manualshive.com logo in svg

Fortinet FortiGate FortiGate-5020, Руководство администратора

Fortinet FortiGate-5020 - устройство безопасности сети с высокой производительностью. Установочное руководство и другие руководства доступны для загрузки бесплатно на manualshive.com. Получите все необходимые инструкции по установке и использованию этого продукта.

Поделиться
Скачать
background image

Firewall 

Policy

FortiGate-5000 series Administration Guide

01-28008-0013-20050204

 203

Schedule

Select a schedule that controls when the policy is available to be matched with 
connections. See 

“Schedule” on page 221

.

Service

Select the name of a service or service group that matches the service or protocol of 
the packets to be matched with this policy. You can select from a wide range of 
predefined services or add custom services and service groups. See 

“Service” on 

page 213

.

Action

Select how you want the firewall to respond when the policy matches a connection 
attempt.

VPN Tunnel

Select a VPN tunnel for an ENCRYPT policy. You can select an AutoIKE key or 
Manual Key tunnel.

NAT

Select NAT to enable Network Address Translation for the policy. NAT translates the 
source address and port of packets accepted by the policy. If you select NAT, you can 
also select Dynamic IP Pool and Fixed Port. NAT is not available in Transparent 
mode.

ACCEPT

Accept connections matched by the policy. You can also configure NAT, 

protection profiles, log traffic, traffic shaping, authentication, and differentiated 

services. You can also add a comment to the policy.

DENY

Select deny to reject connections matched by the policy. The only other policy 

options that you can configure are log traffic (to log the connections denied by 

this policy) and differentiated services. You can also add a comment to the 

policy.

ENCRYPT

Select encrypt to make this policy an IPSec VPN policy. An IPSec VPN policy 

causes the FortiGate unit to accept IPSec packets. When encrypt is selected 

the VPN Tunnel Options appear. You can also configure protection profiles, log 

traffic, traffic shaping, and differentiated services. You can also add a comment 

to the policy. You cannot configure NAT or add authentication to an encrypt 

policy. For more information, see 

“Adding firewall policies for IPSec VPN 

tunnels” on page 276

.

Allow Inbound

Select Allow inbound so that traffic from the remote network or host can start 

the IPSec VPN tunnel.

Allow outbound

Select Allow outbound if traffic from the local network can start the tunnel.

Inbound NAT

Select Inbound NAT to translate the source address of incoming packets to 

the FortiGate internal IP address.

Outbound NAT

Select Outbound NAT to translate the source address of outgoing packets to 

the FortiGate external IP address.

Содержание FortiGate FortiGate-5020

Страница 1: ...8 PWR ACC STA IPM CONSOLE USB 1 2 3 4 5 6 7 8 PWR ACC STA IPM CONSOLE USB 1 2 3 4 5 6 7 8 1 2 2 3 4 5 MANAGEMENT SYSTEM E1 ZRE LED MODE 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0 E2 OK CLK INT EXT FLT HOT SWAP RESET FLT CONSOLE E T H O R S 2 3 2 Z R E 0 Z R E 1 Z R E 2 MANAGEMENT SYSTEM E1 ZRE LED MODE 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0 E2 OK CLK INT EXT FLT HOT SWAP RESET FLT CONSOLE E T H O R S 2 ...

Страница 2: ...istration Guide Version 2 80 MR8 4 February 2005 01 28008 0013 20050204 Trademarks Products mentioned in this document are trademarks or registered trademarks of their respective holders Regulatory Compliance FCC Class A Part 15 CSA CUS CAUTION RISK OF EXPLOSION IF BATTERY IS REPLACED BY AN INCORRECT TYPE DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS For technical support please visit ht...

Страница 3: ...ntation 21 Fortinet Knowledge Center 22 Comments on Fortinet technical documentation 22 Related documentation 22 FortiManager documentation 22 FortiClient documentation 23 FortiMail documentation 23 FortiLog documentation 23 Customer service and technical support 24 Web based manager 25 Button bar features 26 Contact Customer Support 26 Online Help 27 Easy Setup Wizard 27 Console Access 28 Logout ...

Страница 4: ...ent 67 DNS 68 Routing table Transparent Mode 69 Routing table list 69 Transparent mode route settings 70 VLAN overview 70 FortiGate units and VLANs 71 VLANs in NAT Route mode 71 Rules for VLAN IDs 72 Rules for VLAN IP addresses 72 Adding VLAN subinterfaces 73 VLANs in Transparent mode 74 Rules for VLAN IDs 76 Transparent mode virtual domains and VLANs 76 Transparent mode VLAN list 76 Transparent m...

Страница 5: ...ent messages 116 FortiManager 117 System Admin 119 Administrators 121 Administrators list 121 Administrators options 121 Access profiles 123 Access profile list 123 Access profile options 124 System Maintenance 125 Backup and restore 125 Backing up and Restoring 126 Update center 128 Updating antivirus and attack definitions 130 Enabling push updates 133 Support 135 Sending a bug report 136 Regist...

Страница 6: ... Router 151 Static 151 Static route list 153 Static route options 154 Policy 155 Policy route list 155 Policy route options 156 RIP 156 General 157 Networks list 158 Networks options 159 Interface list 159 Interface options 160 Distribute list 161 Distribute list options 162 Offset list 163 Offset list options 163 Router objects 164 Access list 164 New access list 165 New access list entry 165 Pre...

Страница 7: ...ss list 210 Address options 210 Configuring addresses 211 Address group list 212 Address group options 212 Configuring address groups 213 Service 213 Predefined service list 214 Custom service list 217 Custom service options 217 Configuring custom services 219 Service group list 220 Service group options 220 Configuring service groups 221 Schedule 221 One time schedule list 222 One time schedule o...

Страница 8: ...I configuration 240 User 243 Setting authentication timeout 244 Local 244 Local user list 244 Local user options 244 RADIUS 245 RADIUS server list 245 RADIUS server options 246 LDAP 246 LDAP server list 247 LDAP server options 247 User group 249 User group list 249 User group options 250 CLI configuration 251 peer 251 peergrp 252 VPN 255 Phase 1 256 Phase 1 list 256 Phase 1 basic settings 257 Phas...

Страница 9: ...ate request 273 Importing signed certificates 274 CA certificate list 275 Importing CA certificates 275 VPN configuration procedures 276 IPSec configuration procedures 276 PPTP configuration procedures 278 L2TP configuration procedures 278 CLI configuration 279 ipsec phase1 279 ipsec phase2 281 ipsec vip 281 IPS 285 Signature 286 Predefined 286 Custom 290 Anomaly 292 Anomaly CLI configuration 295 ...

Страница 10: ...antivirus quarantine 309 config antivirus service http 310 config antivirus service ftp 311 config antivirus service pop3 313 config antivirus service imap 315 config antivirus service smtp 316 Web filter 319 Content block 321 Web content block list 321 Web content block options 321 Configuring the web content block list 322 URL block 322 Web URL block list 323 Web URL block options 323 Configurin...

Страница 11: ... Spam filtering 335 FortiShield options 337 Configuring the FortiShield cache 337 FortiShield CLI configuration 338 IP address 339 IP address list 339 IP address options 339 Configuring the IP address list 339 DNSBL ORDBL 340 DNSBL ORDBL list 341 DNSBL ORDBL options 341 Configuring the DNSBL ORDBL list 341 Email address 342 Email address list 342 Email address options 342 Configuring the email add...

Страница 12: ...ert E mail options 356 Log filter options 357 Configuring log filters 360 Enabling traffic logging 360 Log access 361 Disk log file access 361 Viewing log messages 362 Searching log messages 365 CLI configuration 366 fortilog setting 366 syslogd setting 367 FortiGuard categories 371 Glossary 377 Index 383 ...

Страница 13: ...ustomer service and technical support About FortiGate Antivirus Firewalls The FortiGate Antivirus Firewall is a dedicated easily managed security device that delivers a full suite of capabilities that include application level services such as virus protection and content filtering network level services such as firewall intrusion detection VPN and traffic shaping The FortiGate Antivirus Firewall ...

Страница 14: ...OP3 and IMAP content as it passes through the FortiGate unit FortiGate antivirus protection uses pattern matching and heuristics to find viruses If a virus is found antivirus protection removes the file containing the virus from the content stream and forwards a replacement message to the intended recipient For extra protection you can configure antivirus protection to block specified file types f...

Страница 15: ... a web site without denying access to it completely To prevent unintentionally blocking legitimate web pages you can add URLs to an exempt list that overrides the URL blocking and content blocking lists The exempt list also exempts web traffic this address from virus scanning Web content filtering also includes a script filter feature that can block unsecure web content such as Java applets cookie...

Страница 16: ...ices individually or in groups require users to authenticate before gaining access include traffic shaping to set access priorities and guarantee or limit bandwidth for each policy include logging to track connections for individual policies include Network Address Translation NAT mode and Route mode policies include mixed NAT and Route mode policies The FortiGate firewall can operate in NAT Route...

Страница 17: ...ceive and send VLAN packets FortiGate virtual domains provide multiple logical firewalls and routers in a single FortiGate unit Using virtual domains one FortiGate unit can provide exclusive firewall and routing services to multiple networks so that traffic from each network is effectively separated from every other network You can develop and manage interfaces VLAN subinterfaces zones firewall po...

Страница 18: ...can connect to an IPSec VPN tunnel VPN hub and spoke using a VPN concentrator to allow VPN traffic to pass from one tunnel to another through the FortiGate unit IPSec Redundancy to create a redundant AutoIKE key IPSec VPN connection to a remote network High availability Fortinet achieves high availability HA using redundant hardware and the FortiGate Clustering Protocol FGCP Each FortiGate unit in...

Страница 19: ...d manager supports multiple languages You can configure the FortiGate unit for HTTP and HTTPS administration from any FortiGate interface You can use the web based manager to configure most FortiGate settings You can also use the web based manager to monitor the status of the FortiGate unit Configuration changes made using the web based manager are effective immediately without resetting the firew...

Страница 20: ...ls can also save logs to an optional internal hard drive If a hard drive is not installed you can configure most FortiGate units to log the most recent events and attacks detected by the IPS to the system memory Document conventions This guide uses the following conventions to describe CLI command syntax Angle brackets to indicate variables For example execute restore config filename_str You enter...

Страница 21: ...et allowaccess https ping ssh set allowaccess snmp In most cases to make changes to lists that contain options separated by spaces you need to retype the whole list including all the options you want to apply and excluding all the options you want to remove FortiGate documentation Information about FortiGate products is available from the following guides FortiGate QuickStart Guide Provides basic ...

Страница 22: ...onfigure VPNs using the web based manager Fortinet Knowledge Center The most recent Fortinet technical documentation is available from the Fortinet Knowledge Center The knowledge center contains short how to articles FAQs technical notes product and feature guides and much more Visit the Fortinet Knowledge Center at http kc forticare com Comments on Fortinet technical documentation Please send inf...

Страница 23: ...and policies configure antispam and antivirus filters create user accounts and set up logging and reporting FortiMail online help Provides a searchable version of the Administration Guide in HTML format You can access online help from the web based manager as you work FortiMail Web Mail Online Help Describes how to use the FortiMail web based email client including how to send and receive email ho...

Страница 24: ...your region For information about our priority support hotline live support see http support fortinet com When requesting technical support please provide the following information your name your company s name and location your email address your telephone number your support contract number if applicable the product name and model number the product serial number if applicable the software or fi...

Страница 25: ... any FortiGate interface Figure 1 Web based manager screen You can use the web based manager to configure most FortiGate settings You can also use the web based manager to monitor the status of the FortiGate unit Configuration changes made using the web based manager are effective immediately without resetting the firewall or interrupting service Once you are satisfied with a configuration you can...

Страница 26: ...pport The Contact Customer Support button opens the Fortinet support web page in a new browser window From this page you can Register your FortiGate unit Product Registration Fortinet will email you your username and password to log in to the customer support center Log in to the Customer Support Center Visit the FortiProtect Center Download virus and attack definition updates Find out about train...

Страница 27: ...iew other parts of the help system as you like The help system includes a navigation pane with table of contents index and a text search function Easy Setup Wizard The FortiGate setup wizard provides an easy way to configure basic initial settings for the FortiGate unit The wizard walks through the configuration of a new administrator password FortiGate interfaces DHCP server settings internal ser...

Страница 28: ... computer must have Java version 1 3 or higher installed For information on how to use the CLI see the FortiGate CLI Reference Guide Figure 4 Console access Logout The Logout button immediately logs you out of the web based manager Log out before you close the browser window If you simply close the browser or leave the web based manager you remain logged in until the idle timeout default 5 minutes...

Страница 29: ... to System Network Interface Figure 5 Parts of the web based manager Web based manager menu The menu provides access to configuration options for all major features of the FortiGate unit Tabs Menu Page Button bar Status bar System Configure system facilities such as network interfaces virtual domains DHCP services time and set system options Router Configure the router Firewall Configure firewall ...

Страница 30: ...ing item Icons The web based manager has icons in addition to buttons to enable you to interact with the system There are tooltips to assist you in understanding the function of the icon Pause the mouse pointer over the icon to view the tooltip The following table describes the icons that you will see in the web based manager Antivirus Configure antivirus protection Web Filter Configure web filter...

Страница 31: ...y one virtual domain For information about virtual domains see System Virtual Domain on page 141 Download or Backup Download a log file or back up a configuration file Edit Edit a configuration This icon appears in lists where you have write permission on the page Go Do a search Insert Policy before Create a new policy to precede the current one Move to Move item in list Next page View next page o...

Страница 32: ...he same order as the web based manager menu There is a chapter for each item in the System menu followed by a chapter for each of the remaining top level menu items System Status System Network System DHCP System Config System Admin System Maintenance System Virtual Domain Router Firewall User VPN IPS Antivirus Web filter Spam filter Log Report FortiGuard categories ...

Страница 33: ...s the system dashboard for a snap shot of the current operating status of the FortiGate unit All FortiGate administrators with read access to system configuration can view system status information On HA clusters the Status page shows the status of the primary unit To view status information for all members of the cluster go to System Config HA and select Cluster Members For more information see H...

Страница 34: ...t the selected automatic refresh interval Refresh Select to manually update the system status display UP Time The time in days hours and minutes since the FortiGate unit was last started System Time The current time according to the FortiGate unit internal clock Log Disk Displays hard disk capacity and free space if the FortiGate unit contains a hard disk or Not Available if no hard disk is instal...

Страница 35: ...l number is specific to the FortiGate unit and does not change with firmware upgrades Operation Mode The operation mode of the current FortiGate unit Time The time at which the recent virus was detected Src Dst The source and destination addresses of the virus Service The service from which the virus was delivered HTTP FTP IMAP POP3 or SMTP Virus Detected The name of the virus detected Reset Selec...

Страница 36: ...only CPU usage for management processes for example for HTTPS connections to the web based manager is excluded Active Sessions The number of communications sessions being processed by the FortiGate unit Network Utilization The total network bandwidth being used through all FortiGate interfaces and the percentage of the maximum network bandwidth that can be processed by the FortiGate unit History S...

Страница 37: ...n the New Name field type a new host name 4 Select OK The new host name is displayed in the Host Name field and in the CLI prompt and is added to the SNMP System Name To update the firmware version For information on updating the firmware see Changing the FortiGate firmware on page 40 To update the antivirus definitions manually 1 Download the latest antivirus definitions update file from Fortinet...

Страница 38: ...o copy the attack definitions update file to the FortiGate unit The FortiGate unit updates the attack definitions This takes about 1 minute 6 Go to System Status Status to confirm that the Attack Definitions Version information has updated To change to Transparent mode After you change the FortiGate unit from the NAT Route mode to Transparent mode most of the configuration resets to Transparent mo...

Страница 39: ...nications sessions currently being processed by the FortiGate unit You can use the session list to view current sessions Figure 10 Sample session list Note If the management IP address was on a different subnet in Transparent mode you may have to change the IP address of your computer to the same subnet as the interface configured for management access From IP Set source IP address for list filter...

Страница 40: ...in system configuration read and write privileges and the FortiGate admin user can change the FortiGate firmware After you download a FortiGate firmware image from Fortinet you can use the procedures listed in Table 1 to install the firmware image on your FortiGate unit Protocol The service protocol of the connection for example udp tcp or icmp From IP The source IP address of the connection From ...

Страница 41: ...are version To use this procedure you must connect to the CLI using the FortiGate console port and a null modem cable This procedure reverts the FortiGate unit to its factory default configuration Testing a new firmware image before installing it Use this procedure to test a new firmware image before installing it To use this procedure you must connect to the CLI using the FortiGate console port a...

Страница 42: ...lowing command to copy the firmware image from the TFTP server to the FortiGate unit execute restore image name_str tftp_ipv4 Where name_str is the name of the firmware image file and tftp_ip is the IP address of the TFTP server For example if the firmware image file name is FGT_300 v280 build183 FORTINET out and the IP address of the TFTP server is 192 168 1 168 enter execute restore image FGT_30...

Страница 43: ...rting to a previous FortiOS version for example reverting from FortiOS v2 80 to FortiOS v2 50 you might not be able to restore the previous configuration from the backup configuration file To revert to a previous firmware version using the web based manager 1 Copy the firmware image file to the management computer 2 Log into the FortiGate web based manager 3 Go to System Status 4 Under Unit Inform...

Страница 44: ... FortiOS version for example reverting from FortiOS v2 80 to FortiOS v2 50 you might not be able to restore your previous configuration from the backup configuration file To use the following procedure you must have a TFTP server that the FortiGate unit can connect to To revert to a previous firmware version using the CLI 1 Make sure that the TFTP server is running 2 Copy the firmware image file t...

Страница 45: ... you want to continue y n 7 Type y The FortiGate unit reverts to the old firmware version resets the configuration to factory defaults and restarts This process takes a few minutes 8 Reconnect to the CLI 9 To confirm that the new firmware image has been loaded enter get system status 10 To restore your previous configuration if needed use the command execute restore config name_str tftp_ipv4 11 Up...

Страница 46: ...t directory of the TFTP server 4 Make sure that port8 is connected to the same network as the TFTP server This is the default interface for TFTP server firmware downloads 5 To confirm that the FortiGate unit can connect to the TFTP server use the following command to ping the computer running the TFTP server For example if the IP address of the TFTP server is 192 168 1 168 enter execute ping 192 1...

Страница 47: ...are H Display this list of options Enter G F B Q or H 8 Type G to get the new firmware image from the TFTP server The following message appears Enter image download port number 8 9 Type the number of the interface that connects to the same network as the TFTP server The default interface is port8 To accept the default interface press Enter The following message appears Enter TFTP server address 19...

Страница 48: ...ation see Backup and restore on page 125 To restore IPS custom signatures see Backing up and restoring custom signature files on page 291 To restore web content filtering lists see Backup and restore on page 125 To restore email filtering lists see Backup and restore on page 125 To update the virus and attack definitions to the most recent version see Updating antivirus and attack definitions on p...

Страница 49: ...lowing command to restart the FortiGate unit execute reboot 6 As the FortiGate unit reboots press any key to interrupt the system startup As the FortiGate units starts a series of system startup messages are displayed When one of the following messages appears FortiGate unit running v2 x BIOS Press Any Key To Download Boot Image FortiGate unit running v3 x BIOS Press any key to display configurati...

Страница 50: ...er address 192 168 1 168 10 Type the address of the TFTP server and press Enter The following message appears Enter Local Address 192 168 1 188 11 Type an IP address that can be used by the FortiGate unit to connect to the FTP server The IP address must be on the same network as the TFTP server but make sure you do not use the IP address of another device on this network The following message appe...

Страница 51: ...you can connect to from the FortiGate as described in the procedure Installing firmware images from a system reboot using the CLI on page 45 To install a backup firmware image 1 Connect to the CLI using the null modem cable and FortiGate console port 2 Make sure that the TFTP server is running 3 Copy the new firmware image file to the root directory of your TFTP server 4 To confirm that the FortiG...

Страница 52: ...age file name and press Enter The TFTP server uploads the firmware image file to the FortiGate unit and the following message is displayed Save as Default firmware Backup firmware Run image without saving D B R 11 Type B The FortiGate unit saves the backup firmware image and restarts When the FortiGate unit restarts it is running the previously installed firmware version Switching to the backup fi...

Страница 53: ...e configuration is set to factory default Switching back to the default firmware image Use this procedure to switch the FortiGate unit to operating with the backup firmware image that had been running as the default firmware image When you switch to this backup firmware image the configuration saved with this firmware image is restored To switch back to the default firmware image 1 Connect to the ...

Страница 54: ...TP server F Format boot device B Boot with backup firmware and set as default Q Quit menu and continue to boot with default firmware H Display this list of options Enter G F B Q or H 4 Type B to load the backup firmware image The FortiGate unit loads the backup firmware image and restarts When the FortiGate unit restarts it is running the backup firmware version with a restored configuration ...

Страница 55: ...d zones to the FortiGate network configuration Interface Zone Management DNS Routing table Transparent Mode VLAN overview VLANs in NAT Route mode VLANs in Transparent mode FortiGate IPv6 support Interface In NAT Route mode go to System Network Interface to configure FortiGate interfaces and to add and configure VLAN subinterfaces For information about VLANs in NAT Route mode see VLANs in NAT Route...

Страница 56: ...rk for example port1 port2 and portx If you have added VLAN subinterfaces they also appear in the name list below the physical interface that they have been added to See VLAN overview on page 70 IP The current IP address of the interface Netmask The netmask of the interface Access The administrative access configuration for the interface See To control administrative access to an interface on page...

Страница 57: ... for dynamic DNS services To add a secondary IP address To add a ping server to an interface To control administrative access to an interface To change the MTU size of the packets leaving an interface To configure traffic logging for connections to an interface Name The name of the Interface Interface Select the name of the physical interface to add the VLAN subinterface to All VLAN subinterfaces ...

Страница 58: ... to send the DHCP request Note Where you can enter both an IP address and a netmask in the same field you can use the short form of the netmask For example 192 168 1 100 255 255 255 0 can also be entered as 192 168 1 100 24 Distance Enter the administrative distance for the default gateway retrieved from the DHCP server The administrative distance an integer from 1 255 specifies the relative prior...

Страница 59: ...erwise this IP address can be the same as the IP address of another interface or can be any IP address Initial Disc Timeout Initial discovery timeout The time to wait before retrying to start a PPPoE discovery Set Initial Disc to 0 to disable Initial PADT timeout Initial PPPoE Active Discovery Terminate PADT timeout in seconds Use this timeout to shut down the PPPoE session if it is idle for this ...

Страница 60: ...s options Connect to server Enable Connect to Server so that the interface automatically attempts to connect to a PPPoE server Disable this option if you are configuring the interface offline Status Displays PPPoE status messages as the FortiGate unit connects to the PPPoE server and gets addressing information Select Status to refresh the addressing mode status message initializing No activity co...

Страница 61: ...er Go to Log Report Log Config to configure logging locations and types For information about logging see Log Report on page 351 Configuring interfaces Use the following procedures to configure FortiGate interfaces and VLAN subinterfaces To bring down an interface that is administratively up To add interfaces to a zone To add an interface to a virtual domain To change the static IP address of an i...

Страница 62: ... a zone on page 67 You cannot add an interface to a zone if you have added firewall policies for the interface Delete firewall policies for the interface and then add the interface to the zone 1 Go to System Network Zone 2 Choose the zone to add the interface or VLAN subinterface to and select Edit 3 Select the names of the interfaces or VLAN subinterfaces to add to the zone 4 Select OK to save th...

Страница 63: ...es from the DHCP server 5 Select the Connect to Server check box if you want the FortiGate unit to connect to the DHCP server 6 Select Apply The FortiGate unit attempts to contact the DHCP server from the interface to set the IP address netmask and optionally the default gateway IP address and DNS server IP addresses 7 Select Status to refresh the addressing mode status message 8 Select OK To conf...

Страница 64: ... following commands config system interface edit intf_str config secondaryip edit 0 set ip second_ip netmask_ip Optionally you can also configure management access and add a ping server to the secondary IP address set allowaccess ping https ssh snmp http telnet set gwdetect enable Save the changes end To configure support for dynamic DNS services 1 Go to System Network Interface 2 Select the inter...

Страница 65: ...n from the Internet Use secure administrative user passwords Change these passwords regularly Enable secure administrative access to this interface using only HTTPS or SSH Do not change the system idle timeout from the default value of 5 minutes see To set the system idle timeout on page 89 To configure administrative access in Transparent mode see To configure the management interface on page 68 ...

Страница 66: ...mains to your FortiGate configuration make sure you are configuring the correct virtual domain before adding or editing zones Figure 14 Zone list Zone settings Figure 15 Zone options Create New Select Create New to create a zone Name The names of the zones that you have added Block intra zone traffic Displays Yes if traffic between interfaces in the same zone is blocked and No if traffic between i...

Страница 67: ...ystem Network Zone 3 Select Delete to remove a zone from the list 4 Select OK to delete the zone To edit a zone 1 If you have added a virtual domain go to System Virtual Domain Current Virtual Domain and select the virtual domain in which to edit the zone 2 Go to System Network Zone 3 Select Edit to modify a zone 4 Select or deselect Block intra zone traffic 5 Select the names of the interfaces or...

Страница 68: ... value of 5 minutes see To set the system idle timeout on page 89 Figure 16 Management To configure the management interface 1 Go to System Network Management 2 Enter the Management IP Netmask 3 Enter the Default Gateway 4 Select the Management Virtual Domain 5 Select Apply The FortiGate unit displays the following message Management IP address was changed Click here to redirect 6 Click on the mes...

Страница 69: ... local routers Routing table list Figure 18 Routing table Primary DNS Server Enter the primary DNS server IP address Secondary DNS Server Enter the secondary DNS server IP address Create New Select Create New to add a new route Route number IP The destination IP address for this route Mask The netmask for this route Gateway The IP address of the next hop router to which this route directs traffic ...

Страница 70: ...same VLAN A VLAN segregates devices logically instead of physically Each VLAN is treated as a broadcast domain Devices in VLAN 1 can connect with other devices in VLAN 1 but cannot connect with devices in other VLANs The communication among devices on a VLAN is independent of the physical network A VLAN segregates devices by adding 802 1Q VLAN tags to all of the packets sent and received by the de...

Страница 71: ...omains Traffic from each security domain is given a different VLAN ID The FortiGate unit can recognize VLAN IDs and apply security policies to secure network and IPSec VPN traffic between security domains The FortiGate unit can also apply authentication protection profiles and other firewall policy features for network and VPN traffic that is allowed to pass between security domains VLANs in NAT R...

Страница 72: ... interfaces There is no internal connection or link between two VLAN subinterfaces with same VLAN ID Their relationship is the same as the relationship between any two FortiGate network interfaces Rules for VLAN IP addresses IP addresses of all FortiGate interfaces cannot overlap That is the IP addresses of all interfaces must be on different subnets This rule applies to both physical interfaces a...

Страница 73: ...LAN ID that matches the VLAN ID of the packets to be received by this VLAN subinterface 6 Select the virtual domain to which to add this VLAN subinterface See System Virtual Domain on page 141 for information about virtual domains 7 Select the name of a zone if you want this VLAN subinterface to belong to a zone You can only select a zone that has been added to the virtual domain selected in the p...

Страница 74: ... FortiGate Internal and external interface you would add a VLAN subinterface to the internal interface and another VLAN subinterface to the external interface If these VLAN subinterfaces have the same VLAN IDs the FortiGate unit applies firewall policies to the traffic on this VLAN If these VLAN subinterfaces have different VLAN IDs or if you add more than two VLAN subinterfaces you can also use f...

Страница 75: ...ontent filtering and other services to each VLAN Figure 23 FortiGate unit in Transparent mode VLAN1 VLAN1 VLAN2 VLAN2 VLAN3 VLAN3 root virtual domain New virtual domain Internal External VLAN1 VLAN3 VLAN2 VLAN Switch or router VLAN Switch or router VLAN trunk VLAN1 VLAN2 VLAN3 VLAN trunk FortiGate unit VLAN1 VLAN3 VLAN2 Internet VLAN switch FortiGate unit operating in Transparent mode POWER VLAN s...

Страница 76: ... Figure 24 Sample Transparent mode VLAN list Transparent mode VLAN settings VLAN settings displays the current configuration of a selected FortiGate interface or VLAN subinterface Use VLAN settings to configure a new VLAN subinterface or to change the configuration of a FortiGate interface or VLAN subinterface Create New Select Create New to add a VLAN subinterface to a FortiGate interface Virtual...

Страница 77: ...LAN subinterface 5 Enter the VLAN ID that matches the VLAN ID of the packets to be received by this VLAN subinterface 6 Select the virtual domain to which to add this VLAN subinterface See System Virtual Domain on page 141 for information about virtual domains 7 Enable or disable using a Dynamic DNS service DDNS If the FortiGate unit uses a dynamic IP address you can arrange with a DDNS service pr...

Страница 78: ...th an IPv4 and an IPv6 address to any interface on a FortiGate unit The interface functions as two interfaces one for IPv4 addressed packets and another for IPv6 addressed packets FortiGate units support static routing periodic router advertisements and tunneling of IPv6 addressed traffic over an IPv4 addressed network All of these features must be configured through the Command Line Interface CLI...

Страница 79: ...n interface cannot provide both functions at the same time This section describes Service Server Exclude range IP MAC binding Dynamic IP Service Go to System DHCP Service to configure the DHCP service provided by each FortiGate interface You can configure each interface to be a DHCP relay or a DHCP server or you can turn off DHCP services Figure 26 DHCP service list Note To configure DHCP server o...

Страница 80: ... 3 Select DHCP Relay Agent Interface List of FortiGate interfaces Service The DHCP service provided by the interface none DHCP Relay or DHCP Server Edit View icon Select to view or modify the DHCP service configuration for an interface Interface The name of the interface None No DHCP services provided by the interface DHCP Relay Agent Select to configure the interface to be a DHCP relay agent Type...

Страница 81: ...ver configuration for this interface See To configure a DHCP server for an interface on page 83 Server You can configure one or more DHCP servers for any FortiGate interface As a DHCP server the interface dynamically assigns IP addresses to hosts on a network connected to the interface You can add more than one DHCP server to a single interface to be able to provide DHCP services to multiple netwo...

Страница 82: ...r assigns to DHCP clients Lease Time Select Unlimited for an unlimited lease time or enter the interval in days hours and minutes after which a DHCP client must ask the DHCP server for new settings The lease time can range from 5 minutes to 100 days DNS Server Enter the IP addresses of up to 3 DNS servers that the DHCP server assigns to DHCP clients WINS Server Add the IP addresses of one or two W...

Страница 83: ...nfiguration using DHCP The IP range of each DHCP server must match the subnet addresses 2 Configure the routers for DHCP relay 3 Add multiple DHCP servers to the interface one for each subnet When a computer on one of the connected subnets sends a DHCP request it is relayed to the FortiGate interface by the router using DHCP relay The FortiGate unit selects the DHCP server configuration with an IP...

Страница 84: ...ss and an IP address to the IP MAC binding list the DHCP server always assigns this IP address to the MAC address IP MAC binding pairs apply to all FortiGate DHCP servers Figure 32 IP MAC binding list Starting IP The starting IP of the exclude range Ending IP The ending IP of the exclude range Delete Delete an exclude range Edit View icon View or modify an exclude range Starting IP Enter the start...

Страница 85: ...se addresses To view the dynamic IP list 1 Go to System DHCP Dynamic IP 2 Select the interface for which you want to view the list Delete icon Delete an IP MAC binding pair Edit View icon View or modify an IP MAC binding pair Name Enter a name for the IP MAC address pair IP Address Enter the IP address for the IP and MAC address pair The IP address must be within the configured IP range MAC Addres...

Страница 86: ...86 01 28008 0013 20050204 Fortinet Inc Dynamic IP System DHCP ...

Страница 87: ... Time to set the FortiGate system time For effective scheduling and logging the FortiGate system time must be accurate You can either manually set the FortiGate system time or you can configure the FortiGate unit to automatically keep its system time correct by synchronizing with a Network Time Protocol NTP server Figure 34 System time System Time The current FortiGate system date and time Refresh...

Страница 88: ...tions Timeout settings including the idle timeout and authentication timeout The language displayed by the web based manager Dead gateway detection interval and failover detection Automatically adjust clock for daylight saving changes Select the Automatically adjust clock for daylight saving changes check box if you want the FortiGate system clock to be adjusted automatically when your time zone c...

Страница 89: ...minutes 8 hours To improve security keep the idle timeout at the default value of 5 minutes Auth Timeout Set the firewall user authentication timeout to control how long an authenticated connection can be idle before the user must authenticate again The maximum authtimeout is 480 minutes 8 hours The default Auth Timeout is 15 minutes For more information see Setting authentication timeout on page ...

Страница 90: ...normal security services such as firewalling VPN IPS virus scanning web filtering and spam filtering services Inside the cluster the individual FortiGate units are called cluster units These cluster units share state and configuration information If one cluster unit fails the other units in the cluster automatically replace that unit taking over the work that the failed unit was doing The cluster ...

Страница 91: ... device failover and HA heartbeat failover HA modes FortiGate units can be configured to operate in active passive A P or active active A A HA mode Active active and active passive clusters can run in either NAT Route or Transparent mode An active passive A P HA cluster also referred to as failover HA consists of a primary unit that processes traffic and one or more subordinate units The subordina...

Страница 92: ...h to operating in HA mode Also if you are operating a FortiGate HA cluster you cannot change a FortiGate interface in the cluster to be configured dynamically using DHCP or PPPoE Configuring a FortiGate interface to be a DHCP server or a DHCP relay agent is not affect by HA operation For information about DHCP server and relay see System DHCP on page 79 PPTP and L2TP are supported in HA mode You c...

Страница 93: ...t Cluster Members to view the status of all FortiGate units in the cluster Status information includes the cluster ID status up time weight and monitor information For more information see To view the status of each cluster member on page 103 Mode All members of the HA cluster must be set to the same HA mode For more information about HA mode see HA modes on page 91 Active Active Load balancing an...

Страница 94: ...ity During HA negotiation the unit with the highest unit priority becomes the primary unit The unit priority range is 0 to 255 The default unit priority is 128 You can use the unit priority to control the order in which cluster units become the primary unit when a cluster unit fails For example if you have three FortiGate units in a cluster you can set the unit priorities as shown in Table 4 Clust...

Страница 95: ...s If you have more than one FortiGate HA cluster on the same network each cluster must have a different password Schedule If you are configuring an active active cluster select a load balancing schedule None No load balancing Select None when the cluster interfaces are connected to load balancing switches Hub Load balancing if the cluster interfaces are connected to a hub Traffic is distributed to...

Страница 96: ... priority handles all HA heartbeat traffic If this interface fails or becomes disconnected the interface with the next highest priority handles all HA heartbeat traffic The cluster units use the ethernet interfaces configured with HA heartbeat priorities for HA heartbeat communication The HA heartbeat communicates cluster session information synchronizes the cluster configuration synchronizes the ...

Страница 97: ...assigned the IP address 10 0 0 1 and the subordinate unit heartbeat device interface is assigned the IP address 10 0 0 2 A third cluster unit would be assigned the IP address 10 0 0 3 and so on For best results isolate each heartbeat device on its own network Heartbeat packets contain sensitive information about the cluster configuration Also heartbeat packets may use a considerable amount of netw...

Страница 98: ...If a low priority interface fails on one cluster unit and a high priority interface fails on another cluster unit a unit in the cluster with a working connection to the high priority interface would if it becomes necessary to negotiate a new primary unit be selected instead of a unit with a working connection to the low priority interface Configuring an HA cluster Managing an HA cluster Configurin...

Страница 99: ...ortiGate unit interfaces see Group ID on page 94 To be able to reconnect sooner you can update the ARP table of your management PC by deleting the ARP table entry for the FortiGate unit 13 If you are configuring a NAT Route mode cluster power off the FortiGate unit and then repeat this procedure for all the FortiGate units in the cluster Once all of the units are configured continue with To connec...

Страница 100: ...er into your network temporarily interrupts communications on the network because new physical connections are being made to route traffic through the cluster Also starting the cluster interrupts network traffic until the individual cluster units are functioning and the cluster completes negotiation Cluster negotiation normally takes just a few seconds During system startup and negotiation all net...

Страница 101: ...d robin weights By default in active active HA mode the weighted round robin schedule assigns the same weight to each cluster unit From the CLI you can use the following command to configure a weight value for each cluster unit config system ha set weight priority id_integer weight_integer end The weight value sets the maximum number of connections that are sent to a cluster unit before a connecti...

Страница 102: ...zation you manage the HA cluster instead of managing the individual cluster units You manage the cluster by connecting to the web based manager using any cluster interface configured for HTTPS administrative access You can also manage the cluster by connecting to the CLI using any cluster interface configured for SSH administrative access You can also use SNMP to manage the cluster by configuring ...

Страница 103: ...into the web based manager 2 Go to System Config HA 3 Select Cluster Members A list of cluster members appears The list includes the cluster ID of each cluster member as well as status information for each cluster member Figure 38 Example cluster members list active active cluster Refresh every Select to control how often the web based manager updates the system status display Go Select to set the...

Страница 104: ...wer FortiGate units The failed primary unit no longer appears on the Cluster Members list The host name and serial number of the primary cluster unit changes The new primary unit logs the following messages to the event log HA slave became master Detected HA member dead CPU Usage The current CPU status of each cluster unit The web based manager displays CPU usage for core processes only CPU usage ...

Страница 105: ... cluster Each cluster unit is numbered starting at 1 The information displayed for each cluster unit includes the unit serial number and the host name of the unit 3 Complete the command with the number of the subordinate unit to log into For example to log into subordinate unit 1 enter the following command execute ha manage 1 Press Enter to connect to and log into the CLI of the selected subordin...

Страница 106: ... system location description can be up to 35 characters long Contact Enter the contact information for the person responsible for this FortiGate unit The contact information can be up to 35 characters long Apply Save changes made to the description location and contact information Create New Select Create New to add a new SNMP community Communities The list of SNMP communities added to the FortiGa...

Страница 107: ...managers can connect to the FortiGate unit to view system information and receive SNMP traps You can add up to three SNMP communities Each community can have a different configuration for SNMP queries and traps Each community can be configured to monitor the FortiGate unit for a different set of events You can also add the IP addresses of up to 8 SNMP managers to each community Figure 40 SNMP comm...

Страница 108: ...manager can use this SNMP community Interface Optionally select the name of the interface that this SNMP manager uses to connect to the FortiGate unit You only have to select the interface if the SNMP manager is not on the same subnet as the FortiGate unit This can occur if the SNMP manager is on the Internet or behind a router Add Select Add to add more SNMP managers You can add up to 8 SNMP mana...

Страница 109: ...ct OK FortiGate MIBs The FortiGate SNMP agent supports FortiGate proprietary MIBs as well as standard RFC 1213 and RFC 2665 MIBs RFC support includes support for the parts of RFC 2665 Ethernet like MIB and the parts of RFC 1213 MIB II that apply to FortiGate unit configuration The FortiGate MIBs are listed in Table 7 You can obtain these MIB files from Fortinet technical support To be able to comm...

Страница 110: ...aps see FortiGate traps on page 110 RFC 1213 MIB II The FortiGate SNMP agent supports MIB II groups with the following exceptions No support for the EGP group from MIB II RFC 1213 section 3 11 and 6 10 Protocol statistics returned for MIB II groups IP ICMP TCP UDP etc do not accurately capture all FortiGate traffic activity More accurate information can be obtained from the information reported by...

Страница 111: ... interface the new IP address of the interface and the serial number of the FortiGate unit This trap can be used to track interface IP address changes for interfaces configured with dynamic IP addresses set using DHCP or PPPoE Table 10 FortiGate VPN traps Trap message Description VPN tunnel is up VpnTunnelUp An IPSec VPN tunnel starts up and begins processing network traffic VPN tunnel down VpnTun...

Страница 112: ...mary unit switch HaSwitch The different unit in the HA cluster became the primary unit Table 15 System MIB fields MIB field Description model FortiGate model number for example 400 for the FortiGate 400 serial FortiGate unit serial number version The firmware version currently running on the FortiGate unit versionAv The antivirus definition version installed on the FortiGate unit versionNids The a...

Страница 113: ...mber of packets processed by the FortiGate unit byteCount The number of bytes processed by the FortiGate unit idsCount The number of attacks detected by the IPS running on the FortiGate unit in the last 20 hours avCount The number of viruses detected by the antivirus system running on the FortiGate unit in the last 20 hours Table 17 Administrator accounts MIB field Description index The index numb...

Страница 114: ...d Description index The index number virtual domain added to the FortiGate unit name The name of the virtual domain added to the FortiGate unit Each FortiGate unit includes at least one virtual domain named root auth The authentication type of for the local user Can be password LDAP or RADIUS state Whether the local user is enabled or disable Table 20 Active IP sessions MIB field Description index...

Страница 115: ... replacement message that you want to change select Edit 4 Edit the content of the message Name The type of replacement message You can change messages added to email web pages in http traffic messages that are displayed to ftp users alert mail messages messages added to smtp email and messages added to web pages blocked by web filter category blocking Description Description of the replacement me...

Страница 116: ...us file blocking QUARFILENAME can be used in virus and file block messages Quarantining is only available on FortiGate units with a local disk URL The URL of a web page This can be a web page that is blocked by web filter content or URL blocking URL can also be used in http virus and file block messages to be the URL of the web page from which a user attempted to download a file that is blocked CR...

Страница 117: ...mail address of the intended receiver of the message from which the file was removed NIDSEVENT The IPS attack message NIDSEVENT is added to alert email intrusion messages SERVICE The name of the web filtering service CATEGORY The name of the content category of the web site FORTINET The Fortinet logo Table 21 Replacement message tags Continued Tag Description Enable FortiManager Enable secure IPSe...

Страница 118: ...118 01 28008 0013 20050204 Fortinet Inc FortiManager System Config ...

Страница 119: ...es that each access control category controls Read access enables the administrator to view the web based manager page The administrator needs write access to change the settings on the page The access profile has a similar effect on administrator access to CLI commands The following table shows which commands are available in each access control category with read and write permission If the get ...

Страница 120: ...og Report get alertemail get log execute enter config alertemail config log execute enter Security Policy get antivirus get firewall get ips get spamfilter get vpn get webfilter execute enter execute vpn config antivirus config firewall config ips config spamfilter config vpn config webfilter execute enter execute vpn Auth Users get user execute enter config user exec enter Admin Users get system ...

Страница 121: ...ist Administrators options Figure 46 Administrator account configuration Create New Add an administrator account Name The login name for an administrator account Trusted hosts The trusted host IP address and netmask from which the administrator can log in Permission The permission profile for the administrator Edit or View icon Select to edit or view the administrator account Delete icon Select to...

Страница 122: ...rity of your network by further restricting administrative access In addition to knowing the password an administrator must connect only through the subnet or subnets you specify You can even restrict an administrator to a single IP address if you define only one trusted host IP address with a netmask of 255 255 255 255 Administrator Enter the login name for the administrator account Password Type...

Страница 123: ...ile You can create access profiles that deny access or allow read only or both read and write access to FortiGate features When an administrator has only read access to a feature the administrator can access the web based manager page for that feature but cannot make changes to the configuration There are no Create or Apply buttons and lists display only the View icon instead of icons for Edit Del...

Страница 124: ...ssage features To allow an administrator to modify these features enable both Read and Write Log Report Select Read to allow an administrator to view log setting log access and alert email features To allow an administrator to modify these features enable both Read and Write Security Policy Select Read to allow an administrator to view the firewall VPN IPS and antivirus features To allow an admini...

Страница 125: ... web and spam filtering files to the management computer You can also restore system configuration VPN certificate web and spam filtering files from previously downloaded backup files Figure 50 Backup and restore list Category The list of files that can be backed up and restored Latest Backup The date and time of the last backup The Restore Upload Backup and Reset to factory default icons All Conf...

Страница 126: ...system to its original configuration including resetting interface addresses This procedure does not change the firmware version or the antivirus or attack definitions Debug Log Download debug log Web Filtering Web Content Block Restore or back up the Web Content Block list Web URL Block List Restore or back up the Web URL Block list Web URL Exempt List Restore or back up the Web URL Exempt list S...

Страница 127: ...file or select Browse and locate the file 4 Select OK If you restore the system configuration the FortiGate unit restarts loading the new system settings You should then reconnect to the web based manager and review your configuration to confirm that the uploaded system settings have taken effect 5 Select Return This step does not apply if you restore the system configuration To back up VPN certif...

Страница 128: ...t 9443 To receive push updates the FDN must be able to route packets to the FortiGate unit using UDP port 9443 For information about configuring push updates see To enable push updates on page 133 The FDN is a world wide network of FortiProtect Distribution Servers FDSs When the FortiGate unit connects to the FDN it connects to the nearest FDS To do this all FortiGate units are programmed with a l...

Страница 129: ...ot registered the FortiGate unit see To register a FortiGate unit on page 138 if there is a NAT device installed between the FortiGate unit and the FDN see Enabling push updates through a NAT device on page 134 or if your FortiGate unit connects to the Internet using a proxy server see To enable scheduled updates through a proxy server on page 132 Refresh When you select Refresh the FortiGate unit...

Страница 130: ...an indicate that the FortiGate was not able to connect to the FDN and other error conditions Allow Push Update Select this check box to allow automatic updates of the FortiGate unit Use override push IP Select this check box and enter the override IP address and port number Override push IP addresses and ports are used when there is a NAT device between the FortiGate Unit and the FDN The FortiGate...

Страница 131: ...pdate check box 3 Select one of the following to check for and download updates 4 Select Apply The FortiGate unit starts the next scheduled update according to the new update schedule Whenever the FortiGate unit runs a scheduled update the event is recorded in the FortiGate event log To add an override server If you cannot connect to the FDN or if your organization provides antivirus and attack up...

Страница 132: ... proxy server is config system autoupdate tunneling set address proxy address_ip set port proxy port set username username_str set password password_str set status enable end For example if the IP address of the proxy server is 67 35 50 34 its port is 8080 the user name is proxy_user and the password is proxy_pwd enter the following command config system autoupdate tunneling set address 67 35 50 3...

Страница 133: ...s the only method for obtaining updates The FortiGate unit might not receive the push notification Also when the FortiGate unit receives a push notification it makes only one attempt to connect to the FDN and download updates To enable push updates 1 Go to System Maintenance Update center 2 Select Allow Push Update 3 Select Apply Push updates when FortiGate IP addresses change The SETUP message th...

Страница 134: ...he FortiGate NAT device and the FortiGate unit on the internal network so that the FortiGate unit on the internal network can receive push updates 1 Add a port forwarding virtual IP to the FortiGate NAT device 2 Add a firewall policy to the FortiGate NAT device that includes the port forwarding virtual IP 3 Configure the FortiGate unit on the internal network with an override push IP and port To a...

Страница 135: ...x 3 Select the Use override push check box 4 Set IP to the external IP address added to the virtual IP 5 Set Port to the external service port added to the virtual IP 6 Select Apply The FortiGate unit sends the override push IP address and port to the FDN The FDN now uses this IP address and port for push updates to the FortiGate unit on the internal network If the external IP address or external ...

Страница 136: ...ion of the problem you have encountered with the FortiGate unit Send diagnostic information Send diagnostic information about the FortiGate unit including its current configuration to Fortinet for analysis Send email by default mail relay Submit the bug report using the default mail relay Test Test the default mail relay Send email by customized mail relay Submit the bug report using a customized ...

Страница 137: ...ou or your organization purchased You can register multiple FortiGate units in a single session without re entering your contact information Once registration is completed Fortinet sends a Support Login user name and password to your email address You can use this user name and password to log on to the Fortinet support web site to View your list of registered FortiGate units Register additional F...

Страница 138: ... each of the FortiGate models covered by the service contract To register a FortiGate unit Before registering a FortiGate unit you require the following information Your contact information including First and last name Company name Email address Your Fortinet support login user name and password will be sent to this email address Address Contact phone number A security question and an answer to t...

Страница 139: ...ou can try entering it again A web page is displayed that contains detailed information about the Fortinet technical support services available to you for the registered FortiGate unit 9 Your Fortinet support user name and password is sent to the email address provided with your contact information Shutdown You can use the Maintenance page to log out restart and shut down the FortiGate unit Figure...

Страница 140: ... the antivirus or attack definitions 1 Go to System Maintenance Shutdown 2 Select Reset to factory default 3 Select Apply The FortiGate unit restarts with the configuration that it had when it was first powered on 4 Reconnect to the web based manager and review the system configuration to confirm that it has been reset to the default settings Caution This procedure deletes all changes that you hav...

Страница 141: ...ts never cross the virtual domain border The remainder of FortiGate functionality is shared between virtual domains This means that there is one IPS configuration one antivirus configuration one web filter configuration one protection profile configuration and so on shared by all virtual domains As well virtual domains share firmware versions antivirus and attack databases and user databases For a...

Страница 142: ...gs Physical interfaces see To add physical interfaces to a virtual domain on page 146 VLAN subinterfaces see To add VLAN subinterfaces to a virtual domain on page 147 Zones see To add zones to a virtual domain on page 147 Management IP Transparent mode see To select a management virtual domain and add a management IP on page 146 Routing configuration Router configuration in NAT Route mode see To c...

Страница 143: ...Antivirus Definitions and engine Attack Definitions and engine Serial Number Operation Mode Network configuration DNS settings DHCP configuration DHCP settings are applied per interface no matter which virtual domain the interface has been added to System Config Time Options HA SNMP v1 v2c Replacement messages FortiManager configuration System Admin Administrators Access profiles System Maintenanc...

Страница 144: ...al domain if you want these systems to communicate with network resources that can connect to a different virtual domain Virtual domains Go to System Virtual domain Virtual domains to view and add virtual domains Figure 55 Virtual domain list Create New Add a new virtual domain Current The name of the current virtual domain Select Change to choose a different domain The default virtual domain is r...

Страница 145: ...domain Name The virtual domain must not have the same name as a VLAN or zone 4 Select OK Selecting a virtual domain The following procedure applies to NAT Route and Transparent mode To select a virtual domain to configure 1 Go to System Virtual domain Virtual domains 2 Select Change following the current virtual domain name above the table 3 Choose the virtual domain to configure 4 Select OK The f...

Страница 146: ...onfigure virtual domains Adding interfaces VLAN subinterfaces and zones to a virtual domain Configuring routing for a virtual domain Configuring firewall policies for a virtual domain Configuring IPSec VPN for a virtual domain Adding interfaces VLAN subinterfaces and zones to a virtual domain To add physical interfaces to a virtual domain A virtual domain must contain at least two interfaces These...

Страница 147: ... procedure describes how to move a VLAN subinterface from one virtual domain to another You cannot remove a VLAN subinterface from a virtual domain if firewall policies have been added for it Delete the firewall policies or remove the VLAN subinterface from the firewall policies first If the VLAN subinterface has been added to a zone it is removed from the zone when you move it to a different virt...

Страница 148: ...ion for the current virtual domain To configure the routing table for a virtual domain in Transparent mode 1 Go to System Virtual domain Virtual domains 2 Select Change following the current virtual domain name above the table 3 Choose the virtual domain for which to configure routing 4 Select OK 5 Go to System Network Routing Table 6 Configure the routing table for the current virtual domain as r...

Страница 149: ...e table 3 Choose the virtual domain for which to configure firewall addresses 4 Select OK 5 Go to Firewall Address 6 Add new firewall addresses address ranges and address groups to the current virtual domain See Address on page 209 To add IP pools to a virtual domain The following procedure applies to NAT Route mode 1 Go to System Virtual domain Virtual domains 2 Select Change following the curren...

Страница 150: ...irtual domain The following procedure applies to NAT Route and Transparent mode 1 Go to System Virtual domain Virtual domains 2 Select Change following the current virtual domain name above the table 3 Choose the virtual domain for which to configure VPN 4 Select OK 5 Go to VPN 6 Configure IPSec VPN PPTP L2TP and certificates as required See VPN on page 255 ...

Страница 151: ... be routed You can decrease the distance value of a static route to indicate that the route is preferable compared to another static route that specifies a different gateway to the same destination network Routes having lower administrative distances are preferable and are selected first when two or more routes to the same destination network are available The FortiGate unit routes packets using a...

Страница 152: ...68 10 1 Device Name of the interface connected to network 192 168 10 0 24 e g external Distance 10 The Gateway setting specifies the IP address of the next hop router interface to the FortiGate external interface The interface behind the router 192 168 10 1 is the default gateway for FortiGate_1 In some cases there may be routers behind the FortiGate unit If the destination IP address of a packet ...

Страница 153: ...s Destination IP mask 192 168 30 0 24 Gateway 192 168 10 2 Device dmz Distance 10 To route packets from Network_2 to Network_1 Router_2 must be configured to use the FortiGate dmz interface as its default gateway On the FortiGate unit you would create a new static route with these settings Destination IP mask 192 168 20 0 24 Gateway 192 168 10 1 Device internal Distance 10 Static route list Figure...

Страница 154: ...eway The IP address of the first next hop router to which this route directs traffic Device The name of the FortiGate interface through which to route traffic Distance The administrative distance for the route Delete Edit and Move to icons Delete edit or move a static route in the list Destination IP Mask Enter the destination IP address and netmask for this route The value 0 0 0 0 0 0 0 0 is rese...

Страница 155: ...or source interface The FortiGate unit starts at the top of the policy routing list and attempts to match the packet with a policy The policy route supplies the next hop gateway as well as the FortiGate interface to be used by the traffic If no policy route matches the packet the FortiGate unit routes the packet using the regular routing table Policy route list Figure 61 Policy routes Create New A...

Страница 156: ...RIP supports both RIP version 1 as defined by RFC 1058 and RIP version 2 as defined by RFC 2453 RIP version 2 enables RIP messages to carry more information and to support simple authentication and subnet masks Protocol Match packets that have this protocol number Incoming Interface Match packets that are received on this interface Source Address Mask Match packets that have this source IP address...

Страница 157: ...cess servers in the network should have the same RIP timer settings Update The time interval in seconds between RIP updates Garbage The time in seconds that must elapse after the timeout interval for a route expires before RIP deletes the route If RIP receives an update for the route after the timeout timer expires but before the garbage timer expires then the entry is switched back to reachable T...

Страница 158: ...tributed routes 4 Select a Route map name 5 Select Apply Networks list Identify the networks for which to send and receive RIP updates If a network is not specified interfaces in that network will not be advertised in RIP updates Figure 64 RIP Networks list Route map Enter the name of the route map to use for the redistributed connected routes For information on how to configure route maps see Rou...

Страница 159: ...tication RIP version send and receive for the specified interface and configure and enable split horizon Authentication is only available for RIP version 2 packets sent and received by an interface Set authentication to None if Send Version or Receive Version are set to 1 or 1 2 Figure 66 RIP interface list Create New Add a new RIP interface Interface The FortiGate interface name Send Version The ...

Страница 160: ... the Receive Version here overrides the default RIP version for this interface Split Horizon Configure RIP to use either regular or poisoned reverse split horizon on this interface Select Regular to prevent RIP from sending updates for a route back out the interface from which it received that route Select Poisoned reverse to send updates with routes learned on an interface back out the same inter...

Страница 161: ...erface the filter will be applied to all interfaces in the current virtual domain You must configure the access list or prefix list that you want the distribute list to use before you configure the distribute list For more information on configuring access lists and prefix lists see Access list on page 164 and Prefix list on page 166 Figure 68 RIP Distribute list Password Enter a password key to u...

Страница 162: ...ter The type of filter and the filter name Interface The interface to use this filter on If no interface name is displayed this distribute list is used for all interfaces Enable The status of this distribute list Delete and Edit icons Delete or edit a RIP distribute list Direction Set the direction for the filter Select In to filter incoming packets Select Out to filter outgoing packets prefix lis...

Страница 163: ... a new offset list Direction The direction for the offset list Access list The access list to use for this offset list Offset The offset number to add to the metric for this offset list Interface The interface to match for this offset list Enable The status of this offset list Delete and Edit icons Delete or edit a RIP offset list Direction Select In to apply the offset to the metrics of incoming ...

Страница 164: ...ix IP address and netmask the action to take for this prefix permit or deny and whether to match the prefix exactly or to match the prefix and any more specific prefix The FortiGate unit attempts to match a packet against the rules in an access list starting at the top of the list If it finds a match for the prefix it takes the action specified for that prefix If no match is found the default acti...

Страница 165: ...ntry to edit that entry 3 Select Permit or Deny for the Action to take for the prefix in this access list entry 4 Select either Match any or Match a network address 5 If you selected Match a network address enter the IP address and netmask that define the prefix for this access list entry 6 Select Exact match if required 7 Select OK list Entry The access list name and the number of this entry Acti...

Страница 166: ...x If no match is found the default action is deny For a prefix list to take effect it must be called by another FortiGate routing feature such as RIP or OSPF Figure 75 Prefix list New Prefix list Figure 76 Prefix list name configuration To add a prefix list name 1 Go to Router Router Objects Prefix List 2 Select Create New 3 Enter a name for the prefix list 4 Select OK Create New Add a new prefix ...

Страница 167: ...er 8 Select OK Route map list Route maps are a specialized form of filter Route maps are similar to access lists but have enhanced matching criteria and in addition to permit or deny actions can be configured to make changes as defined by set statements list Entry The prefix list name and the number of this entry Action Set the action to take for this prefix to Permit or Deny Prefix Select Match a...

Страница 168: ...tatements are defined in a rule all the match statements must match before the set statements can be used For a route map to take effect it must be called by another FortiGate routing feature such as RIP Figure 78 Route map list New Route map Figure 79 Route map name configuration To add a route map name 1 Go to Router Router Objects Route map 2 Select Create New 3 Enter a name for the route map 4...

Страница 169: ...Deny to deny routes that match this entry Match The criteria to match Interface Match a route with the selected destination interface Address Match a route if the destination address is included in the selected access list or prefix list Next hop Match a route that has a next hop router address included in the selected access list or prefix list Metric Match a route with the specified metric The m...

Страница 170: ... from one key to the next according to the scheduled send and receive lifetimes The sending and receiving routers should have their system dates and times synchronized but overlapping the key lifetimes ensures that a key is always available even if there is some difference in the system times See System time on page 87 for information on setting the FortiGate system date and time Figure 81 Key cha...

Страница 171: ...time select the required hour minute second year month and day to start using this key for received routing updates Key chain entry The key chain name and the ID number for this key chain entry Key The key password can be up to 35 characters long Accept Lifetime Set the time period during which the key can be received Send Lifetime Set the time period during which the key can be sent Start For bot...

Страница 172: ...te routing table Routing monitor list Figure 84 Routing monitor To filter the routing monitor display 1 Go to Router Monitor Routing Monitor 2 Select a type of route to display or select all to display routes of all types For example select Connected to display all the directly connected routes or select RIP to display all the routes learned from RIP Type FIlter the display to show routes of the s...

Страница 173: ... ospf interface get router info protocols Show the current state of active routing protocols Command syntax get router info protocols Note You can configure Type Network and Gateway filters individually or in any combination router info ospf command keywords and variables Keywords Description Availability border routers Show OSPF routing table entries that have an Area Border Router ABR or Autonom...

Страница 174: ... connected to more than one area is an area border router ABR Routing information is contained in a link state database Routing information is communicated between routers using link state advertisements LSAs More information on OSPF can be found in RFC 2328 Command syntax pattern config router ospf set keyword variable end config router ospf unset keyword end get router ospf show router ospf The ...

Страница 175: ...e entering the overflow state The lsas_integer must be the same on all routers attached to the OSPF area and the OSPF backbone The valid range for lsas_integer is 0 to 4294967294 10000 All models database overflow time to recover seconds_integer Enter the time in seconds after which the FortiGate unit will attempt to leave the overflow state If seconds_integer is set to 0 the FortiGate unit will n...

Страница 176: ... RFC 1583 compatibility is enabled routers choose the path with the lowest cost Otherwise routers choose the lowest cost intra area path through a non backbone area disable All models router id address_ipv4 Set the router ID The router ID is a unique number in IP address dotted decimal format that is used to identify an OSPF router to other OSPF routers The router ID should not be changed while OS...

Страница 177: ...ked together by area border routers ABRs There must be a backbone area that all areas can connect to You can use a virtual link to connect areas that do not have a physical connection to the backbone Routers within an OSPF area maintain link state databases for their own areas config area command syntax pattern config area edit id_ipv4 set keyword variable end config area edit id_ipv4 unset keywor...

Страница 178: ...igure authentication for interfaces the authentication configured for the area is not used Authentication passwords or keys are defined per interface See config ospf interface on page 190 none All models default cost cost_integer Enter the metric to use for the summary default route in a stub area or not so stubby area NSSA A lower default cost indicates a more preferred route The valid range for ...

Страница 179: ...e NSSA You can set the translator role to always to ensure this FortiGate unit always acts as a translator if it is in a NSSA even if other routers in the NSSA are also acting as translators You can set the translator role to candidate to have this FortiGate unit participate in the process for electing a translator for a NSSA You can set the translator role to never to ensure this FortiGate unit n...

Страница 180: ...refix list on page 166 config filter list command syntax pattern config filter list edit id_integer set keyword variable end config filter list edit id_integer unset keyword end config filter list delete id_integer end config filter list edit id_integer get end config filter list edit id_integer show end Note Both keywords are required filter list command keywords and variables Keywords and variab...

Страница 181: ...xample shows how to display the configuration for area 15 1 1 1 config router ospf config area edit 15 1 1 1 show end config range Access the config range subcommand using the config area command Use the area range command to summarize routes at an area boundary If the network numbers in an area are contiguous the ABR advertises a summary route that includes all the networks within the area that a...

Страница 182: ...1 1 get end Note Only the prefix keyword is required All other keywords are optional range command keywords and variables Keywords and variables Description Default Availability advertise disable enable Enable or disable advertising the specified range enable All models prefix address_ipv4mask Specify the range of addresses to summarize 0 0 0 0 0 0 0 0 All models substitute address_ipv4mask Enter ...

Страница 183: ...ct connection to the backbone A virtual link allows traffic from the area to transit a directly connected area to reach the backbone The transit area cannot be a stub area Virtual links can only be set up between two area border routers ABRs config virtual link command syntax pattern config virtual link edit name_str set keyword variable end config virtual link edit name_str unset keyword end conf...

Страница 184: ...y password_str Enter the password to use for text authentication The authentication key must be the same on both ends of the virtual link The maximum length for the authentication key is 15 characters No default All models authentication must be set to text dead interval seconds_integer The time in seconds to wait for a hello packet before declaring a router down The value of the dead interval sho...

Страница 185: ...d 0 0 0 0 All models retransmit interval seconds_integer The time in seconds to wait before sending a LSA retransmission The value for the retransmit interval must be greater than the expected round trip delay for a packet The valid range for seconds_integer is 1 to 65535 5 All models transmit delay seconds_integer The estimated time in seconds required to send a link state update packet on this v...

Страница 186: ...ge 164 config distribute list command syntax pattern config distribute list edit id_integer set keyword variable end config distribute list edit id_integer unset keyword end config distribute list delete id_integer end config distribute list edit id_integer get end config distribute list edit id_integer show end Note Both keywords are required distribute list command keywords and variables Keyword...

Страница 187: ...config distribute list edit 2 get end This example shows how to display the configuration for distribute list 2 config router ospf config distribute list edit 2 show end config neighbor Access the config neighbor subcommand using the config router ospf command Use this command to manually configure an OSPF neighbor on nonbroadcast networks OSPF packets are unicast to the specified neighbor address...

Страница 188: ...mmand keywords and variables Keywords and variables Description Default Availability cost cost_integer Enter the cost to use for this neighbor The valid range for cost_integer is 1 to 65535 10 All models ip address_ipv4 Enter the IP address of the neighbor 0 0 0 0 All models poll interval seconds_integer Enter the time in seconds between hello packets sent to the neighbor in the down state The val...

Страница 189: ... keyword can define one or multiple interfaces config network command syntax pattern config network edit id_integer set keyword variable end config network edit id_integer unset keyword end config network delete id_integer end config network edit id_integer get end config network edit id_integer show end network command keywords and variables Keywords and variables Description Default Availability...

Страница 190: ...how to display the configuration for network 2 config router ospf config network edit 2 show end config ospf interface Access the config ospf interface subcommand using the config router ospf command Use this command to change interface related OSPF settings config ospf interface command syntax pattern config ospf interface edit interface name_str set keyword variable end config ospf interface edi...

Страница 191: ...t as plain text If you select md5 the authentication key is used to generate an MD5 hash Both text mode and MD5 mode only guarantee the authenticity of the update packet not the confidentiality of the routing information in the packet In text mode the key is sent in clear text over the network Text mode is usually used only to prevent network problems that can occur if an unwanted or misconfigured...

Страница 192: ...of the interface to associate with this OSPF configuration null All models ip address_ipv4 Enter the IP address of the interface named by the interface keyword It is possible to apply different OSPF configurations for different IP addresses defined on the same interface The IP address 0 0 0 0 is not allowed 0 0 0 0 All models md5 key id_integer key_str Enter the key ID and password to use for MD5 ...

Страница 193: ...pecify the non broadcast keyword you must also configure neighbors using config neighbor on page 187 broadcast All models priority priority_integer Set the router priority for this interface Router priority is used during the election of a designated router DR and backup designated router BDR An interface with router priority set to 0 can not be elected DR or BDR The interface with the highest rou...

Страница 194: ...edit test get end This example shows how to display the configuration for the OSPF interface configuration named test config router ospf config ospf interface edit test show end status disable enable Enable or disable OSPF on this interface enable All models transmit delay seconds_integer The estimated time in seconds required to send a link state update packet on this interface OSPF increments th...

Страница 195: ... config redistribute rip set metric 3 set routemap rtmp2 set status enable end end This example shows how to display the OSPF settings get router ospf redistribute command keywords and variables Keywords and variables Description Default Availability metric metric_integer Enter the metric to be used for the redistributed routes The metric_integer range is from 1 to 16777214 10 All models metric ty...

Страница 196: ...nfig summary address command syntax pattern config summary address edit id_integer set keyword variable end config summary address edit id_integer unset keyword end config summary address delete id_integer end get router ospf show router ospf Note Only the prefix keyword is required All other keywords are optional summary address command keywords and variables Keywords and variables Description De...

Страница 197: ... routes by adding destination IP addresses and netmasks and adding gateways for these destination addresses The gateways are the next hop routers to which to route traffic that matches the destination addresses in the route The FortiGate unit assigns routes using a best match algorithm To select a route for a packet the FortiGate unit searches through the routing table for a route that best matche...

Страница 198: ...tic route configuration show router static6 This example shows how to display the configuration for IPV6 static route 2 show router static6 2 static6 command keywords and variables Keywords and variables Description Default Availability device interface name_str The name of the FortiGate interface through which to route traffic null All models NAT Route mode only dst destination address_ipv6mask T...

Страница 199: ...PN packet Each policy can be individually configured to route connections or apply network address translation NAT to translate source and destination IP addresses and ports You can add IP pools to use dynamic NAT when the firewall translates source addresses You can use policies to configure port address translation PAT through the FortiGate You can add protection profiles to firewall policies to...

Страница 200: ...he FortiGate unit receives a connection attempt at an interface it selects a policy list to search through for a policy that matches the connection attempt The FortiGate unit chooses the policy list based on the source and destination addresses of the connection attempt The FortiGate unit then starts at the top of the selected policy list and searches down the list for the first policy that matche...

Страница 201: ...n the policy should be active See Schedule on page 221 Service The service to which the policy applies See Service on page 213 Action The response to make when the policy matches a connection attempt Enable Enable or disable the policy Enabling the policy makes it available for the firewall to match it to incoming connections source destination n Policy list headings indicating the traffic to whic...

Страница 202: ... For NAT Route mode policies where the address on the destination network is hidden from the source network using NAT the destination can also be a virtual IP that maps the destination address of the packet to a hidden destination address See Virtual IP on page 225 Source Select the name of the source interface or zone for the policy The source interface or zone receives the packets to be matched ...

Страница 203: ...thentication and differentiated services You can also add a comment to the policy DENY Select deny to reject connections matched by the policy The only other policy options that you can configure are log traffic to log the connections denied by this policy and differentiated services You can also add a comment to the policy ENCRYPT Select encrypt to make this policy an IPSec VPN policy An IPSec VP...

Страница 204: ...When configuring a firewall policy select Advanced to configure advanced firewall policies Dynamic IP Pool Select Dynamic IP Pool to translate the source address to an address randomly selected from an IP Pool An IP Pool can be a single IP address or an IP address range An IP pool list appears if IP Pool addresses have been added to the destination interface or zone Select ANY IP Pool to cause the...

Страница 205: ... groups for authentication You can select Authentication for any service Users can authenticate with the firewall using HTTP Telnet or FTP For users to be able to authenticate you must add an HTTP Telnet or FTP policy that is configured for authentication When users attempt to connect through the firewall using this policy they are prompted to enter a firewall username and password If you want use...

Страница 206: ...ry hop Routers that can understand differentiated services sort IP traffic into classes by inspecting the DS field in IPv4 header or the Traffic Class field in the IPv6 header You can use the FortiGate Differentiated Services feature to change the DSCP Differentiated Services Code Point value for all packets accepted by a policy The network uses these DSCP values to classify mark shape and police ...

Страница 207: ...tination addresses 5 Configure the policy For information about configuring the policy see Policy options on page 202 6 Select OK to add the policy 7 Arrange policies in the policy list so that they have the results that you expect For information about arranging policies in a policy list see How policy matching works on page 200 To delete a policy 1 Go to Firewall Policy 2 Select the Delete icon ...

Страница 208: ...he Enable check box beside the policy you want to disable To enable a policy 1 Go to Firewall Policy 2 Select Enable Policy CLI configuration The natip keyword for the firewall policy command is used in encrypted VPN policies A natip address cannot be added using the web based manager You can configure complete firewall policies using from the CLI See the FortiGate CLI Reference Guide for descript...

Страница 209: ...bility http_retry_count retry_integer Define the number of times to retry establishing an HTTP connection when the connection fails 0 All models natip address_ipv4mask Configure natip for a firewall policy with action set to encrypt and with outbound NAT enabled Specify the IP address and subnet mask to translate the source address of outgoing packets Set natip for peer to peer VPNs to control out...

Страница 210: ...s representing an IP address and subnet mask or an IP address range Figure 91 Address options Address has the following options Create New Select Create New to add a firewall address Name The name of the firewall address Address The IP address and mask or IP address range of the firewall The Delete and Edit View icons Address Name Enter a name to identify the firewall address Addresses address gro...

Страница 211: ...t should be 255 0 0 0 The netmask for a class B subnet should be 255 255 0 0 The netmask for a class C subnet should be 255 255 255 0 The netmask for all addresses should be 0 0 0 0 An IP Range address represents A range of IP addresses in a subnet for example 192 168 20 1 to 192 168 20 10 Configuring addresses To add an address 1 Go to Firewall Address 2 Select Create New 3 Enter a name to identi...

Страница 212: ... configure policies For example if you add three addresses and then configure them in an address group you can configure a single policy using all three addresses Figure 92 Sample address group list The address group list has the following icons and features Address group options Address group options are configurable when creating or editing an address group Figure 93 Address group options Note I...

Страница 213: ... group you want to delete 3 Select OK To edit an address group 1 Go to Firewall Address Group 2 Select the Edit icon beside the address group you want to modify 3 Make any required changes 4 Select OK Service Use services to determine the types of communication accepted or denied by the firewall You can add any of the predefined services to a policy You can also create custom services and add serv...

Страница 214: ... the predefined services Detail The protocol for each predefined service Table 24 FortiGate predefined services Service name Description Protocol Port ANY Match connections on any port A connection that uses any of the predefined services is allowed through the firewall all all GRE Generic Routing Encapsulation A protocol that allows an arbitrary network protocol to be transmitted over any other a...

Страница 215: ...munication Union ITU that defines how audiovisual conferencing data is transmitted across networks tcp 1720 1503 HTTP HTTP is the protocol used by the word wide web for transferring data for web pages tcp 80 HTTPS HTTP with secure socket layer SSL service for secure communication with web servers tcp 443 IKE IKE is the protocol to obtain authenticated keying material for use with ISAKMP for IPSEC ...

Страница 216: ...s a protocol that allows corporations to extend their own corporate network through private tunnels over the public Internet tcp 1723 QUAKE For connections used by the popular Quake multi player computer game udp 26000 27000 27910 27960 RAUDIO For streaming real audio multimedia traffic udp 7070 RLOGIN Rlogin service for remotely logging into a server tcp 513 RIP Routing Information Protocol is a ...

Страница 217: ...e file transfer protocol similar to FTP but with no security features udp 69 UDP All UDP ports udp 0 65535 UUCP Unix to Unix copy utility a simple file copying protocol udp 540 VDOLIVE For VDO Live streaming multimedia traffic tcp 7000 7010 WAIS Wide Area Information Server is an Internet search protocol tcp 210 WINFRAME For WinFrame communications between computers running Windows NT tcp 1494 X W...

Страница 218: ...ame Source Port Specify the Source Port number range for the service by entering the low and high port numbers If the service uses one port number enter this number in both the low and high fields Destination Port Specify the Destination Port number range for the service by entering the low and high port numbers If the service uses one port number enter this number in both the low and high fields ...

Страница 219: ...ervice Custom 2 Select Create New 3 Enter a name for the new custom ICMP service 4 Select ICMP as the Protocol Type 5 Enter the ICMP type number and code number for the service 6 Select OK You can now add this custom service to a policy To add a custom IP service 1 Go to Firewall Service Custom 2 Select Create New 3 Enter a name for the new custom IP service 4 Select IP as the Protocol Type 5 Ente...

Страница 220: ...in predefined services and custom services in any combination You cannot add service groups to another service group Figure 99 Sample service group list The service group list has the following icons and features Service group options Service group options are configurable when creating or editing a service group Figure 100 Service group options Note To change the custom service name you must dele...

Страница 221: ...all Service Group 2 Select the Edit icon beside the service group you want to modify 3 Make any required changes 4 Select OK Schedule Use schedules to control when policies are active or inactive You can create one time schedules and recurring schedules You can use one time schedules to create policies that are effective once for the period of time specified in the schedule Recurring schedules rep...

Страница 222: ...et at all times You can add a one time schedule to block access to the Internet during a holiday period Figure 101 Sample one time schedule list The one time schedule list has the following icons and features One time schedule options Figure 102 One time schedule options One time schedule has the following options Create New Select Create New to add a one time schedule Name The name of the one tim...

Страница 223: ...side the one time schedule you want to modify 3 Modify the schedule as required 4 Select OK to save the changes Recurring schedule list You can create a recurring schedule that activates or deactivates policies at specified times of the day or on specified days of the week For example you might want to prevent game play during working hours by creating a recurring schedule Figure 103 Sample recurr...

Страница 224: ...edules use a 24 hour clock 6 Select OK To delete a recurring schedule 1 Go to Firewall Schedule Recurring 2 Select the Delete icon beside the recurring schedule you want to delete 3 Select OK Create New Select Create New to add a recurring schedule Name The name of the recurring schedule Day The initials of the days of the week on which the schedule is active Start The start time of the recurring ...

Страница 225: ...o the web server you must then add a port2 port3 firewall policy and set Destination to the virtual IP You can create three types of virtual IPs This section describes Virtual IP list Virtual IP options Configuring virtual IPs Note To change the one time schedule name you must delete the schedule and add it with a new name Static NAT Used to translate an address on a source network to a hidden add...

Страница 226: ...port forwarding Figure 106 Virtual IP options static NAT Figure 107 Virtual IP options port forwarding Create New Select Create New to add a virtual IP Name The name of the virtual IP IP The external IP address mapped to an address on the destination network Service Port The external port number of the service from the IP Map to IP The real IP address on the destination network Map to Port The por...

Страница 227: ...p 4 However the external IP address must be routed to the selected interface The virtual IP address and the external IP address can be on different subnets 7 Enter the Map to IP address to which to map the external IP address For example the IP address of a web server on an internal network 8 Select OK You can now add the virtual IP to firewall policies Name Enter the name to identify the virtual ...

Страница 228: ...configure port forwarding The external service port number must match the destination port of the packets to be forwarded For example if the virtual IP provides access from the Internet to a web server the external service port number is 80 the HTTP port 8 Enter the Map to IP address to which to map the external IP address For example the IP address of a web server on an internal network 9 Enter t...

Страница 229: ...sthrough access from the Internet to a PPTP server the external service port number should be 1723 the PPTP port 8 Enter the Map to IP address to which to map the external IP address For example the IP address of a PPTP server on an internal network 9 Enter the Map to Port number to be added to packets when they are forwarded If you do not want to translate the port enter the same number as the Ex...

Страница 230: ...and select the IP pool to use when configuring a firewall policy You can enter an IP address range using the following formats x x x x x x x x for example 192 168 110 100 192 168 110 120 x x x x x for example 192 168 110 100 120 This section describes IP pool list IP pool options Configuring IP pools IP Pools for firewall policies that use fixed ports IP pools and dynamic NAT IP pool list Figure 1...

Страница 231: ...de it 3 Modify the IP pool as required 4 Select OK to save the changes IP Pools for firewall policies that use fixed ports Some network configurations do not operate correctly if a NAT policy translates the source port of packets used by the connection NAT translates source ports to keep track of connections for a particular service You can select fixed port for NAT policies to prevent source port...

Страница 232: ...ear to be originating from any of the IP addresses in the IP pool Protection profile Use protection profiles to apply different protection settings for traffic that is controlled by firewall policies You can use protection profiles to Configure antivirus protection for HTTP FTP IMAP POP3 and SMTP policies Configure web filtering for HTTP policies Configure web category filtering for HTTP policies ...

Страница 233: ...e the strict protection profile under normal circumstances but it is available if you have extreme problems with viruses and require maximum screening Scan To apply virus scanning to HTTP FTP IMAP POP3 and SMTP traffic Quarantine is also selected for all content services On FortiGate models with a hard disk if antivirus scanning finds a virus in a file the file is quarantined on the FortiGate hard...

Страница 234: ...figuring web category filtering options on page 236 Spam Filtering See Configuring spam filtering options on page 237 IPS See Configuring IPS options on page 238 Content Archive See Configuring content archive options on page 238 Virus Scan Enable or disable virus scanning for viruses and worms for each protocol HTTP FTP IMAP POP3 SMTP Grayware if enabled in Antivirus Config Grayware is included w...

Страница 235: ... file sizes than the original attachment The most common encoding base64 translates 3 bytes of binary data into 4 bytes of base64 data So a file may be blocked or logged as oversized even if the attachment is several megabytes less than the configured oversize threshold Add signature to outgoing emails Create and enable a signature to append to outgoing email SMTP only Web Content Block Enable or ...

Страница 236: ... 5xx HTTP errors If the error is allowed through then malicious or objectionable sites could use these common error pages to circumvent web category blocking Rate images by URL blocked images will be replaced with blanks HTTP only Enable using FortiGuard to rate images based on the image URL Images that should be blocked are replaced with a blank image on the original web page FortiGuard has ratin...

Страница 237: ...o see if any of them is listed Typically Spam messages contain URL links to advertisements also called spamvertizing If a URL match is found FortiShield terminates the session If FortiShield does not find a match the mail server sends the email to the recipient See FortiShield on page 335 for more information about this service IP address BWL check Black white list check Enable or disable checking...

Страница 238: ...g any spam action in the event log Append to Choose to append the tag to the subject or MIME header of the email identified as spam Append with Enter a word or phrase tag to append to email identified as spam The maximum length is 63 characters Note Some popular email clients cannot filter messages based on the MIME header Check your email client features before deciding how to tag spam IPS Signat...

Страница 239: ...ct OK To add a protection profile to a policy You can enable protection profiles for firewall policies with action set to allow or encrypt and with service set to ANY HTTP FTP IMAP POP3 SMTP or a service group that includes these services 1 Go to Firewall Policy 2 Select a policy list to which you want to add a protection profile For example to enable network protection for files downloaded from t...

Страница 240: ...policies Command syntax pattern config firewall profile edit profilename_str set keyword variable end config firewall profile edit profilename_str unset keyword end config firewall profile delete profilename_str end get firewall profile profilename_str show firewall profile profilename_str Note This guide only describes Command Line Interface CLI commands keywords or variables in bold that are not...

Страница 241: ...ing and downloading large files When splice is disabled for ftp the FortiGate unit buffers the file for scanning before uploading it to the FTP server If the file is clean the FortiGate unit will allow the upload to continue Enter all the actions you want this profile to use Use a space to separate the options you enter If you want to remove an option from the list or add an option to the list you...

Страница 242: ...ns an error message to the sender listing the virus name and infected file name In this mode the SMTP server is not able to deliver the email if it was sent with an infected attachment Throughput is higher when splice is enabled When splice is disabled the FortiGate unit scans the email first If the FortiGate unit detects a virus it removes the infected attachment adds a customizable message and s...

Страница 243: ... the user s credentials locally or using an external LDAP or RADIUS server Authentication expires if the user leaves the connection idle for longer than the authentication timeout period You need to determine the number and membership of your user groups appropriate to your authentication needs To set up user groups 1 If external authentication is needed configure RADIUS or LDAP servers See RADIUS...

Страница 244: ...ocal Go to User Local to add local user names and configure authentication Local user list Figure 118 Local user list Local user options Figure 119 Local user options Create New Add a new local username User Name The local user name Type The authentication type to use for this user The Delete and Edit icons User Name Enter the user name Disable Select Disable to prevent this user from authenticati...

Страница 245: ...ntication The default port for RADIUS traffic is 1812 If your RADIUS server is using port 1645 you can use the CLI to change the default RADIUS port For more information see the config system global command entry in the FortiGate CLI Reference Guide RADIUS server list Figure 120 RADIUS server list LDAP Select LDAP to require the user to authenticate to an LDAP server Select the name of the LDAP se...

Страница 246: ...ou want to delete 3 Select OK LDAP If you have configured LDAP support and a user is required to authenticate using an LDAP server the FortiGate unit contacts the LDAP server for authentication To authenticate with the FortiGate unit the user enters a user name and password The FortiGate unit sends this user name and password to the LDAP server If the LDAP server can authenticate the user the user...

Страница 247: ... server configuration Create New Add a new LDAP server Server Name IP The domain name or IP address of the LDAP server Port The port used to communicate with the LDAP server Common Name Identifier The common name identifier for the LDAP server 20 characters maximum The common name identifier for most LDAP servers is cn However some servers use other common name identifiers such as uid Distinguishe...

Страница 248: ... beside the LDAP server name that you want to delete 3 Select OK Common Name Identifier Enter the common name identifier for the LDAP server The common name identifier for most LDAP servers is cn However some servers use other common name identifiers such as uid Distinguished Name Enter the distinguished name used to look up entries on the LDAP server Enter the base distinguished name for the serv...

Страница 249: ...The FortiGate PPTP configuration Only users in the selected user group can use PPTP The FortiGate L2TP configuration Only users in the selected user group can use L2TP When you add user names RADIUS servers and LDAP servers to a user group the order in which they are added determines the order in which the FortiGate unit checks for authentication If user names are first then the FortiGate unit che...

Страница 250: ... RADIUS server to the Members list 6 To add an LDAP server to the user group select an LDAP server from the Available Users list and select the right arrow to add the LDAP server to the Members list 7 To remove users RADIUS servers or LDAP servers from the user group select a user RADIUS server or LDAP server from the Members list and select the left arrow to remove the name RADIUS server or LDAP ...

Страница 251: ...how to use CLI commands see the FortiGate CLI Reference Guide peer Use this command to add or edit the peer certificate information Command syntax pattern config user peer edit name_str set keyword variable config user peer edit name_str unset keyword config user peer delete name_str get user peer name_str show user peer name_str radius command keywords and variables Keywords and variables Descrip...

Страница 252: ... the configuration for the peer branch_office show user peer branch_office peergrp Use this command to add or edit a peer group Command syntax pattern config user peergrp edit name_str set keyword variable config user peergrp edit name_str unset keyword config user peergrp delete name_str get user peergrp name_str show user peergrp name_str radius command keywords and variables Keywords and variab...

Страница 253: ...alencia_branch Cardiff_branch end This example shows how to display the list of configured peer groups get user peergrp This example shows how to display the settings for the peergrp EU_branches get user peergrp EU_branches This example shows how to display the configuration for all the peers groups show user peergrp This example shows how to display the configuration for the peergrp EU_branches s...

Страница 254: ...254 01 28008 0013 20050204 Fortinet Inc CLI configuration User ...

Страница 255: ...e following protocols to authenticate and encrypt traffic Internet Protocol Security IPSec Point to Point Tunneling Protocol PPTP Layer Two Tunneling Protocol L2TP This chapter contains information about the following VPN topics Phase 1 Phase 2 Manual key Concentrator Ping Generator Monitor PPTP L2TP Certificates VPN configuration procedures CLI configuration ...

Страница 256: ...nal advanced phase 1 settings can be selected to ensure the smooth operation of phase 1 negotiations To configure phase 1 settings 1 Go to VPN IPSEC Phase 1 2 Follow the general guidelines in these sections Phase 1 list on page 256 Phase 1 basic settings on page 257 Phase 1 advanced settings on page 259 For information about how to choose the correct phase 1 settings for your particular situation ...

Страница 257: ...re dialup clients with dynamic IP addresses will be connecting to the FortiGate unit select Dialup User If a remote peer that has a domain name and subscribes to a dynamic DNS service will be connecting to the FortiGate unit select Dynamic DNS and type the domain name of the remote peer into the Dynamic DNS field IP Address If Static IP Address is selected type the IP address of the remote peer Dy...

Страница 258: ... be identical to the value in the Local ID field of the phase 1 remote gateway configuration on the remote peer To grant access to selected remote peers or clients based on a peer ID select Accept this peer ID and type the identifier This value must be identical to the value in the Local ID field of the phase 1 remote gateway configuration on the remote peer or client To grant access to dialup use...

Страница 259: ...ssage digests to check the authenticity of messages during phase 1 negotiations MD5 Message Digest 5 the hash algorithm developed by RSA Data Security SHA1 Secure Hash Algorithm 1 which produces a 160 bit message digest To specify a third combination use the add button beside the fields for the second combination DH Group Select one or more Diffie Hellman groups from DH group 1 2 and 5 When using ...

Страница 260: ...ver you must first create user groups to identify the remote peers and dialup clients that need access to the network behind the FortiGate unit You must also configure the FortiGate unit to forward authentication requests to an external RADIUS or LDAP authentication server For information about these topics see the Users and Authentication chapter of the FortiGate Administration Guide Select a Ser...

Страница 261: ...Timeout If the tunnel is processing VPN traffic the Timeout value specifies amount of time left before the next phase 2 key exchange When the phase 2 key expires a new key is generated without interrupting service Delete and Edit icons Delete or edit a phase 2 configuration Tunnel Name Type a name to identify the tunnel configuration Remote Gateway Select the phase 1 configuration to assign to thi...

Страница 262: ...t block algorithm that uses a 56 bit key 3DES Triple DES in which plain text is encrypted three times by three keys AES128 A 128 bit block algorithm that uses a 128 bit key AES192 A 128 bit block algorithm that uses a 192 bit key AES256 A 128 bit block algorithm that uses a 256 bit key You can select either of the following message digests to check the authenticity of messages during an encrypted ...

Страница 263: ...ning when the phase 2 key expires Seconds KBytes or Both If you select both the key expires when either the time has passed or the number of KB have been processed The range is from 120 to 172800 seconds or from 5120 to 2147483648 KB Autokey Keep Alive Enable the option if you want the tunnel to remain active when no data is being processed DHCP IPSec If the FortiGate unit will relay DHCP requests...

Страница 264: ...key options Caution If you are not familiar with the security policies SAs selectors and SA databases for your particular installation do not attempt the following procedure without qualified assistance Create New Select Create New to create a new manual key configuration Remote Gateway The IP address of the remote peer or client Encryption Algorithm The names of the encryption algorithms used in ...

Страница 265: ...algorithm that uses a 192 bit key AES256 A 128 bit block algorithm that uses a 256 bit key Encryption Key If you selected DES type a 16 character hexadecimal number 0 9 a f 3DES type a 48 character hexadecimal number 0 9 a f separated into three segments of 16 characters AES128 type a 32 character hexadecimal number 0 9 a f separated into two segments of 16 characters AES192 type a 48 character he...

Страница 266: ...oncentrator 2 Follow the guidelines in these sections Concentrator list on page 266 Concentrator options on page 267 Concentrator list Figure 134 IPSec VPN concentrator list Authentication Key If you selected MD5 type a 32 character hexadecimal number 0 9 a f separated into two segments of 16 characters SHA1 type 40 character hexadecimal number 0 9 a f separated into one segment of 16 characters a...

Страница 267: ...nds The source and destination IP addresses refer to the source and destination addresses of IP packets that are to be transported through the VPN tunnel When source and destination addresses of 0 0 0 0 are entered no ping traffic is generated between the source and destination To configure the ping generator 1 Go to VPN IPSEC Ping Generator 2 Select Enable 3 In the Source IP 1 field type the priv...

Страница 268: ...ure 136 Ping generator Monitor You can use the monitor to view activity on IPSec VPN tunnels and start or stop those tunnels The display provides a list of addresses proxy IDs and timeout information for all active tunnels To view active tunnels 1 Go to VPN IPSEC Monitor To interpret the display see the following sections Dialup monitor on page 269 Static IP and dynamic DNS monitor on page 269 Ena...

Страница 269: ...rt and stop individual tunnels from the list Flush dialup tunnels icon Stop all dialup tunnels and stop the traffic passing through all dialup tunnels Dialup users may have to reconnect to establish new VPN sessions Name The name of the tunnel Remote gateway The IP address and UDP port of the remote gateway Username The peer ID certificate name or XAuth user name of the dialup client if a peer ID ...

Страница 270: ...ess from a reserved range of IP addresses to the client PPTP interface The PPTP client uses the assigned IP address as its source address for the duration of the connection Name The name of the tunnel Remote gateway The IP address and UDP port of the remote gateway For dynamic DNS tunnels the IP address is updated dynamically Timeout The time before the next key exchange The time is calculated by ...

Страница 271: ...cifies the range of addresses reserved for remote clients When a remote client connects to the FortiGate unit the client is assigned an IP address from this range Afterward the FortiGate unit uses the assigned address to communicate with the remote client Figure 140 L2TP range Enable PPTP You must add a user group before you can select the option Starting IP Type the starting address in the range ...

Страница 272: ...rting CA certificates on page 275 For detailed information and step by step procedures related to obtaining and installing digital certificates see the FortiGate VPN Guide Local certificate list Figure 141 Certificate list Ending IP Type the ending address in the range of reserved IP addresses User Group Select the name of the L2TP user group that you defined Disable L2TP Select the option to disa...

Страница 273: ... to generate the request The generated request includes information such as the FortiGate unit s public static IP address domain name or email address To generate a certificate request 1 Go to VPN Certificates Local Certificates 2 Select Generate Figure 143 Generating a certificate signing request Delete icon Delete a certificate from the FortiGate configuration Download icon Select to save a copy...

Страница 274: ...h a dialup client use an email address For Host IP enter the public IP address of the FortiGate unit being certified For Domain name enter the fully qualified domain name of the FortiGate unit being certified Do not include the protocol specification http or any port number or path names For E mail enter the email address of the owner of the FortiGate unit being certified Typically email addresses...

Страница 275: ...cates CA Certificates 2 Select Import Figure 146 Importing a CA certificate 3 Browse to the location on the management PC where the certificate has been saved select the certificate and then select OK 4 Select OK Import Select to import a CA root certificate See Importing CA certificates on page 275 Name The names of existing CA root certificates The FortiGate unit assigns unique names CA_Cert_1 C...

Страница 276: ...re to be transported through the VPN tunnel and create the firewall encryption policy which defines the scope of permitted services between the IP source and destination addresses See Adding firewall policies for IPSec VPN tunnels on page 276 Adding firewall policies for IPSec VPN tunnels Firewall policies control all IP traffic passing between a source address and a destination address A firewall...

Страница 277: ...ation Guide 4 Select OK Interface Zone Source Select the local interface to the internal private network Destination Select the local interface to the external public network Address Name Source Select the name that corresponds to the local network server s or host s from which IP packets may originate Destination Select the name that corresponds to the remote network server s or host s to which I...

Страница 278: ...nit to an external PPTP server instead you must 1 Create a PPTP user group containing one user for each PPTP client See User on page 243 2 Enable PPTP on the FortiGate unit and specify the range of addresses that can be assigned to PPTP clients when they connect See PPTP range on page 270 3 Configure PPTP pass through on the FortiGate unit 4 Configure the PPTP clients To perform Steps 3 and 4 see ...

Страница 279: ...scription Default Availability dpd idlecleanup seconds_integer The DPD long idle setting when dpd is set to enable Set the time in seconds that a link must remain unused before the local VPN peer pro actively probes its state After this period of time expires the local peer will send a DPD probe to determine the status of the link even if there is no traffic between the local peer and the remote p...

Страница 280: ...worry 150 set dpd retrycount 5 set dpd retryinterval 30 end dpd retrycount retry_integer The DPD retry count when dpd is set to enable Set the number of times that the local VPN peer sends a DPD probe before it considers the link to be dead and tears down the security association SA The dpd retrycount range is 0 to 10 To avoid false negatives due to congestion or other transient failures set the r...

Страница 281: ...ify the IP addresses that can be accessed at the remote end of the VPN tunnel You must configure IPSec virtual IP VIP addresses at both ends of the IPSec VPN tunnel Adding an IPSec VIP entry to the VIP table enables a FortiGate unit to respond to ARP requests destined for remote servers and route traffic to the intended destinations automatically Each IPSec VIP entry is identified by an integer An...

Страница 282: ... VPN tunnel config vpn ipsec vip edit 1 set ip 192 168 12 1 set out interface external next edit 2 set ip 192 168 12 2 set out interface external end Note The interface to the destination network must be associated with a VPN tunnel through a firewall encryption policy action must be set to encrypt The policy determines which VPN tunnel will be selected to forward traffic to the destination When y...

Страница 283: ...entry in the FortiGate unit s virtual IP VIP table the FortiGate unit responds with its own MAC address and forwards traffic to the correct destination at the other end of the VPN tunnel afterward Consider the following example which shows two physically separate networks The IP addresses of the computers on both networks are in the 192 168 12 0 24 range but no two IP addresses are the same An IPS...

Страница 284: ...iGate units define the gateway tunnel on which to transmit VPN traffic to the remote location see Phase 1 on page 256 and Phase 2 on page 260 2 On both FortiGate units define the firewall encrypt policy that is needed to select and enable communication through the defined VPN gateway tunnel see Adding firewall policies for IPSec VPN tunnels on page 276 3 Using CLI commands to configure the local F...

Страница 285: ...ion Profile select edit or Create New and select IPS See Protection profile options on page 234 Protection profile configuration For information about adding protection profiles to firewall policies see To add a protection profile to a policy on page 239 IPS updates and information FortiProtect services are a valuable customer resource and include automatic updates of virus and IPS attack engines ...

Страница 286: ...ition to an extensive list of predefined attack signatures you can also create your own custom attack signatures for the FortiGate unit See Adding custom signatures on page 291 Predefined Predefined signatures are arranged into groups based on the type of attack By default all signature groups are enabled while some signatures within groups are not Check the default settings to ensure they meet th...

Страница 287: ...embers Action can be Pass Drop Reset Reset Client Reset Server Drop Session Clear Session or Pass Session See Table 27 Revision The revision number for individual signatures To show the signature group members click on the blue triangle Modify The Configure and Reset icons Reset only appears when the default settings have been modified Selecting Reset restores the default settings Table 27 Actions...

Страница 288: ... Used for TCP connections only If you set this action for non TCP connection based attacks the action will behave as Clear Session If the Reset Client action is triggered before the TCP connection is fully established it acts as Clear Session Reset Server The FortiGate unit drops the packet that triggered the signature sends a reset to the server and removes the session from the FortiGate session ...

Страница 289: ...ngs of a signature 1 Go to IPS Signature Predefined 2 Select the blue triangle next to a signature group name to display the members of that group 3 Select the Reset icon for the signature you want to restore to recommended settings The Reset icon is displayed only if the settings for the signature have been changed from recommended settings 4 Select OK Configuring parameters for dissector signatu...

Страница 290: ... number of seconds the session will not be maintained by tcp_reassembler min_ttl A packet with a higher ttl number in its IP header than the number specified here is not processed by tcp_reassembler port_list A comma separated list of ports The dissector can decode these TCP ports bad_flag_list A comma separated list of bad TCP flags reassembly_ direction Valid settings are from server from client...

Страница 291: ...page 126 Reset to recommended settings Reset all the custom signatures to the recommended settings Name The custom signature names Revision The revision number for each custom signature The revision number is a number you assign to the signature when you create or revise it Enable The status of each custom signature A white check mark in a green circle indicates the signature is enabled A white X ...

Страница 292: ...sessions targeting a single destination in one second is over a threshold the destination is experiencing flooding Scan If the number of sessions from a single source in one second is over a threshold the source is scanning Source session limit If the number of concurrent sessions from a single source is over a threshold the source session limit is reached Destination session limit If the number o...

Страница 293: ...Client Reset Server Drop Session Clear Session or Pass Session Modify The Edit and Reset icons If you have changed the settings for an anomaly you can use the Reset icon to change the settings back to the recommended settings Name The anomaly name Enable Select the Enable box to enable the anomaly or clear the Enable box to disable the anomaly Logging Select the Logging box to enable logging for t...

Страница 294: ... is fully established it acts as Clear Session Reset Client The FortiGate unit drops the packet that triggered the anomaly sends a reset to the client and removes the session from the FortiGate session table Used for TCP connections only If you set this action for non TCP connection based attacks the action will behave as Clear Session If the Reset Client action is triggered before the TCP connect...

Страница 295: ...imit edit name_str unset keyword end config limit delete name_str Example Use the following command to configure the limit for the tcp_src_session anomaly config ips anomaly tcp_src_session config limit edit subnet1 set ipaddress 1 1 1 0 255 255 255 0 set threshold 300 end end Note This guide only covers Command Line Interface CLI commands that are not represented in the web based manager For comp...

Страница 296: ...ng signatures for attacks that your system is not vulnerable to for example web attacks when you are not running a web server For more information on FortiGate logging and alert email see Log Report on page 351 Default fail open setting If for any reason the IPS should cease to function it will fail open by default This means that crucial network traffic will not be blocked and the Firewall will c...

Страница 297: ...tion Profile antivirus options Antivirus setting Virus Scan Antivirus Config Virus List Enable or disable virus scanning for each protocol HTTP FTP IMAP POP3 SMTP View a read only list of current viruses File Block Antivirus File Block Enable or disable file blocking for each protocol Configure file patterns to block enable or disable blocking for each protocol Quarantine Antivirus Quarantine Enab...

Страница 298: ...block Quarantine Config CLI configuration File block Configure file blocking to remove all files that are a potential threat and to prevent active computer virus attacks You can block files by name by extension or any other pattern giving you the flexibility to block potentially harmful content For standard operation you can choose to disable file blocking in the Protection Profile and enable it o...

Страница 299: ...e New Select Create New to add a new file pattern to the file block list Apply Select Apply to apply any changes to the file block configuration Pattern The current list of blocked file patterns You can create a pattern by using or wildcard characters Check All Select a check box beside a file pattern to enable blocking that pattern for all types of traffic Select a check box beside a service HTTP...

Страница 300: ... so they will automatically be uploaded to Fortinet for analysis This section describes Quarantined files list Quarantined files list options AutoSubmit list AutoSubmit list options Configuring the AutoSubmit list Config Quarantined files list The quarantined files list displays information about each file that is quarantined because of virus infection or file blocking You can sort the files by an...

Страница 301: ...55d2 oversize exe Date The date and time that the file was quarantined in the format dd mm yyyy hh mm This value indicates the time that the first file was quarantined if the duplicate count increases Service The service from which the file was quarantined HTTP FTP IMAP POP3 SMTP Status The reason the file was quarantined infected heuristics or blocked Status Description Specific information relat...

Страница 302: ...tions AutoSubmit list has the following icons and features Configuring the AutoSubmit list To add a file pattern to the AutoSubmit list 1 Go to Anti Virus Quarantine AutoSubmit 2 Select Create New Figure 161 Adding a file pattern 3 Enter the file pattern or file name you want to automatically upload to Fortinet for analysis 4 Select Enable 5 Select OK Create New Select Create New to add a new file...

Страница 303: ...mit The time limit in hours for which to keep files in quarantine The age limit is used to formulate the value in the TTL column of the quarantined files list When the limit is reached the TTL column displays EXP and the file is deleted although a record is maintained in the quarantined files list Entering an age limit of 0 zero means files are stored on disk indefinitely depending on low disk spa...

Страница 304: ...8 Figure 163 Virus list partial Config Oversize threshold configuration refers to the size limits you can apply to scan files and email in memory The maximum file size allowed in memory is usually 10 of the FortiGate RAM size For example a FortiGate unit with 256 MB of RAM could have a memory oversize threshold range of 1 to 25 MB The range for each FortiGate unit is displayed in the web based man...

Страница 305: ...without the user s consent or knowledge Grayware programs are generally considered an annoyance but these programs can cause system performance problems or be used for malicious means The FortiGate unit scans for known grayware executable programs in each category you enable The category list and contents are added or updated whenever your FortiGate unit receives a virus update package New categor...

Страница 306: ...d including passwords chat and instant messages Hijacker Select enable to block browser hijacking programs Browser hijacking occurs when a spyware type program changes web browser settings including favorites or bookmarks start pages and menu options Plugin Select enable to block browser plugins Browser plugins can often be harmless Internet browsing tools that are installed and operate directly f...

Страница 307: ...le Command syntax pattern config system global set keyword variable end config system global unset keyword end get system global show system global Example This example shows how to set av_failopen to use one shot and bypass the antivirus system when memory is low config system global set av_failopen one shot end Note This guide only covers Command Line Interface CLI commands that are not represen...

Страница 308: ...anning config system global set optimize antivirus end config antivirus heuristic The FortiGate heuristic antivirus engine performs tests on files to detect virus like behavior or known virus indicators Heuristic scanning is performed last after file blocking and virus scanning have found no matches In this way heuristic scanning may detect new viruses but may also produce some false positive resu...

Страница 309: ... settings Command syntax pattern config antivirus quarantine set keyword variable end config antivirus quarantine unset keyword end get antivirus quarantine show antivirus quarantine Table 29 antivirus heuristic command keywords and variables Keywords and variables Description Default Availability mode pass block disable Enter pass to enable heuristics but pass detected files to the recipient Susp...

Страница 310: ...istic scanning in traffic for the specified protocols No default FortiGate models numbered 200 and higher antivirus service http command keywords and variables Keywords and variables Description Default Availability memfilesizelimit MB_integer Set the maximum file size in megabytes that can be buffered to memory for virus scanning The maximum file size allowed is 10 of the FortiGate RAM size For e...

Страница 311: ...nable antivirus scanning on ports 70 80 and 443 for HTTP traffic config antivirus service http set memfilesizelimit 12 set uncompsizelimit 15 set port 70 set port 80 set port 443 end This example shows how to display the antivirus HTTP traffic settings get antivirus service http This example shows how to display the configuration for antivirus HTTP traffic show antivirus service http config antivi...

Страница 312: ...ion profile Note For email scanning the memfilesizelimit refers to the final size of the email after encoding by the email client including attachments Email clients may use a variety of encoding types and some encoding types translate into larger file sizes than the original attachment The most common encoding base64 translates 3 bytes of binary data into 4 bytes of base64 data So a file may be b...

Страница 313: ...compsizelimit 100 set port 20 21 end This example shows how to display the antivirus FTP traffic settings get antivirus service ftp This example shows how to display the configuration for antivirus FTP traffic show antivirus service ftp config antivirus service pop3 Use this command to configure how the FortiGate unit handles antivirus scanning of large files in POP3 traffic and what ports the For...

Страница 314: ...ed to memory for virus scanning The maximum file size allowed is 10 of the FortiGate RAM size For example a FortiGate unit with 256 MB of RAM could have a threshold range of 1 MB to 25 MB Note For email scanning the memfilesizelimit refers to the final size of the email after encoding by the email client including attachments Email clients may use a variety of encoding types and some encoding type...

Страница 315: ...mple a FortiGate unit with 256 MB of RAM could have a threshold range of 1 MB to 25 MB Note For email scanning the memfilesizelimit refers to the final size of the email after encoding by the email client including attachments Email clients may use a variety of encoding types and some encoding types translate into larger file sizes than the original attachment The most common encoding base64 trans...

Страница 316: ... to display the antivirus IMAP traffic settings get antivirus service imap This example shows how to display the configuration for antivirus IMAP traffic show antivirus service imap config antivirus service smtp Use this command to configure how the FortiGate unit handles antivirus scanning of large files in SMTP traffic what ports the FortiGate unit scans for SMTP and how the FortiGate unit handl...

Страница 317: ...n be buffered to memory for virus scanning The maximum file size allowed is 10 of the FortiGate RAM size For example a FortiGate unit with 256 MB of RAM could have a threshold range of 1 MB to 25 MB Note For email scanning the memfilesizelimit refers to the final size of the email after encoding by the email client including attachments Email clients may use a variety of encoding types and some en...

Страница 318: ...318 01 28008 0013 20050204 Fortinet Inc CLI configuration Antivirus ...

Страница 319: ...le or disable web page filtering for HTTP traffic based on the URL block list Add URLs and URL patterns to block web pages from specific sources Web Exempt List Web Filter URL Exempt Enable or disable web page filtering for HTTP traffic based on the URL exempt list Exempt URLs are not scanned for viruses Add URLs to exempt them from web and virus filtering Web Script Filter Web Filter Script Filte...

Страница 320: ...sks The FortiGate unit performs web filtering in the order the filters appear in the web based manager menu content block URL block URL exempt category block FortiGuard and script filter This chapter describes Content block URL block URL exempt Category block Script filter Category Action FortiGuard web filtering service provides many categories by which to filter web traffic You can set the actio...

Страница 321: ... following icons and features Note Perl regular expression patterns are case sensitive for Web Filter content block To make a word or phrase case insensitive use the regular expression i For example bad language i blocks all instances of bad language regardless of case Wildcard patterns are not case sensitive Note Enable Web filtering Web Content Block in your firewall Protection Profile to activa...

Страница 322: ...et the pattern type if required 5 Select the language character set 6 Select Enable 7 Select OK URL block You can block access to specific URLs by adding them to the URL block list You can also add patterns using text and regular expressions or wildcard characters to block URLs The FortiGate unit blocks web pages matching any specified URLs or patterns and displays a replacement message instead Ba...

Страница 323: ...ts in a text file and upload them to the FortiGate unit by selecting the Upload URL block list icon URLs in a text file must be separated by hard returns to upload correctly Figure 168 Sample Web URL block list Web URL block options Web URL block has the following icons and features Note URL blocking does not block access to other services that users can access with a web browser For example URL b...

Страница 324: ...ist For example adding badsite com blocks access to www badsite com mail badsite com www finance badsite com and so on 5 Select Enable 6 Select OK Web pattern block list In addition to blocking specific or partial URLs you can block all URLs that match patterns you create using text and regular expressions or wildcard characters For example badsite matches badsite com badsite org badsite net and s...

Страница 325: ...lock 3 Select Create New Figure 171 Adding a new pattern 4 Enter a pattern to add to the web pattern block list 5 Select Enable 6 Select OK URL exempt This section describes URL exempt list URL exempt list options Configuring URL exempt Create New Select Create New to add a new pattern to the web pattern block list Pattern The current list of blocked patterns Select the check box to enable all the...

Страница 326: ...RL to the URL exempt list 1 Go to Web Filter URL Exempt 2 Select Create New Figure 173 Adding a new exempt URL 3 Enter the URL to add to the URL exempt list 4 Select Enable 5 Select OK Note Enable Web filtering Web Exempt List in your firewall Protection Profile to activate the URL exempt settings Create New Select Create New to add a URL to the URL exempt list total The number of URLs in the URL ...

Страница 327: ...ies may be added to or updated as the Internet evolves Users can also choose to allow block or monitor entire groups of categories to make configuration simpler Blocked pages are replaced with a message indicating that the page is not accessible according to the Internet usage policy FortiGuard ratings are performed by a combination of proprietary methods including text analysis exploitation of th...

Страница 328: ...ice to start configuring and using FortiGuard Figure 174 Category block configuration You can configure the following options to enable and help maintain FortiGuard web filtering Enable Service FortiGuard Select to enable FortiGuard web filtering Status Select Check Status to test the connection to the FortiGuard server Status should change from a flashing red yellow indicator to a solid green ind...

Страница 329: ...tegory blocking and configure categories for any firewall protection profile you create See Configuring web category filtering options on page 236 and FortiGuard categories on page 371 Once you select Apply the FortiGuard license type and expiration date appears on the configuration screen Web Filter Category Block Category block reports You can generate a text and pie chart format report on web f...

Страница 330: ...r descriptions of all webfilter catblock keywords Profile Select the profile for which you want to generate a report Report Type Select the time frame for which you want to generate the report Choose from hour day or all historical statistics Report Range Select the time range 24 hour clock or day range from six days ago to today for which you want the report For example if you select report type ...

Страница 331: ...webfilter catblock This example shows how to display the configuration for the catblock settings show webfilter catblock If the show command returns you to the prompt the settings are at default Script filter You can configure the FortiGate unit to filter certain web scripts You can filter Java applets cookies and ActiveX controls from web pages Figure 176 Script filtering options catblock command...

Страница 332: ...ome web pages from functioning and displaying correctly Note Enable Web filtering Web Script Filter in your firewall Protection Profile to activate the script filter settings Javascript Select Javascript to block all Javascript based pages or applications Cookies Select Cookies to block web sites from placing cookies on individual computers ActiveX Select ActiveX to block all ActiveX applications ...

Страница 333: ...SBL server that provides spam IP address and URL blacklists Fortinet keeps the FortiShield IP and URLs up to date as new spam source are found Enable FortiShield check the status of the FortiShield server view the license type and expiry date and configure the cache IP address BWL check Spam Filter IP Address Black white list check Enable or disable checking incoming IP addresses against the confi...

Страница 334: ...ders against the configured spam filter MIME header list Add to and edit MIME headers to the list with the option of using wildcards and regular expressions You can configure the action to take as spam or clear for each MIME header Banned word check Spam Filter Banned Word Enable or disable checking source email against the configured spam filter banned word list Add to and edit banned words to th...

Страница 335: ... on page 114 The order of spam filter operations may vary between SMTP and IMAP or POP3 traffic because some filters only apply to SMTP traffic IP address and HELO DNS lookup Also filters that require a query to a server and a reply FortiShield and DNSBL ORDBL are run simultaneously To avoid delays queries are sent while other filters are running The first reply to trigger a spam action will take ...

Страница 336: ... tagged or dropped according to the configuration in the firewall protection profile Both FortiShield antispam processes are completely automated and configured by Fortinet With constant monitoring and dynamic updates FortiShield is always current You can enable or disable FortiShield in a firewall protection profile See Configuring spam filtering options on page 237 FortiShield Service Points For...

Страница 337: ...eld for any firewall protection profile you create See Configuring spam filtering options on page 237 Once you select Apply the FortiShield license type and expiration date appears on the configuration screen Spam Filter FortiShield Enable Service Select to enable the FortiShield service Status Select Check Status to test the connection to the FortiShield server Status should change from a flashin...

Страница 338: ...ishield Example This example shows how to change the FortiShield Service Point name config spamfilter fortishield set hostname shield example net end This example shows how to display the FortiShield settings get spamfilter fortishield This example shows how to display the configuration for the FortiShield settings show spamfilter fortishield If the show command returns you to the prompt the setti...

Страница 339: ...ic IP addresses You can mark each IP address as clear spam or reject You can filter single IP addresses or a range of addresses at the network level by configuring an address and mask Figure 178 Sample IP address list IP address options IP address list has the following icons and features Configuring the IP address list To add an IP address to the IP address list 1 Go to Spam Filter IP Address 2 S...

Страница 340: ...some spammers use to send unsolicited bulk email There are also several free and subscription servers available that provide reliable access to continually updated DNSBLs and ORDBLs Check with the service you are using to confirm the correct domain name for connecting to the server The FortiGate unit communicates with DNSBL servers using UDP through port 53 The FortiGate unit compares the IP addre...

Страница 341: ...ure 181 Adding an DNSBL or ORDBL server 3 Enter the domain name of the DNSBL or ORDBL server you want to add 4 Select the action to take on email matched by the server 5 Select Enable 6 Select OK Create New Select Create New to add a server to the DNSBL ORDBL list Total The number of items in the list The Page up Page down and Remove all entries icons DNSBL Server The current list of servers Selec...

Страница 342: ...n such as sample net You can mark each email address as clear or spam Figure 182 Sample email address list Email address options Email address list has the following icons and features Configuring the email address list To add an email address or domain to the list 1 Go to Spam Filter E mail Address 2 Select Create New Create New Select Create New to add an email address to the email address list ...

Страница 343: ...Type text html Content_Type image jpg The first part of the MIME header is called the header key or just header The second part is called the value Spammers will often insert comments into header values or leave them blank These malformed headers can fool some spam and virus filters You can use the MIME headers list to mark email from certain bulk mail programs or with certain types of content tha...

Страница 344: ...to add a MIME header to the MIME headers list Total The number of items in the list The Page up Page down and Remove all entries icons Header The list of MIME headers keys Value The list of MIME header values for each key Pattern Type The pattern type used in the MIME header list entry Choose from wildcard or regular expression See Using Perl regular expressions on page 347 Action The action to ta...

Страница 345: ... The FortiGate unit searches for banned words in email messages If a match is found the corresponding protection profile action is taken If no match is found the email is passed to the recipient You can use Perl regular expressions or wildcards to add banned word patterns to the list See Using Perl regular expressions on page 347 This section describes Banned word list Banned word options Configur...

Страница 346: ... icons and features When you select Create New or Edit you can configure the following settings for the banned word Create new Select Create New to add a word or phrase to the banned word list Total The number of items in the list The Page up Page down and Remove all entries icons Pattern The list of banned words Select the check box to enable all the banned words in the list Pattern Type The patt...

Страница 347: ...ns See http www perldoc com perl5 8 0 pod perlre html for detailed information about using Perl regular expressions Pattern Enter the word or phrase you want to include in the banned word list Pattern Type Select the pattern type for the banned word Choose from wildcard or regular expression See Using Perl regular expressions on page 347 Language Select the character set for the banned word Choose...

Страница 348: ...pression test not only matches the word test but also matches any word that contains the test such as atest mytest testimony atestb The notation b specifies the word boundary To match exactly the word test the expression should be btest b Case sensitivity Regular expression pattern matching is case sensitive in the Web and Spam filters To make a word or phrase case insensitive use the regular expr...

Страница 349: ...less of case w a word a nonempty sequence of alphanumeric characters and low lines underscores such as foo and 12bar8 and foo_1 100 s mk the strings 100 and mk optionally separated by any amount of white space spaces tabs newlines abc b abc when followed by a word boundary e g in abc but not in abcd perl B perl when not followed by a word boundary e g in perlert but not in perl stuff x tells the r...

Страница 350: ...350 01 28008 0013 20050204 Fortinet Inc Using Perl regular expressions Spam filter ...

Страница 351: ...everity level and log format Log filters define the types of log messages saved to each location You can configure the FortiGate unit to send alert email to up to three recipients when selected events occur It is not necessary for an event to be logged to trigger an alert email The FortiGate unit will collect and send log messages in alert emails according to the level and time intervals you confi...

Страница 352: ...139 log_id 0101023002 type event subtype ipsec pri notice loc_ip 172 16 81 2 loc_port 500 rem_ip 172 16 81 1 rem_port 500 out_if dmz vpn_tunnel ToDmz action negotiate init local mode stage 112 dir inbound status success msg Initiator tunnel 172 16 81 1 transform ESP_3DES HMAC_SHA1 Message meets Alert condition 2004 04 27 13 28 54 device_id APS3012803033139 log_id 0101023004 type event subtype ipse...

Страница 353: ...gins to overwrite the oldest messages All log entries are deleted when the FortiGate unit restarts Syslog A remote computer running a syslog server WebTrends A remote computer running a NetIQ WebTrends firewall reporting server FortiGate log formats comply with WebTrends Enhanced Log Format WELF and are compatible with NetIQ WebTrends Security Reporting Center 2 0 and Firewall Suite 4 1 IP The IP ...

Страница 354: ... that corresponds to the specified Roll Log Frequency minute hour or day Roll log day The day of the week when the log should be saved and a new log started At midnight on the specified day the current log file is saved and a new active log file is started Roll log policy The policy to follow for saving the current log and starting a new active log Overwritten deletes the oldest log entry when the...

Страница 355: ...erity level you select For example if you select Error the unit logs Error Critical Alert and Emergency level messages See Table 33 Logging severity levels on page 354 Name IP The domain name or IP address of the syslog server that stores the logs Port The port number for communication with the syslog server Level The FortiGate unit logs all messages at and above the logging severity level you sel...

Страница 356: ... to enable SMTP authentication SMTP Server The name address of the SMTP server for email SMTP User The SMTP user name Password The SMTP password Email To Enter one to three email recipients for alert email Test Select Test to send a test alert email to the configured recipients Level The FortiGate unit sends alert email for all messages at and above the logging severity level you select Emergency ...

Страница 357: ... each logging location you enable you can create a customized log filter based on the log types described in the following sections Notification The interval to wait before sending an alert e mail for notification level log messages Information The interval to wait before sending an alert e mail for information level log messages Apply Select Apply to activate any additions or changes to configura...

Страница 358: ...such as when a configuration has changed or a routing gateway has been added You can apply the following filters Policy allowed traffic The FortiGate unit logs all traffic that is allowed according to the firewall policy settings Policy violation traffic The FortiGate unit logs all traffic that violates the firewall policy settings Note You can enable traffic logging for specific interfaces or fir...

Страница 359: ...r authentication Pattern update event The FortiGate unit logs all pattern update events such as antivirus and IPS pattern updates and update failures Virus infected The FortiGate unit logs all virus infections Filename blocked The FortiGate unit logs all instances of blocked files File oversized The FortiGate unit logs all instances of oversized files Content block The FortiGate unit logs all inst...

Страница 360: ... 5 Repeat steps 1 through 4 for each interface for which you want to enable logging 6 Make sure you enable traffic logs for a logging location and set the logging severity level to Notification or lower To enable traffic logging for a firewall policy You can enable traffic logging for a firewall policy All connections accepted by the firewall policy are recorded in the traffic log 1 Go to Firewall...

Страница 361: ... FortiGate disk The following table describes the column headings and the icons you can use to view and manage the log files when accessing logs saved to the disk To access log files on the FortiGate disk 1 Go to Log Report Log Access 2 Select the log type you wish to access Note FortiGate units do not save some types of logs to memory You can view these log messages with Log Access only if your F...

Страница 362: ... the log file to your computer To view and search log messages on the FortiGate disk 1 Go to Log Report Log Access 2 Select the log type you wish to access 3 Select Disk from the Type list 4 Select the View icon for the disk file you want to display For detailed information about searching logs see Searching log messages on page 365 Viewing log messages You can view and navigate log messages saved...

Страница 363: ... change the displayed columns or see the raw log messages go to the previous or next log page or search the log by selecting the corresponding icon Choosing columns You can customize your log messages display using the Column Settings window The column settings apply only when the formatted not raw display is selected Go to next page icon View to the next page in the log file View per page Select ...

Страница 364: ...nd select the left arrow button 4 To change the position of a column select the field in the Show these fields list and then select Move Up or Move Down as necessary 5 Select OK Available fields The fields that you can add to the log message display Right arrow button Select to move selected fields from Available fields list to Show these fields list Left arrow button Select to move selected field...

Страница 365: ...ord To perform an advanced search 1 Display the log messages you want to search For more information see Viewing log messages on page 362 2 Select Advanced Search The Log Search window is displayed Figure 195 Search for log messages 3 If you want to search for log messages in a particular date range select the From and To dates 4 Select one of the following options 5 In the Keywords field type the...

Страница 366: ...iption Default Availability encrypt enable disable Enter enable to enable encrypted communication with the FortiLog unit disable All models localid str_id Enter the local ID for an IPSec VPN tunnel to a FortiLog unit You can create an IPSec VPN tunnel if one or more FortiGate units are sending log messages to a FortiLog unit across the Internet Using an IPSec VPN tunnel means that all log messages...

Страница 367: ... to the prompt the settings are at default syslogd setting Use this command to configure log settings for logging to a remote syslog server You can configure the FortiGate unit to send logs to a remote computer running a syslog server Command syntax pattern config log syslogd setting set keyword variable config log syslogd setting unset keyword get log syslogd setting show log syslogd setting Note...

Страница 368: ...og server that stores the logs No default All models status disable enable Enter enable to enable logging to a remote syslog server disable All models Table 34 Facility types Facility type Description alert alert messages audit audit messages auth security authorization messages authpriv security authorization messages private clock clock daemon cron cron daemon performing scheduled commands daemo...

Страница 369: ...he facility type to user config log syslogd setting set status enable set server 220 210 200 190 set port 601 set facility user end This example shows how to display the log setting for logging to a remote syslog server get log syslogd setting This example shows how to display the configuration for logging to a remote syslog server show log syslogd setting If the show command returns you to the pr...

Страница 370: ...370 01 28008 0013 20050204 Fortinet Inc CLI configuration Log Report ...

Страница 371: ...buse and sites that provide information about or promote the cultivation preparation or use of marijuana 2 Cult or Occult Sites that provide information about or promote religions not specified in Traditional Religions or other unconventional cultic or folkloric beliefs and practices Sites that promote or offer methods means of instruction or other resources to affect or influence real events thro...

Страница 372: ...ty with no pornographic intent 9 Advocacy Groups Sites that promote change or reform in public policy public opinion social practice economic activities and relationships 10 Alcohol and Tobacco Sites that provide information about promote or support the sale of alcoholic beverages or tobacco products or associated paraphernalia 11 Gambling Sites that provide information about or promote gambling o...

Страница 373: ...s discussion groups message boards and list servers includes blogs and mail magazines Digital post cards Sites for sending viewing digital post cards 22 Pay to Surf Sites that pay users to view Web sites advertisements or email 23 Web based Email Sites that host Web based email Potentially Bandwidth Consuming 24 File Sharing and Storage Peer to Peer File Sharing Sites that provide client software ...

Страница 374: ...information about or cater to gay lesbian or bisexual lifestyles including those that support online shopping but excluding those that are sexually or issue oriented 33 Health Sites that provide information or advice on personal health or medical services procedures or devices but not drugs Includes self help groups 34 Job Search Sites that offer information about or support the seeking of employm...

Страница 375: ...tions devoted to professional advancement or workers interests Service and Philanthropic Organizations Sites sponsored by or that support or offer information about organizations devoted to doing good as their primary activity Social and Affiliation Organizations Sites sponsored by or that support or offer information about organizations devoted chiefly to socializing or common interests other tha...

Страница 376: ...lated business firms including sites supporting the sale of hardware software peripherals and services 53 Military Organizations Military Sites sponsored by branches or agencies of the armed services Others 54 Dynamic Content Dynamic Content URLs that are generated dynamically by a Web server 55 Miscellaneous Content Delivery Networks Commercial hosts that deliver content to subscribing Web sites ...

Страница 377: ...hed firewall connections and all IPSec VPN sessions are maintained by the other FortiGate units in the HA cluster DHCP Dynamic Host Configuration Protocol An Internet protocol that assigns IP addresses to network clients usually when the client connects to the Internet Diffie Hellman An algorithm for establishing a shared secret key over an insecure medium See Diffie Hellman group Diffie Hellman g...

Страница 378: ...g properly heartbeat device An ethernet network interface in a cluster that is used by the FGCP for heartbeat communications among cluster units heartbeat failover If an interface functioning as a heartbeat device fails the heartbeat is transferred to another interface also configured as an HA heartbeat device high availability The ability that a cluster has to maintain a connection when there is ...

Страница 379: ...nd point an IP address or port number of a connection MAC address Media Access Control address A layer 2 hardware address that uniquely identifies a network node main mode A way to hide the identities of VPN peers from passive eavesdroppers during IPSec phase 1 negotiations See also aggressive mode MB Megabyte A unit of storage 1 048 576 bytes MIB Management Information Base A database of objects ...

Страница 380: ... cluster The FortiGate firmware uses the term master to refer to the primary cluster unit protocol A standard format for transmitting data The protocol determines the type of error checking to be used the data compression method if any how the sending device indicates that it has finished sending a message and how the receiving device indicates that it has received a message RADIUS Remote Authenti...

Страница 381: ...rack of cluster connections keep their configurations and routing tables synchronized with the primary unit and process network traffic assigned to them by the primary unit In an active passive cluster subordinate units do not process network traffic However active passive subordinate units track cluster connections and keep their configurations and routing tables synchronized with the primary uni...

Страница 382: ...382 01 28008 0013 20050204 Fortinet Inc Glossary ...

Страница 383: ...irewall 209 firewall address group 212 firewall address options 210 list 210 See also firewall address 209 address group 212 adding 213 create new 212 deleting 213 editing 213 list 212 options 212 address name firewall address 210 firewall policy 202 Address Name Policy 277 administrator account netmask 122 trusted host 122 advanced firewall policy 204 advertise 182 196 adware grayware category 30...

Страница 384: ...ver 132 ANY service 214 AOL service 215 append to protection profile 238 append with protection profile 238 archive content meta information protection profile 238 area 189 attack updates scheduling 131 through a proxy server 132 authentication 178 184 191 enabling 249 firewall policy 205 timeout 89 Authentication Algorithm 264 Authentication Algorithm Manual Key 265 Authentication Key Manual Key ...

Страница 385: ...fig distribute list 186 config interface 190 config limit 295 config neighbor 187 config network 189 config offset list 196 config redistribute 195 configuration backup 126 FortiGuard 328 reset to factory default 140 restore 126 configure antivirus heuristic antivirus 308 configuring manual key IPSec VPN 264 connecting a FortiGate HA cluster 100 conserve mode antivirus 307 contact information SNMP...

Страница 386: ...180 disable firewall policy 208 Disk logging settings 354 disk space quarantine 303 display content meta information on the system dashboard protection profile 238 dissector signature IPS 289 distance 176 DNS service 215 DNSBL adding a server to the DNSBL and ORDBL list 341 Spam filter 340 DNSBL list Spam filter 341 DNSBL options Spam filter 341 DNSBL server Spam filter DNSBL and ORDBL 341 downloa...

Страница 387: ...27 external service port virtual IP 227 F facility 368 fail open 296 failopen antivirus 307 failover HA 90 monitoring cluster units 104 FDN FortiProtect Distribution Network 128 FDS FortiProtect Distribution Server 128 FGCP HA 91 file block adding a filename or pattern to the list 300 antivirus 298 default list of patterns 299 pattern 299 protection profile 234 file block list antivirus 299 config...

Страница 388: ...in the policy list 208 comments 207 configuring 207 create new 201 deleting 207 deny action 203 dest 201 destination address name 202 destination interface zone 202 differentiated services 206 DiffServ 206 disabling 208 dynamic IP pool NAT option 204 editing 207 enable 201 enabling 208 encrypt action 203 fixed port NAT option 204 guaranteed bandwidth 206 207 ID 201 inbound NAT 203 insert policy be...

Страница 389: ...IP pool 231 fixed port NAT option firewall policy 204 flooding anomaly type 292 FortiGate Clustering Protocol HA 91 FortiGuard 327 cache 328 categories 327 371 changing the host name 330 CLI configuration 330 configuration 328 configuration options 328 configuring 329 enable service 328 generating a report 330 licensing 328 ratings 327 report allowed 330 report blocked 330 report category 330 repo...

Страница 390: ...ation 98 configure weighted round robin weights 101 configuring and HA cluster 98 connect a FortiGate HA cluster 100 default heartbeat device configuration 97 device failover 91 DHCP 92 failover 90 FGCP 91 group ID 94 HA monitor 103 heartbeat device IP addresses 97 heartbeat failover 91 hub schedule 95 introduction 18 IP schedule 96 IP Port schedule 96 L2TP 92 least connection schedule 95 link fai...

Страница 391: ...ule 95 I ICMP 216 ICMP custom service 218 adding 219 code 218 protocol type 218 type 218 ICMP_ANY service 216 ID firewall policy 201 idle timeout web based manager 89 IKE service 215 IMAP memfilesizelimit 315 service 215 uncompsizelimit 315 inbound NAT firewall policy 203 INFO_ADDRESS service 216 INFO_REQUEST service 216 insert policy before firewall policy 201 Interface IP pool 231 interface 173 ...

Страница 392: ...38 IPS See also intrusion prevention system 285 IPS signature protection profile 238 ipsec vip 281 IPSec VPN authentication for user group 249 Internet browsing 263 monitor 268 ping generator 267 remote gateway 249 IPv6 78 IRC service 215 J Javascript 332 joke grayware category 306 K Keepalive Frequency 260 Key Size 274 Key Type 274 Keylife 260 263 keylog grayware category 306 L L2TP 249 configuri...

Страница 393: ...MIME headers list Spam filter 344 MIME headers options Spam filter 344 misc grayware category 306 Mode 256 257 mode HA 91 93 Transparent 16 monitor HA 103 HA cluster members 103 IPSec VPN 268 monitor priorities HA 98 move to firewall policy 201 mtu 192 MTU size 61 mtu ignore 193 N name IP pool 231 NAT encrypt policy 203 firewall policy 203 inbound 203 introduction 16 outbound 203 push update 134 N...

Страница 394: ...1 Proposal Phase 1 259 P2 Proposal Phase 2 262 P2P grayware category 306 pass predefined signature action 287 pass fragmented emails protection profile 235 pass sessiondrop predefined signature action 288 passive interface 176 password HA 95 pattern 325 added to the web pattern block list 325 adding to the file block list 300 default list of file block patterns 299 file block 299 Spam filter banne...

Страница 395: ...203 protection profile 204 reverse reply DSCP value 207 schedule 201 203 service 201 203 source 201 source address name 202 source interface zone 202 traffic priority 206 traffic shaping 206 VPN tunnel 203 policy routing 155 poll interval 188 pool IP pool 229 POP3 memfilesizelimit 314 service 216 uncompsizelimit 314 port 311 312 314 315 317 368 port forward dynamic 225 port forwarding virtual IP 2...

Страница 396: ...profile 233 URL FortiShield check 237 virus scan 234 web default protection profile 233 web category options 236 web content block 235 web exempt list 235 web filtering options 235 web resume download block 235 web script filter 235 web URL block 235 protection profile configuration web filter 320 protocol 186 service 214 system status 40 virtual IP 227 protocol number 219 protocol type 218 219 pr...

Страница 397: ...330 reporting 20 reset predefined signature action 287 reset client predefined signature action 288 reset server predefined signature action 288 restarting 128 restore custom IPS signature 291 restore configuration 126 retransmit interval 185 193 return email DNS check protection profile 237 reverse reply DSCP value firewall policy 207 reverting firmware to an older version 45 RFC 2474 206 2475 20...

Страница 398: ...E 217 WAIS 217 WINFRAME 217 X WINDOWS 217 service ftp 311 service group 220 adding 221 create new 220 deleting 221 editing 221 list 220 options 220 service imap 315 service point FortiGuard 327 service points FortiShield 336 service pop3 313 service port virtual IP 226 service smtp 316 Service Policy 277 set time 88 shortcut 179 signature adding custom IPS signatures 291 custom IPS signatures 290 ...

Страница 399: ...schedule 224 start IP IP pool 230 static IP monitor 268 269 static NAT virtual IP 225 adding 227 Status 261 status 173 194 195 268 366 368 FortiShield 337 HA cluster members 103 interface 56 76 quarantine files list 301 status description quarantine files list 301 stop one time schedule 222 recurring schedule 224 store_heuristic 310 Strict default protection profile 233 stub type 179 Subject Infor...

Страница 400: ...ster members 103 update push 133 updates virus list 298 upgrade firmware 41 upgrading firmware using the CLI 42 44 firmware using the web based manager 41 43 upload status quarantine files list 301 Uploading a local certificate 274 URL block add a URL to the web filter block list 324 web filter 322 URL exempt configuring 326 list 326 options 326 web filter 325 URL FortiShield check protection prof...

Страница 401: ...ering introduction 15 web exempt list protection profile 235 web filter 319 add a URL to the web URL block list 324 category block 327 configuring the web content block list 322 configuring the web URL block list 324 content block 321 order of operations 320 protection profile configuration 320 script filter 331 URL block 322 URL exempt 325 326 URL exempt options 326 web content block list 321 web...

Страница 402: ...402 01 28008 0013 20050204 Fortinet Inc Index ...

Отзывы:

Нет отзывов

Похожие инструкции для FortiGate FortiGate-5020

Tiger Technology Tiger Box 4U24 Assembly Manual preview
Tiger Box 4U24
Бренд: Tiger Technology Страницы: 23
OSS EB3450 User Manual preview
EB3450
Бренд: OSS Страницы: 92
Sony RB1G Service Manual preview
RB1G
Бренд: Sony Страницы: 479
3Com CoreBuilder 9000 Command Reference Manual preview
CoreBuilder 9000
Бренд: 3Com Страницы: 784
InWin Cobra IW-RS212-07 User Manual preview
Cobra IW-RS212-07
Бренд: InWin Страницы: 29
StorCase Technology InfoStation User Manual preview
InfoStation
Бренд: StorCase Technology Страницы: 49
Artesyn Embedded Technology Centellis 2000 Series Installation And Use Manual preview
Centellis 2000 Series
Бренд: Artesyn Embedded Technology Страницы: 60
ZyXEL Communications IES-5000 Series Specifications preview
IES-5000 Series
Бренд: ZyXEL Communications Страницы: 4

Бренды по названию

Популярные бренды

Загрузить еще бренды