
Fortinet 50A Network Card User Manual


Contents

1. VPN configuration MIB fields (continued):
   fnVpnipsec: IPSec VPN configuration, including the Phase 1 list, Phase 2 list, manual key list and VPN concentrator list; status and timeout for each VPN tunnel (Phase 2); and the dialup monitor list showing dialup tunnel status.
   fnVpnPPTP: PPTP VPN configuration.
   fnVpnL2TP: L2TP VPN configuration.
   fnVpnCert: IPSec VPN with certificates configuration.
   NIDS configuration (Table 12: NIDS MIB fields):
   fnNidsDetection: NIDS detection configuration.
   fnNidsPrevention: NIDS prevention configuration.
   fnNidsResponse: NIDS response configuration.
   Antivirus configuration (Table 13: Antivirus MIB fields):
   fnAvFileBlock: antivirus file blocking configuration.
   fnAvQuarantine: antivirus quarantine configuration.
   fnAVConfig: antivirus configuration, including the current virus definition virus list.
   Web filter configuration (Table 14: Web filter MIB fields):
   fnWebFiltercfgMsgTable: web filter content block list and configuration.
   fnWebFilterUrlBlk: web filter URL block list.
   fnWebFilterScripts: web filter script blocking configuration.
   fnWebFilterExemptUrl: web filter exempt URL list.
   Logging and reporting configuration (Table 15: Logging and reporting MIB fields):
   fnLoglogSetting: log setting configuration.
   fnLoglog: log setting traffic filter configuration.
   fnLogAlertEmail: alert email configuration.
   Fortinet Inc.
2. [Figure residue: Transparent mode network diagram, label "Management Computer".]
   General configuration steps:
   1. Set the FortiGate unit to operate in Transparent mode.
   2. Configure the Management IP address and Netmask of the FortiGate unit.
   3. Configure the static route to the FortiResponse server.
   4. Configure the default route to the external network.
   FortiGate 50A Installation and Configuration Guide 49
   Transparent mode installation: Transparent mode configuration examples
   Web-based manager example configuration steps. To configure the basic FortiGate settings and a static route using the web-based manager:
   1. Go to System > Status. Select Change to Transparent Mode. Select Transparent in the Operation Mode list. Select OK. The FortiGate unit changes to Transparent mode.
   2. Go to System > Network > Management. Change the Management IP and Netmask: IP 192.168.1.1, Mask 255.255.255.0. Select Apply.
   3. Go to System > Network > Routing. Select New to add the static route to the FortiResponse server: Destination IP 24.102.233.5, Mask 255.255.255.0, Gateway 192.168.1.2. Select OK. Select New to add the default route to the external network: Destination IP 0.0.0.0, Mask 0.0.0.0, Gateway 192.168.1.2. Select OK.
   CLI configuration steps. To configure the Fortinet basic settings and a static route using the CLI:
   1. Set the system to operate in Transparent Mode: set system opmode transparent
   2. Add the Management IP address and Netmask: set system
3. Table of contents (continued; dot leaders and two heading entries for pages 242 and 245 are illegible in the scan):
   General configuration steps, p. 245
   Email banned word list, p. 246
   Adding words and phrases to the email banned word list, p. 246
   Downloading the email banned word list, p. 247
   Uploading the email banned word list, p. 247
   Email block list, p. 248
   Adding address patterns to the email block list, p. 248
   Downloading the email block list, p. 248
   Uploading an email block list, p. 249
   Email exempt list, p. 249
   Adding address patterns to the email exempt list, p. 250
   Adding a subject tag, p. 250
   Logging and reporting, p. 251
   Recording logs, p. 251
   Recording logs on a remote computer
4. [Table residue, Table 12: FortiGate NAT/Route mode settings]
   Internal interface: IP, Netmask.
   External interface: IP, Netmask, Default Gateway.
   Primary DNS Server; Secondary DNS Server.
   Internal servers: Web Server, SMTP Server, POP3 Server, IMAP Server, FTP Server. If you provide access from the Internet to a web server, mail server, IMAP server or FTP server installed on an internal network, add the IP addresses of the servers here.
   NAT/Route mode installation: Using the setup wizard
   Advanced NAT/Route mode settings. Use Table 13 to gather the information that you need to customize advanced FortiGate NAT/Route mode settings.
   Table 13: Advanced FortiGate NAT/Route mode settings. DHCP server: Starting IP, Ending IP, Netmask, Default Route, DNS IP. The FortiGate unit contains a DHCP server that you can configure to automatically set the addresses of the computers on your internal network.
   Using the setup wizard. From the web-based manager you can use the setup wizard to create the initial configuration of your FortiGate unit. To connect to the web-based manager, see Connecting to the web-based manager on page 19.
   Starting the setup wizard:
   1. Select Easy Setup Wizard (the middle button in the upper right corner of the web-based manager).
   2. Use the information that you gathered in Table 12 on page 34 to fill in the wizard fields. Sel
5. System configuration: Replacement messages
   Replacement messages are added to content passing through the firewall to replace:
   - Files or other content removed from POP3 and IMAP email messages by the antivirus system.
   - Files or other content removed from HTTP downloads by the antivirus system or web filtering.
   - Files removed from FTP downloads by the antivirus system.
   You can edit the content of replacement messages. You can also edit the content added to alert email messages to control the information that appears in alert emails for virus incidents, NIDS events, critical system events and disk full events. This section describes:
   - Customizing replacement messages
   - Customizing alert emails
   Figure 3: Sample replacement message. Message setup: Email virus message. Allowed Formats: Text, HTML. Size: 4095 characters. Message text: "Sorry, Dangerous Attachment has been Removed <INFECTED> The file FILES has been removed because of a virus. It was infected with the S VIRUS S virus. <INFECTED> <QUARANTINE> File quarantined as QUARF ILENAMES <QUARANTINE>" (the message variable names are partly illegible in the scan).
   Customizing replacement messages. Each of the replacement messages in the replacement message list is created by combining replacement message sections. You can use these sections as building blocks to create your own replacement messages. You can edit any of the replacement messages in the rep
6. [Table residue: user-defined signature list, columns ID, Rule Name, Revision]
   298319873: TFTP GET Admin.dll
   113770498: Possible SYN FIN scan
   113770499: CGI PHF access
   (Revision values are illegible in the scan.)
   Downloading the user-defined signature list. You can back up the user-defined signature list by downloading it to a text file on the management computer.
   Note: You cannot download individual signatures. You must download the entire user-defined signature list.
   To download the user-defined signature list:
   1. Go to NIDS > Detection > User Defined Signature List.
   2. Select Download. The FortiGate unit downloads the user-defined signature list to a text file on the management computer. You can specify a location to which to download the text file, as well as a name for the text file.
   Network Intrusion Detection System (NIDS): Preventing attacks
   NIDS attack prevention protects the FortiGate unit and the networks connected to it from common TCP, ICMP, UDP and IP attacks. You can enable NIDS attack prevention to prevent a set of default attacks with default threshold values. You can also enable or disable, and set the threshold values for, individual attack prevention signatures.
   Note: After the FortiGate unit reboots, NIDS attack prevention and synflood prevention are always disabled.
   - Enabling NIDS attack prevention
   - Enabling NIDS attack prevention signatures
   - Setting signature threshold values
   Enabling NIDS attack pr
7. Table of contents (continued; dot leaders and the heading entry for page 133 are illegible in the scan):
   Customizing replacement messages, p. 133
   Customizing alert emails, p. 134
   Firewall configuration, p. 137
   Default firewall configuration, p. 138
   Addresses, p. 138
   Services, p. 139
   Schedules, p. 139
   Content profiles, p. 139
   Adding firewall policies, p. 140
   Firewall policy options, p. 140
   Configuring policy lists, p. 144
   Policy matching in detail, p. 145
   Changing the order of policies in a policy list, p. 145
   Enabling and disabling policies, p. 146
8. Configuring Cerberian web filter. After you add the Cerberian web filter users on the FortiGate unit, you can add these users to the user groups on the Cerberian web filter server. Then you can create policies and apply these policies to the user groups.
   About the default group and policy. There is a default user group which is associated with a default policy that exists on the Cerberian web filter server. You can add users to the default group and apply any policies to the group. Use the default group to add:
   - All the users who are not assigned alias names on the FortiGate unit.
   - All the users who are not assigned to other user groups.
   The Cerberian web filter groups URLs into 53 categories. The default policy blocks the URLs of 12 categories. You can modify the default policy and apply it to any user groups.
   To configure Cerberian web filtering:
   1. Add the user name (which is the alias you added on the FortiGate unit) to a user group on the Cerberian server. Web policies can be applied only to user groups. If you did not enter an alias for a user's IP address on the FortiGate unit, the user's IP address is automatically added to the default Cerberian group.
   2. Create policies by selecting the web categories that you want to block.
   3. Apply the policy to a user group that contains the user.
   For detailed procedures, see the online help on the Cerberian Web Filter web page.
   Enabling Cerberian URL filtering. After you add the C
9. [Cover illustration residue: FortiGate 50A front panel, labels INTERNAL, EXTERNAL, STATUS, LINK/100.]
   FortiGate User Manual Volume 1, Version 2.50, 29 February 2004.
   Copyright 2004 Fortinet Inc. All rights reserved. No part of this publication, including text, examples, diagrams or illustrations, may be reproduced, transmitted or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc.
   FortiGate 50A Installation and Configuration Guide, Version 2.50, 29 February 2004.
   Trademarks: Products mentioned in this document are trademarks or registered trademarks of their respective holders.
   Regulatory Compliance: FCC Class A Part 15, CSA/CUS.
   CAUTION: RISK OF EXPLOSION IF BATTERY IS REPLACED BY AN INCORRECT TYPE. DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS.
   For technical support, please visit http://www.fortinet.com. Send information about errors or omissions in this document or any Fortinet technical documentation to techdoc@fortinet.com.
   Table of Contents:
   Introduction, p. 13
   NAT/Route mode and Transparent mode, p. 13
   NAT/Route mode
10. Figure 46: Example new traffic address entry. Log Setting Traffic Filter: Name FTP_Main_Office; Source IP Address 10.10.10.1; Source Netmask 255.255.255.0; Destination IP Address 10.10.10.2; Destination Netmask 255.255.255.0; Service FTP.
   Configuring alert email. You can configure the FortiGate unit to send alert email to up to three email addresses when there are virus incidents, block incidents, network intrusions and other firewall or VPN events or violations. After you set up the email addresses, you can test the settings by sending test email.
   - Adding alert email addresses
   - Testing alert email
   - Enabling alert email
   Adding alert email addresses. Because the FortiGate unit uses the SMTP server name to connect to the mail server, the FortiGate unit must look up this name on your DNS server. Before you configure alert email, make sure that you configure at least one DNS server.
   To add a DNS server:
   1. Go to System > Network > DNS.
   2. If they are not already there, type the primary and secondary DNS server addresses provided by your ISP.
   3. Select Apply.
   To add alert email addresses:
   1. Go to Log & Report > Alert Mail > Configuration.
   2. Select the Authentication check box if your email server requires an SMTP password.
   3. In the SMTP Server field, type the name of the SMTP server wh
11. Manually initiating antivirus and attack definitions updates on page 75, or from the CLI enter: execute updatecenter updatenow
   System status: Changing the FortiGate firmware
   12. To confirm that the antivirus and attack definitions have been updated, enter the following command to display the antivirus engine, virus and attack definitions version, contract expiry and last update attempt information: get system objver
   Installing firmware images from a system reboot using the CLI. This procedure installs a specified firmware image and resets the FortiGate unit to default settings. You can use this procedure to upgrade to a new firmware version, revert to an older firmware version, or re-install the current firmware version. To perform this procedure you:
   - access the CLI by connecting to the FortiGate console port using a null modem cable;
   - install a TFTP server that you can connect to from the FortiGate internal interface. The TFTP server should be on the same subnet as the internal interface.
   Before beginning this procedure you can:
   - Back up the FortiGate unit configuration. For information, see Backing up system settings on page 64.
   - Back up the NIDS user-defined signatures. For information, see the FortiGate NIDS Guide.
   - Back up web content and email filtering lists. For information, see the FortiGate Content Protection Guide.
   If you are reverting to a previous FortiOS version (for example
12. To create an AutoIKE VPN configuration:
   Note: Prior to configuring an AutoIKE VPN that uses digital certificates, you must add the CA and local certificates to the FortiGate unit. For information about digital certificates, see Managing digital certificates on page 190.
   1. Add the phase 1 parameters. See Adding a phase 1 configuration for an AutoIKE VPN on page 183.
   2. Add the phase 2 parameters. See Adding a phase 2 configuration for an AutoIKE VPN on page 188.
   3. Configure an encrypt policy that includes the tunnel source address and destination address for both ends of the tunnel. See Configuring encrypt policies on page 193.
   Adding a phase 1 configuration for an AutoIKE VPN. When you add a phase 1 configuration, you define the terms by which the FortiGate unit and a remote VPN peer (gateway or client) authenticate themselves to each other prior to establishing an IPSec VPN tunnel. The phase 1 configuration is related to the phase 2 configuration: in phase 1 the VPN peers are authenticated; in phase 2 the tunnel is established. You have the option to use the same phase 1 parameters to establish multiple tunnels. In other words, the same remote VPN peer (gateway or client) can have multiple tunnels to the local VPN peer (the FortiGate unit). When the FortiGate unit receives an IPSec VPN connection request, it authenticates the VPN peers according to the phase 1 parameters. Then, depending on the source and destinati
13. without the leading period to block access to all URLs with this suffix.
   Note: URL blocking does not block access to other services that users can access with a web browser. For example, URL blocking does not block access to ftp://ftp.badsite.com. Instead, you can use firewall policies to deny FTP connections.
   Ensure that the Enable check box has been selected and then select OK.
   Select OK to add the URL to the Web URL block list. You can enter multiple URLs and then select Check All to enable all items in the Web URL block list. You can disable all of the URLs on the list by selecting Uncheck All. Each page of the Web URL block list displays 100 URLs. Use Page Up and Page Down to navigate through the Web URL block list.
   Note: You must select the Web URL Block option in the content profile to enable the URL blocking.
   Figure 37: Example URL block list. [Figure residue: Enable URL Block is selected; listed entries are www.badsite.com, 123.78.41.22/news.html and www.timewaste.com/products.html.]
   Clearing the Web URL block list:
   1. Go to Web Filter > Web URL Block.
   2. Select Clear URL Block List to remove all URLs and patterns from the Web URL block list.
   Downloading the Web URL block list. You can back up the Web URL block list by downloading it to a text fi
14. Inbound NAT: Select inbound NAT if required. Outbound NAT: Select outbound NAT if required. See Adding an encrypt policy on page 195.
   Arrange the policies in the following order:
   - encrypt policies
   - default non-encrypt policy (Internal_All -> External_All)
   Adding a VPN concentrator. To add a VPN concentrator configuration:
   1. Go to VPN > IPSec > Concentrator.
   2. Select New to add a VPN concentrator.
   3. Enter the name of the new concentrator in the Concentrator Name field.
   4. To add tunnels to the VPN concentrator, select a VPN tunnel from the Available Tunnels list and select the right arrow. To remove tunnels from the VPN concentrator, select the tunnel in the Members list and select the left arrow.
   5. Select OK to add the VPN concentrator.
   IPSec VPN: IPSec VPN concentrators
   Figure 26: Adding a VPN concentrator. [Figure residue: tabs Manual Key, Phase 2, Phase 1, Concentrator, Dialup Monitor; New VPN Concentrator; Concentrator Name Concentrator_1; Available Tunnels: Certificate_1_tunnel, Certificate_2_tunnel, Preshared_key_2_tuni, Manual_key_1_tunnel; Members list.]
   VPN spoke general configuration steps. A remote VPN peer that functions as a spoke requires the following configuration:
   - A tunnel (AutoIKE phase 1 and phase 2 configuration, or manual key configuration) for the hub.
   - The source address of the local VPN spoke.
   - The destination address of eac
15. Timeout: The time before the next key exchange. The time is calculated by subtracting the time elapsed since the last key exchange from the keylife.
   IPSec VPN: Monitoring and troubleshooting VPNs
   Proxy ID Source: The actual IP address or subnet address of the remote peer.
   Proxy ID Destination: The actual IP address or subnet address of the local peer.
   Figure 28: Dialup Monitor. [Table residue, columns Remote gateway, Lifetime, Timeout, Proxy ID Source, Proxy ID Destination]
   A: 192.168.100.124; 1800 secs; 79; 14.14.14.0 / 255.255.255.0; 192.168.100.124 / 255.255.255.255
   B: 192.168.100.40; 1800 secs; 3585; 14.14.14.0 / 255.255.255.0; 192.168.100.40 / 255.255.255.255
   Testing a VPN. To confirm that a VPN between two networks has been configured correctly, use the ping command from one internal network to connect to a computer on the other internal network. The IPSec VPN tunnel starts automatically when the first data packet destined for the VPN is intercepted by the FortiGate unit. To confirm that a VPN between a network and one or more clients has been configured correctly, start a VPN client and use the ping command to connect to a computer on the internal network. The VPN tunnel initializes automatically when the client makes a connection attempt. You can start the tunnel and test it at the same time by pinging from the client to an address on the internal network.
   PPTP a
16. You can configure DHCP server or DHCP relay agent functionality on any FortiGate interface. A FortiGate interface can act as either a DHCP server or as a DHCP relay agent. An interface cannot provide both functions.
   Note: To configure DHCP server or DHCP relay functionality on an interface, the FortiGate unit must be in NAT/Route mode and the interface must have a static IP address.
   This section describes the following:
   - Configuring a DHCP relay agent
   - Configuring a DHCP server
   Configuring a DHCP relay agent. In a DHCP relay configuration, the FortiGate unit forwards DHCP requests from DHCP clients through the FortiGate unit to a DHCP server. The FortiGate unit also returns responses from the DHCP server to the DHCP clients. The DHCP server must have a route to the FortiGate unit that is configured as the DHCP relay, so that the packets sent by the DHCP server to the DHCP client arrive at the FortiGate performing DHCP relay.
   To configure an interface as a DHCP relay agent:
   1. Go to System > Network > DHCP.
   2. Select Service.
   3. Select the interface to be the DHCP relay agent.
   4. Select DHCP Relay Agent.
   5. Enter the DHCP Server IP address.
   6. Select Apply.
   Network configuration: Configuring DHCP services
   Configuring a DHCP server. As a DHCP server, the FortiGate unit dynamically assigns IP addresses to hosts located on connected subnets. You can configure a DHCP server for any Fort
17. [Form residue: registration contact information. Fields: First Name, Last Name, Company, Title, Email, Address 1, Address 2, City, State, Country, Zip, Region, Contact number, Fax Number, Security Question (used if you forgot your password), Answer to Security Question.]
   Provide a security question and an answer to the security question.
   Virus and attack definitions updates and registration: Updating registration information
   Select the model number of the Product Model to register. Enter the Serial Number of the FortiGate unit. If you have purchased a FortiCare Support Contract for this FortiGate unit, enter the support contract number.
   Figure 6: Registering a FortiGate unit (product information). [Form residue: Product Model FGT-60; Serial Number FGT-60280303002 (located on bottom of unit and also on the System screen of the web user interface); Support Contract No. 034278334744; asterisk indicates required fields.]
   Select Finish. If you have not entered a FortiCare Support Contract number (SCN), you can return to the previous page to enter the number. If you do not have a FortiCare Support Contract, you can select Cont
18. POP3 and SMTP content traffic.
   Web: To apply antivirus scanning and web content blocking to HTTP content traffic. You can add this content profile to firewall policies that control HTTP traffic.
   Unfiltered: Use if you do not want to apply content protection to content traffic. You can add this content profile to firewall policies for connections between highly trusted or highly secure networks where content does not need to be protected.
   Adding content profiles. If the default content profiles do not provide the protection that you require, you can create custom content profiles.
   To add a content profile:
   1. Go to Firewall > Content Profile.
   2. Select New.
   3. Type a Profile Name.
   4. Enable the antivirus protection options that you want:
      Anti Virus Scan: Scan web, FTP and email traffic for viruses and worms. See Antivirus scanning on page 226.
      File Block: Delete files with blocked file patterns even if they do not contain viruses. Enable file blocking when a virus has been found that is so new that virus scanning does not detect it. See File blocking on page 227.
      Note: If both Anti Virus Scan and File Block are enabled, the FortiGate unit blocks files that match enabled file patterns before they are scanned for viruses.
   5. Enable the web filtering options that you want:
      Web URL Block: Block unwanted web pages and web sites. This option adds FortiGate Web URL blocking (see Configuring FortiGate Web URL blocking
19. The FortiGate unit sends a replacement message for an oversized file or email attachment to the HTTP or email proxy client.
   Configuring limits for oversized files and email. To configure limits for oversized files and email:
   1. Go to Anti Virus > Config > Config.
   2. Type the size limit in MB.
   3. Select Apply.
   Exempting fragmented email from blocking. A fragmented email is a large email message that has been split into smaller messages that are sent individually and recombined when they are received. By default, when antivirus protection is enabled, the FortiGate unit blocks fragmented emails and replaces them with an email block message that is forwarded to the receiver. It is recommended that you disable the fragmenting of email messages in the client email software.
   Caution: The FortiGate unit cannot scan fragmented emails for viruses or use file pattern blocking to remove files from these email messages.
   To exempt fragmented emails from automatic antivirus blocking:
   1. Enable Pass Fragmented Emails for IMAP, POP3 and SMTP traffic in a content profile.
   2. Select Anti-Virus & Web filter in a firewall policy. For example, to pass fragmented emails that internal users send to the external network, select an internal-to-external policy.
   3. Select a content profile that has Pass Fragmented Emails enabled for the traffic that you want the FortiGate unit to scan.
   Antivirus protection: Viewing the virus list
   Viewing th
20. Index (continued):
   encrypt policy 141
   encrypt policy: allow inbound 142; allow outbound 142; Inbound NAT 142; Outbound NAT 142
   ending IP address: DHCP 22; PPTP 204, 209
   environmental specifications 19
   event log 253
   exclusion range, DHCP 22
   exempt URL list 241, 249: adding URL 241, 250
   exempting URLs from content and URL blocking 241, 249
   expire, system status 71
   F
   factory default, restoring system settings 65
   FAQs 201
   FDN: connecting to 74; FortiResponse Distribution Network 74
   FDS, FortiResponse Distribution Server 74
   filename pattern: adding 227; blocking 227
   filter, RIP 117
   filtering log messages 253
   filtering traffic 254
   firewall: authentication timeout 122; configuring 137; overview 137
   firewall events, enabling alert email 258
   firewall policies, modem 111
   firewall policy: accept 141; Comments 144; deny 141; guaranteed bandwidth 142; Log Traffic 144; maximum bandwidth 143
   firewall setup wizard 35, 42: starting 35, 42
   firmware: changing 54; installing 59; re-installing current version 59; reverting to an older version 59; upgrading 54; upgrading to a new version 55; upgrading using the CLI 55, 57; upgrading using the web-based manager 55, 56
   first trap receiver IP address, SNMP 127
   fixed port 142
   FortiCare: service contracts 84; support contract number 88
   Fortinet customer service 16
   Fortinet support, recovering a lost password 86
   FortiResponse Distribution Network 74: connecting to 74
21. > Interface.
   2. Choose an interface and select Modify.
   3. In the Addressing Mode section, select PPPoE.
   4. Enter your PPPoE account User Name and Password.
   5. Clear the Retrieve default gateway and DNS from server check box if you do not want the FortiGate unit to obtain a default gateway IP address and DNS server IP addresses from the PPPoE server. By default, this option is enabled.
   6. Clear the Connect to Server check box if you do not want the FortiGate unit to connect to the PPPoE server. By default, this option is enabled.
   7. Select Apply. The FortiGate unit attempts to contact the PPPoE server from the interface to set the IP address, netmask, default gateway IP address and DNS server IP addresses.
   8. Select Status to refresh the addressing mode status message. Possible messages:
      initializing: No activity.
      connecting: The FortiGate unit is attempting to connect to the DHCP server.
      connected: The FortiGate unit retrieves an IP address, netmask and other settings from the PPPoE server.
      failed: The FortiGate unit was unable to retrieve an IP address and other information from the PPPoE server.
   9. Select OK.
   Adding a secondary IP address to an interface. You can use the CLI to add a secondary IP address to any FortiGate interface. The secondary IP address cannot be the same as the primary IP address, but it can be on the same subnet. To add a secondary IP address from the CLI, enter the command: set system interface <intf_str> confi
22. > Update.
   2. Select the Use override server address check box.
   3. Type the IP address of a FortiResponse server.
   4. Select Apply. The FortiGate unit tests the connection to the override server. If the FortiResponse Distribution Network setting changes to available, the FortiGate unit has successfully connected to the override server. If the FortiResponse Distribution Network stays set to not available, the FortiGate unit cannot connect to the override server. Check the FortiGate configuration and network configuration for settings that would prevent the FortiGate unit connecting to the override FortiResponse server.
   Enabling scheduled updates through a proxy server. If your FortiGate unit must connect to the Internet through a proxy server, you can use the set system autoupdate tunneling command to allow the FortiGate unit to connect (or tunnel) to the FDN using the proxy server. Using this command you can specify the IP address and port of the proxy server. As well, if the proxy server requires authentication, you can add the user name and password required for the proxy server to the autoupdate configuration. The full syntax for enabling updates through a proxy server is: set system autoupdate tunneling enable address <proxy address ip> port <proxy port> username <username_str
23. or a PPTP or L2TP configuration.
   To delete a user group:
   1. Go to User > User Group.
   2. Select Delete beside the user group that you want to delete.
   3. Select OK.
   IPSec VPN
   A Virtual Private Network (VPN) is an extension of a private network that encompasses links across shared or public networks such as the Internet. For example, a company that has two offices in different cities, each with its own private network, can use a VPN to create a secure tunnel between the offices. Similarly, a teleworker can use a VPN client for remote access to a private office network. In both cases, the secure connection appears to the user as a private network communication, even though the communication is over a public network.
   Secure VPN connections are enabled by a combination of tunneling, data encryption and authentication. Tunneling encapsulates data so that it can be transferred over the public network. Instead of being sent in its original format, the data frames are encapsulated within an additional header and then routed between tunnel endpoints. Upon arrival at the destination endpoint, the data is decapsulated and forwarded to its destination within the private network. Encryption changes a data stream from clear text (something that a human or a program can interpret) to cipher text (something that cannot be interpreted). The information is encrypted and decrypted using mathematical algorithms known as keys. Au
24. or if your FortiGate unit connects to the Internet using a proxy server, see Enabling scheduled updates through a proxy server on page 78.
   Manually initiating antivirus and attack definitions updates. You can use the following procedure to update the antivirus and attack definitions at any time. The FortiGate unit must be able to connect to the FDN or to an override FortiResponse server.
   To update antivirus and attack definitions:
   1. Go to System > Update.
   2. Select Update Now to update the antivirus and attack definitions. If the connection to the FDN or override server is successful, the web-based manager displays a message similar to the following: "Your update request has been sent. Your database will be updated in a few minutes. Please check your update page for the status of the update."
   After a few minutes, if an update is available, the System Update page lists new version information for antivirus definitions, the antivirus engine or attack definitions. The System Status page also displays new dates and version numbers for antivirus and attack definitions. Messages are recorded to the event log indicating whether the update was successful or not.
   Configuring update logging. Use the following procedure to configure FortiGate logging to record log messages when the FortiGate unit upd
25. [Table residue: content profile settings for Pass Fragmented Emails and Oversized File/Email]

File blocking

Enable file blocking to remove all files that are a potential threat and to provide the best protection from active computer virus attacks. Blocking files is the only protection from a virus that is so new that antivirus scanning cannot detect it. You would not normally operate the FortiGate unit with blocking enabled. However, it is available for extremely high-risk situations in which there is no other way to prevent viruses from entering your network.

File blocking deletes all files that match a list of enabled file patterns. The FortiGate unit replaces the file with an alert message that is forwarded to the user. The FortiGate unit also writes a message to the virus log and sends an alert email if it is configured to do so.

Note: If both blocking and scanning are enabled, the FortiGate unit blocks files that match enabled file patterns and does not scan these files for viruses.

By default, when blocking is enabled, the FortiGate unit blocks the following file patterns:
- executable files (bat, com, and exe)
- compressed or archive files (gz, rar, tar, tgz, and zip)
- dynamic link libraries (dll)
- HTML application (hta)
- Microsoft Office files (doc, ppt, xl)
- Microsoft Works files (wps)
- Visual Basic files (vb)
26. - screen saver files (scr)

Blocking files in firewall traffic

Use content profiles to apply file blocking to HTTP, FTP, POP3, IMAP, and SMTP traffic controlled by firewall policies.

To block files in firewall traffic
1. Select file blocking in a content profile. See Adding content profiles on page 167.
2. Add this content profile to firewall policies to apply content blocking to the traffic controlled by the firewall policy. See Adding content profiles to policies on page 169.

Adding file patterns to block

To add file patterns to block
1. Go to Anti-Virus > File Block.
2. Select New.
3. Type the new pattern in the File Pattern field. You can use an asterisk (*) to represent any characters and a question mark (?) to represent any single character. For example, *.dot blocks Microsoft Word template files, and *.do? blocks both Microsoft Word template files and document files.
4. Select the check box beside the traffic protocols for which you want to enable blocking of this file pattern.
5. Select OK.

Blocking oversized files and emails

You can configure the FortiGate unit to buffer 1 to 15 percent of available memory to store oversized files and email. The FortiGate unit then blocks a file or email that exceeds this limit instead of bypassing antivirus scanning and sending the file or email directly to the server or receiver
27. the FortiGate unit also sends the SETUP message to notify the FDN of the address change.

Enabling push updates through a NAT device

If the FDN can connect to the FortiGate unit only through a NAT device, you must configure port forwarding on the NAT device and add the port forwarding information to the push update configuration. Using port forwarding, the FDN connects to the FortiGate unit using either port 9443 or an override push port that you specify.

Note: You cannot receive push updates through a NAT device if the external IP address of the NAT device is dynamic (for example, set using PPPoE or DHCP).

Example: push updates through a NAT device

This example describes how to configure a FortiGate NAT device to forward push updates to a FortiGate unit installed on its internal network. For the FortiGate unit on the internal network to receive push updates, the FortiGate NAT device must be configured with a port forwarding virtual IP. This virtual IP maps the IP address of the external interface of the FortiGate NAT device and a custom port to the IP address of the FortiGate unit on the internal network. This IP address can either be the external IP address of the FortiGate unit if it is operating in NAT/Route mode, or the Management IP address of the FortiGate unit if it is operating in Transparent mod
28. without authentication. If DNS is not available, users cannot connect to a web, FTP, or Telnet server using a domain name.

Anti-Virus & Web filter
Enable antivirus protection and web filter content filtering for traffic controlled by this policy. You can select Anti-Virus & Web filter if Service is set to ANY, HTTP, SMTP, POP3, IMAP, or FTP, or to a service group that includes the HTTP, SMTP, POP3, IMAP, or FTP services. Select a content profile to configure how antivirus protection and content filtering is applied to the policy. For information about selecting a content profile, see Content profiles on page 166.

Figure 6 Adding a Transparent mode policy [screenshot of the Edit Policy page: Source, Destination, Schedule, Service, Action, Traffic Shaping (Guaranteed Bandwidth, Maximum Bandwidth, Traffic Priority), Authentication, Anti-Virus & Web filter (Content Profile), Log Traffic, Comments]

Log Traffic
Select Log Traffic to write messages to the traffic log whenever the policy processes a connection. For information about logging, see Logging and reporting on page 251.

Comments
You
30. Next steps

NAT/Route mode installation

This chapter describes how to install the FortiGate unit in NAT/Route mode. To install the FortiGate unit in Transparent mode, see Transparent mode installation on page 41.

This chapter describes:
- Installing the FortiGate unit using the default configuration
- Preparing to configure NAT/Route mode
- Using the setup wizard
- Using the command line interface
- Connecting the FortiGate unit to your networks
- Configuring your networks
- Completing the configuration

Installing the FortiGate unit using the default configuration

Depending on your requirements, you may be able to deploy the FortiGate unit without changing its factory default configuration. If the factory default settings in Table 11 are compatible with your requirements, all you need to do is configure your internal network and then connect the FortiGate unit.

Table 11 FortiGate unit factory default configuration
Operating Mode: NAT/Route mode
Firewall Policy: One NAT mode policy that allows users on the internal network to access any Internet service. No other traffic is allowed. All web and email traffic is scanned for viruses.
External interface: The External interface receives its IP address by DHCP from your Internet Service Provider (ISP).
DHCP Server on internal network: The FortiG
31. Add content profiles to policies to apply antivirus protection, web filtering, and email filtering to web, file transfer, and email services. The FortiGate unit includes the following default content profiles:
- Strict, to apply maximum content protection to HTTP, FTP, IMAP, POP3, and SMTP content traffic
- Scan, to apply antivirus scanning to HTTP, FTP, IMAP, POP3, and SMTP content traffic
- Web, to apply antivirus scanning and Web content blocking to HTTP content traffic
- Unfiltered, to allow oversized files to pass through the FortiGate unit without being scanned for viruses

The default policy includes the Scan content profile. For more information about content profiles, see Content profiles on page 166.

Adding firewall policies

Add firewall policies to control connections and traffic between FortiGate interfaces.

To add a firewall policy
1. Go to Firewall > Policy.
2. Select the policy list to which you want to add the policy.
3. Select New to add a new policy. You can also select Insert Policy before on a policy in the list to add the new policy above a specific policy.
4. Configure the policy. For information about configuring the policy, see Firewall policy options on page 140.
5. Select OK to add the policy.
6. Arrange policies in the policy list so that they have the results that you expect. For inf
32. - Adding IP/MAC addresses
- Viewing the dynamic IP/MAC list
- Enabling IP/MAC binding

Configuring IP/MAC binding for packets going through the firewall

Use the following procedure to use IP/MAC binding to filter packets that a firewall policy would normally allow through the firewall.

To configure IP/MAC binding for packets going through the firewall
1. Go to Firewall > IP/MAC Binding > Setting.
2. Select the Enable IP/MAC binding going through the firewall check box.
3. Go to Firewall > IP/MAC Binding > Static IP/MAC.
4. Select New to add IP/MAC binding pairs to the IP/MAC binding list.

All packets that would normally be allowed through the firewall by a firewall policy are first compared with the entries in the IP/MAC binding list. If a match is found, then the firewall attempts to match the packet with a policy.

For example, if the IP/MAC pair IP 1.1.1.1 and MAC 12:34:56:78:90:ab:cd is added to the IP/MAC binding list:
- A packet with IP address 1.1.1.1 and MAC address 12:34:56:78:90:ab:cd is allowed to go on to be matched with a firewall policy.
- A packet with IP 1.1.1.1 but with a different MAC address is dropped immediately to prevent IP spoofing.
- A packet with a different IP address but with a MAC address of 12:34:56:78:90:ab:cd is dropped immediately to prevent IP spoofing.
- A packet with both the IP address and MAC address
33. Destination to the address to which PPTP users can connect. Set Service to match the traffic type inside the PPTP VPN tunnel. For example, if PPTP users can access a web server, select HTTP. Set Action to ACCEPT. Select NAT if address translation is required. You can also configure traffic shaping, logging, and antivirus and web filter settings for PPTP policies. Select OK to save the firewall policy.

Configuring a Windows 98 client for PPTP

Use the following procedure to configure a client computer running Windows 98 so that it can connect to a FortiGate PPTP VPN. To configure the Windows 98 client, you must install and configure Windows dialup networking and virtual private networking support.

To install PPTP support
1. Go to Start > Settings > Control Panel > Network.
2. Select Add.
3. Select Adapter.
4. Select Add.
5. Select Microsoft as the manufacturer.
6. Select Microsoft Virtual Private Networking Adapter.
7. Select OK twice.
8. Insert diskettes or CDs as required.
9. Restart the computer.

To configure a PPTP dialup connection
1. Go to My Computer > Dial-Up Networking > Configuration.
2. Double-click Make New Connection.
3. Name the connection and select Next.
4. Enter the IP address or host name of the FortiGate unit to connect to and select Next.
5. Select Finish.
An icon fo
35. Note: Banned Word must be selected in the content profile for web pages containing banned words to be blocked.

Figure 35 Example banned word list [screenshot of the Content Block > Banned Word page listing "banned phrase 1" and "banned phrase 2" with Modify controls]

Clearing the Banned Word list
1. Go to Web Filter > Content Block.
2. Select Clear List to remove all banned words and phrases from the banned word list.

Backing up the Banned Word list

You can back up the banned word list by downloading it to a text file on the management computer.

To back up the banned word list
1. Go to Web Filter > Content Block.
2. Select Backup Banned Word List.
The FortiGate unit downloads the list to a text file on the management computer. You can specify a location to which to download the text file, as well as a name for the text file.

Restoring the Banned Word list

You can create a Banned Word list in a text editor and then upload the text file to the FortiGate unit. Add one banned word or phrase to each line of the text file. The word or phrase should be followed by two parameters separated by spaces. The first parameter specifies the status of the entry. The second parameter specifies the language of the entry.

Table 21 Banned Word list configuration parameters: Parameter, Setting, Descri
36. PPPoE addressing mode, the MTU size can be from 576 to 1492 bytes.

Configuring traffic logging for connections to an interface

To configure traffic logging for connections to an interface
1. Go to System > Network > Interface.
2. Choose an interface and select Modify.
3. Select the Log check box to record log messages whenever a firewall policy accepts a connection to this interface.
4. Select OK to save the changes.

Configuring the management interface in Transparent mode

Configure the management interface in Transparent mode to set the management IP address of the FortiGate unit. Administrators connect to this IP address to administer the FortiGate unit. The FortiGate also uses this IP address to connect to the FDN for virus and attack updates (see Updating antivirus and attack definitions on page 73).

You can also configure the management interface to control how administrators connect to the FortiGate unit for administration and the FortiGate interfaces to which administrators can connect.

Controlling administrative access to a FortiGate interface connected to the Internet allows remote administration of the FortiGate unit from any location on the Internet. However, allowing remote administration from the Internet could compromise the security of the FortiGate unit. You should avoid allowing administrative access for an interface connected to the Internet unless
37. Select Add/Change Contract number.
Select the Serial Number of the FortiGate unit for which to add or change a FortiCare Support Contract number.
Add the new Support Contract number.
Select Finish.
The list of FortiGate products that you have registered is displayed. The list now includes the new support contract information.

Changing your Fortinet support password

To change your Fortinet support password
1. Go to System > Update > Support.
2. Select Support Login.
3. Enter your Fortinet support user name and password.
4. Select Login.
5. Select My Profile.
6. Select Change Password.
7. Enter your current password.
8. Enter and confirm a new password.
An email is sent to your email address confirming that your password has been changed. Use your current user name and new password the next time you log into the Fortinet technical support web site.

Changing your contact information or security question

To change your contact information or security question
1. Go to System > Update > Support.
2. Select Support Login.
3. Enter your Fortinet support user name and password.
4. Select Login.
5. Select My Profile.
6. Select Edit Profile.
7. Make the required changes to your contact information.
8. Make the required changes to your security question and answer.
9. Select Update Profile.
Your changes are
38. Support database. This information is used to make sure that your registered FortiGate units can be kept up to date. All information is strictly confidential. Fortinet does not share this information with any third party organizations for any reason.

This section describes:
- FortiCare Service Contracts
- Registering the FortiGate unit

FortiCare Service Contracts

Owners of a new FortiGate unit are entitled to 90 days of technical support services. To continue receiving support services after the 90-day expiry date, you must purchase a FortiCare Support Contract from an authorized Fortinet reseller or distributor. Different levels of service are available, so you can purchase the support that you need.

For maximum network protection, Fortinet strongly recommends that all customers purchase a service contract that covers antivirus and attack definition updates. See your Fortinet reseller or distributor for details of packages and pricing.

To activate the FortiCare Support Contract, you must register the FortiGate unit and add the FortiCare Support Contract number to the registration information. You can also register the FortiGate unit without purchasing a FortiCare Support Contract. In that case, when you purchase a FortiCare Support Contract, you can update the registration information to add the support contract number.

A single FortiCare Support Contract can cover multiple FortiGate units. You must enter the same service contract number for e
39. The FortiGate unit supports LDAP protocol functionality defined in RFC 2251 for looking up and validating user names and passwords. FortiGate LDAP supports all LDAP servers compliant with LDAP v3. FortiGate LDAP support does not extend to proprietary functionality, such as notification of password expiration, that is available from some LDAP servers. FortiGate LDAP support does not supply information to the user about why authentication failed.

LDAP user authentication is supported for PPTP, L2TP, IPSec VPN, and firewall authentication. With PPTP, L2TP, and IPSec VPN, PAP (Password Authentication Protocol) is supported and CHAP (Challenge Handshake Authentication Protocol) is not.

This section describes:
- Adding LDAP servers
- Deleting LDAP servers

Adding LDAP servers

To add an LDAP server
1. Go to User > LDAP.
2. Select New to add a new LDAP server.
3. Type the Name of the LDAP server. You can type any name. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
4. Enter the Server Name or IP address of the LDAP server.
5. Enter the Server Port used to communicate with the LDAP server. By default, LDAP uses port 389.
6. Enter the common name identifier for the LDAP server. The common name identifier for most LDAP servers is cn. However, some servers use other common name identifiers, such as uid.
40. "The following email has been repeated x times in the last y seconds" and the original message.

Manual message reduction

If you want to reduce the number of alerts that the NIDS generates, you can review the content of attack log messages and alert email. If a large number of the alerts are nuisance alerts (for example, web attacks when you are not running a web server), you can disable the signature group for that attack type. Use the ID number in the attack log or alert email to locate the attack in the signature group list. See Disabling NIDS attack signatures on page 218.

Antivirus protection

You can enable antivirus protection in firewall policies. You can select a content profile that controls how the antivirus protection behaves. Content profiles control the type of traffic protected (HTTP, FTP, IMAP, POP3, SMTP), the type of antivirus protection, and the treatment of fragmented email and oversized files or email.

This chapter describes:
- General configuration steps
- Antivirus scanning
- File blocking
- Blocking oversized files and emails
- Exempting fragmented email from blocking
- Viewing the virus list

General configuration steps

Configuring antivirus protection involves the following general steps:
1. Select antivirus protection options in a new or existing conten
41. VPN peer. Select OK to save the destination address.

Adding an encrypt policy

To add an encrypt policy
1. Go to Firewall > Policy.
2. Select the Int->Ext policy list.
3. Select New to add a new policy.
4. Set Source to the source address.
5. Set Destination to the destination address.
6. Set Service to control the services allowed over the VPN connection. You can select ANY to allow all supported services over the VPN connection, or select a specific service or service group to limit the services allowed over the VPN connection.
7. Set Action to ENCRYPT.
8. Configure the ENCRYPT parameters:
VPN Tunnel: Select an Auto Key tunnel for this encrypt policy.
Allow inbound: Select Allow inbound to enable inbound users to connect to the source address.
Allow outbound: Select Allow outbound to enable outbound users to connect to the destination address.
Inbound NAT: The FortiGate unit translates the source address of incoming packets to the IP address of the FortiGate interface connected to the source address network. Typically this is an internal interface of the FortiGate unit. Inbound NAT makes it impossible for local hosts to see the IP addresses of remote hosts (hosts located on the network behind the remote VPN gateway).
Outbound NAT: The FortiGate unit translates the source address of outgoing packets to the IP address of the FortiGate interface connected to the destination address network. Typically this is an external in
42. a dialup account. In standalone mode, the modem interface replaces the external ethernet interface. When configuring the modem, you must set Redundant for to the name of the ethernet interface that the modem interface replaces. You must also configure firewall policies for connections between the modem interface and other FortiGate interfaces.

Note: Do not add a default route to the ethernet interface that the modem interface replaces.

Note: Do not add firewall policies for connections between the ethernet interface that the modem replaces and other interfaces.

To operate in standalone mode
1. Go to System > Network > Modem.
2. From the Redundant for list, select the ethernet interface that the modem is replacing.
3. Configure other modem settings as required. See Configuring modem settings on page 108.
4. Make sure there is correct information in one or more Dialup Accounts.
5. Select Dial Up. The FortiGate unit initiates dialing into each dialup account in turn until the modem connects to an ISP.
6. Configure firewall policies for connections to the modem interface. See Adding firewall policies for modem connections on page 111.

Adding firewall policies for modem connections

The modem interface requires firewall addresses and policies. You can add one or more addresses to the modem interface. For information about adding addresses, see Adding addresses on page 147. When you add addresses, the modem interface appears on the p
43. a week. You can specify the day of the week and the time of day to check for updates.
4. Select Apply.
The FortiGate unit starts the next scheduled update according to the new update schedule. Whenever the FortiGate unit runs a scheduled update, the event is recorded in the FortiGate event log.

Figure 1 Configuring automatic antivirus and attack definitions updates [screenshot of the Update page: FortiResponse Distribution Network availability, Push Update status, Use override server address, an update table with Version, Expiry date, Last update attempt and Update Status for the Anti-Virus Engine, Anti-Virus Definition and Attack Definition, Allow Push Update with an override push IP and port, and Scheduled Update with Every, Daily and Weekly options]

Adding an override server

If you cannot connect to the FDN, or if your organization provides antivirus and attack updates using their own FortiResponse server, you can use the following procedure to add the IP address of an override FortiResponse server.

To add an override server
1. Go to System
44. and restarts. The installation might take a few minutes to complete.

Restoring the previous configuration

Change the internal interface addresses if required. You can do this from the CLI using the command set system interface. After changing the interface addresses, you can access the FortiGate unit from the web-based manager and restore the configuration:
- To restore the FortiGate unit configuration, see Restoring system settings on page 64.
- To restore NIDS user-defined signatures, see Adding user-defined signatures on page 218.
- To restore web content filtering lists, see Restoring the Banned Word list on page 233 and Uploading a URL block list on page 236.
- To restore email filtering lists, see Uploading the email banned word list on page 247 and Uploading an email block list on page 249.

If you are reverting to a previous firmware version (for example, reverting from FortiOS v2.50 to FortiOS v2.36), you might not be able to restore your previous configuration from the backup configuration file.

Update the virus and attack definitions to the most recent version; see Manually initiating antivirus and attack definitions updates on page 75.

Testing a new firmware image before installing it

You can test a new firmware image by installing the firmware image from a system reboot and saving it to system memo
45. any key to interrupt the system startup. As the FortiGate unit starts, a series of system startup messages are displayed. When one of the following messages appears:

Press any key to enter configuration menu

immediately press any key to interrupt the system startup.

Note: You have only 3 seconds to press any key. If you do not press a key soon enough, the FortiGate unit reboots and you must log in and repeat the execute reboot command.

If you successfully interrupt the startup process, one of the following messages appears:

G: Get firmware image from TFTP server
F: Format boot device
Q: Quit menu and continue to boot with default firmware
H: Display this list of options
Enter G, F, Q, or H:

Type G to get the new firmware image from the TFTP server. Type the address of the TFTP server and press Enter. The following message appears:

Enter Local Address 192.168.1.188

Type the address of the internal interface of the FortiGate unit and press Enter.

Note: The local IP address is used only to download the firmware image. After the firmware is installed, the address of this interface is changed back to the default IP address for this interface.

The following message appears:

Enter File Name image.out

Enter the firmware image file name and press Enter. The TFTP server uploads the firmware image file to the FortiGate unit and messages similar to the following appear:

Save as Default firmware / Run i
46. attacks try to use the IP address of a trusted computer to connect to or through the FortiGate unit from a different computer. The IP address of a computer is easy to change to a trusted address, but MAC addresses are added to ethernet cards at the factory and are not easy to change.

You can enter the static IP addresses and corresponding MAC addresses of trusted computers in the static IP/MAC table. If you have trusted computers with dynamic IP addresses that are set by the FortiGate DHCP server, the FortiGate unit adds these IP addresses and their corresponding MAC addresses to the dynamic IP/MAC table. For information about viewing the table, see Viewing a DHCP server dynamic IP list on page 107. The dynamic IP/MAC binding table is not available in Transparent mode.

You can enable IP/MAC binding for packets in sessions connecting to the firewall or passing through the firewall.

Note: If you enable IP/MAC binding and change the IP address of a computer with an IP or MAC address in the IP/MAC list, you must also change the entry in the IP/MAC list, or the computer does not have access to or through the FortiGate unit. You must also add the IP/MAC address pair of any new computer that you add to your network, or the new computer does not have access to or through the FortiGate unit.

This section describes:
- Configuring IP/MAC binding for packets going through the firewall
- Configuring IP/MAC binding for packets going to the firewall
-
47. be able to connect to the FortiResponse Distribution Network (FDN). The FortiGate unit uses HTTPS on port 8890 to connect to the FDN. The FortiGate external interface must have a path to the Internet using port 8890. For information about configuring scheduled updates, see Scheduling updates on page 76.

You can also configure the FortiGate unit to allow push updates. Push updates are provided to the FortiGate unit from the FDN using HTTPS on UDP port 9443. To receive push updates, the FDN must have a path to the FortiGate external interface using UDP port 9443. For information about configuring push updates, see Enabling push updates on page 78.

The FDN is a world-wide network of FortiResponse Distribution Servers (FDSs). When the FortiGate unit connects to the FDN, it connects to the nearest FDS. To do this, all FortiGate units are programmed with a list of FDS addresses sorted by nearest time zone, according to the time zone configured for the FortiGate unit. To make sure the FortiGate unit receives updates from the nearest FDS, check that you have selected the correct time zone for your area.

To make sure the FortiGate unit can connect to the FDN
1. Go to System > Config > Time and make sure the time zone is set to the time zone for the region in which your FortiGate unit is located.
2. Go to System > Update.
3. Select Refresh.
The FortiGate unit tests its connection to the FDN. The test results are displayed at the top of
You can add a comment with a description or other information about the policy. The comment can be up to 63 characters long, including spaces.

Configuring policy lists

The firewall matches policies by searching for a match starting at the top of the policy list and moving down until it finds the first match. You must arrange policies in the policy list from more specific to more general. For example, the default policy is a very general policy because it matches all connection attempts. When you create exceptions to that policy, you must add them to the policy list above the default policy. No policy below the default policy will ever be matched.

This section describes:
• Policy matching in detail
• Changing the order of policies in a policy list
• Enabling and disabling policies

Policy matching in detail

When the FortiGate unit receives a connection attempt at an interface, it must select a policy list to search through for a policy that matches the connection attempt. The FortiGate unit chooses the policy list based on the source and destination addresses of the connection attempt. The FortiGate unit then starts at the top of the selected policy list and searches down the list for the first policy that matches the connection attempt's source and destination addresses, service (port), and the time and date at which the connection attempt was received. The first policy that m
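The first-match search described above, as an added example that is not part of the original guide or Fortinet's code. The Policy fields, the sample lists and the shadowed() check are constructed for illustration; the point it shows is that the same three policies either enforce or silently lose the SMTP exception depending only on their order, and that an unreachable policy can be detected before the list is saved.

```python
"""First-match policy lookup, modelled on the FortiGate policy-list search
described above. Added illustration, not FortiGate code: the Policy fields,
the sample lists and the shadowed() check are constructed."""
import ipaddress
from dataclasses import dataclass


def _covers(outer, inner):
    """True if network 'outer' contains every address of network 'inner'."""
    outer = ipaddress.ip_network(outer)
    inner = ipaddress.ip_network(inner)
    return (outer.version == inner.version
            and outer.network_address <= inner.network_address
            and outer.broadcast_address >= inner.broadcast_address)


@dataclass(frozen=True)
class Policy:
    name: str
    src: str                 # source address, CIDR ("0.0.0.0/0" = any)
    dst: str                 # destination address, CIDR
    proto: str               # "tcp", "udp", "icmp" or "any"
    ports: tuple             # (low, high) destination port range, (0, 65535) = any
    action: str              # "accept" or "deny"
    hours: tuple = (0, 24)   # schedule: active from hours[0] up to hours[1]

    def matches(self, src_ip, dst_ip, proto, dport, hour):
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.ports[0] <= dport <= self.ports[1]
                and self.hours[0] <= hour < self.hours[1])

    def covers(self, other):
        """True if every connection 'other' could match also matches self,
        so 'other' can never be reached when it sits below self."""
        return (_covers(self.src, other.src)
                and _covers(self.dst, other.dst)
                and self.proto in ("any", other.proto)
                and self.ports[0] <= other.ports[0]
                and self.ports[1] >= other.ports[1]
                and self.hours[0] <= other.hours[0]
                and self.hours[1] >= other.hours[1])


def first_match(policies, src_ip, dst_ip, proto, dport, hour):
    """Search top-down and return the first matching Policy, or None when
    nothing matches (the connection attempt is dropped)."""
    for policy in policies:
        if policy.matches(src_ip, dst_ip, proto, dport, hour):
            return policy
    return None


def shadowed(policies):
    """Names of policies that can never match because a policy above them
    already covers their whole scope. Run this after every reorder."""
    names = []
    for i, lower in enumerate(policies):
        if any(upper.covers(lower) for upper in policies[:i]):
            names.append(lower.name)
    return names


# Constructed sample list, ordered from specific to general.
GOOD_ORDER = [
    Policy("block_guest_smtp", "192.168.1.128/25", "0.0.0.0/0", "tcp", (25, 25), "deny"),
    Policy("allow_dns", "192.168.1.0/24", "0.0.0.0/0", "udp", (53, 53), "accept"),
    Policy("default_out", "192.168.1.0/24", "0.0.0.0/0", "any", (0, 65535), "accept"),
]
# The same policies with the general default policy moved to the top.
BAD_ORDER = [GOOD_ORDER[2], GOOD_ORDER[0], GOOD_ORDER[1]]

if __name__ == "__main__":
    hit = first_match(GOOD_ORDER, "192.168.1.200", "10.0.0.1", "tcp", 25, 9)
    print("good order:", hit.name, hit.action)    # block_guest_smtp deny
    hit = first_match(BAD_ORDER, "192.168.1.200", "10.0.0.1", "tcp", 25, 9)
    print("bad order: ", hit.name, hit.action)    # default_out accept
    print("unreachable:", shadowed(BAD_ORDER))    # ['block_guest_smtp', 'allow_dns']
```

The covers() test is deliberately conservative: it only reports a policy as unreachable when an earlier policy contains its entire address, service and schedule scope, which is exactly the case the guide warns about with the default policy.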
Starting the setup wizard ... 42
Reconnecting to the web-based manager ... 42
Using the command line interface ... 42
Changing to Transparent mode ... 43
Configuring the Transparent mode management IP address ... 43
Configure the Transparent mode default gateway ... 43
Connecting the FortiGate unit to your networks ... 43
Completing the configuration ... 45
Setting the date and time ... 45
Enabling antivirus protection ... 45
Registering your FortiGate ... 45
Configuring virus and attack definition updates ... 45
Transparent mode configuration examples ... 46
Default routes and static routes ... 46
Example defau
Connecting a modem to the FortiGate unit ... 108
Configuring modem settings ... 108
Connecting to a dialup account ... 109
Disconnecting the modem ... 109
Viewing modem status ... 110
Backup mode configuration ... 110
Standalone mode configuration ... 110
Adding firewall policies for modem connections ... 111
RIP configuration ... 113
RIP settings ... 113
Configuring RIP for FortiGate interfaces ... 115
Adding RIP filters ... 117
Adding a RIP filter list ... 117
Assigning a RIP filter list to the neighbors filter ... 118
Assigning a RIP filter list to the incoming filter ...
comments at the top of each list and to combine the lists that you want into a single file.

Note: All changes made to the URL block list using the web-based manager are lost when you upload a new list. However, you can download your current URL block list, add more items to it using a text editor, and then upload the edited list to the FortiGate unit.

To upload a URL block list:
1. In a text editor, create the list of URLs and patterns that you want to block.
2. Using the web-based manager, go to Web Filter > Web URL Block.
3. Select Upload URL Block List.
4. Type the path and filename of the URL block list text file, or select Browse and locate the file.
5. Select OK to upload the file to the FortiGate unit.
6. Select Return to display the updated Web URL block list.

Each page of the Web URL block list displays 100 URLs. Use Page Down and Page Up to navigate through the Web URL block list. You can continue to maintain the Web URL block list by making changes to the text file and uploading it again.

Configuring FortiGate Web pattern blocking

You can configure FortiGate web pattern blocking to block web pages that match a URL pattern. Create URL patterns using regular expressions; for example, badsite matches badsite.com, badsite.org, badsite.net, and so on. FortiGate web pattern blocking supports standard regular expressions. You can add up to 20 patterns to the web pattern block list. Because an unanchored pattern matches anywhere in the URL, a short pattern such as badsite also blocks unrelated pages whose host or path happens to contain that string, so test each pattern against a sample of expected traffic before deploying it.

To add patterns to the Web pattern b
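The two mechanisms above, an exact URL block list and a regular-expression pattern list, as an added example that is not part of the original guide or Fortinet's code. It parses a block-list file, enforces the 20-pattern limit the page states, and checks a URL against both lists; the '#' comment convention, the exempt-host handling and all sample entries and URLs are constructed for this illustration.

```python
"""URL block list and web pattern blocking, modelled on the procedure above.
Added illustration, not FortiGate code: the '#' comment convention, the
exempt-host handling and every sample entry and URL are constructed; the
20-pattern limit is the one the page states."""
import re
from urllib.parse import urlsplit

MAX_PATTERNS = 20


def parse_block_list(text):
    """One URL or host per line; blank lines and '#' comment lines ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            entries.append(line.lower().rstrip("/"))
    return entries


def compile_patterns(patterns):
    """Compile the web pattern block list, rejecting bad or too many regexes
    before they reach the device."""
    if len(patterns) > MAX_PATTERNS:
        raise ValueError(f"at most {MAX_PATTERNS} patterns allowed")
    compiled = []
    for pattern in patterns:
        try:
            compiled.append((pattern, re.compile(pattern, re.IGNORECASE)))
        except re.error as exc:
            raise ValueError(f"invalid pattern {pattern!r}: {exc}") from exc
    return compiled


def _host_and_path(url):
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower(), parts.path or "/"


def url_blocked(url, block_entries, patterns, exempt_hosts=()):
    """Return the block-list entry or pattern that blocks 'url', or None.
    Exempt hosts (and their subdomains) are never blocked."""
    host, path = _host_and_path(url)
    if any(host == e or host.endswith("." + e) for e in exempt_hosts):
        return None
    for entry in block_entries:
        if host == entry or host.endswith("." + entry):
            return entry                        # whole host, with subdomains
        if (host + path).startswith(entry + "/") or host + path == entry:
            return entry                        # host/path prefix
    for text, regex in patterns:
        if regex.search(url):                   # unanchored: anywhere in URL
            return text
    return None


# Constructed sample block list and pattern list.
BLOCK_LIST = parse_block_list("# corporate block list\nbadsite.com\nexample.net/downloads\n")
PATTERNS = compile_patterns(["badsite", r"\.exe$"])

if __name__ == "__main__":
    for url in ("http://www.badsite.com/index.html", "http://example.net/news",
                "http://mirror.org/badsite.org/", "http://files.example.org/setup.EXE"):
        print(url, "->", url_blocked(url, BLOCK_LIST, PATTERNS))
```

The third sample URL shows the caveat from the text: the unanchored pattern badsite blocks a page on mirror.org whose path merely contains that string.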
To confirm that the antivirus and attack definitions are successfully updated, enter the following command to display the antivirus engine, virus and attack definitions version, contract expiry, and last update attempt information:

get system objver

Reverting to a previous firmware version

Use the following procedures to revert your FortiGate unit to a previous firmware version.

Reverting to a previous firmware version using the web-based manager

The following procedure reverts the FortiGate unit to its factory default configuration and deletes NIDS user-defined signatures, web content lists, email filtering lists, and changes to replacement messages. Before beginning this procedure, you can:
• Back up the FortiGate unit configuration. For information, see "Backing up system settings" on page 64.
• Back up the NIDS user-defined signatures. For information, see the FortiGate NIDS Guide.
• Back up web content and email filtering lists. For information, see the FortiGate Content Protection Guide.

If you are reverting to a previous FortiOS version (for example, reverting from FortiOS v2.50 to FortiOS v2.36), you might not be able to restore the previous configuration from the backup configuration file.

Note: Installing firmware replaces the current antivirus and attack definitions with the definitions included with the firmware release that you are ins
default 167
cookies, blocking 240
CPU status 67, 68
critical firewall events, alert email 258
critical VPN events, alert email 258
custom ICMP service 153
custom IP service 153
custom TCP service 152
custom UDP service 152
customer service 16

D
date and time, setting, example 122, 133
date, setting 121
default gateway, configuring, Transparent mode 43
default route 22, 106
deny, firewall policy 141
deny, policy 141
destination, policy option 140
destination route, adding 101
destination route, adding a default route 100
detection, NIDS 215
device, auto 101
DHCP, adding a DHCP server to an interface 105
DHCP, adding a reserved IP to a DHCP server 106
DHCP, adding a scope to a DHCP server 105
DHCP, configuring 104
DHCP, configuring a DHCP server 105
DHCP, configuring DHCP relay 104
DHCP, ending IP address 22
DHCP, interface addressing mode 95
DHCP, viewing a dynamic IP list 107
dialup account, connecting the modem 109
dialup L2TP, configuring Windows 2000 client 211
dialup L2TP, configuring Windows XP client 213
dialup PPTP, configuring Windows 2000 client 207
dialup PPTP, configuring Windows 98 client 206
dialup PPTP, configuring Windows XP client 207
dialup VPN, viewing connection status 201
disabling, NIDS 216
DMZ interface, definition 259
DNS server addresses 100
domain, DHCP 106
downloading, attack definition updates 90
downloading, virus definition updates 90
dynamic IP list, viewing 107
dynamic IP pool, IP pool 142
dynamic IP/MAC list 163
dynamic IP/MAC list, viewing 165

E
email alert, testing 258
email filter log 253
enabling, policy 146
downloads and installs the updated definitions. The FortiGate unit uses HTTPS on port 8890 to check for updates. The FortiGate external interface must have a path to the FortiResponse Distribution Network (FDN) using port 8890. To configure automatic virus and attack updates, see "Updating antivirus and attack definitions" on page 73.

Transparent mode installation

This chapter describes how to install your FortiGate unit in Transparent mode. If you want to install the FortiGate unit in NAT/Route mode, see "NAT/Route mode installation" on page 33.

This chapter describes:
• Preparing to configure Transparent mode
• Using the setup wizard
• Using the command line interface
• Connecting the FortiGate unit to your networks
• Completing the configuration
• Transparent mode configuration examples

Preparing to configure Transparent mode

Use Table 14 to gather the information that you need to customize Transparent mode settings.

Table 14: Transparent mode settings
Administrator Password: ______
Management IP: IP ______ Netmask ______
Default Gateway: ______

The management IP address and netmask must be valid for the network from which you will manage the FortiGate unit. Add a default gateway if the FortiGate unit must connect to a router to reach the management computer.
external IP address can be on different subnets. If the IP address of the external interface selected in step 4 is set using PPPoE or DHCP, you can enter 0.0.0.0 for the external IP address. The FortiGate unit substitutes the IP address set for this external interface using PPPoE or DHCP.
In Map to IP, type the real IP address on the destination network, for example the IP address of a web server on an internal network.
Note: The firewall translates the source address of outbound packets from the host with the Map to IP address to the virtual IP External IP Address instead of the firewall external address. This means the internal host is reachable and identifiable from the Internet by the virtual IP for all ports, so the virtual IP should only be added to policies that permit the services the host is meant to expose.
Select OK to save the virtual IP.
You can now add the virtual IP to firewall policies.

Figure 12: Adding a static NAT virtual IP (form fields: Name web_Server; Type Static NAT; External IP Address 173.87.39.21; Map to IP, internal server address)

Adding port forwarding virtual IPs

To add port forwarding virtual IPs:
1. Go to Firewall > Virtual IP.
2. Select New to add a virtual IP.
3. Type a Name for the virtual IP. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
4. Select the virtual IP External Interface from the list. The external interface is the interface connected to the source network that receives the pack
generated, and the certificate request is displayed on the Local Certificates list with a status of Pending. Choose the largest Key Size that the unit and your CA support; 1024-bit RSA keys, the size shown in the figure, are no longer considered adequate.

Figure 24: Adding a Local Certificate (Generate Certificate Signing Request form: Certification Name User_One; Subject Information: ID Type E-mail, e-mail one@fortinet.com; Optional Information: Organization Unit, Organization Fortinet, Locality (City) vancouver, State/Province, Country; Key Type and Key Size 1024 Bit)

Downloading the certificate request

Use the following procedure to download a certificate request from the FortiGate unit to the management computer.

To download the certificate request:
1. Go to VPN > Certificates > Local Certificates.
2. Select Download to download the local certificate request to the management computer.
3. Select Save.
4. Name the file and save it in a directory on the management computer.

After downloading the certificate request, you can submit it to your CA so that your CA can sign the certificate.

Importing the signed local certificate

With this procedure you import the signed local certificate from the management computer to the FortiGate unit.

To import the signed local certificate:
1. Go to VPN > Certificates > Local Certificates.
2. Select Import.
3. Enter the path or bro
4. Select the Automatically adjust clock for daylight saving changes check box if you want the FortiGate system clock to be adjusted automatically when your time zone changes to daylight saving time.
5. Select Set Time and set the FortiGate system date and time to the correct date and time, if required.
6. Select Synchronize with NTP Server to configure the FortiGate unit to use NTP to automatically set the system time and date. For more information about NTP, and to find the IP address of an NTP server that you can use, see http://www.ntp.org.
7. Enter the IP address or domain name of the NTP server that the FortiGate unit can use to set its time and date.
8. Specify how often the FortiGate unit should synchronize its time with the NTP server. A typical Syn Interval would be 1440 minutes, for the FortiGate unit to synchronize its time once a day.
9. Select Apply.

Accurate time matters beyond the clock display: certificate validity checks, log timestamps you will correlate with other devices, and the FDS selection by time zone all depend on it, so use an NTP server you control or trust.

Figure 1: Example date and time setting (System Time Tue Jun 24 07:18:53 2003; Time Zone (GMT-8:00) Pacific Time (US & Canada); Automatically adjust clock for daylight saving changes; Set Time: Hour 7, Minute 18, Second 53, Month Jun, Day 24, Year 2003; Synchronize with NTP Server: Server, Syn Interval in mins)

Changing system options

On the System > Config > Options page you can:
• Set the system idle ti
Figure: Transparent mode policies controlling traffic between internal and external networks (internal network, for example host 10.10.10.3)

Configuration options

Once you have selected Transparent or NAT/Route mode operation, you can complete the configuration plan and begin to configure the FortiGate unit. You can use the web-based manager setup wizard or the command line interface (CLI) for the basic configuration of the FortiGate unit.

Setup wizard

If you are configuring the FortiGate unit to operate in NAT/Route mode (the default), the setup wizard prompts you to add the administration password and internal interface address. The setup wizard also prompts you to choose either a manual (static) or a dynamic (DHCP or PPPoE) address for the external interface. Using the wizard, you can also add DNS server IP addresses and a default route for the external interface.

In NAT/Route mode you can also change the configuration of the FortiGate DHCP server to supply IP addresses for the computers on your internal network. You can also configure the FortiGate to allow Internet access to your internal Web, FTP, or email servers.

If you are configuring the FortiGate unit to operate in Transparent mode, you can switch to Transparent mode from the web-based manager and then use the setup wizard to add the administration password, the management IP address and gateway, and the DN
manager. Use the following procedure to connect to the web-based manager for the first time. Configuration changes made with the web-based manager are effective immediately, without resetting the firewall or interrupting service.

To connect to the web-based manager, you need:
• a computer with an ethernet connection
• Internet Explorer version 4.0 or higher
• a crossover cable, or an ethernet hub and two ethernet cables

Note: You can use the web-based manager with recent versions of most popular web browsers. The web-based manager is fully supported for Internet Explorer version 4.0 or higher.

To connect to the web-based manager:
1. Set the IP address of the computer with an ethernet connection to the static IP address 192.168.1.2 and a netmask of 255.255.255.0. You can also configure the management computer to obtain an IP address automatically using DHCP. The FortiGate DHCP server assigns the management computer an IP address in the range 192.168.1.1 to 192.168.1.254.
2. Using the crossover cable, or the ethernet hub and cables, connect the internal interface of the FortiGate unit to the computer ethernet connection.
3. Start Internet Explorer and browse to the address https://192.168.1.99. The FortiGate login is displayed. Expect a browser warning at this point, because the unit presents its own self-signed certificate.
4. Type admin in the Name field and select Login. The admin account has no password until you set one, so set the Administrator Password from your planning table before the unit is connected to any other network. The Register Now window is displayed. Use the inform
not defined in the IP/MAC binding table:
• is allowed to go on to be matched with a firewall policy if IP/MAC binding is set to Allow traffic
• is blocked if IP/MAC binding is set to Block traffic

Configuring IP/MAC binding for packets going to the firewall

Use the following procedure to use IP/MAC binding to filter packets that would normally connect with the firewall, for example when an administrator is connecting to the FortiGate unit for management.

To configure IP/MAC binding for packets going to the firewall:
1. Go to Firewall > IP/MAC Binding > Setting.
2. Select the Enable IP/MAC binding going to the firewall check box.
3. Go to Firewall > IP/MAC Binding > Static IP/MAC.
4. Select New to add IP/MAC binding pairs to the IP/MAC binding list.

All packets that would normally connect to the firewall are first compared with the entries in the IP/MAC binding table. For example, if the IP/MAC pair IP 1.1.1.1 and MAC 12:34:56:78:90:ab:cd is added to the IP/MAC binding list:
• A packet with IP address 1.1.1.1 and MAC address 12:34:56:78:90:ab:cd is allowed to connect to the firewall.
• A packet with IP 1.1.1.1 but with a different MAC address is dropped immediately, to prevent IP spoofing.
• A packet with a different IP address but with a MAC address of 12:34:56:78:90:ab:cd is dropped immediately, to prevent IP spoofing.
• A packet with both the IP address and MAC address not defined in the IP/MAC binding table is allowed to con
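The four decision rules above, for both the through-the-firewall and to-the-firewall cases, as an added example that is not part of the original guide or Fortinet's code. Beyond the rules themselves it adds an audit() pre-check over observed (IP, MAC) pairs, which is how a practitioner finds the re-addressed hosts the Note in this section warns about before binding locks them out. The table entries, the observed hosts and the MAC addresses are constructed (6-octet addresses are used rather than the page's 7-group example).

```python
"""IP/MAC binding decision logic as described above. Added illustration, not
FortiGate code: table entries, observed hosts and MAC addresses are
constructed."""

ALLOW = "allow"   # pairs not in the table go on to policy matching
BLOCK = "block"   # pairs not in the table are dropped


def normalize_mac(mac):
    """Canonical lower-case, colon-separated form so that 12-34-56-78-90-AB
    and 12:34:56:78:90:ab compare equal."""
    digits = mac.lower().replace("-", "").replace(":", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class IpMacBinding:
    def __init__(self, entries, unmatched=ALLOW):
        self.by_ip = {}
        self.by_mac = {}
        for ip, mac in entries:
            mac = normalize_mac(mac)
            if ip in self.by_ip or mac in self.by_mac:
                raise ValueError(f"duplicate binding for {ip} / {mac}")
            self.by_ip[ip] = mac
            self.by_mac[mac] = ip
        self.unmatched = unmatched

    def check(self, ip, mac):
        """Return ("pass", reason) if the packet may continue (to a policy
        lookup, or to the firewall itself) or ("drop", reason)."""
        mac = normalize_mac(mac)
        bound_mac = self.by_ip.get(ip)
        bound_ip = self.by_mac.get(mac)
        if bound_mac == mac:
            return ("pass", "matches a bound IP/MAC pair")
        if bound_mac is not None:                    # known IP, foreign MAC
            return ("drop", f"IP {ip} is bound to {bound_mac}, not {mac}")
        if bound_ip is not None:                     # known MAC, foreign IP
            return ("drop", f"MAC {mac} is bound to {bound_ip}, not {ip}")
        if self.unmatched == BLOCK:
            return ("drop", "pair not in table and binding is set to block")
        return ("pass", "pair not in table and binding is set to allow")

    def audit(self, observed):
        """Given (ip, mac) pairs seen on the network (for example from an ARP
        table), list the hosts that would be dropped. Run this before enabling
        binding, and again after any host changes address."""
        return [(ip, mac, self.check(ip, mac)[1])
                for ip, mac in observed if self.check(ip, mac)[0] == "drop"]


# Constructed static table and observed hosts.
TABLE = IpMacBinding([("1.1.1.1", "12:34:56:78:90:ab"),
                      ("1.1.1.2", "00:11:22:33:44:55")])
OBSERVED = [("1.1.1.1", "12-34-56-78-90-AB"),   # bound pair, other notation
            ("1.1.1.1", "00:00:00:00:00:01"),   # bound IP, foreign MAC
            ("1.1.1.3", "00:11:22:33:44:55"),   # bound MAC, host re-addressed
            ("1.1.1.9", "de:ad:be:ef:00:01")]   # unknown host

if __name__ == "__main__":
    for row in TABLE.audit(OBSERVED):
        print("would drop:", row)
```

With the default allow setting the unknown host passes through to policy matching; a table built with unmatched="block" drops it, which is the stricter posture for the management interface where every legitimate administrator workstation can be enumerated.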
of all IPSec AutoIKE key VPN tunnels. For each tunnel, the list shows the status and the tunnel time-out.

To view VPN tunnel status:
1. Go to VPN > IPSEC > Phase 2.
2. View the status and timeout for each VPN tunnel.
Status: The status of each tunnel. If Status is Up, the tunnel is active. If Status is Down, the tunnel is not active. If Status is Connecting, the tunnel is attempting to start a VPN connection with a remote VPN gateway or client.
Timeout: The time before the next key exchange. The time is calculated by subtracting the time elapsed since the last key exchange from the keylife.

Figure 27: AutoIKE key tunnel status (Phase 2 tab; the other tabs are Manual Key, Phase 1, Concentrator and Dialup Monitor)
Name | Remote Gateway | Lifetime (sec / kb) | Status
AutoIKE_tunnel_1 | 66.34.23.78 | 300 / 10240 | Up
AutoIKE_tunnel_2 | 55.66.77.88 | 300 / NA | Down

Viewing dialup VPN connection status

You can use the dialup monitor to view the status of dialup VPNs. The dialup monitor lists the remote gateways and the active VPN tunnels for each gateway. The monitor also lists the tunnel lifetime, timeout, proxy ID source, and proxy ID destination for each tunnel.

To view dialup connection status:
1. Go to VPN > IPSec > Dialup Monitor.
2. View the dialup connection status information for the FortiGate unit.
Remote gateway: The IP address of the remote dialup gateway.
Lifetime: The amount of time that the dialup VPN connection has been active.
on page 235), FortiGate Web Pattern blocking (see "Configuring FortiGate Web pattern blocking" on page 237), and Cerberian URL filtering (see "Configuring Cerberian URL filtering" on page 238) to HTTP traffic accepted by a policy.
Web Content Block: Block web pages that contain unwanted words or phrases. See "Content blocking" on page 232.
Web Script Filter: Remove scripts from web pages. See "Script filtering" on page 240.
Web Exempt List: Exempt URLs from web filtering and virus scanning. See "Exempt URL list" on page 241.

Enable the email filter protection options that you want:
Email Block List: Add a subject tag to email from unwanted addresses. See "Email block list" on page 248.
Email Exempt List: Exempt sender address patterns from email filtering. See "Email exempt list" on page 249.
Email Content Block: Add a subject tag to email that contains unwanted words or phrases. See "Email banned word list" on page 246.

Enable the fragmented email and oversized file and email options that you want:
Oversized File/Email: Block or pass files and email that exceed thresholds configured as a percent of system memory. See "Blocking oversized files and emails" on page 228.
Pass Fragmented Email: Allow email messages that have been fragmented to bypass antivirus scanning. See "Exempting fr

Note that a web exempt entry and the pass options for oversized and fragmented email all create traffic that is never scanned; keep each such exception deliberate and as narrow as the business need allows.
push update connections from the FDN to a FortiGate unit on the internal network.

To configure the FortiGate NAT device:
1. Go to Firewall > Virtual IP.
2. Select New.
3. Type a name for the virtual IP.
4. In the External Interface section, select the external interface that the FDN connects to. For the example topology, select the external interface.
5. In the Type section, select Port Forwarding.
6. In the External IP Address section, type the external IP address that the FDN connects to. For the example topology, enter 64.230.123.149.
7. Type the External Service Port that the FDN connects to. For the example topology, enter 45001.
8. In the Map to IP section, type the IP address of the FortiGate unit on the internal network. If the FortiGate unit is operating in NAT/Route mode, enter the IP address of the external interface. If the FortiGate unit is operating in Transparent mode, enter the management IP address. For the example topology, enter 192.168.1.99.
9. Set the Map to Port to 9443.
10. Set Protocol to UDP.
11. Select OK.

Figure 3: Push update port forwarding virtual IP (Name Push_VIP; External Interface external; Type Port Forwarding; External IP Address 64.230.123.149; External Service Port 45001; Map to IP 192.168.1.99; Map to Por
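Both virtual IP types described in this guide, the static NAT VIP from Figure 12 (web_Server, with its outbound source-address side effect from the Note under that figure) and the push-update port forwarding VIP from Figure 3 above, as an added example that is not part of the original guide or Fortinet's code. It loads both entries into one table for illustration and works out what a packet is translated to in each direction; the internal address behind web_Server is constructed because it is not legible in Figure 12, and the assumption that hosts behind a port forwarding VIP keep the firewall's own source address is mine, not the page's.

```python
"""Virtual IP translation, modelled on the static NAT and port forwarding
VIPs described in this guide. Added illustration, not FortiGate code: the
10.10.10.5 server address is constructed, and the source-address rule for
hosts behind a port forwarding VIP is an assumption."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class VirtualIP:
    name: str
    external_ip: str
    map_to_ip: str
    external_port: Optional[int] = None   # None: Static NAT, every port
    map_to_port: Optional[int] = None
    protocol: Optional[str] = None        # "tcp" or "udp" for Port Forwarding

    @property
    def port_forwarding(self):
        return self.external_port is not None


def inbound(vips, dst_ip, dst_port, proto):
    """Destination NAT for a packet arriving on the external interface.
    Returns (new_dst_ip, new_dst_port), or None when no VIP applies and the
    packet is treated as addressed to the firewall itself."""
    for vip in vips:
        if vip.external_ip != dst_ip:
            continue
        if not vip.port_forwarding:
            return (vip.map_to_ip, dst_port)            # every port, unchanged
        if vip.protocol == proto and vip.external_port == dst_port:
            return (vip.map_to_ip, vip.map_to_port)     # one port, rewritten
    return None


def outbound_source(vips, src_ip, firewall_external_ip):
    """Source address for a packet leaving through the external interface.
    A host behind a Static NAT VIP is translated to the VIP's External IP
    Address (the Note under Figure 12); every other host, including one
    behind a port forwarding VIP (assumed), uses the firewall's own address."""
    for vip in vips:
        if not vip.port_forwarding and vip.map_to_ip == src_ip:
            return vip.external_ip
    return firewall_external_ip


# The VIPs from Figure 12 and Figure 3; 10.10.10.5 is constructed.
VIPS = [
    VirtualIP("web_Server", "173.87.39.21", "10.10.10.5"),
    VirtualIP("Push_VIP", "64.230.123.149", "192.168.1.99", 45001, 9443, "udp"),
]

if __name__ == "__main__":
    print(inbound(VIPS, "64.230.123.149", 45001, "udp"))   # ('192.168.1.99', 9443)
    print(inbound(VIPS, "64.230.123.149", 45001, "tcp"))   # None: wrong protocol
    print(inbound(VIPS, "173.87.39.21", 22, "tcp"))        # ('10.10.10.5', 22)
    print(outbound_source(VIPS, "10.10.10.5", "64.230.123.149"))   # 173.87.39.21
```

The third print is the practical difference between the two types: the static NAT VIP forwards every port to the server, so only the firewall policy that references web_Server limits which services are reachable, whereas Push_VIP exposes nothing except UDP 45001.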
replacement messages. Before beginning this procedure, you can:
• Back up the FortiGate unit configuration using the command execute backup config
• Back up the NIDS user-defined signatures using the command execute backup nidsuserdefsig
• Back up web content and email filtering lists. For information, see the FortiGate Content Protection Guide.

If you are reverting to a previous FortiOS version (for example, reverting from FortiOS v2.50 to FortiOS v2.36), you might not be able to restore your previous configuration from the backup configuration file.

Note: Installing firmware replaces the current antivirus and attack definitions with the definitions included with the firmware release that you are installing. After you install new firmware, use the procedure "Manually initiating antivirus and attack definitions updates" on page 75 to make sure that antivirus and attack definitions are up to date. You can also use the CLI command execute updatecenter updatenow to update the antivirus and attack definitions.

To use the following procedure, you must have a TFTP server that the FortiGate unit can connect to. TFTP has no authentication or integrity protection, so run the server on an isolated management segment, only for the duration of the upgrade, and make sure the image you place on it is the one you downloaded from Fortinet.

To revert to a previous firmware version using the CLI:
1. Make sure that the TFTP server is running.
2. Copy the new firmware image file to the root directory of the TFTP server.
3. Log into the FortiGate CLI as
saved to the Fortinet technical support database. If you changed your contact information, the changes are displayed.

Downloading virus and attack definitions updates

Use the following procedure to manually download virus and attack definitions updates. This procedure also describes how to install the attack definitions updates on your FortiGate unit.

To download virus and attack definitions updates:
1. Go to System > Update > Support.
2. Select Support Login.
3. Enter your Fortinet support user name and password.
4. Select Login.
5. Select Download Virus/Attack Update.
6. If required, select the FortiOS version.
7. Select the virus and attack definitions to download.

Figure 8: Downloading virus and attack definition updates (Download Virus/Attack Updates; Version v2.36 / 2.30)
FGT Unit | Virus Definition | Attack Definition
FGT-50 | OS2.3.6_4.77 | 2.36.1.41
FGT-60 | | 2.36.1.41
FGT-100 | OS2.3.6_4.77 | 2.36.1.41
FGT-200 | OS2.3.6_4.77 | 2.36.1.41
FGT-300 | OS2.3.6_4.77 | 2.36.1.41
FGT-400 | OS2.3.6_4.77 | 2.36.1.41
FGT-500 | OS2.3.6_4.77 | 2.36.1.41
FGT-1000 | | 2.36.1.41
FGT-3000 | OS2.3.6_4.77 | 2.36.1.41
FGT-3600 | | 2.36.1.41

For information about how to install the downloaded files, see "Manual virus definition updates" on page 63 and "Manual attack definition updates" on page 63.
segments of 16 characters.
Select an Authentication Algorithm from the list. Use the same algorithm at both ends of the tunnel. Prefer SHA1 over MD5 where both ends support it.
Enter the Authentication Key. Each two-character combination entered in hexadecimal format represents one byte. Use the same authentication key at both ends of the tunnel. Generate the key with a cryptographic random number generator rather than typing a memorable value, and remember that a manual key never changes unless you change it, so plan to rotate it or, where possible, use AutoIKE instead.
MD5: Enter a 32-character (16-byte) hexadecimal number (0-9, A-F). Separate the number into two segments of 16 characters.
SHA1: Enter a 40-character (20-byte) hexadecimal number (0-9, A-F). Separate the number into two segments, the first of 16 characters and the second of 24 characters.
Select a concentrator if you want the tunnel to be part of a hub-and-spoke VPN configuration. See "Adding a VPN concentrator" on page 198.
Select OK to save the manual key VPN tunnel.

AutoIKE IPSec VPNs

FortiGate units support two methods of Automatic Internet Key Exchange (AutoIKE) for establishing IPSec VPN tunnels: AutoIKE with pre-shared keys and AutoIKE with digital certificates.
• General configuration steps for an AutoIKE VPN
• Adding a phase 1 configuration for an AutoIKE VPN
• Adding a phase 2 configuration for an AutoIKE VPN

General configuration steps for an AutoIKE VPN

An AutoIKE VPN configuration consists of phase 1 and phase 2 configuration parameters, the source and destination addresses for both ends of the tunnel, and an encrypt policy to control access to the VPN tunnel.
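Generating and checking a manual authentication key for the form described above, as an added example that is not part of the original guide or Fortinet's code. The byte lengths (MD5 16 bytes, SHA1 20 bytes) and the 16-character first segment come from the page; the split of the remainder into a second field, the whitespace and colon tolerance when pasting, and the use of the OS random generator are this example's choices.

```python
"""Manual-key authentication key handling for the form described above.
Added illustration, not FortiGate code: byte lengths and the 16-character
first segment are the page's; everything else is this example's choice."""
import secrets

AUTH_KEY_BYTES = {"md5": 16, "sha1": 20}
FIRST_SEGMENT = 16          # hex characters in the first form field


def validate_auth_key(algorithm, hex_key):
    """Return the key as upper-case hex, or raise ValueError if it is not
    exactly the right number of hex characters for the algorithm. Spaces
    and colons (as produced by some key generators) are tolerated."""
    algorithm = algorithm.lower()
    if algorithm not in AUTH_KEY_BYTES:
        raise ValueError(f"unsupported algorithm {algorithm!r}")
    key = "".join(hex_key.split()).replace(":", "").upper()
    want = AUTH_KEY_BYTES[algorithm] * 2
    if len(key) != want:
        raise ValueError(f"{algorithm} key needs {want} hex characters, got {len(key)}")
    if any(c not in "0123456789ABCDEF" for c in key):
        raise ValueError("key must contain only hexadecimal digits 0-9, A-F")
    return key


def form_segments(key):
    """Split a validated key into the two form fields: 16 characters, then
    the rest (16 for MD5, 24 for SHA1)."""
    return key[:FIRST_SEGMENT], key[FIRST_SEGMENT:]


def generate_auth_key(algorithm):
    """Fresh key from the OS CSPRNG; enter the same value at both ends."""
    return secrets.token_hex(AUTH_KEY_BYTES[algorithm.lower()]).upper()


if __name__ == "__main__":
    key = generate_auth_key("sha1")
    print("SHA1 key, as two form fields:", form_segments(key))
```

Run the same validation on the value entered at the remote gateway; a single dropped or transposed digit yields a tunnel that negotiates nothing and shows only as Down.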
signatures by ID number and name.
3. Clear the Enable check box.
4. Select OK.
5. Repeat steps 2 to 4 for each NIDS attack signature group that you want to disable.

Select Check All to enable all NIDS attack signature groups in the signature list. Select Uncheck All to disable all NIDS attack signature groups in the signature list.

Adding user-defined signatures

You can create a user-defined signature list in a text file and upload it from the management computer to the FortiGate unit.

Note: You cannot upload individual signatures. You must include in a single text file all the user-defined signatures that you want to upload. The file can contain one or more signatures. For information about how to write user-defined signatures, see the FortiGate NIDS Guide.

To add user-defined signatures:
1. Go to NIDS > Detection > User Defined Signature List.
2. Select Upload.
Caution: Uploading the user-defined signature list overwrites the existing file. Download or otherwise keep a copy of the current list before uploading, since the signatures it contains are not merged.
3. Type the path and filename of the text file for the user-defined signature list, or select Browse and locate the file.
4. Select OK to upload the text file for the user-defined signature list.
5. Select Return to display the uploaded user-defined signature list.

Figure 33: Example user-defined signature list (User Defined Signature List tab, alongside the General and Signature List tabs, with a User Defined Signature Detail view)
supported for RADIUS server authentication.
Select the Networking tab.
Set VPN server type to Layer 2 Tunneling Protocol (L2TP).
Save the changes and continue with the following procedure.

To disable IPSec:
1. Select the Networking tab.
2. Select Internet Protocol (TCP/IP) properties.
3. Double-click the Advanced tab.
4. Go to the Options tab and select IP security properties.
5. Make sure that Do not use IPSEC is selected.
6. Select OK and close the connection properties window.

Note: The default Windows 2000 L2TP traffic policy does not allow L2TP traffic without IPSec encryption. You can disable this default behavior by editing the Windows 2000 Registry as described in the following steps. See the Microsoft documentation for editing the Windows Registry.
1. Use the registry editor (regedit) to locate the following key in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters
2. Add the following registry value to this key:
Value Name: ProhibitIpSec
Data Type: REG_DWORD
Value: 1
3. Save the changes and restart the computer for the changes to take effect.

You must add the ProhibitIpSec registry value to each Windows 2000-based endpoint computer of an L2TP or IPSec connection to prevent the automatic filter for L2TP and IPSec traffic from being created. Be aware of what this trades away: without IPSec, the L2TP tunnel itself provides no confidentiality or integrity for the PPP session, so the connection is protected only by PPP authentication and should be used only over networks you already trust. When the ProhibitIpSec registry value is set to 1, your Windows 2000-based computer does not create the automatic filter that uses CA authentication. Instead, it check
the FortiGate unit.
Note: The CA certificate must adhere to the X.509 standard.

Importing CA certificates

Import the CA certificate from the management computer to the FortiGate unit. Because this certificate becomes the trust anchor for authenticating VPN peers, confirm its fingerprint with the CA operator out of band before importing it.

To import the CA certificate:
1. Go to VPN > Certificates > CA Certificates.
2. Select Import.
3. Enter the path or browse to locate the CA certificate on the management computer.
4. Select OK.
The CA certificate is displayed on the CA Certificates list. The system assigns a unique name to each CA certificate. The names are numbered consecutively: CA_Cert_1, CA_Cert_2, CA_Cert_3, and so on.

Configuring encrypt policies

A VPN connects the local internal network to a remote external network. The principal role of the encrypt policy is to define and limit which addresses on these networks can use the VPN. A VPN requires only one encrypt policy to control both inbound and outbound connections. Depending on how you configure it, the policy controls whether users on your internal network can establish a tunnel to the remote network (the outbound connection), and whether users on the remote network can establish a tunnel to your internal network (the inbound connection). This flexibility allows one encrypt policy to do the same function as two regular firewall policies.

Although the encrypt policy controls both incoming and outgoing connections, it must always be configured as an outgoing policy. An outgoing policy has a source address on an internal
the FortiGate unit is operating in NAT/Route mode or Transparent mode.

To configure SNMP access to an interface in NAT/Route mode:
1. Go to System > Network > Interface.
2. Choose the interface that the SNMP manager connects to and select Modify.
3. For Administrative Access, select SNMP.
4. Select OK.

To configure SNMP access to an interface in Transparent mode:
1. Go to System > Network > Management.
2. Choose the interface that the SNMP manager connects to and select SNMP.
3. Select Apply.

Configuring SNMP community settings

You can configure a single SNMP community for each FortiGate device. An SNMP community consists of identifying information about the FortiGate unit, your SNMP get community and trap community strings, and the IP addresses of up to three SNMP managers that can receive traps sent by the FortiGate SNMP agent. SNMP v1 and v2c carry the community string in cleartext and it is the only access control, so choose strings that are not the well-known defaults, enable SNMP only on the interface that faces the management network, and handle the strings as shared secrets.

To configure SNMP community settings:
1. Go to System > Config > SNMP v1/v2c.
2. Select the Enable SNMP check box.
3. Configure the following SNMP settings:
System Name: Automatically set to the FortiGate host name. To change the System Name, see "Changing the FortiGate host name" on page 54.
System Location: Describe the physical location of the FortiGate unit. The system location description can be up to 31 characters long and can contain spaces, numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _.
... the System Update page.

Table 1: Connections to the FDN
Connection | Status | Comments
FortiResponse Distribution Network | Available | The FortiGate unit can connect to the FDN. You can configure the FortiGate unit for scheduled updates. See "Scheduling updates" on page 76.
FortiResponse Distribution Network | Not available | The FortiGate unit cannot connect to the FDN. You must configure your FortiGate unit and your network so that the FortiGate unit can connect to the Internet and to the FDN. For example, you may need to add routes to the FortiGate routing table or configure your network to allow the FortiGate unit to use HTTPS on port 8890 to connect to the Internet. You may also have to connect to an override FortiResponse server to receive updates. See "Adding an override server" on page 77.
Push Update | Available | The FDN can connect to the FortiGate unit to send push updates. You can configure the FortiGate unit to receive push updates. See "Enabling push updates" on page 78.
Push Update | Not available | The FDN cannot connect to the FortiGate unit to send push updates. Push updates may not be available if you have not registered the FortiGate unit (see "Registering the FortiGate unit" on page 85) or if there is a NAT device installed between the FortiGate unit and the FDN (see "Enabling push updates through a NAT device" on page 79).
... the admin administrative user.

Make sure the FortiGate unit can connect to the TFTP server. You can use the following command to ping the computer running the TFTP server. For example, if the TFTP server's IP address is 192.168.1.168:
execute ping 192.168.1.168

Enter the following command to copy the firmware image from the TFTP server to the FortiGate unit:
execute restore image <name_str> <tftp_ip>
Where <name_str> is the name of the firmware image file on the TFTP server and <tftp_ip> is the IP address of the TFTP server. For example, if the firmware image file name is FGT_300-v250-build045-FORTINET.out and the IP address of the TFTP server is 192.168.1.168, enter:
execute restore image FGT_300-v250-build045-FORTINET.out 192.168.1.168

The FortiGate unit uploads the firmware image file. After the file uploads, a message similar to the following is displayed:
Get image from tftp server OK.
This operation will downgrade the current firmware version!
Do you want to continue? (y/n)

Type Y.
The FortiGate unit reverts to the old firmware version, resets the configuration to factory defaults, and restarts. This process takes a few minutes. Because the configuration is reset, make sure you have a current backup of the configuration before you answer Y.

Reconnect to the CLI.

To confirm that the new firmware image has been loaded, enter:
get system status

Restore your previous configuration. Use the following command:
execute restore config

Update antivirus and attack definitions. For information, see
... the entry. If you do not add this information to the text file, the FortiGate unit automatically enables all URLs and patterns that are followed with a 1 or no number when you upload the text file.

Table 22: URL Exempt list configuration parameters
Parameter | Setting | Description
Status | 0 | Disabled
Status | 1 | Enabled

Figure 41: Example URL Exempt list text file
www.goodsite.com 1
www.goodsite.com/index 1
127.33.44.55 1

Note: All changes made to the URL Exempt List using the web-based manager are lost when you upload a new list. However, you can download your current URL Exempt List, add more items to it using a text editor, and then upload the edited list to the FortiGate unit.

1 In a text editor, create the list of URLs to exempt.
2 Using the web-based manager, go to Web Filter > URL Exempt.
3 Select Upload URL Exempt List.
4 Type the path and filename of your URL Exempt List text file, or select Browse and locate the file.
5 Select OK to upload the file to the FortiGate unit.
6 Select Return to display the updated URL Exempt List.
You can continue to maintain the URL Exempt List by making changes to the text file and uploading it again as necessary.

Email filter

Email filtering is enabled in firewall policies. When you enable Anti-Virus
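The list file format above (one URL or IP per line, optionally followed by a status of 1 or 0, where a missing status means enabled) and the note that an upload replaces the whole list both lend themselves to a small tool. The following is an added example, not Fortinet code: it parses a downloaded list, merges new entries into it so that nothing already on the unit is lost, and writes every status explicitly. The sample list reproduces Figure 41; the additions and the comment-line handling are constructed assumptions.

```python
"""Parse, merge and re-emit FortiGate URL Exempt / URL Block list text files.

Added example, not Fortinet code. Assumed file format, from the manual:
one entry per line, a URL or IP address optionally followed by a status
field, where 1 (or no field) means enabled and 0 means disabled.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class UrlEntry:
    pattern: str
    enabled: bool

    def to_line(self) -> str:
        # Always write the status so the uploaded file is unambiguous.
        return f"{self.pattern} {1 if self.enabled else 0}"


def parse_url_list(text: str) -> List[UrlEntry]:
    """Return entries in file order; a missing status or '1' means enabled."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank/comment lines (assumption)
            continue
        parts = line.split()
        pattern = parts[0]
        if len(parts) == 1:
            enabled = True                      # no number: the unit enables it
        elif len(parts) == 2 and parts[1] in ("0", "1"):
            enabled = parts[1] == "1"
        else:
            raise ValueError(f"malformed entry: {line!r}")
        entries.append(UrlEntry(pattern, enabled))
    return entries


def merge_url_lists(downloaded: str, additions: str) -> str:
    """Merge additions into the downloaded list, keeping existing entries.

    Uploading replaces the whole list on the unit, so any entry not in the
    uploaded file is lost. Starting from the downloaded copy avoids that.
    A later entry for the same pattern overrides an earlier one, which lets
    an addition disable an existing entry by giving it status 0.
    """
    merged: Dict[str, UrlEntry] = {}
    for entry in parse_url_list(downloaded) + parse_url_list(additions):
        merged[entry.pattern] = entry
    return "\n".join(e.to_line() for e in merged.values()) + "\n"


# Constructed samples: the first matches Figure 41, the second adds one
# site and disables an existing entry.
SAMPLE_DOWNLOADED = "www.goodsite.com 1\nwww.goodsite.com/index 1\n127.33.44.55 1\n"
SAMPLE_ADDITIONS = "www.partner.example\nwww.goodsite.com 0\n"

if __name__ == "__main__":
    print(merge_url_lists(SAMPLE_DOWNLOADED, SAMPLE_ADDITIONS), end="")
```

Upload the text returned by merge_url_lists rather than a hand-typed file; the merged file carries every entry the unit already had plus the new ones, which is what the note above requires.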
... the following port settings, and select OK:
Bits per second: 9600
Data bits: 8
Parity: None
Stop bits: 1
Flow control: None

Press Enter to connect to the FortiGate CLI. The following prompt is displayed:
FortiGate-50A login:
Type admin and press Enter twice. The following prompt is displayed:
Type ? for a list of commands.
For information about how to use the CLI, see the FortiGate CLI Reference Guide.

Factory default FortiGate configuration settings

The FortiGate unit is shipped with a factory default configuration. The default configuration allows you to connect to and use the FortiGate web-based manager to configure the FortiGate unit onto the network. To configure the FortiGate unit onto the network, you add an administrator password, change network interface IP addresses, add DNS server IP addresses, and configure routing if required.

If you plan to operate the FortiGate unit in Transparent mode, you can switch to Transparent mode from the factory default configuration and then configure the FortiGate unit onto the network in Transparent mode.

Once the network configuration is complete, you can perform additional configuration tasks such as setting system time, configuring virus and attack definition updates, and registering the FortiGate unit.

The factory default firewall configuration includes a single ne
... the interface. If the administrative status is a green arrow, the interface is up and can accept network traffic. If the administrative status is a red arrow, the interface is administratively down and cannot accept traffic. To change the administrative status, see "Changing the administrative status of an interface" on page 94.

Changing the administrative status of an interface

You can use the following procedures to start an interface that is administratively down and to stop an interface that is administratively up.

To start up an interface that is administratively down
1 Go to System > Network > Interface. The interface list is displayed.
2 Select Bring Up for the interface that you want to start.

To stop an interface that is administratively up
1 From the FortiGate CLI, enter the command:
set system interface <intf_str> config status down
You can only stop an interface that is administratively up from the FortiGate command line interface (CLI).

Configuring an interface with a manual IP address

You can change the static IP address of any FortiGate interface.

To change an interface with a manual IP address
1 Go to System > Network > Interface.
2 Choose an interface and select Modify.
3 Set Addressing Mode to Manual.
4 Change the IP address and Netmask as required. The IP address of the interface must be on the same subnet as the network th
... the tunnel is referenced indirectly by a route that points to a tunnel interface. You must select this option if the remote VPN peer is a non-FortiGate unit that has been configured to operate in tunnel interface mode.
13 Select OK to save the AutoIKE key VPN tunnel.

Figure 23: Adding a phase 2 configuration (New VPN Tunnel form)
Tunnel Name: Tunnel_1
Remote Gateway: Remote_Client_1
P2 Proposal 1: Encryption 3DES, Authentication SHA1
P2 Proposal 2: Encryption 3DES, Authentication MD5
P2 Proposal 3: Encryption AES128, Authentication MD5
Enable replay detection: selected
Enable perfect forward secrecy (PFS): selected
DH Group: 1, 2, 5
Keylife: Seconds, 1800 seconds, 4608000 KBytes
Autokey Keep Alive: Enable
Concentrator: None

When choosing proposals, prefer AES128 with SHA1 over 3DES or MD5 wherever the remote peer supports it; MD5 is no longer considered a strong integrity algorithm, and the order of the proposals decides which one is offered first.

Managing digital certificates

Use digital certificates to make sure that both participants in an IPSec communication session are trustworthy prior to setting up an encrypted VPN tunnel between the participants.

Fortinet uses a manual procedure to obtain certificates. This involves copying and pasting text files from your local computer to the certificate authority and from the certificate authority to your local computer.
• Obtaining a signed local certificate
• Obtaining CA cer
... updates. See "Registering the FortiGate unit" on page 85.

When you configure a FortiGate unit to allow push updates, the FortiGate unit sends a SETUP message to the FDN. The next time a new antivirus engine, new antivirus definitions, or new attack definitions are released, the FDN notifies all FortiGate units that are configured for push updates that a new update is available. Within 60 seconds of receiving a push notification, the FortiGate unit requests an update from the FDN.

Note: Push updates are not supported if the FortiGate unit must use a proxy server to connect to the FDN. For more information, see "Enabling scheduled updates through a proxy server" on page 78.

When the network configuration permits, configuring push updates is recommended in addition to configuring scheduled updates. On average, the FortiGate unit receives new updates sooner through push updates than if the FortiGate unit receives only scheduled updates. However, scheduled updates make sure that the FortiGate unit receives the latest updates.

Enabling push updates is not recommended as the only method for obtaining updates. The FortiGate unit might not receive the push notification. Also, when the FortiGate unit receives a push notification, it makes only one attempt to connect to the FDN and download updates.

This section describes:
• Enabling push updates
• Push
... updates when FortiGate IP addresses change
• Enabling push updates through a NAT device

Enabling push updates

To enable push updates
1 Go to System > Update.
2 Select Allow Push Update.
3 Select Apply.

Push updates when FortiGate IP addresses change

The SETUP message that the FortiGate unit sends when you enable push updates includes the IP address of the FortiGate interface that the FDN connects to. If your FortiGate unit is running in NAT/Route mode, the SETUP message includes the FortiGate external IP address. If your FortiGate unit is running in Transparent mode, the SETUP message includes the FortiGate management IP address. The FDN must be able to connect to this IP address for your FortiGate unit to be able to receive push update messages. If your FortiGate unit is behind a NAT device, see "Enabling push updates through a NAT device" on page 79.

Whenever the external IP address of the FortiGate unit changes, the FortiGate unit sends a new SETUP message to notify the FDN of the address change. As long as the FortiGate unit sends this SETUP message and the FDN receives it, the FDN can maintain the most up-to-date external IP address for the FortiGate unit.

The FortiGate unit sends the SETUP message if you change the external IP address manually, or if you have set the external interface addressing mode to DHCP or PPPoE and your DHCP or PPPoE server changes the IP address.

In Transparent mode, if you change the management IP address
status (continued)
  memory 67
  network 68
  sessions 68
  viewing dialup connection status 201
  viewing VPN tunnel status 201
  virus 69
subnet, definition 261
subnet address, definition 261
support contract number
  adding 88
  changing 88
support password, changing 89
syn interval 121
synchronize with NTP server 121
system configuration 121
system date and time, setting 121
system location, SNMP 127
system name, SNMP 127
system options, changing 122
system settings
  backing up 64
  restoring 64
  restoring to factory default 65
system status 53, 67, 113
system status monitor 70

T
TCP
  configuring checksum verification 216
  custom service 152
technical support 16
testing alert email 258
time, setting 121
time zone 121
timeout
  firewall authentication 122
  idle 122
  IPSec VPN 201
  web-based manager 122
to IP, system status 71
to port, system status 71
traffic
  configuring global settings 255
  filtering 254
  logging 254
traffic filter
  adding entries 256
  display 255
  log setting 255
  port number 255
  resolve IP 255
  service name 255
traffic log 253
Traffic Priority 143
Traffic Shaping 142
Transparent mode 13
  adding routes 102
  changing to 43, 65
  configuring the default gateway 43
  management interface 99
  management IP address 43
trap community, SNMP 127
traps, SNMP 129
troubleshooting 201
trusted host, administrator account 124, 125

U
UDP
  configuring checksum verification 216
  custom service 152
unwanted content, blocking 232, 246
update 25
... 192.168.1.0 for a class C subnet
• 0.0.0.0 to represent all possible IP addresses
6 Enter the Netmask. The netmask corresponds to the type of address that you are adding. For example:
• The netmask for the IP address of a single computer should be 255.255.255.255.
• The netmask for a class A subnet should be 255.0.0.0.
• The netmask for a class B subnet should be 255.255.0.0.
• The netmask for a class C subnet should be 255.255.255.0.
• The netmask for all addresses should be 0.0.0.0.
Note: To add an address to represent any address on a network, set the IP Address to 0.0.0.0 and the Netmask to 0.0.0.0.
7 Select OK to add the address.

Figure 7: Adding an internal address (New Address form)
Address Name: Web_Server
IP Address: 192.168.2.3
NetMask: 255.255.255.255

Editing addresses

Edit an address to change its IP address and netmask. You cannot edit the address name. To change the address name, you must delete the address entry and then add the address again with a new name.

To edit an address
1 Go to Firewall > Address.
2 Select the interface list containing the address that you want to edit.
3 Choose an address to edit and select Edit Address.
4 Make the required changes and select OK to save the changes.

Deleting addresses

Deleting an address removes it from an address list.

To delete an addres
... 192.168.1.1
Ending IP: 192.168.1.254
Netmask: 255.255.255.0
Lease Duration: 604800 seconds
Default Route: 192.168.1.99
Exclusion Range: 192.168.1.99 - 192.168.1.99

Factory default NAT/Route mode network configuration

When the FortiGate unit is first powered on, it is running in NAT/Route mode and has the basic network configuration listed in Table 3. This configuration allows you to connect to the FortiGate unit web-based manager and establish the configuration required to connect the FortiGate unit to the network. In Table 3, HTTPS management access means you can connect to the web-based manager using this interface. Ping management access means this interface responds to ping requests.

Table 3: Factory default NAT/Route mode network configuration
Administrator account | User name: admin | Password: none
Internal interface | IP: 192.168.1.99 | Netmask: 255.255.255.0 | Management Access: HTTPS, Ping
External interface | Addressing Mode: DHCP | Management Access: Ping

Factory default Transparent mode network configuration

If you switch the FortiGate unit to Transparent mode, it has the default network configuration listed in Table 4.

Table 4: Factory default Transparent mode network configuration
Administrator account | User name: admin | Password: none
Management IP | IP: 10.10.10.1 | Netmask: 255.255.255.0
  configuring PPTP gateway 203, 209
  Tunnel 142
  viewing dialup connection status 201
VPN events, enabling alert email 258
VPN tunnel, viewing status 201

W
web filtering
  ActiveX 240
  cookies 240
  Java applets 240
  overview 231, 245
web filtering log 253
web page content blocking 232, 246
web pattern blocking 237
web URL blocking 235
web-based manager
  connecting to 19, 35
  language 123
  timeout 122
WebTrends, recording logs on NetIQ WebTrends server 252
Windows 2000
  configuring for L2TP 211
  configuring for PPTP 207
  connecting to L2TP VPN 212
  connecting to PPTP VPN 207
Windows 98
  configuring for PPTP 206
  connecting to PPTP VPN 206
Windows XP
  configuring for L2TP 213
  configuring for PPTP 207
  connecting to L2TP VPN 214
  connecting to PPTP VPN 208
wizard
  firewall setup 35, 42
  starting 35, 42
worm list, displaying 229
worm protection 229
(Session list table row, not fully recoverable: ... 4708 192.168.110.3 443 58 T)

Virus and attack definitions updates and registration

You can configure the FortiGate unit to connect to the FortiResponse Distribution Network (FDN) to update the antivirus and attack definitions and the antivirus engine. You have the following update options:
• Request updates from the FDN.
• Schedule updates to automatically request the latest versions hourly, daily, or weekly.
• Set Push updates so that the FDN contacts your FortiGate unit when a new update is available.
To receive scheduled updates and push updates, you must register the FortiGate unit on the Fortinet support web page.

This chapter describes:
• Updating antivirus and attack definitions
• Scheduling updates
• Enabling push updates
• Registering FortiGate units
• Updating registration information
• Registering a FortiGate unit after an RMA

Updating antivirus and attack definitions

You can configure the FortiGate unit to connect to the FortiResponse Distribution Network (FDN) to automatically receive the latest antivirus and attack definitions and antivirus engine updates. The FortiGate unit supports the following antivirus and attack definition update features:
• User-initiated updates from the FDN
• Hourly, daily, or weekly scheduled antivirus and attack definition and antivirus engine updates from the FDN
update 253
  attack 77
  push 78
  updated antivirus 77
updating
  attack definitions 73, 75
  virus definitions 73, 75
upgrade firmware 55
upgrading
  firmware 54
  firmware using the CLI 55, 57
  firmware using the web-based manager 55, 56
URL
  adding to exempt URL list 241, 250
  adding to URL block list 237, 248
  blocking access 235, 248
URL block list
  adding URL 237, 248
  clearing 236
  downloading 233, 236, 242, 248
  uploading 233, 236, 242, 249
URL block message 232
URL blocking 235
  exempt URL list 241, 249
  web pattern blocking 237
URL exempt list, see also exempt URL list 241, 249
use selectors from policy, quick mode identifier 189
use wildcard selectors, quick mode identifier 189
user authentication 171
user groups
  configuring 177
  deleting 178
user name and password
  adding 173
  adding user name 172
user-defined ICMP services 153
user-defined IP services 153
user-defined signature, NIDS 218
user-defined TCP services 152
user-defined UDP services 152

V
viewing
  dialup connection status 201
  VPN tunnel status 201
virtual IP 157
  adding 158
  port forwarding 157, 159
  static NAT 157
virus definition updates, downloading 90
virus definitions, updating 73, 75
virus incidents, enabling alert email 258
virus list
  displaying 229
  viewing 229
virus log 253
virus protection, overview 225
virus status 69
VPN
  configuring L2TP gateway 209
  configuring PPTP gateway
2 Type a Group Name to identify the group. This name appears in the service list when you add a policy and cannot be the same as a predefined service name. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
3 To add services to the service group, select a service from the Available Services list and select the right arrow to copy it to the Members list.
4 To remove services from the service group, select a service from the Members list and select the left arrow to remove it from the group.
5 Select OK to add the service group.

Figure 9: Adding a service group (New Service Group form)
Group Name: web_Services
Available Services / Members lists

Schedules

Use schedules to control when policies are active or inactive. You can create one-time schedules and recurring schedules.

You can use one-time schedules to create policies that are effective once for the period of time specified in the schedule. Recurring schedules repeat weekly. You can use recurring schedules to create policies that are effective only at specified times of the day or on specified days of the week.

This section describes:
• Creating one-time schedules
• Creating recurring schedules
• Adding schedules to policies

Creating one-time schedules

You can cr
... (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Spaces and the < > ( ) # " characters are not allowed.
Trap Receiver IP Addresses: Type the IP addresses of up to three trap receivers on your network that are configured to receive traps from your FortiGate unit. Traps are only sent to the configured addresses.
4 Select Apply.

Figure 2: Sample SNMP configuration
Enable SNMP: selected
System Name: Fortigate
System Location: Server Room
Contact Information: Phone 555-1234
Get Community: our_get_com
Trap Community: our_trap_com
First Trap Receiver IP Address: 192.168.100.3
Second Trap Receiver IP Address: 192.168.23.7
Third Trap Receiver IP Address: 54.67.23.45

FortiGate MIBs

The FortiGate SNMP agent supports FortiGate proprietary MIBs as well as standard RFC 1213 and RFC 2665 MIBs. The FortiGate MIBs are listed in Table 1. You can obtain these MIB files from Fortinet technical support. To be able to communicate with the SNMP agent, you must compile all of these MIBs into your SNMP manager.

Your SNMP manager might already include standard and private MIBs in a compiled database that is ready to use. You must add the Fortinet proprietary MIBs to this database. If the standard MIBs used by the Fortinet SNMP agent are already compiled into your SNMP manager, you do not have to compile
Critical event: Used for critical firewall event alert emails.
Section Start: <CRITICAL_EVENT>
Allowed Tags: CRITICAL_EVENT (the firewall critical event message)
Section End: </CRITICAL_EVENT>

Firewall configuration

Firewall policies control all traffic passing through the FortiGate unit. Firewall policies are instructions that the FortiGate unit uses to decide what to do with a connection request. When the firewall receives a connection request in the form of a packet, it analyzes the packet to extract its source address, destination address, and service (port number).

For the packet to be connected through the FortiGate unit, a firewall policy must be in place that matches the source address, destination address, and service of the packet. The policy directs the firewall action on the packet. The action can be to allow the connection, deny the connection, require authentication before the connection is allowed, or process the packet as an IPSec VPN packet. You can also add schedules to policies so that the firewall can process connections differently depending on the time of day or the day of the week, month, or year.

Each policy can be individually configured to route connections or apply network address translation (NAT) to translate source and destin
... RADIUS server, which checks that the information is correct and then authorizes access to the ISP system.
Router: A device that connects LANs into an internal network and routes traffic between them.
Routing: The process of determining a path to use to send data to its destination.
Routing table: A list of valid paths through which data can be transmitted.
Server: An application that answers requests from other devices (clients). Used as a generic term for any device that provides services to the rest of the network, such as printing, high-capacity storage, and network access.
SMTP: Simple Mail Transfer Protocol. In TCP/IP networks, this is an application for providing mail delivery services.
SNMP: Simple Network Management Protocol. A set of protocols for managing networks. SNMP works by sending messages to different parts of a network. SNMP-compliant devices, called agents, store data about themselves in Management Information Bases (MIBs) and return this data to the SNMP requesters.
SSH: Secure shell. A secure Telnet replacement that you can use to log into another computer over a network and run commands. SSH provides strong, secure authentication and secure communications over insecure channels.
Subnet: A portion of a network that shares a common address component. On TCP/IP networks, subnets are defined as all devices whose IP addresses have the same prefix. For example, all devices with IP addresses that st
DNS | Primary DNS Server: 207.194.200.1 | Secondary DNS Server: 207.194.200.129
Management access | Internal: HTTPS, Ping | External: Ping

Factory default firewall configuration

The factory default firewall configuration is the same in NAT/Route and Transparent mode.

Table 5: Factory default firewall configuration
Internal Address | Internal_All | IP 0.0.0.0, Mask 0.0.0.0 | Represents all of the IP addresses on the internal network.
External Address | External_All | IP 0.0.0.0, Mask 0.0.0.0 | Represents all of the IP addresses on the external network.
Recurring Schedule | Always | The schedule is valid at all times. This means that the firewall policy is valid at all times.
Firewall Policy | Int > Ext | Firewall policy for connections from the internal network to the external network.
  Source | Internal_All | The policy source address Internal_All means that the policy accepts connections from any internal IP address.
  Destination | External_All | The policy destination address External_All means that the policy accepts connections with a destination address to any IP address on the external network.
  Schedule | Always | The policy schedule Always means that the policy is valid at any time.
  Service | ANY | The po
Figure: New Policy form (Int > Ext) with traffic shaping, authentication and virus scanning
Source: Internal_All
Destination: External_All
Schedule: Always
Service: ANY
Action: ACCEPT
NAT: selected; Dynamic IP Pool; Fixed Port
Traffic Shaping: Guaranteed Bandwidth 100 KBytes/s; Maximum Bandwidth 100 KBytes/s; Traffic Priority High
Authentication: User_Group_1
Anti-Virus & Web filter: Content Profile Scan
Log Traffic
Comments (maximum 63 characters)

Action: Select how you want the firewall to respond when the policy matches a connection attempt.
ACCEPT: Accept the connection. If you select ACCEPT, you can also configure NAT and Authentication for the policy.
DENY: Deny the connection. The only other policy option that you can configure is Log Traffic, to log the connections denied by this policy.
ENCRYPT: Make this policy an IPSec VPN policy. If you select ENCRYPT, you can select an AutoIKE Key or Manual Key VPN tunnel for the policy and configure other IPSec settings. You cannot add authentication to an ENCRYPT policy. ENCRYPT is not available in Transparent mode. See "Configuring encrypt policies" on page 193.

NAT: Configure the policy for NAT. NAT translates the source address and the source port of packets accepted by the policy. If you s
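The address and netmask rules (0.0.0.0/0.0.0.0 for any address, 255.255.255.255 for one host), the recurring schedules, and the policy matching rule (a packet must match the policy's source, destination and service before its action applies) can be checked as a whole. The following is an added example, not Fortinet code: it models those objects and evaluates packets against a small policy table. The Int > Ext policy and its Internal_All/External_All addresses are the factory defaults from Table 5 and the Web_Server address is from Figure 7; the Ext > Int policy, the office_hours schedule, the packets and the assumption that policies are evaluated top-down with an implicit deny at the end are constructed here.

```python
"""Address/netmask matching and first-match firewall policy evaluation.

Added example, not Fortinet code. Models the manual's description: an
address is an IP plus netmask, and a packet must match a policy's interface
pair, source, destination, service and schedule before the policy's action
applies. Assumption: policies are checked top-down, first match wins, and a
packet that matches no policy is denied.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Address:
    name: str
    ip: str
    netmask: str

    def contains(self, host: str) -> bool:
        # 0.0.0.0/0.0.0.0 becomes 0.0.0.0/0 (any); x/255.255.255.255 is one host
        net = ipaddress.ip_network(f"{self.ip}/{self.netmask}", strict=False)
        return ipaddress.ip_address(host) in net


@dataclass(frozen=True)
class Service:
    name: str
    protocol: str = "any"          # "tcp", "udp" or "any"
    port_low: int = 0
    port_high: int = 65535

    def matches(self, protocol: str, port: int) -> bool:
        proto_ok = self.protocol == "any" or self.protocol == protocol
        return proto_ok and self.port_low <= port <= self.port_high


@dataclass(frozen=True)
class RecurringSchedule:
    name: str
    days: FrozenSet[int]           # 0 = Monday ... 6 = Sunday
    start: time = time(0, 0)
    stop: time = time(23, 59)

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start <= when.time() <= self.stop


@dataclass(frozen=True)
class Policy:
    name: str
    src_if: str
    dst_if: str
    source: Address
    destination: Address
    schedule: RecurringSchedule
    service: Service
    action: str                    # "ACCEPT", "DENY" or "ENCRYPT"


@dataclass(frozen=True)
class Packet:
    src_if: str
    dst_if: str
    src_ip: str
    dst_ip: str
    protocol: str
    dst_port: int
    when: datetime


def evaluate(policies: List[Policy], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Return (action, policy name) for the first policy the packet matches."""
    for p in policies:
        if (p.src_if, p.dst_if) != (pkt.src_if, pkt.dst_if):
            continue
        if not (p.source.contains(pkt.src_ip) and p.destination.contains(pkt.dst_ip)):
            continue
        if not p.service.matches(pkt.protocol, pkt.dst_port):
            continue
        if not p.schedule.active(pkt.when):
            continue
        return p.action, p.name
    return "DENY", None            # implicit deny when nothing matches (assumption)


# Factory default objects (Table 5), the Figure 7 address, and constructed extras.
INTERNAL_ALL = Address("Internal_All", "0.0.0.0", "0.0.0.0")
EXTERNAL_ALL = Address("External_All", "0.0.0.0", "0.0.0.0")
WEB_SERVER = Address("Web_Server", "192.168.2.3", "255.255.255.255")
ANY = Service("ANY")
HTTPS = Service("HTTPS", "tcp", 443, 443)
ALWAYS = RecurringSchedule("Always", frozenset(range(7)))
OFFICE_HOURS = RecurringSchedule("office_hours", frozenset(range(5)), time(8, 0), time(18, 0))
POLICIES = [
    Policy("Int->Ext", "internal", "external", INTERNAL_ALL, EXTERNAL_ALL, ALWAYS, ANY, "ACCEPT"),
    Policy("Ext->Int web", "external", "internal", EXTERNAL_ALL, WEB_SERVER, OFFICE_HOURS, HTTPS, "ACCEPT"),
]
# Constructed sample timestamps: a Monday 10:00 and a Saturday 10:00.
MONDAY = datetime(2024, 1, 8, 10, 0)
SATURDAY = datetime(2024, 1, 13, 10, 0)

if __name__ == "__main__":
    pkt = Packet("external", "internal", "203.0.113.9", "192.168.2.3", "tcp", 443, MONDAY)
    print(evaluate(POLICIES, pkt))
```

The order of POLICIES matters: a broad ACCEPT placed above a narrower DENY would shadow it, so list the more specific policies first, exactly as you would order them on the unit.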
... FortiGate interfaces to which administrators can connect. Controlling administrative access for an interface connected to the Internet allows remote administration of the FortiGate unit from any location on the Internet. However, allowing remote administration from the Internet could compromise the security of your FortiGate unit. You should avoid allowing administrative access for an interface connected to the Internet unless this is required for your configuration. To improve the security of a FortiGate unit that allows remote administration from the Internet:
• Use secure administrative user passwords. Change these passwords regularly.
• Enable secure administrative access to this interface using only HTTPS or SSH.
• Do not change the system idle timeout from the default value of 5 minutes (see "To set the system idle timeout" on page 122).

To configure administrative access in Transparent mode, see "Configuring the management interface in Transparent mode" on page 99.

To control administrative access to an interface
1 Go to System > Network > Interface.
2 Choose an interface and select Modify.
3 Select the Administrative Access methods for the interface:
HTTPS: To allow secure HTTPS connections to the web-based manager through this interface.
PING: If you want this interface to respond to pings. Use this set
... DHCP request received by the DHCP server is not forwarded by a DHCP relay, the DHCP server decides which scope to use based on the IP address of the interface that received the DHCP request, usually the scope with the same subnet as the interface. If the DHCP request received by the server is forwarded by a DHCP relay, the relay IP is used to select the scope.

To add a scope to a DHCP server
1 Go to System > Network > DHCP.
2 Select Address Scope.
3 Select an interface. You must configure the interface as a DHCP server before it can be selected.
4 Select New to add an address scope.
5 Configure the address scope:
Scope Name: Enter the address scope name.
IP Pool: Enter the starting IP and ending IP for the range of IP addresses that this DHCP server assigns to DHCP clients.
Netmask: Enter the netmask that the DHCP server assigns to the DHCP clients.
Lease Duration: Enter the interval in days, hours, and minutes after which a DHCP client must ask the DHCP server for a new address. If you select Unlimited, DHCP leases never expire.
Domain: Optionally, enter the domain that the DHCP server assigns to the DHCP clients.
Default Route: Enter the default route to be assigned to DHCP clients. The default route must be on the same subnet as the IP pool.
6 Select Advanced if you want to configure Advanced Options:
DNS IP: Enter
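The scope-selection rule above (the receiving interface's IP for direct requests, the relay IP for relayed ones) and the constraint that the default route must lie on the IP pool subnet are easy to get wrong when several scopes exist. The following is an added example, not Fortinet code: it selects the scope for a request the way the text describes and validates a scope's pool, netmask, default route and exclusion ranges before it is configured. The first scope reproduces the factory default internal DHCP settings (pool 192.168.1.1-192.168.1.254, default route 192.168.1.99, exclusion 192.168.1.99); the branch scope and the malformed scopes are constructed. Modelling the lease as a number of seconds is an assumption.

```python
"""DHCP scope selection and validation following the manual's rules.

Added example, not Fortinet code. Assumptions: a directly received request
is keyed on the receiving interface's IP, a relayed request on the relay IP,
and the first scope whose subnet contains that key is used.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Iterator, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address


@dataclass
class Scope:
    name: str
    start_ip: str
    end_ip: str
    netmask: str
    lease_seconds: Optional[int]          # None models "Unlimited"
    default_route: str
    exclusions: List[Tuple[str, str]] = field(default_factory=list)

    @property
    def subnet(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(f"{self.start_ip}/{self.netmask}", strict=False)

    def _ranges(self) -> List[Tuple[IPv4, IPv4]]:
        return [(ipaddress.ip_address(lo), ipaddress.ip_address(hi)) for lo, hi in self.exclusions]

    def validate(self) -> List[str]:
        """Return the configuration problems found (an empty list means OK)."""
        problems = []
        start, end = ipaddress.ip_address(self.start_ip), ipaddress.ip_address(self.end_ip)
        route = ipaddress.ip_address(self.default_route)
        if start > end:
            problems.append("starting IP is after ending IP")
        if end not in self.subnet:
            problems.append("IP pool crosses the netmask boundary")
        if route not in self.subnet:
            problems.append("default route is not on the IP pool subnet")
        for lo, hi in self._ranges():
            if not (start <= lo <= hi <= end):
                problems.append(f"exclusion range {lo}-{hi} is outside the pool")
        # The factory default excludes the unit's own address from the pool;
        # a gateway that is also handed out as a lease breaks routing.
        if start <= route <= end and not any(lo <= route <= hi for lo, hi in self._ranges()):
            problems.append("default route lies inside the pool but is not excluded")
        return problems

    def assignable(self) -> Iterator[IPv4]:
        """Yield the pool addresses that are not covered by an exclusion range."""
        cur, end = ipaddress.ip_address(self.start_ip), ipaddress.ip_address(self.end_ip)
        ranges = self._ranges()
        while cur <= end:
            if not any(lo <= cur <= hi for lo, hi in ranges):
                yield cur
            cur += 1


def select_scope(scopes: List[Scope], interface_ip: str,
                 relay_ip: Optional[str] = None) -> Optional[Scope]:
    """Relayed requests are keyed on the relay IP, direct ones on the interface IP."""
    key = ipaddress.ip_address(relay_ip if relay_ip else interface_ip)
    for scope in scopes:
        if key in scope.subnet:
            return scope
    return None


# Factory default internal scope (Table 2 values) and a constructed branch scope.
FACTORY_INTERNAL = Scope("internal_default", "192.168.1.1", "192.168.1.254", "255.255.255.0",
                         604800, "192.168.1.99", [("192.168.1.99", "192.168.1.99")])
BRANCH = Scope("branch_lan", "10.20.0.10", "10.20.0.200", "255.255.255.0", None, "10.20.0.1")
SCOPES = [FACTORY_INTERNAL, BRANCH]

if __name__ == "__main__":
    chosen = select_scope(SCOPES, "192.168.1.99", relay_ip="10.20.0.1")
    print(chosen.name if chosen else None, FACTORY_INTERNAL.validate())
```

Run validate() on every scope before entering it on the unit; the default-route check mirrors the requirement stated above, and the exclusion check explains why the factory default excludes 192.168.1.99 from its own pool.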
ID | Rule Name | Revision
101646337 | gobbles SSH exploit attempt | 16
101646338 | ssh CRC32 overflow /bin/sh | 16
101646339 | ssh CRC32 overflow NOOP | 16
101646340 | ssh CRC32 overflow | 16
101646341 | x86 linux samba overflow | (not legible)
101646342 | Solaris x86 nlps overflow attempt | 16
101646343 | nlps x86 solaris overflow | 16
101646344 | LPRng overflow | 16
101646345 | redhat 7.0 lprd overflow | 16

Disabling NIDS attack signatures

By default, all NIDS attack signatures are enabled. You can use the NIDS signature list to disable detection of some attacks. Disabling unnecessary NIDS attack signatures can improve system performance and reduce the number of IDS log messages and alert emails that the NIDS generates. For example, the NIDS detects a large number of web server attacks. If you do not provide access to a web server behind your firewall, you might want to disable all web server attack signatures.

Note: To save your NIDS attack signature settings, Fortinet recommends that you back up your FortiGate configuration before you update the firmware and restore the saved configuration after the update.

To disable NIDS attack signatures
1 Go to NIDS > Detection > Signature List.
2 Scroll through the signature list to find the signature group that you want to disable. Attack ID numbers and rule names in attack log messages and alert email match those in the signature group members list. You can scroll through a signature group members list to locate specific attack
Addresses 146
  Adding addresses 147
  Editing addresses 148
  Deleting addresses 148
  Organizing addresses into address groups 148
Services 149
  Predefined services 149
  Adding custom TCP and UDP services 152
  Adding custom ICMP services 153
  Adding custom IP services 153
  Grouping services 153
Schedules 154
  Creating one-time schedules 155
  Creating recurring schedules 155
  Adding schedules to policies 156
10. Configure the Local ID that the FortiGate unit sends to the remote VPN peer.
    Preshared key: If the FortiGate unit is functioning as a client and uses its ID to authenticate itself to the remote VPN peer, enter an ID. If no ID is specified, the FortiGate unit transmits its IP address.
    RSA Signature: No entry is required, because the Local ID field contains the Distinguished Name (DN) of the certificate associated with this phase 1 configuration. The DN identifies the owner of the certificate and includes, as a minimum, a Common Name (CN). The DN is transmitted in place of an ID or IP address.

Configuring advanced options

To configure phase 1 advanced options
1. Select Advanced Options.
2. Select a Peer Option if you want to authenticate remote VPN peers by the ID that they transmit during phase 1.
    Accept any peer ID: Select to accept any peer ID and therefore not authenticate remote VPN peers by peer ID.
    Accept this peer ID: Select to authenticate a specific VPN peer, or a group of VPN peers that share one user name (ID) and password (pre-shared key). Also add the peer ID.
    Accept peer ID in dialup group: Select to authenticate each remote VPN peer with a unique user name (ID) and password (pre-shared key). Also select a dialup group (user group). Configure the user group before configuring this peer option.
3. Optionally, configure XAuth. XAuth (IKE eXtended Authentication) authenticates VPN peers at the user level.
Registering a FortiGate unit after an RMA

The Return Material Authorization (RMA) process starts when a registered FortiGate unit does not work properly because of a hardware failure. If this happens while the FortiGate unit is protected by hardware coverage, you can return the unit that is not functioning to your reseller or distributor. The RMA is recorded and you receive a replacement unit. Fortinet adds the RMA information to the Fortinet support database. When you receive the replacement unit, use the following procedure to update your product registration information.

To register a FortiGate unit after an RMA
1. Go to System > Update > Support.
2. Select Support Login.
3. Enter your Fortinet support user name and password to log in.
4. Select Add Registration.
5. Select the link to replace a unit with a new unit from an RMA.
6. Select Finish.

The list of FortiGate products that you have registered is displayed. The list now includes the replacement FortiGate unit. All support levels are transferred to the replacement unit.

Network configuration

You can use the System > Network page to change any of the following FortiGate
(Table 17, continued)
    Allowed Tag: QUARFILE, the name of the file that was quarantined.
    Section End: <QUARANTINE>

Customizing alert emails

Customize alert emails to control the content displayed in alert email messages sent to system administrators.

To customize alert emails
1. Go to System > Config > Replacement Messages.
2. For the alert email message that you want to customize, select Modify.
3. In the Message setup dialog box, edit the text of the message. Table 17 lists the replacement message sections that can be added to alert email messages and describes the tags that can appear in each section. In addition to the allowed tags, you can add text and HTML code.
4. Select OK to save the changes.

Table 17: Alert email message sections

NIDS event
    Used for NIDS event alert email messages.
    Section Start: <NIDS_EVENT>
    Allowed Tags: NIDS_EVENT, the NIDS attack message.
    Section End: <NIDS_EVENT>
Virus alert
    Used for virus alert email messages.
    Section Start: <VIRUS_ALERT>
    Allowed Tags: VIRUS, the name of the virus. PROTOCOL, the service for which the virus was detected. SOURCE_IP, the IP address from which the virus was received; for email, this is the IP address of the email server that sent the email co
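Table 17 tells you which tags each alert email section accepts and that arbitrary text and HTML may surround them. The following Python is an added example, not FortiGate code; the manual does not document the tag delimiter, so the %%TAG%% syntax, the section names used as dictionary keys, and the sample values are assumptions. It shows the two checks a renderer for such messages needs: rejecting tags that are not allowed in the section, and HTML-escaping values that originate in inspected traffic, such as a quarantined file name, before they are inserted into an HTML email body.

```python
"""Filling replacement-message tags for an alert email (added example).

Not FortiGate code. The allowed-tags table below is copied from Table 17;
the %%TAG%% delimiter is an assumption made for this illustration.
"""
import html
import re

# Allowed tags per section, from Table 17 on this page.
ALLOWED_TAGS = {
    "NIDS_EVENT": {"NIDS_EVENT"},
    "VIRUS_ALERT": {"VIRUS", "PROTOCOL", "SOURCE_IP"},
    "QUARANTINE": {"QUARFILE"},
}
TAG_RE = re.compile(r"%%([A-Z_]+)%%")   # assumed delimiter syntax


def disallowed_tags(section, template):
    """Tags used in `template` that the section does not permit, sorted."""
    allowed = ALLOWED_TAGS[section]
    return sorted({t for t in TAG_RE.findall(template) if t not in allowed})


def render_section(section, template, values, as_html=True):
    """Substitute allowed tags; escape values when the message body is HTML."""
    bad = disallowed_tags(section, template)
    if bad:
        raise ValueError(f"tags not allowed in {section}: {', '.join(bad)}")

    def substitute(match):
        # Values such as a quarantined file name are chosen by whoever sent the
        # traffic, so they are escaped before entering an HTML body.
        value = str(values.get(match.group(1), ""))
        return html.escape(value, quote=True) if as_html else value

    return TAG_RE.sub(substitute, template)


# Constructed sample values (not from the manual). The file name is the kind of
# attacker-chosen string that would arrive in a quarantine alert.
SAMPLE_VIRUS = {"VIRUS": "EICAR-Test-File", "PROTOCOL": "SMTP", "SOURCE_IP": "203.0.113.7"}
SAMPLE_QUARANTINE = {"QUARFILE": '<img src=x onerror="alert(1)">.exe'}

if __name__ == "__main__":
    print(render_section("VIRUS_ALERT",
                         "<p>%%VIRUS%% detected in %%PROTOCOL%% traffic from %%SOURCE_IP%%</p>",
                         SAMPLE_VIRUS))
    print(render_section("QUARANTINE", "Quarantined file: %%QUARFILE%%", SAMPLE_QUARANTINE))
```

Run as a script, the second line prints the file name with its angle brackets and quotes escaped, which is what keeps a crafted file name from becoming markup in an administrator's mail client; pass as_html=False only for a plain-text message body.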
Contents (continued)

Content profiles  166
  Default content profiles  167
  Adding content profiles  167
  Adding content profiles to policies  169
Users and authentication  171
  Setting authentication timeout  172
  Adding user names and configuring authentication  172
  Deleting user names from the internal database  173
  Configuring RADIUS support  174
    Adding RADIUS servers  174
    Deleting RADIUS servers  174
  Configuring LDAP support  175
    Adding LDAP servers
DNS Settings: Primary DNS Server, Secondary DNS Server

Using the setup wizard

From the web-based manager, you can use the setup wizard to create the initial configuration of your FortiGate unit. To connect to the web-based manager, see "Connecting to the web-based manager" on page 19.

Changing to Transparent mode

The first time that you connect to the FortiGate unit, it is configured to run in NAT/Route mode.

To switch to Transparent mode using the web-based manager
1. Go to System > Status.
2. Select Change to Transparent Mode.
3. Select Transparent in the Operation Mode list.
4. Select OK.

The FortiGate unit changes to Transparent mode. To reconnect to the web-based manager, change the IP address of your management computer to 10.10.10.2. Connect to the internal or DMZ interface and browse to https:// followed by the Transparent mode management IP address. The default FortiGate Transparent mode management IP address is 10.10.10.1.

Starting the setup wizard
1. Select Easy Setup Wizard (the middle button in the upper right corner of the web-based manager).
2. Use the information that you gathered in Table 14 on page 41 to fill in the wizard fields. Select the Next button to step through the wizard pages.
3. Confirm your configuration settings, and then select Finish and Close.
4. Reconnec
XAuth authenticates VPN peers at the user level. If the FortiGate unit (the local VPN peer) is configured as an XAuth server, it authenticates remote VPN peers by referring to a user group. The users contained in the user group can be configured locally on the FortiGate unit or on remotely located LDAP or RADIUS servers. If the FortiGate unit is configured as an XAuth client, it provides a user name and password when it is challenged.

XAuth: Enable as a Client
    Name: Enter the user name the local VPN peer uses to authenticate itself to the remote VPN peer.
    Password: Enter the password the local VPN peer uses to authenticate itself to the remote VPN peer.

XAuth: Enable as a Server
    Encryption method: Select the encryption method used between the XAuth client, the FortiGate unit, and the authentication server.
        PAP: Password Authentication Protocol.
        CHAP: Challenge Handshake Authentication Protocol.
        MIXED: Select MIXED to use PAP between the XAuth client and the FortiGate unit and CHAP between the FortiGate unit and the authentication server.
      Use CHAP whenever possible. Use PAP only if the authentication server does not support CHAP. Use PAP with all implementations of LDAP and some implementations of Microsoft RADIUS. Use MIXED if the authentication server supports CHAP but the XAuth client does not. Use MIXED with the Fortinet Remote VPN Client. S
    Usergroup
  Push updates from the FDN
  Update status, including version numbers, expiry dates, and update dates and times
  Push updates through a NAT device

Updating antivirus and attack definitions

The Update page on the web-based manager displays the following antivirus and attack definition update information:

Version
    Current antivirus engine, virus definition, and attack definition version numbers.
Expiry date
    Expiry date of your license for antivirus engine, virus definition, and attack definition updates.
Last update attempt
    Date and time on which the FortiGate unit last attempted to download antivirus engine, virus definition, and attack definition updates.
Last update status
    Success or failure of the last update attempt. "No updates" means the last update attempt was successful but no new updates were available. "Update succeeded" or similar messages mean the last update attempt was successful and new updates were installed. Other messages can indicate that the FortiGate unit was not able to connect to the FDN, or other error conditions.

This section describes:
  Connecting to the FortiResponse Distribution Network
  Manually initiating antivirus and attack definitions updates
  Configuring update logging

Connecting to the FortiResponse Distribution Network

Before the FortiGate unit can receive antivirus and attack updates, it must
DNS server addresses.

CLI

If you are configuring the FortiGate unit to operate in NAT/Route mode, you can add the administration password and the Internal interface address. You can also use the CLI to configure the external interface for either a manual (static) or a dynamic (DHCP or PPPoE) address. Using the CLI, you can also add DNS server IP addresses and a default route for the external interface. In NAT/Route mode, you can also change the configuration of the FortiGate DHCP server to supply IP addresses for the computers on your internal network.

If you are configuring the FortiGate unit to operate in Transparent mode, you can use the CLI to switch to Transparent mode. Then you can add the administration password, the management IP address and gateway, and the DNS server addresses.

FortiGate model maximum values matrix

Table 10: FortiGate maximum values matrix

FortiGate model          50A    60     100    200    300    400    500    800    1000   3000   3600   4000
Routes                   500    500    500    500    500    500    500    500    500    500    500    500
Policy routing gateways  500    500    500    500    500    500    500    500    500    500    500    500
Administrative users     500    500    500    500    500    500    500    500    500    500    500    500
VLAN subinterfaces       N/A    N/A    N/A    4096   4096   4096   4096   4096   4096   4096   4096   4096
RADIUS servers and LDAP servers to user groups.

To add a user group
1. Go to User > User Group.
2. Select New to add a new user group.
3. Enter a Group Name to identify the user group. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
4. To add users to the user group, select a user from the Available Users list and select the right arrow to add the name to the Members list.
5. To add a RADIUS server to the user group, select a RADIUS server from the Available Users list and select the right arrow to add the RADIUS server to the Members list.
6. To add an LDAP server to the user group, select an LDAP server from the Available Users list and select the right arrow to add the LDAP server to the Members list.

Figure 20: Adding a user group (User Group > New User Group; Group Name: PPTP_User_Group; Available Users and Members lists)

7. To remove users, RADIUS servers, or LDAP servers from the user group, select the entry in the Members list and select the left arrow to remove it from the group.
8. Select OK.

Deleting user groups

You cannot delete user groups that have been selected in a policy, a dialup user phase 1 configuration
SNMP manager.

General FortiGate traps

Table 2: General FortiGate traps

Cold Start
    The FortiGate unit starts or restarts, or an administrator enables the SNMP agent or changes FortiGate SNMP settings. This trap is sent when the agent starts during system startup.
System Down
    The SNMP agent stops because the FortiGate unit shuts down.
Agent Down
    An administrator disables the SNMP agent.
Agent Up
    An administrator enables the SNMP agent. This trap is also sent when the agent starts during system startup.
The <interface_name> Interface IP is changed to <new_IP>, Serial No <FortiGate_serial_no>
    The IP address of an interface of a FortiGate unit changes. The trap message includes the name of the interface, the new IP address of the interface, and the serial number of the FortiGate unit. This trap can be used to track interface IP address changes for interfaces configured with dynamic IP addresses set using DHCP or PPPoE.

System traps

Table 3: FortiGate system traps

interface <interface_name> is up
    An interface changes from the up state to the running state, indicating that the interface has been connected to a network. When the interface is up, it is administratively up but not connected to a network. When the interface is running, it is administratively up and connected to a network.
interface <interface_name> is down
    An interface
HTTPS on port 8890 to check for updates. The FortiGate external interface must have a path to the FortiResponse Distribution Network (FDN) using port 8890. To configure automatic virus and attack updates, see "Updating antivirus and attack definitions" on page 73.

Transparent mode configuration examples

A FortiGate unit operating in Transparent mode still requires a basic configuration to operate as a node on the IP network. As a minimum, the FortiGate unit must be configured with an IP address and subnet mask. These are used for management access and to allow the unit to receive antivirus and attack definitions updates. Also, the unit must have sufficient route information to reach:
  the management computer
  the FortiResponse Distribution Network (FDN)
  a DNS server

A route is required whenever the FortiGate unit connects to a router to reach a destination. If all of the destinations are located on the external network, you may need to enter only a single default route. If, however, the network topology is more complex, you may need to enter one or more static routes in addition to the default route.

This section describes:
  Default routes and static routes
  Example default route to an external network
  Example static route to an external destination
  Example static route to an interna
The routing broadcasts are UDP packets with a destination port of 520.
RIP1 Receive
    Enables listening on port 520 of an interface for RIP version 1 broadcasts.
RIP2 Send
    Enables sending RIP version 2 broadcasts from this interface to the network it is connected to. The routing broadcasts are UDP packets with a destination port of 520.
RIP2 Receive
    Enables listening on port 520 of an interface for RIP version 2 broadcasts.
Split Horizon
    Prevents RIP from sending updates for a route back out the interface from which it received those routes. Split horizon is enabled by default. Disable split horizon only if there is no possibility of creating a counting-to-infinity loop when the network topology changes.
Authentication
    Enables authentication for RIP version 2 packets sent and received by an interface. Because the original RIP standard does not support authentication, authentication is only available for RIP version 2.
Password
    Enter the password to be used for RIP version 2 authentication. The password can be up to 16 characters long.
Mode
    Defines the authentication used for RIP version 2 packets sent and received by this interface. If you select Clear, the password is sent as plain text. If you select MD5, the password is used to generate an MD5 hash. MD5 only guarantees the authenticity of the upda
Metric
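The Mode setting above contrasts a password sent in clear text with one that is only used to generate an MD5 hash. The following Python, added here as an illustration and not taken from the manual or from FortiGate, builds a RIPv2 Response both ways so the difference is visible in the bytes. The keyed-MD5 layout follows RFC 2082 (an authentication header entry, then a 16-byte digest trailer computed over the packet plus the zero-padded key); that FortiGate's MD5 mode is RFC 2082 keyed MD5 is an assumption, as are the sample routes and password. Note what the hash does and does not give you: a receiver holding the shared key detects a forged or altered update and the key itself never appears on the wire, but the route data is still plaintext, and MD5 is used here only because it is the option the interface offers.

```python
"""RIPv2 authentication on the wire: Clear (simple password) versus keyed MD5.

Added example; not FortiGate code. MD5 mode follows RFC 2082 (assumed to be
what a FortiGate interoperates with). Packets are built in memory, nothing is sent.
"""
import hashlib
import hmac
import socket
import struct

CMD_RESPONSE = 2
RIP_VERSION_2 = 2
AF_INET = 2
AF_AUTH = 0xFFFF       # address family value that marks an authentication entry
AUTH_CLEAR = 2         # simple password: 16 bytes of plain text
AUTH_MD5 = 3           # keyed message digest header
AUTH_TRAILER = 1       # marks the 16-byte digest entry at the end of the packet
KEY_LEN = 16


def _pad_key(password):
    """The manual allows up to 16 characters; RFC 2082 pads the key to 16 bytes."""
    return password.encode()[:KEY_LEN].ljust(KEY_LEN, b"\x00")


def _route_entry(prefix, mask, next_hop, metric):
    """One 20-byte RIPv2 route entry (AF_INET, route tag 0)."""
    return struct.pack("!HH4s4s4sI", AF_INET, 0, socket.inet_aton(prefix),
                       socket.inet_aton(mask), socket.inet_aton(next_hop), metric)


def build_response(routes, mode=None, password="", key_id=1, seq=1):
    """Build a RIPv2 Response carrying `routes`: unauthenticated, Clear, or MD5."""
    header = struct.pack("!BBH", CMD_RESPONSE, RIP_VERSION_2, 0)
    body = b"".join(_route_entry(*r) for r in routes)
    if mode is None:
        return header + body
    key = _pad_key(password)
    if mode == "clear":
        # The password itself occupies the first entry of every update.
        return header + struct.pack("!HH", AF_AUTH, AUTH_CLEAR) + key + body
    if mode == "md5":
        # Auth header: marker, type 3, RIP-2 packet length (excludes the trailer),
        # key id, digest length, sequence number (replay ordering), 8 reserved bytes.
        pkt_len = 4 + 20 * (1 + len(routes))
        auth_hdr = struct.pack("!HHHBBI8x", AF_AUTH, AUTH_MD5, pkt_len, key_id, KEY_LEN, seq)
        unsigned = header + auth_hdr + body + struct.pack("!HH", AF_AUTH, AUTH_TRAILER)
        # Digest = MD5(packet through the trailer marker || padded key).
        # Only the digest travels; the key never does.
        return unsigned + hashlib.md5(unsigned + key).digest()
    raise ValueError(mode)


def verify_md5(packet, password):
    """Receiver side: recompute the digest with the shared key and compare."""
    if len(packet) < 4 + 20 + 20:
        return False
    af, atype, pkt_len, _key_id, dlen, _seq = struct.unpack("!HHHBBI", packet[4:16])
    if af != AF_AUTH or atype != AUTH_MD5 or dlen != KEY_LEN:
        return False
    if pkt_len + 4 + KEY_LEN != len(packet):
        return False
    if packet[pkt_len:pkt_len + 4] != struct.pack("!HH", AF_AUTH, AUTH_TRAILER):
        return False
    expected = hashlib.md5(packet[:pkt_len + 4] + _pad_key(password)).digest()
    return hmac.compare_digest(expected, packet[pkt_len + 4:])


def password_visible(packet, password):
    """True if the password bytes appear verbatim in the packet (Clear mode does this)."""
    return password.encode() in packet


# Constructed sample routes for the demonstration (not from the manual).
SAMPLE_ROUTES = [("10.1.0.0", "255.255.0.0", "0.0.0.0", 1),
                 ("10.2.0.0", "255.255.0.0", "0.0.0.0", 3)]


def demo(password="s3cret"):
    clear = build_response(SAMPLE_ROUTES, "clear", password)
    signed = build_response(SAMPLE_ROUTES, "md5", password, key_id=1, seq=7)
    tampered = bytearray(signed)
    tampered[43] ^= 0x01          # flip a bit in the first route's metric
    return {
        "clear_leaks_password": password_visible(clear, password),
        "md5_leaks_password": password_visible(signed, password),
        "md5_verifies": verify_md5(signed, password),
        "wrong_key_verifies": verify_md5(signed, "wrong"),
        "tampered_verifies": verify_md5(bytes(tampered), password),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The sequence number in the authentication header is what RFC 2082 receivers use to reject replayed updates; a verifier deployed for real would also track the last sequence number seen per neighbour, which this illustration leaves out.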
CPU and memory status indicates how close the FortiGate unit is to running at full capacity. The web-based manager displays CPU and memory usage for core processes only. CPU and memory use for management processes (for example, for HTTPS connections to the web-based manager) is excluded.

If CPU and memory use is low, the FortiGate unit is able to process much more network traffic than is currently running. If CPU and memory use is high, the FortiGate unit is performing near its full capacity. Putting additional demands on the system might cause traffic processing delays. CPU- and memory-intensive processes, such as encrypting and decrypting IPSec VPN traffic, virus scanning, and processing high levels of network traffic containing small packets, increase CPU and memory usage.

To view CPU and memory status
1. Go to System > Status > Monitor. CPU & Memory status is displayed. The display includes bar graphs of current CPU and memory usage as well as line graphs of CPU and memory usage for the previous minute.
2. Set the automatic refresh interval and select Go to control how often the web-based manager updates the display. More frequent updates use system resources and increase network traffic. However, this occurs only when you are viewing the display using the web-based manager.
3. Select Refresh to manually update the information displayed.
3. Enable Advertise Default if you want RIP to always send the default route to neighbors, whether or not the default route is in the static routing table. If you disable Advertise Default, RIP never sends the default route.
4. Change the following RIP default settings as required. RIP defaults are effective in most configurations. You should only have to change these settings to troubleshoot problems with the RIP configuration.

RIP settings

Default Metric
    RIP uses the default metric to advertise routes learned from other routing protocols. Set Default Metric to a positive integer lower than 16 to advertise that metric for all routes learned from other routing protocols. The default setting for the Default Metric is 2.
Input Queue
    Change the depth of the RIP input queue. The higher the number, the deeper the input queue. Change the input queue depth to prevent loss of information from the routing table when you have a FortiGate unit sending at high speed to a router that cannot receive at high speed. The range is 0 to 1024. The default input queue depth is 50. A queue size of 0 means there is no input queue.
Output Delay
    Add a delay, in milliseconds, between packets in a multiple-packet RIP update. Add an output delay if you are configuring RIP on a FortiGate unit that could be sending packets to a router that cannot receive the packets at the rate the FortiGate
(Table 3: FortiGate system traps, continued)

interface <interface_name> is down
    An interface changes from the running state to the up state, indicating that the interface has been disconnected from a network.
CPU usage high
    CPU usage exceeds 90%.
memory low
    Memory usage exceeds 90%.
disk low
    On a FortiGate unit with a hard drive, hard drive usage exceeds 90%.
<FortiGate_serial_no> <interface_name>
    The configuration of an interface of a FortiGate unit changes. The trap message includes the name of the interface and the serial number of the FortiGate unit.
HA switch
    The primary unit in an HA cluster fails and is replaced with a new primary unit.

VPN traps

Table 4: FortiGate VPN traps

VPN tunnel is up
    An IPSec VPN tunnel starts up and begins processing network traffic.
VPN tunnel down
    An IPSec VPN tunnel shuts down.

NIDS traps

Table 5: FortiGate NIDS traps

Flood attack happened
    NIDS attack prevention detects and provides protection from a SYN flood attack.
Port scan attack happened
    NIDS attack prevention detects and provides protection from a port scan attack.

Antivirus traps

Table 6: FortiGate antivirus traps

virus detected
    The FortiGate unit detects a virus and removes the infected file from an HTTP or FTP download or from
Table 10: FortiGate maximum values matrix (continued)

FortiGate model                     50A    60     100    200    300    400    500    800    1000   3000   3600   4000
Zones                               N/A    N/A    N/A    100    100    100    100    100    200    300    500    500
Virtual domains                     N/A    N/A    N/A    16     32     64     64     64     128    512    512    512
DHCP address scopes                 32     32     32     32     32     32     32     32     32     32     32     32
DHCP reserved IP/MAC pairs          10     20     30     30     50     50     100    100    200    200    200    200
Firewall policies                   200    500    1000   2000   5000   5000   20000  20000  50000  50000  50000  50000
Firewall addresses                  500    500    500    500    3000   3000   6000   6000   10000  10000  10000  10000
Firewall address groups             500    500    500    500    500    500    500    500    500    500    500    500
Firewall custom services            500    500    500    500    500    500    500    500    500    500    500    500
Firewall service groups             500    500    500    500    500    500    500    500    500    500    500    500
Firewall recurring schedules        256    256    256    256    256    256    256    256    256    256    256    256
Firewall one-time schedules         256    256    256    256    256    256    256    256    256    256    256    256
Firewall virtual IPs                500    500    500    500    500    500    500    500    500    500    500    500
Firewall IP pools                   50     50     50     50     50     50     50     50     50     50     50     50
IP/MAC binding table entries        500    500    500    500    500    500    500    500    500    500    500    500
Firewall content profiles           32     32     32     32     32     32     32     32     32     32     32     32
User names                          20     500    1000   1000   1000   1000   1000   1000   1000   1000   1000   1000
RADIUS servers                      6      6      6      6      6      6      6      6      6      6      6      6
LDAP servers                        6      6      6      6      6      6      6      6      6      6      6      6
User groups                         100    100    100    100    100    100    100    100    100    100    100    100
Total number of user group members  300    300    300    300    300    300    300    300    300    300    300    300

Table footnote: Includes the number of physical interfaces.
each of the FortiGate models covered by the service contract.

Registering the FortiGate unit

Before registering a FortiGate unit, you require the following information:
  Your contact information, including:
    First and last name
    Company name
    Email address (your Fortinet support login user name and password will be sent to this email address)
    Address
    Contact phone number
  A security question and an answer to the security question. This information is used for password recovery. The security question should be a simple question that only you know the answer to. The answer should not be easy to guess.
  The product model and serial number for each FortiGate unit that you want to register. The serial number is located on a label on the bottom of the FortiGate unit. You can view the serial number from the web-based manager by going to System > Status. The serial number is also available from the CLI using the get system status command.
  FortiCare Support Contract numbers, if you purchased FortiCare Support Contracts for the FortiGate units that you want to register.

To register one or more FortiGate units
1. Go to System > Update > Support.
2. Enter your contact information on the product registration form.

Figure 5: Registering a FortiGate unit (contact information and security question)
characters long, the system displays a warning message but still accepts the password.
5. Select OK.
6. To edit the settings of an administrator account, select Edit.
7. Optionally, type a Trusted Host IP address and netmask for the location from which the administrator can log into the web-based manager. If you want the administrator to be able to access the FortiGate unit from any address, set the trusted host to 0.0.0.0 and the netmask to 255.255.255.255. To limit the administrator to only be able to access the FortiGate unit from a specific network, set the trusted host to the address of the network and set the netmask to the netmask for the network. For example, to limit an administrator to accessing the FortiGate unit from your internal network, set the trusted host to the address of your internal network (for example, 192.168.1.0) and set the netmask to 255.255.255.0.
8. Change the administrator's permission level as required.
9. Select OK.
10. To delete an administrator account, choose the account to delete and select Delete.

Configuring SNMP

You can configure the FortiGate SNMP agent to report system information and send traps to SNMP managers. Using an SNMP manager, you can access SNMP traps and data from any FortiGate interface or VLAN subinterface configured for SNMP management access. Because SNMP v1 and v2c carry the community string in clear text in every request, enable SNMP access only on the interfaces facing your SNMP managers. The FortiGate SNMP implementation is read-only. SNMP v1 and v2c compliant SNMP managers have read-only access to FortiGate system information
Index (continued)

administrator account  124
read-only access level, administrator account  124
recording logs  251
  on NetIQ WebTrends server  252
recovering a lost Fortinet support password  86
recurring schedule  156
  creating  155
registered FortiGate units, viewing the list of  87
registering
  FortiGate unit  83, 85, 86, 88
  FortiGate unit after an RMA  91
  list of registered FortiGate units  88
registration
  contact information  89
  security question  89
  updating information  86
relay, DHCP  104
remote administration  97, 99
replacement messages, customizing  128
reporting  251
reserved IP, adding to a DHCP server  106
resolve IP  255
  traffic filter  255
restarting  66
restoring system settings  64
restoring system settings to factory default  65
reverting firmware to an older version  59
RIP
  configuring  113
  filters  117
  interface configuration  115
  settings  113
RMA, registering a FortiGate unit  91
route
  adding default  100
  adding to routing table  101
  adding to routing table, Transparent mode  102
  destination  101
  device  101
router, next hop  97
routing  260
  adding static routes  101
  configuring  100
  configuring routing table  102
  policy  103
routing table  260
  adding default route  100
  adding routes  101
  adding routes, Transparent mode  102
  configuring  102

S
scanning, antivirus  226
schedule  154
  applying to policy  156
  automatic antivirus and attack definition updates  76
  creating one-time  155
  creating recurring  155
  one-time  155
  policy o
Contents (continued)

  Viewing the signature list  217
  Viewing attack descriptions  217
  Disabling NIDS attack signatures  218
  Adding user-defined signatures  218
Preventing attacks  220
  Enabling NIDS attack prevention  220
  Enabling NIDS attack prevention signatures  220
  Setting signature threshold values  221
Logging attacks  222
  Logging attack messages to the attack log  222
  Reducing the number of NIDS attack log and email messages  222
Antivirus protection  225
  General configuration steps
fragmented email from blocking" on page 228.
    Select OK.

Figure 16: Example content profile (Edit Content Profile; Profile Name: Scan). Options per protocol (HTTP, FTP, IMAP, POP3, SMTP): Anti-Virus Scan, File Block, Quarantine, Web URL Block, Web Content Block, Web Script Filter, Web Exempt List, Email Block List, Email Exempt List, Email Content Block, Oversized File/Email (block or pass), Pass Fragmented Emails.

Adding content profiles to policies

You can add content profiles to policies with action set to allow or encrypt and with service set to ANY, HTTP, FTP, IMAP, POP3, SMTP, or a service group that includes these services.

To add a content profile to a policy
1. Go to Firewall > Policy.
2. Select a policy list that contains policies that you want to add a content profile to. For example, to enable network protection for files downloaded by internal network users from the web, select an internal-to-external policy list.
3. Select New to add a new policy, or choose a policy and select Edit.
4. Select the Anti-Virus & Web filter check box.
5. Select a content profile from the list.
6. Configure the remaining policy settings, if required.
7. Select OK.
8. Repeat this procedure for any policies that y
name for pre-shared key and certificate VPNs.

To add a phase 2 configuration
1. Go to VPN > IPSEC > Phase 2.
2. Select New to add a new phase 2 configuration.
3. Enter a Tunnel Name. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
4. Select a Remote Gateway to associate with the VPN tunnel. A remote gateway can be either a gateway to another network or an individual client on the Internet. Remote gateways are added as part of the phase 1 configuration. For details, see "Adding a phase 1 configuration for an AutoIKE VPN" on page 183. Choose either a single DIALUP remote gateway or up to three STATIC remote gateways. Multiple STATIC remote gateways are necessary if you are configuring IPSec redundancy.
5. Configure the P2 Proposal. Select up to three encryption and authentication algorithm combinations to propose for phase 2. The VPN peers must use the same P2 proposal settings.
6. Optionally, enable Replay Detection. Replay detection protects the VPN tunnel from replay attacks.
   Note: Do not select replay detection if you have also selected Null Authentication for the P2 Proposal. Replay detection checks the ESP sequence number, and that number is only protected from tampering when the packet is authenticated.
7. Optionally, enable Perfect Forward Secrecy (PFS). PFS improves security by forcing a new Diffie-Hellman exchange whenever keylife expires.
8. Select the DH Group(s). The VPN peers must use the same DH Group settings.
9. Enter the Keylife. Th
& Web filter in a firewall policy, you select a content profile that controls how email filtering behaves for email (IMAP and POP3) traffic. Content profiles control the following types of protection to identify unwanted email:
  filtering unwanted sender address patterns
  filtering unwanted content
  exempting sender address patterns from blocking

This chapter describes:
  General configuration steps
  Email banned word list
  Email block list
  Email exempt list
  Adding a subject tag

General configuration steps

Configuring email filtering involves the following general steps:
1. Select email filter options in a new or existing content profile. See "Adding content profiles" on page 167.
2. Select the Anti-Virus & Web filter option in firewall policies that allow IMAP and POP3 connections through the FortiGate unit. Select a content profile that provides the email filtering options that you want to apply to a policy. See "Adding content profiles to policies" on page 169.
3. Add a subject tag to the unwanted email so that receivers can use their mail client software to filter messages based on the tag. See "Adding a subject tag" on page 250.

Note: For information about receiving email filter log messages, see "Configuring logging" in the FortiGate Logging Configuration and Reference Guide. For information about email filter log message categories and formats, see "Log messages" in the FortiGate Logg
an automated system of key management is required. IPSec supports the automated generation and negotiation of keys using the Internet Key Exchange (IKE) protocol. This method of key management is referred to as AutoIKE. Fortinet supports AutoIKE with pre-shared keys and AutoIKE with certificates.

AutoIKE with pre-shared keys

If both peers in a session are configured with the same pre-shared key, they can use it to authenticate themselves to each other. The peers do not send the key to each other. Instead, as part of the security negotiation process, they use it in combination with a Diffie-Hellman group to create a session key. The session key is used for encryption and authentication and is automatically regenerated by IKE during the communication session. Pre-shared keys are similar to manual keys in that they require the network administrator to distribute and manage matching information at the VPN peer sites. Whenever a pre-shared key changes, the administrator must update both sites.

AutoIKE with certificates

This method of key management involves a trusted third party, the certificate authority (CA). Each peer in a VPN is first required to generate a set of keys known as a public/private key pair. The CA signs the public key for each peer, creating a signed digital certificate. The peer then contacts the CA to retrieve its own certificate plus that of the CA. After the certificates are uploaded to the FortiGate units and appropriate IPSec tu
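To make the pre-shared key mechanism concrete, here is an added example (not FortiGate code) sketching how two peers combine a pre-shared key with a Diffie-Hellman exchange in the style of IKEv1, where SKEYID = prf(psk, Ni | Nr) and the session key is derived from SKEYID and the DH shared secret g^xy. The key itself never crosses the wire, and a peer configured with a different key derives a different session key even after seeing the entire exchange. The DH group below is a toy 127-bit prime chosen for brevity and is an assumption of this example; a real peer uses the IKE groups (DH Group 2, 5 or 14).

```python
"""AutoIKE with a pre-shared key, sketched as an added example (not
FortiGate code). The DH group is a TOY 127-bit prime, not an IKE group.
"""
import hashlib
import hmac
import secrets

P = 2**127 - 1            # toy Mersenne prime: do not use outside this demo
G = 3
NBYTES = 16               # enough to hold any value below P


def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


class Peer:
    def __init__(self, psk):
        self.psk = psk
        self.x = secrets.randbelow(P - 2) + 1     # private DH exponent
        self.nonce = secrets.token_bytes(16)      # Ni or Nr

    def public(self):
        return pow(G, self.x, P)                  # g^x, sent in the clear

    def session_key(self, peer_public, ni, nr):
        skeyid = prf(self.psk, ni + nr)           # binds the exchange to the PSK
        gxy = pow(peer_public, self.x, P).to_bytes(NBYTES, "big")
        return prf(skeyid, gxy)                   # fresh for every DH exchange


def negotiate(initiator, responder):
    """Return (initiator_key, responder_key, bytes_seen_on_the_wire)."""
    ni, nr = initiator.nonce, responder.nonce
    wire = b"".join([initiator.public().to_bytes(NBYTES, "big"), ni,
                     responder.public().to_bytes(NBYTES, "big"), nr])
    ki = initiator.session_key(responder.public(), ni, nr)
    kr = responder.session_key(initiator.public(), ni, nr)
    return ki, kr, wire


def demo():
    psk = b"constructed-pre-shared-key"           # constructed example key
    a, b = Peer(psk), Peer(psk)
    ka, kb, wire = negotiate(a, b)
    # keylife expiry with PFS: new exponents and nonces give a new key
    ka2, kb2, _ = negotiate(Peer(psk), Peer(psk))
    # a peer configured with the wrong key cannot agree with a correct one
    kc, kd, _ = negotiate(Peer(psk), Peer(b"wrong-key"))
    return {
        "peers_agree": ka == kb,
        "psk_on_wire": psk in wire,
        "rekey_differs": ka2 != ka,
        "wrong_psk_agrees": kc == kd,
    }
```

An observer of the wire sees only g^x, g^y and the nonces; without the pre-shared key it cannot compute SKEYID, and without a private exponent it cannot compute g^xy, which is the division of labour between authentication (the key) and secrecy (the DH exchange) that the text describes.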
an email message.

Logging traps

Table 7: FortiGate logging traps

Trap message | Description
log full | On a FortiGate unit with a hard drive, hard drive usage exceeds 90%. On a FortiGate unit without a hard drive, log-to-memory usage exceeds 90%.

Fortinet MIB fields

The Fortinet MIB contains fields for configuration settings and current status information for all parts of the FortiGate product. This section lists the names of the high-level MIB fields and describes the configuration and status information available for each one. You can view more details about the information available from all Fortinet MIB fields by compiling the fortinet.mib file into your SNMP manager and browsing the Fortinet MIB fields.

System configuration and status

Table 8: System MIB fields

MIB field | Description
fnSysStatus | FortiGate system configuration, including operation mode, firmware version, virus definition version, attack definition version and serial number. Status monitor information, including current CPU usage, CPU idle status, CPU interrupts, memory usage, system up time and the number of active communication sessions, as well as descriptive information for each active communication session.
fnSysUpdate | FortiGate system update configuration, including connection status to the FDN, push update status, periodic update status a
art with 100.100.100 would be part of the same subnet. Dividing a network into subnets is useful for both security and performance reasons. IP networks are divided using a subnet mask.

Subnet Address: The part of the IP address that identifies the subnetwork.

TCP: Transmission Control Protocol. One of the main protocols in TCP/IP networks. TCP guarantees delivery of data and also guarantees that packets will be delivered in the same order in which they were sent.

UDP: User Datagram Protocol. A connectionless protocol that, like TCP, runs on top of IP networks. Unlike TCP, UDP provides very few error recovery services, offering instead a direct way to send and receive datagrams over an IP network. It is used primarily for broadcasting messages over a network.

VPN: Virtual Private Network. A network that links private networks over the Internet. VPNs use encryption and other security mechanisms to ensure that only authorized users can access the network and that data cannot be intercepted.

Virus: A computer program that attaches itself to other programs, spreading itself through computers or networks by this mechanism, usually with harmful intent.

Worm: A program or algorithm that replicates itself over a computer network, usually through email, and performs malicious actions such as using up the computer's resources and possibly shutting the system down.
atches is applied to the connection attempt. If no policy matches, the connection is dropped.

The default policy accepts all connection attempts from the internal network to the Internet. From the internal network, users can browse the web, use POP3 to get email, use FTP to download files through the firewall, and so on. If the default policy is at the top of the Int > Ext policy list, the firewall allows all connections from the internal network to the Internet because all connections match the default policy. If more specific policies are added to the list below the default policy, they are never matched.

A policy that is an exception to the default policy, for example a policy to block FTP connections, must be placed above the default policy in the Int > Ext policy list. In this example, all FTP connection attempts from the internal network would then match the FTP policy and be blocked. Connection attempts for all other kinds of services would not match the FTP policy, but they would match the default policy. Therefore the firewall would still accept all other connections from the internal network.

Note: Policies that require authentication must be added to the policy list above matching policies that do not; otherwise the policy that does not require authentication is selected first.

Changing the order of policies in a policy list

To change the order of a policy in a policy list

1. Go to Firewall > Policy.
2. Select the policy li
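The ordering rules above are easy to get wrong in a long list, so here is an added example (not FortiGate code) that evaluates a policy list with the same first-match semantics and includes a small shadowing check you can run before committing a list. Policies are simplified to a CIDR source, a CIDR destination, a service name, an action and an authentication flag; the addresses and policy names are constructed.

```python
"""First-match evaluation of a firewall policy list. Added example, not
FortiGate code; addresses and policy names are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Policy:
    name: str
    src: str          # CIDR the source address must fall in
    dst: str          # CIDR the destination address must fall in
    service: str      # "ANY" or a service name such as "FTP"
    action: str       # "ACCEPT" or "DENY"
    auth: bool = False


def matches(policy, src, dst, service):
    return (ip_address(src) in ip_network(policy.src)
            and ip_address(dst) in ip_network(policy.dst)
            and policy.service in ("ANY", service))


def evaluate(policies, src, dst, service):
    """Return the first policy that matches, or None for the implicit drop."""
    for policy in policies:
        if matches(policy, src, dst, service):
            return policy
    return None


def shadowed(policies):
    """Names of policies that can never match because an earlier policy
    covers a superset of their traffic. Worth running before saving a list."""
    names = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if (ip_network(later.src).subnet_of(ip_network(earlier.src))
                    and ip_network(later.dst).subnet_of(ip_network(earlier.dst))
                    and earlier.service in ("ANY", later.service)):
                names.append(later.name)
                break
    return names


INTERNAL, ANYWHERE = "192.168.1.0/24", "0.0.0.0/0"
DEFAULT = Policy("default", INTERNAL, ANYWHERE, "ANY", "ACCEPT")
BLOCK_FTP = Policy("block-ftp", INTERNAL, ANYWHERE, "FTP", "DENY")
WEB_AUTH = Policy("web-auth", INTERNAL, ANYWHERE, "HTTP", "ACCEPT", auth=True)
WEB_OPEN = Policy("web-open", INTERNAL, ANYWHERE, "HTTP", "ACCEPT")


def demo():
    host, server = "192.168.1.10", "203.0.113.5"     # constructed addresses
    wrong = [DEFAULT, BLOCK_FTP]        # exception below the default: dead
    right = [BLOCK_FTP, DEFAULT]        # exception above the default
    return {
        "wrong_order_ftp": evaluate(wrong, host, server, "FTP").name,
        "right_order_ftp": evaluate(right, host, server, "FTP").action,
        "right_order_http": evaluate(right, host, server, "HTTP").name,
        "shadowed_in_wrong": shadowed(wrong),
        "auth_first": evaluate([WEB_AUTH, WEB_OPEN], host, server, "HTTP").auth,
        "auth_last": evaluate([WEB_OPEN, WEB_AUTH], host, server, "HTTP").auth,
        "no_match_dropped": evaluate(right, "10.0.0.1", server, "HTTP"),
    }
```

With the default on top, FTP from the internal network is accepted and `shadowed` reports the FTP policy as unreachable; with the order reversed the FTP attempt is denied while HTTP still falls through to the default. The two HTTP policies show the authentication note: whichever comes first wins.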
atches the L2TP address range.
   Set Destination to the address to which L2TP users can connect.
   Set Service to match the traffic type inside the L2TP VPN tunnel. For example, if L2TP users can access a web server, select HTTP.
   Set Action to ACCEPT.
   Select NAT if address translation is required.
   You can also configure traffic shaping, logging, and antivirus and web filter settings for L2TP policies.
   Select OK to save the firewall policy.

Configuring a Windows 2000 client for L2TP

Use the following procedure to configure a client computer running Windows 2000 so that it can connect to a FortiGate L2TP VPN.

To configure an L2TP dialup connection

1. Go to Start > Settings > Network and Dial-up Connections.
2. Double-click Make New Connection to start the Network Connection Wizard and select Next.
3. For Network Connection Type, select Connect to a private network through the Internet and select Next.
4. For Destination Address, enter the address of the FortiGate unit to connect to and select Next.
5. Set Connection Availability to Only for myself and select Next.
6. Select Finish.
7. In the Connect window, select Properties.
8. Select the Security tab.
9. Make sure that Require data encryption is selected.
   Note: If a RADIUS server is used for authentication, do not select Require data encryption. L2TP encryption is not
ate file to the FortiGate unit. The FortiGate unit updates the antivirus definitions. This takes about 1 minute.
6. Go to System > Status to confirm that the Antivirus Definitions Version information has updated.

Manual attack definition updates

The Status page of the FortiGate web-based manager displays the current installed versions of the FortiGate Attack Definitions used by the Network Intrusion Detection System (NIDS).

Note: For information about configuring the FortiGate unit for automatic attack definitions updates, see Virus and attack definitions updates and registration on page 73. You can also manually start an attack definitions update by going to System > Update and selecting Update Now.

To update the attack definitions manually

1. Download the latest attack definitions update file from Fortinet and copy it to the computer that you use to connect to the web-based manager.
2. Start the web-based manager and go to System > Status.
3. In the Attack Definitions Version section, select Definitions Update.
4. Type the path and filename for the attack definitions update file, or select Browse and locate the attack definitions update file.
5. Select OK to copy the attack definitions update file to the FortiGate unit. The FortiGate unit updates the attack definitions. This takes about 1 minute.
6. Go to System > Status to confirm that the Attack Definitions Version information has updated.
ate unit functions as a DHCP server for your internal network. If you configure the computers on your internal network to obtain an IP address automatically using DHCP, the FortiGate unit automatically sets the IP addresses of the computers in this range:

Starting IP: 192.168.1.1
Ending IP: 192.168.1.254

One IP address is reserved for the FortiGate internal interface: 192.168.1.99.

To use the factory default configuration, follow these steps to install the FortiGate unit:

1. Configure the TCP/IP settings of the computers on your internal network to obtain an IP address automatically using DHCP. Refer to your computer documentation for assistance.
2. Complete the procedure in the section Connecting the FortiGate unit to your networks on page 37.

Changing the default configuration

You can use the procedures in this chapter to change the default configuration. For example, if your ISP assigns IP addresses using PPPoE instead of DHCP, you only need to change the configuration of the external interface. Use the information in the rest of this chapter to change the default configuration as required.

Preparing to configure NAT/Route mode

Use Table 12 to gather the information that you need to customize NAT/Route mode settings.

Table 12: NAT/Route mode settings

Administrator password
ate unit is sending them. Output Delay can be from 8 to 50 milliseconds. The default output delay is 0 milliseconds.

Change the following RIP timer settings as required. RIP timer defaults are effective in most configurations. You should only have to change these timers to troubleshoot network routing problems. All routers and access servers in the network should have the same RIP timer settings.

Update: The time interval in seconds between RIP updates. The default is 30 seconds.

Invalid: The time interval in seconds after which a route is declared invalid. Invalid should be at least three times the value of Update. During the invalid interval, after the first update is missed and before the invalid timer expires, the route is marked inaccessible and advertised as unreachable; however, the route is still used for forwarding packets. The invalid interval allows for the loss of one or more update packets before RIP considers the route unusable. If RIP receives an update for a route before the invalid timer expires, it resets the invalid timer to 0. The default for Invalid is 180 seconds.

Holddown: The time interval in seconds during which RIP ignores routing information for a route. Holddown should be at least three times the value of Update. A route enters the holddown state when RIP receives an update packet indicating that a route is unreachable or when the invalid timer for the route expires. The holddown interval allows time
ates antivirus and attack definitions. The update log messages are recorded in the FortiGate Event log.

To configure update logging

1. Go to Log & Report > Log Setting.
2. Select Config Policy for the type of logs that the FortiGate unit is configured to record. For information about recording logs, see Recording logs on page 251.
3. Select Update to record log messages when the FortiGate unit updates antivirus and attack definitions.
4. Select any of the following update log options:
   Failed Update: Records a log message whenever an update attempt fails.
   Successful Update: Records a log message whenever an update attempt is successful.
   FDN error: Records a log message whenever the FortiGate unit cannot connect to the FDN or receives an error message from the FDN.
5. Select OK.

Scheduling updates

The FortiGate unit can check for and download updated definitions hourly, daily or weekly, according to a schedule that you specify. This section describes:

• Enabling scheduled updates
• Adding an override server
• Enabling scheduled updates through a proxy server

Enabling scheduled updates

To enable scheduled updates

1. Go to System > Update.
2. Select the Scheduled Update check box.
3. Select one of the following to check for and download updates:
   Hourly: Once every 1 to 23 hours. Select the number of hours and minutes between each update request.
   Daily: Once a day. You can specify the time of day to check for updates.
   Weekly: Once
ation IP addresses and ports. You can add IP pools to use dynamic NAT when the firewall translates source addresses. You can use policies to configure port address translation (PAT) through the FortiGate.

You can add content profiles to policies to apply antivirus protection, web filtering and email filtering to web, file transfer and email services. You can create content profiles that perform one or any combination of the following actions:

• Apply antivirus protection to HTTP, FTP, SMTP, IMAP or POP3 services
• Apply web filtering to HTTP services
• Apply email filtering to IMAP and POP3 services

You can also add logging to a firewall policy so that the FortiGate unit logs all connections that use this policy.

This chapter describes:

• Default firewall configuration
• Adding firewall policies
• Configuring policy lists
• Addresses
• Services
• Schedules
• Virtual IPs
• IP pools
• IP/MAC binding
• Content profiles

Default firewall configuration

Firewall policies control connections between interfaces. By default, the users on your internal network can connect through the FortiGate unit to the Internet. The firewall blocks all other connections. The firewall is configured with a default policy that matches any connection request received from the internal network and instructs the
ation in this window to register your FortiGate unit so that Fortinet can contact you for firmware updates. You must also register to receive updates to the FortiGate virus and attack definitions.

Figure 2: FortiGate login (Name and Password fields)

Connecting to the command line interface (CLI)

As an alternative to the web-based manager, you can install and configure the FortiGate unit using the CLI. Configuration changes made with the CLI are effective immediately, without resetting the firewall or interrupting service.

To connect to the FortiGate CLI, you need:

• a computer with an available communications port
• the null modem cable included in your FortiGate package
• terminal emulation software such as HyperTerminal for Windows

Note: The following procedure describes how to connect to the CLI using Windows HyperTerminal software. You can use any terminal emulation program.

To connect to the CLI

1. Connect the null modem cable to the communications port of your computer and to the FortiGate Console port.
2. Make sure that the FortiGate unit is powered on.
3. Start HyperTerminal, enter a name for the connection, and select OK.
4. Configure HyperTerminal to connect directly to the communications port on the computer to which you have connected the null modem cable and select OK.
5. Select
attack log and email messages. Intrusion attempts might generate an excessive number of attack messages. Based on the frequency with which messages are generated, the FortiGate unit automatically deletes duplicates. If you still receive an excessive number of unnecessary messages, you can manually disable message generation for unneeded signature groups.

Automatic message reduction

The attack log and alert email messages that the NIDS produces include the ID number and name of the attack that generated the message. The attack ID number and name in the message are identical to the ID number and rule name that appear on the NIDS Signature Group Members list.

The FortiGate unit uses an alert email queue in which each new message is compared with the previous messages. If the new message is not a duplicate, the FortiGate unit sends it immediately and puts a copy in the queue. If the new message is a duplicate, the FortiGate unit deletes it and increases an internal counter for the number of message copies in the queue. The FortiGate unit holds duplicate alert email messages for 60 seconds. If a duplicate message has been in the queue for more than 60 seconds, the FortiGate unit deletes the message and increases the copy number. If the copy number is greater than 1, the FortiGate unit sends a summary email that includes Repeated x times in the subject header, the statement
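The queue described above is a small piece of detection engineering worth seeing end to end, so here is an added example (not FortiGate code) that models it: the first copy of an alert is sent at once, later copies of the same alert within the 60-second hold are counted rather than sent, and when the hold expires a single "Repeated x times" summary goes out. Keying duplicates on the attack ID and the exact summary wording are assumptions of the example; the timestamps and alerts are constructed so the run is reproducible.

```python
"""Duplicate suppression for NIDS alert email, modelled on the queue the
manual describes. Added example, not FortiGate code; keying on attack ID
and the summary wording are assumptions. Times are seconds, injected by
the caller."""
HOLD_SECONDS = 60


class AlertQueue:
    def __init__(self, hold=HOLD_SECONDS):
        self.hold = hold
        self.pending = {}       # attack_id -> [first_seen, subject, copies]
        self.sent = []          # (time, subject) that were actually emailed

    def expire(self, now):
        """Drop entries older than the hold and send a summary for any that
        accumulated more than one copy."""
        stale = [k for k, v in self.pending.items() if now - v[0] > self.hold]
        for key in stale:
            first_seen, subject, copies = self.pending.pop(key)
            if copies > 1:
                self.sent.append((now, f"Repeated {copies} times: {subject}"))

    def offer(self, now, attack_id, subject):
        """Offer a new alert; returns 'sent' or 'suppressed'."""
        self.expire(now)
        entry = self.pending.get(attack_id)
        if entry is not None:               # duplicate of a queued message
            entry[2] += 1
            return "suppressed"
        self.pending[attack_id] = [now, subject, 1]
        self.sent.append((now, subject))    # first copy goes out immediately
        return "sent"


def demo():
    """Constructed burst: one scanner repeating, one unrelated alert, then
    the scanner again after the hold has expired."""
    q = AlertQueue()
    burst = [(0, 1001, "Port scan from 198.51.100.7"),
             (5, 1001, "Port scan from 198.51.100.7"),
             (10, 1001, "Port scan from 198.51.100.7"),
             (20, 2002, "SQL injection attempt"),
             (70, 1001, "Port scan from 198.51.100.7")]
    outcomes = [q.offer(t, aid, subj) for t, aid, subj in burst]
    q.expire(200)                           # end of run: flush what is left
    return outcomes, q.sent
```

Three copies of the port-scan alert in ten seconds produce one immediate email and, once the hold lapses, one summary; the fourth copy arrives after expiry and so starts a new cycle. The cost of this design is visible too: an attacker who knows the hold interval can hide a second event behind an identical first one for up to a minute, which is why the summary carries the copy count.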
235
Configuring FortiGate Web URL blocking 235
Configuring FortiGate Web pattern blocking 237
Configuring Cerberian URL filtering 238
   Installing a Cerberian license key 238
   Adding a Cerberian user 238
   Configuring Cerberian web filter 239
   Enabling Cerberian URL filtering 239
Script filtering 240
   Enabling script filtering 240
   Selecting script filter options 240
Exempt URL list 241
   Adding URLs to the URL Exempt list 241
   Downloading the URL Exempt List 242
   Uploading a URL Exempt List
ber or path names.
   E-Mail: For E-mail, enter the email address of the owner of the FortiGate unit being certified. Typically, e-mail addresses are entered only for clients, not gateways.
5. Configure the Optional Information to further identify the object being certified:
   Organization Unit: Enter a name that identifies the department or unit within the organization that is requesting the certificate for the FortiGate unit, such as Manufacturing or MF.
   Organization: Enter the legal name of the organization that is requesting the certificate for the FortiGate unit, such as Fortinet.
   Locality: Enter the name of the city or town where the FortiGate unit is located, such as Vancouver.
   State/Province: Enter the name of the state or province where the FortiGate unit is located, such as California or CA.
   Country: Select the country where the FortiGate unit is located.
   e-mail: Enter a contact email address for the FortiGate unit. Typically, email addresses are entered only for clients, not gateways.
6. Configure the key:
   Key Type: Select RSA as the key encryption type. No other key type is supported.
   Key Size: Select 1024 Bit, 1536 Bit or 2048 Bit. Larger keys are slower to generate but more secure. Not all IPSec VPN products support all three key sizes. 1024-bit RSA is no longer considered adequate for new certificates; choose 2048 Bit unless a peer cannot accept it.
7. Select OK to generate the private and public key pair and the certificate request. The private/public key pair are
can edit existing policies and add a new schedule to them.

To add a schedule to a policy

1. Go to Firewall > Policy.
2. Create a new policy or edit a policy to change its schedule.
3. Configure the policy as required.
4. Add a schedule by selecting it from the Schedule list.
5. Select OK to save the policy.
6. Arrange the policy in the policy list to have the effect that you expect. For example, to use a one-time schedule to deny access to a policy, add a policy that matches the policy to be denied in every way. Choose the one-time schedule that you added and set Action to DENY. Then place the policy containing the one-time schedule in the policy list above the policy to be denied.

Virtual IPs

Use virtual IPs to access IP addresses on a destination network that are hidden from the source network by NAT security policies. To allow connections between these networks, you must create a mapping between an address on the source network and the real address on the destination network. This mapping is called a virtual IP.

For example, if the computer hosting your web server is located on your internal network, it might have a private IP address such as 192.168.1.34. To get packets from the Internet to the web server, you must have an external address for the web server on the Internet. You must then add a virtual IP to the firewall that maps the external IP address of the web server t
cates 180; disabling 212, 213; manual keys 180; pre-shared keys 180; remote gateway 177; status 201; timeout 201
IPSec VPN tunnel, testing 202

J
Java applets 240; removing from web pages 240

L
L2TP 177, 259; configuring Windows XP client 213
L2TP gateway, configuring 209
language, web-based manager 123
LDAP, example configuration 176
LDAP server: adding server address 175; deleting 176
lease duration, DHCP 22, 106
log message levels 253
log setting: filtering log entries 76, 253; traffic filter 255
Log Traffic: firewall policy 144; policy 144
logging 251: attack log 253; configuring traffic settings 255; connections to an interface 98; email filter log 253; enabling alert email 258; event log 253; filtering log messages 253; log to remote host 251; log to WebTrends 252; message levels 253; recording 251; selecting what to log 253; traffic log 253; traffic logging 98; traffic sessions 254; update log 253; virus log 253; web filtering log 253
logs, recording on NetIQ WebTrends server 252

M
MAC address 260; IP/MAC binding 163
malicious scripts, removing from web pages 240, 250
management access to an interface 97
management interface 99
management IP address, transparent mode 43
manual IP address, interface 94
manual keys, introduction 180
matching policy 145
maximum bandwidth 143
memory status 67, 68
messages, replacement 128
MIB, FortiGate 128
modem: adding firewall policies 111; backup mode 107, 110; configuring 107; c
cation, do not select Require data encryption. L2TP encryption is not supported for RADIUS server authentication.
   Select Advanced to configure advanced settings.
   Select Settings.
   Select Challenge Handshake Authentication Protocol (CHAP). Make sure that none of the other settings are selected.
   Select the Networking tab.
   Make sure that the following options are selected:
   • TCP/IP
   • QoS Packet Scheduler
   Make sure that the following options are not selected:
   • File and Printer Sharing for Microsoft Networks
   • Client for Microsoft Networks

To disable IPSec

1. Select the Networking tab.
2. Select Internet Protocol (TCP/IP) properties.
3. Double-click the Advanced tab.
4. Go to the Options tab and select IP security properties.
5. Make sure that Do not use IPSEC is selected.
6. Select OK and close the connection properties window.

With IPSec disabled, only the PPP-level data encryption selected on the Security tab protects the contents of the L2TP tunnel; the L2TP control and data packets themselves travel unprotected.

Note: The default Windows XP L2TP traffic policy does not allow L2TP traffic without IPSec encryption. You can disable the default behavior by editing the Windows XP Registry as described in the following steps. See the Microsoft documentation for editing the Windows Registry.

1. Use the registry editor (regedit) to locate the following key in the registry:
   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters
2. Add the following registry value to this key:
   Value Name: ProhibitIpSec
   Data Typ
cation service. Gopher organizes and displays Internet server contents as a hierarchically structured list of files. | tcp 70
H323 | H.323 multimedia protocol. H.323 is a standard approved by the International Telecommunication Union (ITU) that defines how audiovisual conferencing data is transmitted across networks. | tcp 1720, 1503
HTTP | HTTP is the protocol used by the World Wide Web for transferring data for web pages. | tcp 80
HTTPS | HTTP with secure socket layer (SSL) service for secure communication with web servers. | tcp 443
IKE | IKE is the protocol to obtain authenticated keying material for use with ISAKMP for IPSEC. | udp 500
IMAP | Internet Message Access Protocol is a protocol used for retrieving email messages. | tcp 143
Internet Locator Service | Internet Locator Service includes LDAP, User Locator Service and LDAP over TLS/SSL. | tcp 389
IRC | Internet Relay Chat allows people connected to the Internet to join live discussions with two or more users. | tcp 6660-6669
L2TP | L2TP is a PPP-based tunnel protocol for remote access. | tcp 1701

Table 18: FortiGate predefined services (continued)

Service name | Description | Protocol and port
LDAP | Lightweight Directory Access Protocol is a set tc
cement messages, see Replacement messages on page 133.

To change to Transparent mode

1. Go to System > Status.
2. Select Change to Transparent Mode.
3. Select Transparent in the operation mode list.
4. Select OK. The FortiGate unit changes operation mode.
5. To reconnect to the web-based manager, connect to the interface configured for Transparent mode management access and browse to https:// followed by the Transparent mode management IP address. By default in Transparent mode you can connect to the internal interface. The default Transparent mode management IP address is 10.10.10.1.

Changing to NAT/Route mode

Use the following procedure to change the FortiGate unit from Transparent mode to NAT/Route mode. After you change the FortiGate unit to NAT/Route mode, most of the configuration resets to NAT/Route mode factory defaults. The following items are not set to NAT/Route mode factory defaults:

• The admin administrator account password (see Adding and editing administrator accounts on page 123)
• Custom replacement messages (see Replacement messages on page 133)

To change to NAT/Route mode

1. Go to System > Status.
2. Select Change to NAT Mode.
3. Select NAT/Route in the operation mode list.
4. Select OK. The FortiGate unit changes operation mode.
5. To reconnect to the web-based manager, you must
cess the server.
   Destination: Select the virtual IP.
   Schedule: Select a schedule as required.
   Service: Select the service that matches the Map to Service that you selected for the port forwarding virtual IP.
   Action: Set action to ACCEPT to accept connections to the internal server. You can also select DENY to deny access.
   NAT: Select NAT if the firewall is protecting the private addresses on the destination network from the source network.
   Authentication: Optionally select Authentication and select a user group to require users to authenticate with the firewall before accessing the server using port forwarding.
   Log Traffic, Anti-Virus & Web filter: Select these options to log port-forwarded traffic and apply antivirus and web filter protection to this traffic.
4. Select OK to save the policy.

IP pools

An IP pool (also called a dynamic IP pool) is a range of IP addresses added to a firewall interface. If you add IP pools to an interface, you can select Dynamic IP Pool when you configure a policy with the destination set to this interface. You can add an IP pool if you want to add NAT mode policies that translate source addresses to addresses randomly selected from the IP pool rather than being limited to the IP address of the destination interface. For example, if you add an IP pool to the internal interface, you can select Dynamic IP pool for Ext > Int policies. You can add multiple IP pools to any interface, but only the first IP poo
checksum verification on IP, TCP, UDP and ICMP traffic. For maximum detection you can turn on checksum verification for all types of traffic. However, if the FortiGate unit does not need to run checksum verification, you can turn it off for some or all types of traffic to improve system performance. For example, you might not need to run checksum verification if the FortiGate unit is installed behind a router that also does checksum verification. Keep in mind that a sensor which skips the check will inspect, and can be desynchronized by, crafted packets with invalid checksums that the destination host silently discards; only disable it where an upstream device is known to drop such packets.

To configure checksum verification

1. Go to NIDS > Detection > General.
2. Select the type of traffic that you want to run Checksum Verifications on.
3. Select Apply.

Figure 31: Example NIDS detection configuration (General tab: Monitored Interface external and internal; Checksum Verifications IP, TCP, UDP, ICMP)

Viewing the signature list

You can display the current list of NIDS signature groups and the members of a signature group.

To view the signature list

1. Go to NIDS > Detection > Signature List.
2. View the names and action status of the signature groups in the list. The NIDS detects attacks listed in all the signature groups that have check marks in the Enable column.
   Note: The user-defined signature group is the last item in the signature list. See Adding user-defined signatures on page 218.
3. Select View Details to disp
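To show what the Checksum Verifications setting actually computes, here is an added example (not FortiGate code) that verifies the Internet checksum (RFC 1071) over an IPv4 header and over UDP and ICMP payloads, including the pseudo-header that UDP and TCP fold into their sums. The packets are constructed in the code; TCP is not built out but uses the same pseudo-header scheme as UDP.

```python
"""Internet checksum (RFC 1071) verification for IPv4, UDP and ICMP.
Added example, not FortiGate code; all packets are constructed."""
import struct


def checksum(data):
    """One's-complement sum of 16-bit words, complemented; 0 means 'verifies'."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip2b(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def build_ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      64, proto, 0, ip2b(src), ip2b(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def pseudo_header(src_b, dst_b, proto, length):
    return src_b + dst_b + struct.pack("!BBH", 0, proto, length)


def build_udp(src, dst, sport, dport, data):
    length = 8 + len(data)
    seg = struct.pack("!HHHH", sport, dport, length, 0) + data
    c = checksum(pseudo_header(ip2b(src), ip2b(dst), 17, length) + seg)
    return seg[:6] + struct.pack("!H", c or 0xFFFF) + seg[8:]   # 0 means "none"


def build_icmp_echo(data):
    msg = struct.pack("!BBHHH", 8, 0, 0, 0x4242, 1) + data
    return msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]


def verify(pkt):
    """Return (ip_header_ok, transport_ok) for an IPv4 packet carrying UDP
    or ICMP; transport_ok is None for other protocols."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr, body = pkt[:ihl], pkt[ihl:]
    ip_ok = checksum(hdr) == 0
    proto = hdr[9]
    if proto == 17:
        if body[6:8] == b"\x00\x00":          # UDP over IPv4 may omit it
            transport_ok = True
        else:
            ph = pseudo_header(hdr[12:16], hdr[16:20], 17, len(body))
            transport_ok = checksum(ph + body) == 0
    elif proto == 1:
        transport_ok = checksum(body) == 0
    else:
        transport_ok = None
    return ip_ok, transport_ok


def demo():
    src, dst = "192.168.1.10", "203.0.113.5"          # constructed addresses
    udp = build_udp(src, dst, 40000, 53, b"constructed-dns-query")
    good = build_ipv4(src, dst, 17, udp)
    bad_payload = good[:-1] + bytes([good[-1] ^ 0x01])       # flip a data bit
    bad_ttl = good[:8] + bytes([good[8] ^ 0x01]) + good[9:]  # tamper with TTL
    no_udp_sum = build_ipv4(src, dst, 17, udp[:6] + b"\x00\x00" + udp[8:])
    return {
        "good_udp": verify(good),
        "corrupt_payload": verify(bad_payload),
        "corrupt_ttl": verify(bad_ttl),
        "udp_without_checksum": verify(no_udp_sum),
        "good_icmp": verify(build_ipv4(src, dst, 1, build_icmp_echo(b"ping"))),
    }
```

The two corrupted packets show why the check matters for a sensor: the one with a bad UDP checksum still has a valid IP header and will be routed all the way to the host, which then drops it, so a NIDS that does not verify the transport checksum reports on data the host never processes.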
connect to the interface configured by default for management access. By default in NAT/Route mode you can connect to the internal interface. The default NAT/Route mode internal interface IP address is 192.168.1.99.

Restarting the FortiGate unit

1. Go to System > Status.
2. Select Restart. The FortiGate unit restarts.

Shutting down the FortiGate unit

You can restart the FortiGate unit after shutdown only by turning the power off and then on.

1. Go to System > Status.
2. Select Shutdown. The FortiGate unit shuts down and all traffic flow stops.

System status

You can use the system status monitor to display FortiGate system health information. The system health information includes memory usage, the number of active communication sessions and the amount of network bandwidth currently in use. The web-based manager displays current statistics as well as statistics for the previous minute. You can also view current virus and intrusion status. The web-based manager displays the current number of viruses and attacks as well as a graph of virus and attack levels over the previous 20 hours. In each case you can set an automatic refresh interval that updates the display every 5 to 30 seconds. You can also refresh the display manually.

• Viewing CPU and memory status
• Viewing sessions and network status
• Viewing virus and intrusions status

Viewing CPU and memory status

Current CP
d logs on a NetIQ WebTrends server

1. Go to Log & Report > Log Setting.
2. Select the Log in WebTrends Enhanced Log Format check box.
3. Type the IP address of the NetIQ WebTrends firewall reporting server.
4. Select the severity level for which you want to record log messages. The FortiGate unit logs all levels of severity down to, but not lower than, the level you choose. For example, if you want to record emergency, alert, critical and error messages, select Error. See Log message levels on page 253.
5. Select Config Policy. To configure the FortiGate unit to filter the types of logs and events to record, use the procedures in Filtering log messages on page 253 and Configuring traffic logging on page 254.
6. Select OK.
7. Select Apply.

Log message levels

Table 23 lists and describes FortiGate log message levels.

Table 23: FortiGate log message levels

Level | Description | Generated by
0 Emergency | The system has become unstable. | Emergency messages not available
1 Alert | Immediate action is required. | NIDS attack log messages
2 Critical | Functionality is affected. | DHCP
3 Error | An error condition exists and functionality could be affected. | Error messages not available
4 Warning | Functionality could be affected. | Antivirus, Web filter, email filter and system event log messages
5 Notice | Information about normal events. | Antiv
...d to any other device. You can only add a given IP address or MAC address once.
7. Select OK.

Viewing a DHCP server dynamic IP list
You can view the list of IP addresses that the DHCP server has assigned, their corresponding MAC addresses, and the expiry time and date for these addresses.
To view a DHCP server dynamic IP list
1. Go to System > Network > DHCP.
2. Select Dynamic IP.
3. Select the interface for which you want to view the list.

Configuring the modem interface
You can connect a modem to the FortiGate unit and use it as either a backup interface or a standalone interface. In backup mode, the modem interface automatically takes over from a selected Ethernet interface when that Ethernet interface is unavailable. In standalone mode, the modem interface is the connection from the FortiGate unit to the Internet. When connecting to the ISP in either configuration, the FortiGate unit modem can automatically dial up to three dialup accounts until the modem connects to an ISP.
- Connecting a modem to the FortiGate unit
- Configuring modem settings
- Connecting to a dialup account
- Disconnecting the modem
- Viewing modem status
- Backup mode configuration
- Standalone mode configuration
- Adding firewall policies for modem connections

FortiGate 50A Installation and Configuration Guide 107

Connecting a modem to the FortiGate unit
The FortiGate unit can
...digital certificates 190
Obtaining a signed local certificate 190
Obtaining CA certificates 192
Configuring encrypt policies 193
Adding a source address 194
Adding a destination address 194
Adding an encrypt policy 195
IPSec VPN concentrators 196
VPN concentrator (hub) general configuration steps 197
Adding a VPN concentrator 198
VPN spoke general configuration steps 199
Monitoring and troubleshooting VPNs 201
Viewing VPN tunnel status 201
Viewing dialup VPN connection status 201
Testing a VPN
...ding a secondary IP address to an interface 96
Adding a ping server to an interface 97
Controlling administrative access to an interface 97
Changing the MTU size to improve network performance 98
Configuring traffic logging for connections to an interface 98
Configuring the management interface in Transparent mode 99
Adding DNS server IP addresses 100
Configuring routing 100
Adding a default route 100
Adding destination-based routes to the routing table 101
Adding routes in Transparent mode 102
Configuring the routing table 102
Policy routing 103
Configuring DHCP services 104
Configuring a DHCP relay agent 104
Configuring a DHCP server 105
Configuring the modem interface
...dition to the data. In IP networks, packets are often called datagrams.
Ping: Packet Internet Groper. A utility used to determine whether a specific IP address is accessible. It works by sending a packet to the specified address and waiting for a reply.
POP3: Post Office Protocol. A protocol used to transfer e-mail from a mail server to a mail client across the Internet. Most e-mail clients use POP.
PPP: Point-to-Point Protocol. A TCP/IP protocol that provides host-to-network and router-to-router connections.
PPTP: Point-to-Point Tunneling Protocol. A Windows-based technology for creating VPNs. PPTP is supported by Windows 98, 2000 and XP. To create a PPTP VPN, your ISP's routers must support PPTP.
Port: In TCP/IP and UDP networks, a port is an endpoint to a logical connection. The port number identifies what type of port it is. For example, port 80 is used for HTTP traffic.
Protocol: An agreed-upon format for transmitting data between two devices. The protocol determines the type of error checking to be used, the data compression method (if any), how the sending device indicates that it has finished sending a message, and how the receiving device indicates that it has received a message.
RADIUS: Remote Authentication Dial-In User Service. An authentication and accounting system used by many Internet Service Providers (ISPs). When users dial into an ISP they enter a user name and password. This information is passed to a R
...dress from the Available Addresses list and select the right arrow to add it to the Members list.
5. To remove addresses from the address group, select an address from the Members list and select the left arrow to remove it from the group.
6. Select OK to add the address group.

Figure 8: Adding an internal address group (Group Name Internal_Group1; Available Addresses Web_Server, Internal_Subnet1, Internal_Subnet2; Members Internal_Address1, Internal_Address2, Internal_Address3)

Services
Use services to determine the types of communication accepted or denied by the firewall. You can add any of the predefined services to a policy. You can also create custom services and add services to service groups.
This section describes:
- Predefined services
- Adding custom TCP and UDP services
- Adding custom ICMP services
- Adding custom IP services
- Grouping services

Predefined services
The FortiGate predefined firewall services are listed in Table 18. You can add these services to any policy.

Table 18: FortiGate predefined services
Service name | Description | Protocol | Port
ANY | Match connections on any port. A connection that uses any of the predefined services is allowed through the firewall. | all | all
Note: This example describes the configuration for a FortiGate NAT device. However, you can use any NAT device with a static external IP address that can be configured for port forwarding.

Figure 2: Example network topology, push updates through a NAT device (FortiResponse Distribution Network (FDN) > Internet > FortiGate 300 NAT device, external IP 64.230.123.149; the push update is sent to 64.230.123.149 port 45001; a virtual IP maps 64.230.123.149:45001 to 192.168.1.99:9443, the management IP of the FortiGate 50A)

Enabling push updates: general procedure
Use the following steps to configure the FortiGate NAT device and the FortiGate unit on the internal network so that the FortiGate unit on the internal network can receive push updates:
1. Add a port forwarding virtual IP to the FortiGate NAT device.
2. Add a firewall policy to the FortiGate NAT device that includes the port forwarding virtual IP. Because this virtual IP exposes the internal unit's management IP on port 9443 to the Internet, limit the policy's source address to the FortiResponse server rather than allowing all external hosts.
3. Configure the FortiGate unit on the internal network with an override push IP and port.
Note: Before completing the following procedure, register the internal network FortiGate unit so that it can receive push updates.

Adding a port forwarding virtual IP to the FortiGate NAT device
Use the following procedure to configure a FortiGate NAT device to use port forwarding to forward
...e REG_DWORD, Value 1. Save the changes and restart the computer for the changes to take effect.
You must add the ProhibitIpSec registry value to each Windows XP-based endpoint computer of an L2TP or IPSec connection to prevent the automatic filter for L2TP and IPSec traffic from being created. When the ProhibitIpSec registry value is set to 1, your Windows XP-based computer does not create the automatic filter that uses CA authentication. Instead it checks for a local or Active Directory IPSec policy. If no such policy applies, the L2TP connection carries no IPSec protection at all; any confidentiality then depends on the PPP-level encryption negotiated for the connection, so verify what the connection actually negotiates before relying on it.

To connect to the L2TP VPN
1. Connect to your ISP.
2. Start the VPN connection that you configured in the previous procedure.
3. Enter your L2TP VPN User Name and Password.
4. Select Connect.
5. In the connect window, enter the User Name and Password that you use to connect to your dialup network connection. This user name and password is not the same as your VPN user name and password.

Network Intrusion Detection System (NIDS)
The FortiGate NIDS is a real-time network intrusion detection sensor that uses attack signature definitions to both detect and prevent a wide variety of suspicious network traffic and direct network-based attacks. Also, whenever an attack occurs, the FortiGate NIDS can record the event in a log and send an alert email to the system administrator.
This chapter describes:
- Detecting attacks
- Preventing attacks
- Logging attacks

Detecting attacks
The NIDS Detection module detects a wide va
...e interface is connecting to. Two interfaces cannot have the same IP address and cannot have IP addresses on the same subnet.
Select OK to save your changes. If you changed the IP address of the interface to which you are connecting to manage the FortiGate unit, you must reconnect to the web-based manager using the new interface IP address.

Configuring an interface for DHCP
You can configure any FortiGate interface to use DHCP. If you configure the interface to use DHCP, the FortiGate unit automatically broadcasts a DHCP request. You can disable Connect to Server if you are configuring the FortiGate unit offline and you do not want the FortiGate unit to send the DHCP request.
By default, the FortiGate unit also retrieves a default gateway IP address and DNS server IP addresses from the DHCP server. You can disable the option Retrieve default gateway and DNS from server if you do not want the DHCP server to configure these FortiGate settings. Leaving it enabled on an interface facing an untrusted network lets whoever runs that DHCP server choose the unit's default route and DNS resolvers.
To configure an interface for DHCP
1. Go to System > Network > Interface.
2. Choose an interface and select Modify.
3. In the Addressing Mode section, select DHCP.
4. Clear the Retrieve default gateway and DNS from server check box if you do not want the FortiGate unit to obtain a default gateway IP address and DNS server IP addresses from the DHCP server. By default this option is enabled.
5. Clear the Connect to Server check box if you do not want the FortiGate unit to connect to t
...e network settings:
- Configuring interfaces
- Adding DNS server IP addresses
- Configuring routing
- Configuring DHCP services
- Configuring the modem interface

Configuring interfaces
Use the following procedures to configure FortiGate interfaces:
- Viewing the interface list
- Changing the administrative status of an interface
- Configuring an interface with a manual IP address
- Configuring an interface for DHCP
- Configuring an interface for PPPoE
- Adding a secondary IP address to an interface
- Adding a ping server to an interface
- Controlling administrative access to an interface
- Changing the MTU size to improve network performance
- Configuring traffic logging for connections to an interface
- Configuring the management interface in Transparent mode

Viewing the interface list
To view the interface list
1. Go to System > Network > Interface.
The interface list is displayed. The interface list shows the following status information for all the FortiGate interfaces and VLAN subinterfaces:
- The name of the interface
- The IP address of the interface
- The netmask of the interface
- The administrative access configuration for the interface. See Controlling administrative access to an interface on page 97 for information about administrative access options.
- The administrative status for
...e 50A Antivirus Firewall is an easy-to-deploy and easy-to-administer solution that delivers exceptional value and performance for small office and home office (SOHO) applications.

FortiGate 50A
Your FortiGate 50A is a dedicated, easily managed security device that delivers a full suite of capabilities that include:
- application-level services such as virus protection and content filtering
- network-level services such as firewall, intrusion detection, VPN and traffic shaping

NAT/Route mode and Transparent mode
The FortiGate can operate in NAT/Route mode or Transparent mode.

NAT/Route mode
In NAT/Route mode, the FortiGate 50A is installed as a privacy barrier between the internal network and the Internet. The firewall provides network address translation (NAT) to protect the internal private network. You can control whether firewall policies run in NAT mode or route mode. NAT mode policies route allowed connections between firewall interfaces, performing network address translation to hide addresses on the protected internal networks. Route mode policies route allowed connections between firewall interfaces without performing network address translation.

Transparent mode
Transparent mode provides firewall protection to a pre-existing network with public addresses. The internal and external network interfaces of the FortiGate unit must be in the same subnet, and the FortiGate unit can be inserted into your network at a
...e PPTP users. For information about adding and configuring users, see Adding user names and configuring authentication on page 172.
3. Go to User > User Group.
4. Add and configure PPTP user groups. For information about adding and configuring user groups, see Configuring user groups on page 177.

To enable PPTP and specify an address range
1. Go to VPN > PPTP > PPTP Range.
2. Select Enable PPTP.
3. Enter the Starting IP and the Ending IP for the PPTP address range.
4. Select the User Group that you added in To add users and user groups on page 203.
5. Select Apply to enable PPTP through the FortiGate unit.
Note: PPTP depends on MS-CHAPv2 authentication and MPPE encryption, both of which are weak by current standards; where the clients support it, prefer an IPSec VPN.

Figure 29: Example PPTP Range configuration (Enable PPTP selected; Starting IP 192.168.1.100; Ending IP 192.168.1.110; User Group PPTP_users)

To add a source address
Add a source address for every address in the PPTP address range.
1. Go to Firewall > Address.
2. Select the interface to which PPTP clients connect.
3. Select New to add an address.
4. Enter the Address Name, IP Address and NetMask for an address in the PPTP address range.
5. Select OK to save the source address.
6. Repeat for all addresses in the PPTP address range.
Note: If the PPTP address range is comprised of an entire subnet, add an address for this subnet. Do not add an addre
...e Remote SPI at the opposite end of the tunnel.
5. Enter the Remote SPI. The Remote Security Parameter Index is a hexadecimal number of up to eight digits (digits can be 0 to 9, a to f) in the range bb8 to FFFFFFFF. This number must be added to the Local SPI at the opposite end of the tunnel.
6. Enter the Remote Gateway. This is the external IP address of the FortiGate unit or other IPSec gateway at the opposite end of the tunnel.
7. Select an Encryption Algorithm from the list. Use the same algorithm at both ends of the tunnel. Single DES offers only a 56-bit key and should not be chosen where AES is available.
8. Enter the Encryption Key. Each two-character combination entered in hexadecimal format represents one byte. Depending on the encryption algorithm that you select, you might be required to enter the key in multiple segments. Use the same encryption key at both ends of the tunnel. Generate the key from a cryptographically secure random source rather than typing a memorable value: a manual key tunnel never rekeys, so a weak or leaked key exposes all traffic until an administrator changes it at both ends.
   DES: Enter a 16-character (8-byte) hexadecimal number (0-9, A-F).
   3DES: Enter a 48-character (24-byte) hexadecimal number (0-9, A-F). Separate the number into three segments of 16 characters.
   AES128: Enter a 32-character (16-byte) hexadecimal number (0-9, A-F). Separate the number into two segments of 16 characters.
   AES192: Enter a 48-character (24-byte) hexadecimal number (0-9, A-F). Separate the number into three segments of 16 characters.
   AES256: Enter a 64-character (32-byte) hexadecimal number (0-9, A-F). Separate the number into four
...e VPN peer, it also sends a DPD probe to determine the status of the link.
To control the length of time that the FortiGate unit takes to detect a dead peer with DPD probes, configure the Retry Count and the Retry Interval:
- Retry Count: Set the number of times that the local VPN peer retries the DPD probe before it considers the channel to be dead and tears down the security association (SA). To avoid false negatives because of congestion or other transient failures, set the retry count to a sufficiently high value for your network.
- Retry Interval: Set the time in seconds that the local VPN peer waits between retrying DPD probes.
- Also set the time in seconds that a link must remain unused before the local VPN peer proactively probes its state. After this period of time expires, the local peer sends a DPD probe to determine the status of the link even if there is no traffic between the local peer and the remote peer.
6. Select OK to save the phase 1 parameters.

Figure 21: Adding a phase 1 configuration, standard options (Gateway Name Remote_Client_3; Remote Gateway Dialup User; Mode Aggressive / Main (ID protection); P1 Proposal 1: Encryption 3DES, Authentication SHA1; P1 Proposal 2: Encryption 3DES, Authentication MD5; DH Group 1, 2, 5; Keylife 28800 seconds; Authentication Method RSA Signature; Certificate Name Local_FGT_certificate; Local ID optional; Advanced Options)
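The three DPD parameters interact: the idle period decides when probing starts, and retry count times retry interval bounds how long a dead peer survives, while a retry count that is too low turns a short outage into a torn-down SA. The following added example (not FortiGate code) models that as a one-second-tick simulation; it assumes no user traffic on the tunnel, and the peer behaviours `dead_peer` and `blip_peer` are constructed for the illustration.

```python
"""Simulate IPSec dead peer detection (DPD) retry and timing behaviour.

Added example, not FortiGate code. It models the three parameters the guide
describes (idle time before a probe, retry interval, retry count) on a
one-second tick, with no user traffic on the tunnel, against a peer whose
reachability is a constructed function of time.
"""


def simulate_dpd(idle_timeout, retry_interval, retry_count, peer_answers,
                 horizon=600):
    """Run DPD against a peer described by peer_answers(t) -> bool.

    Returns ("dead", t) when the SA would be torn down at second t, or
    ("alive", horizon) if the horizon passes without a declared failure.
    Each second without traffic counts toward idle_timeout; when it expires
    a probe is sent.  An unanswered probe is retried retry_interval seconds
    later, up to retry_count times; one more failure means the peer is dead.
    """
    idle = 0
    failures = 0
    next_probe_at = None
    for t in range(1, horizon + 1):
        if next_probe_at is None:
            idle += 1
            if idle >= idle_timeout:
                next_probe_at = t
        if next_probe_at is not None and t >= next_probe_at:
            if peer_answers(t):
                idle, failures, next_probe_at = 0, 0, None   # link confirmed
            else:
                failures += 1
                if failures > retry_count:
                    return ("dead", t)
                next_probe_at = t + retry_interval
    return ("alive", horizon)


def worst_case_detection_time(idle_timeout, retry_interval, retry_count):
    """Seconds from the last traffic to SA teardown when the peer never answers."""
    return idle_timeout + retry_count * retry_interval


# Constructed peer behaviours (assumptions for the example).
def dead_peer(t):
    return False


def blip_peer(t):
    """Peer drops probes for a 7-second window, then answers again."""
    return not (10 <= t < 17)


if __name__ == "__main__":
    print(simulate_dpd(10, 5, 3, dead_peer))          # ("dead", 25)
    print(simulate_dpd(10, 5, 1, blip_peer))          # torn down by a blip
    print(simulate_dpd(10, 5, 3, blip_peer, 120))     # survives the blip
```

With a 10-second idle time and a 5-second retry interval, a retry count of 1 tears the tunnel down on a 7-second packet-loss blip, whereas a retry count of 3 rides it out at the cost of a 25-second worst-case detection time for a peer that is really gone.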
...e Web URL blocking to block all pages on a website by adding the top-level URL or IP address. You can also block individual pages on a website by including the full path and filename of the web page to block.
- Adding URLs to the Web URL block list
- Clearing the Web URL block list
- Downloading the Web URL block list
- Uploading a URL block list

Adding URLs to the Web URL block list
1. Go to Web Filter > Web URL Block.
2. Select New to add a URL to the Web URL block list.
3. Type the URL that you want to block.
   Type a top-level URL or IP address to block access to all pages on a website. For example, www.badsite.com or 122.133.144.155 blocks access to all pages at this website. Because matching is on the requested host, block both the name and the IP address if users can reach the site either way.
   Type a top-level URL followed by the path and filename to block access to a single page on a website. For example, www.badsite.com/news.html or 122.133.144.155/news.html blocks the news page on this website.
   To block all pages with a URL that ends with badsite.com, add badsite.com to the block list. For example, adding badsite.com blocks access to www.badsite.com, mail.badsite.com, www.finance.badsite.com, and so on.
   Note: Do not include http:// in the URL that you want to block.
   Note: Do not use regular expressions in the Web URL block list. You can use regular expressions in the Web Pattern Block list to create URL patterns to block. See Configuring FortiGate Web pattern blocking on page 237.
   Note: You can type a top-level domain suffix (for example, com
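The three entry forms above (host, host plus page, bare domain suffix) each match differently. The following added example, which is not the FortiGate implementation, applies those rules to sample URLs; the decision to match domain suffixes only on whole DNS labels (so badsite.com does not catch notbadsite.com), the case-insensitive host comparison, and the rejection of scheme prefixes and regex characters at entry time are this example's own design choices.

```python
"""Match URLs against a Web URL block list using the guide's entry rules.

Added example, not the FortiGate implementation. Entries follow the guide's
conventions: no "http://", no regular expressions; a host or IP blocks every
page on that site, host plus path blocks one page, and a bare domain blocks
every host ending in that domain. Label-aligned suffix matching and the
case-insensitive host comparison are this example's own choices.
"""
from urllib.parse import urlsplit

_REGEX_CHARS = "*?[]()|^$\\"


def parse_entry(entry):
    """Split a block-list entry into (host, path); reject scheme and regex."""
    e = entry.strip()
    if "://" in e:
        raise ValueError("do not include http:// in a block-list entry")
    if any(ch in e for ch in _REGEX_CHARS):
        raise ValueError("regular expressions belong in Web Pattern Block, not here")
    host, sep, path = e.partition("/")
    return host.lower(), ("/" + path) if sep else ""


def host_matches(entry_host, url_host):
    """Exact host, or any sub-domain of it: mail.badsite.com matches badsite.com,
    but notbadsite.com does not."""
    return url_host == entry_host or url_host.endswith("." + entry_host)


def is_blocked(url, block_list):
    """Return the entry that blocks the URL, or None if it is allowed."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    url_host = (parts.hostname or "").lower()
    url_path = parts.path or "/"
    for entry in block_list:
        entry_host, entry_path = parse_entry(entry)
        if not host_matches(entry_host, url_host):
            continue
        if entry_path == "" or entry_path == url_path:   # whole site, or one page
            return entry
    return None


# Constructed block list using the guide's example names.
BLOCK_LIST = ["www.badsite.com", "122.133.144.155/news.html", "badsite.com"]

if __name__ == "__main__":
    for u in ("http://www.badsite.com/a.html", "http://122.133.144.155/index.html",
              "http://mail.badsite.com/", "http://notbadsite.com/"):
        print(u, "->", is_blocked(u, BLOCK_LIST))
```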
...e keylife causes the phase 2 key to expire after a specified time, after a specified number of Kbytes of data have been processed by the VPN tunnel, or both. If you select both, the key does not expire until both the time has passed and the number of Kbytes have been processed, so "both" gives the longest key lifetime of the three choices, not the shortest; if the goal is to bound key use, select the single limit you care about. When the key expires, a new key is generated without interrupting service. P2 proposal keylife can be from 120 to 172800 seconds or from 5120 to 99999 Kbytes.
10. Enable Autokey Keep Alive if you want to keep the VPN tunnel running even if no data is being processed.
11. Select a concentrator if you want the tunnel to be part of a hub-and-spoke VPN configuration. If you use the procedure Adding a VPN concentrator on page 198 to add the tunnel to a concentrator, the next time you open the tunnel the Concentrator field displays the name of the concentrator to which you added the tunnel.
12. Select a Quick Mode Identity:
   Use selectors from policy: Select this option for policy-based VPNs. A policy-based VPN uses an encrypt policy to select which VPN tunnel to use for the connection. In this configuration, the VPN tunnel is referenced directly from the encrypt policy. You must select this option if both VPN peers are FortiGate units.
   Use wildcard selectors: Select this option for routing-based VPNs. A routing-based VPN uses routing information to select which VPN tunnel to use for the connection. In this configuration
...e mode IP addresses
1. Log into the CLI if you are not already logged in.
2. Set the IP address and netmask of the internal interface to the internal IP address and netmask that you recorded in Table 12 on page 34. Enter:
   set system interface internal mode static ip <IP address> <netmask>
   Example:
   set system interface internal mode static ip 192.168.1.1 255.255.255.0
3. Set the IP address and netmask of the external interface to the external IP address and netmask that you recorded in Table 12 on page 34.
   To set the manual IP address and netmask, enter:
   set system interface external mode static ip <IP address> <netmask>
   Example:
   set system interface external mode static ip 204.23.1.5 255.255.255.0
   To set the external interface to use DHCP, enter:
   set system interface external mode dhcp connection enable
   To set the external interface to use PPPoE, enter:
   set system interface external mode pppoe username <user name> password <password> connection enable
   Example:
   set system interface external mode pppoe username user@domain.com password mypass connection enable
4. Confirm that the addresses are correct. Enter:
   get system interface
   The CLI lists the IP address, netmask and other settings for each of the FortiGate interfaces.
5. Set the primary DNS server IP address. Enter:
   set system dns primary <IP address>
   Example (as printed in the guide; 293 is not a valid octet, substitute your own DNS server address):
   set system dns primary 293.44.75.21
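Step 4 asks you to confirm the addresses by eye; the rule that matters is the one stated for manual addressing earlier in the chapter, that two interfaces may neither share an IP address nor sit on the same subnet. The following added example (not FortiOS code) checks a planned set of interface addresses, given in the same "address, netmask" form the CLI takes, before anything is typed into the unit; the function names and the sample addresses are assumptions.

```python
"""Sanity-check planned FortiGate interface addresses before applying them.

Added example, not part of the guide or FortiOS. It enforces the guide's
rule for manual addressing: two interfaces cannot share an IP address and
cannot have addresses on the same subnet, and it rejects addresses that
cannot be parsed. Input uses the CLI's "<address> <netmask>" form.
"""
import ipaddress


def parse_interface(name, ip, netmask):
    """Return an IPv4Interface, or raise ValueError naming the interface."""
    try:
        return ipaddress.IPv4Interface(f"{ip}/{netmask}")
    except ValueError as exc:
        raise ValueError(f"{name}: {exc}") from exc


def check_interfaces(config):
    """config maps interface name -> (ip, netmask).

    Returns a list of problem strings; an empty list means the plan is
    consistent. Overlap is checked pairwise so a /16 that swallows a /24
    on another interface is reported as well as an exact duplicate.
    """
    problems, parsed = [], {}
    for name, (ip, mask) in config.items():
        try:
            iface = parse_interface(name, ip, mask)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        net = iface.network
        if net.prefixlen < 31 and iface.ip in (net.network_address,
                                               net.broadcast_address):
            problems.append(f"{name}: {iface.ip} is the network or broadcast address")
        parsed[name] = iface
    names = sorted(parsed)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            ia, ib = parsed[a], parsed[b]
            if ia.ip == ib.ip:
                problems.append(f"{a} and {b} have the same IP address {ia.ip}")
            elif ia.network.overlaps(ib.network):
                problems.append(f"{a} ({ia.network}) and {b} ({ib.network}) overlap")
    return problems


# Constructed plan using the guide's example addresses.
PLAN = {
    "internal": ("192.168.1.1", "255.255.255.0"),
    "external": ("204.23.1.5", "255.255.255.0"),
}

if __name__ == "__main__":
    print(check_interfaces(PLAN) or "plan is consistent")
```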
...e peers. As a result, when traffic matches a policy requiring the tunnel, it can be authenticated and encrypted immediately. Because the keys are fixed, a manual key tunnel has no automatic rekeying and no forward secrecy: the same key protects every packet until an administrator changes it at both ends.
- General configuration steps for a manual key VPN
- Adding a manual key VPN tunnel

General configuration steps for a manual key VPN
A manual key VPN configuration consists of a manual key VPN tunnel, the source and destination addresses for both ends of the tunnel, and an encrypt policy to control access to the VPN tunnel.
To create a manual key VPN configuration
1. Add a manual key VPN tunnel. See Adding a manual key VPN tunnel on page 181.
2. Configure an encrypt policy that includes the tunnel, source address and destination address for both ends of the tunnel. See Configuring encrypt policies on page 193.

Adding a manual key VPN tunnel
Configure a manual key tunnel to create an IPSec VPN tunnel between the FortiGate unit and a remote IPSec VPN client or gateway that is also using manual key.
To add a manual key VPN tunnel
1. Go to VPN > IPSec > Manual Key.
2. Select New to add a new manual key VPN tunnel.
3. Type a VPN Tunnel Name. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
4. Enter the Local SPI. The Local Security Parameter Index is a hexadecimal number of up to eight digits (digits can be 0 to 9, a to f) in the range bb8 to FFFFFFFF. This number must be added to th
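The manual key procedure (the tunnel name, SPI and key-length rules stated in steps 3 and 4 here and in the continuation that covers the Remote SPI, encryption algorithm and key segments) is all length and character-set constraints that the web form enforces only one field at a time. The following added example, not from the guide, collects those constraints into one validator you can run over a planned configuration before entering it at either end; the function names, the repeated-digit check and the warning against single DES are this example's own additions.

```python
"""Validate IPSec manual-key tunnel parameters before committing them.

Added example, not part of the Fortinet guide. The tunnel-name character
set, the SPI format (hexadecimal, up to eight digits, bb8 to FFFFFFFF) and
the key length per algorithm are from the guide; the weak-key checks and
the DES warning are this example's additions.
"""
import re

# Required encryption-key length in hex characters, per the guide.
KEY_HEX_LEN = {"des": 16, "3des": 48, "aes128": 32, "aes192": 48, "aes256": 64}
SPI_MIN, SPI_MAX = 0xBB8, 0xFFFFFFFF
_HEX = re.compile(r"^[0-9a-fA-F]+$")
_NAME = re.compile(r"^[0-9A-Za-z_-]+$")


def check_spi(label, spi_hex):
    """Return a list of problems with an SPI given as a hex string."""
    if not _HEX.match(spi_hex or "") or len(spi_hex) > 8:
        return [f"{label}: SPI must be 1-8 hexadecimal digits"]
    value = int(spi_hex, 16)
    if not SPI_MIN <= value <= SPI_MAX:
        return [f"{label}: SPI {spi_hex} outside bb8-FFFFFFFF"]
    return []


def check_key(algorithm, key_hex):
    """Check that the key fits the algorithm. Spaces between the 16-character
    segments the web form uses are tolerated and stripped."""
    problems = []
    alg = algorithm.lower()
    key = (key_hex or "").replace(" ", "")
    if alg not in KEY_HEX_LEN:
        return [f"unknown encryption algorithm {algorithm!r}"]
    if not _HEX.match(key):
        problems.append("encryption key must be hexadecimal (0-9, A-F)")
    elif len(key) != KEY_HEX_LEN[alg]:
        problems.append(f"{alg} key must be {KEY_HEX_LEN[alg]} hex characters "
                        f"({KEY_HEX_LEN[alg] // 2} bytes), got {len(key)}")
    elif len(set(key.lower())) == 1:     # e.g. all zeros: trivially guessable
        problems.append("encryption key is a repeated single digit")
    if alg == "des":
        problems.append("warning: single DES has a 56-bit effective key; prefer AES")
    return problems


def validate_manual_key_tunnel(name, local_spi, remote_spi, algorithm, key_hex):
    """Aggregate all checks; an empty list means the parameters are acceptable."""
    problems = []
    if not _NAME.match(name or ""):
        problems.append("tunnel name may only contain 0-9, A-Z, a-z, '-' and '_'")
    problems += check_spi("local", local_spi)
    problems += check_spi("remote", remote_spi)
    problems += check_key(algorithm, key_hex)
    return problems


if __name__ == "__main__":
    # Constructed values for the example; the key is not a real secret.
    print(validate_manual_key_tunnel("Site_A-Site_B", "bb8", "ffffffff",
                                     "aes128", "00112233445566778899aabbccddeeff"))
```

Remember that the validator only checks form: the remote end must be configured with the same algorithm, the same key, and the two SPIs swapped, and the key itself should come from a CSPRNG rather than a keyboard.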
...e same destination per second
Signature | Description | Default | Range
icmpsrcsession | Total number of ICMP sessions initiated from the same source | 128 | 1-1000000
icmpsweep | Maximum number of ICMP packets received from the same source per second | 128 | 1-1000000
icmplarge | Maximum ICMP packet size (bytes) | 32000 | 64-64000

To set Prevention signature threshold values
1. Go to NIDS > Prevention.
2. Select Modify beside the signature for which you want to set the Threshold value. Signatures that do not have threshold values do not have Modify icons.
3. Type the Threshold value.
4. Select the Enable check box.
5. Select OK.

Logging attacks
Whenever the NIDS detects or prevents an attack, it generates an attack message. You can configure the system to add the message to the attack log.
- Logging attack messages to the attack log
- Reducing the number of NIDS attack log and email messages

Logging attack messages to the attack log
To log attack messages to the attack log
1. Go to Log & Report > Log Setting.
2. Select Config Policy for the log locations you have set.
3. Select Attack Log.
4. Select Attack Detection and Attack Prevention.
5. Select OK.
Note: For information about log message content and formats and about log locations, see the FortiGate Logging and Message Reference Guide.

Reducing the number of NIDS
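To see what the three ICMP thresholds in the table actually trigger on, the following added example (not FortiGate code) runs them over a constructed packet sample: a 200-host ping sweep from one source inside a single second, one oversized echo request, and a few benign pings. The signature names, default thresholds and allowed ranges come from the table; the packet record format is invented, and counting one "session" per distinct source/destination pair is this example's simplification of what the unit tracks.

```python
"""Apply NIDS prevention-style ICMP thresholds to a packet sample.

Added example, not FortiGate code. Signature names, defaults and ranges are
from the guide's table (icmpsweep 128 packets/s per source, icmpsrcsession
128 sessions per source, icmplarge 32000 bytes). The packet records are
constructed; treating each distinct (src, dst) pair as one session is this
example's simplification.
"""
from collections import Counter, defaultdict

DEFAULTS = {"icmpsweep": 128, "icmpsrcsession": 128, "icmplarge": 32000}
RANGES = {"icmpsweep": (1, 1_000_000), "icmpsrcsession": (1, 1_000_000),
          "icmplarge": (64, 64_000)}


def validate_threshold(signature, value):
    """True if value lies inside the range the guide allows for the signature."""
    lo, hi = RANGES[signature]
    return lo <= value <= hi


def detect(packets, thresholds=None):
    """Return (signature, source, detail) tuples for threshold violations.

    packets: iterable of dicts with keys t (seconds), src, dst, size.
    icmpsweep fires once per source per second and icmpsrcsession once per
    source, each when the count first exceeds its threshold; icmplarge
    fires for every oversized packet.
    """
    th = dict(DEFAULTS, **(thresholds or {}))
    per_second = Counter()         # (src, whole second) -> packet count
    sessions = defaultdict(set)    # src -> set of destinations seen
    alerts = []
    for p in packets:
        src, dst = p["src"], p["dst"]
        if p["size"] > th["icmplarge"]:
            alerts.append(("icmplarge", src, f'{p["size"]} bytes to {dst}'))
        key = (src, int(p["t"]))
        per_second[key] += 1
        if per_second[key] == th["icmpsweep"] + 1:
            alerts.append(("icmpsweep", src,
                           f'more than {th["icmpsweep"]} packets in second {key[1]}'))
        sessions[src].add(dst)
        if len(sessions[src]) == th["icmpsrcsession"] + 1:
            alerts.append(("icmpsrcsession", src,
                           f'more than {th["icmpsrcsession"]} ICMP sessions'))
    return alerts


def sample_packets():
    """Constructed traffic: a sweep of 200 hosts from 10.0.0.5 within one
    second, one 40000-byte echo request, and five benign pings."""
    pkts = [{"t": 0, "src": "10.0.0.5", "dst": f"10.0.1.{n}", "size": 64}
            for n in range(1, 201)]
    pkts.append({"t": 1, "src": "10.0.0.9", "dst": "10.0.1.1", "size": 40000})
    pkts += [{"t": n, "src": "10.0.0.7", "dst": "10.0.1.1", "size": 64}
             for n in range(5)]
    return pkts


if __name__ == "__main__":
    for sig, src, detail in detect(sample_packets()):
        print(f"{sig:15} {src:10} {detail}")
```

Raising a threshold with `validate_threshold` before applying it keeps you inside the ranges the unit accepts; raising it too far simply turns the signature off in practice, so check the alert output against known-good traffic rather than tuning until the noise disappears.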
...e virus list
You can view the names of the viruses and worms in the current virus definition list.
To view the virus list
1. Go to Anti-Virus > Config > Virus List.
2. Scroll through the virus and worm list to view the names of all viruses and worms in the list.

Web filtering
When you enable Anti-Virus & Web filter in a firewall policy, you select a content profile that controls how web filtering behaves for HTTP traffic. Content profiles control the following types of content filtering:
- blocking unwanted URLs
- blocking unwanted content
- removing scripts from web pages
- exempting URLs from blocking
You can also use Cerberian URL filtering to block unwanted URLs. For more information, see Configuring Cerberian URL filtering on page 238.
This chapter describes:
- General configuration steps
- Content blocking
- URL blocking
- Configuring Cerberian URL filtering
- Script filtering
- Exempt URL list

General configuration steps
Configuring web filtering involves the following general steps:
1. Select web filtering options in a new or existing content profile. See Adding content profiles on page 167.
2. Select the Anti-Virus & Web filter option in firewall policies that allow HTTP connections through the FortiGate unit.
   - Select a content profile that p
...each L2TP client.
1. Go to User > Local.
2. Add and configure L2TP users. See Adding user names and configuring authentication on page 172.
3. Go to User > User Group.
4. Add and configure L2TP user groups. See Configuring user groups on page 177.

To enable L2TP and specify an address range
1. Go to VPN > L2TP > L2TP Range.
2. Select Enable L2TP.
3. Enter the Starting IP and the Ending IP for the L2TP address range.
4. Select the User Group that you added in To add users and user groups on page 209.
5. Select Apply to enable L2TP through the FortiGate unit.

Figure 30: Sample L2TP address range configuration (Enable L2TP selected; Starting IP 192.168.1.200; Ending IP 192.168.1.201; User Group L2TP_users)

To add source addresses
Add a source address for every address in the L2TP address range.
1. Go to Firewall > Address.
2. Select the interface to which L2TP clients connect.
3. Select New to add an address.
4. Enter the Address Name, IP Address and NetMask for an address in the L2TP address range.
5. Select OK to save the source address.
6. Repeat for all addresses in the L2TP address range.
Note: If the L2TP address range is comprised of an entire subnet, add an address for this subnet. Do not add an address group.

To add a source address group
Organize the s
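Both the PPTP and the L2TP procedures end with the same chore: one firewall address object per client address in the range, or a single subnet object when the range is exactly a subnet, and never an address group. The following added example (not FortiGate code) generates that list for any start/end pair, using the ranges from the guide's PPTP (192.168.1.100 to 192.168.1.110) and L2TP (192.168.1.200 to 192.168.1.201) figures as sample input. The object naming scheme, and the decision to treat a range as "an entire subnet" only when it aligns to a /30 or larger, are assumptions of the example.

```python
"""Expand a PPTP or L2TP address range into firewall address objects.

Added example, not FortiGate code. Follows the guide's note: one address
object per client address, or one subnet object when the range is exactly a
subnet, and no address groups. The naming scheme and the "/30 or larger"
rule for recognising a whole subnet are this example's assumptions.
"""
import ipaddress
import re

_NAME_OK = re.compile(r"^[0-9A-Za-z_-]+$")   # name charset from the guide


def address_objects(start, end, prefix):
    """Return [(name, ip, netmask)] covering start..end inclusive.

    A range that is exactly one aligned block of /30 or larger becomes a
    single subnet object; anything else becomes one /32 object per host.
    """
    lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if hi < lo:
        raise ValueError("ending IP must not be lower than starting IP")
    nets = list(ipaddress.summarize_address_range(lo, hi))
    if len(nets) == 1 and nets[0].prefixlen < 31:
        n = nets[0]
        name = f"{prefix}_{n.network_address}_{n.prefixlen}".replace(".", "_")
        return [(name, str(n.network_address), str(n.netmask))]
    objs = []
    for value in range(int(lo), int(hi) + 1):
        addr = ipaddress.IPv4Address(value)
        name = f"{prefix}_{addr}".replace(".", "_")
        assert _NAME_OK.match(name), name   # dots replaced, so always valid
        objs.append((name, str(addr), "255.255.255.255"))
    return objs


if __name__ == "__main__":
    for obj in address_objects("192.168.1.100", "192.168.1.110", "PPTP"):
        print(*obj)
    for obj in address_objects("192.168.1.200", "192.168.1.201", "L2TP"):
        print(*obj)
```

Generating the objects mechanically also avoids the usual slip of leaving one address out of the range, which silently denies that client once it draws the missing address.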
...eate a one-time schedule that activates or deactivates a policy for a specified period of time. For example, your firewall might be configured with the default policy that allows access to all services on the Internet at all times. You can add a one-time schedule to block access to the Internet during a holiday period.
To create a one-time schedule
1. Go to Firewall > Schedule > One-time.
2. Select New.
3. Type a Name for the schedule. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
4. Set the Start date and time for the schedule. Set Start and Stop times to 00:00 for the schedule to be active for the entire day.
5. Set the Stop date and time for the schedule. One-time schedules use a 24-hour clock.
6. Select OK to add the one-time schedule.

Figure 10: Adding a one-time schedule (New One-time Schedule dialog; note: start time should be earlier than stop time)

Creating recurring schedules
You can create a recurring schedule that activates or deactivates policies at specified times of the day or on specified days of the week. For example, you might want to prevent Internet use outside working hours by creating a recurring schedule.
If you create a recurring schedule wit
...ect the Next button to step through the wizard pages.
3. Confirm your configuration settings and then select Finish and Close.
Note: If you use the setup wizard to configure internal server settings, the FortiGate unit adds port forwarding virtual IPs and firewall policies for each server. For each server located on your internal network, the FortiGate unit adds an Ext->Int policy. Review these automatically created policies afterwards: each one opens a path from the external interface to an internal host, so remove any for servers that do not need to be reachable from the Internet.

Reconnecting to the web-based manager
If you used the setup wizard to change the IP address of the internal interface, you must reconnect to the web-based manager using the new IP address. Browse to https:// followed by the new IP address of the internal interface. Otherwise, you can reconnect to the web-based manager by browsing to https://192.168.1.99.
You have now completed the initial configuration of your FortiGate unit, and you can proceed to Connecting the FortiGate unit to your networks on page 37.

Using the command line interface
As an alternative to using the setup wizard, you can configure the FortiGate unit using the command line interface (CLI). To connect to the CLI, see Connecting to the command line interface (CLI) on page 20.

Configuring the FortiGate unit to operate in NAT/Route mode
Use the information that you gathered in Table 12 on page 34 to complete the following procedures.
Configuring NAT/Rout
...educing messages 218
attack prevention: configuring signature threshold values 221; enabling prevention signatures 220; NIDS 220
attack updates: configuring 77; scheduling 76; through a proxy server 78
authentication 143, 171: configuring 172; enabling 177; LDAP server 175; RADIUS server 174; timeout 122
auto device in route 101
AutoIKE 180: certificates 180; introduction 180; pre-shared keys 180
automatic antivirus and attack definition updates: configuring 77

B
backing up system settings 64
backup mode, modem 107, 110
bandwidth: guaranteed 142; maximum 143
banned word list: adding words 232, 246; restoring 247
blacklist, URL 237, 249
block traffic, IP/MAC binding 164
blocking: access to Internet sites 235, 248; access to URLs 235, 248; adding filename patterns 227; file 227; oversized files and email 228; URL 235; web pages 232, 246; web pattern blocking 237

C
certificates, introduction 180
checksum verification, configuring 216
clearing: communication sessions 70; URL block list 236
CLI: configuring IP addresses 36, 42; configuring NAT/Route mode 36; connecting to 20; upgrading the firmware 55, 57
comments: firewall policy 144; policy 144
connecting: to the FDN 74; to the FortiResponse Distribution Network 74; to your network 37, 43; web-based manager 19, 35
contact information: registration 89; SNMP 127
content blocking: exempting URLs 241, 249; web page 232, 246
content filter 231, 245
content profiles
164. eedadeseeceeit Laced eentdaseeseaeasieeesaasteceeneiseeectenesveness 64 Restoring system SettingS ccccececceeeeeeeeceeeeeseeeeeeeeeeeeeeeeeeseeeaeeeeeseeeeeeeeeseeeaeeeeseeenaeeees 64 Restoring system settings to factory defaults 0 ee eeeceeeeeeeeeeeeeeeeeeneeeeeteeeaaeeeseeenaeenes 65 Changing to Transparent mode cece eceeeee eee eeeeaeeeeeeeeaaeeeeeeeeaeeeeeeeenaeeeeeeeenaeeeeeeeeaaes 65 Changing to NAT Route MOda enesenn ninien AEAEE 66 Restarting the FortiGate Unit sssrini naiiai E E RANA E E N AAAA iA 66 4 Fortinet Inc Contents Shutting down the FortiGate Unit cece eeceeee erences eee eetaaeeeeeeeaaeeeeeeseeeeeeesaeeeeeee 66 SYSTOM SlALUS crni i aA N ERE E 67 Viewing CPU and memory Status ssiinssissiiisinsn anuk anni aaa Naa 67 Viewing sessions and network Status cceeeeceeeeeeeeeeeeeeeeeeeeeeeeeteeeaeeeeseeeeaeeeteeeaeees 68 Viewing virus and intrusions StatUS sisii ssrsiiiiianniidiiirananiindiranaii idda kanadia anaiai 69 SOSSIOM MISE E E E E E E E E A 70 Virus and attack definitions updates and registration cccccceeeeeeeeeeeeeeees 73 Updating antivirus and attack definitions eeeeeeeeeeeeeeeeeeeeeerneseeerrretteerrnseenrensennsssrennent 73 Connecting to the FortiResponse Distribution Network sssssssssseirssesrrrsseerrrsssrerrsssrns 74 Manually initiating antivirus and attack definitions Updates 0 eee eeeteeeeeeenees 75 Configuring Update logging 0
165. eeedeaaeneeeeecauansesedenneneeeeeeneneeees 225 POTINS SCANMIMG ss a a eddies lena eats 226 File pock osese E retuned 227 Blocking files in firewall traffic sisarseura inann EANNA ATANAN RANAN RAAT 227 Adding file patterns to DIOCK 00 00 ecccceee scene ee eeeeeneee eee eaaeeeeeeeaaeeeseeeaeeeeeeeenaeeeeeeenaaes 227 Blocking oversized files ANd emails 0 0 0 2 eee eeeeeeeeeeeeeeeeeeeeeeeeeeeceeeeeeeseeeeeeeeseeeaaeeeseeenaeeees 228 Configuring limits for oversized files and EMail cceeeeeeeeeeeeeeeeeeetteeeeeeettteeeeetees 228 Exempting fragmented email from DIOCKING ccecceeeeeeteeeeeeeeeteeeeeeetetieeeeeeetneeeeeeee 228 Viewing the Virus lISt iii cssenecaseddsnidareh E aAa a A AEE apiece 229 Wep HItEriN iii ass ceed aon ep See Ee tes ias trac eeni anapi asiana 231 General configuration Steps ccccecsseceeeeeeeeeneeeeeeeneeeeeedeeeeeeeeeaueeeeeeeneenaeeeeeneneeees 231 Content DIOCKING tiie ocd esecen cd cne eee E cdeeaeieecasdtpeees 232 Adding words and phrases to the Banned Word list ccccsceeeeeeeneeeeeeestteeeeeeenaaes 232 Clearing the Banned Word list 0 cecceeeeeeeceeeeeeeettneeeeeeecneeeeeeeaeeeeeetaeeeeeesiaeeeeere 233 Backing up the Banned Word list cecccceeeeseeeeeeeeeeenneeeeeeeaaeeeeeeeaaeeeeeeenaeeeeeeeaas 233 Restoring the Banned Word list cceeseceeceeeeenneeee eee eeneeeeeeeaaeeeeeeenaeeeesesiaeeeeeneaaas 233 WIRE DIOKNO fats Gaz sant ecztestidcncas
166. eeeeeeeeeeeeeeteeeaaeeeeeeeaaeeees 251 Recording logs on a NetIQ WebTrends server ccceeceeeeeeeeeeeeeceeeeeeettteeeeeetneeeeeeee 252 Log MESSAGE levels 0 0 eeeeeeeeeeeeeeeeeeeeteee cette eteaeeeeeeteaaeeeeeeseaeeeeeeseeeeaeeeeseceaeeeeteeenaeeees 253 Filtering log MESSAGES sec2i 5 ceieades ceneecd Me eeeeee dati deedevauneneest dias cceesy satineevevbiai S i 253 Configuring traffic logging 0 0 2 eect ceeeeee eee eeeneeeeeeeeeeaaeeeeeeeaaaeeeseeeaaaeeeeseeaeeeeeeseneeeeeeenaas 254 Enabling rafc JOGGING 22 5 c3scc2 beeatteets E eed 255 Configuring traffic filter setings ee ceeeeeeeeceeeee eee eeeeeee eee eeeeeeeeeeseeeeaeeeeseeeaeeeeseeeaaees 255 Adding trame iter entles iieevs ascezdvveneecuccrsiemeeeanneencedeve ands redcsias cedar aes 256 Contiguring alert omalll 1 22eccisees sectevadsaeebeeedebi ceveesdal deneeetadancvebevituactedebas anceectacs vain caudate 257 Adding alert email AddreSSES eee eeceeceeeeeenneee eee eetteeeeeeeaaeeeeeeeaaeeeeeesnaeeeeeeeenaeeeeeneeaas 257 Testing alert trail ic cccdcctecececsteaecevisiaieeeeesislaceeevisndlaceeoviiiiceesevataaacecdvatinescnvaiaieeseieniaas 258 Enabling alert Oral ice cictiees senved sce ponddeuectenvddedoens shesgueesenbededect wbidladuetphedladess EE 258 GIOSS INY srren eeaeee aaar 259 AO ae a a E a eeeinre Serr ER cero 263 FortiGate 50A Installation and Configuration Guide 11 Contents 12 Fortinet Inc RAT MET Introduction The FortiGat
167. eeeeeeeneeeeeeeeneeeeeeeenaeeeeeneaas 118 Assigning a RIP filter list to the outgoing filter eee ceeeeeeneteeeeeeeeteeeeeeenaeeeeeeenaas 119 System COMPQUPAUON caissas isoina naniii aaa ania aniani ai iian 121 Setting system date and timMe 0 66csceeccecceceeeeee ceecanete ededabneddceceunenddcccanbeadededenueedcuecanennees 121 6 Fortinet Inc Contents Changing system Options ccceceeeceeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeseneaeeeeseeeeaeeeeseeeaeeeeseeenaees 122 Adding and editing administrator accounts ccceeceeeeenteeeeeeeeeteeeeeeetnaeeeeeeeetaeeeeeeeaas 123 Adding new administrator ACCOUNS 0 eeceeeeeeeeeneeeeeeeeeneeeeeeeaaeeeeeeeaeeeeeeenaeeeeesenaaes 124 Editing administrator ACCOUNES cece eeeeeee eee eei EE 124 Configuring SNMP 00 0 eceeceeceeeeee eee eeeete eee eeeeeaeeeeeeeeeaeeeeseeeaaeeeeeeeeaeeeeeeeiaeeeeeeenaeeeeesenaaes 125 Configuring the FortiGate unit for SNMP monitoring 0 cceeeeeeeeeeeeeeeeeettteeeeeeeeee 126 Configuring FortiGate SNMP support 0 cece eeteee tere eete eee eeetteee eee taaeeeeeetaeeeeeread 126 FortiGate MIBS s2icci ccccciccccecncives ieanceceessduaceuteesaancedesssasaeeenrssanecueveaaabieeevasaaciaveestsaneeveeseane 128 FortiGate traps cccccccceceeceeeeeeeeeeec eee eeaaeaeceeeeeeeeeseceacaecaaeaeeeeeeeeeeeseesececccuccaseeeeeeeeeeess 129 Fortinet MIB field s sicccecccsdeeececisaceeeet tea cents a E anand ade 130 Replacement messages
168. eeeeereaa 13 Transparent MOS esses ve fees cosas donettaad desde vias wasted beeen tanta thane aaa a a ii 13 Document CONVENTIONS 0000 2 eee cere eee e eee eee erent deere eee seen anes eee naeeeeeeeaeeesereea 14 Fortinet documentations jade aiii pit EE einen 15 Comments on Fortinet technical documentation cccceeeeeeeeeeeeeeeeeeeeeteeneeeeeeeeaeeees 15 Customer service and technical SUPPOMt cc eeeceeeeeeeeeeeeenneeeeeeeaaeeeeeeeateeeeeeetaeeeeeneaees 16 Getting STATED sesicicnvrsidivadsstavecenserssctsncavenesereovninceqadiveveperndiiucipersebenguiunceneatennveveyee 17 Package COMIN exiiienicccterts Anecksdea seen i eeiveviadieaeeedie seed act eee eed anand tneeetade ed 18 MOU e EE dec nadeisheeee paps tak eneg tee A E E E 18 Powering ON ereciesrier inn venti teactveiaiiis needa A A 19 Connecting to the web based manager sssseessssssesrseesssrnnasrennnesssnnnaaannnnenesannnaaennnnannann 19 Connecting to the command line interface CLI cece eeteeeeeeeeteteeeeeeeeteeeeeetnaeeeeeeees 20 Factory default FortiGate configuration settings cccececeeeeeeeeeettteeeeeseieeeeeeetneeeeereea 22 Factory default DHCP Configuration 0 cecceeeeeeeeeeeeeee entrees ee eieeeeeetaeeeeesteeeeereea 22 Factory default NAT Route mode network Configuration cccceeeeeeeteeeeeenteeeeeeeenaes 23 Factory default Transparent mode network configuration ceeeeeseeeeeeeetteeeeeeeees 23 Factory default firewal
peer IDs during phase 1 negotiations.
Select Aggressive or Main (ID Protection) mode. When using aggressive mode, the VPN peers exchange identifying information in the clear. When using main mode, identifying information is hidden. The VPN peers must use the same mode.
Configure the P1 Proposal. Select up to three encryption and authentication algorithm combinations to propose for phase 1. The VPN peers must use the same P1 proposal settings.
Select the DH Group(s). Select one or more Diffie-Hellman groups to propose for phase 1. As a general rule, the VPN peers should use the same DH Group settings.
Enter the Keylife. The keylife is the amount of time in seconds before the phase 1 encryption key expires. When the key expires, a new key is generated without interrupting service. P1 proposal keylife can be from 120 to 172,800 seconds.
For Authentication Method, select Preshared Key or RSA Signature.
• Preshared Key: Enter a key that is shared by the VPN peers. The key must contain at least 6 printable characters and should only be known by network administrators. For optimum protection against currently known attacks, make sure the key consists of a minimum of 16 randomly chosen alphanumeric characters.
• RSA Signature: Select a local certificate that has been digitally signed by the certificate authority (CA). To add a local certificate to the FortiGate unit, see Obtaining a signed local certificate on page 190.
tunnel for all encrypt policies.
Allow inbound: Do not enable.
Allow outbound: Select allow outbound.
Inbound NAT: Select inbound NAT if required.
Outbound NAT: Select outbound NAT if required.
See Adding an encrypt policy on page 195.
5 Add an inbound encrypt policy. This policy controls the encrypted connections initiated by the remote VPN spokes. The encrypt policy for the hub must include the appropriate source and destination addresses and the tunnel added in step 1. Use the following configuration:
Source: The local VPN spoke address
Destination: External_All
Action: ENCRYPT
VPN Tunnel: The tunnel name added in step 1. Use the same tunnel for all encrypt policies.
Allow inbound: Select allow inbound.
Allow outbound: Do not enable.
Inbound NAT: Select inbound NAT if required.
Outbound NAT: Select outbound NAT if required.
See Adding an encrypt policy on page 195.
6 Arrange the policies in the following order:
• outbound encrypt policies
• inbound encrypt policy
• default non-encrypt policy (Internal_All > External_All)
Note: The default non-encrypt policy is required to allow the VPN spoke to access other networks such as the Internet.

Monitoring and Troubleshooting VPNs
• Viewing VPN tunnel status
• Viewing dialup VPN connection status
• Testing a VPN
Viewing VPN tunnel status
You can use the IPSec VPN tunnel list to view the status
select NAT, you can also select Dynamic IP Pool and Fixed Port. NAT is not available in Transparent mode.
Dynamic IP Pool: Select Dynamic IP Pool to translate the source address to an address randomly selected from an IP pool. The IP pool must be added to the destination interface of the policy. You cannot select Dynamic IP Pool if the destination interface is configured using DHCP or PPPoE. For information about adding IP pools, see IP pools on page 161.
Fixed Port: Select Fixed Port to prevent NAT from translating the source port. Some applications do not function correctly if the source port is changed. If you select Fixed Port, you must also select Dynamic IP Pool and add a dynamic IP pool address range to the destination interface of the policy. If you do not select Dynamic IP Pool, a policy with Fixed Port selected can only allow one connection at a time for this port or service.
VPN Tunnel: Select a VPN tunnel for an ENCRYPT policy. You can select an AutoIKE key or Manual Key tunnel. VPN Tunnel is not available in Transparent mode.
Allow inbound: Select Allow inbound so that users behind the remote VPN gateway can connect to the source address.
Allow outbound: Select Allow outbound so that users can connect to the destination address behind the remote VPN gateway.
Inbound NAT: Select Inbound NAT to translate the source address of incoming packets to the FortiGate internal IP address.
Outbound NAT: Select Outbound NAT to translate t
Select a group of users to be authenticated by XAuth. The individual users within the group can be authenticated locally or by one or more LDAP or RADIUS servers. The user group must be added to the FortiGate configuration before it can be selected here.
4 Optionally configure NAT Traversal.
Enable: Select Enable if you expect the IPSec VPN traffic to go through a gateway that performs NAT. If no NAT device is detected, enabling NAT traversal has no effect. Both ends of the VPN (both VPN peers) must have the same NAT traversal setting.
Keepalive Frequency: If you enable NAT traversal, you can change the number of seconds in the Keepalive Frequency field. This number specifies, in seconds, how frequently empty UDP packets are sent through the NAT device to ensure that the NAT mapping does not change until P1 and P2 keylife expires. The keepalive frequency can be from 0 to 900 seconds.
5 Optionally configure Dead Peer Detection. Use these settings to monitor the status of the connection between VPN peers. DPD allows dead connections to be cleaned up and new VPN tunnels established. DPD is not supported by all vendors. The DPD settings are Enable, Short Idle, Retry Count, Retry Interval and Long Idle.
Enable: Select Enable to enable DPD between the local and remote peers.
Short Idle: Set the time in seconds that a link must remain unused before the local VPN peer considers it to be idle. After this period of time expires, whenever the local peer sends traffic to the remot
when it blocks files affected by viruses.
Select Enable alert email for intrusions to have the FortiGate unit send an alert email to notify the system administrator of attacks detected by the NIDS.
Select Enable alert email for critical firewall/VPN events or violations to have the FortiGate unit send an alert email when a critical firewall or VPN event occurs. Critical firewall events include failed authentication attempts. Critical VPN events include when replay detection detects a replay packet. Replay detection can be configured for both manual key and AutoIKE Key VPN tunnels.
Select Send alert email when disk is full to have the FortiGate unit send an alert email when the hard disk is almost full.
Select Apply.

Glossary
Connection: A link between machines, applications, processes, and so on that can be logical, physical, or both.
DMZ (Demilitarized Zone): Used to host Internet services without allowing unauthorized access to an internal private network. Typically, the DMZ contains servers accessible to Internet traffic, such as Web (HTTP) servers, FTP servers, SMTP (email) servers and DNS servers.
DMZ interface: The FortiGate interface that is connected to a DMZ network.
DNS (Domain Name Service): A service that converts symbolic node names to IP addresses.
Ethernet: A local area network (LAN) architecture that uses a bus or star topology and supports data transfer rates of 10 Mbps. Ethernet is one of the mo
Cerberian users and groups and configure the Cerberian web filter, you can enable Cerberian URL filtering.
To enable Cerberian URL filtering
1 Go to Web Filter > URL Block > Cerberian URL Filtering.
2 Select the Cerberian URL Filtering option.
3 Go to Firewall > Content Profile.
4 Create a new or select an existing content profile and enable Web URL Block.
5 Go to Firewall > Policy.
6 Create a new or select an existing policy.
7 Select Anti-Virus & Web filter.
8 Select the content profile from the Content Profile list.
9 Select OK.

Script filtering
You can configure the FortiGate unit to remove Java applets, cookies and ActiveX scripts from the HTML web pages.
Note: Blocking any of these items might prevent some web pages from working properly.
• Enabling script filtering
• Selecting script filter options
Enabling script filtering
1 Go to Firewall > Content Profile.
2 Select the content profile for which you want to enable script filtering.
3 Select Script Filter.
4 Select OK.
Selecting script filter options
1 Go to Web Filter > Script Filter.
2 Select the script filter options that you want to enable. You can block Java applets, cookies and ActiveX.
3 Select Apply.
Figure 39: Example script filter settings to block Java applets and ActiveX (Filtering Options)
where you want the FortiGate unit to send email, in the format smtp.domain.com. The SMTP server can be located on any network connected to the FortiGate unit.
In the SMTP User field, type a valid email address in the format user@domain.com. This address appears in the From header of the alert email.
In the Password field, type the password that the SMTP user needs to access the SMTP server. A password is required if you select Authentication.
Type up to three destination email addresses in the Email To fields. These are the email addresses to which the FortiGate unit sends alert email.
Select Apply.
Testing alert email
You can test the alert email settings by sending a test email.
To send a test email
Go to Log & Report > Alert Mail > Configuration.
Select Test to send test email messages from the FortiGate unit to the Email To addresses.
Enabling alert email
You can configure the FortiGate unit to send alert email in response to virus incidents, intrusion attempts, and critical firewall or VPN events or violations. If you have configured logging to a local disk, you can enable sending an alert email when the hard disk is almost full.
To enable alert email
Go to Log & Report > Alert Mail > Categories.
Select Enable alert email for virus incidents. Alert email is not sent when antivirus file blocking deletes a file.
Select Enable alert email for block incidents to have the FortiGate unit send an alert email wh
users allowed to use Cerberian web filtering through the FortiGate unit.
To install a Cerberian licence key
1 Go to Web Filter > URL Block.
2 Select Cerberian URL Filtering.
3 Enter the license number.
4 Select Apply.
Adding a Cerberian user
The Cerberian web policies can be applied only to user groups. You can add users on the FortiGate unit and then add the users to user groups on the Cerberian administration web site. When the end user tries to access a URL, the FortiGate unit checks whether the user's IP address is in the IP address list on the FortiGate unit. If the user's IP address is in the list, the request is sent to the Cerberian server. Otherwise, an error message is sent to the user saying that the user does not have authorized access to the Cerberian web filter.
To add a Cerberian user
1 Go to Web Filter > URL Block.
2 Select Cerberian URL Filtering.
3 Select New.
4 Enter the IP address and netmask of the user computers. You can enter the IP address of a single user, for example 192.168.100.19 255.255.255.255. You can also enter a subnet of a group of users, for example 192.168.100.0 255.255.255.0.
5 Enter an alias for the user. The alias is used as the user name when you add the user to a user group on the Cerberian server. If you do not enter an alias, the user's IP is used and added to the default group on the Cerberian server.
6 Select OK.
packets and information messages relating to IP. This is the protocol used by the ping function when sending ICMP Echo Requests to a network host.
IKE (Internet Key Exchange): A method of automatically exchanging authentication and encryption keys between two secure servers.
IMAP (Internet Message Access Protocol): An Internet email protocol that allows access to your email from any IMAP-compatible browser. With IMAP, your mail resides on the server.
IP (Internet Protocol): The component of TCP/IP that handles routing.
IP Address: An identifier for a computer or device on a TCP/IP network. An IP address is a 32-bit numeric address written as four numbers separated by periods. Each number can be zero to 255.
L2TP (Layer Two (2) Tunneling Protocol): An extension to the PPTP protocol that enables ISPs to operate Virtual Private Networks (VPNs). L2TP merges PPTP from Microsoft and L2F from Cisco Systems. To create an L2TP VPN, your ISP's routers must support L2TP.
IPSec (Internet Protocol Security): A set of protocols that support secure exchange of packets at the IP layer. IPSec is most often used to support VPNs.
LAN (Local Area Network): A computer network that spans a relatively small area. Most LANs connect workstations and personal computers. Each computer on a LAN is able to access data and devices anywhere on the LAN. This means that many users can share data as well as physical resources such as printers.
MAC add
packets to be forwarded to the destination network.
In the Type section, select Port Forwarding.
Enter the External IP Address that you want to map to an address on the destination zone. You can set the external IP address to the IP address of the external interface selected in step 4 or to any other address. If the IP address of the external interface selected in step 4 is set using PPPoE or DHCP, you can enter 0.0.0.0 for the External IP Address; the FortiGate unit substitutes the IP address set for this external interface using PPPoE or DHCP. For example, if the virtual IP provides access from the Internet to a server on your internal network, the external IP address must be a static IP address obtained from your ISP for this server. This address must be a unique address that is not used by another host. However, this address must be routed to the external interface selected in step 4. The virtual IP address and the external IP address can be on different subnets.
10 Enter the External Service Port number that you want to configure port forwarding for. The external service port number must match the destination port of the packets to be forwarded. For example, if the virtual IP provides access from the Internet to a web server, the external service port number is 80, the HTTP port.
11 In Map to IP, enter the real IP address on the destinat
To enable NIDS attack prevention
1 Go to NIDS > Prevention.
2 Select the Enable Prevention check box in the top left corner.
Enabling NIDS attack prevention signatures
The NIDS Prevention module contains signatures that are designed to protect your network against attacks. Some signatures are enabled by default; others must be enabled. For a complete list of NIDS Prevention signatures and descriptions, see the FortiGate NIDS Guide.
To enable attack prevention signatures
Go to NIDS > Prevention.
Select the Enable check box beside each signature that you want to enable.
Select Check All to enable all signatures in the NIDS attack prevention signature list.
Select Uncheck All to disable all signatures in the NIDS attack prevention signature list.
Select Reset to Default Values to enable only the default NIDS attack prevention signatures and return to the default threshold values.
Setting signature threshold values
You can change the default threshold values for the NIDS Prevention signatures listed in Table 20. The threshold depends on the type of attack. For flooding attacks, the threshold is the maximum number of packets received per second. For overflow attacks, the threshold is the buffer size for the command. For large ICMP attacks, the threshold is the ICMP packet size limit to pass through. For example, setting the icmp
specific email address, type the email address, for example sender@abccompany.com.
• To exempt email sent from a specific domain, type the domain name, for example abccompany.com.
• To exempt email sent from a specific subdomain, type the subdomain name, for example mail.abccompany.com.
• To exempt email sent from an entire organization category, type the top-level domain name. For example, type net to exempt email sent from all organizations that use net as the top-level domain.
The pattern can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters hyphen (-), underscore (_) and period (.). Spaces and other special characters are not allowed.
Select OK to add the address pattern to the email exempt list.
Adding a subject tag
When the FortiGate unit receives email from an unwanted address or email that contains an item in the email banned word list, the FortiGate unit adds a tag to the subject line and sends the message to the destination email address. Email users can use their mail client software to filter the messages based on the subject tag.
To add a subject tag
Go to Email Filter > Config.
Type the Subject Tag that you want to display in the subject line of email received from unwanted addresses or that contains banned words. For example, type Unwanted Mail.
Note: Do not use quotation marks in the subject tags.
Select Apply.
The FortiGate unit adds the tag to the subject line of all unwa
configuration. The admin user is the only user who can go to the System Status page and manually update firmware, update the antivirus definitions, update the attack definitions, download or upload system settings, restore the FortiGate unit to factory defaults, restart the FortiGate unit, and shut down the FortiGate unit. There is only one admin user.
Read & Write: Can view and change the FortiGate configuration. Can view but cannot add, edit, or delete administrator accounts. Can change own administrator account password. Cannot make changes to system settings from the System Status page.
Read Only: Can view the FortiGate configuration.
Adding new administrator accounts
From the admin account, use the following procedure to add new administrator accounts and control their permission levels.
To add an administrator account
Go to System > Config > Admin.
Select New to add an administrator account.
Type a login name for the administrator account. The login name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
Type and confirm a password for the administrator account. For improved security, the password should be at least 6 characters long. The password can contain any characters except spaces.
Optionally type a Trusted Host IP address and netmask for the location from which the administrator can log into the web-based
filtering for IMAP and POP3 policies
• Configure oversized file and email blocking for HTTP, FTP, POP3, SMTP, and IMAP policies
• Pass fragmented email for POP3, SMTP, and IMAP policies
Using content profiles, you can build protection configurations that can be applied to different types of firewall policies. This allows you to customize types and levels of protection for different firewall policies. For example, while traffic between internal and external addresses might need strict protection, traffic between trusted internal addresses might need moderate protection. You can configure policies for different traffic services to use the same or different content profiles. Content profiles can be added to NAT/Route mode and Transparent mode policies.
• Default content profiles
• Adding content profiles
• Adding content profiles to policies
Default content profiles
The FortiGate unit has the following four default content profiles that are displayed on the Firewall Content Profile page. You can use the default content profiles or create your own.
Strict: To apply maximum content protection to HTTP, FTP, IMAP, POP3, and SMTP content traffic. You would not use the strict content profile under normal circumstances, but it is available if you have extreme problems with viruses and require maximum content screening protection.
Scan: To apply antivirus scanning to HTTP, FTP, IMAP
firewall to forward the connection to the Internet. The default policy also applies virus scanning to all HTTP, FTP, SMTP, POP3, and IMAP traffic matched by the policy. The policy applies virus scanning because the Antivirus & Web Filter option is selected and the Content profile is set to Scan. For more information about content profiles, see Content profiles on page 166.
Figure 4: Default firewall policy
ID   Source         Dest           Schedule   Service   Action   Enable   Config
1    Internal_All   External_All   Always     ANY       ACCEPT   (enabled)   (edit controls)
• Addresses
• Services
• Schedules
• Content profiles
Add policies to control connections between FortiGate interfaces and between the networks connected to these interfaces. To add policies between interfaces, the interfaces must include addresses. By default, the FortiGate unit is configured with two firewall addresses:
• Internal_All, added to the internal interface; this address matches all addresses on the internal network
• External_All, added to the external interface; this address matches all addresses on the external network
The firewall uses these addresses to match the source and destination addresses of packets received by the firewall. The default policy matches all connections from the internal network because it includes the Internal_All address. The default policy also matches all connections to the external networ
icmpflood signature threshold to 500 allows 500 echo requests from a source address to which the system sends echo replies. The FortiGate unit drops any requests over the threshold of 500. If you enter a threshold value of 0 or a number out of the allowable range, the FortiGate unit uses the default value.
Table 20: NIDS Prevention signatures with threshold values
Signature abbreviation   Threshold value (units)                                                   Default   Minimum   Maximum
synflood                 Threshold: Maximum number of SYN segments received per second             2048      1         1000000
synflood                 Queue Size: Maximum proxied connections                                   4096      100       1000000
synflood                 Timeout: Number of seconds for the SYN cookie to keep a proxied connection alive   15   1   3600
portscan                 Maximum number of SYN segments received per second                        512       1         1000000
srcsession               Total number of TCP sessions initiated from the same source               2048      1         1000000
ftpovfl                  Maximum buffer size for an FTP command (bytes)                            256       32        1408
smtpovfl                 Maximum buffer size for an SMTP command (bytes)                           512       32        1408
pop3ovfl                 Maximum buffer size for a POP3 command (bytes)                            512       32        1408
udpflood                 Maximum number of UDP packets received from the same source or sent to the same destination per second   2048   1   1000000
udpsrcsession            Total number of UDP sessions initiated from the same source               2048      1         1000000
icmpflood                Maximum number of ICMP packets received from the same source or sent to th
for bad routing information to clear the network during network convergence. The route is marked inaccessible and advertised as unreachable, and is no longer used for forwarding packets. The default for Holddown is 180 seconds.

Flush: The time in seconds that must elapse after the last update for a route before RIP removes the route from the routing table. Flush should be greater than the value of Invalid to allow the route to go into the holddown state. The default for Flush is 240 seconds.

Select Apply to save the changes.

Figure 1: Configuring RIP settings (Enable RIP; Enable Advertise Default; Default Metric 1; Input Queue 50; Output Delay 0; RIP Timer: Update 30 secs, Invalid 180 secs, Holddown 180 secs, Flush 240 secs)

Configuring RIP for FortiGate interfaces

You can customize a RIP configuration for each FortiGate interface. This allows you to customize RIP for the network to which each interface is connected.

To configure RIP for FortiGate interfaces:
1. Go to System > RIP > Interface. On this page you can view a summary of the RIP settings for each FortiGate interface.
2. Select Modify for the interface for which to configure RIP settings.
3. Configure any of the following RIP settings:

RIP1 Send: Enables sending RIP version 1 broadcasts from this interface to the network it is connected to.
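To make the Invalid, Holddown and Flush timers concrete, here is an added simulation of how a RIP route ages under the default values above. It is example code written for this page, not Fortinet's implementation; the holddown rule (only a better metric reinstalls a held-down route) is the standard RIP behaviour and is an assumption about the FortiGate unit.

```python
from dataclasses import dataclass
from typing import List, Optional

INFINITY = 16  # RIP metric that advertises a route as unreachable


@dataclass
class RipTimers:
    update: int = 30     # seconds between advertisements
    invalid: int = 180   # no update for this long: route marked unreachable
    holddown: int = 180  # window in which equal or worse updates are ignored
    flush: int = 240     # no update for this long: route removed from the table


def timers_valid(t: RipTimers) -> bool:
    """The manual's rule: Flush must exceed Invalid so a route can enter holddown."""
    positive = all(v > 0 for v in (t.update, t.invalid, t.holddown, t.flush))
    return positive and t.flush > t.invalid


@dataclass
class RipRoute:
    prefix: str
    gateway: str
    metric: int
    last_update: int                         # simulation clock, in seconds
    held_down_metric: Optional[int] = None   # metric before holddown, if held down


def age_routes(routes: List[RipRoute], now: int, t: RipTimers) -> List[RipRoute]:
    """Apply the Invalid and Flush timers; returns the routes still in the table."""
    kept = []
    for r in routes:
        age = now - r.last_update
        if age >= t.flush:
            continue                        # Flush expired: route removed
        if age >= t.invalid and r.held_down_metric is None:
            r.held_down_metric = r.metric   # Invalid expired: enter holddown
            r.metric = INFINITY             # advertised unreachable, not used to forward
        kept.append(r)
    return kept


def receive_update(r: RipRoute, metric: int, now: int, t: RipTimers) -> bool:
    """Process an advertisement for r's prefix; True if the update was accepted.

    While held down, only a metric better than the one the route had before it
    went down is accepted, so stale equal/worse advertisements cannot
    reinstall a dead route before the network has converged.
    """
    in_holddown = (r.held_down_metric is not None
                   and now - r.last_update < t.invalid + t.holddown)
    if in_holddown and metric >= r.held_down_metric:
        return False
    r.metric, r.last_update, r.held_down_metric = metric, now, None
    return True


def forwarding_routes(routes: List[RipRoute]) -> List[RipRoute]:
    """Routes usable for forwarding: anything not advertised as unreachable."""
    return [r for r in routes if r.metric < INFINITY]


if __name__ == "__main__":
    # Constructed route learned at t=0 via a neighbour on the internal LAN.
    t = RipTimers()
    route = RipRoute("10.0.0.0/8", "192.168.1.2", 3, last_update=0)
    table = [route]
    for now in (100, 200):
        table = age_routes(table, now, t)
        print(now, "usable:", len(forwarding_routes(table)), "metric:", route.metric)
    print("worse update accepted?", receive_update(route, 5, 200, t))   # False
    print("better update accepted?", receive_update(route, 2, 200, t))  # True
```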
for viruses. You can use the following procedure to change the antivirus configuration.

To change the antivirus configuration:
1. Select Edit to edit this policy.
2. For Anti-Virus & Web Filter, you can select a different Content Profile. See Factory default content profiles on page 25 for descriptions of the default content profiles.
3. Select OK to save your changes.

You can also add your own content profiles. See Adding content profiles on page 167.

Registering your FortiGate unit

After purchasing and installing a new FortiGate unit, you can register the unit by going to System > Update > Support, or by using a web browser to connect to http://support.fortinet.com and selecting Product Registration. Registration consists of entering your contact information and the serial numbers of the FortiGate units you or your organization have purchased. Registration is quick and easy. You can register multiple FortiGate units in a single session without re-entering your contact information. For more information about registration, see Registering FortiGate units on page 83.

Configuring virus and attack definition updates

You can go to System > Update to configure the FortiGate unit to automatically check to see if new versions of the virus definitions and attack definitions are available. If it finds new versions, the FortiGate unit automatically
from all address subdomains by adding the top level domain name. Alternatively, you can tag email sent from individual subdomains by including the subdomain to block.

• Adding address patterns to the email block list
• Downloading the email block list
• Uploading an email block list

Adding address patterns to the email block list

To add an address pattern to the email block list:
1. Go to Email Filter > Block List.
2. Select New.
3. Type a Block Pattern.
   • To tag email from a specific email address, type the email address. For example, sender@abccompany.com.
   • To tag email from a specific domain, type the domain name. For example, abccompany.com.
   • To tag email from a specific subdomain, type the subdomain name. For example, mail.abccompany.com.
   • To tag email from an entire organization category, type the top level domain name. For example, type com to tag email sent from all organizations that use com as the top level domain.
   The pattern can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters hyphen, underscore, and
   Spaces and other special characters are not allowed.
4. Select OK to add the address pattern to the Email Block list.

Downloading the email block list

You can back up the email block list by downloading it to a text file on the management computer.

To download the email block list:
1. Go to Email Filter > Block List.
2. Select Download.
The FortiGate unit downl
g a text editor and then upload the edited list to the FortiGate unit.

To upload the email block list:
1. In a text editor, create the list of patterns to block.
2. Using the web-based manager, go to Email Filter > Block List.
3. Select Upload.
4. Type the path and filename of your email block list text file, or select Browse and locate the file.
5. Select OK to upload the file to the FortiGate unit.
6. Select Return to display the updated email block list.

You can continue to maintain the email block list by making changes to the text file and uploading it again.

Email exempt list

Add address patterns to the exempt list to allow legitimate IMAP and POP3 traffic that might otherwise be tagged by email or content blocking. For example, if the email banned word list is set to block email that contains pornography-related words and a reputable company sends email that contains these words, the FortiGate unit would normally add a subject tag to the email. Adding the domain name of the reputable company to the exempt list allows IMAP and POP3 traffic from the company to bypass email and content blocking.

Adding address patterns to the email exempt list

To add an address pattern to the email exempt list:
1. Go to Email Filter > Exempt List.
2. Select New.
3. Type the address pattern that you want to exempt.
   • To exempt email sent from a speci
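The following added example models the block list pattern kinds from the previous section together with the exempt list precedence described here, plus the character check applied to an uploaded list; it is illustration code for this page, not Fortinet's code. It assumes that "@" and "." are permitted pattern characters (the manual's own examples use them), that a domain pattern also covers its subdomains, and that the subject tag text is configurable.

```python
import re
from typing import List, Tuple

# Permitted pattern characters: digits, letters, hyphen, underscore, plus the
# "@" and "." used in the manual's example patterns (assumption: the page's
# list of permitted special characters is truncated).
PATTERN_RE = re.compile(r"^[0-9A-Za-z@._-]+$")


def validate_pattern(pattern: str) -> bool:
    """Accept a block/exempt pattern only if it uses permitted characters (no spaces)."""
    return bool(PATTERN_RE.match(pattern))


def sender_domain(sender: str) -> str:
    """Domain part of an address, lower-cased; empty if there is no '@'."""
    return sender.rsplit("@", 1)[1].lower() if "@" in sender else ""


def pattern_matches(pattern: str, sender: str) -> bool:
    """Model of the four pattern kinds in the manual.

    sender@abccompany.com  exact address
    abccompany.com         the domain and (assumption) its subdomains
    mail.abccompany.com    one subdomain
    com                    every address whose top level domain is com
    """
    pattern = pattern.lower()
    if "@" in pattern:
        return sender.lower() == pattern
    domain = sender_domain(sender)
    return domain == pattern or domain.endswith("." + pattern)


def classify(sender: str, block_list: List[str], exempt_list: List[str]) -> str:
    """Return 'exempt', 'tagged' or 'pass' for one IMAP/POP3 message sender.

    Exempt patterns win, as the manual describes: a matching exempt entry lets
    the message bypass email blocking even if a block pattern also matches.
    """
    for pattern in exempt_list:
        if pattern_matches(pattern, sender):
            return "exempt"
    for pattern in block_list:
        if pattern_matches(pattern, sender):
            return "tagged"
    return "pass"


def tag_subject(subject: str, tag: str = "[SPAM]") -> str:
    """Prepend the subject tag added to tagged mail (the tag text is an assumption)."""
    return f"{tag} {subject}"


def load_list(text: str) -> Tuple[List[str], List[str]]:
    """Parse an uploaded list: one pattern per line; returns (accepted, rejected)."""
    good, bad = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        (good if validate_pattern(line) else bad).append(line)
    return good, bad


if __name__ == "__main__":
    # Constructed sample lists built from the manual's example patterns.
    block, rejected = load_list("sender@abccompany.com\nmail.abccompany.com\ncom\nbad pattern\n")
    exempt, _ = load_list("goodcorp.com\n")
    for s in ("sender@abccompany.com", "bob@mail.abccompany.com",
              "x@goodcorp.com", "x@example.org"):
        verdict = classify(s, block, exempt)
        print(s, "->", verdict, "|", tag_subject("hello") if verdict == "tagged" else "hello")
    print("rejected patterns:", rejected)
```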
g secip <second_ip> <netmask_ip>

You can also configure management access and add a ping server to the secondary IP address:

set system interface <intf_str> config secallowaccess ping https ssh snmp http telnet
set system interface <intf_str> config secgwdetect enabl

Adding a ping server to an interface

Add a ping server to an interface if you want the FortiGate unit to confirm connectivity with the next hop router on the network connected to the interface. Adding a ping server is required for routing failover. See Adding destination based routes to the routing table on page 101.

To add a ping server to an interface:
1. Go to System > Network > Interface.
2. Choose an interface and select Modify.
3. Set Ping Server to the IP address of the next hop router on the network connected to the interface.
4. Select the Enable check box. The FortiGate unit uses dead gateway detection to ping the Ping Server IP address to make sure that the FortiGate unit can connect to this IP address. To configure dead gateway detection, see Modifying the Dead Gateway Detection settings on page 123.
5. Select OK to save the changes.

Controlling administrative access to an interface

For a FortiGate unit running in NAT/Route mode, you can control administrative access to an interface to control how administrators access the FortiGate unit and the
ges such as mail.goodsite.com from all content and URL filtering rules, unless goodsite.com (without the www) is added to the exempt URL list.
Ensure that the Enable checkbox has been selected.
Select OK to add the URL to the exempt URL list.

You can enter multiple URLs and then select Check All to activate all items in the exempt URL list. You can disable all the URLs in the list by selecting Uncheck All. Each page of the exempt URL list displays 100 URLs. Use Page Down and Page Up to navigate the exempt URL list.

Figure 40: Example URL Exempt list (entries: www.goodsite.com, www.goodsite.com/index, 127.33.44.55)

Downloading the URL Exempt List

You can back up the URL Exempt List by downloading it to a text file on the management computer.
1. Go to Web Filter > URL Exempt.
2. Select Download URL Exempt List.
The FortiGate unit downloads the list to a text file on the management computer. You can specify a location to which to download the text file as well as a name for the text file.

Uploading a URL Exempt List

You can create a URL Exempt list in a text editor and then upload the text file to the FortiGate unit. Add one URL or pattern to each line of the text file. The word or phrase should be followed by a parameter specifying the status of
> & characters are not allowed.

Contact Information: Add the contact information for the person responsible for this FortiGate unit. The contact information can be up to 31 characters long and can contain spaces, numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. The < > & characters are not allowed.

Get Community: Also called read community, get community is a password to identify SNMP get requests sent to the FortiGate unit. When an SNMP manager sends a get request to the FortiGate unit, it must include the correct get community string. The default get community string is public. Change the default get community string to keep intruders from using get requests to retrieve information about your network configuration. The get community string must be used in your SNMP manager to enable it to access FortiGate SNMP information. The get community string can be up to 31 characters long and can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Spaces and the < > & characters are not allowed.

Trap Community: The trap community string functions like a password that is sent with SNMP traps. The default trap community string is public. Change the trap community string to the one accepted by your trap receivers. The trap community string can be up to 31 characters long and can contain numbers (0
> password <password_str>

For example, if the IP address of the proxy server is 64.23.6.89 and its port is 8080, enter the following command:

set system autoupdate tunneling enable address 64.23.6.89 port 8080

For more information about the set system autoupdate command, see Volume 6: FortiGate CLI Reference Guide.

The FortiGate unit connects to the proxy server using the HTTP CONNECT method, as described in RFC 2616. The FortiGate unit sends an HTTP CONNECT request to the proxy server (optionally with authentication information) specifying the IP address and port required to connect to the FDN. The proxy server establishes the connection to the FDN and passes information between the FortiGate unit and the FDN.

The CONNECT method is used mostly for tunneling SSL traffic. Some proxy servers do not allow the CONNECT to connect to any port; they restrict the allowed ports to the well known ports for HTTPS and perhaps some other similar services. Because FortiGate autoupdates use HTTPS on port 8890 to connect to the FDN, your proxy server might have to be configured to allow connections on this port. There are no special tunneling requirements if you have configured an override server address to connect to the FDN.

Enabling push updates

The FDN can push updates to FortiGate units to provide the fastest possible response to critical situations. You must register the FortiGate unit before it can receive push
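As an added illustration of the CONNECT exchange above (not Fortinet's code), the block below builds the request the unit would send for port 8890, parses the proxy's answer, and runs it against a constructed stand-in proxy that only allows well known ports, so you can see the 403 that a restrictive proxy produces. It assumes Basic proxy authentication (RFC 2617) for the optional credentials and uses fdn.example as a placeholder host.

```python
import base64
from typing import Optional, Tuple

FDN_PORT = 8890  # FortiGate autoupdates use HTTPS on this port (from the manual)


def build_connect_request(fdn_host: str, fdn_port: int,
                          username: Optional[str] = None,
                          password: Optional[str] = None) -> str:
    """Build the HTTP CONNECT request sent to the proxy (RFC 2616).

    Credentials, when given, go in a Proxy-Authorization header with the Basic
    scheme (RFC 2617); the scheme the FortiGate unit uses is an assumption.
    """
    lines = [f"CONNECT {fdn_host}:{fdn_port} HTTP/1.1",
             f"Host: {fdn_host}:{fdn_port}"]
    if username is not None:
        token = base64.b64encode(f"{username}:{password or ''}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_connect_response(raw: str) -> Tuple[int, str]:
    """Return (status code, reason) from the proxy's status line.

    200 means the tunnel is up and TLS to the FDN can start; 403 or 405 is the
    usual sign of a proxy that restricts CONNECT to well known ports such as
    443; 407 means the proxy wants credentials.
    """
    status_line = raw.split("\r\n", 1)[0]
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1]), (parts[2] if len(parts) > 2 else "")


def simulated_proxy(request: str, allowed_ports=(443,), require_auth=False) -> str:
    """Constructed stand-in proxy: answers CONNECT according to its port policy."""
    head = request.partition("\r\n\r\n")[0]
    request_line, *headers = head.split("\r\n")
    method, target, _version = request_line.split(" ")
    if method != "CONNECT":
        return "HTTP/1.1 405 Method Not Allowed\r\n\r\n"
    if require_auth and not any(h.startswith("Proxy-Authorization:") for h in headers):
        return "HTTP/1.1 407 Proxy Authentication Required\r\n\r\n"
    port = int(target.rsplit(":", 1)[1])
    if port not in allowed_ports:
        return "HTTP/1.1 403 Forbidden\r\n\r\n"
    return "HTTP/1.1 200 Connection established\r\n\r\n"


def tunnel_status(fdn_host: str, allowed_ports=(443,), username=None,
                  password=None, require_auth=False) -> int:
    """Run one CONNECT exchange against the simulated proxy; return the status code."""
    request = build_connect_request(fdn_host, FDN_PORT, username, password)
    code, _reason = parse_connect_response(
        simulated_proxy(request, allowed_ports, require_auth))
    return code


if __name__ == "__main__":
    print("proxy allows 443 only:", tunnel_status("fdn.example"))                # 403
    print("proxy also allows 8890:", tunnel_status("fdn.example", (443, 8890)))  # 200
    print("auth required, credentials sent:",
          tunnel_status("fdn.example", (443, 8890), "user", "pass", require_auth=True))
```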
h a stop time that occurs before the start time, the schedule starts at the start time and finishes at the stop time on the next day. You can use this technique to create recurring schedules that run from one day to the next. You can also create a recurring schedule that runs for 24 hours by setting the start and stop times to the same time.

To create a recurring schedule:
1. Go to Firewall > Schedule > Recurring.
2. Select New to create a new schedule.
3. Type a Name for the schedule. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
4. Select the days of the week that you want the schedule to be active on.
5. Set the Start and Stop hours in between which you want the schedule to be active. Recurring schedules use a 24-hour clock.
6. Select OK to save the recurring schedule.

Figure 11: Adding a recurring schedule (New Recurring Schedule; Name: working Week; day, hour and minute selectors). Notes shown in the figure: If the stop time is set earlier than the start time, the stop time will be during the next day. If the start time is equal to the stop time, the schedule will run for 24 hours.

Adding schedules to policies

After you create schedules, you can add them to policies to schedule when the policies are active. You can add the new schedules to policies when you create the policy, or you
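The two edge cases above (stop before start, and start equal to stop) are easy to get wrong when reasoning about when a policy is open, so here is an added evaluator for recurring schedules; it is example code for this page, not Fortinet's. It assumes the selected days are the days on which a run starts, that a wrapped window continues into the following morning even if that day is not selected, and that the stop time itself is exclusive.

```python
from datetime import datetime, time
from typing import Iterable, Optional

WEEKDAYS = ("mon", "tue", "wed", "thu", "fri", "sat", "sun")  # datetime.weekday() order


def schedule_active(days: Iterable[str], start: time, stop: time, when: datetime) -> bool:
    """Is a recurring schedule active at `when`?

    days         selected days of the week (names from WEEKDAYS) on which a run starts
    start, stop  24-hour clock times from the schedule
    Rules from the manual: start == stop runs 24 hours on each selected day;
    stop earlier than start runs past midnight into the next day.
    """
    selected = {d.lower() for d in days}
    today = WEEKDAYS[when.weekday()]
    yesterday = WEEKDAYS[(when.weekday() - 1) % 7]
    now = when.time()
    if start == stop:
        return today in selected
    if start < stop:
        return today in selected and start <= now < stop
    # Wraps midnight: active from start until midnight on a selected day, and
    # from midnight until stop on the morning after a selected day.
    return (today in selected and now >= start) or (yesterday in selected and now < stop)


def policy_permits(policies, when: datetime) -> Optional[str]:
    """Return the name of the first policy whose schedule is active (top-down matching)."""
    for name, days, start, stop in policies:
        if schedule_active(days, start, stop, when):
            return name
    return None


if __name__ == "__main__":
    # Constructed schedules: the manual's "working Week" plus a night window.
    working_week = ("mon", "tue", "wed", "thu", "fri")
    day = ("day", working_week, time(9, 0), time(17, 0))
    night = ("night", working_week, time(22, 0), time(6, 0))
    always_sun = ("sunday", ("sun",), time(0, 0), time(0, 0))  # 24-hour run
    for when in (datetime(2024, 1, 2, 10, 0),   # Tuesday morning
                 datetime(2024, 1, 6, 3, 0),    # Saturday 03:00, Friday night's run
                 datetime(2024, 1, 7, 23, 59),  # Sunday, 24-hour schedule
                 datetime(2024, 1, 1, 3, 0)):   # Monday 03:00, Sunday not selected
        print(when, "->", policy_permits([day, night, always_sun], when))
```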
h remote VPN spoke.
• A separate outbound encrypt policy for each remote VPN spoke. These policies allow the local VPN spoke to initiate encrypted connections.
• A single inbound encrypt policy. This policy allows the local VPN spoke to accept encrypted connections.

To create a VPN spoke configuration:
1. Configure a tunnel between the spoke and the hub. Choose between a manual key tunnel or an AutoIKE tunnel.
   • To add a manual key tunnel, see Manual key IPSec VPNs on page 181.
   • To add an AutoIKE tunnel, see AutoIKE IPSec VPNs on page 182.
2. Add the source address. One source address is required for the local VPN spoke. See Adding a source address on page 194.
3. Add a destination address for each remote VPN spoke. The destination address is the address of the spoke, either a client on the Internet or a network located behind a gateway. See Adding a destination address on page 194.
4. Add a separate outbound encrypt policy for each remote VPN spoke. These policies control the encrypted connections initiated by the local VPN spoke. The encrypt policy must include the appropriate source and destination addresses and the tunnel added in step 1. Use the following configuration:
   Source: The local VPN spoke address
   Destination: The remote VPN spoke address
   Action: ENCRYPT
   VPN Tunnel: The tunnel name added in step 1. Use the same tunn
Timer: that the FortiGate unit waits before switching from the modem interface to the primary interface after the primary interface has been restored. The default is 1 second. Configure a higher value if you find the FortiGate unit switching repeatedly between the primary interface and the modem interface.

Redundant for: To associate the modem interface with the ethernet interface that you want to either back up (backup configuration) or replace (standalone configuration).

Enter the following Dialup Account 1 settings:

Phone Number: The phone number required to connect to the dialup account. Do not add spaces to the phone number. Make sure to include standard special characters for pauses, country codes, and other functions as required by your modem to connect to your dialup account.
User Name: The user name (maximum 63 characters) sent to the ISP.
Password: The password sent to the ISP.

If you have multiple dialup accounts, enter Phone Number, User Name, and Password for Dialup Account 2 and Dialup Account 3.

Select Apply.

Connecting to a dialup account

Use the following procedure to connect the modem to a dialup account.

To connect to a dialup account:
1. Go to System > Network > Modem.
2. Select Enable USB Modem.
3. Make sure there is correct information in one or more Dialup Accounts.
4. Select Apply if you make any configuration changes.
5. Select Dial Up. The FortiGate unit initiates dialing into each dialup account in
he DHCP server. By default, this option is enabled.
Select Apply. The FortiGate unit attempts to contact the DHCP server from the interface to set the IP address, netmask, default gateway IP address, and DNS server IP addresses.
Select Status to refresh the addressing mode status message:
   initializing: No activity.
   connecting: The FortiGate unit is attempting to connect to the DHCP server.
   connected: The FortiGate unit retrieves an IP address, netmask, and other settings from the DHCP server.
   failed: The FortiGate unit was unable to retrieve an IP address and other information from the DHCP server.
Select OK.

Configuring an interface for PPPoE

Use the following procedure to configure any FortiGate interface to use PPPoE. If you configure the interface to use PPPoE, the FortiGate unit automatically broadcasts a PPPoE request. You can disable Connect to server if you are configuring the FortiGate unit offline and you do not want the FortiGate unit to send the PPPoE request. By default, the FortiGate unit also retrieves a default gateway IP address and DNS server IP addresses from the PPPoE server. You can disable the option Retrieve default gateway and DNS from server if you do not want the PPPoE server to configure these FortiGate settings.

To configure an interface for PPPoE:
1. Go to System > Network
he destination interface and then select Dynamic IP Pool in the policy. The firewall randomly selects an IP address from the IP pool and assigns it to each connection. In this case, the number of connections that the firewall can support is limited by the number of IP addresses in the IP pool.

IP pools and dynamic NAT

You can use IP pools for dynamic NAT. For example, your organization might have purchased a range of Internet addresses, but you might have only one Internet connection on the external interface of your FortiGate unit. You can assign one of your organization's Internet IP addresses to the external interface of the FortiGate unit. If the FortiGate unit is operating in NAT/Route mode, all connections from your network to the Internet appear to come from this IP address.

If you want connections to originate from all your Internet IP addresses, you can add this address range to an IP pool for the external interface. Then you can select Dynamic IP Pool for all policies with the external interface as the destination. For each connection, the firewall dynamically selects an IP address from the IP pool to be the source address for the connection. As a result, connections to the Internet appear to be originating from any of the IP addresses in the IP pool.

IP/MAC binding

IP/MAC binding protects the FortiGate unit and your network from IP spoofing attacks. IP spoofing
he internal network.
Configure the default route to the external network.

Web-based manager example configuration steps

To configure the FortiGate basic settings, a static route, and a default route using the web-based manager:
1. Go to System > Status.
   • Select Change to Transparent Mode.
   • Select Transparent in the Operation Mode list.
   • Select OK.
   The FortiGate unit changes to Transparent mode.
2. Go to System > Network > Management.
   • Change the Management IP and Netmask: IP 192.168.1.1, Mask 255.255.255.0.
   • Select Apply.
3. Go to System > Network > Routing.
   • Select New to add the static route to the management computer: Destination IP 172.16.1.11, Mask 255.255.255.0, Gateway 192.168.1.3.
   • Select OK.
   • Select New to add the default route to the external network: Destination IP 0.0.0.0, Mask 0.0.0.0, Gateway 192.168.1.2.
   • Select OK.

CLI configuration steps

To configure the FortiGate basic settings, a static route, and a default route using the CLI:
1. Set the system to operate in Transparent Mode:
   set system opmode transparent
2. Add the Management IP address and Netmask:
   set system management ip 192.168.1.1 255.255.255.0
3. Add the static route to the management computer:
   set system route number 1 dst 172.16.1.11 255.255.255.0 gw1 192.168.1.3
4. Add the default route to the exter
he packet using the default route.

Configuring routing

To configure the routing table:
1. Go to System > Network > Routing Table.
2. Choose the route that you want to move and select Move to, to change its order in the routing table.
3. Type a number in the Move to field to specify where in the routing table to move the route, and select OK.
4. Select Delete to delete a route from the routing table.

Figure 9: Routing table (columns IP, Mask, Gateway 1, Gateway 2, Device 1, Device 2; route 1: 10.10.10.0, 255.255.255.0, gateway 1 120.45.67.10, device external; route 2: 0.0.0.0, 0.0.0.0, gateway 1 64.230.129.22, gateway 2 120.45.67.19, device external)

Policy routing

Policy routing extends the functions of destination routing. Using policy routing, you can route traffic based on the following:
• Destination address
• Source address
• Protocol, service type, or port range
• Incoming or source interface

Using policy routing, you can build a routing policy database (RPDB) that selects the appropriate route for traffic by applying a set of routing rules. To select a route for traffic, the FortiGate unit matches the traffic with the policy routes added to the RPDB, starting at the top of the list. The first policy route that matches is used to set the route for the traffic. The route supplies the next hop gateway as well as the FortiGate interface to be used by the traffic. Packets are matched
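To show how top-down matching works for both the RPDB and the ordered routing table described here (including why route order matters), the following added example implements the lookup in Python. It is illustration code for this page, not Fortinet's; the gateway and destination values come from the routing table figure above, while the 192.168.1.0/24 source network and the policy route itself are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class PolicyRoute:
    """One RPDB entry; a criterion left as None means 'any'."""
    gateway: str
    interface: str
    dst: Optional[str] = None                 # destination network
    src: Optional[str] = None                 # source network
    protocol: Optional[int] = None            # IP protocol number (6 TCP, 17 UDP)
    ports: Optional[Tuple[int, int]] = None   # inclusive destination port range
    in_interface: Optional[str] = None        # incoming (source) interface


@dataclass
class StaticRoute:
    """One routing table entry: destination/mask, gateway 1 and its device."""
    dst: str
    gateway: str
    interface: str


@dataclass
class Packet:
    src: str
    dst: str
    protocol: int
    dport: int
    in_interface: str


def policy_route_matches(route: PolicyRoute, pkt: Packet) -> bool:
    """Every criterion that is set on the policy route must match the packet."""
    if route.dst and ip_address(pkt.dst) not in ip_network(route.dst, strict=False):
        return False
    if route.src and ip_address(pkt.src) not in ip_network(route.src, strict=False):
        return False
    if route.protocol is not None and route.protocol != pkt.protocol:
        return False
    if route.ports and not (route.ports[0] <= pkt.dport <= route.ports[1]):
        return False
    if route.in_interface and route.in_interface != pkt.in_interface:
        return False
    return True


def select_route(rpdb: List[PolicyRoute], routing_table: List[StaticRoute],
                 pkt: Packet) -> Optional[Tuple[str, str, str]]:
    """Return (gateway, interface, source) for a packet, or None if unroutable.

    Policy routes are tried top-down and the first match wins. Otherwise the
    routing table is walked top-down the same way, so a more general route
    placed above a more specific one shadows it (hence the manual's advice to
    order routes from more specific to more general).
    """
    for route in rpdb:
        if policy_route_matches(route, pkt):
            return route.gateway, route.interface, "policy"
    for route in routing_table:
        if ip_address(pkt.dst) in ip_network(route.dst, strict=False):
            return route.gateway, route.interface, "static"
    return None


# Constructed tables using the addresses shown in the manual's routing table figure.
ROUTING_TABLE = [
    StaticRoute("10.10.10.0/255.255.255.0", "120.45.67.10", "external"),
    StaticRoute("0.0.0.0/0.0.0.0", "64.230.129.22", "external"),
]
RPDB = [
    # Web traffic from the internal LAN leaves via the second gateway.
    PolicyRoute("120.45.67.19", "external", src="192.168.1.0/24", protocol=6,
                ports=(80, 80), in_interface="internal"),
]

if __name__ == "__main__":
    web = Packet("192.168.1.20", "8.8.8.8", 6, 80, "internal")
    dns = Packet("192.168.1.20", "8.8.8.8", 17, 53, "internal")
    print("web:", select_route(RPDB, ROUTING_TABLE, web))   # policy route
    print("dns:", select_route(RPDB, ROUTING_TABLE, dns))   # default static route
```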
he source address of outgoing packets to the FortiGate external IP address.

Traffic Shaping: Traffic Shaping controls the bandwidth available to, and sets the priority of, the traffic processed by the policy. Traffic Shaping makes it possible to control which policies have the highest priority when large amounts of data are moving through the FortiGate device. For example, the policy for the corporate web server might be given higher priority than the policies for most employees' computers. An employee who needs unusually high-speed Internet access could have a special outgoing policy set up with higher bandwidth. If you set both guaranteed bandwidth and maximum bandwidth to 0, the policy does not allow any traffic.

Guaranteed Bandwidth: You can use traffic shaping to guarantee the amount of bandwidth available through the firewall for a policy. Guarantee bandwidth (in Kbytes) to make sure that there is enough bandwidth available for a high priority service.

Maximum Bandwidth: You can also use traffic shaping to limit the amount of bandwidth available through the firewall for a policy. Limit bandwidth to keep less important services from using bandwidth needed for more important services.

Traffic Priority: Select High, Medium, or Low. Select Traffic Priority so that the FortiGate unit manages the relative priorities of different types of traffic. For example, a policy for connect
he uploaded system settings have taken effect.

Restoring system settings to factory defaults

Use the following procedure to restore system settings to the values set at the factory. This procedure does not change the firmware version or the antivirus or attack definitions.

Caution: This procedure deletes all changes that you have made to the FortiGate configuration and reverts the system to its original configuration, including resetting interface addresses.

To restore system settings to factory defaults:
1. Go to System > Status.
2. Select Restore Factory Defaults.
3. Select OK to confirm. The FortiGate unit restarts with the configuration that it had when it was first powered on.
4. Reconnect to the web-based manager and review the system configuration to confirm that it has been reset to the default settings.

For information about restoring system settings, see Restoring system settings on page 64.

Changing to Transparent mode

Use the following procedure to change the FortiGate unit from NAT/Route mode to Transparent mode. After you change the FortiGate unit to Transparent mode, most of the configuration resets to Transparent mode factory defaults. The following items are not set to Transparent mode factory defaults:
• The admin administrator account password (see Adding and editing administrator accounts on page 123)
• Custom repla
host names
• display the port number or service

The traffic filter list displays the name, source address and destination address, and the protocol type of the traffic to be filtered.

Configuring traffic logging

This section describes:
• Enabling traffic logging
• Configuring traffic filter settings
• Adding traffic filter entries

Enabling traffic logging

You can enable logging on any interface and firewall policy.

Enabling traffic logging for an interface

If you enable traffic logging for an interface, all connections to and through the interface are recorded in the traffic log.

To enable traffic logging for an interface:
1. Go to System > Network > Interface.
2. Select Edit in the Modify column beside the interface for which you want to enable logging.
3. For Log, select Enable.
4. Select OK.
Repeat this procedure for each interface for which you want to enable logging.

Enabling traffic logging for a firewall policy

If you enable traffic logging for a firewall policy, all connections accepted by the firewall policy are recorded in the traffic log.

To enable traffic logging for a firewall policy:
1. Go to Firewall > Policy.
2. Select a policy tab.
3. Select Log Traffic.
4. Select OK.

Configuring traffic filter settings

You can configure the information recorded in all traffic log messages.

To configure traffic filter settings:
1. Go to Log & Report > Log Setti
iGate interface. You can also configure a DHCP server for more than one FortiGate interface. For each DHCP server configuration you can add multiple scopes (also called address scopes) so that the DHCP server can assign IP addresses to computers on multiple subnets.

Use these procedures to configure an interface as a DHCP server:
• Adding a DHCP server to an interface
• Adding scopes to a DHCP server
• Adding a reserve IP to a DHCP server
• Viewing a DHCP server dynamic IP list

Adding a DHCP server to an interface

To add a DHCP server to an interface:
1. Go to System > Network > DHCP.
2. Select Service.
3. Select an interface.
4. Select DHCP Server.
5. Select Apply.

Adding scopes to a DHCP server

If you have configured an interface as a DHCP server, the interface requires at least one scope (also called an address scope). The scope designates the starting IP and ending IP for the range of addresses that the FortiGate unit assigns to DHCP clients. You can add multiple scopes to an interface so that the DHCP server added to that interface can supply IP addresses to computers on multiple subnets. Add multiple scopes if the DHCP server receives DHCP requests from subnets that are not connected directly to the FortiGate unit. In this case, the DHCP requests are sent to the FortiGate unit through DHCP relay. DHCP relay packets contain DHCP relay IP, which is the IP address of the subnet from which the DHCP relay received the request. If the D
icy intercepts the connection attempt and starts the VPN tunnel added to the policy. The tunnel uses the remote gateway added to its configuration to connect to the remote VPN gateway. When the remote VPN gateway receives the connection attempt, it checks its own policy, gateway, and tunnel configuration. If the configuration is allowed, an IPSec VPN tunnel is negotiated between the two VPN peers.

• Adding a source address
• Adding a destination address
• Adding an encrypt policy

Adding a source address

The source address is located within the internal network of the local VPN peer. It can be a single computer address or the address of a network.

To add a source address:
1. Go to Firewall > Address.
2. Select an internal interface.
3. Select New to add an address.
4. Enter the Address Name, IP Address, and NetMask for a single computer or for an entire subnetwork on an internal interface of the local VPN peer.
5. Select OK to save the source address.

Adding a destination address

The destination address can be a VPN client address on the Internet or the address of a network behind a remote VPN gateway.

To add a destination address:
1. Go to Firewall > Address.
2. Select an external interface.
3. Select New to add an address.
4. Enter the Address Name, IP Address, and NetMask for a single computer or for an entire subnetwork on an internal interface of the remote
Figure 1: CPU and memory status monitor (Automatic Refresh Interval: 5 seconds; tabs CPU & Memory, Sessions & Network, Virus & Intrusions; CPU Usage and CPU Usage History (last 1 min); Memory Usage and Memory Usage History (last 1 min))

Viewing sessions and network status

Use the session and network status display to track how many network sessions the FortiGate unit is processing and to see what effect the number of sessions has on the available network bandwidth. Also, by comparing CPU and memory usage with session and network status, you can see how much demand network traffic is putting on system resources.

The Sessions section displays the total number of sessions being processed by the FortiGate unit on all interfaces. It also displays the sessions as a percentage of the maximum number of sessions that the FortiGate unit is designed to support.

The Network utilization section displays the total network bandwidth being used through all FortiGate interfaces. It also displays network utilization as a percentage of the maximum network bandwidth that can be processed by the FortiGate unit.

To view sessions and network status:
1. Go to System > Status > Monitor.
2. Select Sessions & Network.
Sessions and network status is displayed. The display includes bar graphs of the current number of sessions and current network utilization, as well as line graphs of session and network utilizat
iles, including files compressed with up to 12 layers of compression using zip, rar, gzip, tar, upx, and OLE, in the content streams for which you enable antivirus protection. Each file is tested to determine the file type and the most effective method of scanning the file for viruses. For example, binary files are scanned using binary virus scanning, and Microsoft Office files containing macros are scanned for macro viruses.

FortiGate virus scanning does not scan the following file types:
• cdimage
• floppy image
• ace
• bzip2
• Tar Gzip Bzip2

If a file is found to contain a virus, the FortiGate unit removes the file from the content stream and replaces it with a replacement message.

To scan FortiGate firewall traffic for viruses:
1. Select antivirus scanning in a content profile. For information about content profiles, see Adding content profiles on page 167.
2. Add this content profile to firewall policies to apply virus scanning to the traffic controlled by the firewall policy. See Adding content profiles to policies on page 169.

Figure 34: Example content profile for virus scanning (Profile Name: Virus scanning; Anti-Virus Scan selected for HTTP, FTP, IMAP, POP3, and SMTP; File Block, Web URL Block, Web Content Block, Web Script Filter, Web Exempt List, Email Block List, Email Exempt List, and Email Content Block not selected)
ing Configuration and Reference Guide.

Email banned word list

When the FortiGate unit detects an email that contains a word or phrase in the banned word list, the FortiGate unit adds a tag to the subject line of the email and writes a message to the event log. Receivers can then use their mail client software to filter messages based on the subject tag. You can add banned words to the list in many languages using Western, Simplified Chinese, Traditional Chinese, Japanese, or Korean character sets.

• Adding words and phrases to the email banned word list
• Downloading the email banned word list
• Uploading the email banned word list

Adding words and phrases to the email banned word list

To add a word or phrase to the banned word list:
1. Go to Email Filter > Content Block.
2. Select New.
3. Type a banned word or phrase.
   • If you type a single word (for example, banned), the FortiGate unit tags all IMAP and POP3 email that contains that word.
   • If you type a phrase (for example, banned phrase), the FortiGate unit tags email that contains both words. When this phrase appears on the banned word list, the FortiGate unit inserts plus signs in place of spaces (for example, banned+phrase).
   • If you type a phrase in quotes (for example, "banned word"), the FortiGate unit tags all email in which the words are found together as a phrase.
Conte
...ing to a secure web server needed to support e-commerce traffic should be assigned a high traffic priority. Less important services should be assigned a low priority. The firewall provides bandwidth to low priority connections only when bandwidth is not needed for high priority connections.

Authentication
Select Authentication and select a user group to require users to enter a user name and password before the firewall accepts the connection. Select the user group to control the users that can authenticate with this policy. For information about adding and configuring user groups, see "Configuring user groups" on page 177. You must add user groups before you can select Authentication.

You can select Authentication for any service. Users can authenticate with the firewall using HTTP, Telnet or FTP. For users to be able to authenticate, you must add an HTTP, Telnet or FTP policy that is configured for authentication. When users attempt to connect through the firewall using this policy, they are prompted to enter a firewall username and password.

If you want users to authenticate to use other services (for example, POP3 or IMAP), you can create a service group that includes the services for which you want to require authentication as well as HTTP, Telnet and FTP. Then users could authenticate with the policy using HTTP, Telnet or FTP before using the other service.

In most cases you should make sure that users can use DNS through the firewall
...interface that is on a different subnet than the destination IP address of the packets without routing them using the default route.

Set Device 2 to the FortiGate interface through which to route traffic to connect to Gateway 2. You can select the name of an interface or Auto (the default). If you select the name of an interface, the traffic is routed to that interface. If you select Auto, the system selects the interface according to the following rules:
• If the Gateway 2 IP address is on the same subnet as a FortiGate interface, the system sends the traffic to that interface.
• If the Gateway 2 IP address is not on the same subnet as a FortiGate interface, the system routes the traffic to the external interface using the default route.
You can use Device 2 to send packets to an interface that is on a different subnet than the destination IP address of the packets without routing them using the default route.

Select OK to save the route.

Note: Any two routes in the routing table must differ by something other than just the gateway to be simultaneously active. If two routes added to the routing table are identical except for their gateway IP addresses, only the route closer to the top of the routing table can be active.

Note: Arrange routes in the routing table from more specific to more general. For informa
...inue to complete the registration. If you have entered a support contract number, a real-time validation is performed to verify that the SCN information matches the FortiGate unit. If the information does not match, you can try entering it again. A web page is displayed that contains detailed information about the Fortinet technical support services available to you for the registered FortiGate unit. Your Fortinet support user name and password is sent to the email address provided with your contact information.

Updating registration information
You can use your Fortinet support user name and password to log on to the Fortinet Support web site at any time to view or update your Fortinet support information. This section describes:
• Recovering a lost Fortinet support password
• Viewing the list of registered FortiGate units
• Registering a new FortiGate unit
• Adding or changing a FortiCare Support Contract number
• Changing your Fortinet support password
• Changing your contact information or security question
• Downloading virus and attack definitions updates

Recovering a lost Fortinet support password
If you provided a security question and answer when you registered on the Fortinet support web site, you can use the following procedure to receive a replacement password. If you did not provide a security question and answer, contact Fortinet technical support.
...ion network. For example, the real IP address could be the IP address of a web server on an internal network.

In Map to Port, enter the port number to be added to packets when they are forwarded. If you do not want to translate the port, enter the same number as the External Service Port. If you want to translate the port, enter the port number to which to translate the destination port of the packets when they are forwarded by the firewall.

Select the protocol (TCP or UDP) that you want the forwarded packets to use.

Select OK to save the port forwarding virtual IP.

Figure 13: Adding a port forwarding virtual IP (Add New Virtual IP Mapping dialog; Name: Web_Server; Type: Port Forwarding; External IP Address: 173.87.39.21; Map to IP: 10.10.10.5; External Service Port and Map to Port set to the same port; Protocol: TCP)

Adding policies with virtual IPs
Use the following procedure to add a policy that uses a virtual IP to forward packets.

To add a policy with a virtual IP
1 Go to Firewall > Policy.
2 Select the type of policy that you want to add.
• The source interface must match the interface selected in the External Interface list.
• The destination interface must match the interface connected to the network with the Map to IP address.
3 Use the following information to configure the policy:
Source: Select the source address from which users can ac
...ion usage for the last minute. The line graph scales are shown in the upper left corner of the graph. Set the automatic refresh interval and select Go to control how often the web-based manager updates the display. More frequent updates use system resources and increase network traffic. However, this only occurs when you are viewing the display using the web-based manager. Select Refresh to manually update the information displayed.

Figure 2: Sessions and network status monitor (Automatic Refresh Interval: 10 seconds; tabs CPU & Memory, Sessions & Network, Virus & Intrusions; panels Sessions, Session History (last 1 min), Network Utilization, Network Utilization History (last 1 min))

Viewing virus and intrusions status
Use the virus and intrusions status display to track when viruses are found by the FortiGate antivirus system and to track when the NIDS detects a network-based attack.

To view virus and intrusions status
1 Go to System > Status > Monitor.
2 Select Virus & Intrusions.
Virus and intrusions status is displayed. The display includes bar graphs of the number of viruses and intrusions detected per hour as well as line graphs of the number of viruses and intrusions detected for the last 20 hours. Set the automatic refresh interval and select Go to control how often the web-based manager updates the di
...irus, Web filter and email filter log messages.
6 Information: General information about system operations, Antivirus, Web filter and email filter log messages, and other event log messages.

Filtering log messages
You can configure the logs that you want to record and the message categories that you want to record in each log.

To filter log entries
1 Go to Log & Report > Log Setting.
2 Select Config Policy for the log location that you selected in "Recording logs" on page 251.
3 Select the log types that you want the FortiGate unit to record:
Traffic Log: Record all connections to and through the interface. To configure traffic filtering, see "Adding traffic filter entries" on page 256.
Event Log: Record management and activity events in the event log. Management events include changes to the system configuration as well as administrator and user logins and logouts. Activity events include system activities such as VPN tunnel establishment and HA failover events.
Virus Log: Record virus intrusion events such as when the FortiGate unit detects a virus, blocks a file type, or blocks an oversized file or email.
Web Filtering Log: Record activity events such as URL and content blocking and exemption of URLs from blocking.
Attack Log: Record attacks detected by the NIDS and prevented by the NIDS Prevention module.
Email Filter Log: Rec
Update
...ist
• Restoring the Banned Word list

Adding words and phrases to the Banned Word list
1 Go to Web Filter > Content Block.
2 Select New to add a word or phrase to the Banned Word list.
3 Choose a language or character set for the banned word or phrase. You can choose Western, Chinese Simplified, Chinese Traditional, Japanese or Korean. Your computer and web browser must be configured to enter characters in the character set that you choose.
4 Type a banned word or phrase.
• If you type a single word (for example, banned), the FortiGate unit blocks all web pages that contain that word.
• If you type a phrase (for example, banned phrase), the FortiGate unit blocks web pages that contain both words. When this phrase appears on the banned word list, the FortiGate unit inserts plus signs in place of spaces (for example, banned+phrase).
• If you type a phrase in quotes (for example, "banned word"), the FortiGate unit blocks all web pages in which the words are found together as a phrase.
Content filtering is not case sensitive. You cannot include special characters in banned words.
5 To enable the banned word, ensure that the Enable checkbox is selected.
6 Select OK.
The word or phrase is added to the Banned Word list. You can enable all the words on the banned word list by selecting Check All. You can disable all the words on the banned word list by selecting Uncheck All.
[illegible entry] 202
PPTP and L2TP VPN 203
Configuring PPTP 203
Configuring the FortiGate unit as a PPTP gateway 203
Configuring a Windows 98 client for PPTP 206
Configuring a Windows 2000 client for PPTP 207
Configuring a Windows XP client for PPTP 207
Configuring L2TP 209
Configuring the FortiGate unit as an L2TP gateway 209
Configuring a Windows 2000 client for L2TP 211
Configuring a Windows XP client for L2TP 213
Network Intrusion Detection System (NIDS) 215
Detecting attacks 215
Selecting the interfaces to monitor 216
Disabling monitoring interfaces 216
Configuring checksum verification
...k because it includes the External_All address. You can add more addresses to each interface to improve the control you have over connections through the firewall. For more information about firewall addresses, see "Addresses" on page 146.

You can also add firewall policies that perform network address translation (NAT). To use NAT to translate destination addresses, you must add virtual IPs. Virtual IPs map addresses on one network to a translated address on another network. For more information about Virtual IPs, see "Virtual IPs" on page 157.

Services
Policies can control connections based on the service or destination port number of packets. The default policy accepts connections using any service or destination port number. The firewall is configured with over 40 predefined services. You can add these services to a policy for more control over the services that can be used by connections through the firewall. You can also add user-defined services. For more information about services, see "Services" on page 149.

Schedules
Policies can control connections based on the time of day or day of the week when the firewall receives the connection. The default policy accepts connections at any time. The firewall is configured with one schedule that accepts connections at any time. You can add more schedules to control when policies are active. For more information about schedules, see "Schedules" on page 154.

Content profiles
(policy dialog figure, continued: ...kBytes/s; Traffic Priority: High; Anti-Virus & Web filter selected with Content Profile: Strict; Log Traffic; Comments (maximum 63 characters); OK / Cancel)

IPSec VPN concentrators
In a hub-and-spoke network, all VPN tunnels terminate at a single VPN peer called a hub. The peers that connect to the hub are known as spokes. The hub functions as a concentrator on the network, managing the VPN connections between the spokes.

The advantage of a hub-and-spoke network is that the spokes are simpler to configure because they require fewer policy rules. Also, a hub-and-spoke network provides some processing efficiencies, particularly on the spokes.

The disadvantage of a hub-and-spoke network is its reliance on a single peer to handle management of all VPNs. If this peer fails, encrypted communication in the network is impossible.

A hub-and-spoke VPN network requires a special configuration. Setup varies depending on the role of the VPN peer.

If the VPN peer is a FortiGate unit functioning as the hub or concentrator, it requires a VPN configuration connecting it to each spoke (AutoIKE phase 1 and 2 settings or manual key settings) plus encrypt policies. It also requires a concentrator configuration that groups the hub and spoke tunnels together. The concentrator configuration defines the FortiGate unit as the hub in a hub-and-spoke network.

If the VPN peer is one of the sp
...l Configuration 23
Factory default content profiles 25
Planning the FortiGate Configuration 27
NAT/Route mode 27
Transparent mode 28
Configuration options 28
FortiGate model maximum values matrix 30
Next steps 31
NAT/Route mode installation 33
Installing the FortiGate unit using the default configuration 33
Changing the default configuration 34
Preparing to configure NAT/Route mode 34
Advanced NAT/Route mode settings 35
Using the setup wizard 35
Starting the setup wizard 35
Reconnecting t
...l Number: FGT 602803030020

Support Type | Hours | Activation Date | Expiration Date
Hardware Coverage | | 5/12/2003 | 5/11/2004
Firmware Updates | | 5/12/2003 | 8/10/2003
Telephone Support | | 5/12/2003 | 8/10/2003
Virus Definitions Updates | | 5/12/2003 | 8/10/2003
Attack Definitions Updates | | 5/12/2003 | 8/10/2003

Serial Number: FGT1002801021024

Support Type | Hours | Activation Date | Expiration Date
Hardware Coverage | | 5/7/2003 | 5/6/2004
Firmware Updates | | 5/7/2003 | 8/5/2003
Telephone Support | | 5/7/2003 | 8/5/2003
Virus Definitions Updates | | 5/7/2003 | 8/5/2003
Attack Definitions Updates | | 5/7/2003 | 8/5/2003

Registering a new FortiGate unit
To register a new FortiGate unit
1 Go to System > Update > Support.
2 Select Support Login.
3 Enter your Fortinet support user name and password.
4 Select Login.
5 Select Add Registration.
6 Select the model number of the product model that you want to register.
7 Enter the serial number of the FortiGate unit.
8 If you have purchased a FortiCare Support Contract for this FortiGate unit, enter the support contract number.
9 Select Finish.
The list of FortiGate products that you have registered is displayed. The list now includes the new FortiGate unit.

Adding or changing a FortiCare Support Contract number
To add or change a FortiCare Support Contract number
1 Go to System > Update > Support.
2 Select Support Login.
3 Enter your Fortinet support user name and password.
4 Select Login.
...l characters and _ (underscore). Other special characters and spaces are not allowed.
4 Select the virtual IP External Interface from the list. The external interface is the interface connected to the source network that receives the packets to be forwarded to the destination network. You can set the virtual IP external interface to any FortiGate interface. Table 19 contains example virtual IP external interface settings and describes the policies that you can add the resulting virtual IP to.

Table 19: Virtual IP External Interface examples
External Interface | Description
internal | To map an internal address to an external address. If you select internal, the static NAT virtual IP can be added to Int > Ext policies.
external | To map an external address to an internal address. If you select external, the static NAT virtual IP can be added to Ext > Int policies.

5 In the Type section, select Static NAT.
6 Enter the External IP Address that you want to map to an address on the destination network. For example, if the virtual IP provides access from the Internet to a web server on a destination network, the external IP address must be a static IP address obtained from your ISP for your web server. This address must be a unique address that is not used by another host and cannot be the same as the IP address of the external interface selected in step 4. However, this address must be routed to this interface. The virtual IP address and the
...l destination.

Default routes and static routes
To create a route to a destination, you need to define an IP prefix, which consists of an IP network address and a corresponding netmask value. A default route matches any prefix and forwards traffic to the next hop router, otherwise known as the default gateway. A static route matches a more specific prefix and forwards traffic to the next hop router.

Default route example
IP Prefix: 0.0.0.0 (IP address), 0.0.0.0 (Netmask)
Next Hop: 192.168.1.2

Static route example
IP Prefix: 172.100.100.0 (IP address), 255.255.255.0 (Netmask)
Next Hop: 192.168.1.2

Note: When adding routes to the FortiGate unit, add the default route last so that it appears on the bottom of the route list. This ensures that the unit will attempt to match more specific routes before selecting the default route.

Example default route to an external network
Figure 7 shows a FortiGate unit where all destinations, including the management computer, are located on the external network. To reach these destinations, the FortiGate unit must connect to the upstream router leading to the external network. To facilitate this connection, you must enter a single default route that points to the upstream router as the next hop default gateway.

Figure 7: Default route to an external network (network diagram; visible label: FortiResponse Distributi
(Table 18 row, continued) ...l is a common distance vector routing protocol | udp 520
SMTP | For sending mail between email servers on the Internet | tcp 25
SNMP | Simple Network Management Protocol is a protocol for managing complex networks | tcp 161-162, udp 161-162
SSH | SSH service for secure connections to computers for remote management | tcp 22, udp 22
SYSLOG | Syslog service for remote logging | udp 514
TALK | A protocol supporting conversations between | udp 517-518

Table 18: FortiGate predefined services (Continued)
Service name | Description | Protocol | Port
TCP | All TCP ports | tcp | 0-65535
TELNET | Telnet service for connecting to a remote computer to run commands | tcp | 23
TFTP | Trivial file transfer protocol, a simple file transfer protocol similar to FTP but with no security features | udp | 69
UDP | All UDP ports | udp | 0-65535
UUCP | Unix to Unix copy utility, a simple file copying protocol | udp | 540
VDOLIVE | For VDO Live streaming multimedia traffic | tcp | 7000-7010
WAIS | Wide Area Information Server, an Internet search protocol | tcp | 210
WINFRAME | For WinFrame communications between computers running Windows NT | tcp | 1494
X-WINDOWS | For remote communications between an X Window server and X Window clients | tcp | 6000-6063

Adding custom TCP and UDP services
Add a custom TCP or UDP service if you need to create a policy fo
...l is used by the firewall. This section describes:
• Adding an IP pool
• IP Pools for firewall policies that use fixed ports
• IP pools and dynamic NAT

Adding an IP pool
To add an IP pool
1 Go to Firewall > IP Pool.
2 Select the interface to which to add the IP pool.
3 Select New to add a new IP pool to the selected interface.
4 Enter the Start IP and End IP addresses for the range of addresses in the IP pool. The start IP and end IP must define the start and end of an address range. The start IP must be lower than the end IP. The start IP and end IP must be on the same subnet as the IP address of the interface to which you are adding the IP pool.
5 Select OK to save the IP pool.

Figure 14: Adding an IP Pool (interface: Internal; New Dynamic IP Pool; Start IP: 192.168.1.10; End IP: 192.168.1.20)

IP Pools for firewall policies that use fixed ports
Some network configurations do not operate correctly if a NAT policy translates the source port of packets used by the connection. NAT translates source ports to keep track of connections for a particular service. You can select fixed port for NAT policies to prevent source port translation. However, selecting fixed port means that only one connection can be supported through the firewall for this service. To be able to support multiple connections, you can add an IP pool to t
...lacement message list and add and edit the replacement message sections as required.

To customize a replacement message
1 Go to System > Config > Replacement Messages.
2 For the replacement message that you want to customize, select Modify.
3 In the Message setup dialog box, edit the content of the message. Table 16 lists the replacement message sections that can be added to replacement messages and describes the tags that can appear in each section. In addition to the allowed tags, you can add text. For mail and HTTP messages, you can also add HTML code.
4 Select OK to save the changes.

Table 16: Replacement message sections

File blocking: Used for file blocking (all services)
Section Start: <BLOCKED>
Allowed Tags: FILE (the name of the file that was blocked); URL (the URL of the blocked web page)
Section End: </BLOCKED>

Scanning: Used for virus scanning (all services)
Section Start: <INFECTED>
Allowed Tags: FILE (the name of the file that was infected); VIRUS (the name of the virus infecting the file); URL (the URL of the blocked web page or file)
Section End: </INFECTED>

Quarantine: Used when quarantine is enabled; permitted for all scan services and block services for email only
Section Start: <QUARANTI
Customer service and technical support
For antivirus and attack definition updates, firmware updates, updated product documentation, technical support information and other resources, please visit the Fortinet technical support web site at http://support.fortinet.com.

You can also register FortiGate Antivirus Firewalls from http://support.fortinet.com and modify your registration information at any time.

Fortinet email support is available from the following addresses:
amer_support@fortinet.com: For customers in the United States, Canada, Mexico, Latin America and South America
apac_support@fortinet.com: For customers in Japan, Korea, China, Hong Kong, Singapore, Malaysia, all other Asian countries and Australia
eu_support@fortinet.com: For customers in the United Kingdom, Scandinavia, Mainland Europe, Africa and the Middle East

For information on Fortinet telephone support, see http://support.fortinet.com.

When requesting technical support, please provide the following information:
• Your name
• Company name
• Location
• Email address
• Telephone number
• FortiGate unit serial number
• FortiGate model
• FortiGate FortiOS firmware version
• Detailed description of the problem

Getting started
This chapter describes unpacking, setting up and powering on a FortiGate Antivirus Firewall unit. When you have com
...lay the members of a signature group. The Signature Group Members list displays the attack ID, Rule Name and Revision number for each group member.

Viewing attack descriptions
Fortinet provides online information for all NIDS attacks. You can view the FortiResponse Attack Analysis web page for an attack listed on the signature list.

To view attack descriptions
1 Go to NIDS > Detection > Signature List.
2 Select View Details to display the members of a signature group.
3 Select a signature and copy its attack ID.
4 Open a web browser and enter the following URL: http://www.fortinet.com/ids/ID<attack ID>
Make sure that you include the attack ID. For example, to view the Fortinet Attack Analysis web page for the ssh CRC32 overflow /bin/sh attack (ID 101646338), use the following URL: http://www.fortinet.com/ids/ID101646338

Note: Each attack log message includes a URL that links directly to the FortiResponse Attack Analysis web page for that attack. This URL is available in the Attack Log messages and Alert email messages. For information about log message content and formats and about log locations, see the FortiGate Logging and Message Reference Guide. For information about logging attack messages, see "Logging attacks" on page 222.

Figure 32: Example signature group members list
...le
Use the strict content profile to apply maximum content protection to HTTP, FTP, IMAP, POP3 and SMTP content traffic. You do not need to use the strict content profile under normal circumstances, but it is available if you have extreme problems with viruses and require maximum content screening protection.

Table 6: Strict content profile (X = option selected)
Options | HTTP | FTP | IMAP | POP3 | SMTP
Antivirus Scan | X | X | X | X | X
File Block | X | X | X | X | X
Web URL Block | X | | | |
Web Content Block | X | | | |
Web Script Filter | X | | | |
Web Exempt List | X | | | |
Email Block List | | | X | X |
Email Exempt List | | | X | X |
Email Content Block | | | X | X |
Oversized File/Email | block | block | block | block | block
Pass Fragmented Emails | | | - | - | -

Scan content profile
Use the scan content profile to apply antivirus scanning to HTTP, FTP, IMAP, POP3 and SMTP content traffic.

Table 7: Scan content profile (X = option selected)
Options | HTTP | FTP | IMAP | POP3 | SMTP
Antivirus Scan | X | X | X | X | X
File Block | - | - | - | - | -
Web URL Block | - | | | |
Web Content Block | - | | | |
Web Script Filter | - | | | |
Web Exempt List | - | | | |
Email Block List | | | - | - |
Email Exempt List | | | - | - |
Email Content Block | | | - | - |
Oversized File/Email | pass | pass | pass | pass | pass
Pass Fragmented Emails | | | - | - | -

Web content profile
Use the web content profile to apply an
...le on the management computer.

To download a Web URL block list
1 Go to Web Filter > Web URL Block.
2 Select Download URL Block List.
The FortiGate unit downloads the list to a text file on the management computer. You can specify a location to which to download the text file as well as a name for the text file.

Uploading a URL block list
You can create a URL block list in a text editor and then upload the text file to the FortiGate unit. Add one URL or pattern to each line of the text file. You can follow the item with a space and then a 1 to enable or a zero (0) to disable the URL. If you do not add this information to the text file, the FortiGate unit automatically enables all URLs and patterns that are followed by a 1 or no number when you upload the text file.

Figure 38: Example URL block list text file
www.badsite.com/index 1
www.badsite.com/products 1
182.63.44.67/index 1

You can either create the URL block list or add a URL list created by a third-party URL block or blacklist service. For example, you can download the squidGuard blacklists available at http://www.squidguard.org/blacklist as a starting point for creating a URL block list. Three times per week the squidGuard robot searches the web for new URLs to add to the blacklists. You can upload the squidGuard blacklists to the FortiGate unit as a text file with only minimal editing to remove
...lect Refresh to make sure that push updates work. Push Update changes to Available.

Registering FortiGate units
After purchasing and installing a new FortiGate unit, you can register the unit using the web-based manager by going to the System > Update > Support page, or by using a web browser to connect to http://support.fortinet.com and selecting Product Registration.

Registration consists of entering your contact information and the serial numbers of the FortiGate units that you or your organization purchased. You can register multiple FortiGate units in a single session without re-entering your contact information. Once registration is completed, Fortinet sends a Support Login user name and password to your email address. You can use this user name and password to log on to the Fortinet support web site to:
• View your list of registered FortiGate units
• Register additional FortiGate units
• Add or change FortiCare Support Contract numbers for each FortiGate unit
• View and change registration information
• Download virus and attack definitions updates
• Download firmware upgrades
• Modify registration information after an RMA
Soon you will also be able to:
• Access Fortinet user documentation
• Access the Fortinet knowledge base

All registration information is stored in the Fortinet Customer
...licies to apply antivirus protection, web content filtering and email filtering to HTTP, FTP and email content passing through the FortiGate unit.

Volume 2, FortiGate VPN Guide: Contains in-depth information about FortiGate IPSec VPN using certificates, pre-shared keys and manual keys for encryption. Also contains basic configuration information for the Fortinet Remote VPN Client, detailed configuration information for FortiGate PPTP and L2TP VPN, and VPN configuration examples.

Volume 3, FortiGate Content Protection Guide: Describes how to configure antivirus protection, web content filtering and email filtering to protect content as it passes through the FortiGate unit.

Volume 4, FortiGate NIDS Guide: Describes how to configure the FortiGate NIDS to detect and protect the FortiGate unit from network-based attacks.

Volume 5, FortiGate Logging and Message Reference Guide: Describes how to configure FortiGate logging and alert email. Also contains the FortiGate log message reference.

Volume 6, FortiGate CLI Reference Guide: Describes the FortiGate CLI and contains a reference to all FortiGate CLI commands.

The FortiGate online help also contains procedures for using the FortiGate web-based manager to configure and manage your FortiGate unit.

Comments on Fortinet technical documentation
You can send information about errors or omissions in this document or any Fortinet technical documentation to techdoc@fortinet.com.
233. licy service ANY means that this policy processes connections for all services. Action: ACCEPT. The policy action ACCEPT means that the policy allows connections. NAT: NAT is selected for the NAT/Route mode default policy so that the policy applies network address translation to the traffic processed by the policy. NAT is not available for Transparent mode policies. Traffic Shaping: Traffic shaping is not selected. The policy does not apply traffic shaping to the traffic controlled by the policy. You can select this option to control the maximum or minimum amount of bandwidth available to traffic processed by the policy. Authentication: Authentication is not selected. Users do not have to authenticate with the firewall before connecting to their destination address. You can configure user groups and select this option to require users to authenticate with the firewall before they can connect through the firewall. Antivirus & Web Filter: Antivirus & Web Filter is selected. Content Profile: Scan. The scan content profile is selected. The policy scans all HTTP, FTP, SMTP, POP3, and IMAP traffic for viruses. See Scan content profile on page 26 for more information about the scan content profile. You can select one of the other content profiles to apply different levels of content protection to traffic processed by this policy. Log Traffic: Log Traffic is not
234. ll words are enabled by default. Optionally, you can enter a space and a 1 after the word to enable it, and another space and a number to indicate the language: 0 Western, 1 Chinese Simplified, 2 Chinese Traditional, 3 Japanese, 4 Korean. If you do not add this information to all items in the text file, the FortiGate unit automatically enables all banned words and phrases that are followed with a 1 or no number in the Western language when you upload the text file. Figure 42: Example Western email banned word list text file (lines: banned 1 0 / banned phrase1 1 0 / banned phrase 2 1 0). To upload the banned word list: 1 Go to Email Filter > Content Block. 2 Select Upload. 3 Type the path and filename of the banned word list text file, or select Browse and locate the file. 4 Select OK to upload the banned word list text file. 5 Select Return to display the banned word list. (p. 247) Email block list (p. 248). You can configure the FortiGate unit to tag all IMAP and POP3 protocol traffic sent from unwanted email addresses. When the FortiGate unit detects an email sent from an unwanted address pattern, the FortiGate unit adds a tag to the subject line of the email and writes a message to the email filter log. Receivers can then use their mail client software to filter messages based on the subject tag. You can tag email from a specific sender address or
235. lock list: 1 Go to Web Filter > URL Block > Web Pattern Block. 2 Select New to add an item to the Web pattern block list. 3 Type the web pattern that you want to block. You can use standard regular expressions for web patterns. Note: URL blocking does not block access to other services that users can access with a web browser. For example, URL blocking does not block access to ftp://ftp.badsite.com. Instead, you can use firewall policies to deny FTP connections. (p. 237) 4 Select Enable to block the pattern. 5 Select OK to add the pattern to the Web pattern block list. Note: You must select the Web URL Block option in the content profile to enable URL blocking. Configuring Cerberian URL filtering (p. 238). The FortiGate unit supports Cerberian URL filtering. For information about Cerberian URL filtering, see www.cerberian.com. If you have purchased the Cerberian web filtering functionality with your FortiGate unit, use the following configuration procedures to configure FortiGate support for Cerberian web filtering: • Installing a Cerberian license key • Adding a Cerberian user • Configuring Cerberian web filter • Enabling Cerberian URL filtering. Installing a Cerberian license key. Before you can use the Cerberian web filter, you must install a license key. The license key determines the number of end us
236. lt authentication timeout is 15 minutes. Adding user names and configuring authentication. Use the following procedures to add user names and configure authentication. This section describes: • Adding user names and configuring authentication • Deleting user names from the internal database. Adding user names and configuring authentication (p. 172). To add a user name and configure authentication: 1 Go to User > Local. 2 Select New to add a new user name. 3 Type the User Name. The user name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed. 4 Select one of the following authentication configurations: Disable: Prevent this user from authenticating. Password: Enter the password that this user must use to authenticate. The password should be at least six characters long. The password can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed. Fortinet Inc. LDAP: Require the user to authenticate to an LDAP server. Select the name of the LDAP server to which the user must authenticate. You can only select an LDAP server that has been added to the FortiGate LDAP configuration. See Configuring LDAP support on page 175. Radius: Require the user to authenticate t
237. lt route to an external network ... 47; Example static route to an external destination ... 48; Example static route to an internal destination ... 51; System status ... 53; Changing the FortiGate host name ... 54; Changing the FortiGate firmware ... 54; Upgrading to a new firmware version ... 55; Reverting to a previous firmware version ... 56; Installing firmware images from a system reboot using the CLI ... 59; Testing a new firmware image before installing it ... 61; Manual virus definition updates ... 63; Manual attack definition updates ... 63; Displaying the FortiGate serial number ... 64; Displaying the FortiGate up time ... 64; Backing up system settings ...
238. m an ethernet interface to the modem, you must select the name of the interface in the modem configuration and configure a ping server for that interface. You must also configure firewall policies for connections between the modem interface and other FortiGate interfaces. Note: Do not add policies for connections between the modem interface and the interface that the modem is backing up. To configure backup mode: 1 Go to System > Network > Modem. 2 From the Redundant for list, select the ethernet interface that you want the modem to back up. 3 Configure other modem settings as required. See Configuring modem settings on page 108. 4 Configure a ping server for the ethernet interface selected in step 2. See Adding a ping server to an interface on page 97. 5 Configure firewall policies for connections to the modem interface. See Adding firewall policies for modem connections on page 111. Standalone mode configuration. In standalone mode, you manually connect the modem to a dialup account. The modem interface operates as the primary connection to the Internet. The FortiGate unit routes traffic through the modem interface, which remains permanently connected to the dialup account. If the connection to the dialup account fails, the FortiGate unit redials the modem. The modem redials the number of times specified by the redial limit, or until it connects to
239. mage without saving: [D/R]? Type R. The FortiGate image is installed to system memory and the FortiGate unit starts running the new firmware image, but with its current configuration. You can log into the CLI or the web-based manager using any administrative account. To confirm that the new firmware image has been loaded, from the CLI enter get system status. You can test the new firmware image as required. Manual virus definition updates. The Status page of the FortiGate web-based manager displays the current installed versions of the FortiGate antivirus definitions. Note: For information about configuring the FortiGate unit for automatic antivirus definitions updates, see Virus and attack definitions updates and registration on page 73. You can also manually start an antivirus definitions update by going to System > Update and selecting Update Now. To update the antivirus definitions manually: 1 Download the latest antivirus definitions update file from Fortinet and copy it to the computer that you use to connect to the web-based manager. 2 Start the web-based manager and go to System > Status. 3 In the Antivirus Definitions Version section, select Definitions Update. 4 Type the path and filename for the antivirus definitions update file, or select Browse and locate the antivirus definitions update file. 5 Select OK to copy the antivirus definitions upd
240. management ip 192.168.1.1 255.255.255.0. 3 Add the static route to the primary FortiResponse server: set system route number 1 dst 24.102.233.5 255.255.255.0 gw1 192.168.1.2. 4 Add the default route to the external network: set system route number 2 gw1 192.168.1.2. (p. 50) Example static route to an internal destination. Figure 9 shows a FortiGate unit where the FDN is located on an external subnet and the management computer is located on a remote internal subnet. To reach the FDN, you need to enter a single default route that points to the upstream router as the next hop default gateway. To reach the management computer, you need to enter a single static route that leads directly to it. This route will point to the internal router as the next hop. No route is required for the DNS servers because they are on the same layer 3 subnet as the FortiGate unit. Figure 9: Static route to an internal destination (FortiResponse Distribution Network (FDN); Internet; Upstream Router, Gateway IP 192.168.1.2; DNS; DMZ; Internal Network A; Internal Router, Gateway IP 192.168.1.3; Internal Network B; Management Computer 172.16.1.11). General configuration steps: 1 Set the unit to operate in Transparent mode. 2 Configure the Management IP address and Netmask of the FortiGate unit. 3 Configure the static route to the management computer on t
241. manager. If you want the administrator to be able to access the FortiGate unit from any address, set the trusted host to 0.0.0.0 and the netmask to 0.0.0.0. To limit the administrator to only access the FortiGate unit from a specific network, set the trusted host to the address of the network and set the netmask to the netmask for the network. For example, to limit an administrator to accessing the FortiGate unit from your internal network, set the trusted host to the address of your internal network (for example, 192.168.1.0) and set the netmask to 255.255.255.0. Set the Permission level for the administrator. Select OK to add the administrator account. Editing administrator accounts. The admin account user can change individual administrator account passwords, configure the IP addresses from which administrators can access the web-based manager, and change the administrator permission levels. Administrator account users with Read & Write access can change their own administrator passwords. To edit an administrator account: 1 Go to System > Config > Admin. 2 To change an administrator account password, select Change Password. 3 Type the Old Password. 4 Type and confirm a new password. For improved security, the password should be at least 6 characters long. The password can contain any characters except spaces. If you enter a password that is less than 6 char
242. me of the RIP filter list to assign to the incoming filter. Select Apply. Assigning a RIP filter list to the outgoing filter. The outgoing filter allows or denies adding routes to outgoing RIP update packets. You can assign a single RIP filter list to the outgoing filter. To assign a RIP filter list to the outgoing filter: 1 Go to System > RIP > Filter. 2 Add RIP filter lists as required. 3 For Outgoing Routes Filter, select the name of the RIP filter list to assign to the outgoing filter. 4 Select Apply. (pp. 119-120) System configuration. Use the System Config page to make any of the following changes to the FortiGate system configuration: • Setting system date and time • Changing system options • Adding and editing administrator accounts • Configuring SNMP • Replacement messages. Setting system date and time. For effective scheduling and logging, the FortiGate system time must be accurate. You can either manually set the FortiGate system time, or you can configure the FortiGate unit to automatically keep its system time correct by synchronizing with a Network Time Protocol (NTP) server. To set the date and time: 1 Go to System > Config > Time. 2 Select Refresh to display the current FortiGate system date and time. 3 Select your Time Zone from the list.
243. meout • Set the authentication timeout • Select the language for the web-based manager • Modify the dead gateway detection settings. To set the system idle timeout: 1 Go to System > Config > Options. 2 For Idle Timeout, type a number in minutes. 3 Select Apply. Idle Timeout controls the amount of inactive time that the web-based manager waits before requiring the administrator to log in again. The default idle timeout is 5 minutes. The maximum idle timeout is 480 minutes (8 hours). To set the Auth timeout: 1 Go to System > Config > Options. 2 For Auth Timeout, type a number in minutes. 3 Select Apply. Auth Timeout controls the amount of inactive time that the firewall waits before requiring users to authenticate again. For more information, see Users and authentication on page 171. The default Auth Timeout is 15 minutes. The maximum Auth Timeout is 480 minutes (8 hours). To select a language for the web-based manager: 1 Go to System > Config > Options. 2 From the Languages list, select a language for the web-based manager to use. 3 Select Apply. You can choose English, Simplified Chinese, Japanese, Korean, or Traditional Chinese. Note: When the web-based manager language is set to use Simplified Chinese, Japanese, Korean, or Traditional Chinese, you can change to English by selecting the English button on the u
244. n. The FortiGate 50A unit can be installed on any stable surface. Make sure that the appliance has at least 1.5 in (3.75 cm) of clearance on each side to allow for adequate air flow and cooling. Dimensions: 8.63 x 6.13 x 1.38 in (21.9 x 15.6 x 3.5 cm). Weight: 1.5 lb (0.68 kg). Power requirements: • DC input voltage: 5 V • DC input current: 3 A. Powering on. Environmental specifications: • Operating temperature: 32 to 104 F (0 to 40 C) • Storage temperature: -13 to 158 F (-25 to 70 C) • Humidity: 5 to 95% non-condensing. To power on the FortiGate 50A unit: 1 Connect the AC adapter to the power connection at the back of the FortiGate 50A unit. 2 Connect the AC adapter to a power outlet. The FortiGate 50A starts up. The Power and Status lights light. The Status light flashes while the unit is starting up and turns off when the system is up and running. Table 1: FortiGate 50A LED indicators. Power: Green, the FortiGate unit is powered on; Off, the FortiGate unit is powered off. Status: Green, the FortiGate unit is starting; Off, the FortiGate unit is operating normally. Link (Internal, External): Green, the correct cable is in use and the connected equipment has power; Flashing Green, network activity at this interface; Off, no link established. 100 (Internal, External): Green, the interface is connected at 100 Mbps. Connecting to the web-based
245. n and Configuration Guide 149. Services (p. 150). Table 18: FortiGate predefined services (continued). Columns: Service name, Description, Protocol, Port. GRE: Generic Routing Encapsulation. A protocol that allows an arbitrary network protocol to be transmitted over any other arbitrary network protocol by encapsulating the packets of the protocol within GRE packets. Protocol 47. AH: Authentication Header. AH provides source host authentication and data integrity, but not secrecy. This protocol is used for authentication by IPSec remote gateways set to aggressive mode. Protocol 51. ESP: Encapsulating Security Payload. This service is used by manual key and AutoIKE VPN tunnels for communicating encrypted data. AutoIKE key VPN tunnels use ESP after establishing the tunnel using IKE. Protocol 50. AOL: AOL instant messenger protocol. tcp 5190-5194. BGP: Border Gateway Protocol routing protocol. BGP is an interior/exterior routing protocol. tcp 179. DHCP Relay: Dynamic Host Configuration Protocol (DHCP) allocates network addresses and delivers configuration parameters from DHCP servers to hosts. udp 67. DNS: Domain name service for translating domain names into IP addresses. tcp 53, udp 53. FINGER: A network service that provides information about users. tcp 79. FTP: FTP service for transferring files. tcp 21. GOPHER: Gopher communi
246. n contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed. Specify the ICMP type and code for the service. Select OK to add the custom service. You can now add this custom service to a policy. Adding custom IP services. Add a custom IP service if you need to create a policy for a service that is not in the predefined service list. To add a custom IP service: 1 Go to Firewall > Service > Custom. 2 Select IP from the Protocol list. 3 Select New. 4 Type a Name for the new custom IP service. This name appears in the service list used when you add a policy. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed. 5 Specify the IP protocol number for the service. 6 Select OK to add the custom service. You can now add this custom service to a policy. Grouping services. To make it easier to add policies, you can create groups of services and then add one policy to provide or block access for all the services in the group. A service group can contain predefined services and custom services in any combination. You cannot add service groups to another service group. To group services: 1 Go to Firewall > Service > Group. 2 Select New. (p. 153) Schedules 1
247. ... 175; Deleting LDAP servers ... 176; Configuring user groups ... 177; Adding user groups ... 177; Deleting user groups ... 178; IPSec VPN ... 179; Key management ... 180; Manual keys ... 180; Automatic Internet Key Exchange (AutoIKE) with pre-shared keys or certificates ... 180; Manual key IPSec VPNs ... 181; General configuration steps for a manual key VPN ... 181; Adding a manual key VPN tunnel ... 181; (p. 8) AutoIKE IPSec VPNs ... 182; General configuration steps for an AutoIKE VPN ... 183; Adding a phase 1 configuration for an AutoIKE VPN ... 183; Adding a phase 2 configuration for an AutoIKE VPN ... 188; Managing
248. nal network: set system route number 2 gw1 192.168.1.2. System status. You can connect to the web-based manager and view the current system status of the FortiGate unit. The status information that is displayed includes the current firmware version, the current virus and attack definitions, and the FortiGate unit serial number. If you log into the web-based manager using the admin administrator account, you can make any of the following changes to the FortiGate system settings: • Changing the FortiGate host name • Changing the FortiGate firmware • Manual virus definition updates • Manual attack definition updates • Backing up system settings • Restoring system settings • Restoring system settings to factory defaults • Changing to Transparent mode • Changing to NAT/Route mode • Restarting the FortiGate unit • Shutting down the FortiGate unit. If you log into the web-based manager with another administrator account, you can view the system settings, including: • Displaying the FortiGate serial number • Displaying the FortiGate up time. All administrative users can also go to the Monitor page and view FortiGate system status. System status displays FortiGate system health monitoring information, including CPU and memory status, session and network status: • System status. All administrative users can also go to the Session page and view the active communication sessions to and through the FortiGate
249. nal or LAN connection of your DSL or cable modem. Configuring your networks. If you are operating the FortiGate unit in NAT/Route mode, your internal network must be configured to route all Internet traffic to the FortiGate internal interface. Change the default gateway address of all computers and routers connected directly to your internal network to the IP address of the FortiGate internal interface. For the external network, route all packets to the FortiGate external interface. If you are using the FortiGate unit as the DHCP server for your internal network, configure the computers on your internal network for DHCP. Make sure that the connected FortiGate unit is functioning properly by connecting to the Internet from a computer on your internal network. You should be able to connect to any Internet address. Completing the configuration. Use the information in this section to complete the initial configuration of the FortiGate unit. Setting the date and time. For effective scheduling and logging, the FortiGate system date and time should be accurate. You can either manually set the system date and time, or you can configure the FortiGate unit to automatically keep its time correct by synchronizing with a Network Time Protocol (NTP) server. To set the FortiGate system date and time, see Setting system date and time on page 121. Changing antivirus protection (p. 38). By default, the FortiGate unit scans all web and email content
250. nced to configure advanced settings. 6 Select Settings. 7 Select Challenge Handshake Authentication Protocol (CHAP). 8 Make sure that none of the other settings are selected. 9 Select the Networking tab. 10 Make sure that the following options are selected: • TCP/IP • QoS Packet Scheduler. 11 Make sure that the following options are not selected: • File and Printer Sharing for Microsoft Networks • Client for Microsoft Networks. 12 Select OK. To connect to the PPTP VPN: 1 Connect to your ISP. 2 Start the VPN connection that you configured in the previous procedure. 3 Enter your PPTP VPN User Name and Password. 4 Select Connect. 5 In the connect window, enter the User Name and Password that you use for your dialup network connection. This user name and password is not the same as your VPN user name and password. (p. 208) Configuring L2TP. Some implementations of L2TP support elements of IPSec. These elements must be disabled when L2TP is used with a FortiGate unit. Note: L2TP VPNs are only supported in NAT/Route mode. This section describes: • Configuring the FortiGate unit as an L2TP gateway • Configuring a Windows 2000 client for L2TP • Configuring a Windows XP client for L2TP. Configuring the FortiGate unit as an L2TP gateway. Use the following procedures to configure the FortiGate unit as an L2TP gateway. To add users and user groups: Add a user for
251. nd Configuration Guide 175. Enter the distinguished name used to look up entries on the LDAP server. Enter the base distinguished name for the server using the correct X.500 or LDAP format. The FortiGate unit passes this distinguished name unchanged to the server. For example, you could use the following base distinguished name: ou=marketing,dc=fortinet,dc=com, where ou is organization unit and dc is domain component. You can also specify multiple instances of the same field in the distinguished name, for example, to specify multiple organization units: ou=accounts,ou=marketing,dc=fortinet,dc=com. Select OK. Figure 19: Example LDAP configuration (New LDAP Server: Name LDAP_1; Server Name/IP; Server Port 389; Common Name Identifier; Distinguished Name ou=marketing,dc=fortinet,dc=com). Deleting LDAP servers (p. 176). You cannot delete an LDAP server that has been added to a user group. To delete an LDAP server: 1 Go to User > LDAP. 2 Select Delete beside the LDAP server name that you want to delete. 3 Select OK. Configuring user groups. To enable authentication, you must add user names, RADIUS servers, and LDAP servers to one or more user groups. You can then select a user group when you require authentication. You can select a user group to configure au
252. nd L2TP VPN. You can use PPTP and L2TP to create a virtual private network (VPN) between a remote client computer that is running Windows and your internal network. Because PPTP and L2TP are supported by Windows, you do not require third-party software on the client computer. Provided your ISP supports PPTP and L2TP connections, you can create a secure connection by making some configuration changes to the client computer and the FortiGate unit. This chapter provides an overview of how to configure FortiGate PPTP and L2TP VPN. For a complete description of FortiGate PPTP and L2TP, see the FortiGate VPN Guide. This chapter describes: • Configuring PPTP • Configuring L2TP. Configuring PPTP. Point-to-Point protocol (PPTP) packages data within PPP packets and then encapsulates the PPP packets within IP packets for transmission through a VPN tunnel. Note: PPTP VPNs are supported only in NAT/Route mode. This section describes: • Configuring the FortiGate unit as a PPTP gateway • Configuring a Windows 98 client for PPTP • Configuring a Windows 2000 client for PPTP • Configuring a Windows XP client for PPTP. Configuring the FortiGate unit as a PPTP gateway. Use the following procedures to configure the FortiGate unit as a PPTP gateway. To add users and user groups: Add a user for each PPTP client. 1 Go to User > Local. (p. 203) 2 Add and configur
253. nd current virus and attack definitions versions. fnSysNetwork: FortiGate system network configuration, including the interface, VLAN, routing, DHCP, zone, and DNS configuration. fnSysConfig: FortiGate system configuration, including time, options, administrative users, and HA configuration. fnSysSnmp: FortiGate SNMP configuration. Firewall configuration. Table 9: Firewall MIB fields (MIB field: Description). fnFirewallPolicy: FortiGate firewall policy list, including complete configuration information for each policy. fnFirewallAddress: FortiGate firewall address and address group list. fnFirewallService: FortiGate firewall service and service group list. fnFirewallSchedule: FortiGate firewall schedule list. fnFirewallVirtualIP: FortiGate firewall virtual IP list. fnFirewallIpPool: FortiGate firewall IP pool list. fnFirewallIPMACBinding: FortiGate firewall IP/MAC binding configuration. fnFirewallContProfiles: FortiGate firewall content profile list. Users and authentication configuration. Table 10: User and authentication MIB fields. FnUserLocalTable: Local user list. FnUserRadiusSrvTable: RADIUS server list. FnUserGrpTable: User group list. (p. 131) Configuring SNMP (p. 132). VPN configuration and status. Table 11: VPN MIB fields
254. nect to the firewall if IP/MAC binding is set to Allow traffic • is blocked if IP/MAC binding is set to Block traffic. (p. 164) Adding IP/MAC addresses. To add an IP/MAC address: 1 Go to Firewall > IP/MAC Binding > Static IP/MAC. 2 Select New to add an IP address/MAC address pair. 3 Enter the IP Address and the MAC Address. You can bind multiple IP addresses to the same MAC address. You cannot bind multiple MAC addresses to the same IP address. However, you can set the IP address to 0.0.0.0 for multiple MAC addresses. This means that all packets with these MAC addresses are matched with the IP/MAC binding list. Similarly, you can set the MAC address to 00:00:00:00:00:00 for multiple IP addresses. This means that all packets with these IP addresses are matched with the IP/MAC binding list. 4 Type a Name for the new IP/MAC address pair. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed. 5 Select the Enable check box to enable IP/MAC binding for the IP/MAC pair. 6 Select OK to save the IP/MAC binding pair. Viewing the dynamic IP/MAC list. To view the dynamic IP/MAC list: 1 Go to Firewall > IP/MAC Binding > Dynamic IP/MAC. Enabling IP/MAC binding. Caution: Make sure that you have added the IP/MAC Address pair of your management computer before enabli
255. net connections to the CLI through this interface. Telnet connections are not secure and can be intercepted by a third party. 5 Select Log for each interface that you want to record log messages whenever a firewall policy accepts a connection to this interface. 6 Select Apply to save the changes. (p. 99) Adding DNS server IP addresses. Several FortiGate functions, including sending email alerts and URL blocking, use DNS. Use the following procedure to add the IP addresses of the DNS servers that your FortiGate unit can connect to. DNS server IP addresses are usually supplied by your ISP. To add DNS server IP addresses: 1 Go to System > Network > DNS. 2 Change the primary and secondary DNS server IP addresses as required. 3 Select Apply to save the changes. Configuring routing (p. 100). This section describes how to configure FortiGate routing. You can configure routing to add static routes from the FortiGate unit to local routers. Using policy routing, you can increase the flexibility of FortiGate routing to support more advanced routing functions. You can also use routing to create a multiple Internet connection configuration that supports redundancy and load sharing between the two Internet connections. This section describes: • Adding a default route • Adding destination-based routes to the routing table • Adding routes in Transpa
256. network and a destination address on an external network. The source address identifies the addresses on the internal network that are part of the VPN. The destination address identifies the addresses on the remote network that are part of the VPN. Note: The destination address can be a VPN client address on the Internet or the address of a network behind a remote VPN gateway. (p. 193) Configuring encrypt policies (p. 194). In addition to defining membership in the VPN by address, you can configure the encrypt policy for services such as DNS, FTP, and POP3, and to allow connections according to a predefined schedule, by the time of the day or the day of the week, month, or year. You can also configure the encrypt policy for: • Inbound NAT to translate the source of incoming packets • Outbound NAT to translate the source address of outgoing packets • Traffic shaping to control the bandwidth available to the VPN and the priority of the VPN • Content profiles to apply antivirus protection, web filtering, and email filtering to web, file transfer, and email services in the VPN • Logging so that the FortiGate unit logs all connections that use the VPN. The policy must also include the VPN tunnel that you created to communicate with the remote FortiGate VPN gateway. When users on your internal network attempt to connect to the network behind the remote VPN gateway, the encrypt pol
new FortiGate unit 88
Adding or changing a FortiCare Support Contract number 88
Changing your Fortinet Support password 89
Changing your contact information or security question 89
Downloading virus and attack definitions updates 90
Registering a FortiGate unit after an RMA 91

Contents

Network configuration 93
Configuring interfaces 93
Viewing the interface list 94
Changing the administrative status of an interface 94
Configuring an interface with a manual IP address 94
Configuring an interface for DHCP 95
Configuring an interface for PPPoE 96
Ad
ng > Traffic Filter.
2. Select the settings that you want to apply to all traffic log messages.
   Resolve IP: Select Resolve IP if you want traffic log messages to list the IP address and the domain name stored on the DNS server. If the primary and secondary DNS server addresses provided to you by your ISP have not already been added, go to System > Network > DNS and add the addresses.
   Display: Select Port Number if you want traffic log messages to list the port number (for example, 80/tcp). Select Service Name if you want traffic log messages to list the name of the service (for example, TCP).
3. Select Apply.

Figure 45: Example traffic filter list
Settings shown: Resolve IP (selected), Type: Session / Packet, Display: Port Number / Service Name, Apply.

Name                  Source Address              Destination Address         Service
FTP_Main_Office       10.10.10.1/255.255.255.0    10.10.10.2/255.255.255.0    FTP
All_traffic           192.168.123.111/255.255.255.0  192.168.124.0/255.255.255.0  ANY
Email_Branch_to_Main  10.10.11.0/255.255.255.0    10.10.10.0/255.255.255.0    POP3

Adding traffic filter entries

Add entries to the traffic filter list to filter the messages that are recorded in the traffic log. If you do not add any entries to the traffic filter list, the FortiGate unit records all traffic log messages. You can add entries to the traffic filter list to limit the traffic logs
ng IP/MAC binding

To enable IP/MAC binding
1. Go to Firewall > IP/MAC Binding > Setting.
2. Select the Enable IP/MAC binding going through the firewall check box if you want to turn on IP/MAC binding for packets that could be matched by policies.
3. Select the Enable IP/MAC binding going to the firewall check box if you want to turn on IP/MAC binding for packets connecting to the firewall.
4. Configure how IP/MAC binding handles packets with IP and MAC addresses that are not defined in the IP/MAC list. Select Allow traffic to allow all packets with IP and MAC address pairs that are not added to the IP/MAC binding list. Select Block traffic to block packets with IP and MAC address pairs that are not added to the IP/MAC binding list.
5. Select Apply to save the changes.

Figure 15: IP/MAC settings (tabs: Setting, Static IP/MAC, Dynamic IP/MAC; check boxes: Enable IP/MAC binding going through the firewall, Enable IP/MAC binding going to the firewall; For hosts not defined in table: Allow traffic / Block traffic)

Content profiles

Use content profiles to apply different protection settings for content traffic that is controlled by firewall policies. You can use content profiles to:
- Configure antivirus protection for HTTP, FTP, POP3, SMTP and IMAP policies
- Configure web filtering for HTTP policies
- Configure email
ng RADIUS servers

Adding RADIUS servers

To add a RADIUS server
1. Go to User > RADIUS.
2. Select New to add a new RADIUS server.
3. Type the Name of the RADIUS server. You can type any name. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z) and the special characters - and _. Other special characters and spaces are not allowed.
4. Enter the Server Name or IP address of the RADIUS server.
5. Enter the RADIUS server secret.
6. Select OK.

Figure 18: Example RADIUS configuration (Name: Radius_1; Server Name/IP: 23.64.67.47; Server Secret: Secret_1)

Deleting RADIUS servers

You cannot delete a RADIUS server that has been added to a user group.

To delete a RADIUS server
1. Go to User > RADIUS.
2. Select Delete beside the RADIUS server name that you want to delete.
3. Select OK.

Fortinet Inc.

Users and authentication

Configuring LDAP support

If you have configured LDAP support and a user is required to authenticate using an LDAP server, the FortiGate unit contacts the LDAP server for authentication. To authenticate with the FortiGate unit, the user enters a user name and password. The FortiGate unit sends this user name and password to the LDAP server. If the LDAP server can authenticate the user, the user is successfully authenticated with the FortiGate unit. If the LDAP server cannot authenticate the user, the connection is refused by the FortiGate unit.
nies adding routes to outgoing RIP update packets.

Each entry in a RIP filter list consists of a prefix (IP address and netmask), the action RIP should take for this prefix (allow or deny), and the interface to which to apply this RIP filter list entry. When RIP applies a filter while processing an update packet, it starts at the top of the filter list and works down through the list looking for a matching prefix. If RIP finds a matching prefix, it then checks that the interface in the filter list entry matches the interface that the packet is received or sent on. If both prefix and interface match, RIP takes the action specified. If no match is found, the default action is allow.
- For the neighbors filter, RIP attempts to match prefixes in the filter list against the source address in the update packet.
- For the incoming filter, RIP attempts to match prefixes in the filter list against prefixes in the routing table entries in the update packet.
- For the outgoing filter, RIP attempts to match prefixes in the filter list against prefixes in the RIP routing table.

You can add up to four RIP filter lists to the FortiGate RIP configuration. You can then select one RIP filter list for each RIP filter type (neighbors, incoming routes, outgoing routes). If you do not select a RIP filter list for any of the RIP filter types, no filtering is applied.

Note: To block all updates not specifically allowed in a filter list, create an entry at the bottom
nnels and policies are configured, the peers are ready to communicate. As they do, IKE manages the exchange of certificates, sending signed digital certificates from one peer to another. The signed digital certificates are validated by the presence of the CA certificate at each end. With authentication complete, the IPSec tunnel is then established.

In some respects, certificates are simpler to manage than manual keys or pre-shared keys. For this reason, certificates are best suited to large network deployments.

IPSec VPN

Manual key IPSec VPNs

When using manual keys, complementary security parameters must be entered at both ends of the tunnel. In addition to encryption and authentication algorithms and keys, the security parameter index (SPI) is required. The SPI is an arbitrary value that defines the structure of the communication between the peers. With other methods, the SPI is generated automatically, but with the manual key configuration it must be entered as part of the VPN setup.

The encryption and authentication keys must match on the local and remote peers; that is, the SPI values must be mirror images of each other. After you enter these values, the VPN tunnel can start without a need for the authentication and encryption algorithms to be negotiated. Provided you entered correct complementary values, the tunnels are established between the peers. This means that the tunnel already exists between th
nning.
2. Copy the new firmware image file to the root directory of the TFTP server.
3. Log into the CLI as the admin administrative user.

Changing the FortiGate firmware

4. Make sure the FortiGate unit can connect to the TFTP server. You can use the following command to ping the computer running the TFTP server. For example, if the IP address of the TFTP server is 192.168.1.168, execute:
   ping 192.168.1.168
5. Enter the following command to copy the firmware image from the TFTP server to the FortiGate unit:
   execute restore image <name_str> <tftp_ip>
   Where <name_str> is the name of the firmware image file on the TFTP server and <tftp_ip> is the IP address of the TFTP server. For example, if the firmware image file name is FGT_300-v250-build045-FORTINET.out and the IP address of the TFTP server is 192.168.1.168, enter:
   execute restore image FGT_300-v250-build045-FORTINET.out 192.168.1.168
   The FortiGate unit uploads the firmware image file, upgrades to the new firmware version, and restarts. This process takes a few minutes.
6. Reconnect to the CLI.
7. To confirm that the new firmware image is successfully installed, enter:
   get system status
8. Use the procedure "Manually initiating antivirus and attack definitions updates" on page 75 to update antivirus and attack definitions, or from the CLI enter:
   execute updatecenter updatenow
To
nstallation

Connecting the FortiGate unit to your networks

Optionally, set the secondary DNS server IP addresses. Enter:
   set system dns secondary <IP address>
Example:
   set system dns secondary 293.44.75.22

Set the default route to the Default Gateway IP address (not required for DHCP and PPPoE):
   set system route number <route_no> dst 0.0.0.0 0.0.0.0 gw1 <gateway_ip>
Example:
   set system route number 0 dst 0.0.0.0 0.0.0.0 gw1 204.23.1.2

Figure 5: FortiGate 50A network connections (Internal Network and Management Computer connected through a hub, switch or router to the FortiGate 50A internal interface; external interface connected to the public switch or router and the Internet)

Connecting the FortiGate unit to your networks

When you have completed the initial configuration, you can connect the FortiGate unit between your internal network and the Internet. There are two 10/100 BaseTX connectors on the FortiGate 50A:
- Internal, for connecting to your internal network
- External, for connecting to the Internet

Configuring your networks

NAT/Route mode installation

To connect the FortiGate 50A unit
1. Connect the Internal interface to the hub or switch connected to your internal network.
2. Connect the External interface to the Internet. Connect to the public switch or router provided by your Internet Service Provider. If you are a DSL or cable subscriber, connect the External interface to the inter
nt filtering is not case sensitive. You cannot include special characters in banned words.
1. Select the Language for the banned word or phrase. You can choose Western, Chinese Simplified, Chinese Traditional, Japanese or Korean. Your computer and web browser must be configured to enter characters in the language that you select.
2. Select OK. The word or phrase is added to the banned word list.

Note: Email Content Block must be selected in the content profile for IMAP or POP3 email containing banned words to be tagged.

Email filter

Email banned word list

Downloading the email banned word list

You can back up the banned word list by downloading it to a text file on the management computer.

To download the banned word list
1. Go to Email Filter > Content Block.
2. Select Download. The FortiGate unit downloads the banned word list to a text file on the management computer. You can specify a location to which to download the text file as well as a name for the text file.

Uploading the email banned word list

You can create or edit a banned word list in a text file and upload it from your management computer to the FortiGate unit. Each banned word or phrase must appear on a separate line in the text file. Use ASCII (Western), Chinese Simplified, Chinese Traditional, Japanese or Korean characters. Your computer and web browser must be configured to enter characters in the character set that you use. A
ntaining the virus. For HTTP, this is the IP address of the web page that sent the virus.
- DEST_IP: The IP address of the computer that would have received the virus. For POP3, this is the IP address of the user's computer that attempted to download the email containing the virus.
- EMAIL_FROM: The email address of the sender of the message in which the virus was found.
- EMAIL_TO: The email address of the intended receiver of the message in which the virus was found.
Section End: <VIRUS_ALERT>

Block alert

Used for file block alert email messages.
Section Start: <BLOCK_ALERT>
Allowed Tags:
- FILE: The name of the file that was blocked.
- PROTOCOL: The service for which the file was blocked.
- SOURCE_IP: The IP address from which the blocked file was received. For email, this is the IP address of the email server that sent the email containing the blocked file. For HTTP, this is the IP address of the web page that sent the blocked file.
- DEST_IP: The IP address of the computer that would have received the blocked file. For email, this is the IP address of the user's computer that attempted to download the message from which the file was removed.
- EMAIL_FROM: The email address of the sender of the message from which the file was removed.
- EMAIL_TO: The email address of the intended receiver of the message from which the file was removed.
Section End: <BLOCK_ALERT>
nted email

Logging and reporting

You can configure the FortiGate unit to log network activity, from routine configuration changes and traffic sessions to emergency events. You can also configure the FortiGate unit to send alert email messages to inform system administrators about events such as network attacks, virus incidents, and firewall and VPN events.

This chapter describes:
- Recording logs
- Filtering log messages
- Configuring traffic logging
- Configuring alert email

Recording logs

You can configure logging to record logs to one or more of:
- a computer running a syslog server
- a computer running a WebTrends firewall reporting server
- the console

For information about filtering the log types and activities that the FortiGate unit records, see "Filtering log messages" on page 253. For information about traffic logs, see "Configuring traffic logging" on page 254.

This section describes:
- Recording logs on a remote computer
- Recording logs on a NetIQ WebTrends server
- Log message levels

Recording logs on a remote computer

You can configure the FortiGate unit to record log messages on a remote computer. The remote computer must be configured with a syslog server.

To record logs on a remote computer
1. Go to Log & Report > Log Setting.
2. Select the Log to Remote Host check box to send the logs to a syslog server.
3. Type the IP address of the remote computer running sysl
nterfaces, you must first add addresses to the address list for each interface. You can add, edit and delete all firewall addresses as required. You can also organize related addresses into address groups to simplify policy creation.

A firewall address consists of an IP address and a netmask. This information can represent:
- The address of a subnet (for example, for a class C subnet, IP address 192.168.20.0 and Netmask 255.255.255.0)
- A single IP address (for example, IP Address 192.168.20.1 and Netmask 255.255.255.255)
- All possible IP addresses, represented by IP Address 0.0.0.0 and Netmask 0.0.0.0

Note: IP address 0.0.0.0 and Netmask 255.255.255.255 is not a valid firewall address.

Firewall configuration

Addresses

This section describes:
- Adding addresses
- Editing addresses
- Deleting addresses
- Organizing addresses into address groups

Adding addresses

To add an address
1. Go to Firewall > Address.
2. Select the interface that you want to add the address to.
3. Select New to add a new address.
4. Enter an Address Name to identify the address. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z) and the special characters - and _. Spaces and other special characters are not allowed.
5. Enter the IP Address. The IP address can be:
   - The IP address of a single computer (for example, 192.45.46.45)
   - The IP address of a subnetwork (for example, 19
ny point without the need to make any changes to your network.

Introduction

Document conventions

This guide uses the following conventions to describe CLI command syntax:
- angle brackets < > to indicate variable keywords. For example:
     execute restore config <filename_str>
  You enter: restore config myfile.bak
  <xxx_str> indicates an ASCII string variable keyword.
  <xxx_integer> indicates an integer variable keyword.
  <xxx_ip> indicates an IP address variable keyword.
- vertical bar and curly brackets { | } to separate alternative, mutually exclusive required keywords. For example:
     set system opmode {nat | transparent}
  You can enter set system opmode nat or set system opmode transparent.
- square brackets [ ] to indicate that a keyword is optional. For example:
     get firewall ipmacbinding [dhcpipmac]
  You can enter get firewall ipmacbinding or get firewall ipmacbinding dhcpipmac.

Fortinet documentation

Information about FortiGate products is available from the following FortiGate User Manual volumes:
- Volume 1: FortiGate Installation and Configuration Guide. Describes installation and basic configuration for the FortiGate unit. Also describes how to use FortiGate firewall policies to control traffic flow through the FortiGate unit and how to use firewall po
o a RADIUS server. Select the name of the RADIUS server to which the user must authenticate. You can only select a RADIUS server that has been added to the FortiGate RADIUS configuration. See "Configuring RADIUS support" on page 174.
5. Select the Try other servers if connect to selected server fails check box if you have selected Radius and you want the FortiGate unit to try to connect to other RADIUS servers added to the FortiGate RADIUS configuration.
6. Select OK.

Figure 17: Adding a user name (User Name: User_2; Disable; Password; LDAP: LDAP_1; Radius: Radius_1; Try other servers if connect to selected server fails)

Deleting user names from the internal database

You cannot delete user names that have been added to user groups. Remove user names from user groups before deleting them.

To delete a user name from the internal database
1. Go to User > Local.
2. Select Delete User for the user name that you want to delete.
3. Select OK.

Note: Deleting the user name deletes the authentication configured for the user.

Users and authentication

Configuring RADIUS support

If you have configured RADIUS support and a user is required to authenticate using a RADIUS server, the FortiGate unit contacts the RADIUS server for authentication.

This section describes:
- Adding RADIUS servers
- Deleti
o the actual address of the web server on the internal network. To allow connections from the Internet to the web server, you must then add an Ext -> Int firewall policy and set Destination to the virtual IP.

You can create two types of virtual IPs:
- Static NAT: Used to translate an address on a source network to a hidden address on a destination network. Static NAT translates the source address of return packets to the address on the source network.
- Port Forwarding: Used to translate an address and a port number on a source network to a hidden address and, optionally, a different port number on a destination network. Using port forwarding, you can also route packets with a specific port number and a destination address that matches the IP address of the interface that receives the packets. This technique is called port forwarding or port address translation (PAT). You can also use port forwarding to change the destination port of the forwarded packets.

This section describes:
- Adding static NAT virtual IPs
- Adding port forwarding virtual IPs
- Adding policies with virtual IPs

Virtual IPs

Firewall configuration

Adding static NAT virtual IPs

To add a static NAT virtual IP
1. Go to Firewall > Virtual IP.
2. Select New to add a virtual IP.
3. Type a Name for the virtual IP. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z) and the specia
o the web-based manager 35
Using the command line interface 36
Configuring the FortiGate unit to operate in NAT/Route mode 36
Connecting the FortiGate unit to your networks 37
Configuring your networks 38

Contents

Completing the configuration 38
Setting the date and time 38
Changing antivirus protection 38
Registering your FortiGate unit 39
Configuring virus and attack definition updates 39
Transparent mode installation 41
Preparing to configure Transparent mode 41
Using the Setup Wizard 42
Changing to Transparent mode
oads the list to a text file on the management computer. You can specify a location to which to download the text file as well as a name for the text file.

Email filter

Email exempt list

Uploading an email block list

You can create an email block list in a text editor and then upload the text file to the FortiGate unit. Add one pattern to each line of the text file. You can follow the pattern with a space and then a 1 to enable or a zero (0) to disable the pattern. If you do not add this information to the text file, the FortiGate unit automatically enables all patterns that are followed with a 1 or no number when you upload the text file.

Figure 43: Example email block list text file
mail.badsite.com 1
suredeal.org 1
user1@badsite.com 1

You can either create the email block list yourself or add a block list created by a third-party email blacklist service. For example, you can subscribe to the Realtime Blackhole List service available at http://mail-abuse.org/rbl/ as a starting point for creating your own email block list. You can upload blacklists to the FortiGate unit as text files with only minimal editing to remove comments at the top of each list and to combine the lists that you want into a single file.

Note: All changes made to the email block list using the web-based manager are lost when you upload a new list. However, you can download your current email block list, add more patterns to it usin
of the filter list with a prefix with 0.0.0.0 for the IP address, 0.0.0.0 for the netmask, and action set to deny. Because RIP uses the first match it finds in a top-down search of the filter list, all the allowed entries are matched first and all other entries for the specified interface are matched by the last entry and denied. Create a separate entry at the bottom of the filter list for each interface for which you want to deny all updates not specifically allowed.

This section describes:
- Adding a RIP filter list
- Assigning a RIP filter list to the neighbors filter
- Assigning a RIP filter list to the incoming filter
- Assigning a RIP filter list to the outgoing filter

Adding a RIP filter list

Each entry in a RIP filter list consists of a prefix (IP address and netmask), the action RIP should take for this prefix (allow or deny), and the interface to which to apply this RIP filter list entry.

To add a RIP filter list
1. Go to System > RIP > Filter.
2. Select New to add a RIP filter.

Adding RIP filters

RIP configuration

3. For Filter Name, type a name for the RIP filter list. The name can be 15 characters long and can contain upper and lower case letters, numbers, and special characters. The name cannot contain spaces.
4. Select the Blank Filter check box to create a RIP filter list with no entries, or enter the information for the fir
og server software.

Recording logs

Logging and reporting

4. Type the port number of the syslog server.
5. Select the severity level for which you want to record log messages. The FortiGate unit logs all levels of severity down to, but not lower than, the level you choose. For example, if you want to record emergency, alert, critical and error messages, select Error. See "Log message levels" on page 253.
6. Select Config Policy.
7. Select the Log type for which you want the FortiGate unit to record logs.
8. For each Log type, select the activities for which you want the FortiGate unit to record log messages. For information about log types and activities, see "Filtering log messages" on page 253 and "Configuring traffic logging" on page 254.
9. Select OK.
10. Select Apply.

Recording logs on a NetIQ WebTrends server

Use the following procedure to configure the FortiGate unit to record logs on a remote NetIQ WebTrends firewall reporting server for storage and analysis. FortiGate log formats comply with WebTrends Enhanced Log Format (WELF) and are compatible with WebTrends NetIQ Security Reporting Center 2.0 and Firewall Suite 4.1. For more information, see the Security Reporting Center and Firewall Suite documentation.

Note: FortiGate traffic log messages include sent and received fields, which are optional but required for drawing a WebTrends graph.

To recor
okes, it requires a tunnel connecting it to the hub but not to the other spokes. It also requires policies that control its encrypted connections to the other spokes and its non-encrypted connections to other networks such as the Internet.
- VPN concentrator (hub) general configuration steps
- Adding a VPN concentrator
- VPN spoke general configuration steps

VPN concentrator (hub) general configuration steps

A central FortiGate that is functioning as a hub requires the following configuration:
- A tunnel (AutoIKE phase 1 and phase 2 configuration, or manual key configuration) for each spoke
- Destination addresses for each spoke
- A concentrator configuration
- An encrypt policy for each spoke

To create a VPN concentrator configuration
1. Configure one of the following tunnels for each spoke:
   - A manual key tunnel consists of a name for the tunnel, the IP address of the spoke (client or gateway) at the opposite end of the tunnel, and the encryption and authentication algorithms to use for the tunnel. See "Manual key IPSec VPNs" on page 181.
   - An AutoIKE tunnel consists of phase 1 and phase 2 parameters. The phase 1 parameters include the name of the spoke (client or gateway), designation of how the spoke receives its IP address (static or dialup), encryption and authentication algorithms, and the authentication method (either pre-shared keys or PKI certificates). The phase 2 parameters include the name of the
olicy grid. You can configure firewall policies to control the flow of packets between the modem interface and the other interfaces on the FortiGate unit. For information about adding firewall policies, see "Adding firewall policies" on page 140.

Configuring the modem interface

Network configuration

RIP configuration

The FortiGate implementation of the Routing Information Protocol (RIP) supports both RIP version 1, as defined by RFC 1058, and RIP version 2, as defined by RFC 2453. RIP version 2 enables RIP messages to carry more information and to support simple authentication and subnet masks.

RIP is a distance-vector routing protocol intended for small, relatively homogeneous networks. RIP uses hop count as its routing metric. Each network is usually counted as one hop. The network diameter is limited to 15 hops.

This chapter describes how to configure FortiGate RIP:
- RIP settings
- Configuring RIP for FortiGate interfaces
- Adding RIP filters

RIP settings

To configure RIP on the FortiGate unit
1. Go to System > RIP > Settings.
2. Select Enable RIP. When you enable RIP, the FortiGate unit starts the RIP process. The FortiGate unit does not send or receive RIP packets until you enable RIP on at least one interface. For information about configuring RIP, see "Configuring RIP for FortiGate interfaces" on page 115.
3. Select En
on

Figure: Transparent mode example network (FDN and Internet reached through the upstream gateway/router at IP 192.168.1.2; FortiGate 50A with Management IP 192.168.1.1; Management Computer and Internal Network behind the FortiGate unit)

General configuration steps
1. Set the FortiGate unit to operate in Transparent mode.
2. Configure the Management IP address and Netmask of the FortiGate unit.
3. Configure the default route to the external network.

Transparent mode configuration examples

Transparent mode installation

Web-based manager example configuration steps

To configure basic Transparent mode settings and a default route using the web-based manager
1. Go to System > Status.
   - Select Change to Transparent Mode.
   - Select Transparent in the Operation Mode list.
   - Select OK. The FortiGate unit changes to Transparent mode.
2. Go to System > Network > Management.
   - Change the Management IP and Netmask: IP 192.168.1.1, Mask 255.255.255.0.
   - Select Apply.
3. Go to System > Network > Routing.
   - Select New to add the default route to the external network: Destination IP 0.0.0.0, Mask 0.0.0.0, Gateway 192.168.1.2.
   - Select OK.

CLI configuration steps

To configure the Fortinet basic settings and a default route using the CLI
1. Change the system to operate in Transparent Mode:
   set system opmode transparent
2. Add the Management IP address and Netmask:
   set sy
on addresses of the request, it starts an IPSec VPN tunnel and applies an encrypt policy.

To add a phase 1 configuration
1. Go to VPN > IPSEC > Phase 1.
2. Select New to add a new phase 1 configuration.
3. Type a Gateway Name for the remote VPN peer. The remote VPN peer can be either a gateway to another network or an individual client on the Internet. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z) and the special characters - and _. Other special characters and spaces are not allowed.

AutoIKE IPSec VPNs

IPSec VPN

4. Select a Remote Gateway address type. If the remote VPN peer has a static IP address, select Static IP Address. If the remote VPN peer has a dynamically assigned IP address (DHCP or PPPoE), or if the remote VPN peer has a static IP address that is not required in the peer identification process, select Dialup User. Depending on the Remote Gateway address type you selected, other fields become available.
   Remote Gateway: Static IP Address
   IP Address: If you select Static IP Address, the IP Address field appears. Enter the IP address of the remote IPSec VPN gateway or client that can connect to the FortiGate unit. This is a mandatory entry.
   Remote Gateway: Dialup User
   Peer Options: If you select Dialup User, the Peer Options become available under Advanced Options. Use the Peer Options to authenticate remote VPN peers with p
280. on and can receive FortiGate traps. To monitor FortiGate system information and receive FortiGate traps, you must compile Fortinet proprietary MIBs as well as Fortinet-supported standard MIBs into your SNMP manager. RFC support includes support for most of RFC 2665 (Ethernet-like MIB) and most of RFC 1213 (MIB II); for more information, see FortiGate MIBs.

This section describes:
• Configuring the FortiGate unit for SNMP monitoring
• Configuring FortiGate SNMP support
• FortiGate MIBs
• FortiGate traps
• Fortinet MIB fields

Configuring the FortiGate unit for SNMP monitoring
Before a remote SNMP manager can connect to the FortiGate agent, you must configure one or more FortiGate interfaces to accept SNMP connections. See Controlling administrative access to an interface on page 97.

Configuring FortiGate SNMP support
Use the information in this section to configure the FortiGate unit so that an SNMP manager can connect to the FortiGate SNMP agent to receive management information and traps.
• Configuring SNMP access to an interface
• Configuring SNMP community settings

Configuring SNMP access to an interface
Before a remote SNMP manager can connect to the FortiGate agent, you must configure one or more FortiGate interfaces to accept SNMP connections. The configuration steps to follow depend on whether
281. on menu. Immediately press any key to interrupt the system startup.
Note: You have only 3 seconds to press any key. If you do not press a key soon enough, the FortiGate unit reboots and you must log in and repeat the execute reboot command.
If you successfully interrupt the startup process, one of the following messages appears:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
Enter G, F, B, Q, or H:
Type G to get the new firmware image from the TFTP server.
Type the address of the TFTP server and press Enter. The following message appears:
Enter Local Address [192.168.1.188]:
Type the address of the internal interface of the FortiGate unit and press Enter.
Note: The local IP address is used only to download the firmware image. After the firmware is installed, the address of this interface is changed back to the default IP address for this interface.
The following message appears:
Enter File Name [image.out]:
Enter the firmware image filename and press Enter. The TFTP server uploads the firmware image file to the FortiGate unit and messages similar to the following are displayed:
Save as Default firmware/Run image without saving: [D/R]
or
Save as Default firmware/Backup firmware/Run image without saving: [D/B/R]
Type D. The FortiGate unit installs the new firmware image
282. on mode: Transparent

Configuring the Transparent mode management IP address
1. Log into the CLI if you are not already logged in.
2. Set the management IP address and netmask to the IP address and netmask that you recorded in Table 14 on page 41. Enter:
   set system management ip <IP address> <netmask>
   Example:
   set system management ip 10.10.10.2 255.255.255.0
3. Confirm that the address is correct. Enter:
   get system management
   The CLI lists the management IP address and netmask.

Configure the Transparent mode default gateway
1. Log into the CLI if you are not already logged in.
2. Set the default route to the default gateway that you recorded in Table 14 on page 41. Enter:
   set system route number <number> gateway <IP address>
   Example:
   set system route number 1 gw1 204.23.1.2
You have now completed the initial configuration of the FortiGate unit.

Connecting the FortiGate unit to your networks
When you have completed the initial configuration, you can connect the FortiGate unit between your internal network and the Internet. There are two 10/100 BaseTX connectors on the FortiGate 50A unit:
• Internal, for connecting to your internal network
• External, for connecting to the Internet

To connect the FortiGate unit
1. Connect the Internal interface to the hub or switch connected to you
283. onfiguring settings 108
  connecting to a dialup account 109
  connecting to FortiGate unit 108
  disconnecting 109
  interface 107
  standalone mode 107, 110
  viewing status 110
monitor system status 70
monitored interfaces 216
monitoring system status 67
MTU size 98
  changing 98
  definition 260
  improving network performance 98
  interface 98
N
NAT
  policy option 142
  push update 79
NAT mode
  adding policy 140
  introduction 13
  IP addresses 36
NAT/Route mode
  changing to 66
  configuration from the CLI 36
netmask
  administrator account 124, 125
network address translation
  introduction 13
Network Intrusion Detection System 215
network status 68
next hop router 97
NIDS 215
  attack prevention 220
  detection 215
  prevention 220
  reducing alert email 222
  reducing attack log messages 222
  user-defined signatures 218
NTP 38, 45, 151, 260
NTP server 121
  setting system date and time 121
O
one-time schedule 155
  creating 155
operating mode
  changing to NAT/Route mode 66
  changing to Transparent mode 65
options
  changing system options 122
Outbound NAT
  encrypt policy 142
override server
  adding 76, 77
oversized files and email
  blocking 228
P
password
  adding 172
  changing administrator account 125
  Fortinet support 89
  recovering a lost Fortinet support 86
PAT 159
pattern
  web pattern blocking 237
permission
  administrator account 125
ping server
  adding to an inter
284. operate with most standard external serial interface modems that support standard Hayes AT commands. To connect, install a USB-to-serial converter between one of the two USB ports on the FortiGate unit and the serial port on the modem. The FortiGate unit does not support a direct USB connection between the two devices.

[Figure 10: Example modem interface network connection. FortiGate 50A (USB connector), USB-to-serial converter, External modem, Internet]

Configuring modem settings
Configure modem settings so that the FortiGate unit uses the modem to connect to your ISP dialup accounts. You can configure the modem to connect to up to three dialup accounts. You can also enable and disable FortiGate modem support, configure how the modem dials, and select the FortiGate interface that the modem is redundant for.

To configure modem settings
1. Go to System > Network > Modem.
2. Select Enable USB Modem.
3. Change any of the following dialup connection settings:
   Redial Limit: The maximum number of times (1-10) that the FortiGate unit dials the ISP to restore an active connection on the modem interface. The default redial limit is 1. Select None to allow the modem to never stop redialing.
   Holddown (for backup configurations): The time (1-60 seconds) t
285. ord. Select Connect. In the connect window, enter the User Name and Password that you use to connect to your dialup network connection. This user name and password is not the same as your VPN user name and password.

Configuring a Windows XP client for PPTP
Use the following procedure to configure a client computer running Windows XP so that it can connect to a FortiGate PPTP VPN.

To configure a PPTP dialup connection
1. Go to Start > Settings > Control Panel.
2. Select Network and Internet Connections.
3. Select Create a Connection to the network of your workplace and select Next.
4. Select Virtual Private Network Connection and select Next.
5. Name the connection and select Next.
6. If the Public Network dialog box appears, choose the appropriate initial connection and select Next.
7. In the VPN Server Selection dialog, enter the IP address or host name of the FortiGate unit to connect to and select Next.
8. Select Finish.

To configure the VPN connection
1. Right-click the Connection icon that you created in the previous procedure.
2. Select Properties > Security.
3. Select Typical to configure typical settings.
4. Select Require data encryption.
   Note: If a RADIUS server is used for authentication, do not select Require data encryption. PPTP encryption is not supported for RADIUS server authentication.
5. Select Adva
286. ord activity events, such as detection of email that contains unwanted content and email from unwanted senders.
Record log messages when the FortiGate connects to the FDN to download antivirus and attack updates.
4. Select the message categories that you want the FortiGate unit to record if you selected Event Log, Virus Log, Web Filtering Log, Attack Log, Email Filter Log, or Update in step 3.
5. Select OK.

[Figure 44: Example log filter configuration. Log Setting check boxes: Traffic Log; Web Filtering Log (Content block, URL block, URL exempt); Attack Log (Attack Detection, Attack Prevention); Email Filter Log (Blocklist email detected, Banned word detected); Update (Failed update, Successful update, FDN error); Event Log (When configuration has changed, IPSec negotiation event, DHCP service event, PPP service event, Admin login/logout event, IP/MAC binding event, System activity event, HA activity event, Firewall authentication event, Route gateway event); Virus Log (Virus infected, Filename blocked, File oversized)]

Configuring traffic logging
You can configure the FortiGate unit to record traffic log messages for connections to:
• An interface
• A firewall policy
The FortiGate unit can filter traffic logs for a source and destination address and service. You can also enable the following global settings:
• resolve IP addresses to
287. ormation about arranging policies in a policy list, see Configuring policy lists on page 144.

Firewall policy options
This section describes the options that you can add to firewall policies.
Source: Select an address or address group that matches the source address of the packet. Before you can add this address to a policy, you must add it to the source interface. For information about adding an address, see Addresses on page 146.
Destination: Select an address or address group that matches the destination address of the packet. Before you can add this address to a policy, you must add it to the destination interface. For information about adding an address, see Addresses on page 146. For NAT/Route mode policies where the address on the destination network is hidden from the source network using NAT, the destination can also be a virtual IP that maps the destination address of the packet to a hidden destination address. See Virtual IPs on page 157.
Schedule: Select a schedule that controls when the policy is available to be matched with connections. See Schedules on page 154.
Service: Select a service that matches the service port number of the packet. You can select from a wide range of predefined services or add custom services and service groups. See Services on page 149.

Adding firewall policies
[Figure 5: Adding a NAT/Route policy (Int >
288. ou want to enable network protection for.

Users and authentication
FortiGate units support user authentication to the FortiGate user database, a RADIUS server, and an LDAP server. You can add user names to the FortiGate user database and then add a password to allow the user to authenticate using the internal database. You can also add the names of RADIUS and LDAP servers. You can select RADIUS to allow the user to authenticate using the selected RADIUS server, or LDAP to allow the user to authenticate using the selected LDAP server. You can disable a user name so that the user cannot authenticate.
To enable authentication, you must add user names to one or more user groups. You can also add RADIUS servers and LDAP servers to user groups. You can then select a user group when you require authentication. You can select user groups to require authentication for:
• any firewall policy with Action set to ACCEPT
• IPSec dialup user phase 1 configurations
• Auth functionality for phase 1 IPSec VPN configurations
• PPTP
• L2TP
When a user enters a user name and password, the FortiGate unit searches the internal user database for a matching user name. If Disable is selected for that user name, the user cannot authenticate and the connection is dropped. If Password is selected for that user and the
289. ource addresses into an address group.
1. Go to Firewall > Address > Group.
2. Add a new address group to the interface to which L2TP clients connect.
3. Enter a Group Name to identify the address group. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
4. To add addresses to the address group, select an address from the Available Addresses list and select the right arrow to add it to the Members list.
5. To remove addresses from the address group, select an address from the Members list and select the left arrow to remove it from the group.
6. Select OK to add the address group.

To add a destination address
Add an address to which L2TP users can connect.
1. Go to Firewall > Address.
2. Select the internal interface.
3. Select New to add an address.
4. Enter the Address Name, IP Address, and NetMask for a single computer or for an entire subnetwork on an internal interface of the local VPN peer.
5. Select OK to save the source address.

To add a firewall policy
Add a policy that specifies the source and destination addresses and sets the service for the policy to the traffic type inside the L2TP VPN tunnel.
1. Go to Firewall > Policy.
2. Select the Ext > Int policy list.
3. Select New to add a policy.
4. Set Source to the group that m
290. p 389 of protocols used to access information directories.

Service | Description | Protocol | Port
NetMeeting | NetMeeting allows users to teleconference using the Internet as the transmission medium. | tcp | 1720
NFS | Network File System allows network users to access shared files stored on computers of different types. | tcp | 111, 2049
NNTP | Network News Transport Protocol is a protocol used to post, distribute, and retrieve USENET messages. | tcp | 119
NTP | Network time protocol for synchronizing a computer's time with a time server. | tcp | 123
OSPF | Open Shortest Path First (OSPF) routing protocol. OSPF is a common link state routing protocol. | 89 |
PC Anywhere | PC Anywhere is a remote control and file transfer protocol. | udp | 5632
PING | ICMP echo request/reply for testing connections to other devices. | icmp | 8
TIMESTAMP | ICMP timestamp request messages. | icmp | 13
INFO_REQUEST | ICMP information request messages. | icmp | 15
INFO_ADDRESS | ICMP address mask request messages. | icmp | 17
POP3 | Post office protocol email protocol for downloading email from a POP3 server. | tcp | 110
PPTP | Point-to-Point Tunneling Protocol is a protocol that allows corporations to extend their own corporate network through private tunnels over the public Internet. | tcp | 1723
QUAKE | For connections used by the popular Quake multi-player computer game. | udp | 26000, 27000, 27910, 27960
RAUDIO | For streaming real audio multimedia traffic. | udp | 7070
RLOGIN | Rlogin service for remotely logging into a server. | tcp | 513
RIP | Routing Information Protoco
291. password matches, the connection is allowed. If the password does not match, the connection is dropped.
If RADIUS is selected and RADIUS support is configured, and the user name and password match a user name and password on the RADIUS server, the connection is allowed. If the user name and password do not match a user name and password on the RADIUS server, the connection is dropped.
If LDAP is selected and LDAP support is configured, and the user name and password match a user name and password on the LDAP server, the connection is allowed. If the user name and password do not match a user name and password on the LDAP server, the connection is dropped.
If the user group contains user names, RADIUS servers, and LDAP servers, the FortiGate unit checks them in the order in which they have been added to the user group.

This chapter describes:
• Setting authentication timeout
• Adding user names and configuring authentication
• Configuring RADIUS support
• Configuring LDAP support
• Configuring user groups

Setting authentication timeout
Authentication timeout controls how long authenticated firewall connections can remain idle before users must authenticate again to get access through the firewall.
To set authentication timeout
1. Go to System > Config > Options.
2. In Auth Timeout, type a number in minutes. The defau
292. [Figure residue: ...plet, Cookie, ActiveX]

Exempt URL list
Add URLs to the exempt URL list to allow legitimate traffic that might otherwise be blocked by content or URL blocking. For example, if content blocking is set to block pornography-related words and a reputable website runs a story on pornography, web pages from the reputable website are blocked. Adding the address of the reputable website to the exempt URL list allows the content of the website to bypass content blocking.
Note: Content downloaded from exempt web pages is not blocked or scanned by antivirus protection.
• Adding URLs to the URL Exempt list
• Downloading the URL Exempt List
• Uploading a URL Exempt List

Adding URLs to the URL Exempt list
1. Go to Web Filter > URL Exempt.
2. Select New to add an item to the URL Exempt list.
3. Type the URL to exempt. Type a complete URL, including path and filename, to exempt access to a page on a website. For example, www.goodsite.com/index.html exempts access to the main page of this example website. You can also add IP addresses; for example, 122.63.44.67/index.html exempts access to the main web page at this address. Do not include http:// in the URL to exempt. Exempting a top-level URL, such as www.goodsite.com, exempts all requested subpages (for example, www.goodsite.com/badpage) from all content and URL filtering rules.
Note: Exempting a top-level URL does not exempt pa
293. pleted the procedures in this chapter, you can proceed to one of the following:
• If you are going to operate the FortiGate unit in NAT/Route mode, go to NAT/Route mode installation on page 33.
• If you are going to operate the FortiGate unit in Transparent mode, go to Transparent mode installation on page 41.
This chapter describes:
• Package contents
• Mounting
• Powering on
• Connecting to the web-based manager
• Connecting to the command line interface (CLI)
• Factory default FortiGate configuration settings
• Planning the FortiGate configuration
• FortiGate model maximum values matrix
• Next steps

Package contents
The FortiGate 50A package contains the following items:
• the FortiGate 50A Antivirus Firewall
• one orange cross-over ethernet cable
• one gray regular ethernet cable
• one null modem cable
• FortiGate 50A QuickStart Guide
• a CD containing the FortiGate user documentation
• one AC adapter

[Figure 1: FortiGate 50A package contents. Front: Ethernet Cables (Orange Crossover, Grey Straight-through), Null Modem Cable (RS-232), Power LED, Status LED, Internal Interface, External Interface. Back: Power Cable, Power Supply, External, Internal, Power, USB, RS-232 Serial Connection, Documentatio]
294. pper right of the web-based manager.

Modifying the Dead Gateway Detection settings
Modify dead gateway detection to control how the FortiGate unit confirms connectivity with a ping server added to an interface configuration. For information about adding a ping server to an interface, see Adding a ping server to an interface on page 97.
To modify the dead gateway detection settings
1. Go to System > Config > Options.
2. For Detection Interval, type a number in seconds to specify how often the FortiGate unit tests the connection to the ping target.
3. For Fail-over Detection, type a number of times that the connection test fails before the FortiGate unit assumes that the gateway is no longer functioning.
4. Select Apply.

Adding and editing administrator accounts
When the FortiGate unit is initially installed, it is configured with a single administrator account with the user name admin. From this administrator account you can add and edit administrator accounts. You can also control the access level of each of these administrator accounts and control the IP address from which the administrator can connect to the FortiGate unit.
There are three administration account access levels:
admin: Has all permissions. Can view, add, edit, and delete administrator accounts. Can view and change the FortiGate con
295. ption
Status: 0 Disabled, 1 Enabled
Language: 0 ASCII, 1 Simplified Chinese, 2 Traditional Chinese, 3 Japanese, 4 Korean

Figure 36: Example Banned Word List text file
banned 1 0
banned phrase1 1 3
banned phrase 2 1 1

Note: All changes made to the banned word list using the web-based manager are lost when you upload a new list. However, you can download your current banned word list, add more items to it using a text editor, and then upload the edited list to the FortiGate unit.

To restore the banned word list
1. Go to Web Filter > Content Block.
2. Select Restore Banned Word List.
3. Type the path and filename of the banned word list text file, or select Browse and locate the file.
4. Select OK to upload the file to the FortiGate unit.
5. Select Return to display the updated Banned Word List.
You can continue to maintain the Banned Word List by making changes to the text file and uploading it again as necessary.
Note: Banned Word must be selected in the content profile for web pages containing banned words to be blocked.

URL blocking
You can block unwanted web URLs using FortiGate Web URL blocking, FortiGate Web pattern blocking, and Cerberian web filtering.
• Configuring FortiGate Web URL blocking
• Configuring FortiGate Web pattern blocking
• Configuring Cerberian URL filtering

Configuring FortiGate Web URL blocking
You can configure FortiGat
296. ption 140
  recurring 156
scheduled antivirus and attack updates 78
scheduled updates through a proxy server 78
scheduling 76
scope
  adding a DHCP scope 105
script filter 240
  example settings 240
scripts
  removing from web pages 240, 250
secondary IP
  interface 96
security question
  registration 89
serial number
  displaying 64
server
  DHCP 104, 105
service 149
  custom ICMP 153
  custom IP 153
  custom TCP 152
  custom UDP 152
  group 153
  policy option 140
  predefined 149
  service name 149
  user-defined ICMP 153
  user-defined IP 153
  user-defined TCP 152
  user-defined UDP 152
service contracts
  Forticare 84
service group
  adding 154
service name
  traffic filter display 255
session
  clearing 70
session list 70
session status 68
set time 121
setup wizard 35, 42
  starting 35, 42
shutting down 66
signature threshold values 221
SMTP 151
  configuring alert email 258
  definition 260
SNMP
  configuring 125
  contact information 127
  definition 260
  first trap receiver IP address 127
  get community 127
  MIBs 128
  system location 127
  trap community 127
  traps 129
source
  policy option 140
squidGuard 237, 249
SSH 151, 261
SSL 259
  service definition 150
standalone mode
  modem 107, 110
starting IP
  DHCP 22, 106, 107
  PPTP 204, 209
static IP/MAC list 163
static NAT virtual IP 157
  adding 158
static route
  adding 101
status
  CPU 67
  interface 94
  intrusions 69
  IPSec VPN tunnel 2
297. r a service that is not in the predefined service list.
To add a custom TCP or UDP service
1. Go to Firewall > Service > Custom.
2. Select TCP/UDP from the Protocol list.
3. Select New.
4. Type a Name for the new custom TCP or UDP service. This name appears in the service list used when you add a policy. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
5. Select the Protocol, either TCP or UDP, used by the service.
6. Specify a Source and Destination Port number range for the service by entering the low and high port numbers. If the service uses one port number, enter this number in both the low and high fields.
7. If the service has more than one port range, select Add to specify additional protocols and port ranges. If there are too many port range rows, select Delete to remove each extra row.
8. Select OK to add the custom service.
You can now add this custom service to a policy.

Adding custom ICMP services
Add a custom ICMP service if you need to create a policy for a service that is not in the predefined service list.
To add a custom ICMP service
1. Go to Firewall > Service > Custom.
2. Select ICMP from the Protocol list.
3. Select New.
4. Type a Name for the new custom ICMP service. This name appears in the service list used when you add a policy. The name ca
298. r internal network.
2. Connect the External interface to the Internet. Connect to the public switch or router provided by your Internet Service Provider.

[Figure 6: FortiGate 50A network connections. Internal Network; Management Computer; Hub, Switch, or Router; FortiGate 50A (Internal, External); Public Switch or Router; Internet]

In Transparent mode, the FortiGate unit does not change the layer 3 topology. This means that all of its interfaces are on the same IP subnet and that it appears to other devices as a bridge. Typically, the FortiGate unit would be deployed in Transparent mode when it is intended to provide antivirus and content scanning behind an existing firewall solution. A FortiGate unit in Transparent mode can also perform firewalling. Even though it takes no part in the layer 3 topology, it can examine layer 3 header information and make decisions on whether to block or pass traffic.

Completing the configuration
Use the information in this section to complete the initial configuration of the FortiGate unit.

Setting the date and time
For effective scheduling and logging, the FortiGate system date and time should be accurate. You can either manually set the date and time, or you can configure the FortiGate unit to automatically keep its date and time correct by synchronizing with a Network Time Protocol (NTP)
299. r the new connection appears in the Dial-Up Networking folder.
Right-click the new icon and select Properties.
Go to Server Types.
Uncheck IPX/SPX Compatible.
Select TCP/IP Settings.
Uncheck Use IP header compression.
Uncheck Use default gateway on remote network.
Select OK twice.

To connect to the PPTP VPN
1. Start the dialup connection that you configured in the previous procedure.
2. Enter your PPTP VPN User Name and Password.
3. Select Connect.

Configuring a Windows 2000 client for PPTP
Use the following procedure to configure a client computer running Windows 2000 so that it can connect to a FortiGate PPTP VPN.
To configure a PPTP dialup connection
1. Go to Start > Settings > Network and Dial-up Connections.
2. Double-click Make New Connection to start the Network Connection Wizard and select Next.
3. For Network Connection Type, select Connect to a private network through the Internet and select Next.
4. For Destination Address, enter the IP address or host name of the FortiGate unit to connect to and select Next.
5. Set Connection Availability to Only for myself and select Next.
6. Select Finish.
7. In the Connect window, select Properties.
8. Select the Security tab.
9. Uncheck Require data encryption.
10. Select OK.
To connect to the PPTP VPN
1. Start the dialup connection that you configured in the previous procedure.
2. Enter your PPTP VPN User Name and Passw
300. rent mode
• Configuring the routing table
• Policy routing

Adding a default route
You can add a default route for network traffic leaving the external interface.
To add a default route
1. Go to System > Network > Routing Table.
2. Select New to add a new route.
3. Set the Source IP and Netmask to 0.0.0.0.
4. Set the Destination IP and Netmask to 0.0.0.0.
5. Set Gateway 1 to the IP address of the routing gateway that routes traffic to the Internet.
6. Select OK to save the default route.
Note: Only one default route can be active at a time. If two default routes are added to the routing table, only the default route closest to the top of the routing table is active.

Adding destination-based routes to the routing table
You can add destination-based routes to the FortiGate routing table to control the destination of traffic exiting the FortiGate unit. You configure routes by adding destination IP addresses and netmasks and adding gateways for these destination addresses. The gateways are the next-hop routers to which to route traffic that matches the destination addresses in the route.
You can add one or two gateways to a route. If you add one gateway, the FortiGate unit routes the traffic to that gateway. You can add a second gateway to route traffic to the second gateway if the first gateway fails.
To support routing failover, the IP addres
301. ress: Media Access Control address. A hardware address that uniquely identifies each node of a network.
MIB: Management Information Base. A database of objects that can be monitored by an SNMP network manager.
Modem: A device that converts digital signals into analog signals and back again for transmission over telephone lines.
MTU: Maximum Transmission Unit. The largest physical packet size, measured in bytes, that a network can transmit. Any packets larger than the MTU are divided into smaller packets before being sent. Ideally, you want the MTU your network produces to be the same as the smallest MTU of all the networks between your machine and a message's final destination. If your messages are larger than one of the intervening MTUs, they get broken up (fragmented), which slows down transmission speeds.
Netmask: Also called subnet mask. A set of rules for omitting parts of a complete IP address to reach a target destination without using a broadcast message. It can indicate a subnetwork portion of a larger network in TCP/IP. Sometimes referred to as an Address Mask.
NTP: Network Time Protocol. Used to synchronize the time of a computer to an NTP server. NTP provides accuracies to within tens of milliseconds across the Internet relative to Coordinated Universal Time (UTC).
Packet: A piece of a message transmitted over a packet-switching network. One of the key features of a packet is that it contains the destination address in ad
302. reverting from FortiOS v2.50 to FortiOS v2.36, you might not be able to restore your previous configuration from the backup configuration file.
Note: Installing firmware replaces the current antivirus and attack definitions with the definitions included with the firmware release that you are installing. After you install new firmware, use the procedure Manually initiating antivirus and attack definitions updates on page 75 to make sure that antivirus and attack definitions are up to date.

To install firmware from a system reboot
1. Connect to the CLI using the null modem cable and FortiGate console port.
2. Make sure that the TFTP server is running.
3. Copy the new firmware image file to the root directory of the TFTP server.
4. Make sure that the internal interface is connected to the same network as the TFTP server.
5. To confirm that the FortiGate unit can connect to the TFTP server, use the following command to ping the computer running the TFTP server. For example, if the IP address of the TFTP server is 192.168.1.168, enter:
   execute ping 192.168.1.168
6. Enter the following command to restart the FortiGate unit:
   execute reboot
7. As the FortiGate unit starts, a series of system startup messages is displayed. When one of the following messages appears:
   Press any key to enter configurati
303. riety of suspicious network traffic and network-based attacks. Use the following procedures to configure the general NIDS settings and the NIDS Detection module Signature List. For the general NIDS settings, you must select which interfaces you want to be monitored for network-based attacks. You also need to decide whether to enable checksum verification. Checksum verification tests the integrity of packets received at the monitored interfaces.
This section describes:
- Selecting the interfaces to monitor
- Disabling monitoring interfaces
- Configuring checksum verification
- Viewing the signature list
- Viewing attack descriptions
- Disabling NIDS attack signatures
- Adding user-defined signatures
Selecting the interfaces to monitor
To select the interfaces to monitor for attacks:
1. Go to NIDS > Detection > General.
2. Select the interfaces to monitor for network attacks. You can select one or more interfaces.
3. Select Apply.
Disabling monitoring interfaces
To disable monitoring interfaces for attacks:
1. Go to NIDS > Detection > General.
2. Clear the check box for all the interfaces that you do not want monitored.
3. Select Apply.
Configuring checksum verification
Checksum verification tests the files that pass through the FortiGate unit to make sure that they have not been changed in transit. The NIDS can run
304. rix
Maximum values by FortiGate model (columns in order: 50A, 60, 100, 200, 300, 400, 500, 800, 1000, 3000, 3600, 4000):
- IPSec remote gateways (Phase 1): 20, 50, 80, 200, 1500, 1500, 3000, 3000, 5000, 5000, 5000, 5000
- IPSec VPN tunnels (Phase 2): 20, 50, 80, 200, 1500, 1500, 3000, 3000, 5000, 5000, 5000, 5000
- IPSec VPN concentrators: 500 on all models
- PPTP users: 500 on all models
- L2TP users: 500 on all models
- NIDS user-defined signatures: 100 on all models
- Antivirus file block patterns: 56 on all models
- Web filter and email filter lists: Limit varies depending on available system memory. Fortinet recommends limiting the total size of web and email filter lists to 4 Mbytes or less. If you want to use larger web filter lists, consider using Cerberian web filtering.
- Log setting traffic filter entries: 50 on all models
* Includes the number of physical interfaces.
Next steps
Now that your FortiGate unit is operating, you can proceed to configure it to connect to networks.
- If you are going to operate the FortiGate unit in NAT/Route mode, go to "NAT/Route mode installation" on page 33.
- If you are going to operate the FortiGate unit in Transparent mode, go to "Transparent mode installation" on page 41.
FortiGate
305. rmware version, a reboot using the CLI: You must run this procedure by connecting to the CLI using the FortiGate console port and a null modem cable. This procedure reverts the FortiGate unit to its factory default configuration.
Testing a new firmware image before installing it: Use this procedure to test a new firmware image before installing it. You must run this procedure by connecting to the CLI using the FortiGate console port and a null modem cable. This procedure temporarily installs a new firmware image using your current configuration. You can test the firmware image before installing it permanently. If the firmware image works correctly, you can use one of the other procedures listed in this table to install it permanently.
54 Fortinet Inc
Upgrading to a new firmware version
Use the following procedures to upgrade the FortiGate unit to a newer firmware version.
Upgrading the firmware using the web-based manager
Note: Installing firmware replaces the current antivirus and attack definitions with the definitions included with the firmware release that you are installing. After you install new firmware, use the procedure "Manually initiating antivirus and attack definitions updates" on page 75 to make sure that antivirus and attack definitions are up to date.
To upgrade the firmware using the web-based manager:
1. Copy the firmware image file
306. rovides the web filtering options that you want to apply to a policy. See "Adding content profiles to policies" on page 169.
3. Configure web filtering settings to control how the FortiGate unit applies web filtering to the HTTP traffic allowed by policies. See:
- URL blocking on page 235
- Configuring Cerberian URL filtering on page 238
- Content blocking on page 232
- Script filtering on page 240
- Exempt URL list on page 241
4. Configure the messages that users receive when the FortiGate unit blocks unwanted content or unwanted URLs. See "Replacement messages" on page 133.
5. Configure the FortiGate unit to record log messages when it blocks unwanted content or unwanted URLs. See "Recording logs" on page 251.
6. Configure the FortiGate unit to send an alert email when it blocks unwanted content or unwanted URLs. See "Configuring alert email" on page 257.
Content blocking
When the FortiGate unit blocks a web page, the user who requested the blocked page receives a block message and the FortiGate unit writes a message to the web filtering log. You can add banned words to the list in many languages using Western, Simplified Chinese, Traditional Chinese, Japanese, or Korean character sets.
- Adding words and phrases to the Banned Word list
- Clearing the Banned Word list
- Backing up the Banned Word l
307. ry. After completing this procedure, the FortiGate unit operates using the new firmware image with the current configuration. This new firmware image is not permanently installed. The next time the FortiGate unit restarts, it operates with the originally installed firmware image using the current configuration. If the new firmware image operates successfully, you can install it permanently using the procedure "Upgrading to a new firmware version" on page 55.
To run this procedure, you:
- access the CLI by connecting to the FortiGate console port using a null modem cable
- install a TFTP server that you can connect to from the FortiGate internal interface. The TFTP server should be on the same subnet as the internal interface.
To test a new firmware image:
1. Connect to the CLI using a null modem cable and FortiGate console port.
2. Make sure the TFTP server is running.
3. Copy the new firmware image file to the root directory of the TFTP server.
4. Make sure that the internal interface is connected to the same network as the TFTP server. You can use the following command to ping the computer running the TFTP server. For example, if the TFTP server's IP address is 192.168.1.168:
execute ping 192.168.1.168
Enter the following command to restart the FortiGate unit:
execute reboot
As the FortiGate unit reboots, press
308. [screenshot residue: phase 1 configuration dialog showing the Peer Options, XAuth, Nat traversal, and Dead Peer Detection settings]
Figure 22 Adding a phase 1 configuration, Advanced options [screenshot: Peer Options (Accept any peer ID, Accept this peer ID, Accept peer ID in dialup group), XAuth (Disable, Enable as Client, Enable as Server), Nat traversal (Enable, Keepalive Frequency 0-900 seconds), Dead Peer Detection (Enable, Short Idle 1-300 seconds, Retry Count 0-10 times, Retry Interval 1-60 seconds, Long Idle 10-2880 seconds)]
Adding a phase 2 configuration for an AutoIKE VPN
Add a phase 2 configuration to specify the parameters used to create and maintain a VPN tunnel between the local VPN peer (the FortiGate unit) and the remote VPN peer (the VPN gateway or client).
Note: Adding a Phase 2 configuration is the s
309. s for a local or active directory IPSec policy.
To connect to the L2TP VPN:
1. Start the dialup connection that you configured in the previous procedure.
2. Enter your L2TP VPN User Name and Password.
3. Select Connect.
4. In the connect window, enter the User Name and Password that you use to connect to your dialup network connection. This user name and password is not the same as your VPN user name and password.
Configuring a Windows XP client for L2TP
Use the following procedure to configure a client computer running Windows XP so that it can connect to a FortiGate L2TP VPN.
To configure an L2TP VPN dialup connection:
1. Go to Start > Settings.
2. Select Network and Internet Connections.
3. Select Create a connection to the network of your workplace and select Next.
4. Select Virtual Private Network Connection and select Next.
5. Name the connection and select Next.
6. If the Public Network dialog box appears, choose the appropriate initial connection and select Next.
7. In the VPN Server Selection dialog, enter the IP address or host name of the FortiGate unit to connect to and select Next.
8. Select Finish.
To configure the VPN connection:
1. Right-click the icon that you created.
2. Select Properties > Security.
3. Select Typical to configure typical settings.
4. Select Require data encryption.
Note: If a RADIUS server is used for authenti
310. s of each gateway must be added to the ping server of the interface connected to the same network as the gateway. For information about adding a ping server, see "Adding a ping server to an interface" on page 97.
To add destination-based routes to the routing table:
1. Go to System > Network > Routing Table.
2. Select New to add a new route.
3. Type the Destination IP address and netmask for the route.
4. Add the IP address of Gateway 1. Gateway 1 is the IP address of the primary destination for the route. Gateway 1 must be on the same subnet as a FortiGate interface. If you are adding a static route from the FortiGate unit to a single destination router, you need to specify only one gateway.
5. Add the IP address of Gateway 2 if you want to route traffic to multiple gateways.
6. Set Device 1 to the FortiGate interface through which you want to route traffic to connect to Gateway 1. You can select the name of an interface or Auto (the default). If you select the name of an interface, the traffic is routed to that interface. If you select Auto, the system selects the interface according to the following rules:
- If the Gateway 1 IP address is on the same subnet as a FortiGate interface, the system sends the traffic to that interface.
- If the Gateway 1 IP address is not on the same subnet as a FortiGate interface, the system routes the traffic to the external interface using the default route.
You can use Device 1 to send packets to an
311. s that has been added to a policy, you must first remove the address from the policy.
To delete an address:
1. Go to Firewall > Address.
2. Select the interface list containing the address that you want to delete. You can delete any address that has a Delete Address icon.
3. Choose an address to delete and select Delete.
4. Select OK to delete the address.
Organizing addresses into address groups
You can organize related addresses into address groups to make it easier to add policies. For example, if you add three addresses and then add them to an address group, you only have to add one policy using the address group rather than a separate policy for each address. You can add address groups to any interface. The address group can only contain addresses from that interface. Address groups are available in interface source or destination address lists. Address groups cannot have the same names as individual addresses. If an address group is included in a policy, it cannot be deleted unless it is first removed from the policy.
To organize addresses into an address group:
1. Go to Firewall > Address > Group.
2. Select the interface that you want to add the address group to.
3. Enter a Group Name to identify the address group. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
4. To add addresses to the address group, select an ad
312. selected. This policy does not record messages to the traffic log for the traffic processed by this policy. You can configure FortiGate logging and select Log Traffic to record all connections through the firewall that are accepted by this policy.
Factory default content profiles
You can use content profiles to apply different protection settings for content traffic that is controlled by firewall policies. You can use content profiles for:
- Antivirus protection of HTTP, FTP, IMAP, POP3, and SMTP network traffic
- Web content filtering for HTTP network traffic
- Email filtering for IMAP and POP3 network traffic
- Oversized file and email blocking for HTTP, FTP, POP3, SMTP, and IMAP network traffic
- Passing fragmented emails in IMAP, POP3, and SMTP email traffic
Using content profiles, you can build protection configurations that can be applied to different types of firewall policies. This allows you to customize types and levels of protection for different firewall policies. For example, while traffic between internal and external addresses might need strict protection, traffic between trusted internal addresses might need moderate protection. You can configure policies for different traffic services to use the same or different content profiles. Content profiles can be added to NAT/Route mode and Transparent mode policies.
Strict content profi
313. server. To set the FortiGate system date and time, see "Setting system date and time" on page 121.
Enabling antivirus protection
To enable antivirus protection to protect users on your internal network from downloading a virus from the Internet:
1. Go to Firewall > Policy > Int > Ext.
2. Select Edit to edit this policy.
3. Select Anti-Virus & Web filter to enable antivirus protection for this policy.
4. Select the Scan Content Profile.
5. Select OK to save your changes.
Registering your FortiGate
After purchasing and installing a new FortiGate unit, you can register the unit by going to System > Update > Support or using a web browser to connect to http://support.fortinet.com and selecting Product Registration. Registration consists of entering your contact information and the serial numbers of the FortiGate units you or your organization have purchased. Registration is quick and easy. You can register multiple FortiGate units in a single session without re-entering your contact information. For more information about registration, see "Registering FortiGate units" on page 83.
Configuring virus and attack definition updates
You can configure the FortiGate unit to automatically check to see if new versions of the virus definitions and attack definitions are available. If it finds new versions, the FortiGate unit automatically downloads and installs the updated definitions. The FortiGate unit uses HT
314. splay. More frequent updates use system resources and increase network traffic. However, this only occurs when you are viewing the display using the web-based manager. The line graph scales are shown on the upper right corner of the graph. Select Refresh to manually update the information displayed.
Session list
Figure 3 Sessions and network status monitor [screenshot: Automatic Refresh Interval 20 seconds; CPU & Memory, Sessions & Network, and Virus & Intrusions panels with Virus History and Intrusion History for the last 20 hours]
The session list displays information about the communications sessions currently being processed by the FortiGate unit. You can use the session list to view current sessions. FortiGate administrators with read and write permission and the FortiGate admin user can also stop active communication sessions.
To view the session list:
1. Go to System > Status > Session. The web-based manager displays the total number of active sessions in the FortiGate unit session table and lists the top 16.
2. To navigate the list of sessions, select Page Up or Page Down.
3. Select Refresh to update the session list.
4. If you are logged in as an administrative user with read and write privileges or as the admin user, you can select Clear to stop an active session.
315. ss group.
To add a source address group:
Organize the source addresses into an address group.
1. Go to Firewall > Address > Group.
2. Add a new address group to the interface to which PPTP clients connect.
3. Enter a Group Name to identify the address group. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
4. To add addresses to the address group, select an address from the Available Addresses list and select the right arrow to add it to the Members list. To remove addresses from the address group, select an address from the Members list and select the left arrow to remove it from the group.
5. Select OK to add the address group.
To add a destination address:
Add an address to which PPTP users can connect.
1. Go to Firewall > Address.
2. Select the internal interface.
3. Select New to add an address.
4. Enter the Address Name, IP Address, and NetMask for a single computer or for an entire subnetwork on an internal interface of the local VPN peer.
5. Select OK to save the destination address.
To add a firewall policy:
Add a policy which specifies the source and destination addresses and sets the service for the policy to the traffic type inside the PPTP VPN tunnel.
1. Go to Firewall > Policy.
2. Select the Ext > Int policy list.
3. Select New to add a new policy.
4. Set Source to the group that matches the PPTP address range.
5. Set
316. ssary 262
Index
A
accept policy, 141
action, policy option, 141
ActiveX, 240; removing from web pages, 240
address, 146; adding, 147; editing, 148; group, 148; IP/MAC binding, 165; virtual IP, 157
address group, 148; example, 149
address name, 147
addressing mode: DHCP, 95; PPPoE, 96
admin access level, administrator account, 124
administrative access to an interface, 97
administrative status, changing for an interface, 94
administrator account: adding, 123, 124; admin, 124; changing password, 125; editing, 123, 124; netmask, 124, 125; permission, 125; trusted host, 124, 125
alert email: configuring, 257; configuring SMTP server, 258; content of messages, 222; critical firewall or VPN events, 258; enabling, 258; hard disk full, 258; intrusion attempts, 258; reducing messages, 218; testing, 258; virus incidents, 258
allow inbound, encrypt policy, 142
allow outbound, encrypt policy, 142
allow traffic, IP/MAC binding, 164
Anti-Virus & Web filter, policy, 143
antivirus definition updates, manual, 63
antivirus definitions, updating, 73
antivirus updates, 76; configuring, 77; through a proxy server, 78
attack definition updates: downloading, 90; manual, 63
attack definitions, updating, 73, 75
attack detection: checksum verification, 216; disabling the NIDS, 216; enabling and disabling signatures, 218; selecting interfaces to monitor, 216; viewing the signature list, 217
attack log, 253; content of messages, 222
r
317. st entry on the RIP filter list.
Enter the IP address and Mask to create the prefix.
For Action, select allow or deny.
For Interface, enter the name of the interface to which to apply the entry.
Select OK to save the RIP filter list.
To add an entry to a RIP filter list:
1. Go to System > RIP > Filter.
2. For the RIP filter list name, select Add Prefix to add an entry to the filter list.
3. Enter the IP address and Mask to create the prefix.
4. For Action, select allow or deny.
5. For Interface, enter the name of the interface to which to apply the entry.
6. Select OK to add the entry to the RIP filter list.
7. Repeat steps 2 to 6 to add entries to the RIP filter list.
Assigning a RIP filter list to the neighbors filter
The neighbors filter allows or denies updates from other routers. You can assign a single RIP filter list to the neighbors filter.
To assign a RIP filter list to the neighbors filter:
1. Go to System > RIP > Filter.
2. Add RIP filter lists as required.
3. For Neighbors Filter, select the name of the RIP filter list to assign to the neighbors filter.
4. Select Apply.
Assigning a RIP filter list to the incoming filter
The incoming filter accepts or rejects routes in an incoming RIP update packet. You can assign a single RIP filter list to the incoming filter.
To assign a RIP filter list to the incoming filter:
1. Go to System > RIP > Filter.
2. Add RIP filter lists as required.
3. For Incoming Routes Filter, select the na
318. st that you want to change the order of.
Choose the policy that you want to move and select Move To to change its order in the policy list.
Type a number in the Move to field to specify where in the policy list to move the policy and select OK.
Enabling and disabling policies
You can enable and disable policies in the policy list to control whether the policy is active or not. The FortiGate unit matches enabled policies but does not match disabled policies.
Disabling policies
Disable a policy to temporarily prevent the firewall from selecting the policy. Disabling a policy does not stop active communications sessions that have been allowed by the policy. For information about stopping active communication sessions, see "System status" on page 67.
To disable a policy:
1. Go to Firewall > Policy.
2. Select the policy list that contains the policy that you want to disable.
3. Clear the check box of the policy to disable it.
Enabling policies
Enable a policy that has been disabled so that the firewall can match connections with the policy.
To enable a policy:
1. Go to Firewall > Policy.
2. Select the policy list that contains the policy that you want to enable.
3. Select the check box of the policy to enable it.
Addresses
All policies require source and destination addresses. To add addresses to a policy between two i
319. st widely implemented LAN standards. A newer version of Ethernet, called 100Base-T (or Fast Ethernet), supports data transfer rates of 100 Mbps. And the newest version, Gigabit Ethernet, supports data rates of 1 gigabit (1,000 megabits) per second.
External interface: The FortiGate interface that is connected to the Internet. For the FortiGate 60, the external interface is WAN1 or WAN2.
FTP: File Transfer Protocol. An application and TCP/IP protocol used to upload or download files.
Gateway: A combination of hardware and software that links different networks. Gateways between TCP/IP networks, for example, can link different subnetworks.
HTTP: Hyper Text Transfer Protocol. The protocol used by the World Wide Web. HTTP defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to various commands.
HTTPS: The SSL protocol for transmitting private documents over the Internet using a Web browser.
Internal interface: The FortiGate interface that is connected to an internal (private) network.
Internet: A collection of networks connected together that span the entire globe using the NFSNET as their backbone. As a generic term, it refers to any collection of interdependent networks.
ICMP: Internet Control Message Protocol. Part of the Internet Protocol (IP) that allows for the generation of error messages, test pack
320. stem management ip 192.168.1.1 255.255.255.0
3. Add the default route to the external network:
set system route number 1 gw1 192.168.1.2
Example static route to an external destination
Figure 8 shows a FortiGate unit that requires routes to the FDN located on the external network. The FortiGate unit does not require routes to the DNS servers or management computer because they are located on the internal network. To connect to the FDN, you would typically enter a single default route to the external network. However, to provide an extra degree of security, you could enter static routes to a specific FortiResponse server in addition to a default route to the external network. If the static route becomes unavailable, perhaps because the IP address of the FortiResponse server changes, the FortiGate unit will still be able to receive antivirus and NIDS updates from the FDN using the default route.
Note: This is an example configuration only. To configure a static route, you require a destination IP address.
Figure 8 Static route to an external destination [network diagram: FortiResponse Distribution Network (FDN) at 24.102.233.5; Internet; upstream router with Gateway IP 192.168.1.2; FortiGate 50A with Management IP 192.168.1.1; Internal Network]
321. stration
To recover a lost Fortinet support password:
1. Go to System > Update > Support.
2. Select Support Login.
3. Enter your Fortinet support user name.
4. Select Forgot your password.
5. Enter your email address and select Submit. The security question that you entered when you registered is displayed.
6. Enter the answer to your security question and select Get Password. If you entered the correct answer to the security question, an email containing a new password is sent to your email address. You can use your current user name and this password to log into the Fortinet support web site.
7. Select Support Login.
8. When you receive your new password, enter your user name and new password to log into the Fortinet support web site.
Viewing the list of registered FortiGate units
To view the list of registered FortiGate units:
1. Go to System > Update > Support.
2. Select Support Login.
3. Enter your Fortinet support user name and password.
4. Select Login.
5. Select View Products. The list of FortiGate products that you have registered is displayed. For each FortiGate unit, the list includes the serial number and current support options for that unit.
Figure 7 Sample list of registered FortiGate units [screenshot: View Product Support, Seria
322. t 9443, Protocol TCP/UDP, Add New Virtual IP Mapping [screenshot residue: virtual IP mapping dialog]
Adding a firewall policy for the port forwarding virtual IP
To configure the FortiGate NAT device:
1. Add a new external to internal firewall policy.
2. Configure the policy with the following settings:
Source: External_All
Destination: The virtual IP added above
Schedule: Always
Service: ANY
Action: Accept
NAT: Selected
3. Select OK.
Configuring the FortiGate unit with an override push IP and port
To configure the FortiGate unit on the internal network:
1. Go to System > Update.
2. Select the Allow Push Update check box.
3. Select the Use override push check box.
4. Set IP to the external IP address added to the virtual IP. For the example topology, enter 64.230.123.149.
5. Set Port to the external service port added to the virtual IP. For the example topology, enter 45001.
6. Select Apply. The FortiGate unit sends the override push IP address and port to the FDN. The FDN now uses this IP address and port for push updates to the FortiGate unit on the internal network. If the external IP address or external service port change, add the changes to the Use override push configuration and select Apply to update the push information on the FDN.
Figure 4 Example push update configuration [screenshot: Allow Push Update (selected), Use override push (selected), IP 64.230.123.149, Port 45001, Apply]
You can se
323. Each line of the session list displays the following information:
Protocol: The service protocol of the connection, for example udp, tcp, or icmp.
From IP: The source IP address of the connection.
From Port: The source port of the connection.
To IP: The destination IP address of the connection.
To Port: The destination port of the connection.
Expire: The time in seconds before the connection expires.
Clear: Stop an active communication session.
Figure 4 Example session list [screenshot: Total Number of Sessions 659; columns Protocol, From IP, From Port, To IP, To Port, Expire (secs), Clear; rows of udp and tcp sessions from 192.168.110.x hosts to DNS (port 53), HTTPS (port 443), POP3 (port 110), and IMAP (port 143) servers]
324. t into the network. Among other things, you must decide whether you want the unit to be visible to the network, which firewall functions you want it to provide, and how you want it to control the traffic flowing between its interfaces. Your configuration plan depends on the operating mode that you select. The FortiGate unit can be configured in one of two modes: NAT/Route mode (the default) or Transparent mode.
NAT/Route mode
In NAT/Route mode, the unit is visible to the network. Like a router, all its interfaces are on different subnets. The following interfaces are available in NAT/Route mode:
- External is the interface to the external network (usually the Internet).
- Internal is the interface to the internal network.
You can add security policies to control whether communications through the FortiGate unit operate in NAT or Route mode. Security policies control the flow of traffic based on the source address, destination address, and service of each packet. In NAT mode, the FortiGate unit performs network address translation before it sends the packet to the destination network. In Route mode, there is no translation. By default, the FortiGate unit has a NAT mode security policy that allows users on the internal network to securely download content from the external network. No other traffic is possible until you have configured further security policies.
325. t profile. See "Adding content profiles" on page 167.
2. Select the Anti-Virus & Web filter option in firewall policies that allow web (HTTP, FTP) and email (IMAP, POP3, and SMTP) connections through the FortiGate unit. Select a content profile that provides the antivirus protection options that you want to apply to a policy. See "Adding content profiles to policies" on page 169.
3. Configure antivirus protection settings to control how the FortiGate unit applies antivirus protection to the web, FTP, and email traffic allowed by policies. See:
- Antivirus scanning on page 226
- File blocking on page 227
- Blocking oversized files and emails on page 228
- Exempting fragmented email from blocking on page 228
4. Configure the messages that users receive when the FortiGate unit blocks or deletes an infected file. See "Replacement messages" on page 133.
5. Configure the FortiGate unit to send an alert email when it blocks or deletes an infected file. See "Configuring alert email" in the Logging and Message Reference Guide.
Note: For information about receiving virus log messages, see "Configuring logging", and for information about log message content and format, see "Virus log messages" in the Logging Configuration and Reference Guide.
Antivirus scanning
Virus scanning intercepts most f
326. talling. After you install new firmware, use the procedure "Manually initiating antivirus and attack definitions updates" on page 75 to make sure that antivirus and attack definitions are up to date.
To revert to a previous firmware version using the web-based manager:
1. Copy the firmware image file to your management computer.
2. Log into the FortiGate web-based manager as the admin administrative user.
3. Go to System > Status.
4. Select Firmware Upgrade.
5. Type the path and filename of the previous firmware image file, or select Browse and locate the file.
6. Select OK. The FortiGate unit uploads the firmware image file, reverts to the old firmware version, resets the configuration, restarts, and displays the FortiGate login. This process takes a few minutes.
7. Log into the web-based manager.
8. Go to System > Status and check the Firmware Version to confirm that the firmware is successfully installed.
9. Restore your configuration. For information about restoring your configuration, see "Restoring system settings" on page 64.
10. Update antivirus and attack definitions. For information about antivirus and attack definitions, see "Manually initiating antivirus and attack definitions updates" on page 75.
Reverting to a previous firmware version using the CLI
This procedure reverts your FortiGate unit to its factory default configuration and deletes NIDS user-defined signatures, web content lists, email filtering lists, and changes to
327. te configuration  Getting started
You typically use NAT/Route mode when the FortiGate unit is operating as a gateway between private and public networks. In this configuration you would create NAT mode policies to control traffic flowing between the internal (private) network and the external (public) network, usually the Internet.
Figure 3: Example NAT/Route mode network configuration (FortiGate 50A unit in NAT/Route mode; External interface 204.23.1.5 toward the Internet, Internal interface 192.168.1.99 toward the internal network containing host 192.168.1.3; NAT mode policies controlling traffic between internal and external networks)
Transparent mode
In Transparent mode the FortiGate unit is invisible to the network. Similar to a network bridge, all FortiGate interfaces must be on the same subnet. You only have to configure a management IP address so that you can make configuration changes. The management IP address is also used for antivirus and attack definition updates.
You typically use the FortiGate unit in Transparent mode on a private network behind an existing firewall or behind a router. The FortiGate unit performs firewall functions as well as antivirus and content scanning, but not VPN.
Figure 4: Example Transparent mode network configuration (FortiGate 50A unit in Transparent mode behind a gateway firewall/router to the public network, 204.23.1.5 toward the Internet and 10.10.10.2 on the inside; FortiGate External interface 10.10.10.1; Internal interface; Management IP
328. te packet, not the confidentiality of the routing information in the packet.
Changes the metric for routes sent by this interface. All routes sent from this interface have this metric added to their current metric value. You can change the interface metric to give a higher priority to an interface. For example, if you have two interfaces that can be used to route packets to the same destination and you set the metric of one interface higher than the other, the routes to the interface with the lower metric will seem to have a lower cost. More traffic will use routes to the interface with the lower metric. Metric can be from 1 to 16, with 16 equalling unreachable.
4. Select OK to save the RIP configuration for the selected interface.
Figure 2: Example RIP configuration for an internal interface (Edit RIP on Interface: Interface internal; fields RIP1 Send, RIP1 Receive, RIP2 Send, RIP2 Receive, Split Horizon, Authentication, Password, Mode, Metric)
Fortinet Inc.
Adding RIP filters
Use the Filter page to create RIP filter lists and assign RIP filter lists to the neighbors filter, incoming route filter, or outgoing route filter. The neighbors filter allows or denies updates from other routers. The incoming filter accepts or rejects routes in an incoming RIP update packet. The outgoing filter allows or de
329. terface of the FortiGate unit. Outbound NAT makes it impossible for remote hosts to see the IP addresses of local hosts (hosts located on the network behind the local VPN gateway). If Outbound NAT is implemented, it is subject to these limitations:
• Configure Outbound NAT only at one end of the tunnel. The end that does not implement Outbound NAT requires an internal-to-external policy that specifies the remote external interface as the Destination (usually a public IP address).
• The tunnel, and the traffic within the tunnel, can only be initiated at the end that implements Outbound NAT.
For information about configuring the remaining policy settings, see Adding firewall policies on page 140.
Select OK to save the encrypt policy.
To make sure that the encrypt policy is matched for VPN connections, arrange the encrypt policy above other policies with similar source and destination addresses and services in the policy list.
Figure 25: Adding an encrypt policy (policy tabs Int > Ext, Int > DMZ, DMZ > Int, DMZ > Ext, Ext > Int, Ext > DMZ; Source FGT_100, Destination FGT_60, Schedule Always, Service ANY, Action ENCRYPT, VPN Tunnel FGT_60; options Allow inbound, Inbound NAT, Allow outbound, Outbound NAT, Traffic Shaping; Guaranteed Bandwidth in kBytes/s, Maximum Bandwidth
330. that are recorded. You can log traffic with a specified source IP address and netmask to a destination IP address and netmask, and for a specified service. A traffic filter entry can include any combination of source and destination addresses and services.
To add an entry to the traffic filter list
1. Go to Log & Report > Log Setting > Traffic Filter.
2. Select New.
3. Configure the traffic filter for the type of traffic that you want to record on the traffic log.
Name: Type a name to identify the traffic filter entry. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Spaces and other special characters are not allowed.
Source IP Address / Source Netmask: Type the source IP address and netmask for which you want the FortiGate unit to log traffic messages. The address can be an individual computer, subnetwork, or network.
Destination IP Address / Destination Netmask: Type the destination IP address and netmask for which you want the FortiGate unit to log traffic messages. The address can be an individual computer, subnetwork, or network.
Service: Select the service group or individual service for which you want the FortiGate unit to log traffic messages.
4. Select OK. The traffic filter list displays the new traffic address entry with the settings that you selected, as described in Enabling traffic logging on page 255.
Configuring alert email
331. the addresses of up to 3 DNS servers that the DHCP server assigns to the DHCP clients.
WINS Server IP: Add the IP addresses of one or two WINS servers to be assigned to DHCP clients.
Exclusion Range: Optionally enter up to 4 exclusion ranges of IP addresses within the IP pool that cannot be assigned to DHCP clients.
Select OK.
Adding a reserve IP to a DHCP server
If you have configured an interface as a DHCP server, you can reserve an IP address for a particular device on the network according to the MAC address of the device. When you add the MAC address of a device and an IP address to the reserve IP list, the DHCP server always assigns this IP address to the device. To add a reserve IP, you must first select the interface and scope to which you want to add the reserve IP.
To add a reserve IP to a DHCP server
1. Go to System > Network > DHCP.
2. Select Reserve IP.
3. Select an interface. You must configure the interface as a DHCP server before you can select it.
4. Select a scope. You must configure an address scope for the interface before you can select it.
5. Select New to add a reserved IP.
6. Configure the reserved IP.
IP: Enter an IP address. The IP address must be within the IP pool added to the selected scope.
MAC: Enter the MAC address of the device.
Name: Optionally specify a name for the IP and MAC address pair.
Note: The reserved IP cannot be assigne
332. them again.
Table 1: FortiGate MIBs
MIB file name or RFC / Description
fortinet.trap.mib: The Fortinet trap MIB is a proprietary MIB that is required for your SNMP manager to receive traps from the FortiGate SNMP agent. For more information about FortiGate traps, see FortiGate traps on page 129.
fortinet.mib: The Fortinet MIB is a proprietary MIB that includes detailed FortiGate system configuration information. Add this MIB to your SNMP manager to monitor all FortiGate configuration settings.
RFC 1213 (MIB II): The FortiGate SNMP agent supports MIB II groups with the following exceptions. No support for the EGP group from MIB II (RFC 1213, sections 3.11 and 6.10). Protocol statistics returned for MIB II groups (IP, ICMP, TCP, UDP, etc.) do not accurately capture all FortiGate traffic activity; more accurate information can be obtained from the information reported by the Fortinet MIB.
RFC 2665 (Ethernet-like MIB): The FortiGate SNMP agent supports Ethernet-like MIB information with the following exception: no support for the dot3Tests and dot3Errors groups.
FortiGate traps
The FortiGate agent can send traps to up to three SNMP trap receivers on your network that are configured to receive traps from the FortiGate unit. For these SNMP managers to receive traps, you must load and compile the Fortinet trap MIB onto the
333. thentication for:
• Policies that require authentication. Only users in the selected user group, or users that can authenticate with the RADIUS servers added to the user group, can authenticate with these policies.
• IPSec VPN Phase 1 configurations for dialup users. Only users in the selected user group can authenticate to use the VPN tunnel.
• XAuth for IPSec VPN Phase 1 configurations. Only users in the selected user group can be authenticated using XAuth.
• The FortiGate PPTP configuration. Only users in the selected user group can use PPTP.
• The FortiGate L2TP configuration. Only users in the selected user group can use L2TP.
When you add user names, RADIUS servers, and LDAP servers to a user group, the order in which they are added determines the order in which the FortiGate unit checks for authentication. If user names are first, the FortiGate unit checks for a match with these local users. If a match is not found, the FortiGate unit checks the RADIUS or LDAP server. If a RADIUS or LDAP server is added first, the FortiGate unit checks the server and then the local users. If the user group contains users, RADIUS servers, and LDAP servers, the FortiGate unit checks them in the order in which they have been added to the user group.
This section describes:
• Adding user groups
• Deleting user groups
Adding user groups
Use the following procedure to add user groups to the FortiGate configuration. You can add user names, RADIU
334. thentication provides a means to verify the origin of a packet and the integrity of its contents. Authentication is done using checksums calculated with keyed hash function algorithms.
This chapter provides an overview about how to configure FortiGate IPSec VPN. For a complete description of FortiGate VPN, see the FortiGate VPN Guide.
• Key management
• Manual key IPSec VPNs
• AutoIKE IPSec VPNs
• Managing digital certificates
• Configuring encrypt policies
• IPSec VPN concentrators
• Monitoring and troubleshooting VPNs
Key management
There are three basic elements in any encryption system:
• an algorithm that changes information into code
• a cryptographic key that serves as a secret starting point for the algorithm
• a management system to control the key
IPSec provides two ways to handle key exchange and management:
• Manual Keys
• Automatic Internet Key Exchange (AutoIKE) with pre-shared keys or certificates
Manual Keys
When using manual keys, matching security settings must be entered at both ends of the tunnel. These settings, which include both the encryption and authentication keys, must be kept secret so that unauthorized parties cannot decrypt the data, even if they know which encryption algorithm is being used.
Automatic Internet Key Exchange (AutoIKE) with pre-shared keys or certificates
For using multiple tunnels
335. this is required for your configuration.
To improve the security of a FortiGate unit that allows remote administration from the Internet:
• Use secure administrative user passwords.
• Change these passwords regularly.
• Enable secure administrative access to this interface using only HTTPS or SSH.
• Do not change the system idle timeout from the default value of 5 minutes (see To set the system idle timeout on page 122).
To configure the management interface in Transparent mode
1. Go to System > Network > Management.
2. Change the Management IP and Netmask as required. This must be a valid IP address for the network that you want to manage the FortiGate unit from.
3. Add a default gateway IP address if the FortiGate unit must connect to a default gateway to reach the management computer.
4. Select the administrative access methods for each interface.
HTTPS: To allow secure HTTPS connections to the web-based manager through this interface.
PING: If you want this interface to respond to pings. Use this setting to verify your installation and for testing.
HTTP: To allow HTTP connections to the web-based manager through this interface. HTTP connections are not secure and can be intercepted by a third party.
SSH: To allow SSH connections to the CLI through this interface.
SNMP: To allow a remote SNMP manager to request SNMP information by connecting to this interface. See Configuring SNMP on page 125.
TELNET: To allow Tel
336. tificates
Note: Digital certificates are not required for configuring FortiGate VPNs. Digital certificates are an advanced feature provided for the convenience of system administrators. This manual assumes the user has prior knowledge of how to configure digital certificates for their implementation.
Obtaining a signed local certificate
The signed local certificate provides the FortiGate unit with a means to authenticate itself to other devices.
Note: The VPN peers must use digital certificates that adhere to the X.509 standard.
Generating the certificate request
With this procedure you generate a private and public key pair. The public key is the base component of the certificate request.
To generate the certificate request
1. Go to VPN > Certificates > Local Certificates.
2. Select Generate.
3. Type a Certificate Name. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
4. Configure the Subject Information that identifies the object being certified. Preferably use an IP address or domain name. If this is impossible (such as with a dialup client), use an email address.
Host IP: For Host IP, enter the IP address of the FortiGate unit being certified.
Domain Name: For Domain name, enter the fully qualified domain name of the FortiGate unit being certified. Do not include the protocol specification (http://) or any port num
337. ting to the web-based manager
If you changed the IP address of the management interface while you were using the setup wizard, you must reconnect to the web-based manager using the new IP address. Browse to https:// followed by the new IP address of the management interface. Otherwise, you can reconnect to the web-based manager by browsing to https://10.10.10.1. If you connect to the management interface through a router, make sure that you have added a default gateway for that router to the management IP default gateway field.
Using the command line interface
As an alternative to the setup wizard, you can configure the FortiGate unit using the command line interface (CLI). To connect to the CLI, see Connecting to the command line interface (CLI) on page 20. Use the information that you gathered in Table 14 on page 41 to complete the following procedures.
Changing to Transparent mode
1. Log into the CLI if you are not already logged in.
2. Switch to Transparent mode. Enter:
set system opmode transparent
After a few seconds, the login prompt appears.
3. Type admin and press Enter. The following prompt appears:
Type ? for a list of commands.
4. Confirm that the FortiGate unit has switched to Transparent mode. Enter:
get system status
The CLI displays the status of the FortiGate unit. The last line shows the current operation mode:
Operati
338. ting to verify your installation and for testing.
HTTP: To allow HTTP connections to the web-based manager through this interface. HTTP connections are not secure and can be intercepted by a third party.
SSH: To allow SSH connections to the CLI through this interface.
SNMP: To allow a remote SNMP manager to request SNMP information by connecting to this interface. See Configuring SNMP on page 125.
TELNET: To allow Telnet connections to the CLI through this interface. Telnet connections are not secure and can be intercepted by a third party.
5. Select OK to save the changes.
Changing the MTU size to improve network performance
To improve network performance, you can change the maximum transmission unit (MTU) of the packets that the FortiGate unit transmits from any interface. Ideally, this MTU should be the same as the smallest MTU of all the networks between the FortiGate unit and the destination of the packets. If the packets that the FortiGate unit sends are larger, they are broken up or fragmented, which slows down transmission. Experiment by lowering the MTU to find an MTU size for best network performance.
To change the MTU size of the packets leaving an interface
1. Go to System > Network > Interface. Choose an interface and select Modify.
2. Select Override default MTU value (1500).
3. Set the MTU size. Set the maximum packet size. For manual and DHCP addressing mode, the MTU size can be from 576 to 1500 bytes. For
339. tion about arranging routes in the routing table, see Configuring the routing table.
Adding routes in Transparent mode
Use the following procedure to add routes when operating the FortiGate unit in Transparent mode.
To add a route in Transparent mode
1. Go to System > Network > Routing.
2. Select New.
3. Enter the Destination IP address and Netmask for the route.
4. Enter the Gateway IP address for the route.
5. Select OK to save the new route.
6. Repeat steps 1 to 5 to add more routes as required.
Configuring the routing table
The routing table shows the destination IP address and mask of each route that you add, as well as the gateways and devices added to the route. The routing table also displays the gateway connection status. A green check mark indicates that the FortiGate unit has used the ping server and dead gateway detection to determine that it can connect to the gateway. A red X means that a connection cannot be established. A blue question mark means that the connection status is unknown. For more information, see Adding a ping server to an interface on page 97.
The FortiGate unit assigns routes using a best match algorithm based on the destination address of the packet and the destination address of the route. To select a route for a packet, the FortiGate unit searches the routing table for a route that best matches the destination address of the packet. If a match is not found, the FortiGate unit routes t
340. Displaying the FortiGate serial number
1. Go to System > Status. The serial number is displayed on the System Status page of the web-based manager. The serial number is specific to the FortiGate unit and does not change with firmware upgrades.
Displaying the FortiGate up time
1. Go to System > Status. The FortiGate up time displays the time in days, hours, and minutes since the FortiGate unit was last started.
Backing up system settings
You can back up system settings by downloading them to a text file on the management computer.
To back up system settings
1. Go to System > Status.
2. Select System Settings Backup.
3. Select Backup System Settings.
4. Type a name and location for the file. The system settings file is backed up to the management computer.
5. Select Return to go back to the Status page.
Restoring system settings
You can restore system settings by uploading a previously downloaded system settings text file.
To restore system settings
1. Go to System > Status.
2. Select System Settings Restore.
3. Enter the path and filename of the system settings file, or select Browse and locate the file.
4. Select OK to restore the system settings file to the FortiGate unit. The FortiGate unit restarts, loading the new system settings.
5. Reconnect to the web-based manager and review your configuration to confirm that t
341. tivirus scanning and web content blocking to HTTP content traffic. You can add this content profile to firewall policies that control HTTP traffic.
Table 8: Web content profile (option rows by protocol column HTTP, FTP, IMAP, POP3, SMTP: Antivirus Scan, File Block, Web URL Block, Web Content Block, Web Script Filter, Web Exempt List, Email Block List, Email Exempt List, Email Content Block, Oversized File/Email Block = pass for all five protocols, Pass Fragmented Emails)
Unfiltered content profile
Use the unfiltered content profile if you do not want to apply content protection to traffic. You can add this content profile to firewall policies for connections between highly trusted or highly secure networks where content does not need to be protected.
Table 9: Unfiltered content profile (option rows by protocol column HTTP, FTP, IMAP, POP3, SMTP: Antivirus Scan, File Block, Web URL Block, Web Content Block, Web Script Filter, Web Exempt List, Email Block List, Email Exempt List, Email Content Block, Oversized File/Email Block = pass for all five protocols, Pass Fragmented Emails)
Planning the FortiGate configuration
Before you configure the FortiGate unit, you need to plan how to integrate the uni
342. to your management computer.
2. Log into the web-based manager as the admin administrative user.
3. Go to System > Status.
4. Select Firmware Upgrade.
5. Type the path and filename of the firmware image file, or select Browse and locate the file.
6. Select OK. The FortiGate unit uploads the firmware image file, upgrades to the new firmware version, restarts, and displays the FortiGate login. This process takes a few minutes.
7. Log into the web-based manager.
8. Go to System > Status and check the Firmware Version to confirm that the firmware upgrade is successfully installed.
9. Update antivirus and attack definitions. For information about antivirus and attack definitions, see Manually initiating antivirus and attack definitions updates on page 75.
Upgrading the firmware using the CLI
To use the following procedure, you must have a TFTP server that the FortiGate unit can connect to.
Note: Installing firmware replaces your current antivirus and attack definitions with the definitions included with the firmware release that you are installing. After you install new firmware, use the procedure Manually initiating antivirus and attack definitions updates on page 75 to make sure that antivirus and attack definitions are up to date. You can also use the CLI command execute updatecenter updatenow to update the antivirus and attack definitions.
To upgrade the firmware using the CLI
1. Make sure that the TFTP server is ru
343. tunnel, selection of the spoke (client or gateway) configured in phase 1, encryption and authentication algorithms, and a number of security parameters. See AutoIKE IPSec VPNs on page 182.
• Add a destination address for each spoke. The destination address is the address of the spoke, either a client on the Internet or a network located behind a gateway. See Adding a source address on page 194.
• Add the concentrator configuration. This step groups the tunnels together on the FortiGate unit. The tunnels link the hub to the spokes. The tunnels are added as part of the AutoIKE phase 2 configuration or the manual key configuration. See Adding a VPN concentrator on page 198.
Note: Add the concentrator configuration to the central FortiGate unit (the hub) after adding the tunnels for all spokes.
• Add an encrypt policy for each spoke. Encrypt policies control the direction of traffic through the hub and allow inbound and outbound VPN connections between the hub and the spokes. The encrypt policy for each spoke must include the tunnel name of the spoke. The source address must be Internal_All. Use the following configuration for the encrypt policies:
Source: Internal_All
Destination: The VPN spoke address
Action: ENCRYPT
VPN Tunnel: The VPN spoke tunnel name
Allow inbound: Select allow inbound
Allow outbound: Select allow outbound
344. turn until the modem connects to an ISP.
Disconnecting the modem
Use the following procedure to disconnect the modem from a dialup account.
To disconnect the modem
1. Go to System > Network > Modem.
2. Select Hang Up if you want to disconnect from the dialup account.
Viewing modem status
To view the status of the modem connection, go to System > Network > Modem. Modem status is one of the following:
not active: The modem interface is not connected to the ISP.
active: The modem interface is attempting to connect to the ISP or is connected to the ISP.
A green check mark indicates the active dialup account. The IP address and netmask assigned to the modem interface appear on the System > Network > Interface page of the web-based manager.
Backup mode configuration
The modem interface in backup mode backs up a selected ethernet interface. If that ethernet interface disconnects from its network, the modem automatically dials the configured dialup accounts. When the modem connects to a dialup account, the FortiGate unit routes IP packets normally destined for the selected ethernet interface to the modem interface. The FortiGate unit disconnects the modem interface and switches back to the ethernet interface when the ethernet interface can again connect to its network.
For the FortiGate unit to be able to switch fro
345. twork address translation (NAT) policy that allows users on your internal network to connect to the external network and stops users on the external network from connecting to the internal network. You can add more policies to provide more control of the network traffic passing through the FortiGate unit.
The factory default content profiles can be used to apply different levels of antivirus protection, web content filtering, and email filtering to the network traffic that is controlled by firewall policies.
• Factory default DHCP configuration
• Factory default NAT/Route mode network configuration
• Factory default Transparent mode network configuration
• Factory default firewall configuration
• Factory default content profiles
Factory default DHCP configuration
When the FortiGate unit is first powered on, the external interface is configured to receive its IP address by connecting to a DHCP server. If your ISP provides IP addresses using DHCP, no other configuration is required for this interface.
The FortiGate unit can also function as a DHCP server for your internal network. You can configure the TCP/IP settings of the computers on your internal network to obtain an IP address automatically from the FortiGate unit DHCP server. For more information about the FortiGate DHCP server, see Configuring DHCP services on page 104.
Table 2: FortiGate DHCP Server default configuration
Enable DHCP: selected
Starting IP: 19
346. unit
• Session list
Changing the FortiGate host name
The FortiGate host name appears on the Status page and in the FortiGate CLI prompt. The host name is also used as the SNMP system name. For information about the SNMP system name, see Configuring SNMP on page 125. The default host name is FortiGate 50A.
To change the FortiGate host name
1. Go to System > Status.
2. Select Edit Host Name.
3. Type a new host name.
4. Select OK. The new host name is displayed on the Status page and in the CLI prompt, and is added to the SNMP System Name.
Changing the FortiGate firmware
After you download a FortiGate firmware image from Fortinet, you can use the procedures listed in Table 1 to install the firmware image on your FortiGate unit.
Table 1: Firmware upgrade procedures
Procedure / Description
Upgrading to a new firmware version: Commonly used web-based manager and CLI procedures to upgrade to a new FortiOS firmware version or to a more recent build of the same firmware version.
Reverting to a previous firmware version: Use the web-based manager or CLI procedure to revert to a previous firmware version. This procedure reverts the FortiGate unit to its factory default configuration.
Installing firmware images from a system: Use this procedure to install a new firmware version or revert to a previous fi
347. with policy routes before they are matched with destination routes. If a packet does not match a policy route, it is routed using destination routes. The gateway added to a policy route must also be added to a destination route. When the FortiGate unit matches packets with a route in the RPDB, the FortiGate unit looks in the destination routing table for the gateway that was added to the policy route. If a match is found, the FortiGate unit routes the packet using the matched destination route. If a match is not found, the FortiGate unit routes the packet using normal routing. To find a route with a matching gateway, the FortiGate unit starts at the top of the destination routing table and searches until it finds the first matching destination route. This matched route is used to route the packet.
Policy routing command syntax
Configure policy routing using the following CLI command:
set system route policy <route_int> src <source_ip> <source_mask> iifname <source_interface_name> dst <destination_ip> <destination_mask> oifname <destination_interface_name> protocol <protocol_int> port <low_port_int> <high_port_int> gw <gateway_ip>
Complete policy routing command syntax is described in Volume 6, FortiGate CLI Reference Guide.
Configuring DHCP services
A
348. wse to locate the signed local certificate on the management computer.
Select OK. The signed local certificate is displayed on the Local Certificates list with a status of OK.
Backing up and restoring the local certificate and private key
When you back up a FortiGate configuration that includes IPSec VPN tunnels using certificates, you must also back up the local certificate and private key in a password-protected PKCS12 file. Before restoring the configuration, you must import the PKCS12 file and set the local certificate name to the same that was in the original configuration. Public Key Cryptography Standard 12 (PKCS12) describes the syntax for securely exchanging personal information.
Note: Use the execute vpn certificates key CLI command to back up and restore the local certificate and private key. For more information, see the FortiGate CLI Reference Guide.
Obtaining CA certificates
For the VPN peers to authenticate themselves to each other, they must both obtain a CA certificate from the same certificate authority. The CA certificate provides the VPN peers with a means to validate the digital certificates that they receive from other devices.
The FortiGate unit obtains the CA certificate to validate the digital certificate that it receives from the remote VPN peer. The remote VPN peer obtains the CA certificate to validate the digital certificate that it receives from
