manualshive.com logo in svg

Fortinet Gate 60D, Руководство администратора

"Fortinet Gate 60D" - это надежное решение для безопасности сети. Административное руководство доступно для скачивания бесплатно на manualshive.com. Откройте мануал, чтобы получить подробную информацию о настройке и управлении продуктом. Легкая загрузка и пользовательский интерфейс делают процесс управления безопасностью удобным и эффективным.

Поделиться
Скачать
background image

WAN optimization and web caching 

SSL offloading for WAN optimization and web caching

FortiGate Version 4.0 Administration Guide
01-400-89802-20090424

625

http://docs.fortinet.com/

 • 

Feedback

A number of SSL offloading configurations are possible. This section includes two.

Example configuration: SSL offloading for a WAN optimization tunnel

In this example, clients on a client network use https://192.168.10.20 to browse to a web 
server. A WAN optimization rule with 

Auto-Detect

 set to 

Off

 on the client side FortiGate 

unit accepts sessions from the clients with source addresses on the 172.20.120.0 network 
and with a destination address of 192.168.10.0 and with a destination port of 443. In this 
rule 

Enable secure tunnel

 is selected so that the tunnel is encrypted.

The server side FortiGate unit includes an SSL server configuration with 

ip

 set to 

192.168.10.20 and 

port

 to 443. The server side FortiGate unit also includes the web 

server CA.

Figure 421: SSL offloading WAN optimization configuration

When the client side FortiGate unit accepts an HTTPS connection for 192.168.10.20 the 
SSL server configuration provides the information that the client side FortiGate unit needs 
to decrypt the traffic and send it in clear text across a WAN optimization tunnel to the 
server side FortiGate unit. The server side FortiGate unit then forwards the clear text 
packets to the web server.

The web server CA is not downloaded from the server side to the client side FortiGate 
unit. Instead the client side FortiGate unit proxies the SSL parameters from the client side 
to the server side which returns an SSL key and other required information to the client 
side FortiGate unit so that the client FortiGate unit can decrypt and encrypt HTTPS traffic.

To configure the client side FortiGate unit

1

Go to 

WAN Opt. & Cache > Peer

 and enter a 

Local Host ID

 for the server side 

FortiGate unit.

Note: 

In this peer-to-peer configuration you do not need to add a WAN optimization rule to 

the server side FortiGate unit as long as the server side FortiGate unit includes the Peer 
Host ID of the client FortiGate unit in its peer list. However, you could set 

Auto-Detect

 to 

Active

 on the client side FortiGate and add then a passive rule to the server side FortiGate 

unit.

Note: 

In this example the secure tunnel and the authentication group configurations are not 

required, but are added to protect the privacy of the WAN optimization tunnel. Instead of 
the secure tunnel configuration, you could configure a route-based IPSec VPN between the 
FortiGate units and use IPSec to protect the privacy of the WAN optimization tunnel.

Client Network

172.20.120.0

WAN

Encrypted

Traffic

Decrypted

Traffic

Decrypted

Traffic

Protected by the 

Encrypted tunnel

Web Server

(port 80)

IP:192.168.10.20

Server side

SSL server and Web server CA

Local Host ID:Web_servers

Client side

Rule: autodetect: off

Local Host ID:User_net

3

1

2

3

1

2

3

1

2

IP address

172.20.120.1

IP address

192.168.10.1

Содержание Gate 60D

Страница 1: ...FortiGate Version 4 0 Administration Guide Visit http support fortinet com to register your FortiGate product By registering you can receive product updates technical support and FortiGuard services...

Страница 2: ...rtinet Inc Trademarks Dynamic Threat Prevention System DTPS APSecure FortiASIC FortiBIOS FortiBridge FortiClient FortiGate FortiGate Unified Threat Management System FortiGuard FortiGuard Antispam For...

Страница 3: ...s new in FortiOS 4 0 27 FortiOS 4 0 FortiGate models and features supported 28 UTM features grouped under new UTM menu 29 Data Leak Prevention 29 Application Control 29 SSL content scanning and inspec...

Страница 4: ...e over HTTPS 39 Adding non standard ports for firewall authentication 39 Dynamically assigning VPN client IP addresses from a RADIUS record 40 DHCP over route based IPSec VPNs 40 SNMP upgraded to v3 0...

Страница 5: ...ion 80 Viewing operational history 81 Manually updating FortiGuard definitions 82 Viewing Statistics 83 Viewing the session list 83 Viewing Content Archive information on the Statistics widget 84 View...

Страница 6: ...15 Changing the management VDOM 116 Configuring global and VDOM resource limits 116 VDOM resource limits 117 Global resource limits 118 System Network 119 Interfaces 119 Switch Mode 122 Interface sett...

Страница 7: ...Transparent mode virtual domains and VLANs 156 Troubleshooting ARP Issues 157 System Wireless 159 FortiWiFi wireless interfaces 159 Channel assignments 160 IEEE 802 11a channel numbers 160 IEEE 802 11...

Страница 8: ...199 Alert Mail replacement messages 199 Spam replacement messages 200 Administration replacement message 200 Authentication replacement messages 201 FortiGuard Web Filtering replacement messages 202 I...

Страница 9: ...es 250 CRL 251 Importing a certificate revocation list 251 System Maintenance 253 About the Maintenance menu 253 Backing up and restoring 254 Basic backup and restore options 255 Upgrading and downgra...

Страница 10: ...RIP 289 Viewing and editing basic RIP settings 290 Selecting advanced RIP options 292 Configuring a RIP enabled interface 293 OSPF 294 Defining an OSPF AS Overview 295 Configuring basic OSPF settings...

Страница 11: ...firewall policies 331 Endpoint Compliance Check options 336 DoS policies 337 Viewing the DoS policy list 337 Configuring DoS policies 338 Firewall policy examples 339 Scenario one SOHO sized business...

Страница 12: ...tual IPs 378 Adding a virtual IP with port translation only 379 Virtual IP Groups 380 Viewing the VIP group list 380 Configuring VIP groups 380 IP pools 381 IP pools and dynamic NAT 382 IP Pools for f...

Страница 13: ...Guaranteed bandwidth and maximum bandwidth 423 Traffic priority 424 Traffic shaping considerations 424 Configuring traffic shaping 425 SIP support 427 VoIP and SIP 427 The FortiGate unit and VoIP sec...

Страница 14: ...on 456 Signatures 456 Viewing the predefined signature list 457 Using display filters 458 Custom signatures 459 Viewing the custom signature list 459 Creating custom signatures 459 Protocol decoders 4...

Страница 15: ...onfiguring FortiGuard Web Filtering 488 Viewing the override list 488 Configuring administrative override rules 489 Creating local categories 491 Viewing the local ratings list 491 Configuring local r...

Страница 16: ...ist 520 Adding and configuring DLP compound rules 520 Application Control 523 What is application control 523 FortiGuard application control database 523 Viewing the application control lists 524 Crea...

Страница 17: ...Tool widget 563 Tunnel Mode widget 564 User 567 Getting started User authentication 567 Local user accounts 568 Configuring Local user accounts 568 Remote 571 RADIUS 571 Configuring a RADIUS server 5...

Страница 18: ...Gate models that support WAN optimization 604 Configuring WAN optimization 605 How list order affects rule matching 606 Moving a rule to a different position in the rule list 607 Configuring a WAN opt...

Страница 19: ...installer download 642 Viewing and configuring the software detection list 643 Monitoring endpoints 644 Log Report 647 FortiGate logging 647 FortiGuard Analysis and Management Service 648 FortiGuard A...

Страница 20: ...4 Viewing log information 664 Customizing the display of log messages 665 Column settings 666 Filtering log messages 667 Content Archive 667 Content archiving and data leak prevention 668 Configuring...

Страница 21: ...ed networking features such as high availability active active active passive for maximum network uptime and virtual domain capabilities to separate various networks requiring different security polic...

Страница 22: ...sts and describes some of the new features and changes in FortiOS Version 4 0 Web based manager introduces the features of the FortiGate web based manager and explains how to connect to it It also inc...

Страница 23: ...tions and traffic between FortiGate interfaces zones and VLAN subinterfaces Firewall Address describes how to configure addresses and address groups for firewall policies Firewall Service describes av...

Страница 24: ...eb based manager Document conventions Fortinet technical documentation uses the conventions described below IP addresses To avoid publication of public IP addresses that belong to Fortinet or any othe...

Страница 25: ...t takes to resolve your technical support ticket by providing your configuration file a network diagram and other specific information For a list of required information see the Fortinet Knowledge Cen...

Страница 26: ...h as technical notes In addition to the Fortinet Technical Documentation web site you can find Fortinet technical documentation on the Fortinet Tools and Documentation CD and on the Fortinet Knowledge...

Страница 27: ...rs Adding IPS sensors to a DoS policy from the CLI One arm IDS sniffer mode IPS interface policies for IPv6 IPS Packet Logging Enhanced Antispam Engine ASE WCCP v2 support Any interface for firewall p...

Страница 28: ...e information in this section is subject to change Table 2 New FortiOS 4 0 feature support Feature FortiGate Models WAN optimization 51B 111C 310B 620B 3016B 3600A 3810A 5001A SW SSL Content Scanning...

Страница 29: ...rtiGate unit to detect and take action against network traffic depending on the application generating the traffic Based on FortiGate Intrusion Protection protocol decoders application control is a mo...

Страница 30: ...ins a hard disk drive these files are cached to more efficiently serve downloads to multiple end points Go to Endpoint Control FortiClient to see the software and antivirus signature versions that the...

Страница 31: ...ks can be detected and blocked before the firewall sees the packets So system resources are not affected by denial of service attacks All attacking traffic can be filtered out before being accepted by...

Страница 32: ...se processing the packets To configure one arm IDS you enable sniffer mode on a FortiGate interface and connect that interface to a hub or to the SPAN port of a switch that is processing network traff...

Страница 33: ...Network to add new antispam techniques without requiring a FortiOS firmware update You can also update the ASE manually using the following CLI command execute restore ase ftp sftp filename server use...

Страница 34: ...rtiGate interface IP address to the cache servers If all cache servers connect to the same FortiGate interface interface_ipv4 can be 0 0 0 0 and the FortiGate unit uses the IP address of that interfac...

Страница 35: ...es organized by source and destination interfaces In FortiOS 4 0 this is called Section View You can also switch to Global View to list all firewall policies in order according to a sequence number Th...

Страница 36: ...from other VIPs To configure load balance VIPs go to Firewall Load Balance In previous releases of FortiOS you created VIP mappings between one or more real servers and an external IP address In Fort...

Страница 37: ...ttings have been added to protection profiles and familiar configuration settings in protection profiles have been reorganized For a complete description of FortiOS 4 0 protection profiles see Configu...

Страница 38: ...rd determines the length of the hold down period during which the software watchdog monitors critical software processes before concluding they have stabilized Rogue Wireless Access Point detection Fo...

Страница 39: ...l authentication By default when a communication session is accepted by an identity based firewall policy the user must authenticate with the firewall by using the FTP HTTP HTTPS or Telnet protocol to...

Страница 40: ...s In previous releases of FortiOS you could use DHCP to assign IP addresses to dialup clients on policy based IPSec VPNs only In FortiOS 4 0 DHCP is also available to dialup clients on route based IPS...

Страница 41: ...ogs provide more information about the FortiGate unit operation including event log for VPN tunnel up down IPSec SSL PPTP VPNs including authenticated user name local and remote IP addresses event log...

Страница 42: ...Web filtering HTTP POST traffic blocking or comforting HTTP post traffic What s new in FortiOS 4 0 FortiGate Version 4 0 Administration Guide 42 01 400 89802 20090424 http docs fortinet com Feedback...

Страница 43: ...running a web browser you can connect to the FortiGate web based manager to configure and manage the FortiGate unit The recommended minimum screen resolution for the management computer is 1280 by 102...

Страница 44: ...Selecting Online Help on the button bar displays help for the current web based manager page You can use the FortiGate command line interface CLI to configure the same FortiGate settings that you can...

Страница 45: ...ears The credentials entered are encrypted before they are sent to the FortiGate unit If you choose to accept the certificate permanently the warning is not displayed again Just before the FortiGate l...

Страница 46: ...hinese Changing administrative access to your FortiGate unit Through administrative access an administrator can connect to the FortiGate unit to view and change configuration settings The default conf...

Страница 47: ...However you can use the following steps to change this idle timeout To change the web based manager idle timeout 1 Go to System Admin Settings 2 Change the Idle Timeout minutes as required 3 Select Ap...

Страница 48: ...eceive product updates technical support and FortiGuard services To register a Fortinet product go to Product Registration and follow the instructions Backing up your FortiGate configuration The Backu...

Страница 49: ...ation settings apply only to a FortiGate unit operating with virtual domains enabled If you are not operating your FortiGate unit with virtual domains enabled you can ignore the VDOM and Global icons...

Страница 50: ...cannot use the Bookmark icon to add an entry to your favorites list if you are viewing online help from Internet Explorer running on a management PC with Windows XP and service pack 2 installed When y...

Страница 51: ...press the Enter key on your keyboard or select Go The search results pane lists the names of all the online help pages that contain all the words that you entered Select a name from the list to displ...

Страница 52: ...w a different tab select the tab The procedures in this manual direct you to a page by specifying the menu item the submenu item and the tab for example 1 Go to System Network Interface Figure 10 Part...

Страница 53: ...n added to a user group you must first remove the user from the user group see Figure 11 Figure 11 A web based manager list read write access If you log in as an administrator with an admin profile th...

Страница 54: ...d filters to a web based manager list by selecting any filter icon to display the Edit Filters window From the Edit Filters window you can select any column name to filter and configure the filter for...

Страница 55: ...To view the session list go to System Status In the Statistics section beside Sessions select Details Figure 14 A session list with a numeric filter set to display sessions with source IP address in t...

Страница 56: ...columns that can contain only specific items for example a log message severity or a pre defined signature action you can select a single item from a list In this case you can only filter on a single...

Страница 57: ...page 315 intrusion protection predefined signatures list see Viewing the predefined signature list on page 457 web filtering lists see Web Filter on page 475 antispam lists see Antispam on page 495 Fi...

Страница 58: ...oints on page 644 Log and report log access lists see Accessing Logs on page 662 To change column settings on a list that supports it select Column Settings From Available fields select the column hea...

Страница 59: ...o provide even more control of the information displayed by the list For example you can go to Intrusion Protection Signature Predefined and configure the Intrusion Protection predefined signatures li...

Страница 60: ...erface is up and the interface accepts traffic Change Password Change the administrator password This icon appears in the Administrators list if your admin profile enables you to give write permission...

Страница 61: ...ignificant for example firewall policies IPS Sensors and DoS Sensors Last page View the last page of a list Move to Change the position of an item in a list Used in lists when the order of items in th...

Страница 62: ...Web based manager icons Web based manager FortiGate Version 4 0 Administration Guide 62 01 400 89802 20090424 http docs fortinet com Feedback...

Страница 63: ...ng status of the FortiGate unit FortiGate administrators whose admin profiles permit write access to system configuration can change or update FortiGate unit information For more information on admin...

Страница 64: ...ets not currently shown on the System Status page Any widgets currently on the System Status page will be greyed out in the Add Content menu as you can only have one of each display on the System Stat...

Страница 65: ...iGate unit s internal clock Select Change to change the time or configure the FortiGate unit to get the time from an NTP server For more information see Configuring system time on page 78 HA Status Th...

Страница 66: ...current firmware installed on the FortiGate unit The format for the firmware version is Select Update to change the firmware For more information see Upgrading to a new firmware version on page 80 For...

Страница 67: ...ack definitions To update the definitions manually select Update For more information see Manually updating FortiGuard definitions on page 82 Web Filtering The FortiGuard Web Filtering license license...

Страница 68: ...f the interface If you select Reboot or ShutDown a pop up window opens allowing you to enter the reason for the system event You can only have one management and one logging analyzing method displayed...

Страница 69: ...indicates there is OFTP communication Select the FortiAnalyzer graphic to configure remote logging tot he FortiAnalyzer unit on your FortiGate unit See Logging to a FortiAnalyzer unit on page 650 Fort...

Страница 70: ...ore information see Viewing operational history on page 81 CPU Usage The current CPU status displayed as a dial gauge and as a percentage The web based manager displays CPU usage for core processes on...

Страница 71: ...ed in the statistics widget is derived from log messages that can be saved to a FortiAnalyzer unit saved locally or backed up to an external source such as a syslog server You can use this data to see...

Страница 72: ...time when the counts were last reset Counts are reset when the FortiGate unit reboots or when you select Reset Reset Reset the Content Archive and Attack Log statistic counts to zero Sessions The num...

Страница 73: ...o the statistics widget You can configure a protection profile to collect statistics for HTTP HTTPS FTP IMAP POP3 and SMTP traffic If your FortiGate unit supports SSL content scanning and inspection a...

Страница 74: ...t performance For this reason when this display is not shown on the dashboard it is not collecting data and not impacting system performance When the display is shown information is only stored in mem...

Страница 75: ...ssion protocol such as tcp or udp source address and port destination address and port the ID of the policy if any that applies to the session how long until the session expires which virtual domain t...

Страница 76: ...d with this source IP address if available In the table display format this will be a separate column Display UserName is available only when the sort criteria is Source Address Resolve Host Name Sele...

Страница 77: ...ver the last hour day and month This feature can help you locate peaks in traffic that you need to address as well as their frequency duration and other information Only one interface at a time can be...

Страница 78: ...rtiGate 800 unit Administrators whose admin profiles permit system configuration write access can change the FortiGate unit host name System Time The current FortiGate system date and time Refresh Upd...

Страница 79: ...ding a local hard disk a local USB disk or the FortiGuard Network For more information about using the USB disk and the FortiGuard Network see System Maintenance on page 253 Figure 39 Firmware Upgrade...

Страница 80: ...Firmware Version line 5 Type the path and filename of the firmware image file or select Browse and locate the file 6 Select OK The FortiGate unit uploads the firmware image file upgrades to the new fi...

Страница 81: ...process takes a few minutes 7 Log into the web based manager 8 Go to System Status and check the Firmware Version to confirm that the firmware is successfully installed 9 Restore your configuration F...

Страница 82: ...or AS Rule Set field of the FortiGuard Subscriptions select Update 4 Select Browse and locate the update file or type the path and filename 5 Select OK to copy the update file to the FortiGate unit T...

Страница 83: ...sion list First Page Select to go to the first displayed page of current sessions Previous Page Select to go to the page of sessions immediately before the current page Page Enter the page number of t...

Страница 84: ...s 2 In the Content Archive section select Details for HTTP Viewing Email content information 1 Go to System Status 2 In the Content Archive section select Details for Email Policy ID The number of the...

Страница 85: ...out sessions matched by DLP rules You can select the Details link beside each attack type to view more information You can select Reset on the header of the Statistics section to clear the content arc...

Страница 86: ...Date and Time The time that the attack was detected From The source of the attack To The target host of the attack Service The service type Attack The type of attack that was detected and prevented D...

Страница 87: ...g area The viewport control at the bottom right of the topology page represents the entire drawing area The darker rectangle represents the viewport Drag the viewport rectangle within the viewport con...

Страница 88: ...e firewall address that you select and is connected by a line to the interface associated with that address See Adding a subnet object on page 89 Insert Text Select this control and then click on the...

Страница 89: ...in firewall policies Connect to interface Select the interface or zone to associate with this address If the field already displays a name changing the setting changes the interface or zone associated...

Страница 90: ...u selected an image as Background resize the diagram to fit within the image Background One of Solid A solid color selected in Background Color U S Map A map of the United States World Map A map of th...

Страница 91: ...w the release notes for the patch release Download the patch release Back up the current configuration Install the patch release using the procedure Testing firmware before upgrading on page 94 Test t...

Страница 92: ...ortiGuard Analysis and Management Service If you want to encrypt your configuration file to save VPN certificates select the Encrypt configuration file check box enter a password and then enter it aga...

Страница 93: ...ftp_username ftp_passwd encrypt_passwd Backing up your configuration to a USB key If your FortiGate unit has a USB port you can back up your current configuration to a USB key When backing up a confi...

Страница 94: ...eady downloaded the firmware image to your management computer To test the firmware image before upgrading 1 Copy the new firmware image file to the root directory of the TFTP server 2 Start the TFTP...

Страница 95: ...ce Backup and Restore This option enables you to have two firmware images such as FortiOS 3 0 MR7 and FortiOS 4 0 available for downgrading or upgrading If the upgrade was not successful go to Reverti...

Страница 96: ...mware image to your management computer To upgrade to FortiOS 4 0 through the CLI 1 Copy the new firmware image file to the root directory of the TFTP server 2 Start the TFTP server 3 Log in to the CL...

Страница 97: ...sed manager instead log in to the web based manager and go to System Maintenance FortiGuard Verifying the upgrade After logging back in to the web based manager most of your FortiOS 3 0 MR7 configurat...

Страница 98: ...settings VDOM parameters settings admin user account session helpers system accprofiles If you created additional settings in FortiOS 4 0 make sure to back up the current configuration before downgra...

Страница 99: ...following procedure assumes that you have already downloaded the firmware image to your management computer To downgrade through the CLI 1 Copy the new firmware image file to the root directory of the...

Страница 100: ...t to continue y n 7 Type y The FortiGate unit reverts to the old firmware version resets the configuration to factory defaults and restarts This process takes a few minutes After the FortiGate unit up...

Страница 101: ...ration from either a Local PC FortiManager or FortiGuard if your FortiGate unit is configured for FortiGuard Analysis and Management Service 4 If required enter your password for the configuration fil...

Страница 102: ...tings For example if the backed up configuration file is confall and the IP address of the TFTP server is 192 168 1 168 and the password is ghrffdt123 execute restore allconfig confall 192 168 1 168 g...

Страница 103: ...tration Continued security maintenance Savings in physical space and power Easier administration VDOMs provide separate security domains that allow separate zones user authentication firewall policies...

Страница 104: ...e NAT Route or Transparent can be selected independently for each VDOM For a complete list of shared configuration settings see Global configuration settings on page 107 Savings in physical space and...

Страница 105: ...nitor on page 167 Wireless Rogue AP Rogue AP detection on page 168 DHCP service Configuring DHCP services on page 172 DHCP Address Leases Viewing address leases on page 175 Config Operation mode NAT R...

Страница 106: ...tory Service on page 579 PKI PKI on page 581 User Group User Group on page 583 Options Settings on page 228 Monitor Monitoring administrators on page 229 Log Report Logging configuration FortiGate log...

Страница 107: ...a new firmware version on page 80 System Status page or Managing firmware versions on page 91 Network Interfaces and VLAN subinterfaces Interfaces on page 119 and VLAN overview on page 150 You config...

Страница 108: ...page 168 Config HA HA on page 177 Config SNMP SNMP on page 185 Config Replacement messages Replacement messages on page 194 Admin Administrators Administrators on page 209 You can add global administ...

Страница 109: ...for incoming and outgoing traffic Availability of the associated tasks depends on the permissions of the admin If your are using a super_admin profile account you can perform all tasks If you are usin...

Страница 110: ...VDOMs you must first create them When using multiple VDOMs it can be useful to assign fewer resources to some VDOMs and more resources to others This VDOM resource management will result in better Fo...

Страница 111: ...haracters This name cannot be changed 6 Optionally enter a comment for the VDOM up to a maximum of 63 characters 7 Select OK Working with VDOMs and global settings When you log in as admin and virtual...

Страница 112: ...ent VDOM It cannot be deleted or changed to disabled it is always active Name The name of the VDOM Operation Mode The VDOM operation mode either NAT or Transparent When a VDOM is in Transparent mode S...

Страница 113: ...with all virtual interfaces the speed of the link depends on the CPU load but generally it is faster than physical interfaces There are no MTU settings for inter VDOM links DHCP support includes inte...

Страница 114: ...tmask for this interface 9 Select the administrative access method or methods Keep in mind that PING TELNET and HTTP are less secure methods 10 Optionally enter a description for this interface 11 Rep...

Страница 115: ...its own resources you need to create an administrator account for that VDOM A VDOM admin can change configuration settings within that VDOM but cannot make changes that affect other VDOMs on the Forti...

Страница 116: ...agement VDOM To change the management VDOM 1 Go to System VDOM 2 From the list of VDOMs select the VDOM to be the new management VDOM This list is located to the immediate left of the Apply button 3 S...

Страница 117: ...esource limits 1 Go to System VDOM 2 Select Create New enter a name and then select OK or select the Edit icon of an existing VDOM 3 Modify the values described in the table below as required 4 Select...

Страница 118: ...view or set global resource limits go to System VDOM Global Resources Select the Edit icon to change any settings Figure 51 Configuring global resource limits Resource Description of the resource Conf...

Страница 119: ...nfiguring zones Configuring the modem interface Configuring Networking Options Web Proxy Routing table Transparent Mode VLAN overview VLANs in NAT Route mode VLANs in Transparent mode Interfaces In NA...

Страница 120: ...and interface mode Switch mode combines the internal interfaces into one switch with one address Interface mode gives each internal interface its own address Before switching modes all configuration...

Страница 121: ...n configuration is enabled you can view information only for the interfaces that are in your current virtual domain unless you are using the super admin account If VDOMs are enabled you will be able t...

Страница 122: ...OMs Pair one two interfaces that are joined together such as 2 VDOM links Virtual Domain The virtual domain to which the interface belongs This column is visible only to the super admin and only when...

Страница 123: ...ecting the Create New arrow enables you to create Inter VDOM links For more information on Inter VDOM links see Inter VDOM links on page 113 Some types of interfaces such as loopback interfaces can on...

Страница 124: ...Interfaces System Network FortiGate Version 4 0 Administration Guide 124 01 400 89802 20090424 http docs fortinet com Feedback Figure 56 Create New Interface settings Figure 57 Edit Interface settings...

Страница 125: ...s by adding up to three wireless interfaces for a total of four wireless interfaces Other models support creation of VLAN interfaces only and have no Type field You cannot change the type of an existi...

Страница 126: ...ce for PPPoE on page 131 IP Netmask Enter the IP address subnet mask in the IP Netmask field The IP address must be on the same subnet as the network to which the interface connects Two interfaces can...

Страница 127: ...ot have a DHCP server or relay configured on it it does not have any VLAN subinterfaces it is not referenced in any firewall policy VIP IP Pool or multicast policy it is not an HA heartbeat interface...

Страница 128: ...he aggregate interface and move it to the Selected Interfaces list 6 If this interface operates in NAT Route mode you need to configure addressing for it For information about dynamic addressing see C...

Страница 129: ...rface it has no defined IP address and is not configured for DHCP or PPPoE it has no DHCP server or relay configured on it it does not have any VLAN subinterfaces it is not referenced in any firewall...

Страница 130: ...By default low end models are configured to DHCP addressing mode with Override Internal DNS and Retrieve default Gateway from DHCP server both enabled These settings allow for easy out of the box con...

Страница 131: ...e Enter the administrative distance for the default gateway retrieved from the DHCP server The administrative distance an integer from 1 255 specifies the relative priority of a route when there are m...

Страница 132: ...P address for the interface If your ISP has assigned you a block of IP addresses use one of them Otherwise this IP address can be the same as the IP address of another interface or can be any IP addre...

Страница 133: ...d remote endpoints of the IPSec interface so that you can run dynamic routing over the interface or use ping to test the tunnel enable administrative access through the IPSec interface enter a descrip...

Страница 134: ...command to configure a loopback interface called loop1 with an IP address of 10 0 0 10 is config system interface edit loop1 set type loopback set ip 10 0 0 10 255 255 255 0 end For more information...

Страница 135: ...s are HTTPS and SSH You can allow remote administration of the FortiGate unit running in NAT Route mode but allowing remote administration from the Internet could compromise the security of the FortiG...

Страница 136: ...n VLAN configurations see the VLAN and VDOM guide To change the MTU size of the packets leaving an interface 1 Go to System Network Interface 2 Choose a physical interface and select Edit 3 Below Admi...

Страница 137: ...manager through this secondary IP PING Allow secondary IP to respond to pings Use this setting to verify your installation and for testing HTTP Allow HTTP connections to the web based manager through...

Страница 138: ...2 Select Create New or select the Edit icon for a zone 3 Select name and interfaces 4 Select OK Access The administrative access methods for this address They can be different from the primary IP add...

Страница 139: ...modem through a USB to serial converter For these models you must configure modem operation using the CLI Initially modem interfaces are disabled and must be enabled in the CLI to be visible in the we...

Страница 140: ...When enabled a user can dial into the unit s modem and perform administration actions as if logged in over one of the standard interfaces This feature is enabled in the CLI using config system dialins...

Страница 141: ...are routed to the modem interface The modem disconnects after the idle timeout period if there is no network activity You cannot select Dial on demand if Auto dial is selected Idle timeout Standalone...

Страница 142: ...ct the name of the interface in the modem configuration and configure a ping server for that interface You must also configure firewall policies for connections between the modem interface and other F...

Страница 143: ...to configure static routes to route traffic to the modem interface For example if the modem interface is acting as the FortiGate unit external interface you must set the device setting of the FortiGat...

Страница 144: ...tion in Dialup Accounts 4 Select Apply 5 Select Dial Now The FortiGate unit dials into each dialup account in turn until the modem connects to an ISP To disconnect from a dialup account 1 Go to System...

Страница 145: ...ptions include DNS server and dead gateway detection settings To configure network options 1 Go to System Network Options 2 Enter primary and secondary DNS servers 3 Enter local domain name 4 Enter De...

Страница 146: ...erver for that interface To add a ping server to an interface 1 Go to System Network Interface 2 Choose an interface and select Edit 3 Set Ping Server to the IP address of the next hop router on the n...

Страница 147: ...610 To enable explicit web proxy on an interface go to System Network Interface select the interface and enable explicit web proxy If VDOMs are enabled only interfaces that belong to the current VDOM...

Страница 148: ...Enable to include the Client IP Header from the original HTTP request Via Header Enable to include the Via Header from the original HTTP request X forwarded for Header Enable to include the X Forward...

Страница 149: ...routing table is located at System Network Routing Table Adding a static route in Transparent Mode 1 Ensure your FortiGate unit is in Transparent mode For more details see Changing operation mode on...

Страница 150: ...n connect with other devices in VLAN 1 but cannot connect with devices in other VLANs The communication among devices on a VLAN is independent of the physical network A VLAN segregates devices by addi...

Страница 151: ...re network and IPSec VPN traffic between security domains The FortiGate unit can also apply policies protection profiles and other firewall features for network and VPN traffic that is allowed to pass...

Страница 152: ...is the same as the relationship between any two FortiGate network interfaces Rules for VLAN IP addresses IP addresses of all FortiGate interfaces cannot overlap That is the IP addresses of all interfa...

Страница 153: ...Enter a Name to identify the VLAN subinterface 4 Select the physical interface that receives the VLAN packets intended for this VLAN subinterface 5 Enter the VLAN ID that matches the VLAN ID of the pa...

Страница 154: ...the internal interface and another VLAN subinterface to the external interface If these VLAN subinterfaces have the same VLAN IDs the FortiGate unit applies firewall policies to the traffic on this V...

Страница 155: ...virus scanning web content filtering and other services to each VLAN Figure 78 FortiGate unit in Transparent mode VLAN1 VLAN2 VLAN3 Internal External VLAN Switch or router VLAN Switch or router VLAN...

Страница 156: ...g virtual domains on page 103 Adding a VLAN subinterface in Transparent mode To add a VLAN subinterface 1 Go to System Network Interface 2 Select Create New 3 Enter a Name to identify the VLAN subinte...

Страница 157: ...nk the packets originated from two different device which is generally an attempt to hack into the network This is true especially in Transparent mode where ARP packets arriving on one interface are s...

Страница 158: ...VLANs in Transparent mode System Network FortiGate Version 4 0 Administration Guide 158 01 400 89802 20090424 http docs fortinet com Feedback...

Страница 159: ...rent security settings For details on adding wireless interfaces see Adding a wireless interface on page 163 You can configure the FortiWiFi unit to Provide an access point that clients with wireless...

Страница 160: ...EEE 802 11a wireless standard 802 11a is only available on FortiWiFi 60B units All channels are restricted to indoor usage except in the Americas where both indoor and outdoor use is permitted on chan...

Страница 161: ...4 Ghz Band channel numbers Channel number Frequency MHz Regulatory Areas Americas EMEA Israel Japan 1 2412 2 2417 3 2422 4 2427 5 2432 6 2437 7 2442 8 2447 9 2452 10 2457 11 2462 12 2467 13 2472 14 24...

Страница 162: ...ode you can add up to three virtual wireless interfaces All wireless interfaces use the same wireless parameters That is you configure the wireless settings once and all wireless interfaces use those...

Страница 163: ...a channel for your wireless network or select Auto The channels that you can select depend on the Geography setting See Channel assignments on page 160 for channel information Tx Power Set the transm...

Страница 164: ...et as a manual address Enter a valid IP address and netmask If the FortiWiFi is running in Transparent mode this field does not appear The interface will be on the same subnet as the other interfaces...

Страница 165: ...ect a data encryption method You must also enter a pre shared key containing at least 8 characters or select a RADIUS server If you select a RADIUS server the wireless clients must have accounts on th...

Страница 166: ...ds go to System Wireless MAC Filter Managing the MAC Filter list The MAC Filter list enables you to view the MAC addresses you have added to a wireless interface and their status either allow or deny...

Страница 167: ...ng the wireless network MAC Address Enter the MAC address to add to the list Add Add the entered MAC address to the list Remove Select one or more MAC addresses in the list and select Remove to delete...

Страница 168: ...t until you mark them as either Accepted or Rogue access points This designation helps you to track access points It does not affect anyone s ability to use these access points Rx KBytes The amount of...

Страница 169: ...k indicates an active access point A grey X indicates that the access point is inactive SSID The wireless service set identifier SSID or network name for the wireless interface MAC Address The MAC add...

Страница 170: ...Rogue AP detection System Wireless FortiGate Version 4 0 Administration Guide 170 01 400 89802 20090424 http docs fortinet com Feedback...

Страница 171: ...a relay for connections of the same type regular or IPSec You can configure one or more DHCP servers on any FortiGate interface A DHCP server dynamically assigns IP addresses to hosts on the network...

Страница 172: ...the DHCP server settings to match Figure 89 DHCP service list FortiGate 200A shown IP Range 192 168 1 110 to 192 168 1 210 Netmask 255 255 255 0 Default gateway 192 168 1 99 Lease time 7 days DNS Ser...

Страница 173: ...figure a DHCP server 1 Go to System DHCP Service 2 Select blue arrow for the interface 3 Select the Add DHCP Server icon to create a new DHCP server or select the Edit icon beside an existing DHCP ser...

Страница 174: ...DHCP clients Domain Enter the domain that the DHCP server assigns to DHCP clients Lease Time Select Unlimited for an unlimited lease time or enter the interval in days hours and minutes after which a...

Страница 175: ...3 DNS servers that the DHCP server assigns to DHCP clients WINS Server 1 WINS Server 2 Add the IP addresses of one or two WINS servers that the DHCP server assigns to DHCP clients Option 1 Option 2 O...

Страница 176: ...Viewing address leases System DHCP FortiGate Version 4 0 Administration Guide 176 01 400 89802 20090424 http docs fortinet com Feedback...

Страница 177: ...n of HA web based manager configuration options the HA cluster members list HA statistics and disconnecting cluster members If you enable virtual domains VDOMs on the FortiGate unit HA is configured g...

Страница 178: ...Note FortiGate HA is not compatible with PPP protocols such as PPPoE FortiGate HA is also not compatible with DHCP If one or more FortiGate unit interfaces is dynamically configured using DHCP or PPPo...

Страница 179: ...nit can have two device priorities one for each virtual cluster During HA negotiation the unit with the highest device priority in a virtual cluster becomes the primary unit for that virtual cluster C...

Страница 180: ...erface of another cluster unit that still has a connection to the network This other cluster unit becomes the new primary unit Port monitoring also called interface monitoring is disabled by default L...

Страница 181: ...ach virtual cluster To display the virtual cluster members list for an operating cluster log in as the global admin administrator and go to System Config HA Figure 96 Example FortiGate 5001SX virtual...

Страница 182: ...ster units Priority The device priority of the cluster unit Each cluster unit can have a different device priority During HA negotiation the unit with the highest device priority becomes the primary u...

Страница 183: ...conds since the cluster unit was last started Monitor Displays system status information for each cluster unit CPU Usage The current CPU status of each cluster unit The web based manager displays CPU...

Страница 184: ...onnect a cluster unit from a functioning cluster without disrupting the operation of the cluster Figure 99 Disconnect a cluster member Peer View and optionally change the subordinate unit host name Pr...

Страница 185: ...prietary Fortinet and FortiGate Management Information Base MIB files A MIB is a text file that describes a list of SNMP data objects that are used by the SNMP manager These MIBs provide the informati...

Страница 186: ...sses of up to 8 SNMP managers to each community SNMP Agent Enable the FortiGate SNMP agent Description Enter descriptive information about the FortiGate unit The description can be up to 35 characters...

Страница 187: ...http docs fortinet com Feedback Figure 101 SNMP community options part 1 Figure 102 SNMP community options part 2 Note When the FortiGate unit is in virtual domain mode SNMP traps can only be sent on...

Страница 188: ...Interface Optionally select the name of the interface that this SNMP manager uses to connect to the FortiGate unit You only have to select the interface if the SNMP manager is not on the same subnet...

Страница 189: ...indicates if it is found in the Fortinet MIB or the FortiGate MIB The Trap Message column includes the message included with the trap as well as the SNMP MIB field name to help locate the information...

Страница 190: ...r supply failure detected Not available on all models Available on some devices which support redundant power supplies Interface IP change fnTrapIpChange The IP address for an interface has changed Th...

Страница 191: ...s been blocked fgAvTrapVirName The virus name that triggered the event Table 19 FortiGate HA traps Trap message Description HA switch fgTrapHaSwitch The specified cluster member has transitioned from...

Страница 192: ...ember Serial Serial number of an HA cluster member fgHaStatsTable Statistics for the individual FortiGate unit in the HA cluster fgHaStatsIndex The index number of the unit in the cluster fgHaStatsSer...

Страница 193: ...ess of the active IP session fgIpSessFromPort The source port of the active IP session UDP and TCP only fgIpSessToAddr The destination IPv4 address of the active IP session fgIpSessToPort The destinat...

Страница 194: ...gateway used by the tunnel fgVpnTunEntRemGwyPort The port of the remote gateway used by the tunnel if it is UDP fgVpnTunEntLocGwyIp The IP of the local gateway used by the tunnel fgVpnTunEntLocGwyPor...

Страница 195: ...to display the replacement messages for that category Select the Edit icon beside each replacement message to customize that message for your requirements Figure 103 Replacement messages list Note Di...

Страница 196: ...editing a replacement message Different replacement messages have different sets of fields and options You can customize the following categories of replacement messages Mail replacement messages HTTP...

Страница 197: ...ofile antivirus Pass Fragmented Emails is not enabled so a fragmented email is blocked This message replaces the first fragment of the fragmented email Data leak prevention message In a DLP sensor a r...

Страница 198: ...ata leak prevention message In a DLP sensor a rule with action set to Block replaces a blocked web page or file with this web page Banned by data leak prevention message In a DLP sensor a rule with ac...

Страница 199: ...message is displayed whenever the banned user attempts to access until the user is removed from the banned user list Table 31 FTP replacement messages Message name Description Virus message Antivirus...

Страница 200: ...et the alert email Minimum log level Table 33 Spam replacement messages Message name Description Email IP Spam Filtering IP address BWL check enabled for an email protocol in a protection profile iden...

Страница 201: ...nd controls not found on other replacement messages Users see the authentication login page when they use a VPN or a firewall policy that requires authentication You can customize this page in the sam...

Страница 202: ...oes not re direct the user to a redirect URL or the firewall policy does not include a redirect URL When a firewall user selects the button on the disclaimer page to decline access through the FortiGa...

Страница 203: ...89 The OVRD_FORM tag provides the form used to initiate an override if FortiGuard Web Filtering blocks access to a web page Do not remove this tag from the replacement message Table 36 IM and P2P repl...

Страница 204: ...to include an email address or other contact information or if applicable a note about how long the user can expect to be blocked For more information about NAC quarantine see NAC quarantine and the B...

Страница 205: ...ing HTTP on port 80 or when any user attempts to connect through a FortiGate interface added to the banned user list using HTTP on port 80 Table 37 NAC quarantine replacement messages Message name Des...

Страница 206: ...g override form and should not be used in other replacement messages PROTOCOL The protocol http ftp pop3 imap or smtp in which a virus was detected PROTOCOL is added to alert email virus messages QUAR...

Страница 207: ...access In Transparent mode you configure a single management IP address that applies to all interfaces in your VDOM that permit management access The FortiGate also uses this IP address to connect to...

Страница 208: ...t access can be via HTTP HTTPS telnet or SSH sessions if those services are enabled on the interface HTTPS and SSH are preferred as they are more secure You can allow remote administration of the Fort...

Страница 209: ...or with any admin profile other than super_admin A regular administrator account has access to configuration options as determined by its Admin Profile If virtual domains are enabled the regular admin...

Страница 210: ...vileges super_admin_readonly This profile cannot be deleted or changed similar to the super_admin The read only super_admin profile is suitable in a situation where it is necessary for a system admini...

Страница 211: ...here can only be one VDOM override user per system For more information see the FortiGate CLI Reference Viewing the administrators list You need to use the default admin account an account with the su...

Страница 212: ...ontrol to create a new administrator To create a new administrator go to System Admin Administrators and select Create New To configure the settings for an existing administrator select the Edit icon...

Страница 213: ...er Group The administrator user group cannot be deleted once the group is selected for authentication This is available only if Type is Remote or PKI Wildcard Select to allow all accounts on the RADIU...

Страница 214: ...rvers provide authentication authorization and accounting functions FortiGate units use the authentication and authorization functions of the RADIUS server To use the RADIUS server for authentication...

Страница 215: ...RADIUS server secret The RADIUS server administrator can provide this information 6 Optionally provide information regarding a secondary RADIUS server custom authentication scheme and a NAS IP Called...

Страница 216: ...DAP is an Internet protocol used to maintain authentication data that may include departments people groups of people passwords email addresses printers etc If you have configured LDAP support and an...

Страница 217: ...The domain name or IP address of the LDAP server Server Port The TCP port used to communicate with the LDAP server Common Name Identifier The common name identifier for the LDAP server Distinguished...

Страница 218: ...ices via one or more centralized servers If you have configured TACACS support and an administrator is required to authenticate using a TACACS server the FortiGate unit contacts the TACACS server for...

Страница 219: ...ticates using PAP MSCHAP and CHAP in that order 7 Select OK For further information about TACACS authentication see Configuring TACACS servers on page 578 To create the user group TACACS 1 Go to User...

Страница 220: ...strator to be included in the user group create a user group To view the PKI user list go to User PKI Figure 113 Example PKI user list To configure a PKI user 1 Go to User PKI 2 Select Create New or s...

Страница 221: ...ative access In addition to knowing the password an administrator must connect only through the subnet or subnets you specify You can even restrict an administrator to a single IP address if you defin...

Страница 222: ...System Admin Central Management System Admin Settings Antivirus Configuration UTM AntiVirus Auth Users User Firewall Configuration Firewall FortiGuard Update System Maintenance FortiGuard IM P2P VoIP...

Страница 223: ...th Users authgrp user Firewall Configuration fwgrp firewall Use the set fwgrp custom and config fwgrp permission commands to set some firewall permissions individually You can make selections for poli...

Страница 224: ...wing the admin profiles list You need to use the admin account or an account with Admin Users read write access to create or edit admin profiles To view the admin profiles list go to System Admin Admi...

Страница 225: ...Select Create New or select the Edit icon beside an existing profile Enter or select the following and select OK Figure 115 Admin profile options Create New Add a new admin profile Profile Name The na...

Страница 226: ...for FortiGuard Analysis and Management Service you can also remotely upgrade the firmware on the FortiGate unit Figure 116 Central Management using FortiManager Figure 117 Central Management using the...

Страница 227: ...ement for this FortiGate unit You can select FortiManager or the FortiGuard Analysis and Management Service FortiManager Select to use FortiManager as the central management service for the FortiGate...

Страница 228: ...CD equipped models only SCP capability for users logged in via SSH IPv6 support on the web based manager To configure settings go to System Admin Settings enter or select the following and select OK F...

Страница 229: ...improve security keep the idle timeout at the default value of 5 minutes Display Settings Language The language the web based manager uses Choose from English Simplified Chinese Japanese Korean Spani...

Страница 230: ...other for IPv6 addressed packets For more information see the FortiGate IPv6 Support Technical Note available from the Fortinet Knowledge Center Before you can work with IPv6 on the web based manager...

Страница 231: ...as part of the administrator admin profile New admin profiles are based on the default layout The FortiGate default layout cannot be modified Terms used in this section include Dialog box HTML layer...

Страница 232: ...ive access to Log Report items for the Report Profile profile and prevent access to the default layout Note The current administrator Access Control settings apply only to the fixed components of the...

Страница 233: ...t access to the default layout items set Access Control to None for all items except Log Report 3 Under GUI Control Menu Layout select Standard 4 Select OK to save the settings The admin profiles list...

Страница 234: ...x for Report Profile In the GUI layout dialog box select the customization drop down menu icon beside System and select hide see Figure 124 Repeat for each menu item except Log Report Select Customize...

Страница 235: ...4 Select the Create New Tier 2 icon 3 5 The first Tier 2 menu item with the default name custom menu will appear with an additional Create New Tier 2 icon below it 4 6 Select and rename the default na...

Страница 236: ...tab Figure 127 Creating tabs in page layout To modify the configuration of the current page 1 Select the required tab then select Edit Layout The Edit this tab dialog box appears see Figure 128 You ma...

Страница 237: ...dd content to the Custom Log Report Tab1 dialog box appears see Figure 129 Figure 129 Add content dialog box The Add content dialog box includes a search feature that you can use to find widgets This...

Страница 238: ...an item that you want to include in the tab The item is placed in the page layout behind the Custom Log Report Tab1 dialog box You will see the configured layout when you close the Add content to the...

Страница 239: ...Version 4 0 Administration Guide 01 400 89802 20090424 239 http docs fortinet com Feedback Figure 132 Custom Log Report Tab1 page layout preview For the Custom Log Report Tab2 select the following it...

Страница 240: ...og Report Tab2 page layout preview To preview a customized layout in the custom GUI layout dialog box select Show Preview see Figure 135 When you have completed the configuration selections for the pa...

Страница 241: ...gured the custom GUI To save the configuration select OK to close the Admin Profile dialog box see Figure 121 To view the web based manager configuration created in Report Profile you must log out of...

Страница 242: ...Customizable web based manager System Admin FortiGate Version 4 0 Administration Guide 242 01 400 89802 20090424 http docs fortinet com Feedback...

Страница 243: ...tificates see the FortiGate Certificate Management User Guide Table 41 Automatically generated FortiGate certificates Fortinet_Firmware Embedded inside the firmware Signed by Fortinet_CA Same on all F...

Страница 244: ...ificate and send it to you to install on the FortiGate unit To view certificate requests and or import signed server certificates go to System Certificates Local Certificates To view certificate detai...

Страница 245: ...ificate request go to System Certificates Local Certificates select Generate and complete the fields in the table below To download and send the certificate request to a CA see Downloading and submitt...

Страница 246: ...FortiGate unit If you select Domain Name enter the fully qualified domain name of the FortiGate unit Do not include the protocol specification http or any port number or path names If a domain name i...

Страница 247: ...computer that has management access to the FortiGate unit To install the signed server certificate go to System Certificates Local Certificates and select Import The certificate file can be in either...

Страница 248: ...ote Certificates list To view installed Remote OCSP certificates or import a Remote OCSP certificate go to System Certificates Remote To view certificate details select the View Certificate Detail ico...

Страница 249: ...e displayed in the CA Certificates list You cannot delete the Fortinet_CA certificate To view installed CA root certificates or import a CA root certificate go to System Certificates CA Certificates T...

Страница 250: ...3 and so on Import Import a CA root certificate See Importing CA certificates on page 250 Name The names of existing CA root certificates The FortiGate unit assigns unique names CA_Cert_1 CA_Cert_2 CA...

Страница 251: ...the CRL on a computer that has management access to the FortiGate unit To import a certificate revocation list go to System Certificates CRL and select Import Import Import a CRL For more information...

Страница 252: ...URL of the HTTP server LDAP Select to use an LDAP server to retrieve the CRL then select the LDAP server from the list SCEP Select to use an SCEP server to retrieve the CRL then select the Local Certi...

Страница 253: ...backups of configuration files or update FortiGuard services The maintenance menu has the following tabs Backup Restore allows you to back up and restore your system configuration file remotely upgra...

Страница 254: ...nfiguration to your management PC a central management server or a USB disk You can back up and restore your configuration to a USB disk if the FortiGate unit includes a USB port and if you have conne...

Страница 255: ...iguration to The options available for backing up your current configuration Select one of the displayed options Local PC Back up the configuration to the management computer the FortiGate unit is con...

Страница 256: ...essfully completion of the backup Restore Restore configuration from The options available for restoring the configuration from a specific file Select one of the displayed options Local PC Restore a c...

Страница 257: ...ased by contacting support Additional information including how to register you FortiGate unit for the FortiGuard Analysis and Management Service is available in the FortiGuard Analysis and Management...

Страница 258: ...ore options and on uploading and downloading firmware for your FortiGate unit see Managing firmware versions on page 91 Backup The options available for backing up your current configuration to the Fo...

Страница 259: ...firmware options go to System Maintenance Backup Restore Note The FortiGuard FortiManager protocol is used when connecting to the FortiGuard Analysis and Management Service This protocol runs over SSL...

Страница 260: ...e if you are upgrading to FortiOS 3 0 MR6 and the FortiGate unit is located in North America the firmware version available is v3 0 MR6 NA build 0700 Allow firmware downgrade Select to allow installat...

Страница 261: ...tiple versions of configuration files Revision control requires a configured central management server This server can either be a FortiManager unit or the FortiGuard Analysis and Management Service I...

Страница 262: ...is and Management Service account The uploaded script files appear on the FortiGuard Analysis and Management Service portal web site After executing scripts you can view the script execution history o...

Страница 263: ...elect Apply to upload and execute the file If the FortiGate unit is configured to use the FortiGuard Analysis and Management Service the script will be saved on the server for later use Select From re...

Страница 264: ...ces Go to System Maintenance FortiGuard to configure your FortiGate unit to use the FortiGuard Distribution Network FDN and FortiGuard Services The FDN provides updates to antivirus definitions IPS de...

Страница 265: ...tiGuard Antispam service FortiGuard Antispam is an antispam system from Fortinet that includes an IP address black list a URL black list spam filtering tools contained in an antispam rule set that is...

Страница 266: ...ng logging and reporting capabilities for all FortiGate units These services were previously available only on FortiAnalyzer and FortiManager units The subscription based service is available from the...

Страница 267: ...vice subscription The status can be Unreachable Not Registered Valid License or Valid Contract The option Subscribe appears if Availability is Not Registered The option Renew appears if Availability h...

Страница 268: ...thod used for last attempt to download definition updates for this service Date Local system date when the FortiGate unit last checked for updates for this service Use override server address Select t...

Страница 269: ...able scheduled updates Every Attempt to update once every 1 to 23 hours Select the number of hours between each update request Daily Attempt to update once a day You can specify the hour of the day to...

Страница 270: ...Port Section Select one of the following ports for your web filtering and antispam requirements Use Default Port 53 Select to use port 53 for transmitting with FortiGuard Antispam servers Use Alterna...

Страница 271: ...to update the antivirus including grayware definitions and IPS attack definitions To make sure the FortiGate unit can connect to the FDN 1 Go to System Status and select Change on the System Time lin...

Страница 272: ...definitions and engines Messages are recorded to the event log indicating whether the update was successful or not To enable scheduled updates 1 Go to System Maintenance FortiGuard 2 Select the expand...

Страница 273: ...message to the FDN The next time new antivirus or IPS attack definitions are released the FDN notifies all FortiGate units that are configured for push updates that a new update is available Within 60...

Страница 274: ...e These procedures also include adding port forwarding virtual IP and a firewall policy to the NAT device Figure 161 Example network Push updates through a NAT device The overall process is 1 Register...

Страница 275: ...tions from the FDN to the FortiGate unit on the internal network To add a port forwarding virtual IP to the FortiGate NAT device 1 Go to Firewall Virtual IP 2 Select Create New 3 Enter the appropriate...

Страница 276: ...e key The license key is entered in System Maintenance License in the Input License Key field This appears only on high end FortiGate models Figure 162 License key for additional VDOMs Source Interfac...

Страница 277: ...leave and to which device the packet should be routed As an option you can define route policies Route policies specify additional criteria for examining the properties of incoming packets Using rout...

Страница 278: ...figuration permits delivery the FortiGate unit delivers the packet to the local network If the packet is destined for another network the FortiGate unit forwards the packet to a next hop router accord...

Страница 279: ...ure the priority field through the CLI The route with the lowest value in the priority field is considered the best route and it is also the primary route The command to set the priority field is set...

Страница 280: ...ss for those packets The gateway address specifies the next hop router to which traffic will be routed Working with static routes The Static Route list displays information that the FortiGate unit com...

Страница 281: ...ct destination you must edit the factory default configuration and make the router the default gateway for the FortiGate unit Create New Add a static route to the Static Route list For more informatio...

Страница 282: ...g specifies the IP address of the next hop router interface to the FortiGate external interface The interface behind the router 192 168 10 1 is the default gateway for FortiGate_1 In some cases there...

Страница 283: ...Destination IP mask 192 168 20 0 24 Gateway 192 168 10 1 Device internal Distance 10 Changing the gateway for the default route The default gateway determines where packets matching the default route...

Страница 284: ...ct Create New 3 Enter the IP address and netmask For example 172 1 2 0 255 255 255 0 would be a route for all addresses on the subnet 172 1 2 x 4 Enter the FortiGate unit interface closest to this sub...

Страница 285: ...conditions the FortiGate unit routes the packet through the specified interface to the specified gateway Figure 167 shows the policy route list belonging to a FortiGate unit that has interfaces named...

Страница 286: ...e received Outgoing The interfaces through which policy routed packets are routed Source The IP source addresses and network masks that cause policy routing to occur Destination The IP destination add...

Страница 287: ...and network mask to match A value of 0 0 0 0 0 0 0 0 disables the feature Destination Address Mask To perform policy routing based on the IP destination address of the packet type the destination add...

Страница 288: ...Policy Route Router Static FortiGate Version 4 0 Administration Guide 288 01 400 89802 20090424 http docs fortinet com Feedback...

Страница 289: ...virtual domains on page 103 Bi Directional Forwarding BFD is a protocol that works with BGP and OSPF to quickly discover routers on the network that cannot be contacted and to re route traffic accordi...

Страница 290: ...nit compares two routes to the same destination it adds the route having the lowest hop count to the routing table Similarly when RIP is enabled on an interface the FortiGate unit sends RIP responses...

Страница 291: ...on see Configuring a RIP enabled interface on page 293 Advanced Options Select the Expand Arrow to view or hide advanced RIP options For more information see Selecting advanced RIP options on page 292...

Страница 292: ...or both Receive Version The versions of RIP used to listen for updates on each interface 1 2 or both Authentication The type of authentication used on this interface None Text or MD5 Passive Permissi...

Страница 293: ...ng RIP updates Timeout Enter the maximum amount of time in seconds that a route is considered reachable while no updates are received for the route This is the maximum time the FortiGate unit will kee...

Страница 294: ...OSPF area that unit can participate in OSPF communications FortiGate units use the OSPF Hello protocol to acquire neighbors in an area A neighbor is any router that directly connected to the same area...

Страница 295: ...pdates its routing table based on the results of the SPF calculation to ensure that an OSPF packet will be routed using the shortest path to its destination Depending on the network topology the entri...

Страница 296: ...of the AS definition you specify the AS areas and specify which networks to include those areas You may optionally adjust the settings associated with OSPF operation on the FortiGate interfaces To vie...

Страница 297: ...s that are part of the network are advertised in OSPF link state advertisements You can enable OSPF on all FortiGate interfaces whose IP addresses match the OSPF network address space For more informa...

Страница 298: ...nt the generation of a default route Regular Generate a default route into the OSPF AS and advertise the route to neighboring autonomous systems only if the route is stored in the FortiGate routing ta...

Страница 299: ...F domain are made known to OSPF AS However the area itself continues to be treated like a stub area by the rest of the AS Regular areas and stub areas including not so stubby areas are connected to th...

Страница 300: ...e known to OSPF AS and you want the area to be treated like a stub area by the rest of the AS STUB If the routers in the area must send packets to an area border router in order to reach the backbone...

Страница 301: ...he same FortiGate interface could be connected to two neighbors through different subnets You could configure an OSPF interface definition containing one set of Hello and dead interval parameters for...

Страница 302: ...Authenticate LSA exchanges using a plain text password The password can be up to 35 characters and is sent in clear text over the network MD5 Use one or more keys to generate an MD5 cryptographic hash...

Страница 303: ...sic BGP options Note You can configure graceful restarting and other advanced settings only through CLI commands For more information on advanced BGP settings see the router chapter of the FortiGate C...

Страница 304: ...ave a physical or VLAN interface connected to those networks IP Netmask Enter the IP address and netmask of the network to be advertised Add Add the network information to the Networks list Network Th...

Страница 305: ...to the RP and data from the source is sent to the RP If an RP for the specified IP s multicast group is already known to the Boot Strap Router BSR the RP known to the BSR is used and the static RP ad...

Страница 306: ...also receive identical feeds from two ingress points in the network and route them independently Configure multicast DNAT in the CLI by using the following command config firewall multicast policy edi...

Страница 307: ...or the whole unit and turn it off for one or two interfaces Alternatively you can specifically enable BFD for each neighbor router or interface Which method you choose will be determined by the amount...

Страница 308: ...and then disable it for each neighbor that is running the protocol config system settings set bfd enable end config router bgp config neighbor edit ip_address set bfd disable end end Configuring BFD o...

Страница 309: ...IP or OSPF The offset list is part of the RIP and OSPF routing protocols For more information about RIP see RIP on page 289 For more information about OSPF see OSPF on page 294 Each rule in an access...

Страница 310: ...a key is always available even if there is some difference in the system times RIP version 2 uses authentication keys to ensure that the routing information exchanged between routers is reliable For...

Страница 311: ...key on that chain Accept Lifetime The start and end time that this key can accept routing packets Start The start time for this key The format is H M S M D YYYY End The end time for this key The end c...

Страница 312: ...destinations using the BGP routing protocol Compared to access lists route maps support enhanced packet matching criteria In addition route maps can be configured to permit or deny the addition of rou...

Страница 313: ...must be called by a FortiGate unit routing process Figure 186 Route Map GUI widget For more information on the route map see the router chapter of the FortiGate CLI Reference Route map Enter the name...

Страница 314: ...Customizable routing widgets Router Dynamic FortiGate Version 4 0 Administration Guide 314 01 400 89802 20090424 http docs fortinet com Feedback...

Страница 315: ...formation see Using virtual domains on page 103 This section describes Viewing routing information Searching the FortiGate routing table Viewing routing information By default all routes are displayed...

Страница 316: ...es Type The type values assigned to FortiGate routes Static Connected RIP OSPF or BGP Subtype If applicable the subtype classification assigned to OSPF routes An empty string implies an intra area rou...

Страница 317: ...select Connected from the Type list type 172 16 14 0 24 in the Network field and then select Apply Filter to display the associated routing table entry or entries Any entry that contains the word Con...

Страница 318: ...Searching the FortiGate routing table Router Monitor FortiGate Version 4 0 Administration Guide 318 01 400 89802 20090424 http docs fortinet com Feedback...

Страница 319: ...y instructions may also include protection profiles which can specify application layer inspection and other protocol specific protection and logging For details on using protection profiles see Firew...

Страница 320: ...efore the policy to block FTP all connections including FTP would immediately match the general policy and the policy to block FTP would never be applied This policy order would not have the intended...

Страница 321: ...For more information see the FortiOS CLI Reference and the FortiGate Multicast Technical Note Viewing the firewall policy list The firewall policy list displays firewall policies in their order of mat...

Страница 322: ...e information see Firewall Address on page 345 Destination The destination address or address group to which the policy applies For more information see Firewall Address on page 345 Schedule The sched...

Страница 323: ...IPSec VPN or SSL VPN tunnel respectively and may optionally apply NAT and allow traffic for one or both directions If permitted by the firewall encryption policy a tunnel may be initiated automaticall...

Страница 324: ...ct the name of a firewall address to associate with the Source Interface Zone Only packets whose header contains an IP address matching the selected firewall address will be subject to this policy You...

Страница 325: ...f Action is set to SSL VPN select the name of the IP address that corresponds to the host server or network that remote clients need to access behind the FortiGate unit Schedule Select a one time or r...

Страница 326: ...enabled in User Options Authentication User Authentication Disclaimer Available only on some models and only if Action is set to ACCEPT Select this option to display the Authentication Disclaimer page...

Страница 327: ...would then be able to access his or her email Traffic Priority Select High Medium or Low Select Traffic Priority so the FortiGate unit manages the relative priorities of different types of traffic Fo...

Страница 328: ...user groups for authentication Note If you do not install certificates on the network user s web browser the network users may see an SSL certificate warning message and have to manually accept the de...

Страница 329: ...Traffic If the Log Allowed Traffic option is selected when adding an identity based policy a green check mark appears Otherwise a white cross mark appears Delete icon Select to remove this policy Edit...

Страница 330: ...nally select Traffic Shaping and choose a traffic shaper 11 Select OK IPSec firewall policy options In a firewall policy see Configuring firewall policies on page 323 the following encryption options...

Страница 331: ...esses of inbound decrypted packets into the IP address of the FortiGate interface to the local private network Outbound NAT Select only in combination with a natip CLI value to translate the source ad...

Страница 332: ...P address matching the selected firewall address will be subject to this policy You can also create firewall addresses by selecting Create New from this list For more information see Configuring addre...

Страница 333: ...y to accept SSL VPN traffic This option is available only after you have added a SSL VPN user group SSL Client Certificate Restrictive Allow traffic generated by holders of a shared group certificate...

Страница 334: ...in the firewall policy To add a service to the list select the name and then select the Right Arrow Selected Services List of services that are included in the firewall policy To remove a service fro...

Страница 335: ...shaping configuration to traffic from port2 to port1 Log Allowed Traffic Select to record messages to the traffic log whenever the policy processes a connection You must also enable traffic log for a...

Страница 336: ...re evaluated for matches with user groups Tip If you select NAT the IP address of the outgoing interface of the FortiGate unit is used as the source address for new sessions started by SSL VPN Note Th...

Страница 337: ...licies in their order of matching precedence for each interface source destination address pair and service If virtual domains are enabled on the FortiGate unit DoS policies are configured separately...

Страница 338: ...see Adding filters to web based manager lists on page 53 Status When selected the DoS policy is enabled Clear the checkbox to disable the policy ID A unique identifier for each policy Policies are nu...

Страница 339: ...ftware company performing development and providing customer support In addition to their internal network of 15 computers they also have several employees who work from home all or some of the time W...

Страница 340: ...want to integrate web and email servers into the security solution To deal with their first requirement Company A configures specific policies for each home based worker to ensure secure communicatio...

Страница 341: ...gh the FortiGate unit via VPN tunnels Outbound NAT no Protection Profile Select the check mark and select standard_profile Interface Zone Source internal Destination wan1 Address Source CompanyA_netwo...

Страница 342: ...catalog server without first going through the firewall The topography at the branch office has all three users accessing the servers at the main branch through non secured internet connections Figur...

Страница 343: ...h a FortiGate HA cluster to the servers in a DMZ The public access terminals first go through a FortiWiFi unit where additional policies can be applied to the HA Cluster and finally to the servers The...

Страница 344: ...O and SMB Configuration Example Guide FortiGate Enterprise Configuration Example Source Interface Internal Source Address All Destination Interface DMZ Destination Address Servers Schedule Always Acti...

Страница 345: ...address groups About firewall addresses A firewall address can contain one or more network addresses Network addresses can be represented by an IP address with a netmask an IP address range or a full...

Страница 346: ...wing the firewall address list Firewall addresses in the list are grouped by type IP Netmask FQDN or IPv6 FortiGate unit default configurations include the all address which represents any IP address...

Страница 347: ...ly using the address Edit icon Select to edit the address Caution Be cautious if employing FQDN firewall addresses Using a fully qualified domain name in a firewall policy while convenient does presen...

Страница 348: ...For example if address A1 is associated with port1 and address A2 is associated with port2 they cannot be grouped However if A1 and A2 have an interface of Any they can be grouped even if the addresse...

Страница 349: ...The list of all configured and default firewall addresses Use the arrows to move selected addresses between the lists of available and member addresses Members The list of addresses included in the a...

Страница 350: ...Configuring address groups Firewall Address FortiGate Version 4 0 Administration Guide 350 01 400 89802 20090424 http docs fortinet com Feedback...

Страница 351: ...ll services separately for each virtual domain For more information see Using virtual domains on page 103 This section describes Viewing the predefined service list Viewing the custom service list Con...

Страница 352: ...g TCP 135 UDP 135 DHCP Dynamic Host Configuration Protocol DHCP allocates network addresses and delivers configuration parameters from DHCP servers to hosts UDP 67 68 DHCP6 Dynamic Host Configuration...

Страница 353: ...Service ILS includes LDAP User Locator Service and LDAP over TLS SSL TCP 389 L2TP Layer 2 Tunneling Protocol L2TP is a PPP based tunnel protocol for remote access TCP 1701 UDP 1701 LDAP Lightweight Di...

Страница 354: ...puters to connect and use a network service TCP 1812 1813 RAUDIO RealAudio multimedia traffic UDP 7070 RDP Remote Desktop Protocol is a multi channel protocol that allows a user to connect to a networ...

Страница 355: ...ocol SMTP is used for sending email messages between email clients and email servers and between email servers TCP 25 SMTPS SMTP with SSL Used for sending email messages between email clients and emai...

Страница 356: ...is similar to FTP but without security features such as authentication UDP 69 TIMESTAMP ICMP timestamp request messages ICMP 13 TRACEROUTE A computer network tool used to determine the route taken by...

Страница 357: ...The protocol and port numbers for each custom service Delete icon Remove the custom service The Delete icon appears only if the service is not currently being used by a firewall policy Edit icon Edit...

Страница 358: ...t OK Figure 214 New Custom Service IP Destination Port Specify the destination port number range for the service by entering the low and high port numbers If the service uses one port number enter thi...

Страница 359: ...ervice group to simplify your firewall policy list For example instead of having five identical policies for five different but related firewall services you might combine the five services into a sin...

Страница 360: ...oup Name Enter a name to identify the service group Available Services The list of configured and predefined services available for your group with custom services at the bottom Use the arrows to move...

Страница 361: ...ate a recurring schedule that activates a policy during a specified period of time For example you might prevent game playing during office hours by creating a recurring schedule that covers office ho...

Страница 362: ...dule to block access to the Internet during a holiday To view the one time schedule list go to Firewall Schedule One time Figure 219 One time schedule list Delete icon Remove the schedule from the lis...

Страница 363: ...and stop times to 00 Figure 220 New One time Schedule Delete icon Remove the schedule from the list The Delete icon appears only if the schedule is not being used in a firewall policy Edit icon Edit t...

Страница 364: ...Configuring one time schedules Firewall Schedule FortiGate Version 4 0 Administration Guide 364 01 400 89802 20090424 http docs fortinet com Feedback...

Страница 365: ...a NAT firewall policy For details see Configuring virtual IPs on page 370 If you enable virtual domains VDOMs on the FortiGate unit firewall virtual IPs are configured separately for each virtual doma...

Страница 366: ...ddress ranges the external IP address range corresponds to a mapped IP address range containing an equal number of IP addresses and each IP address in the external range is always translated to the sa...

Страница 367: ...gs map 192 168 37 4 to 10 10 10 42 so the FortiGate unit changes the packets addresses The source address is changed to 10 10 10 2 and the destination is changed to 10 10 10 42 The FortiGate unit make...

Страница 368: ...ent In the previous example the NAT check box is checked when configuring the firewall policy If the NAT check box is not selected when building the firewall policy the resulting policy does not perfo...

Страница 369: ...mes A physical external IP address can be used as the external VIP IP address Duplicate entries or overlapping ranges are not permitted Viewing the virtual IP list To view the virtual IP list go to Fi...

Страница 370: ...nation Address field is a virtual IP Figure 225 Creating a Virtual IP Name Enter or change the name to identify the virtual IP To avoid confusion addresses address groups and virtual IPs cannot have t...

Страница 371: ...if Port Forwarding is enabled SSL Offloading Select to accelerate clients SSL connections to the server by using the FortiGate unit to perform SSL operations then select which segments of the connecti...

Страница 372: ...net is mapped to 10 10 10 42 on a private network Attempts to communicate with 192 168 37 4 from the Internet are translated and sent to 10 10 10 42 by the FortiGate unit The computers on the Internet...

Страница 373: ...ed for 192 168 37 5 are translated and sent to 10 10 10 43 and packets destined for 192 168 37 6 are translated and sent to 10 10 10 44 The computers on the Internet are unaware of this translation an...

Страница 374: ...OK Name static_NAT_range External Interface wan1 Type Static NAT External IP Address Range The Internet IP address range of the web servers The external IP addresses are usually static IP addresses o...

Страница 375: ...t forwarding for a single IP address and a single port The IP address 192 168 37 4 port 80 on the Internet is mapped to 10 10 10 42 port 8000 on a private network Attempts to communicate with 192 168...

Страница 376: ...dmz network IP addresses of the web servers 1 Go to Firewall Policy and select Create New 2 Configure the firewall policy Name Port_fwd_NAT_VIP External Interface wan1 Type Static NAT External IP Addr...

Страница 377: ...192 168 37 5 rather than a FortiGate unit with a private network behind it Figure 232 Static NAT virtual IP port forwarding for an IP address range and a port range example To add static NAT virtual I...

Страница 378: ...ss Range The external IP addresses are usually static IP addresses obtained from your ISP This addresses must be unique not used by another host and cannot be the same as the IP address of the externa...

Страница 379: ...translation only When adding a virtual IP if you enter a virtual IP address that is the same as the mapped IP address and apply port forwarding the destination IP address will be unchanged but the po...

Страница 380: ...ber VIP IP address es and port number s Viewing the VIP group list To view the virtual IP group list go to Firewall Virtual IP VIP Group Figure 233 VIP Group list Configuring VIP groups To add a VIP g...

Страница 381: ...the policy destination interface is the same as the IP pool interface With an IP pool added to the internal interface you can select Dynamic IP pool for policies with the internal interface as the de...

Страница 382: ...ent source port translation However selecting fixed port means that only one connection can be supported through the firewall for this service To be able to support multiple connections add an IP pool...

Страница 383: ...t Configuring IP Pools To add an IP pool go to Firewall Virtual IP IP Pool 192 168 1 2 172 16 30 11 192 168 1 10 172 16 30 19 192 168 1 11 172 16 30 10 192 168 1 12 172 16 30 11 192 168 1 13 172 16 30...

Страница 384: ...d ports must be used Figure 237 Double NAT To allow the local users to access the server you can use fixed port and IP pool to allow more than one user connection while using virtual IP to translate t...

Страница 385: ...IP to translate the destination port number and the IP pool to translate the source addresses 1 Go to Firewall Policy 2 Select Create New 3 Configure the firewall policy 4 Select NAT 5 Select OK Name...

Страница 386: ...their default route One of the management IPs of the FortiGate unit is set to 192 168 1 99 This configuration results in a typical NAT mode firewall When a PC on the internal network attempts to conn...

Страница 387: ...68 1 99 24 end 2 Enter the following command to add an IP pool to the wan1 interface config firewall ippool edit nat out set interface wan1 set startip 10 1 1 201 set endip 10 1 1 201 end 3 Enter the...

Страница 388: ...mode Firewall Virtual IP FortiGate Version 4 0 Administration Guide 388 01 400 89802 20090424 http docs fortinet com Feedback Note You can add the firewall policy from the web based manager and then u...

Страница 389: ...antially more servers can be added behind the FortiGate unit in order to cope with the increased load This section describes How load balancer works Configuring virtual servers Configuring real server...

Страница 390: ...tional server is required Round Robin Directs requests to the next server and treats all servers as equals regardless of response time or number of connections Dead servers or non responsive servers a...

Страница 391: ...o which the virtual server communicates Load Balance Method Select a load balancing method For more information see Load Balance Method on page 390 Persistence Select a persistence for the virtual ser...

Страница 392: ...ther option but still improved over communications without SSL acceleration and can be used in failover configurations where the failover path does not have an SSL accelerator If the server is already...

Страница 393: ...ion The limit on the number of active connections directed to a real server If the maximum number of connections is reached for the real server the FortiGate unit will automatically switch all further...

Страница 394: ...the interval timeout or retry which are settings common to all types This field is empty if the type of the health check monitor is PING Delete Select to remove the health check monitor configuration...

Страница 395: ...s of the existing virtual servers Real Server The IP addresses of the existing real servers Health Status Display the health status according to the health check results for each real server A green a...

Страница 396: ...Monitoring the servers Firewall Load Balance FortiGate Version 4 0 Administration Guide 396 01 400 89802 20090424 http docs fortinet com Feedback...

Страница 397: ...n apply to one or more firewall policies Because protection profiles can be used by more than one firewall policy you can configure one protection profile for the traffic types handled by a set of fir...

Страница 398: ...ion Profile in the firewall policy 4 Select the protection profile that you want to apply to the firewall policy The firewall policy will use settings from the protection profile that apply to its Ser...

Страница 399: ...P3S and SMTPS traffic To perform SSL content scanning and inspection the FortiGate unit does the following intercepts and decrypts HTTPS IMAPS POP3S and SMTPS sessions between clients and servers Fort...

Страница 400: ...ed keys Two encrypted SSL sessions are set up one between the client and the FortiGate unit and a second one between the FortiGate unit and the server Inside the FortiGate unit the packets are decrypt...

Страница 401: ...y with another signing CA certificate To do this you need the signing CA certificate file the CA certificate key file and the CA certificate password All SSL content scanning and inspection uses the s...

Страница 402: ...FortiGate unit can also apply Antivirus and DLP content inspection and content archiving to HTTPS Using SSL content scanning and inspection to decrypt HTTPS also allows you to apply more web filterin...

Страница 403: ...the DLP rules to a DLP sensor See Adding or editing a rule in a DLP sensor on page 513 Go to Firewall Protection Profile Add or edit a protection profile and use Data Leak Prevention Sensor to add th...

Страница 404: ...For Displaying content meta information on the system dashboard select HTTPS IMAPS POP3S and SMTPS as required These options display meta information on the Statistics dashboard widget For more inform...

Страница 405: ...onitors the default content protocol port numbers for example port 80 for HTTP You can edit the settings for each content protocol and select inspection for all port numbers for that protocol or selec...

Страница 406: ...pand Arrow beside Protocol Recognition enter the information as described below and select OK Figure 251 Protection profile Protocol Recognition options SSL content scanning and inspection Figure 252...

Страница 407: ...Web URL Filter and Block invalid URLs for HTTPS Selecting URL Filtering also limits the FortiGuard Web Filtering options that you can select for HTTPS Deep Scan Decryption on SSL Traffic Select this o...

Страница 408: ...s and streams traffic to the destination terminating the stream to the destination if a virus is detected For details on configuring splicing see the splice option for each protocol in the config fire...

Страница 409: ...rsize threshold Threshold If the file is larger than the threshold value in megabytes the file is passed or blocked The maximum threshold for scanning in memory is 10 of the FortiGate unit s RAM Allow...

Страница 410: ...hat the download has been blocked The number of URLs in the cache is limited by the size of the cache FTP and HTTP client comforting steps The following steps show how client comforting works for an F...

Страница 411: ...time For more information about overrides see Web Filter on page 475 You can configure web filtering for HTTP and HTTPS traffic If your FortiGate unit supports SSL content scanning and inspection and...

Страница 412: ...ry the score for the web page increases When the total score for a web page equals or exceeds the threshold the page is blocked The default score for content block list entry is 10 and the default thr...

Страница 413: ...ava Applet Filter Select to block Java applets Web Resume Download Block Select to block downloading parts of a file that have already been downloaded Enabling this option will prevent the unintention...

Страница 414: ...nd Protocol recognition options on page 405 To configure FortiGuard Web Filtering options go to Firewall Protection Profile Select Create New to add a protection profile or the Edit icon beside an exi...

Страница 415: ...tails for blocked HTTP 4xx and 5xx errors Display a replacement message for 400 and 500 series HTTP errors If the error is allowed through malicious or objectionable sites can use these common error p...

Страница 416: ...URL is blocked because it belongs to the Search Engines category which is blocked With Strict Blocking disabled the URL is allowed because it is classified as Image Search which the profile allows It...

Страница 417: ...ing options go to Firewall Protection Profile Select Create New to add a protection profile or the Edit icon beside an existing protection profile Then select the Expand Arrow beside Spam Filtering en...

Страница 418: ...ig Replacement Messages and customizing the Spam Spam submission message For more information see Spam replacement messages on page 200 IP address BWL check Select to compare the IP address of email m...

Страница 419: ...splice the FortiGate unit simultaneously scans and streams traffic to the destination terminating the stream to the destination if a virus is detected For details on configuring splicing see the splic...

Страница 420: ...e 523 To configure application control options go to Firewall Protection Profile Select Create New to add a protection profile or the Edit icon beside an existing protection profile Then select the Ex...

Страница 421: ...you enable antivirus protection you could also enable the antivirus protection profile logging options to write an event log message every time a virus is detected by this protection profile For more...

Страница 422: ...nt Block Select to log content blocking events URL Filter Select to log blocked and exempted URLs ActiveX Filter Select to log blocked Active X plugins Cookie Filter Select to log blocked cookies Java...

Страница 423: ...andwidth Traffic priority Traffic shaping considerations Configuring traffic shaping Guaranteed bandwidth and maximum bandwidth When you enter a value in the Guaranteed Bandwidth field when adding a t...

Страница 424: ...esholds have been surpassed frames and packets will be dropped and sessions will be affected in other ways For example incorrect traffic shaping configurations may actually further degrade certain net...

Страница 425: ...aper 1 Go to Firewall Traffic Shaping Traffic Shaping 2 Select Create New Figure 269 Creating traffic shapers Create New Add a traffic shaper For more information see To create a traffic shaper on pag...

Страница 426: ...e relative priorities of different types of traffic For example a policy for connecting to a secure web server needed to support ecommerce traffic should be assigned a high traffic priority Less impor...

Страница 427: ...lso describes how FortiOS SIP support works and how to configure the key SIP features For more configuration information see the FortiGate CLI Reference The FortiGate unit supports the following SIP f...

Страница 428: ...to signal the destination SIP client Figure 271 SIP in redirect mode SIP Client A SIP Client B SIP Proxy Server IP Network b example com a example com RTP Session 1 SIP clients register with SIP serve...

Страница 429: ...rity The FortiGate intrusion prevention system IPS provides another strategic line of defense particularly against VoIP network predators The IPS has deep packet inspection capabilities to provide con...

Страница 430: ...manage NAT The FortiGate unit also supports a variation of this scenario the RTP server hides its real address Figure 274 SIP destination NAT RTP server hidden In this scenario shown in Figure 274 a...

Страница 431: ...red so that the SIP phone 219 29 81 20 will connect to 217 233 90 60 The media gateway RTP server 219 29 81 10 will connect to 217 233 90 65 What happens is as follows 1 The SIP phone connects to the...

Страница 432: ...ou can enable SIP support set two rate limits enable SIP logging and view SIP statistics using the web based manager You need to configure most features however through the CLI Enabling SIP support an...

Страница 433: ...es edit 12 set register rate 100 set invite rate 30 end end More about rate limiting FortiGate units support rate limiting for the following types of VoIP traffic Session Initiation Protocol SIP Skinn...

Страница 434: ...tion see the FortiGate CLI Reference Turning on SIP tracking The FortiGate SIP ALG Application Level Gateway tracks the SIP session over its life span A SIP session or SIP dialog is normally establish...

Страница 435: ...etadata Depending on your log configuration you can view the archived information For more information see Log Report on page 647 From the CLI type the following commands config application list edit...

Страница 436: ...erver From the CLI type the following commands config application list edit list_name config entries edit 12 set reg diff port enable end end Controlling the SIP ALG You can enable contact fixup so th...

Страница 437: ...SIP support Configuring SIP FortiGate Version 4 0 Administration Guide 01 400 89802 20090424 437 http docs fortinet com Feedback edit 12 set contact fixup enable disable end end...

Страница 438: ...Configuring SIP SIP support FortiGate Version 4 0 Administration Guide 438 01 400 89802 20090424 http docs fortinet com Feedback...

Страница 439: ...tine view the virus list and configure the grayware list For details see Using virtual domains on page 103 This section describes Order of operations Antivirus tasks Antivirus settings and controls Fi...

Страница 440: ...ices The tasks will be discussed in the order that they are applied followed by FortiGuard antivirus File size This task checks if files and email messages exceed configured thresholds It is enabled b...

Страница 441: ...if enabled performs tests on the file to detect virus like behavior or known virus indicators In this way heuristic scanning may detect new viruses but may also produce some false positive results Fi...

Страница 442: ...ed or disabled Quarantine UTM AntiVirus Quarantined Files Enable or disable quarantining for each protocol File Quarantine is only available on units with a local disk or with a configured FortiAnalyz...

Страница 443: ...file will be blocked and a replacement messages will be sent to the user If both file filter and virus scan are enabled the FortiGate unit blocks files that match the enabled file filter and does not...

Страница 444: ...lf gzip rar tar lzh upx zip cab bzip2 bzip activemime hlp arj base64 binhex uue fsg aspack jad class cod msc petite sis prc unknown ignored Note The unknown type is any file type that is not listed in...

Страница 445: ...cribe the list if required Name File filter list name To change the name edit text in the name field and select OK Comment Optional comment To add or edit comment enter text in comment field and selec...

Страница 446: ...Firewall Protection Profile Antivirus to enable quarantine for required protocols in the protection profiles For details see Configuring a protection profile on page 404 You can configure a protectio...

Страница 447: ...e Antivirus CLI configuration on page 453 If your FortiGate unit supports SSL content scanning and inspection Service can also be IMAPS POP3S SMTPS or HTTPS Apply Select to apply the sorting and filte...

Страница 448: ...ere quarantined A rapidly increasing number can indicate a virus outbreak TTL Time to live in the format hh mm When the TTL elapses the FortiGate unit labels the file as EXP under the TTL heading In t...

Страница 449: ...ns for HTTP FTP IMAP POP3 SMTP IM and NNTP Traffic If your FortiGate unit supports SSL content scanning and inspection you can also quarantine blocked and infected files from HTTPS IMAPS POP3S and SMT...

Страница 450: ...iles list When the limit is reached the TTL column displays EXP and the file is deleted although the entry in the quarantined files list is maintained Entering an age limit of 0 zero means files are s...

Страница 451: ...can enable this feature to allow the FortiGate unit to scan for non active viruses For details see Anti Virus options on page 407 To view information about the virus databases go to UTM AntiVirus Vir...

Страница 452: ...are populated with known executable files Each time the FortiGate unit receives a virus and attack definitions update the grayware categories and contents are updated To view the grayware list go to...

Страница 453: ...sance games that you may want to block from network users HackerTool Block hacker tools Hijacker Block browser hijacking programs Browser hijacking occurs when a spyware type program changes web brows...

Страница 454: ...heuristic scanning mode config antivirus quarantine The quarantine command also allows configuration of heuristic related settings This feature is available on models numbered 200 and higher config an...

Страница 455: ...guration About intrusion protection The FortiGate unit can log suspicious traffic send alert email messages to system administrators and log pass or block suspicious packets or sessions You can adjust...

Страница 456: ...all protection profiles For information about creating IPS sensors see Configuring IPS sensors on page 462 For information about accessing and modifying the protection profile IPS sensor selection see...

Страница 457: ...s and whether the signature is enabled by default To view the predefined signature list go to UTM Intrusion Protection Predefined You can also use filters and column settings to display the signatures...

Страница 458: ...ormation Low Medium High and Critical Target The target of the signature servers clients or both Protocols The protocol the signature applies to OS The operating system the signature applies to Applic...

Страница 459: ...System IPS Guide Viewing the custom signature list To view the custom signature list go to UTM Intrusion Protection Custom Figure 292 The custom signature list Creating custom signatures Use custom s...

Страница 460: ...e protocol decoder list To view the decoders and the port numbers that the protocol decoders monitor go to UTM Intrusion Protection Protocol Decoder The decoder list is provided for your reference and...

Страница 461: ...licy that controls all of the traffic to and from a web server protected by the FortiGate unit The FortiGuard Service periodically updates the pre defined signatures with signatures added to counter n...

Страница 462: ...e first compared to network traffic If the IPS sensor does not find any matches it then compares the signatures in each filter to network traffic one filter at a time from top to bottom If no signatur...

Страница 463: ...h the signatures apply Application The applications to which the signatures apply Enable The status of the signatures included in the filter The signatures can be set to enabled disabled or default Th...

Страница 464: ...signature Add Custom Override Select to create an override based on a custom signature Current position of each override in the list Name The name of the signature Enable The status of the override A...

Страница 465: ...nt to include in the filter from the Available to the Selected list or the Left Arrow to remove previously selected protocols from the filter Quarantine Attackers to Banned Users List Select to enable...

Страница 466: ...t the filter in a protection profile applied to a policy An override does not have the ability to affect network traffic until these steps are taken Signature Select the browse icon to view the list o...

Страница 467: ...bleshoot a problem the packet log history command allows you to specify how many packets are captured when an IPS signature is found in a packet If the value is set to larger than 1 the packet contain...

Страница 468: ...save them To view and save logged packets 1 Go Log Report Log Access 2 Depending on where the logs are configured to be stored select the appropriate tab Memory Select Memory if logs are stored in the...

Страница 469: ...t is capable of detecting and protecting against a number of anomaly attacks You can enable or disable logging for each traffic anomaly and configure the detection threshold and action to take when th...

Страница 470: ...ignatures will appear only in the VDOM in which they were created Create New Add a new DoS sensor to the bottom of the list ID A unique identifier for each DoS sensor The ID does not indicate the sequ...

Страница 471: ...s traffic to pass when the FortiGate unit detects it or set Block to prevent the traffic from passing Threshold Displays the number of sessions packets that must show the anomalous behavior before the...

Страница 472: ...om one source IP address exceeds the configured threshold value the action is executed The threshold is expressed in packets per second tcp_src_session If the number of concurrent TCP connections from...

Страница 473: ...on Protection Intrusion protection CLI configuration FortiGate Version 4 0 Administration Guide 01 400 89802 20090424 473 http docs fortinet com Feedback ips global socket size Set the size of the IPS...

Страница 474: ...Intrusion protection CLI configuration Intrusion Protection FortiGate Version 4 0 Administration Guide 474 01 400 89802 20090424 http docs fortinet com Feedback...

Страница 475: ...separately for each virtual domain For details see Using virtual domains on page 103 This section describes Order of web filtering How web filtering works Web filter controls Web content block URL fil...

Страница 476: ...e FortiGuard ratings Finally the FortiGuard unit applies script filtering for ActiveX Cookie and Java applet which can be configured in Firewall Protection Profile Web Filtering Once you have finished...

Страница 477: ...page blocking based on the banned words and patterns in the content block list for HTTP or HTTPS traffic Add words and patterns to block web pages containing those words or patterns Table 49 Web filte...

Страница 478: ...rs HTTP only Rate images by URL Blocked images will be replaced with blanks HTTP only Allow web sites when a rating error occurs HTTP only Strict Blocking HTTP only Category Action FortiGuard Web Filt...

Страница 479: ...equested web page is checked against the content block list The score value of each pattern appearing on the page is added and if the total is greater than the threshold value set in the protection pr...

Страница 480: ...OK Comment Optional comment To add or edit comment enter text in comment field and select OK Create new Select to add a pattern to the web content block list Total The number of patterns in the web c...

Страница 481: ...nguage Select a language from the dropdown list Score Enter a score for the pattern Each entry in the web content block list incudes a score When you add a web content block list to a protection profi...

Страница 482: ...erwise block it To view the web content exempt list go to UTM Web Filter Web Content Exempt Select the Edit icon of the web content block list you want to view Figure 310 Sample web content exempt lis...

Страница 483: ...own icon Select to view the next page Remove All Entries icon Select to clear the table Pattern The current list of patterns Select the check box to enable all the patterns in the list Pattern type Th...

Страница 484: ...et s Knowledge Center web site http kc forticare com To add a URL filter list to the URL filter list catalog go to UTM Web Filter URL Filter Select Create New Figure 313 New URL Filter list dialog box...

Страница 485: ...l comment To add or edit comment enter text in comment field and select OK Create New Select to add a URL to the URL block list Page up icon Select to view the previous page Page down icon Select to v...

Страница 486: ...c For information about SSL content scanning and inspection see SSL content scanning and inspection on page 399 HTTP URL formats Type a top level URL or IP address to control access to all pages on a...

Страница 487: ...rest FortiGuard Web Filtering Service Point to determine the category of a requested web page then follows the firewall policy configured for that user or interface FortiGuard Web Filtering includes o...

Страница 488: ...er must provide a correct user name and password or the web site remains blocked Authentication is based on user groups and can be performed for local RADIUS and LDAP users For more information about...

Страница 489: ...cross indicates that the off site URL option is set to Block which means that the overwrite web page will not display the contents from off site domains For details see Configuring administrative over...

Страница 490: ...you set the offsite feature to allow the images on the page will then show up Only users that apply under the scope for the page override can see the images from the temporary overrides The users wil...

Страница 491: ...list IP Enter the IP address of the computer initiating the override Profile Select a protection profile from the dropdown list Off site URLs Select Allow or Block See the previous table for details...

Страница 492: ...y the URL block list is processed The local ratings override the FortiGuard server ratings and appear in reports as Local Category To create a local rating go to UTM Web Filter Local Ratings Delete ic...

Страница 493: ...uard Web Filtering Service Point name cannot be changed using the web based manager Configure all FortiGuard Web Filtering settings using the CLI For more information see the FortiGate CLI Reference f...

Страница 494: ...FortiGuard Web Filter Web Filter FortiGate Version 4 0 Administration Guide 494 01 400 89802 20090424 http docs fortinet com Feedback...

Страница 495: ...ng URL checking E mail checksum check and Spam submission Updates to the IP reputation and spam signature databases are provided continuously via the global FortiGuard distribution network From the Fo...

Страница 496: ...se but enabled on a per profile basis Table 52 describes the Antispam settings and where to configure and access them To access protection profile Antispam options go to Firewall Protection Profile se...

Страница 497: ...s You can place an email address anywhere in the list The filter checks each email address in sequence Return e mail DNS check n a Enable or disable checking incoming email return address domain again...

Страница 498: ...phrase to the subject or MIME header of tagged email You can choose to log any spam action in the event log For IMAP spam email may be tagged only after the user downloads the entire message by openi...

Страница 499: ...threshold value set in the protection profile the FortiGate unit processes the message according to the Spam Action setting in the protection profile The score for a pattern is applied only once even...

Страница 500: ...ds Select the check box to enable all the banned words in the list Pattern Type The pattern type used in the banned word list entry Choose from wildcard or regular expression For more information see...

Страница 501: ...ss list catalog go to UTM AntiSpam IP Address and select Create New Score Enter a score for the pattern Each entry in the banned word list added to the protection profile incudes a score When an email...

Страница 502: ...ments Enter a comment to describe the list if required Name Antispam IP address list name To change the name edit text in the name field and select OK Comments Optional comment To add or edit a commen...

Страница 503: ...ddress list catalog go to UTM AntiSpam E mail Address To view any individual antispam email address list select the Edit icon for the list you want to see Figure 331 Sample antispam email address list...

Страница 504: ...Address and select the Edit icon of the antispam email address list you want to view Figure 333 Sample email address list Profiles The protection profiles each antispam email address list has been ap...

Страница 505: ...Current Page The current page number of list items that are displayed Select the left and right arrows to display the first previous next or last page of the IP address list Remove All Entries icon Cl...

Страница 506: ...ers use unsecured third party SMTP or SMTPS servers to send unsolicited bulk email Using DNSBLs and ORDBLs is an effective way to tag or reject spam as it enters the network These lists act as domain...

Страница 507: ...rd boundary In Perl regular expressions the pattern does not have an implicit word boundary For example the regular expression test not only matches the word test but also any word that contains test...

Страница 508: ...ny of a b and c such as defg d d Any two decimal digits such as 42 same as d 2 i Makes the pattern case insensitive For example bad language i blocks any instance of bad language regardless of case w...

Страница 509: ...r characters between the letters of a word to fool spam blocking software v i a g r o i cr e _01 dit i Block common spam phrases The following phrases are some examples of common phrases found in spam...

Страница 510: ...Using wildcards and Perl regular expressions Antispam FortiGate Version 4 0 Administration Guide 510 01 400 89802 20090424 http docs fortinet com Feedback...

Страница 511: ...ortiGate unit This section describes how to configure the DLP settings If you enable virtual domains VDOMs on the Fortinet unit data leak prevention is configured separately for each virtual domain Fo...

Страница 512: ...tent_Archive All non encrypted email FTP HTTP IM and NNTP traffic is archived to a FortiAnalyzer unit or the FortiGuard Analysis and Management Service Traffic is only archived No blocking or quaranti...

Страница 513: ...ion of the DLP sensor Create New Select Create New to add a new rule or compound rule to the sensor Enable You can disable a rule or compound rule by clearing this check box The item will be listed as...

Страница 514: ...banned message and this message is forwarded to the recipient These replacement messages also replace all subsequent communication attempts until the user is removed from the banned user list Quaranti...

Страница 515: ...r every rule in the compound rule must match the traffic to trigger the configured action Individual rules in a sensor are linked with an implicit OR condition while rules within a compound rule are l...

Страница 516: ...Canada SIN Email US SSN Email Visa Mastercard These four rules detect American Express numbers Canadian Social Insurance Numbers U S Social Security Numbers or Visa and Mastercard numbers within the m...

Страница 517: ...your FortiGate unit supports SSL content scanning and inspection you can also configure the HTTP rule to apply to HTTPS get or HTTPS post traffic or both For more information about SSL content scanni...

Страница 518: ...metadata information is included If you are scanning for text in PDF files use the Scan PDF Text option Binary formatting codes and file information may appear within the text causing text matches to...

Страница 519: ...Check the total size of the information transfer In the case of email traffic for example the transfer size includes the message header body and any encoded attachment URL Search for the specified UR...

Страница 520: ...ng the individually configurable attributes of multiple rules compound rules allow you to specify far more detailed and specific conditions to trigger an action Viewing the DLP compound rule list To v...

Страница 521: ...rule applies HTTP POST GET When the protocol is set to HTTP select whether to have the compound rule apply to POST GET or both types of HTTP transactions FTP PUT GET When the protocol is set to FTP s...

Страница 522: ...DLP Compound Rules Data Leak Prevention FortiGate Version 4 0 Administration Guide 522 01 400 89802 20090424 http docs fortinet com Feedback...

Страница 523: ...affic passing through the FortiGate unit Application control uses IPS protocol decoders that can analyze network traffic to detect application traffic even if the traffic uses non standard ports or pr...

Страница 524: ...l List and select Create New Enter a name and optionally a comment of description Select OK Since a new application control list is blank the list edit window appears For information on creating appli...

Страница 525: ...es First create an entry in which AIM is the specified application Set the action to Pass Then create an entry in which the Category is im the Application is all and the action is Block Since the entr...

Страница 526: ...f Application is all every application in the selected category is included Action If the FortiGate unit detects traffic from the specified application the selected action will be taken Logging If tra...

Страница 527: ...ent meta information on the system dashboard Select to include meta information detected for the IM system on the FortiGate unit dashboard VoIP options Limit Call Setup Enter the maximum number of cal...

Страница 528: ...ol the following user information is listed Current Users Users Since Last Reset Users Blocked Chat For each IM protocol the following chat information is listed Total Chat Sessions Server based Chat...

Страница 529: ...total usage of the P2P application Applications set to Block will not affect the statistics Note that the same application can have different actions set in different application control lists In thi...

Страница 530: ...Application control statistics Application Control FortiGate Version 4 0 Administration Guide 530 01 400 89802 20090424 http docs fortinet com Feedback...

Страница 531: ...an specify manual keys Interface mode supported in NAT Route mode only creates a virtual interface for the local end of a VPN tunnel Use the following configuration procedures for all IPSec VPNs 1 Def...

Страница 532: ...ork Interface The names of all tunnels bound to physical aggregate VLAN inter VDOM link or wireless interfaces are displayed under their associated interface names in the Name column For more informat...

Страница 533: ...ult gw keyword for the vpn ipsec phase1 interface command in the FortiGate CLI Reference Auto Key You can configure two VPN peers or a FortiGate dialup server and a VPN client to generate unique Inter...

Страница 534: ...t how to choose the correct phase 1 settings for your particular situation see the FortiGate IPSec VPN User Guide Figure 351 New Phase 1 Name Type a name to represent the phase 1 definition The maximu...

Страница 535: ...t during phase 1 negotiations You must define the same value at the remote peer or client The key must contain at least 6 printable characters and should be known only by network administrators For op...

Страница 536: ...ent Dialup Clients Technical Note You must set Mode to Aggressive when the dialup clients use unique identifiers and unique pre shared keys If the dialup clients use unique pre shared keys only you ca...

Страница 537: ...u cannot configure Interface mode in a Transparent mode VDOM P1 Proposal Select the encryption and authentication algorithms used to generate keys for protecting negotiations Add or delete encryption...

Страница 538: ...tiGate unit is a dialup client type the user name and password that the FortiGate unit will need to authenticate itself to the remote XAuth server Enable as Server This is available only if Remote Gat...

Страница 539: ...generated automatically using a Diffie Hellman algorithm You can use a number of additional advanced phase 2 settings to enhance the operation of the tunnel To modify IPSec phase 2 advanced parameter...

Страница 540: ...d party intercepts a series of IPSec packets and replays them back into the tunnel Enable perfect forward secrecy PFS Enable or disable PFS Perfect forward secrecy PFS improves security by forcing a n...

Страница 541: ...dst addr type dst name src addr type and src name keywords for the vpn ipsec phase2 command in the FortiGate CLI Reference Source address If the FortiGate unit is a dialup server type the source IP a...

Страница 542: ...here is an SA for each direction so for each VPN you must specify two SPIs a local SPI and a remote SPI to cover bidirectional communications between two VPN devices To specify manual keys for creatin...

Страница 543: ...128 bit block Cipher Block Chaining CBC algorithm that uses a 128 bit key AES192 a 128 bit block Cipher Block Chaining CBC algorithm that uses a 192 bit key AES256 a 128 bit block Cipher Block Chainin...

Страница 544: ...iGate unit Site to site connections between the remote peers do not exist however You can establish VPN tunnels between any two of the remote peers through the FortiGate unit hub In a hub and spoke ne...

Страница 545: ...unnels go to User Monitor IPSEC For more information see IPSEC monitor list on page 592 Create New Define a new concentrator for an IPSec hub and spoke configuration For more information see Defining...

Страница 546: ...Monitoring VPNs IPSec VPN FortiGate Version 4 0 Administration Guide 546 01 400 89802 20090424 http docs fortinet com Feedback...

Страница 547: ...PPTP gateway you can select a PPTP client IP from a local address range or use the server defined in the PPTP user group You select which method to use for IP address retrieval and in the case of the...

Страница 548: ...an IP address from the reserved range of IP addresses to the client PPTP interface or retrieves the assigned IP address from the PPTP user group If you use the PPTP user group you must also define th...

Страница 549: ...must add a user group before you can select the option See User Group on page 583 IP Mode Select a method of determining the IP address for the PPTP connection Range Enable to specify a local address...

Страница 550: ...ess_ipv4 The starting address of the PPTP IP address range 0 0 0 0 status disable enable Enable or disable PPTP VPN disable usrgrp group_name This keyword is available when status is set to enable Ent...

Страница 551: ...column format with the ability to modify settings minimize the widget window or other functions depending on the type of content within the widget When users have complete administrative rights over t...

Страница 552: ...guring the settings select Apply Figure 361 SSL VPN Settings Note If required you can enable SSL version 2 encryption for compatibility with older browsers through a FortiGate CLI command For more inf...

Страница 553: ...r suites that use more than 128 bits to encrypt data Low RC4 64 bits DES and higher If you are not sure which level of SSL encryption the remote client web browser supports select this option to enabl...

Страница 554: ...administrator and the system user have the ability to customize the SSL VPN portal This section describes General tab Advanced tab Adding and editing widgets Session Information widget Bookmarks widge...

Страница 555: ...s FortiGate Version 4 0 Administration Guide 01 400 89802 20090424 555 http docs fortinet com Feedback Figure 363 Default web portals Default full access web portal Edit button Default tunnel access w...

Страница 556: ...ct Advanced The SSL VPN web portal Advanced tab is displayed Use the Advanced tab to configure advanced settings that monitor the SSL VPN clients and apply other advanced settings To edit settings for...

Страница 557: ...ow a client to connect to the SSL VON session only if they are running a third party antivirus or firewall application Client Check AV Select to have the FortiGate unit check for a running antivirus a...

Страница 558: ...r example if the latest patch level is 4 and tolerance is 2 clients will be accepted with patch 2 3 4 5 or 6 OK Select to save the configuration If you select OK you exit out of the SSL VPN web portal...

Страница 559: ...r Session Information Displays the login name of the user the amount of time the user has been logged in and the inbound and outbound traffic of HTTP and HTTPS Bookmarks Displays configured bookmarks...

Страница 560: ...en select Add The Add bookmark window opens When you finish creating the bookmark select OK in the Add bookmark window and then in the Bookmarks widget Figure 368 Bookmarks widget Edit Edit Select to...

Страница 561: ...ications Add Select to create a bookmark hyperlink Edit Select to edit an existing bookmark hyperlink When you select Edit a list of existing bookmarks appears Name Enter a name for the bookmark Type...

Страница 562: ...okmark hyperlink Edit Select to edit an existing bookmark hyperlink When you select Edit a list of existing bookmarks appears Select the bookmark you want to edit Name The name of the bookmark Type Th...

Страница 563: ...save the bookmark configuration Cancel Select to exit the Bookmarks Edit window without saving the new bookmark configuration Edit Select to edit the information in the Connections Tool widget Remove...

Страница 564: ...widget Select to close the Tunnel Mode widget and remove it from the web portal home page OK Select OK to save the configuration If you select OK the Tunnel Mode configuration window closes Cancel Sel...

Страница 565: ...page web portal Link status Indicates the state of the SSL VPN tunnel Up is displayed when an SSL VPN tunnel with the FortiGate unit has been established Down is displayed when a tunnel connection has...

Страница 566: ...Default web portal configurations SSL VPN FortiGate Version 4 0 Administration Guide 566 01 400 89802 20090424 http docs fortinet com Feedback...

Страница 567: ...r more of the following tasks prior to configuring the user groups Configure local user accounts For each user you can choose whether the password is verified by the FortiGate unit by a RADIUS server...

Страница 568: ...th a password stored on the FortiGate unit the user name and password must match a user account stored on the FortiGate unit or with a password stored on an authentication server the user name must ma...

Страница 569: ...Note Deleting the user name deletes the authentication configured for the user User Name A name that identifies the user Disable Select to prevent this user from authenticating Password Select to auth...

Страница 570: ...ed Note If virtual domains are enabled on the FortiGate unit IM features are configured globally To access these features select Global Configuration on the main menu Create New Add a new user to the...

Страница 571: ...tunnel the user must belong to one of the user groups that is allowed access correctly enter a user name and password to prove his or her identity if asked to do so RADIUS Remote Authentication and Di...

Страница 572: ...llenge handshake authentication protocol v1 CHAP challenge handshake authentication protocol provides the same functionality as PAP but does not send the password and other user information over the n...

Страница 573: ...in length Secondary Server Name IP Enter the domain name or IP address of the secondary RADIUS server if you have one Secondary Server Secret Enter the RADIUS server secret key for the secondary RADI...

Страница 574: ...ts to assign the IP address from the RADIUS record first SSL VPN tunnel mode For SSL VPN you implement this feature by adding the Tunnel Mode widget to the SSL VPN portal configuration Go to VPN SSL P...

Страница 575: ...rt does not extend to proprietary functionality such as notification of password expiration that is available from some LDAP servers Nor does the FortiGate LDAP supply information to the user about wh...

Страница 576: ...ch simple bind using a simple password authentication without a search You can use simple authentication if the user records all fall under one dn If the users are under more than one dn use the anony...

Страница 577: ...12 Query icon View the LDAP server Distinguished Name Query tree for the LDAP server that you are configuring so that you can cross reference to the Distinguished Name For more information see Using Q...

Страница 578: ...cess servers and other networked computing devices via one or more centralized servers TACACS allows a client to accept a user name and password and send a query to a TACACS authentication server The...

Страница 579: ...t the following Figure 383 TACACS server configuration Directory Service Windows Active Directory AD and Novell eDirectory provide central authentication services by storing information about network...

Страница 580: ...Because the domain controller authenticates users the FortiGate unit does not perform authentication It recognizes group members by their IP address You must install the Fortinet Server Authenticatio...

Страница 581: ...valid certificate for successful authentication no user name or password are necessary Firewall and SSL VPN are the only user groups that can use PKI authentication Add User Group Add a user or group...

Страница 582: ...er user you need a peer user name the text from the subject field of the certificate of the authenticating peer user or the CA certificate used to authenticate the peer user You can add or modify othe...

Страница 583: ...unit authenticates users by requesting each user name and password The FortiGate unit checks local user accounts first If the unit does not find a match it checks the RADIUS LDAP or TACACS servers tha...

Страница 584: ...page authorized users can authenticate to access the web page or to allow members of another group to access it For each resource that requires authentication you specify which user groups are permit...

Страница 585: ...ncluding the override feature see FortiGuard Web Filter on page 487 For information on configuring user groups see Configuring a user group on page 586 SSL VPN user groups An SSL VPN user group provid...

Страница 586: ...oup Firewall Directory Service and SSL VPN For more information see Firewall user groups on page 584 Directory Service user groups on page 585 and SSL VPN user groups on page 585 Members The Local use...

Страница 587: ...stration Guide 01 400 89802 20090424 587 http docs fortinet com Feedback Figure 389 User group configuration Firewall Figure 390 User group configuration Directory Service Right Arrow Left Arrow Expan...

Страница 588: ...d firewall policies on page 331 Portal Select the SSL VPN web portal configuration to use with the User Group For more information see SSL VPN web portal on page 554 Available Users Groups or Availabl...

Страница 589: ...ng information Figure 392 FortiGuard Web Filtering Override configuration Allow to create FortiGuard Web Filtering overrides Select to allow members of this group to request an override on the FortiGu...

Страница 590: ...d to HTTPS only you can install customized certificates on the FortiGate unit and the users can also have customized certificates installed on their browsers Otherwise users will see a warning message...

Страница 591: ...list SSL VPN monitor list IM user monitor list NAC quarantine and the Banned User list Firewall user monitor list In some environments it is useful to determine which users are authenticated by the F...

Страница 592: ...ons on page 60 Clear All Filters Remove all filters applied to the Firewall user monitor list De authenticate All Users Stop authenticated sessions for all users in the Firewall user monitor list User...

Страница 593: ...to display the first previous next or last page of monitored VPNs Filter icons Edit the column filters to filter or sort the IPSec monitor list according to the criteria you specify For more informati...

Страница 594: ...hich users to allow or block To view the list of active IM users go to User Monitor IM Figure 397 IM user monitor list No The connection identifiers User The user names of all connected remote users S...

Страница 595: ...arantine and DLP You can also use Data Leak Prevention DLP sensors to block access and to add users to the Banned User list However unlike NAC quarantine which drops packets at the network layer DLP b...

Страница 596: ...to pre defined and custom overrides in an IPS sensor For more information see Configuring filters on page 464 and Configuring pre defined and custom overrides on page 465 To configure NAC quarantine f...

Страница 597: ...nned or quarantined by Data Leak Prevention Set various options in a DLP sensor to add users or IP addresses to the Banned User list For more information see Adding or editing a rule in a DLP sensor o...

Страница 598: ...NAC quarantine and the Banned User list User FortiGate Version 4 0 Administration Guide 598 01 400 89802 20090424 http docs fortinet com Feedback...

Страница 599: ...ual domain For details see Using virtual domains on page 103 This section describes Frequently asked questions about FortiGate WAN optimization Overview of FortiGate WAN optimization Configuring WAN o...

Страница 600: ...communication session As of FortiOS 4 0 in a single VDOM if a firewall policy includes a protection profile all sessions accepted by the policy are processed by the protection profile and are not pro...

Страница 601: ...the WAN is intercepted by a WAN optimization peer This client side WAN optimization peer sets up a WAN optimization tunnel with a server side WAN optimization peer Together these WAN optimization peer...

Страница 602: ...tiGate unit over a WAN optimization tunnel Traffic in the tunnel can be sent in plain text or encrypted using SSL Both the plain text and the encrypted tunnels use TCP port 7810 Figure 400 WAN optimiz...

Страница 603: ...ses that are always changing as the users travel to different customer sites This configuration is also useful if you have FortiGate units that get external IP addresses using DHCP or PPPoE For more i...

Страница 604: ...twork is simpler in this case because client addresses are not involved but the server sees all traffic as coming from the FortiGate unit and not from individual clients FortiGate models that support...

Страница 605: ...ring WAN optimization The WAN optimization rule list displays WAN optimization rules in their order of matching precedence If virtual domains are enabled on the FortiGate unit WAN optimization rules a...

Страница 606: ...most general prevents rules that match a wide range of traffic from superseding and effectively masking rules that match exceptions Create New Add a new WAN optimization rule New rules are added to t...

Страница 607: ...e applied This rule order would not have the intended effect Figure 403 Example secure tunneling for FTP Incorrect rule order Similarly if specific traffic requires exceptional WAN optimization rule s...

Страница 608: ...IP address matching this IP address or address range will be accepted by and subject to this rule For a passive rule the server passive source address range should be compatible with the source addres...

Страница 609: ...mode if Auto Detect is set to Active or Off You can also select transparent mode for web cache only rules Select transparent mode to keep the original source address of the packets when they are sent...

Страница 610: ...t include web caching You can add WAN optimization rules for web caching only You can also add web caching to WAN optimization rules for HTTP traffic that also include byte caching protocol optimizati...

Страница 611: ...You add WAN optimization rules that enable web caching only by going to WAN Opt Cache Rule and selecting Create New to add a WAN optimization rule To add a rule that enables web caching only set the...

Страница 612: ...server side FortiGate unit so you should also Enable Byte Caching for optimum WAN optimization performance Figure 407 Example client server active passive web cache topology Mode Web Cache Only Sourc...

Страница 613: ...FortiGate unit 1 Go to WAN Opt Cache Peer and enter a Local Host ID for the client FortiGate unit 2 Select Create New and add a Peer Host ID and the IP address for the server side FortiGate unit 3 Go...

Страница 614: ...caching configuration you create a peer to peer WAN optimization rule on the client side FortiGate unit and include the peer host ID of the server side FortiGate unit In the rule you set Auto Detect t...

Страница 615: ...hing SSL offloading secure tunneling and add an authentication group Figure 410 Example peer to peer web cache topology Figure 411 Adding the server side Peer Host ID to the client side peer list Figu...

Страница 616: ...different position in the list See Moving a rule to a different position in the rule list on page 607 Figure 413 Adding the client side Peer Host ID to the server side peer list To configure the serve...

Страница 617: ...setting WAN optimization auto detect to passive Figure 414 Example complimentary passive server WAN optimization rule Configuring client server active passive WAN optimization You configure client ser...

Страница 618: ...e rule to optimize HTTP traffic To configure peers on the client side FortiGate unit and add a firewall policy 1 Go to WAN Opt Cache Peer and enter a Local Host ID for the client side FortiGate unit 2...

Страница 619: ...above the CIFS rule in the list See Moving a rule to a different position in the rule list on page 607 Figure 417 HTTP FTP and CIFS rules in the rule list To configure the server side FortiGate unit...

Страница 620: ...l request This extra information is required because the server side FortiGate unit does not require a WAN optimization rule All that is required on the server side FortiGate unit is that the client P...

Страница 621: ...ost ID and the IP address for the server side FortiGate unit 3 Select OK to save the peer 4 Go to Firewall Policy and add a firewall policy that accepts traffic to be optimized 5 Go to WAN Opt Cache R...

Страница 622: ...with a netmask the IP address can represent one or more hosts For example a source or destination address can be a single computer such as 192 45 46 45 a subnetwork such as 192 168 1 0 for a class C s...

Страница 623: ...single file This is usually not a problem across a LAN However across WAN latency and bandwidth reduction can slow down CIFS performance When you set Protocol to CIFS in a WAN optimization rule the F...

Страница 624: ...and non compressed versions of the same file separately SSL offloading for WAN optimization and web caching WAN optimization SSL offloading uses the FortiGate unit to encrypt and decrypt SSL sessions...

Страница 625: ...server The web server CA is not downloaded from the server side to the client side FortiGate unit Instead the client side FortiGate unit proxies the SSL parameters from the client side to the server...

Страница 626: ...reate New to add the WAN optimization rule 6 Select OK to save the rule The rule is added to the bottom of the WAN optimization list 7 If required move the rule to a different position in the list See...

Страница 627: ...rver The FortiGate unit intercepts the HTTPS traffic and a web cache only WAN optimization rule with SSL offloading enabled decrypts the traffic before sending it to the web server The FortiGate unit...

Страница 628: ...Gate unit The port2 interface is connected to the Internet You could also use a different IP address and route traffic for this IP address to the FortiGate unit port2 interface This example also inclu...

Страница 629: ...fferent position in the list See Moving a rule to a different position in the rule list on page 607 To configure the FortiGate unit for SSL offloading of HTTPS traffic The firewall policy added in the...

Страница 630: ...st configure and add an authentication group to the WAN optimization rule to use secure tunneling The authentication group configures the certificate or pre shared key parameters required by the secur...

Страница 631: ...eer Authentication Group and select Create New 2 Configure the authentication group 3 Select OK to save the authentication group 4 Go to WAN Opt Cache Rule and select Create New 5 Configure a rule to...

Страница 632: ...SCSI port is TCP 3260 Its also common for some iSCSI servers to use TCP 860 If required use the following command to change the iSCSI port to 860 config wanopt iscsi set iscsi port 860 end 2 Enter the...

Страница 633: ...nstead you can use the following command to list the WAN optimization storages that you have added get wanopt storage web_cache_sto name web_cache_sto partition label 77A2A1AB1D0EF8B7 partition size 3...

Страница 634: ...w primary unit must rebuild its web and byte caches As well the new primary unit cannot connect to an iSCSI or SAS partition that was used by the failed primary unit Rebuilding the byte caches can hap...

Страница 635: ...ers added to the authentication group When you add the authentication group to a WAN optimization rule only these FortiGate units can authenticate to use this WAN optimization rule Peer s can be any p...

Страница 636: ...er the server side FortiGate unit compares the client side Local Host ID in the tunnel request with the peer name in the server side authentication group If the names match authentication is successfu...

Страница 637: ...ponse message This message includes the server side Local Host ID and the authentication group that matches the one in the tunnel request The client side FortiGate unit then performs the same authenti...

Страница 638: ...caching and protocol optimization Bandwidth Optimization Shows network bandwidth optimization per time Period A line or column chart compares an application s pre optimized LAN data size with its opti...

Страница 639: ...ache it is a strong indication that the copy in the cache is stale If so HTTP does a conditional GET to the Overlay Caching Scheme OCS based on the last modified time of the cached object Enable ignor...

Страница 640: ...using the ignore PNC option configuration you can lower the impact of the PNC by enabling the revalidate pragma no cache setting When the revalidate pragma no cache setting is enabled a client s non c...

Страница 641: ...ion you can also see the applications that are installed on endpoints This section describes Configuring endpoint control Monitoring endpoints Configuring endpoint control Endpoint control requires th...

Страница 642: ...minimum required version of the FortiClient application latest available FortiClient version latest available antivirus signature package version the number of times the FortiClient application has b...

Страница 643: ...twork The FortiClient application is provided by the FortiGuard Distribution Network The FortiGate unit must be able to access the FortiGuard Distribution Network See Configuring FortiGuard Services o...

Страница 644: ...he software detection list on page 643 Name A descriptive name for the application Pattern A pattern to match the application name as it appears in the endpoint s Windows Registry FortiClient matches...

Страница 645: ...or Both Compliant endpoints are running the minimum required version of FortiClient or a more recent version To configure the minimum required version of FortiClient see Configuring FortiClient requir...

Страница 646: ...acturer of the endpoint Computer Model The model name of the endpoint CPU Model The CPU running on the endpoint Description The description of the endpoint Detected Software The software applications...

Страница 647: ...Storing logs Log types Accessing Logs Viewing log information Customizing the display of log messages Content Archive Alert Email Reports FortiGate logging A FortiGate unit can log many different netw...

Страница 648: ...FortiGate CLI Reference In the FortiGate web based manager you can view log messages available in system memory on a FortiAnalyzer unit running firmware version 3 0 or higher or if available the hard...

Страница 649: ...ard Analysis and Management Service Administration Guide Log severity levels You can define what severity level the FortiGate unit records logs at when you configure the logging location The FortiGate...

Страница 650: ...create reports This particular log storage solution is available to all FortiGate units running FortiOS 3 0 MR6 or higher through a subscription to the FortiGuard Analysis and Management Service For...

Страница 651: ...Discovery feature This feature allows the FortiGate unit to find a FortiAnalyzer unit that is on the network within the same subnet When you select Automatic Discovery the FortiGate unit uses HELLO pa...

Страница 652: ...nalyzer units 7 Select Apply Testing the FortiAnalyzer configuration After configuring FortiAnalyzer settings test the connection between the FortiGate unit and FortiAnalyzer unit to verify both devic...

Страница 653: ...roduct name for example FortiAnalyzer 400 FortiGate Device ID The serial number of the FortiGate unit Registration Status The status of whether or not the FortiGate unit is registered with the FortiAn...

Страница 654: ...he logging levels see Table 55 Log severity levels on page 649 Logging to a Syslog server A Syslog server is a remote computer running Syslog software and is an industry standard for logging Syslog is...

Страница 655: ...ds config log webtrends setting set server address_ipv4 set status disable enable end Name IP The domain name or IP address of the syslog server Port The port number for communication with the syslog...

Страница 656: ...config log webtrends setting set status enable set server 172 16 125 99 end For more information about setting the options for the types of logs sent to WebTrends see the Log chapter in the FortiGate...

Страница 657: ...u are logging other traffic the FortiGate unit will incur a higher system load because other traffic logs log individual traffic packets Fortinet recommends logging firewall policy traffic since it mi...

Страница 658: ...heck protocol header strict end Strict header checking detects invalid raw IP packets by validating packet checksums and also checks IP headers to make sure they adhere to current standards The defaul...

Страница 659: ...wing logs System Activity event All system related events such as ping server failure and gateway status IPSec negotiation event All IPSec negotiation events such as progress and error reports DHCP se...

Страница 660: ...file includes IPS IM P2P and VoIP events that the FortiGate unit records The application control log also includes some IPS activities Before enabling logging of Application Control events verify tha...

Страница 661: ...s 1 Go to Firewall Protection Profile 2 Select Edit beside the protection profile that you want 3 Select the Expand Arrow beside Logging to reveal the available options 4 Select the web filtering even...

Страница 662: ...st run firmware version 3 0 or higher Accessing logs stored in memory You can access logs stored in the FortiGate system memory from the Memory tab The traffic log type is not available in the Log Typ...

Страница 663: ...Log Type stored on the FortiGate hard disk When a log file reaches its maximum size the FortiGate unit saves the log files with an incremental number and starts a new log file with the same name For...

Страница 664: ...ort Log Access and then select the tab that corresponds to the log storage device used Remote Memory or Disk If you are logging to the FortiGate unit s hard disk select Edit beside a rolled log file t...

Страница 665: ...s displays after the current page number For example if 3 54 appears you are currently viewing page 3 of 54 pages To view pages select the left and right arrows to display the first previous next or l...

Страница 666: ...columns 1 Go to Log Report Log Access 2 Select the tab to view logs from Memory Disk or Remote 3 Select a log type from the Log Type list 4 Select the View icon if you are viewing a log file on a Fort...

Страница 667: ...in the Filter list You can also select the columns that appear in the Filter list instead of selecting the actual column You can view log messages in Raw format only after configuring the filters If...

Страница 668: ...prevention DLP sensors Then you add the DLP sensors to protection profiles and add the protection profiles to firewall policies All sessions accepted by firewall policies that are matched by rules in...

Страница 669: ...ions from the web based manager before using the CLI to enable content archiving for the VoIP protocols For more information about configuring application lists see Configuring an application control...

Страница 670: ...ction profile for that remote logging device For example if the FortiAnalyzer unit is configured to receive content archives then only content archives from the FortiAnalyzer unit appear in the Conten...

Страница 671: ...or logging on to the SMTP server to send alert email You need to do this only if you selected SMTP authentication Send alert email for the following Select to have the alert email sent for one or mult...

Страница 672: ...ire an alert email message based on firewall authentication failures SSL VPN login failure Select if you require an alert email message based on any SSL VPN logins that failed Administrator login logo...

Страница 673: ...hical format to show network usage for a number of services The charts show the bytes used for the service traffic To view basic traffic reports go to Log Report Report Access Memory Figure 439 Viewin...

Страница 674: ...inistrator before configuring report schedules from the FortiGate unit to verify that the appropriate report layout is configured Report layouts can only be configured from the FortiAnalyzer unit Brow...

Страница 675: ...hedules in Report Config General report schedule settings Create New Create a new report schedule Name The name of the report schedule Description The comment made when the report schedule was created...

Страница 676: ...variables for the report Virtual Domain Select to create a report based on virtual domains Enter a specific virtual domain to include in the report User Select to create a report based on a network us...

Страница 677: ...Arrow to view the rolled report and view the entire report After viewing the report select Historical Reports to return to the list Figure 441 Generated reports displayed in Report Access Printing yo...

Страница 678: ...Reports Log Report FortiGate Version 4 0 Administration Guide 678 01 400 89802 20090424 http docs fortinet com Feedback...

Страница 679: ...ed IP pool and virtual IP 384 content archive 668 custom firewall service 357 custom service firewall 357 custom signatures 459 customized CLI console 64 DHCP interface settings 130 DHCP relay agent 1...

Страница 680: ...ort 375 static NAT virtual IP IP address range 373 static route transparent mode 149 static route adding to routing table 284 subnet object 89 system administrators 209 system certificates 247 system...

Страница 681: ..._failopen 453 BHO grayware 452 CLI configuration 453 configure antivirus heuristic 453 configuring grayware list 452 dial grayware 452 download grayware 452 file block 443 file block list 445 game gra...

Страница 682: ...banned word web content block 480 483 banned word spam filter action 500 adding words to the banned word list 500 catalog 498 language 500 list 499 pattern 500 pattern type 500 banned word check prot...

Страница 683: ...m dialup account 144 web based manager 44 conservation mode 191 contact information SNMP 186 contacting customer support 48 content archive viewing 84 content block catalog 479 web filter 478 content...

Страница 684: ...420 Distinguished Name query 577 DLP See data leak protection DNAT virtual IPs 367 368 DNS service 352 documentation commenting on 26 Fortinet 26 domain name 346 DoS policy 337 configuring 338 viewing...

Страница 685: ...443 default list of patterns 443 list antivirus 445 protection profile 408 file name quarantine files list 447 file pattern catalog 444 quarantine autosubmit list 448 filter filtering information on w...

Страница 686: ...g 326 329 335 user groups 584 firewall protection profile default protection profiles 398 list 399 options 404 firewall service AFS3 352 AH 352 ANY 352 AOL 352 BGP 352 CVSPSERVER 352 DCE RPC 352 DHCP...

Страница 687: ...or FDN and services 266 configuring web filter service 266 FortiGuard Analysis and Management Services 266 licenses 66 265 management and analysis service options 270 support contract 266 web filterin...

Страница 688: ...p 50 using FortiGate online help 49 heuristics antivirus 453 quarantine 454 high availability See HA 177 hijacker grayware category 453 host name changing 78 changing for a cluster 182 viewing 78 host...

Страница 689: ...IP range subnet 384 385 list 383 name 384 385 options 383 PPPoE 326 proxy ARP 370 390 SIP 431 start IP 383 transparent mode 386 IP range subnet firewall address 347 IP pool 384 385 IPS see intrusion...

Страница 690: ...unit 663 accessing logs on FortiGuard Analysis server 664 ActiveX filter 422 alert email configuring 670 applying through protection profile 421 basic traffic reports 673 blocked files 422 browsing lo...

Страница 691: ...rts 407 monitoring WAN optimization 637 moving a firewall policy 320 607 MS CHAP 572 MS CHAP V2 572 MS SQL service 353 MTU size 127 135 multicast 304 multicast destination NAT 306 multicast policy 321...

Страница 692: ...old 409 oversized file email protection profile 409 P P1 Proposal IPSec phase 1 537 P2 Proposal IPSec VPN phase 2 540 P2P grayware category 453 packets VDOM 104 page controls web based manager 57 PAP...

Страница 693: ...PPTP IP address user group 547 549 PPTP range defining addresses 547 549 PPTP tunnel setup CLI command 549 customized GUI 547 predefined services 351 predefined signature default action 458 list 457 P...

Страница 694: ...ors protection profile 415 proxy SIP 427 proxy ARP 370 390 FortiGate interface 370 390 IP pool 370 390 virtual IP 370 390 proxy server 273 push updates 273 push update 268 configuring 273 external IP...

Страница 695: ...schedules 674 FortiAnalyzer printing 677 viewing FortiAnalyzer reports 677 restoring 3 0 configuration 101 using the CLI 101 using web based manager 101 return email DNS check protection profile 418...

Страница 696: ...GP 352 custom service list 356 CVSPSERVER 352 DCE RPC 352 DHCP 172 352 DHCP6 352 DNS 352 ESP 352 FINGER 352 firewall policy 322 325 FTP 352 FTP_GET 352 FTP_PUT 352 GOPHER 352 GRE 352 group 359 H323 35...

Страница 697: ...port workflow 432 SIP MSNmessenger service 355 Skinny Call Control Protocol See SCCP SMTP service 355 user 671 SNAT virtual IPs 367 SNMP configuring community 186 contact information 186 event 188 man...

Страница 698: ...vpn pptp 550 status description quarantine files list 448 stop one time schedule 363 recurring schedule 362 streaming mode 408 419 strict default protection profile 398 strict blocking HTTP only prote...

Страница 699: ...Priority 606 635 traffic priority firewall policy 606 635 traffic shaping 606 635 traffic reports viewing 673 traffic shaping configuring 425 firewall policy 326 329 335 guaranteed bandwidth 326 425...

Страница 700: ...ks 113 license key 276 limited resources 110 management VDOM 112 maximum number 110 NAT Route 104 packets 104 RADIUS authentication 116 system maintenance 254 transparent mode 104 VDOM partitioning HA...

Страница 701: ...alog 479 web content exempt list 482 web content exempt list catalog 481 wireless monitor 167 viewport 87 VIP transparent mode 386 VIP group configuring 380 Virtual IP transparent mode 386 virtual IP...

Страница 702: ...0 web content block list web filter 479 web content exempt protection profile 412 web content exempt list adding 482 web equivalent privacy 165 web filter 475 adding a URL to the web URL block list 48...

Страница 703: ...gs FortiWiFi 50B 162 settings FortiWiFi 60A 162 settings FortiWiFi 60AM 162 settings FortiWiFi 60B 162 SSID 164 SSID broadcast 164 Tx power 163 viewing monitor 167 WLAN interface 159 WLAN interface ad...

Страница 704: ...Index FortiGate Version 4 0 Administration Guide 704 01 400 89802 20090424 http docs fortinet com Feedback...

Страница 705: ...www fortinet com...

Страница 706: ...www fortinet com...

Отзывы:

Нет отзывов

Похожие инструкции для Gate 60D

Nortel QPC705 Maintenance Manual preview
QPC705
Бренд: Nortel Страницы: 40
Yeastar Technology S-Series Getting Started Manual preview
S-Series
Бренд: Yeastar Technology Страницы: 21
Panasonic KX-HTS32 Programming Item List preview
KX-HTS32
Бренд: Panasonic Страницы: 92
IPshop PX0522 User Manual preview
PX0522
Бренд: IPshop Страницы: 48
Gigaset Pro series Hybird 120 Manual preview
Pro series Hybird 120
Бренд: Gigaset Страницы: 423

Бренды по названию

Популярные бренды

Загрузить еще бренды