница 151: ...e selected user group can use PPTP The FortiGate L2TP configuration Only users in the selected user group can use L2TP When you add user names RADIUS servers and LDAP servers to a user group the order...

Страница 152: ...elect the right arrow to add the RADIUS server to the Members list 6 To add an LDAP server to the user group select an LDAP server from the Available Users list and select the right arrow to add the L...

Страница 153: ...lic network Instead of being sent in its original format the data frames are encapsulated within an additional header and then routed between tunnel endpoints Upon arrival at the destination endpoint...

Страница 154: ...r The peers do not actually send the key to each other Instead as part of the security negotiation process they use it in combination with a Diffie Hellman group to create a session key The session ke...

Страница 155: ...for a manual key VPN Adding a manual key VPN tunnel General configuration steps for a manual key VPN A manual key VPN configuration consists of a manual key VPN tunnel the source and destination addr...

Страница 156: ...Key Each two character combination entered in hexadecimal format represents one byte Use the same authentication key at both ends of the tunnel 11 Select a concentrator if you want the tunnel to be pa...

Страница 157: ...he tunnel See Configuring encrypt policies on page 168 Adding a phase 1 configuration for an AutoIKE VPN When you add a phase 1 configuration you define the terms by which the FortiGate unit and a rem...

Страница 158: ...ellman groups to propose for phase 1 As a general rule the VPN peers should use the same DH Group settings 8 Enter the Keylife The keylife is the amount of time in seconds before the phase 1 encryptio...

Страница 159: ...ific VPN peer or a group of VPN peers with a shared user name ID and password pre shared key Also add the peer ID Also add the peer ID Accept peer ID in dialup group Select to authenticate each remote...

Страница 160: ...e DPD between the local and remote peers Short Idle Set the time in seconds that a link must remain unused before the local VPN peer considers it to be idle After this period of time expires whenever...

Страница 161: ...etween the local VPN peer the FortiGate unit and the remote VPN peer the VPN gateway or client To add a phase 2 configuration 1 Go to VPN IPSEC Phase 2 2 Select New to add a new phase 2 configuration...

Страница 162: ...life expires 8 Select the DH Group s The VPN peers must use the same DH Group settings 9 Enter the Keylife The keylife causes the phase 2 key to expire after a specified amount of time after a specifi...

Страница 163: ...ter to the certificate authority and from the certificate authority to your local computer Obtaining a signed local certificate Obtaining a CA certificate Obtaining a signed local certificate The sign...

Страница 164: ...ertified Domain Name For Domain name enter the fully qualified domain name of the FortiGate unit being certified Do not include the protocol specification http or any port number or path names E Mail...

Страница 165: ...VPN Local Certificates 2 Select Download to download the local certificate to the management computer 3 Select Save 4 Name the file and save it in a directory on the management computer Requesting the...

Страница 166: ...you connect to the CA web server and download the signed local certificate to the management computer Do this after receiving notification from the CA that it has signed the certificate request To ret...

Страница 167: ...mote VPN peer The remote VPN peer obtains the CA certificate in order to validate the digital certificate that it receives from the FortiGate unit Retrieving a CA certificate Connect to the CA web ser...

Страница 168: ...can configure the encrypt policy for services such as DNS FTP and POP3 and to allow connections according to a predefined schedule by the time of the day or the day of the week month or year You can...

Страница 169: ...n FortiGate models 3 Select New to add an address 4 Enter the Address Name IP Address and NetMask for a single computer or for an entire subnetwork on an internal interface of the remote VPN peer 5 Se...

Страница 170: ...cal hosts to see the IP addresses of remote hosts hosts located on the network behind the remote VPN gateway Outbound NAT The FortiGate unit translates the source address of outgoing packets to the IP...

Страница 171: ...peer is a FortiGate unit functioning as the hub or concentrator it requires a VPN configuration connecting it to each spoke AutoIKE phase 1 and 2 settings or manual key settings plus encrypt policies...

Страница 172: ...a client on the Internet or a network located behind a gateway See Adding a source address on page 169 3 Add the concentrator configuration This step groups the tunnels together on the FortiGate unit...

Страница 173: ...add a VPN concentrator 3 Enter the name of the new concentrator in the Concentrator Name field 4 To add tunnels to the VPN concentrator select a VPN tunnel from the Available Tunnels list and select t...

Страница 174: ...addresses for each remote VPN spoke The destination address is the address of the spoke either a client on the Internet or a network located behind a gateway See Adding a destination address on page 1...

Страница 175: ...rs one can have multiple Internet connections while the other has only one Internet connection Of course with an asymmetrical configuration the level redundancy will vary from one end of the VPN to th...

Страница 176: ...ake sure that the remote VPN peer Remote Gateway has a static IP address See Adding a phase 1 configuration for an AutoIKE VPN on page 157 2 Add the phase 2 parameters VPN tunnel for up to three VPN c...

Страница 177: ...s the tunnel time out To view VPN tunnel status 1 Go to VPN IPSEC AutoIKE Key The Status column displays the status of each tunnel If Status is Up the tunnel is active If Status is Down the tunnel is...

Страница 178: ...al peer Figure 28 Dialup Monitor Testing a VPN To confirm that a VPN between two networks has been configured correctly use the ping command from one internal network to connect to a computer on the o...

Страница 179: ...onfiguration changes to the client computer and the FortiGate unit This chapter provides an overview of how to configure FortiGate PPTP and L2TP VPN For a complete description of FortiGate PPTP and L2...

Страница 180: ...to User Local 2 Add and configure PPTP users See Adding user names and configuring authentication on page 146 3 Go to User User Group 4 Add and configure PPTP user groups See Configuring user groups...

Страница 181: ...address group 1 Go to Firewall Address Group 2 Add a new address group to the interface to which PPTP clients connect 3 Enter a Group Name to identify the address group The name can contain numbers 0...

Страница 182: ...4 Set Destination to the address to which PPTP users can connect 5 Set Service to match the traffic type inside the PPTP VPN tunnel For example if PPTP users can access a web server select HTTP 6 Set...

Страница 183: ...PPTP VPN 1 Start the dialup connection that you configured in the previous procedure 2 Enter your PPTP VPN User Name and Password 3 Select Connect Configuring a Windows 2000 client for PPTP Use the f...

Страница 184: ...r workplace and select Next 4 Select Virtual Private Network Connection and select Next 5 Name the connection and select Next 6 If the Public Network dialog box appears choose the appropriate initial...

Страница 185: ...evious procedure 3 Enter your PPTP VPN User Name and Password 4 Select Connect 5 In the connect window enter the User Name and Password that you use to connect to your dialup network connection This u...

Страница 186: ...to User Local 2 Add and configure L2TP users See Adding user names and configuring authentication on page 146 3 Go to User User Group 4 Add and configure L2TP user groups See Configuring user groups...

Страница 187: ...an address group 1 Go to Firewall Address Group 2 Add a new address group to the interface to which L2TP clients connect 3 Enter a Group Name to identify the address group The name can contain number...

Страница 188: ...wall policy Add a policy which specifies the source and destination addresses and sets the service for the policy to the traffic type inside the L2TP VPN tunnel 1 Go to Firewall Policy 2 Select New to...

Страница 189: ...ption is selected 10 Select the Networking tab 11 Set VPN server type to Layer 2 Tunneling Protocol L2TP 12 Save your changes and continue with the following procedure Disabling IPSec 1 Select the Net...

Страница 190: ...e User Name and Password that you use to connect to your dialup network connection This user name and password is not the same as your VPN user name and password Configuring a Windows XP client for L2...

Страница 191: ...Y_LOCAL_MACHINE System CurrentControlSet Services Rasman Parameters 8 Add the following registry value to this key Value Name ProhibitIpSec Data Type REG_DWORD Value 1 9 Save your changes and restart...

Страница 192: ...N connection that you configured in the previous procedure 3 Enter your L2TP VPN User Name and Password 4 Select Connect 5 In the connect window enter the User Name and Password that you use to connec...

Страница 193: ...ks Logging attacks Detecting attacks The NIDS Detection module detects a wide variety of suspicious network traffic and network based attacks Use the following procedures to configure the general NIDS...

Страница 194: ...ke sure that they have not been changed in transit The NIDS can run checksum verification on IP TCP UDP and ICMP traffic For maximum detection you can turn on checksum verification for all types of tr...

Страница 195: ...ature list 1 Go to NIDS Detection Signature List 2 Select View Details to display the members of a signature group Select a signature and copy its attack ID 3 Open a web browser and enter this URL htt...

Страница 196: ...cate specific attack signatures by ID number and name 3 Uncheck the Enable check box 4 Select OK 5 Repeat steps 2 to 4 for each NIDS attack signature group that you want to disable Select Check All to...

Страница 197: ...e text file as well as a name for the text file Preventing attacks NIDS attack prevention protects the FortiGate unit and the networks connected to it from common TCP ICMP UDP and IP attacks You can e...

Страница 198: ...attack prevention signature list 4 Select Uncheck All to disable all signatures in the NIDS attack prevention signature list 5 Select Reset to Default Values to enable only the default NIDS attack pr...

Страница 199: ...ue units Default threshold value Minimum threshold value Maximum threshold value synflood Maximum number of SYN segments received per second 200 30 3000 portscan Maximum number of SYN segments receive...

Страница 200: ...attack log Use the following procedure to log attack messages to the attack log 1 Go to Log Report Log Setting 2 Select Config Policy for the log locations you have set 3 Select Attack Log 4 Select At...

Страница 201: ...is compared with the previous messages If the new message is not a duplicate the FortiGate unit sends it immediately and puts a copy in the queue If the new message is a duplicate the FortiGate unit...

Страница 202: ...202 Fortinet Inc Logging attacks Network Intrusion Detection System NIDS...

Страница 203: ...i Virus Web filter option in firewall policies that allow web HTTP FTP and email IMAP POP3 and SMTP connections through the FortiGate unit Select a content profile that provides the antivirus protecti...

Страница 204: ...g and Microsoft Office files containing macros are scanned for macro viruses FortiGate virus scanning does not scan the following file types cdimage floppy image ace bzip2 Tar Gzip Bzip2 If a file is...

Страница 205: ...tgz and zip dynamic link libraries dll HTML application hta Microsoft Office files doc ppt xl Microsoft Works files wps Visual Basic files vb screen saver files scr Blocking files in firewall traffic...

Страница 206: ...sage that is forwarded to the receiver It is recommend that you disable the fragmenting of email messages in the client email software To exempt fragmented emails from automatic antivirus blocking you...

Страница 207: ...onfiguration steps Content blocking URL blocking Using the Cerberian web filter Script filtering Exempt URL list General configuration steps Configuring web filtering involves the following general st...

Страница 208: ...set that you choose 4 Type a banned word or phrase If you type a single word for example banned the FortiGate unit blocks all web pages that contain that word If you type a phrase for example banned p...

Страница 209: ...b filter You can configure the FortiGate unit to block all pages on a website by adding the top level URL or IP address You can also block individual pages on a website by including the full path and...

Страница 210: ...You can enter multiple URLs and patterns and then select Check All to enable all items in the URL block list Each page of the URL block list displays 100 URLs 6 Use Page Up and Page Down to navigate t...

Страница 211: ...sts available at http www squidguard org blacklist as a starting point for creating your own URL block list Three times per week the squidGuard robot searches the web for new URLs to add to the blackl...

Страница 212: ...key on the FortiGate unit Before you can use the Cerberian web filter you must install a license key The license key determines the number of end users allowed to use Cerberian web filtering through t...

Страница 213: ...rs who are not assigned alias names on the FortiGate unit All the users who are not assigned to any other user groups The Cerberian web filter groups the web pages into 53 categories The default polic...

Страница 214: ...ActiveX scripts from the HTML web pages Enabling the script filter Selecting script filter options Enabling the script filter 1 Go to Firewall Content Profile 2 Select the content profile for which y...

Страница 215: ...exempts access to the main page of this example website You can also add IP addresses for example 122 63 44 67 index html exempts access to the main web page at this address Do not include http in th...

Страница 216: ...216 Fortinet Inc Exempt URL list Web filtering...

Страница 217: ...uration steps Configuring email filtering involves the following general steps 1 Select email filter options in a new or existing content profile See Adding a content profile on page 141 2 Select the...

Страница 218: ...phrase for example banned phrase the FortiGate unit tags email that contains both words When this phrase appears on the banned word list the FortiGate unit inserts plus signs in place of spaces for e...

Страница 219: ...ubdomain name For example mail abccompany com To tag email from an entire organization category type the top level domain name For example type com to tag email sent from all organizations that use co...

Страница 220: ...other special characters are not allowed 4 Select Enable to exempt the address pattern 5 Select OK to add the address pattern to the email exempt list You can enter multiple patterns and then select...

Страница 221: ...r more of a computer running a syslog server a computer running a WebTrends firewall reporting server the console For information about filtering the log types and activities that the FortiGate unit r...

Страница 222: ...tIQ Security Reporting Center 2 0 and Firewall Suite 4 1 See the Security Reporting Center and Firewall Suite documentation for more information To record logs on a NetIQ WebTrends server 1 Go to Log...

Страница 223: ...g Management events include changes to the system configuration as well as administrator and user logins and logouts Activity events include system activities such as VPN tunnel establishment and HA f...

Страница 224: ...traffic logging Configuring traffic filter settings Adding traffic filter entries Enabling traffic logging You can enable logging on any interface and firewall policy Enabling traffic logging for an i...

Страница 225: ...ing Traffic Filter 2 Select New 3 Configure the traffic filter for the type of traffic that you want to record on the traffic log Resolve IP Select Resolve IP if you want traffic log messages to list...

Страница 226: ...lert email Enabling alert email Adding alert email addresses Because the FortiGate unit uses the SMTP server name to connect to the mail server it must be able to look up this name on your DNS server...

Страница 227: ...configure the FortiGate unit to send alert email in response to virus incidents intrusion attempts and critical firewall or VPN events or violations If you have configured logging to a local disk you...

Страница 228: ...228 Fortinet Inc Configuring alert email Logging and reporting...

Страница 229: ...ssages are formatted and transmitted and what actions Web servers and browsers should take in response to various commands HTTPS The SSL protocol for transmitting private documents over the Internet u...

Страница 230: ...fied address and waiting for a reply POP3 Post Office Protocol A protocol used to transfer e mail from a mail server to a mail client across the Internet Most e mail clients use POP PPP Point to Point...

Страница 231: ...works TCP guarantees delivery of data and also guarantees that packets will be delivered in the same order in which they were sent UDP User Datagram Protocol A connectionless protocol that like TCP ru...

Страница 232: ...232 Fortinet Inc Glossary...

Страница 233: ...w outbound encrypt policy 118 allow traffic IP MAC binding 138 Anti Virus Web filter policy 119 antivirus definition updates manual 63 antivirus definitions updating 71 antivirus updates 73 configurin...

Страница 234: ...les default 141 cookies blocking 214 critical firewall events alert email 227 critical VPN events alert email 227 custom service 127 customer service 15 D date and time setting example 102 109 date se...

Страница 235: ...l policy accept 117 Comments 120 deny 117 guaranteed bandwidth 118 Log Traffic 120 maximum bandwidth 118 firewall setup wizard 35 42 starting 35 42 firmware changing 54 installing 59 re installing cur...

Страница 236: ...based manager 103 LDAP example configuration 150 LDAP server adding server address 149 deleting 150 lease duration DHCP 23 99 log setting filtering log entries 74 222 traffic filter 225 Log Traffic f...

Страница 237: ...117 Anti Virus Web filter 119 arranging in policy list 120 Comments 120 deny 117 disabling 121 enabling 121 enabling authentication 151 fixed port 117 guaranteed bandwidth 118 Log Traffic 120 matching...

Страница 238: ...91 routing 230 adding static routes 96 configuring 95 configuring routing table 98 policy 98 routing table 230 adding default route 96 adding routes 96 adding routes Transparent mode 97 configuring 9...

Страница 239: ...zone 101 timeout firewall authentication 103 idle 102 IPSec VPN 177 178 web based manager 102 to IP system status 70 to port system status 70 traffic configuring global settings 224 225 filtering 224...

Страница 240: ...ew 203 VPN configuring L2TP gateway 186 configuring PPTP gateway 180 186 L2TP configuration 186 PPTP configuration 180 Tunnel 118 viewing dialup connection status 177 VPN events enabling alert email 2...

Результаты поиска

Содержание FortiGate FortiGate-50

Отзывы:

Похожие инструкции для FortiGate FortiGate-50

Бренды по названию

Популярные бренды

Fortinet FortiGate FortiGate-50, Руководство по установке и настройке

Результаты поиска

Содержание FortiGate FortiGate-50

Отзывы:

Похожие инструкции для FortiGate FortiGate-50

Бренды по названию

Популярные бренды